Today's advanced threats hide in plain sight, patiently waiting to strike, and challenge security teams to track their progress across the network and endpoints. Meanwhile, executive and board-level reporting requirements are increasing as leadership demands in-depth answers that today’s block/allow security tools cannot provide. With 55% of organizations unable to identify the origin of their last security breach, it’s time to stop relying on tools that define security by what they see ‘out there’ and instead hunt for threats by tracking files, file relationships, and both endpoint and network behavior ‘in here’—inside your environment. In the first part of this interactive session, learn how Cisco’s Advanced Malware Protection (AMP) solutions use big data analytics to compare a real-time, dynamic history of your environment with the global threat landscape, automatically uncovering and blocking advanced threats before they strike. Then watch workflow examples showing how your security team can use this visibility and control to dramatically improve its efficiency and finally give the business answers with 100% confidence.
4. BLOCK
Protection fails. Today, 1.5M unique threats will be discovered – even 99.9% protection will fail 1,500 times.
TYPICAL CYBERSECURITY WORKFLOW vs. TIME REQUIRED
“How are we finding these failures in our environment?”
“How do we know we’re responding to the right alerts?”
“How long does it take us to answer these questions?”
“How long does it take us to find the rest of the machines compromised by the same attack?”
“How long does it take us to redefine security in all our tools?”
RESPOND TO ALERTS
Security tools generate hundreds, even thousands, of alerts each day. Any one of those could be a breach in progress.
INVESTIGATE INCIDENTS
When a cybersecurity incident impacts the business, the business needs answers:
• Where did it start?
• How did it succeed?
• How long have we been compromised?
• How many machines are impacted?
• How can it be stopped?
REIMAGE + RECOVER
Reimaging is not recovering. The average compromised machine remains undiscovered for 200+ days.
IMPROVE DEFENSE
Reducing the attack surface means upgrading security policy – but the average organization manages 34-55 security tools.
8. Point-in-time threat inspection
This population of threats is 100% effective, 100% of the time:
Antivirus point-in-time threat inspection
Network point-in-time threat inspection
Web point-in-time threat inspection
Email point-in-time threat inspection
BEFORE, DURING AND AFTER IN ACTION
12. 65% of CEOs say their risk management approach is falling behind.
“In a new reality where security breaches come at a daily rate, we must move away from trying to achieve the impossible perfect protection and instead invest in detection and response. Organizations should move their investments from 90 percent prevention and 10 percent detection and response to a 60/40 split.”
– Peter Sondergaard, Senior VP and Global Head of Research, Gartner
15. 2015 Gartner MQ for Intrusion Prevention Systems
“The Advanced Malware Protection (AMP) products provide a quicker path to adding advanced threat capabilities… competing well against stand-alone and established advanced persistent threat (APT) solution vendors.”
26. CONTINUOUS ANALYSIS AND RETROSPECTIVE SECURITY
AMP blocks threats, but it doesn’t stop there. AMP uses big data analytics to continuously analyze the history of endpoint and network behavior in your environment – uncovering advanced threats and rewinding history to block them.
31. THE POWER OF CONTEXT
In real time, AMP Appliances passively discover the environment they are protecting – mapping the vulnerabilities of each host. An attack that leverages an actual vulnerability of the target host is a true top alert.
32.
• Alert overload example
• Unfiltered: List of Intrusion Events
• By Impact: List of Intrusion Events
• How? Passive Discovery Overview
• Endpoint: Vulnerable Software
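The "By Impact" view above rests on one idea: an intrusion event is only a top alert if the target host actually runs the software the attack exploits. The following script is an added example written for this page, not Cisco's or AMP's code. It scores constructed intrusion events against a constructed host inventory of the kind passive discovery would build. The four-level impact scheme, the host names, products, versions and rule IDs are all assumptions made for the example; they are not Cisco's real scoring rules or real signature IDs.

```python
"""Impact-based alert triage: an added example, not Cisco's or AMP's code.

Simplified impact scheme used here (an assumption for this example):
  1  target runs an affected version              -> act now
  2  target runs the product, version not listed  -> review
  3  target lacks the product or OS the rule needs -> likely noise
  4  target host never seen by discovery          -> blind spot, not triageable
"""
from dataclasses import dataclass


@dataclass
class Host:
    ip: str
    os: str
    software: dict  # product name -> version string, as learned passively


@dataclass
class Rule:
    sid: int
    name: str
    product: str                        # product the signature targets
    affected: frozenset                 # versions the exploit works against
    target_os: frozenset = frozenset()  # empty means any OS


@dataclass
class Event:
    ts: str
    sid: int
    src: str
    dst: str


# Constructed inventory (hypothetical hosts, products and versions).
INVENTORY = {
    "10.0.0.10": Host("10.0.0.10", "linux", {"acme-httpd": "2.1", "acme-tls": "1.4"}),
    "10.0.0.11": Host("10.0.0.11", "linux", {"acme-tls": "1.6"}),
    "10.0.0.12": Host("10.0.0.12", "windows", {"acme-mail": "8.5"}),
}

# Constructed rules; SIDs and names are placeholders, not real signature IDs.
RULES = {
    900001: Rule(900001, "acme-tls handshake overflow", "acme-tls",
                 frozenset({"1.3", "1.4", "1.5"})),
    900002: Rule(900002, "acme-mail header injection", "acme-mail",
                 frozenset({"7.5", "8.0"}), frozenset({"windows"})),
}

# Constructed intrusion events, deliberately out of time order.
EVENTS = [
    Event("2015-06-01T10:05:00", 900001, "203.0.113.7", "10.0.0.11"),
    Event("2015-06-01T10:04:00", 900001, "203.0.113.7", "10.0.0.10"),
    Event("2015-06-01T10:06:00", 900001, "203.0.113.7", "10.0.0.12"),
    Event("2015-06-01T10:07:00", 900002, "198.51.100.9", "10.0.0.10"),
    Event("2015-06-01T10:08:00", 900002, "198.51.100.9", "10.0.0.12"),
    Event("2015-06-01T10:09:00", 900001, "203.0.113.7", "10.0.0.99"),
]


def impact_level(event, rule, inventory):
    """Score one event against what discovery knows about its target."""
    host = inventory.get(event.dst)
    if host is None:
        return 4                      # no context at all: fix visibility first
    if rule.target_os and host.os not in rule.target_os:
        return 3                      # exploit cannot apply to this OS
    version = host.software.get(rule.product)
    if version is None:
        return 3                      # product not present on the target
    return 1 if version in rule.affected else 2


def triage(events, rules, inventory):
    """Return (impact, event, rule) triples, most urgent first, then by time."""
    scored = [(impact_level(ev, rules[ev.sid], inventory), ev, rules[ev.sid])
              for ev in events]
    scored.sort(key=lambda t: (t[0], t[1].ts))
    return scored


def critical_targets(events, rules, inventory):
    """Hosts attacked with an exploit they are actually vulnerable to."""
    return sorted({ev.dst for lvl, ev, _ in triage(events, rules, inventory) if lvl == 1})


if __name__ == "__main__":
    for lvl, ev, rule in triage(EVENTS, RULES, INVENTORY):
        print(f"impact {lvl}  {ev.ts}  {ev.src} -> {ev.dst}  {rule.name}")
    print("act now on:", critical_targets(EVENTS, RULES, INVENTORY))
```

Six raw events collapse to one level-1 alert; the level-4 result is worth keeping visible, because a host that discovery has never seen is a coverage gap rather than a clean bill of health.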
35. VISIBILITY + CONTROL
Because AMP records the history of the environment, your team can quickly scroll back time to discover what happened.
• Identify ‘patient zero’ – the first victim.
• Determine the attack scope – how malware traversed the organization.
• Contain the event, understanding all affected systems.
• Remediate quickly, focusing on high-priority events and systems.
• Prevent reinfection by identifying the root causes.
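The "scroll back time" idea behind the list above is that every file sighting is recorded as it happens, so when a hash is later judged malicious the team replays the record instead of re-scanning the estate. The following script is an added example written for this page, not AMP's code. It replays constructed sighting records for one hash whose disposition flips and answers the incident questions from the deck: where it started (patient zero), how it spread (path and scope), how long the environment was compromised, and which hosts need containment. The record layout, the "origin" field, the host names and the hash values are assumptions made for this example.

```python
"""Retrospective file-trajectory analysis: an added example, not AMP's code."""
from datetime import datetime

# Constructed sighting records (hypothetical hosts and hashes). "origin" says
# where a copy came from: "web:<url>" for a download, "host:<name>" for a copy
# from another host; None for an execution of an already-present file.
SIGHTINGS = [
    {"ts": "2015-06-02T08:15:00", "host": "srv-fs01", "sha256": "c0ffee01", "action": "create", "origin": "host:ws-022"},
    {"ts": "2015-06-01T09:02:00", "host": "ws-017", "sha256": "c0ffee01", "action": "create", "origin": "web:http://files.example.test/invoice.exe"},
    {"ts": "2015-06-01T11:40:00", "host": "ws-022", "sha256": "c0ffee01", "action": "create", "origin": "host:ws-017"},
    {"ts": "2015-06-01T09:03:10", "host": "ws-017", "sha256": "c0ffee01", "action": "execute", "origin": None},
    {"ts": "2015-06-01T10:00:00", "host": "ws-030", "sha256": "5afe0001", "action": "create", "origin": "web:http://updates.example.test/tool.exe"},
    {"ts": "2015-06-01T11:41:00", "host": "ws-022", "sha256": "c0ffee01", "action": "execute", "origin": None},
    {"ts": "2015-06-02T14:00:00", "host": "ws-041", "sha256": "c0ffee01", "action": "create", "origin": "host:srv-fs01"},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def trajectory(sightings, sha256):
    """All recorded sightings of one hash, oldest first."""
    return sorted((r for r in sightings if r["sha256"] == sha256),
                  key=lambda r: parse_ts(r["ts"]))


def retrospective_report(sightings, sha256, flagged_at):
    """Replay the history of a hash that was just reclassified as malicious.

    flagged_at is the time the disposition changed; the gap back to the first
    sighting is the dwell time the deck's "200+ days" figure refers to.
    """
    traj = trajectory(sightings, sha256)
    if not traj:
        return None                   # never seen: nothing to scroll back through
    first = traj[0]
    # Host-to-host copies, in time order, give the propagation path.
    path = [(r["origin"].split(":", 1)[1], r["host"])
            for r in traj if r["origin"] and r["origin"].startswith("host:")]
    executed = sorted({r["host"] for r in traj if r["action"] == "execute"})
    hosts = sorted({r["host"] for r in traj})
    dwell = parse_ts(flagged_at) - parse_ts(first["ts"])
    return {
        "patient_zero": first["host"],
        "entry_point": first["origin"],
        "first_seen": first["ts"],
        "dwell_seconds": int(dwell.total_seconds()),
        "hosts": hosts,                # scope: every host that ever saw the file
        "path": path,                  # how it traversed the organization
        "isolate": executed,           # the file ran here: full incident response
        "quarantine_only": [h for h in hosts if h not in executed],  # present, never ran
    }


if __name__ == "__main__":
    report = retrospective_report(SIGHTINGS, "c0ffee01", "2015-06-03T06:00:00")
    for key, value in report.items():
        print(f"{key:16} {value}")
```

Splitting the scope into hosts where the file executed and hosts where it merely landed is what keeps "reimage everything" from being the only answer: the file server that stored the file needs the copy removed and the share checked, while the two workstations that ran it need a real investigation.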
39. SYSTEMIC RESPONSE
AMP works through the cloud, enforcing the security response everywhere it is installed. Before we can react to an alert, AMP is already blocking on the network, on endpoints – even laptops off our network – and in email and web.
43.
“AMP finds what our other tools miss”
“We used to have to choose from 1,000’s of alerts…now we know the 4-6 critical alerts for our environment”
“What used to take us 2 weeks or 2 months now takes us 2 minutes”
“Instead of spending 4 hours each day chasing our tools, we’re blocking everywhere, automatically”
“It would have taken 2 hours a day to do what’s being done automatically”
SHARED SECURITY INTELLIGENCE
With AMP ThreatGrid, both Cisco industry partners and non-Cisco solutions can benefit from dynamic analysis executed by AMP, automatically improving your defense.
44. Integration
• How sharing Threat Intelligence works
• Adding integration
• Invitation to review your environment?