Cisco AMP Solution
Rene Straube, CSE, Cisco Germany
January 2017

The AMP Everywhere Architecture
AMP Protection Across the Extended Network for an Integrated Threat Defense

Threat Intelligence Cloud:
- AMP Threat Grid: Malware Analysis + Threat Intelligence Engine
- AMP Private Cloud Virtual Appliance

AMP for Networks:
- AMP on Firepower NGIPS Appliance (AMP on Firepower NGIPS Appliance bundle)
- AMP on Web and Email Security Appliances
- AMP on Cisco® NGFW Firewalls
- AMP on Cloud Web Security and Hosted Email (CWS/CTA)
- AMP on ISR with Firepower Services

AMP for Endpoints (Remote Endpoints):
- Windows OS, MAC OS, Android Mobile, Virtual
- CentOS, Red Hat Linux for servers and datacenters
- AMP for Endpoints can be launched from AnyConnect

The AMP Everywhere Architecture Simplified
- AMP Threat Intelligence Cloud
- Threat Grid, cloud or on-prem (Sandboxing)
- AMP Cloud or Private Cloud (File Reputation)
- Endpoints: Windows OS, MAC OS, Android Mobile, Virtual, CentOS, Red Hat Linux for servers and datacenters; AMP for Endpoints can be launched from AnyConnect

How does Cisco's Advanced Malware Protection (AMP) work?

Advanced Malware Protection Summary
- File Reputation: preventative blocking of suspicious files
- File Sandboxing: behavioral analysis of unknown files
- File Retrospection: retrospective alerting after an attack

ESA – AMP Threat Grid Process Flow (Threat Grid in the Cloud)
1. Email sent from Internet
2. Accepted by ESA Appliance
3. Email passed through security stack on ESA
4. Threat intelligence from AMP Cloud used to determine if email or attachments match malicious indicators (SHA Lookup)
5. If the file is still suspicious and qualifies for sandboxing, it is sent to the cloud instance of AMP Threat Grid for analysis
6. Threat Grid cloud allows malware to access the Internet and retrieve additional files
7. If AMP Threat Grid malware analysis determines that it has serious malicious behaviors and indicators, the AMP Cloud is updated (poked) to mark the file as bad
8. ESA polls and is updated to mark the file as bad
9. ESA processes the file accordingly and sends the email, sends an email notification, or quarantines the email

If a file's disposition changes in the AMP cloud, then the ESA gets informed about it!
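The process flow above, as an added example that is not part of the original deck and not Cisco's code: a small simulation of the SHA lookup (step 4), the sandbox verdict poking the cloud (step 7), the ESA poll (step 8) and the resulting retrospective alert. The class names AmpCloud and Esa, the run_flow helper and the attachment bytes are all constructed here; it also assumes the ESA delivers a message whose attachment is still unknown while sandboxing is pending, which is what makes retrospection necessary.

```python
import hashlib


def sha256(data: bytes) -> str:
    """SHA-256 of an attachment; the key used for the AMP cloud lookup (step 4)."""
    return hashlib.sha256(data).hexdigest()


class AmpCloud:
    """Mock of the AMP cloud file-reputation service (steps 4 and 7)."""

    def __init__(self):
        self.dispositions = {}  # sha256 -> "clean" | "malicious"

    def lookup(self, sha: str) -> str:
        return self.dispositions.get(sha, "unknown")

    def poke(self, sha: str, disposition: str) -> None:
        """Threat Grid updates the cloud after sandbox analysis (step 7)."""
        self.dispositions[sha] = disposition


class Esa:
    """Mock ESA: quarantines known-bad files, tracks delivered hashes, polls for changes."""

    def __init__(self, cloud: AmpCloud):
        self.cloud = cloud
        self.delivered = {}   # sha256 -> message ids already delivered (assumed behaviour)
        self.quarantined = []

    def process(self, msg_id: str, attachment: bytes) -> str:
        sha = sha256(attachment)
        if self.cloud.lookup(sha) == "malicious":
            self.quarantined.append(msg_id)            # step 9: quarantine
            return "quarantined"
        # "unknown" qualifies for sandboxing (step 5); the hash is kept so the
        # ESA can act retrospectively when the disposition changes later.
        self.delivered.setdefault(sha, []).append(msg_id)
        return "delivered"

    def poll(self):
        """Step 8: re-check every delivered hash and return retrospective alerts."""
        alerts = []
        for sha, msg_ids in list(self.delivered.items()):
            if self.cloud.lookup(sha) == "malicious":
                alerts.extend((m, sha) for m in msg_ids)
                del self.delivered[sha]
        return alerts


def run_flow():
    cloud, sample = AmpCloud(), b"constructed-attachment-sample"  # constructed, not real malware
    esa = Esa(cloud)
    first = esa.process("msg-1", sample)        # unknown hash: delivered, sent to sandbox
    cloud.poke(sha256(sample), "malicious")     # sandbox verdict pokes the cloud (step 7)
    alerts = esa.poll()                         # retrospective alert for msg-1 (step 8)
    second = esa.process("msg-2", sample)       # same file is now blocked at lookup (step 4)
    return first, alerts, second
```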