Cisco re-enters the personal computers protection segment.
By the beginning of the 2000s, a signature-based approach prevailed in the personal-computer protection market, consisting in detecting predominantly known threats for which the corresponding signatures were developed, with which protection tools were equipped (antiviruses, host-based intrusion detection systems, etc.). One of the first companies that suggested using behavioral mechanisms to combat unknown threats was Okena from Massachusetts, which Cisco acquired in 2003. Okena StormWatch product was renamed to Cisco Security Agent and the network giant began to offer its customers not only network security tools - Cisco Pix firewalls, NetRanger attack detection systems and VPN gateways, but also PC protection tools, entering a new market for themselves.
However, on June 11, 2010, the company made a difficult and even unexpected decision to close this product line. In part, this was dictated by the fact that PC protection was not a priority for Cisco at the time, which was focused on network security. Among other reasons, there was an active transition to mobile devices with their many operating systems, for which it was difficult to develop and maintain Cisco Security Agents. But whatever the true reason, Cisco Security Agent has ceased to exist and Cisco has focused its efforts on network security tools for a long 3 years. So far in 2013, after acquiring the world leader in the segment of intrusion prevention and next-generation security products, the Sourcefire company, Cisco once again did not have a personal computer protection solution - FireAMP, where AMP stands for Advanced Malware Protection. I would like to tell about this decision.
')
In fact, AMP is a platform to combat malicious code, which is designed to work in different points of a corporate or departmental network. There is AMP for Networks - a network high-speed gateway to combat malicious code, which can be executed both as a separate device and as a module into firewalls or next-generation intrusion prevention systems, NGFW and NGIPS, respectively. There is also AMP for Content - a module for detecting malicious code in content protection tools - the Cisco Email Security Appliance and the Cisco Web Security Appliance. And finally, there is AMP for Endpoint, also known as FireAMP, a solution for protecting PCs and mobile devices running Windows, MacOS, Android, etc.
Since AMP is a security platform, it is logical to assume that regardless of the installation site (network, PC or content protection device), the functionality to detect and block malicious code will be similar. The 7 main detection technologies are divided into 2 main types:
Since AMP is a security platform, it is logical to assume that regardless of the installation site (network, PC or content protection device), the functionality to detect and block malicious code will be similar. The 7 main detection technologies are divided into 2 main types:
Reputation filtering is very similar to what is being done in e-mail protection systems or Internet access control. We have a large database of reputation values ​​with which the analyzed object is compared. The only difference is that traditionally the reputation is assigned to an Internet site (mail server, Web site or IP address), while AMP uses file reputation, the value of which is stored in the Cisco cloud database.
In case of detection of a malicious file, its “footprint” with metadata and signs of compromise are placed in a cloud database, which is then accessed by all AMP agents for a verdict regarding the new objects being analyzed. Cloud analytics is a modern trend followed by all key players on the information security market. The entire brain activity of the defense system, which is no longer able to keep the entire base for making decisions "on board", is carried into the cloud. It used to be that antivirus vendors or manufacturers of intrusion prevention systems equipped their products with a built-in signature database, and the developers of security scanners included bases of checks in their solutions. These databases were regularly updated via the Internet, but the protection system could work in a confined space that does not have an Internet connection. Today the situation has changed. A lot of security events have to be analyzed by a modern security system. And these events are diverse and diverse. The system itself is not able to work out this avalanche of events - we need “hall assistance”, i.e. external analysts. Probably one of the first prototypes of such assistance was the global correlation system, implemented in Cisco IPS several years ago. The idea was simple - to send impersonal information about the customer's network (of course, this function could not be included) into a single center for analyzing and developing new signatures, which then had to be equipped with all IPS sensors installed at customers as part of the regular update of the signature database.
A similar approach has been used in other Cisco security tools, for example, in Cisco ASA 5500-X firewalls and its Botnet Traffic Filter module. Earlier, such “cloud analytics” was used in content security solutions - the E-mail Security Appliance and Web Security Appliance. Sourcefire, recently acquired by us, used the same ideology in its protection tools (NGIPS, NGFW, AMP) - the VRT cloud (Vulnerability Research Team) for analytics.
