Unified Malware Analysis and Threat Intelligence
Cisco AMP Threat Grid
Tech update
Mikael Grotrian, CISSP, CISM, CCSK, GISF, ITIL, PRINCE2, TOGAF Certified
Consulting Systems Engineer, Cyber Security, Denmark
Introducing Threat Grid Everywhere
[Diagram: suspicious files are submitted from the edge and from endpoints (firewalls & UTM, web security, endpoint security, network security, security analytics, 3rd-party integration) to AMP Threat Grid (dynamic analysis, static analysis, threat intelligence); analysis reports and premium content feeds flow back to security teams and to security monitoring platforms (deep packet inspection; governance, risk and compliance; SIEM); Cisco security solutions and network security solutions sit on both sides]
Automatically submit suspicious files
Automated analysis, from edge to endpoint
Submission: an analyst or a system (via the API) submits a suspicious sample to Threat Grid.
[Diagram: suspicious files arrive from edge devices (ASA w/FPS, ESA, Next Gen IPS, WSA, AMP for Networks) and from endpoints (AMP for Endpoints)]
Examine files with context-driven analysis
“Outside looking in” approach
No presence in the VM
Proprietary techniques for static and dynamic analyses
Observing all changes to local host and network communications
Downloadable analysis JSON, in minutes
Capability to pivot on any data element
Detailed report identifying key behavioral indicators and threat score
Accurately identify attacks, in near real time
Static and Dynamic analysis execute automatically
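To make concrete what "no presence in the VM" rules out, the following is an added example, not code from the deck or from Threat Grid: the in-guest artifact check that evasive malware performs before it detonates. The guest profiles, the agent process names and the MAC prefix list are constructed for the example (the VMware, VirtualBox, Xen and Hyper-V OUIs are well known; "sandboxagent" is hypothetical), so it runs offline.

```python
"""Added example (not from the deck or Threat Grid): the in-guest artifacts
that an agent-based sandbox leaks and that evasive malware checks before it
detonates. The guest profiles are constructed so the check runs offline."""
import re

# Well-known virtualisation MAC OUI prefixes: VMware (00:0c:29, 00:50:56,
# 00:05:69), VirtualBox (08:00:27), Xen (00:16:3e), Hyper-V (00:15:5d).
VM_MAC_PREFIXES = ("00:0c:29", "00:50:56", "00:05:69", "08:00:27",
                   "00:16:3e", "00:15:5d")
# Guest-tools and in-VM agent process names (constructed list, lower-case;
# "sandboxagent" is a hypothetical agent name).
AGENT_PROCESSES = {"vmtoolsd", "vboxservice", "vboxtray", "vmwaretray",
                   "sandboxagent"}

# Constructed guest profiles: one with an in-VM agent, one without.
AGENT_GUEST = {
    "cpuinfo": "processor\t: 0\nflags\t\t: fpu vme de pse hypervisor\n",
    "macs": ["00:0C:29:AB:CD:EF"],
    "processes": ["explorer.exe", "vmtoolsd", "sandboxagent"],
}
CLEAN_GUEST = {
    "cpuinfo": "processor\t: 0\nflags\t\t: fpu vme de pse\n",
    "macs": ["02:00:00:11:22:33"],   # locally administered, no VM OUI
    "processes": ["explorer.exe"],
}


def find_sandbox_artifacts(cpuinfo, mac_addresses, process_names):
    """Return the artifacts a sample could use to conclude it is being
    observed: the CPUID 'hypervisor' flag as shown in /proc/cpuinfo, a VM
    vendor MAC prefix, or a known guest-agent process."""
    hits = []
    if re.search(r"^flags\s*:.*\bhypervisor\b", cpuinfo, re.M):
        hits.append("cpuinfo:hypervisor-flag")
    for mac in mac_addresses:
        if mac.lower().startswith(VM_MAC_PREFIXES):
            hits.append("mac:" + mac)
    for proc in process_names:
        if proc.lower() in AGENT_PROCESSES:
            hits.append("process:" + proc)
    return hits


def would_detonate(profile):
    """Evasive-sample logic: stay dormant if any artifact is present."""
    return not find_sandbox_artifacts(profile["cpuinfo"], profile["macs"],
                                      profile["processes"])


if __name__ == "__main__":
    for name, prof in (("agent guest", AGENT_GUEST), ("clean guest", CLEAN_GUEST)):
        print(name,
              find_sandbox_artifacts(prof["cpuinfo"], prof["macs"], prof["processes"]),
              "detonates" if would_detonate(prof) else "stays dormant")
```

The profile that matters to a defender is the clean one: an analysis VM with no agent process, a non-vendor MAC and a masked hypervisor bit gives this check nothing to key on, which is what lets the sample show its real behaviour. Removing the in-guest agent only covers the process artifacts; the MAC prefix and the CPUID flag are hypervisor-level and have to be hidden in the VM configuration.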
[Figure: Dynamic Analysis: process tree visualization. Legend entries: sample process; process with additional activity; file activity; registry activity]
Easily Identify and Prioritize threats
450+ behavioral indicators (and growing)
• Malware families, malicious behaviors, and more
• Detailed description and actionable information
Prioritize threats with confidence
• Enhance the knowledge and effectiveness of SOC analysts, IR teams, and security products
Easy-to-understand Threat Scores guide decision making
DEMO
Leverage our global community and scale
Millions of samples analyzed every month
• Near real time analysis
Correlates each sample analysis with billions of malware artifacts
• Exceptional scale and coverage for global threats
Threat intelligence prepares you for tomorrow’s threats
Deploy as needed in your environment
• Secure logical access and physical facility
• No external cloud provider element: self-contained processing and storage (Cisco AMP Threat Grid developed IP and dedicated hardware)
• Local malware analysis backed by full power of Cisco® AMP Threat Grid’s cloud
• For regulatory and policy compliance, all data remains on premises
• Consistent user experience from cloud to appliance (UI, API, etc.)
Deployment options: cloud solution or powerful security appliance
© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Unified Malware Analysis and Threat Intelligence
Performance
• High-speed, automated analysis and adjustable runtimes
• Does not expose any tags or indicators that malware can use to detect that it is being observed
• Can observe a greater number of behaviors
Usability
• Video playbacks
• Glovebox for malware interaction and operational troubleshooting
• Process Graph for visual representation of process lineage
• Threat Score & Behavioral Indicators
Context
• Search and correlate all data elements of a single sample against billions of sample artifacts collected and analyzed over years (global and historic context)
• Enable the analyst to better understand the relevance of the sample in question to one’s environment
Integration
• Architected from the ground up with an API to integrate with existing IT security solutions (automatically receive submissions from other solutions and pull the results into your environment)
• Create custom threat intelligence feeds
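What "pull the results into your environment", the process graph, threat-score prioritization and a custom threat intelligence feed look like once the analysis JSON is in hand, as an added example. This is not Threat Grid code and the record layout (field names `threat_score`, `behavioral_indicators`, `processes`, `network`) is an assumption constructed for the example; the real Threat Grid schema differs. The sample records, hashes and network indicators are constructed and use documentation address ranges.

```python
"""Added example (not Threat Grid code): post-process per-sample analysis
JSON to (1) rebuild the process lineage from parent/child ids, (2) rank
samples by threat score and surface their behavioral indicators, and
(3) emit a custom IOC feed from high-scoring samples only.
The record layout and all data are constructed for this example."""
import json
from collections import defaultdict

# Constructed analysis records (assumed field names, not the real schema).
ANALYSIS_JSON = json.dumps([
    {
        "sha256": "a" * 64,
        "threat_score": 95,
        "behavioral_indicators": [
            {"title": "Process Modified Autorun Registry Key", "score": 90},
            {"title": "PowerShell Launched From Command Shell", "score": 80},
        ],
        "processes": [
            {"pid": 100, "ppid": 0, "name": "sample.exe"},
            {"pid": 200, "ppid": 100, "name": "cmd.exe"},
            {"pid": 300, "ppid": 200, "name": "powershell.exe"},
        ],
        "network": [{"dst": "203.0.113.5", "port": 443,
                     "domain": "update.example.net"}],
    },
    {
        "sha256": "b" * 64,
        "threat_score": 10,
        "behavioral_indicators": [{"title": "Executable Is Signed", "score": 5}],
        "processes": [{"pid": 100, "ppid": 0, "name": "installer.exe"}],
        "network": [{"dst": "198.51.100.7", "port": 80,
                     "domain": "cdn.example.org"}],
    },
])


def load_samples(raw):
    return json.loads(raw)


def render_tree(sample):
    """Indented process lineage, root first: the process graph as text."""
    children = defaultdict(list)
    for p in sample["processes"]:
        children[p["ppid"]].append(p)
    lines = []

    def walk(ppid, depth):
        for p in sorted(children[ppid], key=lambda x: x["pid"]):
            lines.append("  " * depth + p["name"])
            walk(p["pid"], depth + 1)

    walk(0, 0)   # the sample process has no parent in the record (ppid 0)
    return lines


def prioritize(samples, min_score=75):
    """Samples at or above the threat-score threshold, highest first, each
    with its indicator titles ordered by indicator score for triage."""
    hits = [s for s in samples if s["threat_score"] >= min_score]
    hits.sort(key=lambda s: s["threat_score"], reverse=True)
    return [
        (s["sha256"], s["threat_score"],
         [i["title"] for i in sorted(s["behavioral_indicators"],
                                     key=lambda i: -i["score"])])
        for s in hits
    ]


def ioc_feed(samples, min_score=75):
    """Custom threat-intel feed: hashes, IPs and domains from high-scoring
    samples only, so benign installers do not pollute blocklists."""
    feed = {"sha256": set(), "ipv4": set(), "domain": set()}
    for s in samples:
        if s["threat_score"] < min_score:
            continue
        feed["sha256"].add(s["sha256"])
        for c in s["network"]:
            feed["ipv4"].add(c["dst"])
            if c.get("domain"):
                feed["domain"].add(c["domain"])
    return {k: sorted(v) for k, v in feed.items()}


if __name__ == "__main__":
    samples = load_samples(ANALYSIS_JSON)
    for sha, score, titles in prioritize(samples):
        print(sha[:12], score, titles)
    print("\n".join(render_tree(samples[0])))
    print(json.dumps(ioc_feed(samples), indent=2))
```

The threshold is the design choice worth attention: a feed built from every analyzed sample will carry the CDN and update hosts of legitimate software, so gate the feed on the threat score and review the indicator titles of anything near the cut-off before it reaches a blocklist.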
Cisco AMP Threat Grid
On-Premises Appliance
Local malware analysis backed by full power of Cisco® AMP Threat Grid’s cloud
For regulatory and policy compliance, all data remains on premises
Continuous, one-way stream of federated data from Cisco AMP Threat Grid helps ensure full context
Consistent user experience from cloud to appliance (UI, API, etc.)
TG5000:
• Up to 1,500 sample analyses per day
• Cisco UCS C220 M3 chassis (1U)
• 6 x 1TB SAS HDD with LSI hardware RAID
TG5500:
• Up to 5,000 sample analyses per day
• Cisco UCS C220 M3 chassis (1U)
• 6 x 1TB SAS HDD with LSI hardware RAID
Powerful security and compliance
AMP Threat Grid unifies analysis and threat intelligence to deliver: Automated Analysis, Context-Rich Analytics, Seamless Integration
http://www.cisco.com/web/DK/learn_events/seminarkalender2016.html
Thank you.