The document discusses automating security tasks through various solutions from Cisco. It introduces the Cisco Advanced Malware Protection (AMP) solution, which uses machine learning to detect known and unknown malware across endpoints, networks, and email. It also introduces Cisco Cognitive Threat Analytics, which analyzes web traffic using machine learning to detect anomalous and malicious activity inside organizations. The document provides examples of how these solutions can automate tasks like hunting for threats, detecting anomalies, and attributing suspicious activity to specific entities. It includes demos of the AMP and Cognitive Intelligence user interfaces.

1. AMP CANADA V2
Automating your Security with Cisco
Canada • October 2018
Zero to Sixty
Sean Earhard
Advanced Threat Solution Specialist
647-988-4945 / seearhar@cisco.com
Hussain Mohammed
Advanced Threat Solutions CSE
514-623-3779 / mohhuss3@cisco.com

2. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Actionable info on how organizations of any size are automating their
most common and challenging security tasks
Agenda

3. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Must automation=work?

4. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
( )p i tes
effective security protection information time
x= +
what is required
for security to be
automated?
what happens
when security is
99% effective?

5. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Mimic
verb
1. to imitate or copy in action

6. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
8 automation examples

7. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
There are many broad models

8. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Model: F3EAD

9. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Mimic:
Hunt for threats inside the environment
• Find: Identify dormant or active files inside the environment that
are threats
• Fix: Verification of the targets
• Finish: Take action against the attack
• Exploit: Collect the information generated from the finish phase
• Analyze: Develop the information collected by fusing it with
broader intelligence to gain a deeper understanding of the threat
and actor.
• Disseminate: Publish the results to feed back into the initial (Find)
stage

10. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
React to alerts or user tickets, identify target machine(s), remove machines from service,
verify and/or or reimage, add blocking to consoles, repeat, repeat, repeat, repeat, repeat,
repeat, repeat, repeat, repeat, repeat, repeat, repeat, repeat, repeat, repeat, repeat, repeat,
repeat, repeat, repeat, repeat, repeat, repeat, repeat, repeat, repeat, repeat, repeat, repeat,
repeat, repeat, repeat, repeat, repeat, repeat, repeat, repeat, repeat, repeat, repeat, repeat,
repeat, repeat, repeat, repeat, repeat, repeat, repeat, repeat, repeat, repeat, repeat, repeat,
repeat, repeat, repeat, repeat, repeat, repeat, repeat, repeat, repeat, repeat, repeat, repeat,
repeat, repeat, repeat, repeat, repeat, repeat, repeat, repeat, repeat, repeat, repeat, repeat,
repeat, repeat, repeat, repeat, repeat, repeat, repeat, repeat, repeat, repeat, repeat, repeat,
repeat, repeat, repeat, repeat, repeat, repeat, repeat, repeat, repeat, repeat, repeat, repeat,
repeat, repeat, repeat, repeat, repeat, repeat, repeat, repeat, repeat, repeat, repeat, repeat,
repeat, repeat, repeat, repeat, repeat, repeat, repeat, repeat, repeat, repeat, repeat, repeat,
repeat, repeat, repeat, repeat, repeat, repeat, repeat, repeat, repeat, repeat, repeat, repeat,
repeat, repeat, repeat, repeat, repeat, repeat, repeat, repeat, repeat, repeat, repeat, repeat,
repeat, repeat, repeat, repeat, repeat, repeat, repeat, repeat, repeat, repeat, repeat, repeat,
repeat, repeat, repeat, repeat, repeat, repeat, repeat, repeat, repeat…

11. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Rules and more rules and more rules and more rules and more rules and more rules and
more rules and more rules and more rules and more rules and more rules and more rules and
more rules and more rules and more rules and more rules and more rules and more rules and
more rules and more rules and more rules and more rules and more rules and more rules and
more rules and more rules and more rules and more rules and more rules and more rules and
more rules and more rules and more rules and more rules and more rules and more rules and
more rules and more rules and more rules and more rules and more rules and more rules and
more rules and more rules and more rules and more rules and more rules and more rules and
more rules and more rules and more rules and more rules and more rules and more rules and
more rules and more rules and more rules and more rules and more rules and more rules and
more rules and more rules and more rules and more rules and more rules and more rules and
more rules and more rules and more rules and more rules and more rules and more rules and
more rules and more rules and more rules and more rules and more rules and more rules and
more rules and more rules and more rules and more rules and more rules and more rules and
more rules and more rules and more rules and more rules and more rules and more rules and
more rules and more rules and more rules and more rules and…

12. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Solution:
Cisco AMP
Continuous Analysis and
Retrospective Detection
Patented technology that—even after a file is initially inspected—continues to compare the
files inside your environment with the global threat landscape. By correlating your history
with the latest threat intelligence from Talos, hunts inside your environment to expose
and block threats.

13. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
THREATGRID
Cisco AMP
The largest
commercial threat
intelligence team in
the world
AMPThreat Intelligence Cloud
AMP
for Email
AMP
for Network
Firewall & IPS
AMP
for Web
AMP
for Meraki
MX
DNS Umbrella
AMP for
Endpoints
Continuous
Analysis and
Retrospective
Detection correlate
the latest threat
intel with the
history of your
environment

14. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
DEMOAMP FOR ENDPOINTS

15. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
• Overview:
https://www.cisco.com/c/en/us/products/security/amp-for-
endpoints/index.html
Know More: AMP for Endpoints

16. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Mimic:
Hunt for Anomalous Events
• Find: Anomalies
• Fix: Verification of the targets
• Finish: Take action against the attack
• Exploit: Collect the information generated from the finish phase
• Analyze: Develop the information collected by fusing it with
broader intelligence to gain a deeper understanding of the threat
and actor.
• Disseminate: Publish the results to feed back into the initial (Find)
stage

17. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Time and research and patience and testing and verification and reducing the noise and
chasing false positives and more time and more research and more patience and more testing
and more verification and more reducing the noise and more chasing false positives and
more time and more research and more patience and more testing and more verification and
more reducing the noise and more chasing false positives and more time and more research
and more patience and more testing and more verification and more reducing the noise and
more chasing false positives and more time and more research and more patience and more
testing and more verification and more reducing the noise and more chasing false positives
and more time and more research and more patience and more testing and more verification
and more reducing the noise and more chasing false positives and more time and more
research and more patience and more testing and more verification and more reducing the
noise and more chasing false positives and more time and more research and more patience
and more testing and more verification and more reducing the noise and more chasing false
positives and more time and more research and more patience and more testing and more
verification and more reducing the noise and more chasing false positives and more time and
more research and more patience and more testing and more verification and more reducing
the noise and more chasing false positives and…

18. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Solution:
Cognitive Intelligence
Analyzing billions of web requests daily, Cognitive Intelligence uses machine learning to
find malicious activity that has bypassed security controls, or entered through
unmonitored channels (including removable media or IoT devices), and is operating
inside an organization’s environment.

19. Layer 1
Layer 2
AMP
CTA
CWS PREMIUM
AMP
CTA
Layer 3
File Reputation Anomaly
detection
Trust
modeling
Event classification Entity modeling
Dynamic
Malware
Analysis
File
Retrospection
Relationsh
CTA
Identify suspicious traffic with Anomaly
Detection
Normal
Unknown
Anomalous
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
Anomaly Detection
10B+ requests are processed
daily by 40+ detectors
Each detector provides its
own anomaly score
Aggregated scores are used to
segregate the normal traffic

20. Layer 1
Layer 2
AMP
CTA
AMP
CTA
Layer 3
File Reputation Anomaly
detection
Trust
modeling
Event classification Entity modeling
Dynamic
Malware
Analysis
File
Retrospection
Relationsh
CTA
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
Reduce false positives with Trust Modeling
Anomalous
Normal
Unknown
Unknown
Normal
Unknown
Unknown
Unknown
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
RequestHTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
RequestHTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
Trust Modeling
HTTP(S) requests with similar attributes are
clustered together
Over time, the clusters adjust their overall anomaly
score as new requests are added

21. Layer 1
Layer 2
AMP
CTA
AMP
CTA
Layer 3
File Reputation Anomaly
detection
Trust
modeling
Event classification Entity modeling
Dynamic
Malware
Analysis
File
Retrospection
Relationsh
CTA
Categorize requests with Event Classification
Keep as legitimate
Alert as malicious
Keep as suspicious
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
Media website
Software update
Certificate status
check
Tunneling
Domain generated
algorithm
Command and control
Suspicious extension
Repetitive requests
Unexpected destination
Event Classification
1,000+ classifiers are applied to a small subset of
the anomalous and unknown clusters
Requests’ anomaly scores update based on their
classifications

22. Layer 1
Layer 2
AMP
CTA
CWS PREMIUM
AMP
CTA
Layer 3
File Reputation Anomaly
detection
Trust
modeling
Event classification Entity modeling
Dynamic
Malware
Analysis
File
Retrospection
Relatio
CTA
Attribute anomalous requests to endpoints
and identify threats with Entity Modeling
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
THREAT
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
THREAT HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
THREAT
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
THREAT
HTTP(S)
Request
THREAT
Entity Modeling
A threat is triggered when the significance
threshold is reached
New threats are triggered as more evidence
accumulates over time