And it's not the absence or infrequent update. Just the ideology of the "star" (the manufacturer independently collects information about threats and distributes it among all customers) began to falter as the number and complexity of threats increased. It was necessary to attract into the ranks of the defenders and the buyers / consumers of the remedies themselves - they began to transmit information from their devices and security software to the manufacturer, to his cloud of information security analytics. It was there that the analysis of information received from both customers and from various sources of the vendor itself was made. It was there that the methods of dealing with threats, old and new, were developed. For IPS / IDS and antiviruses - these were signatures, for content filtering systems - URL bases, spam templates, reputation databases, blacklists, etc. For firewalls - lists of botnets (bots and command centers). This information was promptly delivered to the consumer, increasing the “knowledge” of his remedies regarding new threats.
Today, in conditions when not only the number of threats grows, but also their complexity; when protection systems fail to cope with the load, and their service technicians cannot keep up with the constantly changing threat landscape; when the system resources allocated for the operation of the protection tool are limited, a new look is needed for deciding whether there is a threat or not in the analyzed network traffic, files, email and Web traffic. And if the defense system itself is not able to do this, then it remains to “entrust” this work to an external analytical center, which will undertake the difficult task of continuously analyzing information about threats received from a multitude of disparate sources, their ongoing analysis and prompt updating of all means protection, connected to this cloud, intelligence analytics, which Cisco has called Cisco Security Intelligence Operations (SIO). In fact, Cisco now has three such clouds - the “native” Cisco SIO, the Sourcefire VRT cloud and the cloud acquired by ThreatGRID in late May. All three clouds are in the process of integration and merging. But back to AMP.
AMP has another great feature - a retrospective analysis that allows you to detect post factum malware. Yes, it is unpleasant to admit that 100% protection does not exist and cannot be. Yes, skipping a means of protecting any malicious program, especially one specifically designed for a particular company, is possible. But now what, to run to change the place of work, to leave for a hard drinking or to tear my hair out of grief? Not! We must be prepared for such an event. Under the conditions of a powerful increase in the number of malicious programs, the effectiveness and the IS services, and the protections used by it, depend not on whether or not all threats can be repelled, but on how quickly the compromised / infected nodes are detected and localized within the network. And here the retrospective analysis function is the best suited for detecting threats that have penetrated inside.
How can the threat penetrate inside the protected perimeter? Yes, whatever. Through an infected USB flash drive, via tablet synchronization with a working PC, via a 3G / 4G modem, through an unauthorized wireless access point ... Yes, through the holes in the firewall at the end. Therefore, it is so important not only to build a perimeter defense wisely, but also to be prepared for the fact that malicious programs can penetrate it. The retrospective security feature in AMP includes 5 key mechanisms:
Below we see an illustration of how retrospective security works. At 10:57 on the network, on the node with the address 10.4.10.183, the first appearance of the WindowsMediaInstaller.exe file is recorded. At this point, we know nothing about this file and skip it inside the network. This is normal. According to Cisco's annual security report, a new malware is detected every 4 seconds. Do we update our remedies at such intervals? And if we update, are new malware identified at such a rate by the manufacturer of the protection? In this case, we were able to identify that the file contains malicious code only after 7 hours. In the traditional approach, we can apply this knowledge only to new files that will be analyzed by the protection system. But what to do with those files that have already got inside the network? Accept and forgive? In the case of the retrospective security feature in Cisco AMP, we may be post factum, but we detect penetration, as well as all the nodes that have been “distributed”, which allows us to quickly localize the problem and prevent it from spreading throughout the network.
This solution has one drawback - dependence on the connection to the Internet, to the management cloud and information security. If a company's security policies do not allow it or the organization has weak Internet channels, all the benefits of the Cisco AMP can turn the anti-malware system into a useless or inefficient program / device. Understanding this, Cisco offered a solution called FireAMP Private Cloud, whose task is to become an intermediary between the Cisco SIO / Sourcefire VRT cloud and the AMP user company. In this case, AMP agents will be managed, as well as to apply for updates and a verdict on each analyzed file, not to the cloud, but to the FireAMP Private Cloud virtual device located in the territory of the organization itself.
