cybersecurity: game planning for success lunch and learn event, april 10th

www.utgsolutions.com @utgsolutions 205.413.4274 Business • Driven • Technology

Upload: united-technology-group-utg

Post on 15-Apr-2017


TRANSCRIPT

Page 1: CYBERSECURITY: Game Planning for Success lunch and learn event, April 10th


Page 2:

Agenda

• Intro
• Game Planning for Success (UTG – Derrick Helms, CISSP)
• Cisco AMP (Cisco – Chris Robb)
• Q&A
• Drawing for an ASA 5506-X and two $100 Visa cards

Page 3:

Cybersecurity: Game Planning for Success

Derrick Helms, CISSP

Page 4:

Headlines

Page 5:

There is a multi-billion dollar global industry targeting your prized assets: estimated at $450 billion to $1 trillion.

Going rates on the underground market (as shown on the slide):

• Social Security number: $1
• Mobile malware: $150
• Bank account info: >$1000, depending on account type and balance
• Facebook accounts: $1 for an account with 15 friends
• Credit card data: $0.25-$60
• Malware development: $2500 (commercial malware)
• DDoS as a service: ~$7/hour
• Spam: $50 per 500K emails
• Medical records: >$50
• Exploits: $1000-$300K

Industrialization of Hacking

Page 6:

Cisco Advanced Malware Protection

Chris Robb - Cisco

Page 8:

© 2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 9

The World Has Changed: The Industrialization of Hacking

Timeline of threats and the defenses that answered them:

• 2000: Viruses → Anti-virus (Host)
• 2005: Worms → IDS/IPS (Network)
• 2010: Spyware & Rootkits → Anti-malware (Host + Network)
• Today+: APTs / Cyberware → Intelligence and Analytics (Host + Network + Cloud), Enterprise Response

Page 13:

In the news… what do these all have in common?

• Home Depot
• Over 50 UPS franchises hit by data breach
• 4.5M records stolen from US health giant
• Goodwill
• Russian hackers steal 4.5B records
• MeetMe social network users' passwords stolen
• Insider breach at Las Vegas Brain and Spine Surgery Center
• Florida bank notifies roughly 72,000 customers of breach
• Los Angeles-based health system breached
• Payment cards used on Wireless Emporium website compromised
• Albertsons stores' credit card data hacked
• $100,000 bitcoin loss due to hack
• Microsoft's Twitter account hacked
• Sony's Twitter account hacked
• Russian PM's Twitter hacked: "I resign"
• NRC computers hacked 3 times
• Ferguson police office computers hacked
• Norwegian oil industry under attack
• Saudi TV website hacked by Libyan
• Sony suffers DoS attack
• Dairy Queen hacked
• JP Morgan

Page 14:

What Can We Learn From Sony

12/04/2014: What has happened at Sony Pictures Entertainment over the past week reads like a blockbuster screenplay—or a chief executive's nightmare: Hackers target a major company, disabling its internal systems and leaking documents revealing long-held secrets, from coming products to executive pay.

12/05/2014: The Sony data breach continues to get worse. First, it was exposed budgets, layoffs and 3,800 SSNs, then it was passwords. Now, it's way more social security numbers—including Sly Stallone's.

The Wall Street Journal reports that analysis of the documents leaked so far included the Social Security numbers of 47,000 current and former Sony Pictures workers. That included Sylvester Stallone, Rebel Wilson, and Anchorman director, Judd Apatow. The Journal reports that the SSNs are found alongside salary information, home addresses, and contract details.

Page 15:

What Can We Learn From Traditional Point-in-Time Solutions

Page 16:

We Tested All of These Solutions

Point-in-time technologies and the promise each one makes:

• Application Control, FW/VPN, IDS/IPS, UTM, AV: "Block or Allow", "Fix the Firewall", "It matches the pattern", "No false positives, no false negatives"
• NAC: "Captive portal"
• PKI: "No key, no access"
• Sandboxing: "Detect the Unknown"
• Threat Analytics: "Outside looking in"

Even the best point-in-time protection only protects you 90+% of the time.

Page 17:

Even Sandboxing Has Holes

Antivirus and sandboxing both give a verdict at one moment. Initial disposition = Clean; actual disposition = Bad, and by the time that is known it is too late.

• Not 100%: analysis stops at the event horizon, the point at which the sandbox run ends and nothing further is observed.
• Evasions that push malicious behavior past that horizon: sleep techniques, unknown protocols, encryption, polymorphism.
• Result: blind to the scope of compromise.

Page 18:

Recap of issues that need to be fixed by security providers

• Targeted attacks / advanced persistent threats are hard to detect.
• Malware has an ecosystem of components; it is important to understand what that ecosystem is and which part of any solution addresses which component.
• Malware's intentions are nefarious, but its components are built just like standard software, so it can easily hide in your environment.
• Don't get caught up in the catch-rate game: no security solution protects you 100%. What about the files they missed? The industry average to find a file that got past your defenses is 200 days.
• Do traditional point-in-time solutions (email, content, next-gen firewall, IPS, AV and sandbox) give you the visibility you need? Be honest with yourself: do they let you proactively reduce your attack surface?
• Regardless of your security solutions, always back up your data, because no one is 100%.

Page 19:

AMP goes beyond point-in-time detection

Attack Continuum:

• BEFORE: Discover, Enforce, Harden
• DURING: Detect, Block, Defend
• AFTER: Scope, Contain, Remediate

Coverage: Network, Endpoint, Mobile, Virtual, Email & Web, Cloud. The slide contrasts point-in-time protection with continuous protection across the whole continuum.

Page 20:

Continuous Protection when advanced malware evades point-in-time detection

Point-in-time detection (antivirus, sandboxing): initial disposition = Clean; actual disposition = Bad = too late. Not 100%; analysis stops. Evasions: sleep techniques, unknown protocols, encryption, polymorphism.

AMP: initial disposition = Clean, but analysis continues; retrospective detection raises the alarm when the disposition changes.

Page 21:

AMP Everywhere Strategy

AMP: continuously record activity regardless of disposition.

Page 22:

Data we are sending to AMP Cloud

Recording goes to the AMP Cloud, or to a Private Cloud.

Page 23:

AMP for Endpoint: Device Trajectory / Incident Analysis

Page 24:

AMP for Endpoint: Vulnerability Detection

Page 27:

Low Prevalence

Page 28:

Speed Matters: Time to Detection (TTD)

The current industry TTD of 100 to 200 days is not acceptable.

• Industry: 200 days
• Cisco: 17.5 hours

Cisco 2015 Midyear Security Report:
• Speed of innovation > ~40% efficacy
• Point products >> weak defenses
• Integrated threat defense is needed

Cisco minimizes the time to detect breaches

Page 29:

Cisco Advanced Malware Protection: Built on Unmatched Collective Security Intelligence

Cisco Collective Security Intelligence Cloud (figures as shown on the slide):

• 1.6 million global sensors
• 100 TB of data received per day
• 150 million+ deployed endpoints
• 600 engineers, technicians, and researchers
• 35% of worldwide email traffic
• 13 billion web requests
• 24x7x365 operations
• 4.3 billion web blocks per day
• 40+ languages
• 1.1 million incoming malware samples per day
• 3.5 billion searches today; 19.6 billion threats blocked today

Intelligence sources: AMP Community; private/public threat feeds; Talos Security Intelligence; AMP Threat Grid Intelligence; AMP Threat Grid dynamic analysis (10 million files/month); advanced Microsoft and industry disclosures; Snort and ClamAV open source communities; AEGIS Program.

Protected surfaces: Email, Endpoints, Web, Networks, IPS, Devices. Automatic updates in real time.

Page 30:

AMP Offers Point-in-Time and Retrospective Protection

Point-in-time protection techniques:

• One-to-one signature
• Fuzzy fingerprinting
• Machine learning
• Advanced analytics
• Dynamic analysis
• File reputation & sandboxing

Page 31:

How Cisco Made a Better Sandbox

• Glove Box: lets the analyst interact with the malware during the run.
• "Outside looking in" approach, with no hooks in the guest for the malware to detect.
• Context-driven malware analytics to prioritize threats.

Page 32:

SAMPLE Glove Box ThreatGrid Video

Page 33:

Sample ThreatGrid Report

Page 34:

Threat Intelligence: Visibility, Analytics, People

Cisco's Threat Defense Strategy (architecture diagram): FW, Secure Web, Secure Email, IPS, ISE, VPN and AMP deployed across Endpoints, Offices/Plants, Data Centers, the Private WAN and the Internet edge.

Initial infection vectors shown: 77% email phishing; 19% malicious web download; 4% direct install; 0.3% network attack.

99.2% block rate (#1); 17-hour detection time (#1).

Page 35:

Sample AMP for Endpoints Reports

Page 36:

Introducing Threat Grid Everywhere

Suspicious files flow in from the edge (firewalls & UTM, email security, web security, network security), from endpoints (endpoint security) and from third-party integrations; analysis reports flow back out.

AMP Threat Grid: dynamic analysis, static analysis, threat intelligence.

Consumers: Cisco security solutions and network security solutions; security monitoring platforms (deep packet inspection; governance, risk and compliance; SIEM; security analytics); premium content feeds; security teams.

Page 37:

Automatically submit suspicious files

Automated analysis, from edge to endpoint.

Submission: an analyst or a system (via the API) submits a suspicious sample to Threat Grid. Sources at the edge: ASA with FirePOWER Services, ESA, Next-Gen IPS, WSA and AMP for Networks. Sources on endpoints: AMP for Endpoints.

Page 38:

Easily integrate with partner solutions

Partner products shown: Security Analytics, Nessus, XPS, EnCase Enterprise 360.

API: a robust REST API streamlines partner integration.
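The submit-then-poll flow that pages 37 and 38 describe (a system hands a suspicious file to the sandbox over its API and acts on the result), written out as an added example. This is not Cisco's Threat Grid client: the endpoint paths, field names, the 0-100 threat score and the quarantine threshold are assumptions for illustration, and the HTTP transport is injected so the flow can be exercised offline against the constructed `FakeSandbox` below.

```python
import hashlib
from typing import Callable, Dict, Optional, Tuple

# transport(method, path, payload) -> (http_status, json_body). Injected so the
# flow runs offline; a real deployment wraps urllib/requests here and sleeps
# between polls.
Transport = Callable[[str, str, Optional[dict]], Tuple[int, dict]]


class SandboxClient:
    """Submit a suspicious file, wait (bounded) for its verdict, map the threat
    score to an action. Paths, field names and the 0-100 score scale are
    assumptions for illustration, not Threat Grid's actual API."""

    QUARANTINE_AT = 75  # assumed score threshold; tune to your false-positive budget

    def __init__(self, transport: Transport) -> None:
        self._send = transport
        self._seen: Dict[str, str] = {}  # sha256 -> sample id: never resubmit a known file

    def submit(self, filename: str, content: bytes) -> str:
        sha = hashlib.sha256(content).hexdigest()
        if sha in self._seen:
            return self._seen[sha]
        status, body = self._send("POST", "/samples",
                                  {"filename": filename, "sha256": sha, "content": content})
        if status != 200:
            raise RuntimeError(f"submission failed: HTTP {status}")
        self._seen[sha] = body["id"]
        return body["id"]

    def wait(self, sample_id: str, max_polls: int = 10) -> Optional[dict]:
        """Poll a bounded number of times; None means analysis did not finish."""
        for _ in range(max_polls):
            status, body = self._send("GET", f"/samples/{sample_id}/state", None)
            if status == 200 and body.get("state") == "done":
                return body
        return None

    def triage(self, filename: str, content: bytes) -> str:
        """'quarantine' or 'release'; 'hold' when no verdict arrived (fail closed)."""
        report = self.wait(self.submit(filename, content))
        if report is None:
            return "hold"
        return "quarantine" if report["threat_score"] >= self.QUARANTINE_AT else "release"


class FakeSandbox:
    """Constructed stand-in for the service: a sample is 'running' on the first
    poll and 'done' on the second; content containing b'evil' scores 95, else 5."""

    def __init__(self) -> None:
        self.submissions = 0
        self._content: Dict[str, bytes] = {}
        self._polls: Dict[str, int] = {}

    def __call__(self, method: str, path: str, payload: Optional[dict]) -> Tuple[int, dict]:
        if method == "POST" and path == "/samples":
            self.submissions += 1
            sid = f"s{self.submissions}"
            self._content[sid] = payload["content"]
            self._polls[sid] = 0
            return 200, {"id": sid}
        if method == "GET" and path.startswith("/samples/"):
            sid = path.split("/")[2]
            if sid not in self._content:
                return 404, {}
            self._polls[sid] += 1
            if self._polls[sid] < 2:
                return 200, {"state": "running"}
            score = 95 if b"evil" in self._content[sid] else 5
            return 200, {"state": "done", "threat_score": score}
        return 404, {}


if __name__ == "__main__":
    client = SandboxClient(FakeSandbox())
    print(client.triage("invoice.exe", b"MZ evil dropper"))
    print(client.triage("notes.txt", b"meeting notes"))
```

Two design points matter more than the wire format: the client keys on the file hash so a file seen on several sensors is analyzed once, and a run that never reaches a verdict returns `hold` rather than `release`, so a sandbox outage or a sample that outlasts the analysis window does not silently become an allow.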

Page 40:

AMP Threat Grid: Key Differentiators

Data Fidelity & Performance
• Proprietary analysis delivers unparalleled insight into malicious activity
• High-speed, automated analysis and adjustable runtimes
• Does not expose any tags or indicators that malware can use to detect that it is being observed

Scalability & Flexibility
• 100,000s of samples analyzed daily (6-10 million per month)
• SaaS delivery (no hardware) or appliance (as needed)

Context & Data Enrichment
• Search and correlate all data elements of a single sample against billions of sample artifacts collected and analyzed over years (global and historic context)
• Enable the analyst to better understand the relevancy of the sample in question to their own environment

Usability
• Clearly presented information for all levels of the IT security team: Tier 1-3 SOC analysts, incident responders and forensic investigators, and threat intel analysts
• Web portal, Glovebox (user interaction), video replay, threat score, behavioral indicators and more

Integration & Architecture
• Architected from the ground up with an API to integrate with existing IT security solutions (automatically receive submissions from other solutions and pull the results into your environment)
• Create custom threat intelligence feeds with context, or leverage automated batch feeds

Page 41:

AMP for Networks: AMP Appliance (Next-Gen Firewall, IPS, URL & AMP)

The AMP appliance was designed to run all Firepower features: next-gen firewall, IPS, URL filtering and Advanced Malware Protection (AMP). It is built on the Firepower platform with CPU and memory optimized to run all the security features while maintaining the throughput numbers in the AMP for Networks datasheet. It also includes a hardware storage pack (SSD) to store files for later analysis; this is required for the AMP capabilities.

Firepower Appliance (Next-Gen Firewall, IPS & URL)

The Firepower appliance was designed to run the Firepower features: next-gen firewall, IPS and URL filtering. If you want to turn on AMP capabilities at a later date you can, but you will need to buy and install the hardware storage pack (SSD) and the AMP software. Keep in mind that turning on the AMP features causes a performance hit, so make sure the Firepower appliance is sized correctly for the customer's environment. If a customer wants AMP, always try to go with the AMP appliance for new purchases.

ASA X-series with SSD / SW blade (Firewall with VPN, Next-Gen Firewall, IPS, URL & AMP)

The ASA X-series with SSD / software blade was designed to run all Firepower features (next-gen firewall, IPS, URL filtering and AMP); you can also run traditional firewall and VPN capabilities. Keep in mind that turning on the more advanced Firepower features causes a performance hit, so size this appliance correctly for the customer's environment.

Page 42:

Retrospection in Action

Correlation with AMP for Endpoints would show that the file was cleaned / quarantined.

Page 43:

How Cisco AMP Works: Network File Trajectory Use Case

Page 45:

An unknown file is present on IP 10.4.10.183, having been downloaded from Firefox.

Page 46:

At 10:57, the unknown file is transferred from IP 10.4.10.183 to IP 10.5.11.8.

Page 47:

Seven hours later the file is transferred to a third device (10.3.4.51) using an SMB application.

Page 48:

The file is copied yet again onto a fourth device (10.5.60.66) through the same SMB application half an hour later.

Page 49:

The Cisco® Collective Security Intelligence Cloud has learned that this file is malicious, and a retrospective event is raised for all four devices immediately.

Page 50:

At the same time, a device with the AMP for Endpoints connector reacts to the retrospective event and immediately stops and quarantines the newly detected malware.

Page 51:

Eight hours after the first attack, the malware tries to re-enter the system through the original point of entry but is recognized and blocked.
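The mechanism behind pages 21 and 45-51 (record every sighting regardless of disposition, then replay the recording when the verdict changes) as an added example. This is not Cisco's implementation; it is a minimal flight recorder with the deck's four-host trajectory replayed through it. The hosts are the deck's, the timestamps, the date, the hash (SHA-256 of the empty string) and the transport of the second hop are constructed, since the slides do not state them.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Sighting:
    """One observation of a file on a host, recorded whatever the verdict was."""
    when: datetime
    host: str
    sha256: str
    via: str                       # transport that delivered it: "http", "smb", ...
    origin: Optional[str] = None   # host it was copied from, if known


@dataclass(frozen=True)
class Event:
    kind: str                      # "block" (point-in-time) or "retrospective"
    sha256: str
    host: str
    first_seen: datetime
    raised_at: datetime

    @property
    def dwell(self) -> timedelta:
        """How long the file sat on this host before it was called bad."""
        return self.raised_at - self.first_seen


class FlightRecorder:
    """Continuously records sightings regardless of disposition and replays them
    when a verdict changes, so analysis continues after the initial verdict."""

    def __init__(self) -> None:
        self._sightings: List[Sighting] = []
        self._verdict: Dict[str, str] = {}   # sha256 -> "unknown" | "clean" | "malicious"

    def record(self, s: Sighting) -> Optional[Event]:
        """Point-in-time path: log the sighting; block only if the hash is already
        known bad. Unknown or 'clean' files pass, but the sighting is kept."""
        self._sightings.append(s)
        if self._verdict.get(s.sha256) == "malicious":
            return Event("block", s.sha256, s.host, s.when, s.when)
        return None

    def trajectory(self, sha256: str) -> List[Sighting]:
        """Everywhere the file has been, oldest first (the file trajectory view)."""
        return sorted((s for s in self._sightings if s.sha256 == sha256),
                      key=lambda s: s.when)

    def update_verdict(self, sha256: str, verdict: str, at: datetime) -> List[Event]:
        """Retrospective path: when a hash flips to malicious, raise one event per
        host that ever saw it, carrying that host's first sighting for scoping."""
        previous = self._verdict.get(sha256, "unknown")
        self._verdict[sha256] = verdict
        if verdict != "malicious" or previous == "malicious":
            return []
        first_seen: Dict[str, datetime] = {}
        for s in self.trajectory(sha256):
            first_seen.setdefault(s.host, s.when)
        return [Event("retrospective", sha256, host, seen, at)
                for host, seen in first_seen.items()]


def replay_use_case() -> dict:
    """Constructed timeline mirroring the deck's four-host trajectory; the hash
    is a placeholder (SHA-256 of the empty string) and the date is invented."""
    h = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

    def t(hh: int, mm: int) -> datetime:
        return datetime(2015, 4, 10, hh, mm)

    rec = FlightRecorder()
    path = [
        Sighting(t(10, 50), "10.4.10.183", h, "http"),                       # Firefox download
        Sighting(t(10, 57), "10.5.11.8",  h, "copy", origin="10.4.10.183"),  # transport not stated
        Sighting(t(17, 57), "10.3.4.51",  h, "smb",  origin="10.5.11.8"),    # seven hours later
        Sighting(t(18, 27), "10.5.60.66", h, "smb",  origin="10.3.4.51"),    # half an hour later
    ]
    inline = [rec.record(s) for s in path]                 # all None: verdict still unknown
    retro = rec.update_verdict(h, "malicious", t(18, 40))  # the cloud learns the file is bad
    reentry = rec.record(Sighting(t(18, 50), "10.4.10.183", h, "http"))  # same entry point
    return {
        "inline_blocks": sum(e is not None for e in inline),
        "retro_hosts": sorted(e.host for e in retro),
        "max_dwell_minutes": int(max(e.dwell for e in retro).total_seconds() // 60),
        "reentry": reentry.kind if reentry else None,
    }


if __name__ == "__main__":
    print(replay_use_case())
```

Nothing is blocked while the verdict is unknown, which is exactly the point-in-time gap; the value of the recorder is that, once the verdict flips, scoping is a lookup over sightings already on disk rather than a hunt, and the per-host dwell time is the time-to-detection figure page 28 argues about.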

Page 52:

The AMP Everywhere Architecture: AMP protection across the extended network for an integrated threat defense

AMP Threat Intelligence Cloud, fed by Threat Grid (malware analysis + threat intelligence engine), with these deployment points:

• AMP for Endpoints: Windows OS, Android mobile, virtual, Mac OS, CentOS / Red Hat Linux for data centers; remote endpoints (AMP for Endpoints can be launched from AnyConnect)
• AMP on Web & Email Security Appliances
• AMP on Cisco® ASA Firewall with Firepower Services
• AMP on Firepower NGIPS Appliance (AMP for Networks)
• AMP on ISR with Firepower Services
• AMP on Cloud Web Security & Hosted Email (CWS/CTA)
• AMP Private Cloud Virtual Appliance

Page 53:

Identify Solution Options

Customer Need | Feature | Available on (WSA, ESA, CWS / Network / Endpoint)
I want to be able to define policies for malware… | File Reputation | ✔ ✔ ✔
I want to be able to isolate suspected malware for threat analysis… | Sandboxing | ✔ ✔ ✔
I want to be able to backtrack if malware makes it into my system… | Retrospective Security | ✔ ✔ ✔
I need to identify compromised devices on my network… | Indications of Compromise | ✔ ✔
I want to track how a file has been behaving… | File Analysis | ✔ ✔
I want to track how threats traverse the network… | File Trajectory | ✔ ✔
I want to see system activities, relationships and events… | Device Trajectory | ✔
I want to search large sets of data for compromises… | Elastic Search | ✔
I want to be able to stop the spread of malware with custom tools… | Outbreak Control | ✔

Page 54:

Understanding The Different Platforms

AMP for Content
• Detect and block malware attempting to enter through email or web gateways
• Receive extensive reporting, URL/message tracking and remediation prioritization
• Add-on to an existing appliance or in the cloud

AMP for Networks
• Detect and block malware attempting to enter the network
• Detect breaches using multi-source indications of compromise
• Contain malware and its communications

AMP for Endpoints
• Detect breaches by analyzing indications of compromise
• Uncover an infection, trace its path, analyze its behavior
• Remediate the threat quickly and eliminate the risk of reinfection

Page 55:

Cisco AMP is the Leader in Security Effectiveness

Cisco AMP offers superior security effectiveness, excellent performance, and provides security across more attack vectors than any other vendor.

• 99.2% Security Effectiveness rating in BDS testing, the highest of all vendors tested.
• Only vendor to block 100% of evasion techniques during testing.
• Excellent performance with minimal impact on network, endpoint, or application latency.

Page 56:

Market Recognition

"So do any network security vendors understand data center and what's needed to accommodate network security? Cisco certainly does."

"Cisco is disrupting the advanced threat defense industry."

"… AMP will be one of the most beneficial aspects of the [Sourcefire] acquisition."

"Based on our (Breach Detection Systems) reports, Advanced Malware Protection from Cisco should be on everyone's short list."

2014 Vendor Rating for Security: Positive

"The AMP products will provide deeper capability to Cisco's role in providing secure services for the Internet of Everything (IoE)."

Page 57:

Cisco AMP for Networks Options: helping you choose the correct appliance for your environment

For more info, click the following link.

Page 58:

Cisco AMP for Networks Dedicated Appliances

The AMP appliance was purpose-built to run the following software on one appliance: next-gen firewall, Sourcefire IPS and AMP (Advanced Malware Protection).

AMP Appliance + AMP Subscription Bundles

http://www.cisco.com/c/en/us/products/collateral/security/amp-appliances/datasheet-c78-733182.html

For more info, click the following link.

Page 59:

Cisco FP / Firepower Dedicated Appliances

The FP appliance was purpose-built to run the following software on one appliance: next-gen firewall and Sourcefire IPS. *** If you want to run AMP (Advanced Malware Protection) on a new purchase, you should always position the AMP appliance. ***

AMP Appliance + AMP Subscription Bundles

http://www.cisco.com/c/en/us/products/collateral/security/firepower-8000-series-appliances/datasheet-c78-732955.pdf

For more info, click the following link.

Page 60:

Cisco ASA Appliances

Cisco has added the capability to run next-gen firewall, Sourcefire IPS and AMP (Advanced Malware Protection) on the ASA. Make sure you have the bandwidth conversation with your customers about what they can expect with full functionality turned on.

ASA + AMP Subscription Bundles

http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/datasheet-c78-733916.html

Page 62:

Q & A

Derrick Helms – [email protected]

Chris Robb – [email protected]