23. Layer 1
Layer 2
AMP
CTA
CWS PREMIUM
AMP
CTA
Lay
File Reputation Anomaly
detection
Trust
modeling
Event classification Entity modeling
Dynamic
Malware
Analysis
File
Retrospection
Relationsh
CTA
Company B
Company C
Determine if a threat is part of a threat
campaign with Relationship Modeling
Attack Node 1
Attack Node 2
Company A Company A Company A
Phase 1 Phase 2 Phase 3
Threat
Type 1
Threat
Type 1
Threat
Type 2
Incident
Incident
Incident
Incident
Similarity Correlation Infrastructure Correlation
Company B
Company C
Company B
Company C
Incident
Incident
Incident
Incident
Incident
Incident
Incident
Incident
Global
behavioral
similarity
Local
behavioral
similarity Local &
global
behavioral
similarity
Shared
threat
infrastructur
e
Entity Modeling

24. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
DEMOCOGNITIVE INTELLIGENCE

25. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
• Overview:
https://www.cisco.com/c/en/us/products/security/cognitive-threat-
analytics/index.html
Know More: Cognitive Intelligence

26. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Mimic:
The Hunt for Exploit Attempts
• Find: Suspicious Events – Exploit attempts
• Fix: verification of the targets
• Finish: Take action against the attack
• Exploit: Collect the information generated from the finish phase
• Analyze: Develop the information collected by fusing it with
broader intelligence to gain a deeper understanding of the threat
and actor.
• Disseminate: Publish the results to feed back into the initial (Find)
stage

27. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Rules and more rules and more rules and more rules and more rules and more rules and
more rules and more rules and more rules and more rules and more rules and more rules and
more rules and more rules and more rules and more rules and more rules and more rules and
more rules and more rules and more rules and more rules and more rules and more rules and
more rules and more rules and more rules and more rules and more rules and more rules and
more rules and more rules and more rules and more rules and more rules and more rules and
more rules and more rules and more rules and more rules and more rules and more rules and
more rules and more rules and more rules and more rules and more rules and more rules and
more rules and more rules and more rules and more rules and more rules and more rules and
more rules and more rules and more rules and more rules and more rules and more rules and
more rules and more rules and more rules and more rules and more rules and more rules and
more rules and more rules and more rules and more rules and more rules and more rules and
more rules and more rules and more rules and more rules and more rules and more rules and
more rules and more rules and more rules and more rules and more rules and more rules and
more rules and more rules and more rules and more rules and more rules and more rules and
more rules and more rules and more rules and more rules and…

28. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Solution:
AMP for Endpoints Exploit
Prevention
Monitors process and disk activity for specific behaviors associated to key stages in
ransomware execution—beginning with file download and execution, through to file
encryption. When a process begins to exhibit those behaviors, malicious activity
protection terminates it.

29. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Applications in a modern operating
system based on virtual memory all
access their own address space,
which the system then maps to
locations in physical memory
and/or in the VM file on disk.

30. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Make the memory
unpredictable by
changing the memory
structure
Make the app aware
of legitimate memory
structure
Any code accessing
the old memory
structure is malware

31. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Mimic:
Hunt for Ransomware Encryption
• Find: Ransomware encryption activity
• Fix: verification of the targets
• Finish: Take action against the attack
• Exploit: Collect the information generated from the finish phase
• Analyze: Develop the information collected by fusing it with
broader intelligence to gain a deeper understanding of the threat
and actor.
• Disseminate: Publish the results to feed back into the initial (Find)
stage

32. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

33. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Solution:
AMP for Endpoints:
Malicious Activity Protection
(MAP)
Analyzing billions of web requests daily, Cognitive Intelligence uses machine learning to
find malicious activity that has bypassed security controls, or entered through
unmonitored channels (including removable media or IoT devices), and is operating
inside an organization’s environment.

34. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Endpoint
Network
Dropper
C2 Callbacks
Payloads
Command and
Control
Dropper
Executes
Email
Opened
File
Encryption
Delete
Shadow
Copies
Payload
Download
Succeeds
Key
Exchange
Email
Payload Download
Attempts
18
26 False Negatives
Blocks
Dropper
Arrives
User calls the
helpdesk to ask
why IT is
encrypting the
machine

35. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
DEMOEXPLOIT PREVENTION AND
MALICIOUS ACTIVITY
PREVENTION

36. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
• Overview:
https://www.cisco.com/c/en/us/products/security/cognitive-threat-
analytics/index.html
• Overview:
https://blogs.cisco.com/security/secure-your-endpoints-against-
ransomware-introducing-malicious-activity-protection
Know More: AMP for Endpoints
Exploit Prevention
Malicious Activity Protection

37. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

38. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Mimic:
Hunt for Threats in Encrypted Traffic
• Find: Malware inside encrypted traffic
• Fix: verification of the targets
• Finish: Take action against the attack
• Exploit: Collect the information generated from the finish phase
• Analyze: Develop the information collected by fusing it with
broader intelligence to gain a deeper understanding of the threat
and actor.
• Disseminate: Publish the results to feed back into the initial (Find)
stage

39. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
“You can’t see
what?”

40. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Solution:
Encrypted Traffic Analytics
With intraflow telemetry captured on Catalyst 9000 switches and ISR 4000 and ASR
1000 routers, Cisco hunts for malware in encrypted traffic.

41. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

42. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
• Overview:
https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-
networks/enterprise-network-security/nb-09-encrytd-traf-anlytcs-
wp-cte-en.pdf
Know More: Encrypted Traffic Analytics (ETA)

43. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Mimic:
Dynamic Threat Containment
• Find: Evidence of a compromise
• Fix: verification of the targets
• Finish: Take action against the attack
• Exploit: Collect the information generated from the finish phase
• Analyze: Develop the information collected by fusing it with
broader intelligence to gain a deeper understanding of the threat
and actor.
• Disseminate: Publish the results to feed back into the initial (Find)
stage

44. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Solution:
Rapid Threat Containment
Use the open integration of Cisco security products, technologies from Cisco partners,
and the extensive network control of the Cisco Identity Services Engine (ISE) to
dynamically respond to compromises.

45. Rapid Threat Containment in Action
Get Answers Faster
Use Cisco® Platform Exchange Grid
(pxGrid) partner technologies to find
threats faster
Stop Attacks Faster
Use the network to contain attacks
manually or automatically
Protect Critical Data Faster
Dynamically restrict access
permissions or remove a device as
its threat score worsens
SIEM
Firepower
Firewall
Custom
Detection
Stealthwatch
Network
Switch Router DC FW DC SwitchWireless
Network as an Enforcer ThreatSecurity Intelligence
Automatic or Initiated by IT Admin
~5 Seconds
ISE
pxGrid

46. I0I0 0I00 I00I
I0I0 0I00 I00I
I0I0 0I00 I00I
Rapid Threat Containment
 Access privileges dynamically change with threat or vulnerability score
 Ratings based on open, structured expressions
STIX: Structured Threat Information Expression
AMP
CVSS: Common Vulnerability Scoring System
Access Policy
Cisco ISE
Destination
Worker
Guest
Finance
E-mail
Internet
Remediation
Source
Worker
Guest
Risk L1
Risk L2
Risk L3
Risk L4
Insignificant
Worker has open access to other
workers, finance, email, and internet1

47. Rapid Threat Containment
 Access privileges dynamically change with threat or vulnerability score
 Ratings based on open, structured expressions
I0I0 0I00 I00I
I0I0 0I00 I00I
I0I0 0I00 I00I
AMP
Cisco ISE
Distracting
Destination
Worker
Guest
Finance
E-mail
Internet
Remediation
Source
Worker
Guest
Risk L1
Risk L2
Risk L3
Risk L4
Access Policy
STIX: Structured Threat Information Expression
CVSS: Common Vulnerability Scoring System
Malware on the device is identified by
AMP for Endpoints2

48. Rapid Threat Containment
I0I0 0I00 I00I
I0I0 0I00 I00I
I0I0 0I00 I00I
 Access privileges dynamically change with threat or vulnerability score
 Ratings based on open, structured expressions
Painful
AMP
Access Policy
Cisco ISE
Destination
Worker
Guest
Finance
E-mail
Internet
Remediation
Source
Worker
Guest
Risk L1
Risk L2
Risk L3
Risk L4
STIX: Structured Threat Information Expression
CVSS: Common Vulnerability Scoring System
Threat activity escalates (ping
sweeps) which changes risk profile3

