At RSA this year and last, Marty Roesch, VP and Chief Architect for Cisco’s Security Business Group, talked about the need for an integrated threat defense to drive systemic response. The idea is to correlate and analyze data and telemetry from the multiple security technologies that organizations have deployed across different control points, and then to define what “looks bad” consistently and in one place via a single visibility platform. With that visibility and context, you can drive a simultaneous and instant response across the entire infrastructure.

This strategy makes a lot of sense, especially given the nature of the advanced malware problem with multiple attackers launching multifaceted attacks using multiple attack vectors across your architecture. With a combination of attacks joining forces and coming at you from all angles, shouldn’t your security tools also join forces to better protect you? To do this, the security technologies you’ve deployed across networks, endpoints, web and email gateways, virtual systems, mobile devices, and the cloud need to be able to share information to detect, contain, and respond to attacks faster and more effectively. More specifically, an integrated threat defense is:

Great for Detection. Malware is stealthy, often flying under the radar. But when tools can talk to each other and share information about behaviors they see in the environment, they can identify the weird one-offs. It’s these nuanced anomalies that we haven’t seen before that can indicate part of a larger attack that could go unnoticed. If you can correlate telemetry and threat events and share that information, you can uncover relationships between malware to detect different attacks and techniques being used simultaneously.

Great for Outbreak Control. Once a threat is detected, and each control point knows about the threat, they can lock down their respective areas. It’s no different from a state-of-the-art museum security system. If a threat is detected in one area, then all rooms in the building are quickly closed off to contain the threat. This requires an interconnected system working as one, not multiple disparate systems that don’t communicate. If that were the case, the thief could easily navigate through the other security control points to escape.

Great for Remediation. Going beyond outbreak control, if every tool has visibility into where the threat is, where it has been, and what it’s doing, then time-to-remediation (at the source and across all affected areas) is accelerated. And knowing that 60% of all data is obfuscated within just a few hours of attack, time is of the essence here.

The Cisco Advanced Malware Protection (AMP) technology and portfolio of products share many of the characteristics that Marty outlined as being essential for an integrated threat defense and systemic response. AMP is a technology that can be deployed across many different security control points: on the network, endpoint, servers, mobile devices, email, and web. When these different deployments are used together, they communicate and share information. For instance, when the network sees a threat, the endpoint knows about it. When the endpoint detects malicious behavior, the network is notified and can contain network-level communications. With more “AMP eyes” in more places across your network, and communication of threats between security control points, organizations can more quickly detect, contain, and remediate threats.

An integrated threat defense can turn the fight against advanced malware in your favor. To learn more about the ways in which AMP can achieve this, visit www.cisco.com/go/amp and see how Cisco’s own IT security group used AMP technology deployed on the network, web, and email to decrease management complexity, increase detections, and better protect their organization.



Authors

John Dominguez

Product Marketing

Cisco Security Business Group