Cisco Advanced Malware Protection TDM Presentation

Cisco
Quick Hit
Briefing
Cisco Security:
Sourcefire Deep Dive
Brian Avery
Territory Business Manager, Cisco
This session was recorded via Cisco WebEx! You can watch the live session recording via the following URL:
https://acecloud.webex.com/acecloud/lsr.php?RCID=48db113ab90b4883aef8d5641c47d8ca
Thanks for your interest and participation!
Connect using the audio conference box or you can call into the meeting:
1. Toll-Free: (866) 432-9903
2. Enter Meeting ID: 300 430 485 and your attendee ID number.
3. Press “1” to join the conference.
Presentation Agenda
► Quick Hits and Customer Education
► Security in the 21st Century
► Cisco Security Overview
► Sourcefire Deep Dive
► Conclusion

About Your Host
Brian Avery, Territory Business Manager, Cisco Systems, Inc.
bravery@cisco.com
What Is a Quick Hit Briefing?
• A weekly partner briefing series designed for Cisco Commercial Territory partners
• Concise, relevant updates on:
  • Cisco products and solutions
  • Partner programs and promotions
  • Partner Enablement – Demand Generation, Selling Skills, Closing Tools, etc.
• Welcome to Quick Hit Briefing #137 – 28,222 attendees and growing!
NEW! Cisco Customer Education Series (CCE)
Customer-facing WebEx Events - Let us sell for you!
Next event – Wednesday Nov 11th @ 1:30 p.m.: You've Already Been Hacked. Now What? Cisco Next-Gen Security Can Help
Registration link | Invitation
Invite your customers to attend and we will notify you if they do!
Access registration links, invites and replays at: http://cs.co/cisco101
Security in the 21st Century
The Reality: Organizations Are Under Attack
95% of large companies targeted by malicious traffic
100% of organizations interacted with websites hosting malware
Cybercrime is lucrative, barrier to entry is low
Hackers are smarter and have the resources to compromise your organization
Malware is more sophisticated
Organizations face tens of thousands of new malware samples per hour
Timeline chart (1990 to 2020): 1990–2000 Viruses, Worms (Phishing, Low Sophistication); 2000–2005 Spyware and Rootkits (Hacking Becomes an Industry); 2005–Today APTs, Cyberware (Sophisticated Attacks, Complex Landscape); Today + 2020
Source: 2014 Cisco Annual Security Report
Dynamic Threat Landscape
It is a Community that hides in plain sight, avoids detection, and attacks swiftly
60% of data is stolen in hours
54% of breaches remain undiscovered for months
100% of companies connect to domains that host malicious files or services
Your customer says… “I am just a small fish in a BIG pond.”
Yet organizations of every size are targets
Adversaries are attacking you by targeting your organization’s: Customer data, Intellectual property, Company secrets
And using you to attack your enterprise customers and partners
41% of targeted attacks are against organizations with fewer than 500 employees (July 2014, The National Cyber Security Alliance (NCSA))
60% of UK small businesses were compromised in 2014 (2014 Information Security Breaches Survey)
100% of corporate networks examined had malicious traffic (Cisco 2014 Annual Security Report)
If you knew you were going to be compromised, would you do security differently?
Cisco Security Overview
Defending Against These Advanced Threats Requires Greater Visibility and Control Across the Full Attack Continuum
Attack Continuum:
Before: Discover, Enforce, Harden
During: Detect, Block, Defend
After: Scope, Contain, Remediate
Control points: Network, Endpoint, Mobile, Virtual, Cloud, Email & Web
Point in Time → Continuous
Defending Against These Advanced Threats Requires Greater Visibility and Control Across the Full Attack Continuum
Attack Continuum: Before (Discover, Enforce, Harden); During (Detect, Block, Defend); After (Scope, Contain, Remediate)
Cisco portfolio across the continuum: ASA, VPN, NGIPS, Advanced Malware Protection, NGFW, Meraki, ESA/WSA, Network as Enforcer, CWS, ThreatGRID, Secure Access + Identity Services, FireSIGHT and pxGrid
Comprehensive Security Requires: Breach Prevention; Rapid Breach Detection, Response, Remediation; Threat Intelligence
Source: http://www.pcworld.com/article/2109210/report-average-of-82-000-new-malware-threats-per-day-in-2013.html
Cisco Sourcefire Advanced Malware Protection
Cisco Advanced Malware Protection
Built on unmatched collective security intelligence
Cisco® Collective Security Intelligence Cloud – inputs from WWW, Email, Endpoints, Web, Networks, IPS and Devices, with automatic updates in real time
• 1.6 million global sensors
• 13 billion web requests
• 100 TB of data received per day
• 24x7x365 operations
• 150 million+ deployed endpoints
• 4.3 billion web blocks per day
• 600 engineers, technicians, and researchers
• 35% worldwide email traffic
• 40+ languages
• 1.1 million incoming malware samples per day
Intelligence sources: Talos Security Intelligence; AMP Threat Grid Intelligence; AMP Threat Grid Dynamic Analysis (10 million files/month); Advanced Microsoft and Industry Disclosures; AMP Community; Snort and ClamAV Open Source Communities; Private/Public Threat Feeds; AEGIS Program
→ AMP (Advanced Malware Protection)
Cisco AMP Threat Grid
Feeds Dynamic Malware Analysis and Threat Intelligence to the AMP Solution
1. Analyst or system (API) submits suspicious sample to Threat Grid (low prevalence files)
2. An automated engine observes, deconstructs, and analyzes using multiple techniques
   • Proprietary techniques for static and dynamic analysis
   • “Outside looking in” approach
   • 350 Behavioral Indicators
3. Cisco® AMP Threat Grid platform correlates the sample result with millions of other samples and billions of artifacts (Sample and Artifact Intelligence Database; Big Data Correlation)
4. Actionable threat content and intelligence is generated that can be utilized by AMP, or packaged and integrated into a variety of existing systems or used independently (Threat Score/Behavioral Indicators; Threat Feeds)
Cisco AMP Delivers a Better Approach
Point-in-Time Protection: File Reputation, Sandboxing, and Behavioral Detection
Retrospective Security: Continuous Analysis – Unique to Cisco® AMP

Cisco AMP Defends With Reputation Filtering And Behavioral Detection
Point-in-Time Detection
• Reputation Filtering: One-to-One Signature; Fuzzy Finger-printing; Machine Learning
• Behavioral Detection: Indications of Compromise; Dynamic Analysis; Advanced Analytics; Device Flow Correlation
Continuous Protection: Retrospective Security
Cisco Collective Security Intelligence
Point-in-Time Detection: Reputation Filtering Is Built On Three Features
One-to-One Signature
1. Unknown file is encountered, signature is analyzed, sent to cloud
2. File signature is known to be malicious and is prevented from entering the system
3. Unknown file is encountered, signature is analyzed, sent to cloud
4. File is not known to be malicious and is admitted
(Diagram: Collective Security Intelligence Cloud)
Point-in-Time Detection: Reputation Filtering Is Built On Three Features
Fuzzy Finger-printing
1. Fingerprint of file is analyzed and determined to be malicious
2. Malicious file is not allowed entry
3. Polymorphic form of the same file tries to enter the system
4. The fingerprints of the two files are compared and found to be similar to one another
5. Polymorphic malware is denied entry based on its similarity to known malware
Point-in-Time Detection: Reputation Filtering Is Built On Three Features
Machine Learning
1. Metadata of unknown file is sent to the cloud to be analyzed
2. Metadata is recognized as possible malware
3. File is compared to known malware and is confirmed as malware
4. Metadata of a second unknown file is sent to cloud to be analyzed
5. Metadata is similar to known clean file, possibly clean
6. File is confirmed as a clean file after being compared to a similarly clean file
Machine Learning Decision Tree: Possible malware → Confirmed malware or Confirmed clean file; Possible clean file → Confirmed malware or Confirmed clean file
Point-in-Time Detection: Behavioral Detection Is Built On Four Features
Indications of Compromise
1. File of unknown disposition is encountered
2. File replicates itself and this information is communicated to the cloud
3. File communicates with malicious IP addresses or starts downloading files with known malware disposition
4. Combination of activities indicates a compromise and the behavior is reported to the cloud and AMP client
5. These indications are prioritized and reported to security team as possible compromise
Point-in-Time Detection: Behavioral Detection Is Built On Four Features
Dynamic Analysis
1. Dynamic Analysis Engine executes unknown files in on-premises or cloud sandboxes powered by Cisco® AMP Threat Grid
2. Two files are determined to be malware, one is confirmed as clean
3. Cloud is updated with analysis results, and retrospective alerts are broadcast to users
(Diagram: AMP Threat Grid Sandbox; Collective Security Intelligence Cloud; Collective User Base)
Point-in-Time Detection: Behavioral Detection Is Built On Four Features
Advanced Analytics
1. Receives information regarding software unidentified by Reputation Filtering appliances
2. Receives context regarding unknown software from Collective User Base
3. Analyzes file in light of the information and context provided
4. Identifies the advanced malware and communicates the new signature to the user base
(Diagram: Cisco® AMP Threat Grid Analysis; Collective Security Intelligence Cloud; Collective User Base)
Point-in-Time Detection: Behavioral Detection Is Built On Four Features
Device Flow Correlation
1. Device Flow Correlation monitors communications of a host on the network
2. Two unknown files are seen communicating with a particular IP address
3. One is sending information to the IP address, the other is receiving commands from the IP address
4. Collective Security Intelligence Cloud recognizes the external IP as a confirmed, malicious site
5. Unknown files are identified as malware because of the association
(Diagram: IP: 64.233.160.0; Collective Security Intelligence Cloud)
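The five steps above, as an added example that is not Cisco's code: a toy Device Flow Correlation pass over constructed flow records. Hostnames, hashes and IPs are made up (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges); what it shows is the gate the slide describes, where only unknown-disposition files are convicted by association with a destination the cloud has confirmed malicious.

```python
"""Added example (not Cisco's code): a toy Device Flow Correlation step.
Flow records, hashes, hostnames and IPs are constructed; the mechanism,
convicting unknown-disposition files by association with a confirmed
malicious destination, is the one the slide describes."""
from collections import defaultdict

# Constructed flow records as an endpoint sensor might report them:
# (host, file_sha256, remote_ip, direction, bytes)
FLOWS = [
    ("ws-17", "aa11" * 16, "203.0.113.45", "out", 48_210),  # unknown file sending data
    ("ws-17", "bb22" * 16, "203.0.113.45", "in", 1_024),    # second unknown file receiving
    ("ws-17", "cc33" * 16, "198.51.100.9", "out", 512),     # unknown file, unflagged IP
    ("ws-04", "dd44" * 16, "203.0.113.45", "in", 2_048),    # known-clean file, same IP
]
# Disposition the cloud currently holds for each fingerprint (constructed).
DISPOSITION = {"aa11" * 16: "unknown", "bb22" * 16: "unknown",
               "cc33" * 16: "unknown", "dd44" * 16: "clean"}


def correlate(flows, disposition, malicious_ips):
    """Group flows by remote IP. For every IP the cloud has confirmed malicious,
    convict each unknown-disposition file that talked to it and describe its
    role. Files already known clean (or malicious) are left alone: association
    alone does not override an existing verdict."""
    by_ip = defaultdict(list)
    for host, sha, ip, direction, nbytes in flows:
        by_ip[ip].append((host, sha, direction, nbytes))
    findings = []
    for ip in sorted(by_ip):
        if ip not in malicious_ips:
            continue
        for host, sha, direction, nbytes in by_ip[ip]:
            if disposition.get(sha, "unknown") != "unknown":
                continue
            role = "sends data to" if direction == "out" else "receives commands from"
            findings.append({"host": host, "sha256": sha, "ip": ip,
                             "role": role, "bytes": nbytes})
    return findings


def apply_convictions(disposition, findings):
    """Return a new disposition map with every correlated file marked malicious."""
    updated = dict(disposition)
    for f in findings:
        updated[f["sha256"]] = "malicious"
    return updated


def run_demo():
    # Step 4 on the slide: the cloud confirms the external IP as malicious.
    malicious_ips = {"203.0.113.45"}
    findings = correlate(FLOWS, DISPOSITION, malicious_ips)
    return findings, apply_convictions(DISPOSITION, findings)
```

Running run_demo() convicts the two unknown files that talked to 203.0.113.45 and leaves the known-clean file and the file talking to an unflagged IP untouched.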
Cisco AMP Defends With Retrospective Security
To be effective, you have to be everywhere continuously
Cisco Collective Security Intelligence
Why Continuous Protection Is Necessary
Breadth and Control points: WWW, Email, Endpoints, Web, Network, Gateways, Devices
Telemetry Stream (continuous feed): File Fingerprint and Metadata; File and Network I/O; Process Information
Continuous analysis: Talos + Threat Grid Intelligence
Why Continuous Protection Is Necessary
Event History: Who, What, Where, When, How
Collective Security Intelligence → Context → Enforcement
Continuous Analysis
Cisco AMP Defends With Retrospective Security
Continuous Analysis; Attack Chain Weaving; Behavioral Indications of Compromise; Trajectory; Elastic Search
Cisco Collective Security Intelligence
Retrospective Security Is Built On… Continuous Analysis
1. Performs analysis the first time a file is seen
2. Persistently analyzes the file over time to see if the disposition is changed
3. Giving unmatched visibility into the path, actions, or communications that are associated with a particular piece of software
(Diagram: Attack Chain Weaving; Behavioral Indications of Compromise; Trajectory; Breach Hunting)
Retrospective Security Is Built On… Attack Chain Weaving
Uses retrospective capabilities in three ways:
1. File Trajectory – records the trajectory of the software from device to device
2. Process Monitoring – monitors which applications are performing the actions
3. Communications Monitoring – monitors the I/O activity of all devices on the system
Attack Chain Weaving analyzes the data collected by File Trajectory, Process, and Communication Monitoring to provide a new level of threat intelligence
Retrospective Security Is Built On… Behavioral Indications of Compromise
Behavioral Indications of Compromise uses continuous analysis and retrospection to monitor systems for suspicious and unexplained activity… not just signatures!
1. An unknown file is admitted into the network
2. The unknown file copies itself to multiple machines
3. Duplicates content from the hard drive
4. Sends duplicate content to an unknown IP address
Using the power of Attack Chain Weaving, Cisco® AMP is able to recognize patterns and activities of a given file, and identify an action to look for across your environment rather than a file fingerprint or signature
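The four-step chain above, as an added example rather than Cisco's code: a toy "attack chain weaving" evaluator that groups constructed endpoint telemetry per file fingerprint, tests each step of the chain, and ranks files for the prioritised report described on the Indications of Compromise slide. Hostnames, hashes, IPs, the indicator weights and the reporting threshold are all assumptions, not AMP's own scoring.

```python
"""Added example (not Cisco's code): a toy attack-chain evaluator for the
chain admitted -> copies to multiple machines -> duplicates disk content ->
sends to an unknown IP. Telemetry, hostnames, hashes and IPs are constructed;
weights and threshold are illustrative only."""
from collections import defaultdict

# Constructed endpoint telemetry: (host, file_sha256, action, detail)
EVENTS = [
    ("ws-01", "f00d" * 16, "admitted",   "download via browser"),
    ("ws-01", "f00d" * 16, "self_copy",  "ws-02"),
    ("ws-01", "f00d" * 16, "self_copy",  "ws-03"),
    ("ws-02", "f00d" * 16, "read_files", r"C:\Users\*\Documents"),
    ("ws-02", "f00d" * 16, "net_send",   "203.0.113.77"),
    ("ws-05", "beef" * 16, "admitted",   "software deployment"),
    ("ws-05", "beef" * 16, "self_copy",  "ws-06"),
    ("ws-05", "beef" * 16, "self_copy",  "ws-07"),
    ("ws-05", "beef" * 16, "net_send",   "10.0.0.5"),   # constructed internal update server
]
KNOWN_IPS = {"10.0.0.5"}   # constructed set of destinations the organisation recognises

# Illustrative weights: sending content to an unknown IP weighs most.
WEIGHTS = {"self_replication": 2, "content_duplication": 2, "exfil_to_unknown_ip": 4}


def weave(events, known_ips):
    """Group telemetry per file fingerprint and test each step of the chain.
    Every step that is present becomes a behavioral indicator; the score is
    the sum of their weights, and the pattern (not the hash) is what matched."""
    per_file = defaultdict(list)
    for host, sha, action, detail in events:
        per_file[sha].append((host, action, detail))
    findings = {}
    for sha, evs in per_file.items():
        hit = []
        copies = {d for _, a, d in evs if a == "self_copy"}
        if len(copies) >= 2:                     # "copies itself to multiple machines"
            hit.append("self_replication")
        if any(a == "read_files" for _, a, _ in evs):
            hit.append("content_duplication")
        if any(a == "net_send" and d not in known_ips for _, a, d in evs):
            hit.append("exfil_to_unknown_ip")
        hosts = {h for h, _, _ in evs} | copies  # everywhere the chain touched
        findings[sha] = {"indicators": hit,
                         "score": sum(WEIGHTS[i] for i in hit),
                         "hosts": sorted(hosts)}
    return findings


def prioritize(findings, threshold=6):
    """Rank files by score; those at or above the threshold are the ones to
    report to the security team as a possible compromise."""
    ranked = sorted(findings.items(), key=lambda kv: kv[1]["score"], reverse=True)
    return [(sha, f["score"], f["score"] >= threshold) for sha, f in ranked]
```

The deployment tool that copies itself to several hosts but only talks to a known internal address scores below the threshold, which is the point of weaving the steps together instead of alerting on any one of them.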
Retrospective Security Is Built On… Trajectory (File Trajectory)
1. Unknown file is downloaded to device
2. Fingerprint is recorded and sent to cloud for analysis
3. The unknown file travels across the network to different devices; file trajectory automatically records propagation of the file across the network
4. Sandbox analytics determines the file is malicious and notifies all devices
5. If file is deemed malicious, file trajectory can provide insight into which hosts are infected, and it provides greater visibility into the extent of an infection
(Diagram: Collective Security Intelligence Cloud; Network; Computer, Mobile and Virtual Machine devices)
Retrospective Security Is Built On… Trajectory (Device Trajectory)
1. Unknown file is downloaded to a particular device
2. The file executes
3. Device trajectory records this, the parent process lineage and all actions performed by the file
4. File is convicted as malicious and the user is alerted to the root cause and extent of the compromise
(Diagram: Computer with Drive #1, Drive #2, Drive #3)
Retrospective Security Is Built On… Elastic Search
1. Elastic Search is the ability to use the indicators generated by Behavioral IoCs to monitor and search for threats across an environment
2. When a threat is identified, it can be used to search for and identify if that threat exists anywhere else
3. This function enables quick searches to aid in the detection of files that remain unknown but are malicious
Cisco AMP Provides Contextual Awareness and Visibility That Allows You to Take Control of an Attack Before It Causes Damage
Who – Focus on these users first
What – These applications are affected
Where – The breach affected these areas
When – This is the scope of exposure over time
How – Here is the origin and progression of the threat
Cisco AMP Everywhere Strategy Means Protection Across the Extended Network
• AMP for Endpoints* – Windows OS, MAC OS, Android Mobile, Virtual
• AMP for Networks
• AMP on Cisco® ASA Firewall with FirePOWER Services
• AMP Private Cloud Virtual Appliance
• AMP on Web & Email Security Appliances
• AMP for Cloud Web Security (CWS) & Hosted Email
• AMP Threat Grid – Malware Analysis + Threat Intelligence Engine, Appliance or Cloud
*AMP for Endpoints can be launched from AnyConnect
There Are Several Ways You Can Deploy AMP
Deployment Options (Method | Ideal for | Details)

AMP on Email and Web; Cisco® ASA; CWS
• Method: License with ESA, WSA, CWS, or ASA customers
• Ideal for: New or existing Cisco CWS, Email/Web Security, ASA customers
• Details: ESA/WSA: Prime visibility into email/web; CWS: web and advanced malware protection in a cloud-delivered service; AMP capabilities on ASA with FirePOWER Services

AMP for Networks (AMP on FirePOWER Network Appliance)
• Method: Snap into your network
• Ideal for: IPS/NGFW customers
• Details: Wide visibility inside network; Broad selection of features – before, during, and after an attack; Comprehensive threat protection and response

AMP for Endpoints (Windows/MAC, Mobile, Virtual)
• Method: Install lightweight connector on endpoints
• Ideal for: Windows, Windows OS for POS, Mac, Android, virtual machines; can also deploy from AnyConnect client
• Details: Granular visibility and control; Widest selection of AMP features

AMP Private Cloud Virtual Appliance
• Method: On-premises Virtual Appliance
• Ideal for: High-Privacy Environments
• Details: Private Cloud option for those with high-privacy requirements; Can deploy full air-gapped mode or cloud proxy mode; For endpoints and networks
Protection Across Networks
The Network platform uses indications of compromise, file analysis, and in this example file trajectory to show you exactly how malicious files have moved across the environment

Protection Across Endpoints
The Endpoint platform has device trajectory, elastic search, and outbreak control, which in this example is shown quarantining recently detected malware on a device that has the AMP for Endpoints connector installed

Protection Across Web and Email
Cisco® AMP for Web and Email protects against malware threats in web and email traffic by blocking known malware and issuing retrospective alerts when unknown files are convicted
Conclusion
Defending Against These Advanced Threats Requires Greater Visibility and Control Across the Full Attack Continuum
Attack Continuum: Before (Discover, Enforce, Harden); During (Detect, Block, Defend); After (Scope, Contain, Remediate)
Control points: Network, Endpoint, Mobile, Virtual, Cloud, Email & Web; Point in Time → Continuous

Only Cisco Security Can Deliver… Visibility and Control Across the Full Attack Continuum
ASA, VPN, NGIPS, Advanced Malware Protection, NGFW, Meraki, ESA/WSA, Network as Enforcer, CWS, ThreatGRID, Secure Access + Identity Services, FireSIGHT and pxGrid
Are You Able to Defend Against Advanced Malware?
1. Can your customers detect advanced malware in web and email?
2. Assess your customers’ current level of network protection
3. Assess your customers’ current level of endpoint protection

Get Started Now
1. Offer your customers a Proof-of-Value (POV) deployment
2. Establish a timeframe and installation date for POV
3. Determine hardware requirements and configuration changes
4. Select POV length and delivery
5. Schedule kick-off meeting
http://www.cisco.com/web/partners/specializations/security-arch.html
Need Assistance Getting Cisco Express Security Specialized? http://www.cisco.com/web/partners/specializations/expresssecurity/index.html
• They will navigate with you through the specialization requirements
• They host/sponsor the required AM & SE specialization classes
• Offering FREE* ASA 5506
• Enable you to complete Security Network Assessments – $1,500 spiff available
Call your Cisco Distributor
Sourcefire Resources
• Advanced Malware Protection
• Cisco AMP Threat Grid - Appliances
• Cisco AMP Threat Grid - Cloud
• Cisco Advanced Malware Protection Virtual Private Cloud Appliance
• Cisco Advanced Malware Protection for Endpoints
• Cisco Advanced Malware Protection for Networks

Customer Case Studies
• Playlist of all Customer Testimonials on AMP
• John Chambers on Cisco Security and AMP
• SHSU uses AMP for Endpoints
• Gartner Video-on-Demand: Strategies to Combat Advanced Threats featuring Cisco AMP
• ADP uses ThreatGrid: https://www.youtube.com/watch?v=x7c21CgyH3o&feature=youtu.be

AMP Demos / Videos
• AMP + Threat Grid External Launch Video
• AMP for Endpoints Overview Video
• NSS Labs Breach Detection System test
• AMP for Networks Overview Video
• AMP on Techwise TV June 2015
• AMP Threat Grid Overview Video
• AMP Overview in 4 Minutes: Meet Tom, the IT Security Guy

Updated Data Sheets, At-a-Glances, Infographic, Whitepapers
• AMP Solution Overview
• AMP Solution AAG
• AMP for Networks: Data Sheet | AAG
• AMP for Endpoints: Data Sheet | AAG
• Security Everywhere Whitepaper (direct link)
• AMP Threat Grid Solution Overview
• AMP Threat Grid – Appliance: Data Sheet | AAG
• AMP Threat Grid – Cloud: Data Sheet
• Malware Infographic
Call to Action
Invite Your Customers to the next CCE Event
Next event – Wednesday Nov 11th @ 1:30 p.m.: You've Already Been Hacked. Now What? Cisco Next-Gen Security Can Help
Registration link | Invitation
• Invite your customers to attend and we will notify you if they do!
• Access registration links, replays at: http://cs.co/cisco101
Join Us Next Week!
Next Quick Hit Briefing
Big Data = Big $$$$ - Learn how to Monetize Big Data with Cisco
Thursday Nov 5th, 2015 at 9:30 ET
Check http://cs.co/quickhit for registration links and replays
Thank you.
Appendix: How AMP Works
How Cisco AMP Works: Network File Trajectory Use Case
1. An unknown file is present on IP 10.4.10.183, having been downloaded from Firefox
2. At 10:57, the unknown file moves from IP 10.4.10.183 to IP 10.5.11.8
3. Seven hours later the file is then transferred to a third device (10.3.4.51) using an SMB application
4. The file is copied yet again onto a fourth device (10.5.60.66) through the same SMB application a half hour later
5. The Cisco® Collective Security Intelligence Cloud has learned this file is malicious and a retrospective event is raised for all four devices immediately.
6. At the same time, a device with the AMP for Endpoints connector reacts to the retrospective event and immediately stops and quarantines the newly detected malware
7. Eight hours after the first attack, the malware tries to re-enter the system through the original point of entry but is recognized and blocked.
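The use case above and the File Trajectory slide earlier, replayed as an added example that is not Cisco's code: a toy trajectory store that records each host a fingerprint lands on, turns a later "malicious" verdict into one retrospective event per host, and blocks the re-entry attempt with a one-to-one signature match. The four IP addresses and the 10:57 time come from the slide; the hash, the date, the carrying applications for the first two hops and which host runs the endpoint connector are assumptions.

```python
"""Added example (not Cisco's code): file trajectory plus retrospective
events, replaying the appendix use case. The hash, the date and the
connector placement are constructed; the IPs and 10:57 are from the slide."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

SAMPLE_SHA256 = "c0ffee" * 10 + "0000"   # constructed 64-hex fingerprint


@dataclass
class Sighting:
    when: datetime
    host: str   # device the file landed on
    via: str    # application the sensor saw carrying it


@dataclass
class TrajectoryStore:
    """File trajectory: every host a fingerprint has been seen on, plus the
    latest disposition the intelligence cloud returned for it."""
    sightings: dict = field(default_factory=lambda: defaultdict(list))
    disposition: dict = field(default_factory=dict)

    def record(self, sha256, sighting):
        self.sightings[sha256].append(sighting)
        self.disposition.setdefault(sha256, "unknown")

    def hosts_seen(self, sha256):
        return sorted({s.host for s in self.sightings[sha256]})

    def update_disposition(self, sha256, new):
        """A cloud verdict arrives later. A flip to malicious yields one
        retrospective event per device that ever saw the file; repeating the
        same verdict yields nothing, so alerts are not duplicated."""
        old = self.disposition.get(sha256, "unknown")
        self.disposition[sha256] = new
        if old != "malicious" and new == "malicious":
            return [("retrospective", sha256, h) for h in self.hosts_seen(sha256)]
        return []

    def admit(self, sha256, host):
        """Point-in-time check at a control point: a one-to-one signature
        match on a known-malicious fingerprint blocks re-entry."""
        if self.disposition.get(sha256) == "malicious":
            return ("blocked", host)
        return ("admitted", host)


def replay_use_case():
    """Replay the slide's timeline and return what AMP would have recorded."""
    store = TrajectoryStore()
    day = datetime(2015, 11, 2)   # constructed date; only the clock times matter
    hops = [   # (time, receiving host, application)
        (day.replace(hour=10, minute=50), "10.4.10.183", "Firefox"),
        (day.replace(hour=10, minute=57), "10.5.11.8", "unspecified"),
        (day.replace(hour=17, minute=57), "10.3.4.51", "SMB"),   # seven hours later
        (day.replace(hour=18, minute=27), "10.5.60.66", "SMB"),  # half an hour later
    ]
    for when, host, via in hops:
        store.record(SAMPLE_SHA256, Sighting(when, host, via))
    # The cloud learns the file is malicious: retrospective events for all four.
    events = store.update_disposition(SAMPLE_SHA256, "malicious")
    # Only hosts running the endpoint connector can quarantine on that event.
    connector_hosts = {"10.5.60.66"}   # constructed placement
    quarantined = [h for _, _, h in events if h in connector_hosts]
    # Eight hours after the first attack the file tries the original entry point.
    reentry = store.admit(SAMPLE_SHA256, "10.4.10.183")
    return {"hosts": store.hosts_seen(SAMPLE_SHA256), "events": events,
            "quarantined": quarantined, "reentry": reentry}
```

Calling replay_use_case() returns the four hosts the trajectory recorded, the four retrospective events, the one host that could quarantine, and the blocked re-entry.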