49. Rapid Threat Containment
 Access privileges dynamically change with threat or vulnerability score
 Ratings based on open, structured expressions
I0I0 0I00 I00I
I0I0 0I00 I00I
I0I0 0I00 I00I
AMP
Cisco ISE
Damaging
Destination
Worker
Guest
Finance
E-mail
Internet
Remediation
Source
Worker
Guest
Risk L1
Risk L2
Risk L3
Risk L4
Access Policy
STIX: Structured Threat Information Expression
CVSS: Common Vulnerability Scoring System
Lateral attacks trigger another
increase in risk profile4

50. Rapid Threat Containment
 Access privileges dynamically change with threat or vulnerability score
 Ratings based on open, structured expressions
I0I0 0I00 I00I
I0I0 0I00 I00I
I0I0 0I00 I00I
AMP
Cisco ISE
Convicted
Destination
Worker
Guest
Finance
E-mail
Internet
Remediation
Source
Worker
Guest
Risk L1
Risk L2
Risk L3
Risk L4
Access Policy
STIX: Structured Threat Information Expression
CVSS: Common Vulnerability Scoring System
Device is isolated in the Remediation
security group5

51. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
• Overview:
https://www.cisco.com/c/en/us/solutions/enterprise-
networks/rapid-threat-containment/index.html
Know More: Rapid Threat Containment

52. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Mimic:
Sharing Threat Intel Between Vendors
• Find: Evidence of a compromise
• Fix: verification of the targets
• Finish: Take action against the attack
• Exploit: Collect the information generated from the finish phase
• Analyze: Develop the information collected by fusing it with
broader intelligence to gain a deeper understanding of the threat
and actor.
• Disseminate: Publish the results to feed back into the initial (Find)
stage

53. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Memorize every console and jump between them as fast as you can…
…or…
buy a SIEM and…
connect that SIEM to all the things and…
get the SIEM producing and…
keep that SIEM producing

54. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Solution:
Threat Grid
Accelerate malware threat detection and response with a powerful API that integrates
and automates existing security products and processes.

55. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Supported Integrations & PartnersAMP Solutions Select Recipe Integrations Select Threat Feed Integrations
Glove Box interactive malware lab
Automated correlation of behavior between samples
2-way API integration with non-Cisco tools
Advanced file analysis
Cisco AMP Threat Grid Cloud

56. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Supported Integrations & PartnersAMP Solutions Select Recipe Integrations Select Threat Feed Integrations
Glove Box interactive malware lab
Automated correlation of behavior between samples
2-way API integration with non-Cisco tools
Advanced file analysis
Cisco AMP Threat Grid Appliance

57. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
DEMOTHREAT GRID

58. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
• Overview:
https://www.cisco.com/c/en/us/products/security/threat-
grid/index.html
Know More: Threat Grid

59. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Mimic:
The full lifecycle of Incident Response
• Find: Evidence of a compromise (picking up the scent)
• Fix: verification of the targets (following the scent)
• Finish: Take action against the attack (eradicating the source)
• Exploit: Collect the information generated from the finish phase
• Analyze: Develop the information collected by fusing it with
broader intelligence to gain a deeper understanding of the threat
and actor.
• Disseminate: Publish the results to feed back into the initial (Find)
stage

60. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Find: Threat intel (external)
Fix: Match to targets in your environment (internal)
Finish: Stop the attack (internal)
Exploit: Collect internal intel from the finish stage (internal)
Analyze: Add external info to deepen understanding (external)
Disseminate: Publish the results to repeat the Find phase (internal)

61. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Solution:
Cisco Threat Response
Simplifies security investigations and incident response. It aggregates threat intelligence,
enriches that intelligence with context from your organization, and shows where you’re
impacted. And it places response actions right at your fingertips.

62. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
UNSTRUCTURED
SNAP-
SHOTS
CASE-
BOOKS
QUERY ALL ONE-CLICK QUERY ALL ONE-CLICK PORTABLE
CTR
DISSEMINATEANALYZEEXPLOITFINISHFIXFIND
SOURCES
SOURCES
SOURCES
TOOL
TOOL
TOOL
TOOL
TOOL
TOOL
TOOL
SOURCE
SOURCE
SOURCE
SOURCE
SOURCE
SOURCE
SOURCE
ACTION
ACTION
ACTION
ACTION
ACTION
ACTION
ACTION
PIVOT
PIVOT
PIVOT
PIVOT
PIVOT
PIVOT
PIVOT
1.8
or…

63. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
DEMOCISCO THREAT RESPONSE

64. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
• Overview:
https://www.cisco.com/c/en/us/products/security/threat-
response.html
Know More: Cisco Threat Response (CTR)

65. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
CONCLUSION

66. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
( )p i tes
effective security protection information time
x= +
what is required
for security to be
automated?
what happens
when security is
99% effective?