A New World of Endpoint Security - SANS Institute


Farzad Bakhtiar

Product Line Manager, Cisco Endpoint Security

July 23, 2020

Unifying user and endpoint protection

A New World of Endpoint Security

What’s driving endpoint security transformation?

Diverse and growing threat landscape

Digital transformation and move to the cloud

Rapidly expanding attack surface, e.g. remote work

Today’s reality…

“I don’t have enough time to go after every new threat, alert, patch and compromised devices accessing critical apps.”

Challenge:

Time

“My team can’t be experts on every new threat, threat hunting, and all complianceand privacy mandates.”

Challenge:

Expertise

“We can’t always get to the root cause of every attack, stolen credentials, or find the best security/productivity balance.”

Challenge:

Evidence

Organizations are stuck in the vortex of endpoint operational challenges

What’s needed?

Integrated security architecture approach to endpoint security

Multifaceted prevention

Multi-domain detection and response

User access

Threat intelligence

Automation and coordinated defense using a built-in platform

Security stack integration

How to address your endpoint security

challenges?

Redefining endpoint security: a solution that unifies user and endpoint protection

+ Multi-factor Authentication

+ Risk-based Access Control

+ Posture

+ Virtual Private Network

+ Machine Learning

+ Next Gen Antivirus

+ Fileless Malware / Ransomware Protection

+ Internet Protection

+ Advanced EDR

+ Threat Hunting

+ Attack Surface Reduction

Security that Works Together

SecureX

+ Unified Visibility

+ Automation & Orchestration

+ Accelerated threat response

Secure and Trusted Access: to let the good guys in

Block Threats Before Compromise: to keep the bad guys out

Cisco Endpoint Security: Dynamic Breach Defense

Continuous Detection and Response: to catch anything that slips through

Cisco SecureX - Security that Works Together with a Built-in Platform

Block Threats Before They Compromise You: to keep the bad guys out

In Memory

Exploit Prevention / Fileless Malware Protection

System Process Protection

On Disk

AMP Cloud / File Reputation

Malicious Activity / Ransomware Protection

Antivirus

Custom Detections

Post Infection

Anomaly Detection

Cloud & Endpoint IOCs

Behavior Analysis

Protect Across the Kill Chain

Machine Learning

Block Threats: Protect endpoints everywhere with powerful protection engines

Internet Protection

If malware gets in:

• Immediate detection

• Removed automatically from endpoints

• Blocked across network, endpoints, email and cloud

Block Threats: Save time and block more with security that works together. See once, block everywhere.

Continuous Detection and Response: to catch what gets through

Know everything about the endpoint and respond with advanced EDR + XDR

• Continuous activity monitoring

• Advanced endpoint search

• Sandboxing

• Cloud IOCs

• Threat hunting

• Vulnerable and low prevalence software identification

• Unmanaged endpoint discovery

• Custom block/allow lists for files and network traffic

• Application control and allow list

• Endpoint isolation

• Accelerate threat response with an integrated security platform

EDR + XDR

Detect and Respond

Detection Response

Cross-control detection and response

Eliminate blind spots with continuous monitoring and retrospective alerting

What happened?

Where did the malware come from?

Where has the malware been?

What is it doing?

How do we stop it?
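The questions above are what retrospective alerting is meant to answer: observations are stored even while a file still looks clean, so that when a reputation verdict later flips to malicious, the stored trail shows where the file entered, which hosts it has touched and what needs containing. The following is an added example, not Cisco code; the events, host names, paths and the hashes are all constructed, and `Trajectory` and `retrospective_alert` are illustrative names.

```python
"""Retrospective alerting over a stored endpoint file trajectory (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional


@dataclass(frozen=True)
class FileEvent:
    ts: datetime
    host: str
    sha256: str
    path: str
    source: str  # constructed label for how the file arrived on the host


# Placeholder hashes, not real indicators.
SAMPLE_HASH = "ab" * 32
BENIGN_HASH = "cd" * 32

# Constructed observation trail: a file arrives by e-mail, is copied to a
# share, and reaches a third workstation before any verdict exists.
EVENTS = [
    FileEvent(datetime(2020, 7, 1, 9, 0), "ws-101", SAMPLE_HASH,
              r"C:\Users\alice\Downloads\invoice.exe", "email:attachment"),
    FileEvent(datetime(2020, 7, 1, 9, 5), "ws-101", SAMPLE_HASH,
              r"C:\Users\alice\AppData\Local\Temp\inv.exe", "copy:local"),
    FileEvent(datetime(2020, 7, 1, 9, 30), "ws-207", SAMPLE_HASH,
              r"\\fileshare\public\invoice.exe", "smb:ws-101"),
    FileEvent(datetime(2020, 7, 2, 8, 0), "ws-333", SAMPLE_HASH,
              r"C:\Users\carol\Downloads\invoice.exe", "smb:fileshare"),
    FileEvent(datetime(2020, 7, 2, 8, 0), "ws-333", BENIGN_HASH,
              r"C:\Program Files\app\app.exe", "installer"),
]


class Trajectory:
    """Continuous record of which endpoint saw which hash, where and when."""

    def __init__(self) -> None:
        self._by_hash: Dict[str, List[FileEvent]] = defaultdict(list)

    def record(self, ev: FileEvent) -> None:
        self._by_hash[ev.sha256].append(ev)

    def events_for(self, sha256: str, until: Optional[datetime] = None) -> List[FileEvent]:
        evs = self._by_hash.get(sha256, [])
        if until is not None:
            evs = [e for e in evs if e.ts <= until]
        return sorted(evs, key=lambda e: e.ts)


def retrospective_alert(traj: Trajectory, sha256: str, verdict: str,
                        verdict_ts: datetime) -> Optional[dict]:
    """Handle a reputation update. A malicious verdict yields one alert covering
    every host that saw the hash before the verdict existed; any other verdict,
    or a hash never observed, yields None."""
    if verdict != "malicious":
        return None
    events = traj.events_for(sha256, until=verdict_ts)
    if not events:
        return None
    hosts: List[str] = []
    for ev in events:  # first-seen order, deduplicated
        if ev.host not in hosts:
            hosts.append(ev.host)
    return {
        "sha256": sha256,
        "first_seen": events[0].ts.isoformat(),          # what happened, when
        "entry_point": f"{events[0].host} via {events[0].source}",  # where it came from
        "hosts_to_isolate": hosts,                         # where it has been
        "paths": sorted({e.path for e in events}),         # what it is doing
        "retroactive": True,
    }


def build_trajectory() -> Trajectory:
    traj = Trajectory()
    for ev in EVENTS:
        traj.record(ev)
    return traj


def demo() -> dict:
    """Verdict arrives on 2 July at noon, after all observations were stored."""
    traj = build_trajectory()
    when = datetime(2020, 7, 2, 12, 0)
    return {
        "malicious": retrospective_alert(traj, SAMPLE_HASH, "malicious", when),
        "clean": retrospective_alert(traj, SAMPLE_HASH, "clean", when),
        "unseen": retrospective_alert(traj, "ef" * 32, "malicious", when),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

The point of storing events for files that were clean at the time is that the alert on the verdict change can be produced without re-scanning any host; the containment list in the alert is derived purely from history.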

Detect and Respond

• Key capabilities:

Advanced search; pre-defined, customizable queries; forensics snapshot

• Primary use cases:

Threat hunting; IT operations enablement, and vulnerability and compliance tracking

• Benefits:

Faster investigation and quicker response, seamless investigation and remediation

Detect and Respond: Improve security & IT Ops alignment and simplify threat hunting with Orbital Advanced Search

Orbital Advanced Search use cases

• Threat Hunting: Search for malicious artifacts in near real-time to accelerate your hunt for threats.

• Vulnerability and Compliance: Check system status (OS versions, patches etc.), ensuring hosts comply with policies.

• Incident Investigation: Get to the root cause of the incident fast, to speed up remediation.

• IT Operations: Track disk space, memory, and other IT operations artifacts quickly.

Detect and Respond

• Isolate infected hosts from the rest of the network directly from the console

• Contain the threat without losing forensics data

• Shrink remediation cost by limiting the scale of attack

• Fast endpoint reactivation once remediation is complete

Detect and Respond: Contain the attack fast with Endpoint Isolation

Systematic playbook development: execute on new and historical data, pushing the frontier of unknown threats

Uncover hidden threats faster across your attack surface using MITRE ATT&CK and other industry best practices

Threat Hunting

Continuous hunting by elite threat hunters: human-driven hunts based on playbooks producing high fidelity alerts

Detect and Respond

Secure and Trusted Access: to let the good guys in

Secure and Trusted Access: Unifying user access and endpoint security

Zero Trust: Verify trustworthiness before granting access with a Zero Trust approach – stopping unauthorized access and attacks faster across users, devices and apps.

Secure Connection: Protect against rogue connections to corporate assets automatically – reducing the risk of a breach and simplifying compliance.

Device Control: Stop infected endpoints (on and off the network) from accessing critical business applications – stopping attacks before they target you.

Users use their devices to access applications.

AMP for Endpoints running on the device detects malware.

It notifies the MFA about the infected device.

MFA blocks that device from accessing apps.

Block malicious devices from accessing applications.
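The sequence above (endpoint agent detects malware, notifies the access layer, access layer blocks the device) is a device-trust loop that can be expressed as a small policy decision. The following is an added example, not Cisco code: `DeviceTrustRegistry`, `decide`, the app names and the device identifiers are constructed for illustration, and the rules are the simplest ones that show the interaction, not a vendor's actual policy. It also goes one step beyond the slide by showing trust being restored after remediation and an unmanaged device being held off critical applications.

```python
"""Device-trust access decision fed by endpoint health signals (added example)."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Tuple


class Health(Enum):
    UNKNOWN = "unknown"    # no agent verdict for this device yet
    HEALTHY = "healthy"
    INFECTED = "infected"


@dataclass
class Device:
    device_id: str
    health: Health = Health.UNKNOWN
    agent_present: bool = False
    os_patched: bool = False


@dataclass
class AccessRequest:
    user: str
    device_id: str
    app: str
    mfa_passed: bool


class DeviceTrustRegistry:
    """Holds the health state the access layer consults; the endpoint agent
    pushes updates into it (the "notifies the MFA" step on the slide)."""

    def __init__(self) -> None:
        self._devices: Dict[str, Device] = {}

    def register(self, dev: Device) -> None:
        self._devices[dev.device_id] = dev

    def report_infection(self, device_id: str) -> None:
        dev = self._devices.setdefault(device_id, Device(device_id, agent_present=True))
        dev.health = Health.INFECTED

    def report_remediated(self, device_id: str) -> None:
        dev = self._devices.setdefault(device_id, Device(device_id, agent_present=True))
        dev.health = Health.HEALTHY

    def get(self, device_id: str) -> Device:
        # An unknown device gets default (untrusted) attributes, never an error.
        return self._devices.get(device_id) or Device(device_id)


CRITICAL_APPS = {"erp", "payroll"}  # constructed names of sensitive applications


def decide(req: AccessRequest, registry: DeviceTrustRegistry) -> Tuple[str, List[str]]:
    """Return ("allow" | "deny", reasons). Identity is checked first, then the
    device; an infected device is refused even when the user passed MFA."""
    if not req.mfa_passed:
        return "deny", ["mfa_failed"]
    dev = registry.get(req.device_id)
    if dev.health is Health.INFECTED:
        return "deny", ["device_infected"]
    reasons: List[str] = []
    if req.app in CRITICAL_APPS:   # posture requirements only for sensitive apps
        if not dev.agent_present:
            reasons.append("agent_missing")
        if not dev.os_patched:
            reasons.append("os_unpatched")
    return ("deny", reasons) if reasons else ("allow", reasons)


def demo() -> List[Tuple[str, List[str]]]:
    """Walk through the slide's sequence plus remediation and an unmanaged device."""
    reg = DeviceTrustRegistry()
    reg.register(Device("laptop-42", Health.HEALTHY, agent_present=True, os_patched=True))
    req = AccessRequest("alice", "laptop-42", "erp", mfa_passed=True)
    out = [decide(req, reg)]                 # healthy managed device: allowed
    reg.report_infection("laptop-42")        # agent detects malware and notifies
    out.append(decide(req, reg))             # same user, same MFA: now blocked
    reg.report_remediated("laptop-42")       # cleanup confirmed, trust restored
    out.append(decide(req, reg))
    out.append(decide(AccessRequest("bob", "byod-7", "erp", True), reg))   # unmanaged, critical app
    out.append(decide(AccessRequest("bob", "byod-7", "wiki", True), reg))  # unmanaged, ordinary app
    return out


if __name__ == "__main__":
    for verdict, why in demo():
        print(verdict, why)
```

Keeping the infection check ahead of the posture checks matters: a device that is both unpatched and infected should be reported as infected, since that is the reason an operator needs to act on first.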

Secure and Trusted Access

Continuous/dynamic trust verification: the cornerstone of endpoint security

Integral part of the Cisco Secure Remote Worker solution

© 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Cisco Secure Remote Worker

• Cisco Duo: Verify the identity of all users before granting access to company-approved applications

• Cisco AnyConnect: Enable secure access to your network for any user, from any device, at any time, in any location

• Cisco Umbrella: Hold the first line of defense against threats on the internet wherever users go

• Cisco AMP for Endpoints: Maintain the last line of defense through Secure Endpoint

Security that Works Together: to maximize your operational efficiency

Get fuller visibility to threats beyond the endpoints

Simplify investigations with built-in threat response

Run automated playbooks, automate actions and access operational metrics directly from SecureX

Enable better, faster decisions and pivots with relevant context and analytics from SecureX

We’ve done the hard work to simplify your experience, accelerate your success and secure your future.

Bolster your endpoint detection and response with Cisco SecureX (Security that Works Together)

Cisco Secure

Applications | Endpoint | Network | Cloud

Your infrastructure

Intelligence | SIEM/SOAR | 3rd Party/ITSM | Identity

Security that Works Together

Enabling easy pivot from endpoint to cross architecture detection and response

Cisco SecureX

Secure Remote Worker

Breach Defense

Phishing Investigation

Dashboard: Get visibility to key operational metrics across your security portfolio together with AMP for Endpoints

Incident management: Triage, prioritize, track and respond to high-fidelity alerts fast involving endpoints and other security control points

Workflow: Investigate better with built-in approval workflows, malware analysis, live queries, threat response and 3rd party integrations

Ribbon: Pivot and investigate faster with relevant context that you take with you as you move from AMP for Endpoints user interface back to the platform

Threat intelligence: Further enrich your investigation with the best threat intel from Cisco Talos, across our security portfolio and various 3rd party sources

SOAR: Response – Quarantine

SIEM: Visualization of Event Stream

Unified View of Assets and Controls

Unsupported Python Integrations

Managed SOC

Threat Visualization/ Response

Malware Analysis

Email

Network

DevNet: https://developer.cisco.com/amp-for-endpoints/

GitHub: https://github.com/CiscoSecurity

Open Ecosystem

Security that Works Together Broad Third-Party Integrations

Demo