FireAMP presentation
DESCRIPTION
FireAMP is Sourcefire's malware protection with "big data" technology to combat new and unknown threats.
TRANSCRIPT
AGILE SECURITY™: Security for the Real World
Doak Adams, FireAMP Specialist
Prepared for:
Advanced Malware Protection
Introducing FireAMP
The only way to get the visibility & control needed to fight threats missed by other
security layers.
Our Approach to Advanced Malware
Lightweight Connector
• Watches file actions
• Fingerprint & attributes
Web Console
• Transaction Processing
• Analytics
• Intelligence
Mobile Connector
• Watches for apps
• Fingerprint & attributes
Virtual Connector
• VMware vShield
• One instance per Host
How do you Fight Advanced Malware? (Also Unknown, APT, Zero Day)
Visibility
▸ Which endpoint was infected first?
▸ How did we get infected?
▸ How extensive is the outbreak?
▸ How does the malware behave?
Control
▸ What is needed to recover?
▸ Can we stop the outbreak?
Spotlight: File Trajectory
Malware “Flight Recorder” shows:
• Entry Point
• Droppers
• Fingerprint
• Visibility
FireAMP File Analysis
Deep Insight into Malware Behavior
Spotlight: Outbreak Control
Tool                       | How it Works                                                                          | When to Use
Simple Custom Detections   | Cloud-based, uses SHA or original file                                                | Fastest way to block specific malware.
Advanced Custom Signatures | Client-based, uses advanced techniques (e.g. offsets, wildcards, regular expressions) | Useful for families of malware or to close gap when waiting on sig. from security vendor
Application Blocking Lists | Cloud-based, uses SHA or original file                                                | Blocks execution of applications based on group policy (e.g. no Skype in HR) – good for Zero Day
Custom Whitelists          | Cloud-based, uses SHA or original file                                                | Prevent false positives on trusted apps and standard images
Create custom protection policies to stop outbreaks without updates
Cloud Recall quarantines malware based on past exposure
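The four outbreak-control tools in the table above, plus Cloud Recall, are easier to reason about when the precedence between them is written down. The following is an added example, not FireAMP or Sourcefire code, and it makes these assumptions: the sample "files" are constructed byte strings, the hash lists live in local Python sets instead of the cloud, the advanced signatures use a simplified ClamAV-style .ndb line (Name:TargetType:Offset:HexSignature, with ?? as a one-byte wildcard and * meaning any offset), and the file-trajectory log is a constructed list. The whitelist is evaluated first so a trusted build is never quarantined by a broad family signature, which is the false-positive case the table calls out.

```python
import hashlib
import re

# Constructed sample files (byte strings standing in for executables).
# None of this is real malware or real product data.
SAMPLES = {
    "dropper.exe":    b"MZ\x90\x00" + b"\x00" * 60 + b"EVIL-DROPPER-v2" + b"\x00" * 16,
    "dropper_v3.exe": b"MZ\x90\x00" + b"\x00" * 60 + b"EVIL-DROPPER-v3" + b"\x00" * 16,
    "editor.exe":     b"MZ\x90\x00" + b"\x00" * 60 + b"TRUSTED-EDITOR" + b"\x00" * 16,
    "chat.exe":       b"MZ\x90\x00" + b"\x00" * 60 + b"CHAT-CLIENT" + b"\x00" * 16,
}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Simple custom detection: exact SHA-256 deny list (a cloud lookup in the
# product; a local set in this example).
SIMPLE_DETECTIONS = {sha256(SAMPLES["dropper.exe"])}

# Custom whitelist: exact SHA-256 allow list, checked before every other layer.
WHITELIST = {sha256(SAMPLES["editor.exe"])}

# Application blocking list, keyed by policy group ("no chat client in HR").
APP_BLOCK = {"HR": {sha256(SAMPLES["chat.exe"])}}

# Advanced custom signatures in the assumed simplified .ndb layout. One
# signature with a wildcard byte covers every "EVIL-DROPPER-v?" variant.
NDB_SIGNATURES = [
    "Dropper.Family:0:64:4556494c2d44524f505045522d76??",  # "EVIL-DROPPER-v?" at offset 64
]

def compile_ndb(sig: str):
    """Turn one .ndb-style line into (name, offset, compiled bytes regex)."""
    name, _target_type, offset, hexsig = sig.split(":")
    if len(hexsig) % 2:
        raise ValueError(f"odd-length hex signature in {name}")
    parts = []
    for i in range(0, len(hexsig), 2):
        pair = hexsig[i:i + 2]
        parts.append(b"." if pair == "??" else re.escape(bytes.fromhex(pair)))
    return name, offset, re.compile(b"".join(parts), re.DOTALL)

SIGNATURES = [compile_ndb(s) for s in NDB_SIGNATURES]

def match_signature(data: bytes):
    """Return the name of the first signature that hits, or None."""
    for name, offset, pattern in SIGNATURES:
        hit = pattern.search(data) if offset == "*" else pattern.match(data, int(offset))
        if hit:
            return name
    return None

def scan(data: bytes, group: str = "Default") -> tuple:
    """Evaluate the outbreak-control layers in precedence order."""
    digest = sha256(data)
    if digest in WHITELIST:
        return ("allow", "custom_whitelist")
    if digest in SIMPLE_DETECTIONS:
        return ("quarantine", "simple_custom_detection")
    sig = match_signature(data)
    if sig is not None:
        return ("quarantine", f"advanced_custom_signature:{sig}")
    if digest in APP_BLOCK.get(group, set()):
        return ("block", f"application_blocking:{group}")
    return ("allow", "clean")

def scan_sample(name: str, group: str = "Default") -> tuple:
    return scan(SAMPLES[name], group)

# Constructed file-trajectory log: (timestamp, host, sample name), oldest first.
TRAJECTORY = [
    ("2013-03-01T09:00", "hr-laptop-07", "dropper.exe"),
    ("2013-03-01T09:12", "fileserver-02", "dropper.exe"),
    ("2013-03-02T14:30", "eng-ws-11", "dropper_v3.exe"),
]

def cloud_recall(digest: str) -> list:
    """Retrospective detection: hosts that already saw this hash, oldest
    first, so the first entry is the entry point of the outbreak."""
    return [host for _, host, name in TRAJECTORY if sha256(SAMPLES[name]) == digest]

if __name__ == "__main__":
    for name in SAMPLES:
        print(name, scan_sample(name, "HR"))
    print("recall:", cloud_recall(sha256(SAMPLES["dropper.exe"])))
```

Note the difference the table describes: the SHA-based layers only ever hit the exact file they were built from, so dropper_v3.exe slips past the simple detection and is caught by the client-side signature; cloud_recall closes the other gap, flagging hosts that received the file before the detection existed.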
Collective Security Intelligence
Global Visibility Through Open Community
Intelligence sources (diagram): Private & Public Threat Feeds; Honeypots; Advanced Microsoft & Industry Disclosures; 50,000 Malware Samples per Day; Snort® & ClamAV™ Open Source Communities; Sourcefire AEGIS™ Program; Sourcefire FireCLOUD™; Sourcefire Vulnerability Research Team
Delivered as (diagram): IPS Rules; Malware Protection; IP & URL Blacklists; Vulnerability Database Updates
FireAMP IPS Integration
Security Intelligence Integration of End Point <> Network
● FireAMP Events to Defense Center
• Transaction Processing
• Analytics
• Intelligence
FireAMP > Defense Center
Conclusion
Revolutionary Approach to the Problem
• Known/Unknown Malware Visibility
• Known/Unknown Malware Control
• Security Intelligence is Key
Questions?