fireamp presentation

AGILE SECURITY: Security for the Real World. Doak Adams, FireAMP Specialist. Prepared for:

Post on 14-Apr-2015

DESCRIPTION

FireAMP is Sourcefire's malware protection with "big data" technology to combat new and unknown threats.

TRANSCRIPT

Page 1: FireAMP Presentation

AGILE SECURITY™: Security for the Real World

Doak Adams, FireAMP Specialist

Prepared for:

Page 2: FireAMP Presentation

Advanced Malware Protection

Page 3: FireAMP Presentation


Introducing FireAMP

The only way to get the visibility & control needed to fight threats missed by other security layers.

Page 4: FireAMP Presentation


Our Approach to Advanced Malware

Lightweight Connector
• Watches file actions
• Fingerprint & attributes

Web Console
• Transaction Processing
• Analytics
• Intelligence

Mobile Connector
• Watches for apps
• Fingerprint & attributes

Virtual Connector
• VMware vShield
• One instance per host

Page 5: FireAMP Presentation


How do you Fight Advanced Malware? (Also Unknown, APT, Zero Day)

Visibility
▸ Which endpoint was infected first?
▸ How did we get infected?
▸ How extensive is the outbreak?
▸ How does the malware behave?

Control
▸ What is needed to recover?
▸ Can we stop the outbreak?

Page 6: FireAMP Presentation


Spotlight: File Trajectory

Malware “Flight Recorder” shows:
• Entry Point
• Droppers
• Fingerprint
• Visibility

Page 7: FireAMP Presentation


FireAMP File Analysis: Deep Insight into Malware Behavior

Page 8: FireAMP Presentation


Spotlight: Outbreak Control

Tool: Simple Custom Detections
How it works: Cloud-based, uses SHA or original file
When to use: Fastest way to block specific malware.

Tool: Advanced Custom Signatures
How it works: Client-based, uses advanced techniques (e.g. offsets, wildcards, regular expressions)
When to use: Useful for families of malware, or to close the gap while waiting on a signature from a security vendor.

Tool: Application Blocking Lists
How it works: Cloud-based, uses SHA or original file
When to use: Blocks execution of applications based on group policy (e.g. no Skype in HR); good for Zero Day.

Tool: Custom Whitelists
How it works: Cloud-based, uses SHA or original file
When to use: Prevent false positives on trusted apps and standard images.

Create custom protection policies to stop outbreaks without updates.

Cloud Recall quarantines malware based on past exposure.

Page 9: FireAMP Presentation

Collective Security Intelligence: Global Visibility Through Open Community

Inputs:
• Private & Public Threat Feeds
• Honeypots
• Advanced Microsoft & Industry Disclosures
• 50,000 Malware Samples per Day
• Snort® & ClamAV™ Open Source Communities
• Sourcefire AEGIS™ Program
• Sourcefire FireCLOUD™
• Sourcefire Vulnerability Research Team

Outputs:
• IPS Rules
• Malware Protection
• IP & URL Blacklists
• Vulnerability Database Updates

Page 10: FireAMP Presentation


FireAMP IPS Integration

Security Intelligence Integration of End Point <> Network

• FireAMP Events to Defense Center
• Transaction Processing
• Analytics
• Intelligence

Page 11: FireAMP Presentation


FireAMP > Defense Center

Page 12: FireAMP Presentation

FireAMP > Defense Center

Page 13: FireAMP Presentation


FireAMP > Defense Center

Page 14: FireAMP Presentation


Conclusion

• Revolutionary Approach to the Problem
• Known/Unknown Malware Visibility
• Known/Unknown Malware Control
• Security Intelligence is Key

Page 15: FireAMP Presentation


Questions?