The document discusses automating security tasks through various solutions from Cisco. It introduces the Cisco Advanced Malware Protection (AMP) solution, which uses machine learning to detect known and unknown malware across endpoints, networks, and email. It also introduces Cisco Cognitive Threat Analytics, which analyzes web traffic using machine learning to detect anomalous and malicious activity inside organizations. The document provides examples of how these solutions can automate tasks like hunting for threats, detecting anomalies, and attributing suspicious activity to specific entities. It includes demos of the AMP and Cognitive Intelligence user interfaces.
Cisco Connect Toronto 2018 sixty to zero
1. AMP CANADA V2
Automating your Security with Cisco
Canada • October 2018
Zero to Sixty
Sean Earhard
Advanced Threat Solution Specialist
647-988-4945 / seearhar@cisco.com
Hussain Mohammed
Advanced Threat Solutions CSE
514-623-3779 / mohhuss3@cisco.com
23. AMP and Cognitive Threat Analytics (CTA) layered architecture (diagram)
Layer 1 / Layer 2 components shown for AMP, CTA and CWS Premium: File Reputation, Dynamic Malware Analysis and File Retrospection (AMP); Anomaly detection, Trust modeling, Event classification and Entity modeling (CTA). A further layer, Relationship Modeling, sits above them.
Determine if a threat is part of a threat campaign with Relationship Modeling: incidents at Company A across Phase 1, Phase 2 and Phase 3 (Threat Type 1, Threat Type 1, Threat Type 2) are linked to Attack Node 1 and Attack Node 2.
Similarity Correlation: incidents at Company B and Company C are related to one another by global behavioral similarity, local behavioral similarity, or local and global behavioral similarity.
Infrastructure Correlation: incidents at Company B and Company C are related by shared threat infrastructure.
45. Rapid Threat Containment in Action
Get Answers Faster: Use Cisco® Platform Exchange Grid (pxGrid) partner technologies to find threats faster.
Stop Attacks Faster: Use the network to contain attacks manually or automatically.
Protect Critical Data Faster: Dynamically restrict access permissions or remove a device as its threat score worsens.
(Diagram) Threat and security intelligence sources (SIEM, Firepower firewall, custom detection, Stealthwatch) feed Cisco ISE over pxGrid; ISE then uses the network as an enforcer (switch, router, DC firewall, DC switch, wireless). Containment is automatic or initiated by an IT admin and takes roughly 5 seconds.
46. Rapid Threat Containment
Access privileges dynamically change with threat or vulnerability score.
Ratings are based on open, structured expressions:
STIX: Structured Threat Information Expression
CVSS: Common Vulnerability Scoring System
(Diagram) AMP reports the device's threat score to Cisco ISE, which applies an access policy matrix. Source security groups: Worker, Guest, Risk L1, Risk L2, Risk L3, Risk L4. Destination groups: Worker, Guest, Finance, E-mail, Internet, Remediation.
Stage: Insignificant. Step 1: Worker has open access to other workers, finance, email, and internet.
47. Rapid Threat Containment
(Same access policy matrix and STIX/CVSS ratings as slide 46.)
Stage: Distracting. Step 2: Malware on the device is identified by AMP for Endpoints.
48. Rapid Threat Containment
(Same access policy matrix and STIX/CVSS ratings as slide 46.)
Stage: Painful. Step 3: Threat activity escalates (ping sweeps), which changes the risk profile.
49. Rapid Threat Containment
(Same access policy matrix and STIX/CVSS ratings as slide 46.)
Stage: Damaging. Step 4: Lateral attacks trigger another increase in the risk profile.
50. Rapid Threat Containment
(Same access policy matrix and STIX/CVSS ratings as slide 46.)
Stage: Convicted. Step 5: Device is isolated in the Remediation security group.
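The five-step escalation in slides 46 to 50 is easier to reason about as a small policy engine. The following is an added example written for this page, not Cisco's code and not ISE's or AMP's API: a device starts in the Worker group, each threat event carries a CVSS-style 0 to 10 score, the group only ratchets upward (a later low score never lowers it), and only an explicit remediation returns it to Worker. The score thresholds, the cell values of the access policy matrix, the event scores and the device name are constructed assumptions; the deck names the groups and the five stages but not these numbers.

```python
# Added example (not Cisco's code): simulation of the risk-driven access policy
# from the Rapid Threat Containment slides. Thresholds, matrix cells and event
# scores are constructed assumptions, not values from the deck.
from dataclasses import dataclass, field
from enum import IntEnum


class Risk(IntEnum):
    """Source security group assigned by the policy engine (Cisco ISE in the deck)."""
    WORKER = 0  # healthy employee device, no open findings
    L1 = 1      # stage "Distracting"
    L2 = 2      # stage "Painful"
    L3 = 3      # stage "Damaging"
    L4 = 4      # stage "Convicted"


STAGE_NAME = {
    Risk.WORKER: "Insignificant",
    Risk.L1: "Distracting",
    Risk.L2: "Painful",
    Risk.L3: "Damaging",
    Risk.L4: "Convicted",
}

DESTINATIONS = ("Worker", "Guest", "Finance", "E-mail", "Internet", "Remediation")

# Access policy matrix: source group -> destinations permitted. The deck shows the
# matrix but not its cell values; these rows are an assumption consistent with
# step 1 (open access as Worker) and step 5 (isolation in Remediation at Risk L4).
POLICY = {
    Risk.WORKER: {"Worker", "Finance", "E-mail", "Internet"},
    Risk.L1: {"Worker", "E-mail", "Internet"},
    Risk.L2: {"E-mail", "Internet"},
    Risk.L3: {"E-mail", "Remediation"},
    Risk.L4: {"Remediation"},
}

# Minimum CVSS-style score (0-10) that places a device in each group, highest first.
# Constructed thresholds; a real deployment tunes these per policy.
THRESHOLDS = ((9.0, Risk.L4), (8.0, Risk.L3), (7.0, Risk.L2), (4.0, Risk.L1))


@dataclass
class ThreatEvent:
    source: str       # detecting product, e.g. "AMP for Endpoints"
    description: str
    score: float      # 0.0-10.0


@dataclass
class Device:
    name: str
    risk: Risk = Risk.WORKER
    history: list = field(default_factory=list)


def risk_for_score(score: float) -> Risk:
    """Map a threat score to the highest group whose threshold it meets."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"score out of range: {score}")
    for floor, risk in THRESHOLDS:
        if score >= floor:
            return risk
    return Risk.WORKER


def allowed(device: Device, destination: str) -> bool:
    """Policy lookup for one source group / destination cell of the matrix."""
    if destination not in DESTINATIONS:
        raise ValueError(f"unknown destination: {destination}")
    return destination in POLICY[device.risk]


def apply_event(device: Device, event: ThreatEvent) -> list:
    """Ratchet the device's group upward (never down) and return the destinations
    that just became blocked, in matrix order. Empty list means no policy change."""
    before = POLICY[device.risk]
    device.risk = max(device.risk, risk_for_score(event.score))
    device.history.append((event.source, event.description, device.risk))
    after = POLICY[device.risk]
    return [d for d in DESTINATIONS if d in before and d not in after]


def remediate(device: Device) -> Risk:
    """Explicit admin action once the device is clean. Scores alone never lower
    the group, so this is the only way back to the Worker policy row."""
    device.risk = Risk.WORKER
    device.history.append(("admin", "remediated", device.risk))
    return device.risk


def run_scenario() -> list:
    """Replay the five-step narrative from slides 46-50 on one constructed device.
    Returns (stage name, destinations newly blocked) for the start and each step."""
    dev = Device("LAPTOP-CONSTRUCTED-01")
    events = [  # constructed scores, ordered as the slides narrate the stages
        ThreatEvent("AMP for Endpoints", "malware identified", 5.5),
        ThreatEvent("Stealthwatch", "ping sweeps observed", 7.2),
        ThreatEvent("Stealthwatch", "lateral attacks", 8.4),
        ThreatEvent("AMP for Endpoints", "convicted", 9.6),
    ]
    trace = [(STAGE_NAME[dev.risk], [])]
    for ev in events:
        trace.append((STAGE_NAME[dev.risk if False else Risk(max(dev.risk, risk_for_score(ev.score)))], apply_event(dev, ev)))
    return trace


if __name__ == "__main__":
    for stage, blocked in run_scenario():
        print(f"{stage:<14} newly blocked: {blocked or '-'}")
```

The point a defender should take from the trace is that each step removes exactly one more destination, so the matrix can be reviewed row by row for what a compromised device can still reach at every stage; the ratchet in apply_event is what prevents a later low-scoring event from silently reopening access before an admin has remediated.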