A few years ago sandboxing technology really came of age in the security industry. The ability to emulate an environment, detonate a file without risk of infection, and analyze its behavior became quite a handy research tool. Since then, sandboxes have become relatively popular (not nearly on the same scale as anti-virus or firewalls) and can be found in larger organizations. You may even have purchased a sandbox a few years ago, but it’s likely that your malware analysis needs have gone beyond the traditional sandboxing technologies that simply extract suspicious samples, analyze in a local virtual machine, and quarantine.
It’s time to go beyond using sandboxing as a standalone capability in order to get the most out of it. You need a more robust malware analysis tool that fits seamlessly into your infrastructure and can continuously detect even the most advanced threats that are environmentally aware and can evade detection.
There are three typical ways that organizations purchase and deploy sandbox technology.
- A stand-alone solution designed to feed itself samples for analysis without dependency on other security products. This has the most flexibility in deployment but adds significant hardware costs and complexity to management and analysis, especially for distributed enterprises.
- A distributed feeding sensor approach, such as firewalls, IPS, or UTMs with built-in sandboxing capabilities. These solutions are usually cost effective and easy to deploy but are less effective in detecting a broad range of suspicious files including web files. They can also introduce bandwidth limitations that can hamper network performance and privacy concerns when a cloud-based solution is the only option.
- Built into secure content gateways, such as web or email gateways. This approach is also cost effective but focuses on web and email channels only and also introduces performance limitations and privacy concerns.
But there’s a fourth way that actually takes the best of what these approaches offer and raises the bar to help you fight well-funded attackers that get better at what they do every day: Cisco AMP Threat Grid. Through AMP Threat Grid, Cisco offers advanced malware analysis and intelligence that delivers a better ROI, better integration, and more visibility into what is happening in your environment. Don’t take my word for it, though. The Center for Internet Security recently described how they are using it to analyze malware samples from more than 19,000 state, local, tribal, and territorial governments.
AMP Threat Grid is available as an on-premises standalone malware analysis solution and as a cloud-based SaaS solution that provides a REST API to automate sample submissions from a wide range of technologies you have already invested in, including:
- Firewalls and Unified Threat Management (UTM) devices from the most popular vendors, including, of course, Cisco ASA
- Gateways for both Email and Web traffic
- Proxy Servers
- Security Information and Event Management (SIEM) systems
- Governance, Risk, and Compliance (GRC) tools
- And numerous others
Cisco has already integrated AMP Threat Grid’s malware analysis capabilities into AMP for Endpoints. This provides advanced malware analysis as part of AMP’s powerful continuous analysis and retrospective security capabilities. AMP Threat Grid is also integrated into Cisco Email and Web security solutions, providing more eyes in more places. Watch this video to hear how ADP have integrated AMP Threat Grid into their business to become an intelligence-led security organization
Each of these solutions eliminates cost and complexity while offering the ability to analyze a broad range of suspicious objects automatically, including executables, libraries (DLLs), Java, PDF, MS Office documents, XML, Flash, and URLs. Most submissions are analyzed in an average of 7.5 minutes. Not only does AMP Threat Grid analyze a broad range of objects, but it also provides deep analytics capabilities wrapped with robust context. With over 450 behavioral indicators and a malware knowledge base sourced from around the globe, AMP Threat Grid provides more accurate, context rich analytics into malware than ever before.
All samples are given a threat score based on severity and confidence that provides a quick and easy way for junior security analysts to prioritize actions and make better decisions. The threat score is on a 0-100 range, with 100 being known malware and the rest ranging from suspicious to benign because malware is not a yes or no answer.
Perhaps even most importantly, AMP Threat Grid knows its audience; it has no instrumentation within the virtual environment ensuring that even the most sophisticated environment-aware malware is caught. It’s an essential way to rise to the challenge of advanced attackers.
To hear more about how your organization to move beyond the sandbox, watch this webinar featuring experts from Forrester Research, ADP, and Cisco.
Tags: AMP Threat Grid, malware, sandbox, security
Discovered by Andrea Allievi and Piotr Bania of Cisco Talos.
