Cisco Security: Sourcefire Deep Dive
Cisco Quick Hit Briefing
Brian Avery, Territory Business Manager, Cisco
This session was recorded via Cisco WebEx! You can watch the live session recording via the following URL:
https://acecloud.webex.com/acecloud/lsr.php?RCID=48db113ab90b4883aef8d5641c47d8ca
Thanks for your interest and participation!
Connect using the audio conference box or you can call into the meeting:
1. Toll-Free: (866) 432-9903
2. Enter Meeting ID: 300 430 485 and your attendee ID number.
3. Press “1” to join the conference.
Presentation Agenda
► Quick Hits and Customer Education
► Security in the 21st Century
► Cisco Security Overview
► Sourcefire Deep Dive
► Conclusion
About Your Host: Brian Avery, Territory Business Manager, Cisco Systems, Inc.
Cisco Confidential 4C97-731719-02 © 2014 Cisco and/or its affiliates. All rights reserved.
What Is a Quick Hit Briefing?
• A weekly partner briefing series designed for Cisco Commercial Territory partners
• Concise, relevant updates on:
• Cisco products and solutions
• Partner programs and promotions
• Partner Enablement – Demand Generation, Selling Skills, Closing Tools, etc.
• Welcome to Quick Hit Briefing #137 – 28,222 attendees and growing!
Customer-facing WebEx Events - Let us sell for you!
Next event – Wednesday Nov 11th @ 1:30 p.m.
You've Already Been Hacked. Now What? Cisco Next-Gen Security Can Help
Registration link | Invitation
Invite your customers to attend and we will notify you if they do!
Access registration links, invites and replays at: http://cs.co/cisco101
NEW! Cisco Customer Education Series (CCE)
Security in the 21st Century
The Reality: Organizations Are Under Attack
Timeline, 1990 to 2020: Viruses (1990–2000); Worms (2000–2005); Spyware and Rootkits (2005–Today); APTs, Cyberware (Today +). Over the same period the attacker profile moves from phishing and low-sophistication hacking, to hacking becoming an industry, to sophisticated attacks in a complex landscape.
• 95% of large companies targeted by malicious traffic
• 100% of organizations interacted with websites hosting malware
• Cybercrime is lucrative, barrier to entry is low
• Hackers are smarter and have the resources to compromise your organization
• Malware is more sophisticated
• Organizations face tens of thousands of new malware samples per hour
Source: 2014 Cisco Annual Security Report
Dynamic Threat Landscape
It is a community that hides in plain sight, avoids detection, and attacks swiftly
• 60% of data is stolen in hours
• 54% of breaches remain undiscovered for months
• 100% of companies connect to domains that host malicious files or services
Your customer says…
“I am just a small fish in a BIG pond.”
Yet organizations of every size are targets
Adversaries are attacking you by targeting your organization's customer data, intellectual property, and company secrets; and they are using you to attack your enterprise customers and partners.
• 60% of UK small businesses were compromised in 2014 (2014 Information Security Breaches Survey)
• 100% of corporate networks examined had malicious traffic (Cisco 2014 Annual Security Report)
• 41% of targeted attacks are against organizations with fewer than 500 employees (July 2014, The National Cyber Security Alliance (NCSA))
If you knew you were going to be compromised, would you do security differently?
Cisco Security Overview
Defending Against These Advanced Threats Requires Greater Visibility and Control Across the Full Attack Continuum
Attack Continuum
• Before: Discover, Enforce, Harden
• During: Detect, Block, Defend
• After: Scope, Contain, Remediate
Across: Network, Endpoint, Mobile, Virtual, Cloud, Email & Web
Point in Time and Continuous
Defending Against These Advanced Threats Requires Greater Visibility and Control Across the Full Attack Continuum
Attack Continuum
• Before: Discover, Enforce, Harden
• During: Detect, Block, Defend
• After: Scope, Contain, Remediate
Cisco portfolio across the continuum: FireSIGHT and pxGrid; ASA VPN; NGFW; Meraki; Advanced Malware Protection; Network as Enforcer; NGIPS; ESA/WSA; CWS; Secure Access + Identity Services; ThreatGRID
Comprehensive Security Requires
• Breach Prevention
• Rapid Breach Detection, Response, Remediation
• Threat Intelligence
Source: http://www.pcworld.com/article/2109210/report-average-of-82-000-new-malware-threats-per-day-in-2013.html
Cisco Sourcefire
Advanced Malware Protection
Cisco Advanced Malware Protection: Built on unmatched collective security intelligence
• 1.6 million global sensors
• 100 TB of data received per day
• 150 million+ deployed endpoints
• 600 engineers, technicians, and researchers
• 35% worldwide email traffic
• 13 billion web requests
• 24x7x365 operations
• 4.3 billion web blocks per day
• 40+ languages
• 1.1 million incoming malware samples per day
• AMP Threat Grid Dynamic Analysis: 10 million files/month
Intelligence sources feeding the Cisco® Collective Security Intelligence Cloud: AMP Community; Private/Public Threat Feeds; Talos Security Intelligence; AMP Threat Grid Intelligence; Advanced Microsoft and Industry Disclosures; Snort and ClamAV Open Source Communities; AEGIS Program
Control points receiving automatic updates in real time: Email, Endpoints, Web, Networks, IPS, Devices
AMP: Advanced Malware Protection
Cisco AMP Threat Grid Feeds Dynamic Malware Analysis and Threat Intelligence to the AMP Solution
1. Analyst or system (API) submits suspicious sample to Threat Grid (low prevalence files)
2. An automated engine observes, deconstructs, and analyzes using multiple techniques: proprietary techniques for static and dynamic analysis, an "outside looking in" approach, and 350 behavioral indicators
3. The Cisco® AMP Threat Grid platform correlates the sample result with millions of other samples and billions of artifacts (threat score/behavioral indicators, big data correlation, sample and artifact intelligence database)
4. Actionable threat content and intelligence is generated that can be utilized by AMP, or packaged and integrated into a variety of existing systems or used independently (threat feeds, actionable intelligence)
Cisco AMP Delivers a Better Approach
• Point-in-Time Protection: File Reputation, Sandboxing, and Behavioral Detection
• Retrospective Security: Continuous Analysis (unique to Cisco® AMP)
Cisco AMP Defends With Reputation Filtering And Behavioral Detection
Point-in-Time Detection and Retrospective Security, built on Cisco Collective Security Intelligence: Continuous Protection
• Reputation Filtering: One-to-One Signature; Fuzzy Finger-printing; Machine Learning
• Behavioral Detection: Dynamic Analysis; Advanced Analytics; Indications of Compromise; Device Flow Correlation
Reputation Filtering Is Built On Three Features: One-to-One Signature
1. Unknown file is encountered, signature is analyzed, sent to the Collective Security Intelligence Cloud
2. File is not known to be malicious and is admitted
3. Unknown file is encountered, signature is analyzed, sent to cloud
4. File signature is known to be malicious and is prevented from entering the system
Reputation Filtering Is Built On Three Features: Fuzzy Finger-printing
1. Fingerprint of file is analyzed by the Collective Security Intelligence Cloud and determined to be malicious
2. Malicious file is not allowed entry
3. Polymorphic form of the same file tries to enter the system
4. The fingerprints of the two files are compared and found to be similar to one another
5. Polymorphic malware is denied entry based on its similarity to known malware
Reputation Filtering Is Built On Three Features: Machine Learning Decision Tree
Decision tree outcomes: possible clean file or possible malware, then confirmed clean file or confirmed malware
1. Metadata of unknown file is sent to the cloud to be analyzed
2. Metadata is recognized as possible malware
3. File is compared to known malware and is confirmed as malware
4. Metadata of a second unknown file is sent to cloud to be analyzed
5. Metadata is similar to known clean file, possibly clean
6. File is confirmed as a clean file after being compared to a similarly clean file
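As an added illustration of the first two reputation-filtering features described above (this is not code from Cisco or the AMP product), the following Python models the one-to-one signature lookup and a fuzzy fingerprint that blocks a polymorphic variant by similarity to a known-bad file; the shingle size, the threshold and the sample byte strings are constructed assumptions, and the machine-learning stage is not modelled.

```python
# Added example (not Cisco's code): a toy reputation filter with the two deterministic
# stages shown above. Stage 1 is a one-to-one signature (exact SHA-256 match); stage 2
# is a fuzzy fingerprint (byte-shingle Jaccard similarity) that still matches a
# polymorphic variant of a known file. The ML decision tree stage is not modelled.
import hashlib
from typing import Dict, Tuple

SHINGLE_LEN = 4            # assumption: byte n-gram size for the fuzzy fingerprint
SIMILARITY_THRESHOLD = 0.7  # assumption: minimum Jaccard score to inherit a verdict


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def fuzzy_fingerprint(data: bytes) -> frozenset:
    """Set of overlapping byte n-grams. Changing padding or inserting a block elsewhere
    in the file leaves most shingles untouched, which is what lets a variant match."""
    return frozenset(data[i:i + SHINGLE_LEN] for i in range(len(data) - SHINGLE_LEN + 1))


def similarity(a: frozenset, b: frozenset) -> float:
    """Jaccard similarity of two shingle sets, in [0, 1]."""
    if not a or not b:
        return 0.0
    return len(a & b) / len(a | b)


class ReputationFilter:
    def __init__(self) -> None:
        self.known_bad: Dict[str, frozenset] = {}    # sha256 -> fuzzy fingerprint
        self.known_clean: Dict[str, frozenset] = {}

    def learn(self, data: bytes, malicious: bool) -> None:
        store = self.known_bad if malicious else self.known_clean
        store[sha256_hex(data)] = fuzzy_fingerprint(data)

    def disposition(self, data: bytes) -> Tuple[str, str]:
        """Return (disposition, reason). 'unknown' means neither stage could decide;
        in the flow above such a file would go on to dynamic analysis."""
        digest = sha256_hex(data)
        # Stage 1: one-to-one signature, exact hash match against the cloud's lists
        if digest in self.known_bad:
            return "malicious", "one-to-one signature"
        if digest in self.known_clean:
            return "clean", "one-to-one signature"
        # Stage 2: fuzzy fingerprint, inherit the verdict of the most similar known file
        fp = fuzzy_fingerprint(data)
        best_label, best_score, best_digest = "unknown", 0.0, ""
        for label, store in (("malicious", self.known_bad), ("clean", self.known_clean)):
            for known_digest, known_fp in store.items():
                score = similarity(fp, known_fp)
                if score > best_score:
                    best_label, best_score, best_digest = label, score, known_digest
        if best_score >= SIMILARITY_THRESHOLD:
            return best_label, f"fuzzy fingerprint {best_score:.2f} to {best_digest[:12]}"
        return "unknown", f"best fuzzy match {best_score:.2f} below threshold"


# Constructed samples: a "known bad" blob, a polymorphic variant of it (same core bytes,
# different padding plus an inserted block at the front), and an unrelated clean blob.
CORE = bytes(range(0, 200))
KNOWN_BAD = b"MZ" + CORE + b"PAD-A" * 8
VARIANT = b"MZ" + b"\x90" * 16 + CORE + b"PAD-B" * 8
CLEAN = b"MZ" + bytes(range(255, 55, -1)) + b"LIB" * 10


def build_filter() -> ReputationFilter:
    rf = ReputationFilter()
    rf.learn(KNOWN_BAD, malicious=True)
    rf.learn(CLEAN, malicious=False)
    return rf


if __name__ == "__main__":
    rf = build_filter()
    for name, sample in (("known bad", KNOWN_BAD), ("variant", VARIANT),
                         ("clean", CLEAN), ("fresh", b"something never seen before" * 3)):
        print(name, rf.disposition(sample))
```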
Behavioral Detection Is Built On Four Features: Indications of Compromise
1. File of unknown disposition is encountered
2. File replicates itself and this information is communicated to the cloud
3. File communicates with malicious IP addresses or starts downloading files with known malware disposition
4. Combination of activities indicates a compromise and the behavior is reported to the cloud and AMP client
5. These indications are prioritized and reported to the security team as possible compromise
Behavioral Detection Is Built On Four Features: Dynamic Analysis
1. Dynamic Analysis Engine executes unknown files in on-premises or cloud sandboxes powered by Cisco® AMP Threat Grid
2. Two files are determined to be malware, one is confirmed as clean
3. Intelligence Cloud is updated with analysis results, and retrospective alerts are broadcast to users (the Collective User Base)
Behavioral Detection Is Built On Four Features: Cisco® AMP Threat Grid Analysis (Advanced Analytics)
1. Receives information regarding software unidentified by Reputation Filtering appliances
2. Receives context regarding unknown software from the Collective User Base
3. Analyzes file in light of the information and context provided
4. Identifies the advanced malware and communicates the new signature to the user base
Behavioral Detection Is Built On Four Features: Device Flow Correlation
1. Device Flow Correlation monitors communications of a host on the network
2. Two unknown files are seen communicating with a particular IP address (in the slide example, IP 64.233.160.0)
3. One is sending information to the IP address, the other is receiving commands from the IP address
4. Collective Security Intelligence Cloud recognizes the external IP as a confirmed, malicious site
5. Unknown files are identified as malware because of the association
Cisco AMP Defends With Retrospective Security
To be effective, you have to be everywhere, continuously.
Why Continuous Protection Is Necessary
Breadth and control points: Web, Endpoints, Network, Email, Devices, Gateways
Telemetry stream (continuous feed, continuous analysis): File Fingerprint and Metadata; Process Information; File and Network I/O
Intelligence: Talos + Threat Grid Intelligence
Why Continuous Protection Is Necessary
Context (Who, What, Where, When, How), Enforcement, and Continuous Analysis, backed by Event History and Collective Security Intelligence
Cisco AMP Defends With Retrospective Security
Retrospective security is built on: Trajectory; Behavioral Indications of Compromise; Elastic Search; Continuous Analysis; Attack Chain Weaving
Retrospective Security Is Built On… Continuous Analysis
(Components: Trajectory; Behavioral Indications of Compromise; Breach Hunting; Continuous Analysis; Attack Chain Weaving)
1. Performs analysis the first time a file is seen
2. Persistently analyzes the file over time to see if the disposition is changed
3. Giving unmatched visibility into the path, actions, or communications that are associated with a particular piece of software
Retrospective Security Is Built On… Attack Chain Weaving
Uses retrospective capabilities in three ways:
1. File Trajectory records the trajectory of the software from device to device
2. Process Monitoring monitors the I/O activity of all devices on the system
3. Communications Monitoring monitors which applications are performing actions
Attack Chain Weaving analyzes the data collected by File Trajectory, Process, and Communication Monitoring to provide a new level of threat intelligence
Retrospective Security Is Built On… Behavioral Indications of Compromise
Behavioral Indications of Compromise uses continuous analysis and retrospection to monitor systems for suspicious and unexplained activity… not just signatures!
Using the power of Attack Chain Weaving, Cisco® AMP is able to recognize patterns and activities of a given file, and identify an action to look for across your environment rather than a file fingerprint or signature
1. An unknown file is admitted into the network
2. The unknown file copies itself to multiple machines
3. Duplicates content from the hard drive
4. Sends duplicate content to an unknown IP address
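The following added Python example (not Cisco's code) runs the two behavioural correlation rules described above, device flow correlation and attack chain weaving, over constructed endpoint telemetry; the event fields, the IP reputation table, the replication threshold and the severities are assumptions made for this example.

```python
# Added example (not Cisco's code). Device flow correlation convicts a file of unknown
# disposition because it exchanges traffic with an IP the intelligence feed already
# lists as malicious. Attack chain weaving raises a behavioural indication of compromise
# only for the combination: replication to several hosts, a bulk read of local content,
# and a send to an IP with no verdict. Fields, thresholds and severities are assumptions.
from collections import defaultdict
from typing import Dict, List

# Constructed intelligence: IPs with a confirmed verdict. Anything absent is "unknown".
IP_REPUTATION: Dict[str, str] = {
    "192.0.2.66": "malicious",     # TEST-NET address standing in for a known bad host
    "198.51.100.10": "clean",      # e.g. the corporate update server
}
REPLICATION_THRESHOLD = 3          # hosts a file must spread to before weaving counts it

# Constructed telemetry as the endpoint connector might report it, one dict per event.
# "file" is a short stand-in for the file hash, "host" the reporting device.
EVENTS: List[Dict[str, str]] = [
    {"t": "10:57", "file": "f00d", "host": "10.4.10.183", "action": "copy_to", "target": "10.5.11.8"},
    {"t": "11:03", "file": "f00d", "host": "10.5.11.8", "action": "copy_to", "target": "10.3.4.51"},
    {"t": "11:10", "file": "f00d", "host": "10.3.4.51", "action": "copy_to", "target": "10.5.60.66"},
    {"t": "11:12", "file": "f00d", "host": "10.5.60.66", "action": "read_bulk", "target": "C:\\Users"},
    {"t": "11:13", "file": "f00d", "host": "10.5.60.66", "action": "send", "target": "203.0.113.9"},
    {"t": "11:20", "file": "beef", "host": "10.4.10.183", "action": "send", "target": "192.0.2.66"},
    {"t": "11:21", "file": "beef", "host": "10.4.10.183", "action": "recv", "target": "192.0.2.66"},
    {"t": "11:30", "file": "cafe", "host": "10.5.11.8", "action": "recv", "target": "198.51.100.10"},
]


def device_flow_correlation(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Rule 1: any file seen sending to or receiving from a confirmed-malicious IP is
    identified as malware by association, whatever its own signature says."""
    findings, seen = [], set()
    for e in events:
        if e["action"] in ("send", "recv") and IP_REPUTATION.get(e["target"]) == "malicious":
            key = (e["file"], e["target"])
            if key not in seen:          # one finding per file/IP pair, not per packet
                seen.add(key)
                findings.append({"file": e["file"], "rule": "device_flow_correlation",
                                 "severity": "high",
                                 "detail": f"communicates with malicious IP {e['target']}"})
    return findings


def attack_chain_weaving(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Rule 2: weave per-file activities together. Each activity alone is ambiguous
    (backup agents copy files, browsers send data); the combination is the indicator."""
    spread, bulk_read, unknown_send = defaultdict(set), set(), defaultdict(set)
    for e in events:
        f = e["file"]
        if e["action"] == "copy_to":
            spread[f].update({e["host"], e["target"]})
        elif e["action"] == "read_bulk":
            bulk_read.add(f)
        elif e["action"] == "send" and e["target"] not in IP_REPUTATION:
            unknown_send[f].add(e["target"])
    findings = []
    for f, hosts in spread.items():
        if len(hosts) >= REPLICATION_THRESHOLD and f in bulk_read and unknown_send[f]:
            findings.append({"file": f, "rule": "behavioral_ioc", "severity": "medium",
                             "detail": f"replicated to {len(hosts)} hosts, bulk read, "
                                       f"sent to unknown IP {sorted(unknown_send[f])[0]}"})
    return findings


def prioritized_indications(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run both rules and order the indications for the security team: a confirmed
    association with known-bad infrastructure outranks a behavioural pattern."""
    order = {"high": 0, "medium": 1, "low": 2}
    findings = device_flow_correlation(events) + attack_chain_weaving(events)
    return sorted(findings, key=lambda x: (order[x["severity"]], x["file"]))


if __name__ == "__main__":
    for ind in prioritized_indications(EVENTS):
        print(ind["severity"], ind["file"], ind["rule"], ind["detail"])
```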
Retrospective Security Is Built On… File Trajectory
File trajectory automatically records propagation of the file across the network (computers, virtual machines, mobile devices and the network itself, reporting to the Collective Security Intelligence Cloud)
1. Unknown file is downloaded to device
2. Fingerprint is recorded and sent to cloud for analysis
3. The unknown file travels across the network to different devices
4. Sandbox analytics determines the file is malicious and notifies all devices
5. If file is deemed malicious, file trajectory can provide insight into which hosts are infected, and it provides greater visibility into the extent of an infection
Retrospective Security Is Built On… Device Trajectory
1. Unknown file is downloaded to a particular device
2. The file executes
3. Device trajectory records this, the parent process lineage, and all actions performed by the file
4. File is convicted as malicious and the user is alerted to the root cause and extent of the compromise
Retrospective Security Is Built On… Elastic Search
1. Elastic Search is the ability to use the indicators generated by Behavioral IoCs to monitor and search for threats across an environment
2. When a threat is identified, it can be used to search for and identify if that threat exists anywhere else
3. This function enables quick searches to aid in the detection of files that remain unknown but are malicious
Cisco AMP Provides Contextual Awareness and Visibility That Allows You to Take Control of an Attack Before It Causes Damage
• What: These applications are affected
• Where: The breach affected these areas
• When: This is the scope of exposure over time
• How: Here is the origin and progression of the threat
• Who: Focus on these users first
Cisco AMP Everywhere Strategy Means Protection Across the Extended Network
AMP (Advanced Malware Protection) deployment points:
• AMP for Networks
• AMP on Web & Email Security Appliances
• AMP on Cisco® ASA Firewall with FirePOWER Services
• AMP for Endpoints (Mac OS, Windows OS, Android Mobile, Virtual)*
• AMP for Cloud Web Security (CWS) & Hosted Email
• AMP Private Cloud Virtual Appliance
• AMP Threat Grid: Malware Analysis + Threat Intelligence Engine, Appliance or Cloud
*AMP for Endpoints can be launched from AnyConnect
There Are Several Ways You Can Deploy AMP
AMP (Advanced Malware Protection) deployment options:
AMP on Email and Web; Cisco® ASA; CWS
• Method: License with ESA, WSA, CWS, or ASA customers
• Ideal for: New or existing Cisco CWS, Email/Web Security, ASA customers
• Details: ESA/WSA: prime visibility into email/web; CWS: web and advanced malware protection in a cloud-delivered service; AMP capabilities on ASA with FirePOWER Services
AMP for Networks (AMP on FirePOWER Network Appliance)
• Method: Snap into your network
• Ideal for: IPS/NGFW customers
• Details: Wide visibility inside network; broad selection of features, before, during, and after an attack; comprehensive threat protection and response
AMP for Endpoints
• Method: Install lightweight connector on endpoints
• Ideal for: Windows, Windows OS for POS, Mac, Android, virtual machines; can also deploy from AnyConnect client
• Details: Granular visibility and control; widest selection of AMP features
AMP Private Cloud Virtual Appliance
• Method: On-premises Virtual Appliance
• Ideal for: High-Privacy Environments
• Details: Private Cloud option for those with high-privacy requirements; can deploy full air-gapped mode or cloud proxy mode; for endpoints and networks
Protection Across Networks
The Network platform uses indications of compromise, file analysis, and in this example file trajectory to show you exactly how malicious files have moved across the environment
Protection Across Endpoints
The Endpoint platform has device trajectory, elastic search, and outbreak control, which in this example is shown quarantining recently detected malware on a device that has the AMP for Endpoints connector installed
Protection Across Web and Email
Cisco® AMP for Web and Email protects against malware threats in web and email traffic by blocking known malware and issuing retrospective alerts when unknown files are convicted
Conclusion
Only Cisco Security Can Deliver… Visibility and Control Across the Full Attack Continuum
Before (Discover, Enforce, Harden), During (Detect, Block, Defend), After (Scope, Contain, Remediate): FireSIGHT and pxGrid; ASA VPN; NGFW; Meraki; Advanced Malware Protection; Network as Enforcer; NGIPS; ESA/WSA; CWS; Secure Access + Identity Services; ThreatGRID
Are You Able to Defend Against Advanced Malware?
1. Assess your customers' current level of endpoint protection
2. Assess your customers' current level of network protection
3. Can your customers detect advanced malware in web and email?
Get Started Now
1. Offer your customers a Proof-of-Value (POV) deployment
2. Determine hardware requirements and configuration changes
3. Select POV length and delivery
4. Schedule kick-off meeting
5. Establish a timeframe and installation date for POV
http://www.cisco.com/web/partners/specializations/security-arch.html
Need Assistance Getting Cisco Express Security Specialized?
Call your Cisco Distributor
• They will navigate with you through the specialization requirements
• They host/sponsor the required AM & SE specialization classes
• Offering FREE* ASA 5506
• Enable you to complete Security Network Assessments – $1,500 spiff available
http://www.cisco.com/web/partners/specializations/express-security/index.html
Sourcefire Resources
• Advanced Malware Protection
• Cisco AMP Threat Grid - Appliances
• Cisco AMP Threat Grid - Cloud
• Cisco Advanced Malware Protection Virtual Private Cloud Appliance
• Cisco Advanced Malware Protection for Endpoints
• Cisco Advanced Malware Protection for Networks
Sourcefire Resources: Customer Case Studies
• Playlist of all Customer Testimonials on AMP
• John Chambers on Cisco Security and AMP
• SHSU uses AMP for Endpoints
• Gartner Video-on-Demand: Strategies to Combat Advanced Threats featuring Cisco AMP
• ADP uses ThreatGrid https://www.youtube.com/watch?v=x7c21CgyH3o&feature=youtu.be
Sourcefire Resources: AMP Demos / Videos
• AMP + Threat Grid External Launch Video
• AMP for Endpoints Overview Video
• NSS Labs Breach Detection System test
• AMP for Networks Overview Video
• AMP on Techwise TV June 2015
• AMP Threat Grid Overview Video
• AMP Overview in 4 Minutes: Meet Tom, the IT Security Guy
Sourcefire Resources: Updated Data Sheets, At-a-Glances, Infographic, Whitepapers
• AMP Solution Overview
• AMP Solution AAG
• AMP for Networks: Data Sheet | AAG
• AMP for Endpoints: Data Sheet | AAG
• Security Everywhere Whitepaper (direct link)
• AMP Threat Grid Solution Overview
• AMP Threat Grid – Appliance: Data Sheet | AAG
• AMP Threat Grid – Cloud: Data Sheet
• Malware Infographic
Call to Action
Invite Your Customers to the next CCE Event
Next event – Wednesday Nov 11th @ 1:30 p.m.: You've Already Been Hacked. Now What? Cisco Next-Gen Security Can Help
Registration link | Invitation
Invite your customers to attend and we will notify you if they do! Access registration links and replays at: http://cs.co/cisco101
Join Us Next Week!
Next Quick Hit Briefing: Big Data = Big $$$$ - Learn how to Monetize Big Data with Cisco
Thursday Nov 5th, 2015 at 9:30 ET
Check http://cs.co/quickhit for registration links and replays
Thank you.
Appendix: How AMP Works
How Cisco AMP Works: Network File Trajectory Use Case
1. An unknown file is present on IP 10.4.10.183, having been downloaded from Firefox
2. At 10:57, the unknown file is transferred from IP 10.4.10.183 to IP 10.5.11.8
3. Seven hours later the file is then transferred to a third device (10.3.4.51) using an SMB application
4. The file is copied yet again onto a fourth device (10.5.60.66) through the same SMB application a half hour later
5. The Cisco® Collective Security Intelligence Cloud has learned this file is malicious and a retrospective event is raised for all four devices immediately
6. At the same time, a device with the AMP for Endpoints connector reacts to the retrospective event and immediately stops and quarantines the newly detected malware
7. Eight hours after the first attack, the malware tries to re-enter the system through the original point of entry but is recognized and blocked
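To make the retrospective flow in this use case (and the file trajectory feature described earlier) concrete, the following added Python example (not Cisco's or AMP's code) keeps a per-hash file trajectory, raises a retrospective event for every device that ever held the file once its disposition changes to malicious, and blocks the later re-entry attempt; the class and field names, the placeholder hash and the exact timestamps are assumptions, while the hosts and their order follow the use case above.

```python
# Added example (not Cisco's code): a minimal file-trajectory store with retrospection.
# Every sighting is recorded by hash even while the disposition is unknown, so a later
# verdict can be applied to the whole history instead of only to the next sighting.
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Sighting:
    time: str      # constructed HH:MM timestamps on the day of the incident
    host: str      # device that now holds the file
    source: str    # where it came from: an application name or the previous host
    via: str       # transport that carried it (browser download, SMB, ...)


@dataclass
class Trajectory:
    sha256: str
    disposition: str = "unknown"
    sightings: List[Sighting] = field(default_factory=list)


class RetrospectiveStore:
    def __init__(self) -> None:
        self.files: Dict[str, Trajectory] = {}
        self.events: List[Dict[str, str]] = []   # what would be sent to the console

    def observe(self, sha256: str, time: str, host: str, source: str, via: str) -> str:
        """Record a file arriving on a host. Returns the action taken at that moment:
        'allowed' for unknown or clean files, 'blocked' if the hash is already convicted."""
        traj = self.files.setdefault(sha256, Trajectory(sha256))
        if traj.disposition == "malicious":
            self.events.append({"type": "blocked", "sha256": sha256, "host": host, "time": time})
            return "blocked"
        traj.sightings.append(Sighting(time, host, source, via))
        return "allowed"

    def update_disposition(self, sha256: str, verdict: str, time: str) -> List[str]:
        """Apply a new cloud verdict. A change to 'malicious' raises one retrospective
        event per device that ever saw the file and returns those hosts in first-seen order."""
        traj = self.files.setdefault(sha256, Trajectory(sha256))
        previous, traj.disposition = traj.disposition, verdict
        if verdict != "malicious" or previous == "malicious":
            return []
        hosts: List[str] = []
        for s in traj.sightings:
            if s.host not in hosts:
                hosts.append(s.host)
        for h in hosts:
            self.events.append({"type": "retrospective", "sha256": sha256, "host": h, "time": time})
        return hosts

    def path(self, sha256: str) -> List[str]:
        """Hop-by-hop trajectory, which is what scopes containment after a conviction."""
        return [f"{s.source} -> {s.host} ({s.via} @ {s.time})" for s in self.files[sha256].sightings]


# Placeholder hash for the constructed walk-through; not a real sample.
UNKNOWN_FILE = "0" * 60 + "beef"


def run_use_case() -> RetrospectiveStore:
    """Replay the use case: four hosts see the file, the cloud convicts it, one host
    tries to re-download it. Times are constructed to match the stated intervals."""
    store = RetrospectiveStore()
    store.observe(UNKNOWN_FILE, "10:40", "10.4.10.183", "Firefox", "http download")
    store.observe(UNKNOWN_FILE, "10:57", "10.5.11.8", "10.4.10.183", "file copy")
    store.observe(UNKNOWN_FILE, "17:57", "10.3.4.51", "10.5.11.8", "SMB")
    store.observe(UNKNOWN_FILE, "18:27", "10.5.60.66", "10.3.4.51", "SMB")
    # The cloud learns the file is malicious: every device that held it gets an event.
    store.update_disposition(UNKNOWN_FILE, "malicious", "18:30")
    # Eight hours after the first download the same file tries the original entry point.
    store.observe(UNKNOWN_FILE, "18:40", "10.4.10.183", "Firefox", "http download")
    return store


if __name__ == "__main__":
    store = run_use_case()
    for hop in store.path(UNKNOWN_FILE):
        print(hop)
    for event in store.events:
        print(event)
```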