Preventing malware incidents is very much like preventing bad things from happening in our day-to-day life. We all take precautions every day (well, most of us do, anyway): actions as simple as carrying an umbrella when rain is forecast, buckling a safety belt when driving, or using sunscreen when it gets sunny and hot. All of this is known as risk management. We want to build walls high enough to protect ourselves and the companies we work for. However, despite the measures taken, malware incidents will still occur.
That leads us to the need to build a robust incident handling practice in order to help address malware outbreaks: a practice driven by passionate people, well-thought-out processes, and a tightly integrated security architecture.
Advanced Security Architecture
Cisco has built, acquired and partnered to deliver a security architecture that facilitates the sharing of context, policy, event, and threat intelligence. Native integrations between the products provide simplicity through automation, save time and money for security operations, improve workflows, and expedite threat detection while optimizing resource usage and minimizing risk.
Cisco AMP Unity is the new capability that delivers visibility and control to allow customers to investigate threat delivery vectors, identify the scope of compromise, and contain threats faster. Organizations can now see all of their AMP-enabled devices in the AMP console. That’s right, any organization that has an AMP subscription as part of their Cisco firewall, IPS, email, or web security solution can now see and investigate malware trajectory in the Cisco AMP for Endpoints console.
This integration allows the investigator to easily correlate threat propagation data and view how files traverse their infrastructure to determine how and when they were delivered. It helps eliminate the need to log in to each of the relevant user interfaces separately to determine whether a threat was delivered through one vector or another, saving time when it is needed most. AMP Unity also lets a security analyst contain an identified threat consistently across all major threat delivery vectors. A unified custom file blacklist (or a file whitelist) can be created through the AMP console and seamlessly applied across the entire security architecture. That helps ensure that endpoints (AMP for Endpoints), email (appliance and cloud) and web gateways (Web Security Appliance), as well as network security devices (NGIPS and NGFW), honor your containment strategy.
Cisco Security Incident Response Service posted a blog on the process of incident response, available here. AMP Unity empowers security analysts to be more effective at the most complex phase of the incident handling process described in that blog: the threat detection and analysis phase.
This phase is particularly challenging because it requires analysts to assign priority ratings to incidents. Multiple criteria make sense here, starting with how the malware entered the environment, which hosts and networks it is affecting, and how it is impacting them. That rating is likely to influence how soon you should react to a particular outbreak and which containment actions should be taken.
Containment could include a myriad of actions. Whether it’s providing the user with instructions to contain a malware incident, shutting down and blocking services abused by malware, blacklisting files involved in a threat, or placing any other restrictions on the network to contain an incident, the objective remains the same. Containment is meant to stop the spread of malware and prevent further damage to the endpoints while attempting to minimize the impact on the business. And that’s where the second major advantage of leveraging a security architecture powered by AMP Unity comes into play.
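As an added illustration (not code from this post and not a Cisco API), here is how the cross-vector correlation and prioritization described above can look in practice: constructed detections that share a file hash are stitched into a trajectory, the earliest sighting gives the delivery vector, endpoint sightings give the scope, a simple rating follows the criteria above, and a single containment entry is produced for every enforcement point. The event format, device labels, thresholds and hash values are assumptions made for the example.

```python
# Constructed detections from several enforcement points (not real data).
# Each event carries the file hash, which is what lets the vectors be correlated.
EVENTS = [
    {"ts": "2018-04-02T09:14Z", "vector": "email", "device": "email appliance", "host": "mailgw1", "sha256": "HASH-A", "action": "delivered"},
    {"ts": "2018-04-02T09:20Z", "vector": "endpoint", "device": "AMP for Endpoints", "host": "ws-finance-07", "sha256": "HASH-A", "action": "created"},
    {"ts": "2018-04-02T09:21Z", "vector": "endpoint", "device": "AMP for Endpoints", "host": "ws-finance-07", "sha256": "HASH-A", "action": "executed"},
    {"ts": "2018-04-02T09:40Z", "vector": "web", "device": "Web Security Appliance", "host": "ws-hr-02", "sha256": "HASH-B", "action": "downloaded"},
    {"ts": "2018-04-02T09:55Z", "vector": "endpoint", "device": "AMP for Endpoints", "host": "ws-eng-11", "sha256": "HASH-A", "action": "created"},
    {"ts": "2018-04-02T10:05Z", "vector": "network", "device": "NGFW", "host": "fw-edge", "sha256": "HASH-A", "action": "blocked"},
]


def trajectory(events, sha256):
    """Time-ordered path of one file across every vector that saw it."""
    return sorted((e for e in events if e["sha256"] == sha256), key=lambda e: e["ts"])


def delivery_vector(traj):
    """The earliest sighting tells the analyst how the file got in."""
    return traj[0]["vector"] if traj else None


def affected_hosts(traj):
    """Hosts where the file actually landed on disk (endpoint sightings only)."""
    return sorted({e["host"] for e in traj if e["vector"] == "endpoint"})


def priority(traj):
    """Rating from the criteria in the text: entry vector, spread, and impact.
    The thresholds are illustrative assumptions, not a Cisco scoring scheme."""
    hosts = affected_hosts(traj)
    score = 1
    if any(e["action"] == "executed" for e in traj):
        score += 2  # impact: the file ran rather than just sitting on disk
    score += 2 if len(hosts) >= 3 else (1 if hosts else 0)  # spread
    if delivery_vector(traj) == "email":
        score += 1  # lands directly in user mailboxes
    return {5: "critical", 4: "high", 3: "medium", 2: "low"}.get(score, "low")


def containment_entry(sha256):
    """One custom blacklist entry pushed to every enforcement point at once,
    mirroring the unified blacklist the text describes."""
    return {"sha256": sha256, "enforce_on": ["endpoint", "email", "web", "network"]}


if __name__ == "__main__":
    for h in ("HASH-A", "HASH-B"):
        t = trajectory(EVENTS, h)
        print(h, delivery_vector(t), affected_hosts(t), priority(t), containment_entry(h))
```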
Review these videos for a more detailed feature overview and demo:
AMP Unity – Feature Overview:
AMP Unity – FMC Integration:
Conclusion
Threat investigations are often very complex and require a systematic approach to analysis, containment, and recovery. With malware incidents, especially widespread ones (such as fast-spreading worms), organizations should use a strategy that provides fast visibility into threat propagation and allows them to contain an incident as quickly as possible. At Cisco, we always strive to help customers streamline security operations by developing an architecture that is simple, open and automated: an architecture that is real, that works, and that is here right now!
Make sure to check in for more blogs on the subject, as new security integrations come to life.
You can test AMP for Endpoints yourself with a free trial.