Talos, in conjunction with Microsoft’s security advisory issued on September 8th, is disclosing the discovery of a memory corruption vulnerability within the Microsoft Windows CDD Font Parsing Kernel Driver. This vulnerability was initially discovered by the Talos and reported in accordance with responsible disclosure policies to Microsoft. Please see Talos’s Microsoft Tuesday Blog for coverage information for this vulnerability. Read the full Talos Vulnerability Report via the talosintel.com portal here: TALOS-2015-0007
A specially crafted font file can cause the Microsoft Windows CDD Font Parsing Kernel driver to corrupt internal memory structures. The DrvTextOut routine acquires and locks the associated device and behaves differently based on the surface type. If the type is a bitmap and the Windows DWM is on, the driver will read and write directly to the video frame buffer and calls EngTextOut, then exits. However, the driver behaves in an unexpected manner where a new background rect is generated mixing the “OpaqueRect” rectangle located in the sixth parameter and the rectangle located in the “pStringTextObj” object.
If the ClipObject describes a NON-Trivial clip, even the “rclBounds” of the clip object is merged to the background rectangle. The Font Object is parsed, and finally the routine decides if it should clip the background rect or not.
The final decision is based on the following check:
Read More »
Tags: 0-day, security, Talos, vulnerability spotlight
Frequent and major cybersecurity breaches have occurred this year, with some causing immense financial damage across many industry segments and leading to a loss of reputation and in some cases lost customers. This puts security top of mind for organizations of all sizes, and it’s definitely a number one priority for Cisco.
Today is an exciting day for Cisco and its partner ecosystem as we announce the close of the acquisition of OpenDNS, a privately held security company headquartered in San Francisco that offers advanced threat protection for any device, anywhere, anytime delivered in a Software-as-a-Service (SaaS) model. The acquisition builds on Cisco’s Security Everywhere strategy, adding broad visibility and threat intelligence. OpenDNS offers a cloud-delivered security platform that accelerates time to value, as it’s fast and easy-to-deploy. Through our integration efforts OpenDNS accelerates the delivery of the Cisco’s cloud-delivered security portfolio, strengthening our advanced threat protection capabilities.
Cisco is committed to being the security market leader, together with our partners, across all industry segments. The OpenDNS acquisition is well aligned to Cisco’s goal of developing innovative security offerings and accelerating sales for partners. In fact, today we are announcing our first integration between the technology platforms of OpenDNS Umbrella and Cisco AMP Threat Grid. And, we’ll announce more offers in the coming quarters that integrate OpenDNS technology into the industry’s most comprehensive security portfolio. Read More »
Tags: Cisco, opendns, partner, security
ITD (Intelligent Traffic Director) is getting a lot of interest about transparent (Layer 2) mode device support.
Here is a 10 minute video that shows step by step ITD deployment for Transparent mode security devices, such as Firewalls, IPS, IDS, Web application Firewalls (WAF), ASA, Cisco Sourcefire, etc:
ITD is a hardware based multi-Tbps Layer 4 load-balancing, traffic steering and clustering solution on Nexus 5k/6k/7k/9k series of switches. It supports IP-stickiness, resiliency, NAT (EFT), VIP, health monitoring, sophisticated failure handling policies, N+M redundancy, IPv4, IPv6, VRF, weighted load-balancing, bi-directional flow-coherency, and IPSLA probes including DNS. There is no service module or external appliance needed.
Solution Guide: ITD with Layer 2 Firewall / IPS / IDS
Here is more information about ITD: www.cisco.com/go/itd
Please send email to firstname.lastname@example.org if you have any questions.
Tags: #BestofInterop, #CiscoITD, #CiscoLive2015, #CLUS, ACI, ASA, best of interop, Best of Interop 2015, Best of Interop Finalist, Big Data, Cisco, Cisco Nexus, Cisco Nexus 5600, Cisco Nexus 7000, Cisco Nexus 9000, Cisco Nexus Switches, ciscolive, cloud, Cloud Computing, data center, innovation, interop, IPS, ITD, load balancer, nexus, Nexus 7000, NFV, SDN, security, server load balancer, Service Provider, Sourcefire, video
Much has been published in the industry about how automation will result in job loss e.g. the book, The Second Machine Age, as an example.
Further, the question is obvious as to whether or not the skills you have today will be relevant tomorrow?
Such discussions have been occurring for the past several years since the financial crisis of 2008; and the question now pondered by enterprises and governments is :
- How do we grow the middle class?
- How do we provide skills to under-served communities?
Read More »
Tags: Cisco, connected devices, Disruption, future of technology, innovation, inter-cloud, IoE, jobs, security