Pushing Security from Edge to Endpoint
On November 3rd, Cisco announced that we are extending our Security Everywhere strategy with new solutions and services aimed at helping our customers gain greater visibility, context, and control from the cloud to the network to the endpoint. Providing organizations more visibility means being able to see all their systems, not just Windows but Mac, mobile, virtual machines, and now Linux!
AMP for Endpoints now has a dedicated Linux connector. Attacks against datacenters are on the rise. Given that these systems hold highly sensitive customer and corporate data, and more often than not the custom applications that are central to day-to-day business, organizations need deep visibility into these attack vectors in order to prevent, detect, scope, contain, and remediate targeted attacks faster and more efficiently. At the moment, the Linux connector is available for RHEL 6.5 and 6.6 as well as CentOS 6.4, 6.5 and 6.6. It is available to all current AMP customers with existing accounts, and will also be available to ELA v4 customers.
Edge to Endpoint Malware Analysis
A critical component of this launch is the extension of our advanced malware analysis and threat intelligence solution, AMP Threat Grid.
We have integrated AMP Threat Grid into our ASA with FirePOWER Services models, FirePOWER NGIPS appliances and the AMP for Networks solution. These are three huge integrations that can now tap into the power of the Threat Grid malware analysis engine. Why is this so big? Well, we acquired ThreatGRID in the summer of 2014. By January 2015 we had it integrated into our AMP for Endpoints products. We reached another critical milestone in the summer of 2015 by adding the AMP Threat Grid sandboxing capability to Cisco’s Email and Web Security solutions. Now, just a few months later, we are realizing the vision of providing full edge-to-endpoint sandboxing on a single platform – AMP Threat Grid. This is immensely powerful for anyone using the solution.
As a cloud-based platform, all potential malware submissions, except those marked private, are searchable in the AMP Threat Grid database. You are not limited to the threats against your own company; you can see what is targeting everyone around the world, giving you the benefit of shared threat intelligence and situational awareness of the malware that all our users are seeing. The AMP Threat Grid knowledge base can be searched on 25 different variables. So if you just want to see the most common behavioral indicators (like IoCs, but behavior-based rather than signature-based), or which domains or IPs are serving up malware today, you can.
Integration also makes life easier for the many organizations that today work with an average of 30 security vendors, and that is on the low side; some have reported as many as 90. That is an incredible amount to manage and maintain. With edge-to-endpoint integrations across Cisco security technologies, we can help reduce this complexity and fragmentation. AMP Threat Grid has a robust REST API that can be used to integrate with your existing tools. Whether you use Guidance Software's EnCase, which can automatically submit samples to Threat Grid, Tenable's Nessus scanner, which automatically consumes threat intelligence from AMP Threat Grid, or any of the other third-party integrations Cisco security solutions support, and whether you run the Threat Grid appliance or the SaaS offering, this will not be just another screen for SOC analysts to stare at. AMP Threat Grid provides a common analysis platform across your entire security infrastructure!
32- and 64-bit analysis
Malware authors are, in general, financially motivated. This is why we have seen such a rise in ransomware. It is a shotgun approach: infect a lot of people and have each of them pay out a little money. In the case of the well-known Angler Exploit Kit, the take was an estimated $60 million per year. Malware authors are going to continue to follow the money. As 64-bit systems become more commonplace and more software is written for them, more malware will be written specifically to infiltrate these systems. AMP Threat Grid includes the option to use a Windows 64-bit environment to analyze potential malware samples. We populate the virtual environment with a host of standard software to replicate actual endpoints, providing accurate, context-rich analysis.
With the rise of stealthy, environment-aware malware, we also offer a feature called Glovebox. Just as dangerous pathogens are handled inside a closed chamber when working with bio-hazards, Glovebox lets you interact with the malware in a safe environment that prevents contamination. Some malware requires a user to interact with the system, for example by opening a browser or clicking a dialog box; if none of these actions happens, the malware remains dormant to avoid detection. With Glovebox you can safely perform those interactions, observe the malware's behavior, discern its true intent, and build better detection from what you see.
AMP Threat Grid in Action
If you would like an in-depth look at market drivers with Forrester analyst Rick Holland, and to hear how ADP is using AMP Threat Grid, including for detecting vicious ransomware, watch the webinar "Get Your Head Out Of The Sandbox".