Cisco Blogs



Cisco AMP Just Got Better – Enhancements for Continuous Breach Detection, Response, and Remediation

Breaches happen.

It makes us cringe to say it, but it’s the obvious truth. A week doesn’t go by that we don’t hear about the latest breach in the news. All of us in the IT security industry would love to say, “our technology can prevent all breaches.” But it’s a pipe dream. Being able to prevent 100 percent of breaches or detect all threats trying to infiltrate the network is simply not reality.

Of course, we prevent what we can. And we can get pretty close. In fact, Cisco Advanced Malware Protection (AMP) was shown to block 99 percent of incoming malware in a comparative test on Breach Detection Systems done by NSS Labs. Ninety-nine percent is pretty darn good, and in fact, Cisco AMP emerged a leader in that test. But still, it only takes one percent to cause a breach.

When malware gets through your front-line defenses, you need continuous threat protection in place that can quickly detect it, contain it, and remediate it before damage can be done. Cisco AMP provides the visibility and control to do exactly that. Even after files are initially inspected, AMP’s continuous analysis engines constantly monitor activity on endpoints, mobile devices, and in the network to spot any signs of malicious behavior, and provide continuous detection of threats in your environment. As a result, you have protection before, during, and after an attack.

Today I am excited to announce that Cisco AMP just got even better. We are announcing new features and new innovations that enhance Cisco AMP’s protection capabilities and continuous threat protection in the following areas:

Continuous Detection and Retrospective Security

  • AMP still provides continuous analysis of files after an attack so that you can see the complete ancestry of an attack, scope a compromise, and continuously detect and uncover evasive threats. You get deep visibility to see threats in your environment and the control to quickly stop them.
  • Endpoint Indications of Compromise (IoCs) in AMP for Endpoints now lets users submit their own IoCs using the open IoC standard to catch targeted attacks.
  • The Low Prevalence feature in AMP for Endpoints uncovers stealthy, targeted threats that were only seen by a small number of users and automatically sends them for sandbox analysis.

Threat Intelligence and Dynamic Malware Analysis

  • The recent integration of Threat Grid capabilities into AMP gives you context-rich threat intelligence feeds, over 350 unique behavioral indicators that analyze the actions of a file, easy to understand threat scores and analytics, and billions of malware artifacts at your disposal to improve your ability to detect and prevent future attacks. These capabilities and more are also available as a standalone threat intelligence and dynamic malware analysis solution via AMP Threat Grid.
  • The new Vulnerabilities feature in AMP for Endpoints identifies vulnerable software being targeted by malware, and the potential exploit, providing you with a prioritized list of hosts to patch.

Deployment Flexibility and Choice

  • Deploy the solution how and where you want it: on the endpoint, mobile devices, in the network on a Cisco FirePOWER Next-Generation IPS security appliance, on a Cisco ASA firewall, and on web and email gateways. You can also deploy AMP Threat Grid as a standalone threat intelligence and dynamic malware analysis solution.
  • No need to manage multiple security platforms or deploy multiple appliances. Cisco AMP is fully integrated with Cisco security products for ease of deployment, ease of use, and ease of operation.

To learn more about these innovations, visit our Cisco Security Launch page to watch videos, product demos, customer testimonials, and more.


Endpoint Visibility to Combat Advanced Attacks – I Want That

Protecting data, maintaining compliance, and enabling the business is a balancing act. Put too many controls in place and you inhibit workflow. Rely exclusively on traditional security tools and you lack the visibility to detect and respond to advanced attacks quickly.

The industrialization of hacking has created an effective and efficient criminal economy. Attackers are fast and the malware they write and resell is smart, able to evade traditional defenses and quick to do damage. If attackers get through – and they will since there is no such thing as 100% breach prevention – IT security professionals need to be able to detect potential malicious activity as it happens, analyze it, and take action. And, increasingly, network-centric detection is not enough.

An explosion of new, untethered devices means that endpoints extend everywhere and so does the workplace you need to protect. Windows and Mac desktops and laptops, tablets and smartphones, and even smart watches make it possible to connect back to the corporate network anytime from anywhere. Attackers are taking advantage of this proliferation of endpoints and using gaps in security to drive their attacks home. Endpoint visibility is becoming a must-have.

To combat these more frequent and destructive attacks, you need to see beyond traditional indicators of a breach, like a signature, a hash, or an IP address, to identify behavior-based activity that may point to malicious intent. This visibility must be on workstations so that you can track executables and processes across your environment and cut detection time down to minutes or seconds. You also need to maintain that visibility whether devices are connected to a protected network or roaming on public or personal in-home Wi-Fi.

Cisco Advanced Malware Protection (AMP) for Endpoints gives you the visibility and control you need to protect data, maintain compliance, and enable the business – everywhere workers may be. For example, the Prevalence capability in Cisco AMP displays files that have been executed across the organization ordered from lowest to highest number of instances. Files with low prevalence likely indicate a malicious executable you need to investigate. And because AMP is cloud-based you can continue to track devices and deliver the same level of protection whether devices are on or off the network.
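The prevalence ranking described above, and the automatic sandbox hand-off the Low Prevalence feature in the earlier post mentions, as an added example (not Cisco AMP code): it counts the distinct hosts that executed each file hash from constructed execution telemetry, orders the hashes from lowest to highest prevalence, and returns the rarest ones as candidates for analysis. The record layout, host names and hashes are all assumptions made up for the example.

```python
"""Low-prevalence ranking of executed files across an endpoint fleet.

Added example, not Cisco AMP code. Assumes execution telemetry exported
as (host, sha256, path) records; the records below are constructed.
"""
from collections import defaultdict
from typing import Iterable, NamedTuple


class ExecEvent(NamedTuple):
    host: str
    sha256: str
    path: str


# Constructed sample telemetry: three workstations run the same two
# programs, and one of them also runs a file no other host has executed.
SAMPLE_EVENTS = [
    ExecEvent("ws-001", "a" * 64, r"C:\Windows\explorer.exe"),
    ExecEvent("ws-002", "a" * 64, r"C:\Windows\explorer.exe"),
    ExecEvent("ws-003", "a" * 64, r"C:\Windows\explorer.exe"),
    ExecEvent("ws-001", "b" * 64, r"C:\Program Files\Acme\acme.exe"),
    ExecEvent("ws-002", "b" * 64, r"C:\Program Files\Acme\acme.exe"),
    ExecEvent("ws-003", "b" * 64, r"C:\Program Files\Acme\acme.exe"),
    ExecEvent("ws-003", "b" * 64, r"C:\Program Files\Acme\acme.exe"),  # re-run
    ExecEvent("ws-002", "c" * 64, r"C:\Users\jdoe\AppData\Local\Temp\invoice.exe"),
    ExecEvent("ws-002", "c" * 64, r"C:\Users\jdoe\AppData\Local\Temp\invoice.exe"),
]


def prevalence(events: Iterable[ExecEvent]) -> dict[str, set[str]]:
    """Map each file hash to the set of distinct hosts that executed it.

    Counting distinct hosts rather than raw executions means one host
    re-running a file many times does not make it look widespread.
    """
    hosts_by_hash: dict[str, set[str]] = defaultdict(set)
    for ev in events:
        hosts_by_hash[ev.sha256].add(ev.host)
    return hosts_by_hash


def rank_by_prevalence(events: Iterable[ExecEvent]) -> list[tuple[str, int]]:
    """(sha256, host_count) pairs ordered from lowest to highest prevalence."""
    return sorted(((h, len(s)) for h, s in prevalence(events).items()),
                  key=lambda item: (item[1], item[0]))


def low_prevalence_candidates(events: Iterable[ExecEvent], max_hosts: int = 1) -> list[str]:
    """Hashes run on at most `max_hosts` hosts: candidates for sandbox submission."""
    return [h for h, n in rank_by_prevalence(events) if n <= max_hosts]
```

Raising `max_hosts` widens the net for a larger fleet; the point of the threshold is to surface files that only a handful of users ever executed.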

Customers across a broad range of industries are using Cisco AMP for Endpoints to increase protection against today’s elusive attacks. Listen to Tim McGuffin, Information Security Officer at Sam Houston State University, describe how his team used Cisco AMP for Endpoints to detect and respond to a malware attack disguised as bad user behavior, and how they maintain a secure infrastructure while ensuring academic freedom and research.


AMP Threat Grid Empowers Law Enforcement to Fight Cybercrime

Recognizing the critical need for state and local law enforcement agencies to have state-of-the-art technologies to effectively fight digital crime, Cisco is creating the AMP Threat Grid for Law Enforcement Program. The program is designed to empower those working to protect our communities from cybercriminals with its dynamic malware analysis and threat intelligence platform.

Computers are central to modern criminal investigations, whether as instruments to commit the crime, as is the case for phishing, hacking, fraud or child exploitation; or as a storage repository for evidence of the crime, which is the case for virtually any crime. In addition, those using computers for criminal activity continue to become more sophisticated, and state and local law enforcement agencies struggle to keep up with their internal computer forensics / digital investigation capabilities. Malware analysis is also a critical part of digital investigations: to prove or disprove a “Trojan Defense” for suspects, wherein the accused rightly or falsely claims a malicious software program conducted the criminal activity and not the user; and to investigate unknown software and suspicious files on the computers of the victims of cybercriminal activity for evidence of the crime.


Equation Coverage

Cisco Talos is aware of the public discourse surrounding the malware family dubbed “The Equation Family”. As of February 17th, the following rules (33543 – 33546 MALWARE-CNC Win.Trojan.Equation) were released to detect Equation Family traffic. These rules may be found in the Cisco FireSIGHT Management Console (Defense Center), or in the Subscriber Ruleset on Snort.org. Talos security researchers have also added the associated IPs, domains, URLs, and hashes to all Cisco security devices to provide immediate protection across the network. Talos will continue to monitor public information and to independently research this malware family in order to extend coverage.

Coverage table:
Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.

CWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.

The Network Security protection of IPS and NGFW has up-to-date signatures to detect malicious network activity by these threat actors.

While email has not been observed as an attack vector, ESA is capable of blocking the malware used in this campaign.


How AMP Threat Grid Accelerates Incident Response with Artifacts, Content, and Correlation

As a result of Cisco’s acquisition last May, ThreatGRID is now part of the Cisco Advanced Malware Protection (AMP) portfolio as AMP Threat Grid. The acquisition expands Cisco AMP capabilities in the areas of dynamic analysis and threat intelligence technology, both on-premises and in the cloud. AMP Threat Grid extends Cisco AMP with even greater visibility, context, and control over sophisticated threats. Security analysts and incident response teams can augment their forensic analysis to detect and stop evasive attacks faster than ever.

AMP Threat Grid is not simply another dynamic analysis platform or sandbox. While the solution does leverage various dynamic analysis techniques and ‘sandboxing’ to produce content, it also acts as a content engine so that you can more quickly and easily extract insights from the data. AMP Threat Grid treats all of its analysis as content, making it available to the user via a portal or API. AMP Threat Grid also doesn’t stop at a single analysis technique; instead it applies multiple dynamic and static analysis engines to submitted samples – all produced disk, network, and memory artifacts – in order to generate as rich a source of data as possible.
