Sourcefire FireAMP Datasheet


Sourcefire FireAMP™ is the only solution that goes beyond point-in-time detection to provide you the level of visibility and control you need to stop advanced threats missed by other security layers. FireAMP is an intelligent, enterprise-class advanced malware analysis and protection solution that uses a telemetry model that leverages big data and advanced analytics to detect, track, analyze, control and block advanced malware outbreaks across endpoints, virtual systems and mobile devices.

Comprehensive Advanced Malware Protection

Companies struggle to find a solution that can effectively address the full lifecycle of the advanced malware problem, providing protection, incident response and remediation against the latest threats without over-burdening the budget or sacrificing operational efficiency. Part of the challenge resides in the lack of continuity and intelligence that exists between detect/blocking technologies and incident response/remediation technologies.

Often, this lack of intelligence can leave an organization blind to the full extent and depth of an outbreak, causing incident response and remediation efforts to begin well after an outbreak. In addition, lack of continuity can cause infected systems and root causes to be missed during these efforts, leading to an endless cycle of reinfection.

Benefits

• Continuous detection of malware - immediately and retrospectively

• Complete visibility to track and analyze malware

• Robust control capabilities to stop the spread and communication of malware

• Protection extends across virtual systems and mobile devices

• Integration with Sourcefire AMP for networks

Sourcefire FireAMP™: Advanced Malware Protection for Endpoints, Mobile Devices and Virtual Systems


As a result, security professionals often don’t have visibility into the scope of advanced malware in their network, struggle to contain and remediate it after an outbreak, and are unable to address the fundamental questions needed to be effective:

• What was the method and point of entry?

• What systems were affected?

• What did the threat do?

• Can I stop the threat and root cause?

• How do we recover from it?

• How do we prevent it from happening again?

FireAMP Discovers, Analyzes and Blocks Advanced Malware

FireAMP delivers a lattice of detection capabilities combined with big data analytics and continuous analysis to determine if advanced malware is on your network. Sophisticated machine learning techniques evaluate more than 400 characteristics associated with each file to analyze and block advanced malware. The combination gives you detection capabilities that go beyond traditional point-in-time detection, allowing FireAMP to also retrospectively detect files that become malicious after the initial point of entry.

With FireAMP, it’s easy to see if advanced malware is a problem by reviewing powerful dashboards, charts and reports.

• Dashboard gives a quick overview of trouble spots.

• Heat Map shows which systems require immediate attention.

• High Risk Computers shows systems already infected with advanced malware.

• Threat Root Cause shows top applications introducing malware.

• Advanced Persistent Threats shows advanced malware that may be unique.

• Global Data shows how your environment compares with anonymous data from other users around the world.

Figure: Continuous Analysis vs. Point-in-Time

Figure: Dashboards with Indications of Compromise


Visibility to See More than Ever Before

Today’s malware is more sophisticated than ever. Evolving quickly, it can evade discovery once it has compromised a system, while providing a launching pad for a persistent attacker to move laterally within an organization.

What was the method and point of entry? What systems were affected?

Powerful innovations like FireAMP File Trajectory and Device Trajectory leverage Sourcefire’s big data analytics and continuous analysis capabilities to show you the systems impacted by malware, including patient zero and the root causes associated with a potential compromise. This helps you quickly understand the scope of the problem by identifying malware gateways and the path attackers are using to gain a broader foothold on other systems.

What did the threat do?

FireAMP File Analysis, backed by the Sourcefire VRT® (Vulnerability Research Team), provides a safe, secure sandbox environment to analyze the behavior of malware and suspect files. File Analysis produces detailed information on file behavior; the severity of behaviors, the original file name, screen shots of the malware executing and sample packet captures. Armed with this information, you’ll have a better understanding of what is necessary to contain the outbreak and block future attacks.

Device Trajectory further aids in quick analysis of threat activity on a computer by tracking file and network activity at the endpoint in chronological order. This gives you complete visibility into the events that occurred leading up to and following a compromise, including parent processes, connections to remote hosts and unknown files that may have been downloaded by malware.

Figure: Deep Analysis with Device Trajectory

Figure: File Analysis

Can I stop the threat and root causes? Can we prevent it from happening again?

FireAMP Outbreak Control gives you a suite of control capabilities to effectively stop the spread of malware and malware-related activities, like call-back communications or dropped file execution, without waiting for updates from your security vendor. This gives you the power to move directly from investigation to control with a few mouse clicks, significantly reducing the time a threat has to spread or do more damage and the time it normally takes to put controls in place.

Tool | When to use | Benefits

Simple Custom Detections | Quickly block a specific file across all or select systems | Fast and specific, no wasted time or effort

Advanced Custom Signatures | Effectively block families of polymorphic malware | Get ahead of a dynamic invader before it can change to evade detection

Application Blocking Lists | Enforce application policies or contain a compromised application being used as a malware gateway | Easy way to stop the re-infection lifecycle

Custom White Lists | Keep safe, custom or mission-critical applications running no matter what | Keep the right applications running

Device Flow Correlation | Stop call-back communications at the source, especially for remote endpoints outside the corporate network | Sourcefire VRT-powered IP blacklists

A powerful innovation called Cloud Recall automatically remediates systems without a full scan. The technology continuously cross-references files analyzed in the past against the latest threat intelligence and quarantines any files previously deemed clean or unknown that are now known to be a threat.
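The continuous-analysis model described on page 2, the File Trajectory view on page 3, and the Cloud Recall and Simple Custom Detections controls above all rest on the same idea: the endpoint reports only a file hash and a little context, the telemetry store keeps every sighting, and a later change in the cloud verdict is applied to the stored history rather than to a fresh scan. The following toy model is an added example written for this page, not Sourcefire code and not an interface of the product; the telemetry shape, host names, process names, and timestamps are constructed, and the two hashes are simply SHA-256 of the strings "test" and "hello".

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample hashes (SHA-256 of "test" and "hello"); not real malware.
HASH_A = "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
HASH_B = "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"


@dataclass(frozen=True)
class Observation:
    ts: int        # time of the sighting (constructed epoch seconds)
    host: str      # endpoint that saw the file
    sha256: str    # only the hash leaves the endpoint, never the file itself
    parent: str    # process that wrote or launched the file
    verdict: str   # disposition the cloud returned at that moment


class TelemetryStore:
    """Keeps every sighting so that a later verdict change can be applied
    retrospectively, instead of needing a full rescan of each endpoint."""

    def __init__(self):
        self.sightings = defaultdict(list)   # sha256 -> [Observation]
        self.disposition = {}                # sha256 -> current cloud verdict
        self.custom_detections = set()       # hashes the operator chose to block

    def lookup(self, sha256):
        # Point-in-time lookup: whatever the cloud knows right now.
        return self.disposition.get(sha256, "unknown")

    def record(self, ts, host, sha256, parent):
        # The connector reports metadata; the verdict at that instant is stored.
        verdict = self.lookup(sha256)
        self.sightings[sha256].append(Observation(ts, host, sha256, parent, verdict))
        return verdict

    def update_intelligence(self, sha256, new_verdict):
        """Cloud Recall step: when a hash flips to malicious, every host that saw it
        while it was still clean/unknown is flagged, sorted by time, without rescanning."""
        old = self.lookup(sha256)
        self.disposition[sha256] = new_verdict
        if new_verdict != "malicious" or old == "malicious":
            return []   # nothing new to recall
        return sorted({(o.host, o.ts) for o in self.sightings[sha256]
                       if o.verdict != "malicious"}, key=lambda x: x[1])

    def file_trajectory(self, sha256):
        """Chronological (ts, host, parent) list; the first entry is patient zero."""
        return [(o.ts, o.host, o.parent)
                for o in sorted(self.sightings[sha256], key=lambda o: o.ts)]

    def should_block(self, sha256):
        # A Simple Custom Detection overrides the cloud verdict immediately.
        return sha256 in self.custom_detections or self.lookup(sha256) == "malicious"


def build_sample_store():
    """Constructed telemetry: file A spreads across three hosts while still
    'unknown'; file B is a known-clean installer."""
    store = TelemetryStore()
    store.disposition[HASH_B] = "clean"
    store.record(100, "ws-01", HASH_A, "chrome.exe")    # first sighting: download
    store.record(160, "ws-01", HASH_A, "explorer.exe")  # user launches it
    store.record(220, "ws-07", HASH_A, "explorer.exe")  # copied over a share
    store.record(300, "ws-12", HASH_A, "svchost.exe")
    store.record(310, "ws-03", HASH_B, "msiexec.exe")
    return store


if __name__ == "__main__":
    store = build_sample_store()
    print("verdict for A at first sighting:", store.sightings[HASH_A][0].verdict)
    print("retrospective detections:", store.update_intelligence(HASH_A, "malicious"))
    print("trajectory, patient zero first:", store.file_trajectory(HASH_A))
    store.custom_detections.add(HASH_B)
    print("block B after custom detection:", store.should_block(HASH_B))
```

Two points worth noticing. At the moment file A first lands on ws-01 the verdict is "unknown", so a point-in-time scanner has nothing to act on; the retrospective path only works because every sighting was retained, which is also why the datasheet's privacy note matters: what is retained is a hash plus context, not file contents. The flip side is that a pure hash match is defeated by any byte change, which is why the table above pairs Simple Custom Detections with Advanced Custom Signatures for polymorphic families.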

FireAMP Extends Advanced Malware Protection Across Networks, Virtual Systems and Mobile Devices

“With Sourcefire’s host-based Advanced Malware Detection/Prevention, next-generation network security offerings, and cloud-based big data intelligence and analytics, Sourcefire offers an enterprise-class security architecture. This will likely make Sourcefire extremely popular with CISOs and large organizations.”

Jon Oltsik, Senior Principal Analyst, Enterprise Security Group

FireAMP Virtual

FireAMP Virtual is one of the first virtual security products to use big data analytics for increased security intelligence across virtual environments.

FireAMP Virtual simplifies defense-in-depth requirements to address advanced malware by eliminating the need for traditional anti-virus (AV) security layers, which can add significant performance and resource constraints on virtual machines.

FireAMP Mobile

FireAMP Mobile delivers the real-time visibility and control you need to secure against threats targeting Android-based devices.

FireAMP Mobile relies on cloud-based detection capabilities to quickly analyze Android applications for possible threats in real time. With this visibility, you can quickly understand which systems are infected and which applications are introducing the malware.


FireAMP integrates with Sourcefire’s Advanced Malware Protection for FirePOWER® as well as Sourcefire’s dedicated Advanced Malware Protection (AMP) appliance to deliver comprehensive protection across extended networks and endpoints. Both AMP solutions for the network enable inline malware detection/blocking, continuous analysis and retrospective alerting and leverage Sourcefire’s vast cloud security intelligence to deliver the following benefits:

• Detection and blocking of malware infected files attempting to enter or traverse the network

• Continuous analysis and subsequent retrospective alerting of infected files in the event malware determination changes after initial analysis

• Tracking of malware that has entered the network; identifying point of entry, propagation, protocols used, users and host affected

• Correlation of malware related events with broader security events and contextual data to provide a comprehensive picture of malicious activity

• Identification and control of employee-owned devices (BYOD) on the network

Enterprise-Ready to Scale Protection

Manageability: FireAMP Console provides complete management, deployment, policy configuration and reporting for Windows systems, mobile devices and virtual systems.

Performance: FireAMP, FireAMP Virtual and FireAMP Mobile leverage lightweight connector architectures, requiring less storage, computation and memory than other security solutions, speeding protection against attacks. FireAMP Virtual leverages VMware’s vShield EPSEC integration to deliver agentless protection, which maximizes performance, minimizes resource consumption and avoids possible AV storm conditions.

Privacy: All FireAMP connectors use metadata for analysis. Actual files are not needed and not sent to the cloud for analysis.

5.13 | REV1B

©2013 Sourcefire, the Sourcefire logo, Snort, the Snort and Pig logo, Agile Security and the Agile Security logo, ClamAV, FireAMP, FirePOWER, FireSIGHT and certain other trademarks and logos are trademarks or registered trademarks of Sourcefire, Inc. in the United States and other countries. Other company, product and service names may be trademarks or service marks of others.

Take the Next Step Toward Agile Security®

To learn more about Sourcefire Advanced Malware Protection solutions contact a member of the Sourcefire Global Security Alliance™ today to view a demonstration, request an onsite evaluation, or schedule a meeting, or visit us at www.sourcefire.com for more information.

System Requirements:

FireAMP works with the following operating systems.

FireAMP Software Requirements:

• Microsoft Windows XP with Service Pack 3 or later

• Microsoft Windows Vista

• Microsoft Windows 7

• Microsoft Windows Server 2003

• Microsoft Windows Server 2008

FireAMP Virtual Software Requirements:

• VMware vCenter Server 5 Patch 1 or vCenter Server 4.1 Patch 3:

» ESXi 5.0 Patch 1 build 474610+

» ESXi 4.1 Patch 3 build 433742+

• VMware vShield Manager 5, minimum build 47379+:

» vShield Endpoint Loadable Kernel Module (LKM) 5.0.0-447150+

• VMware Tools 8.6.0 build 515842+:

» Installed on guest virtual machines via ESXi 5.0 Patch 1

FireAMP Mobile Software Requirements:

• Works with Android mobile devices (Android version 2.1 and above)