But the question with access to the Internet still remains. How to make the system work in the complete absence of the Internet? To answer this question, we bought at the end of May the company ThreatGRID, which offers exactly local devices of information security analytics, which are now integrated with Cisco AMP.
In conclusion, I would like to say that Cisco Advanced Malware Protection solution, in which Cisco is now investing large resources, is becoming an integral part of our information security portfolio.
However, on June 11, 2010, the company made a difficult and even unexpected decision to close this product line. In part, this was dictated by the fact that PC protection was not a priority for Cisco at the time, which was focused on network security. Among other reasons, there was an active transition to mobile devices with their many operating systems, for which it was difficult to develop and maintain Cisco Security Agents. But whatever the true reason, Cisco Security Agent has ceased to exist and Cisco has focused its efforts on network security tools for a long 3 years. So far in 2013, after acquiring the world leader in the segment of intrusion prevention and next-generation security products, the Sourcefire company, Cisco once again did not have a personal computer protection solution - FireAMP, where AMP stands for Advanced Malware Protection. I would like to tell about this decision.
')
In fact, AMP is a platform to combat malicious code, which is designed to work in different points of a corporate or departmental network. There is AMP for Networks - a network high-speed gateway to combat malicious code, which can be executed both as a separate device and as a module into firewalls or next-generation intrusion prevention systems, NGFW and NGIPS, respectively. There is also AMP for Content - a module for detecting malicious code in content protection tools - the Cisco Email Security Appliance and the Cisco Web Security Appliance. And finally, there is AMP for Endpoint, also known as FireAMP, a solution for protecting PCs and mobile devices running Windows, MacOS, Android, etc.
Since AMP is a security platform, it is logical to assume that regardless of the installation site (network, PC or content protection device), the functionality to detect and block malicious code will be similar. The 7 main detection technologies are divided into 2 main types:
Since AMP is a security platform, it is logical to assume that regardless of the installation site (network, PC or content protection device), the functionality to detect and block malicious code will be similar. The 7 main detection technologies are divided into 2 main types:
- Reputational Filtering
- Exact Signatures. This method is similar to the one used by traditional antiviruses that have databases of known malware.
- Fuzzy prints. This method is designed to combat polymorphic malware, whose code may vary depending on conditions. AMP is looking for similar features in the analyzed code and, in the event of a match, gives a verdict on the presence of malicious content, which is blocked.
- Machine learning. This method allows you to evaluate the metadata of the analyzed files in order to detect maliciousness.
- Behavioral analysis
- Indicators of compromise. This method is based on the study of signs, indicators (indicators of compromise), which are inherent in malicious code. For example, if in the analyzed file there are functions of self-reproduction, data transfer to the Internet and (or) reception of control commands from any node, then this, with a high degree of probability, may characterize the presence of malicious code in the file.
- Dynamic analysis. This method consists in sending the analyzed file to the cloud "sandbox", where it is checked from different points of view and the verdict on the presence or absence of signs of severity is made.
- Advanced analytics. This method allows you to consider when analyzing suspicious files additional contextual information collected from different sources and using different mechanisms. Typically, this method works in conjunction with reputational techniques.
- Analysis and correlation of flows. This method uses knowledge of malicious sites and IP addresses that are often involved in malicious activity — transferring control commands, accepting stolen data, etc. Detection of the interaction of the analyzed file with such nodes characterizes its harmfulness.
Reputation filtering is very similar to what is being done in e-mail protection systems or Internet access control. We have a large database of reputation values ​​with which the analyzed object is compared. The only difference is that traditionally the reputation is assigned to an Internet site (mail server, Web site or IP address), while AMP uses file reputation, the value of which is stored in the Cisco cloud database.
In case of detection of a malicious file, its “footprint” with metadata and signs of compromise are placed in a cloud database, which is then accessed by all AMP agents for a verdict regarding the new objects being analyzed. Cloud analytics is a modern trend followed by all key players on the information security market. The entire brain activity of the defense system, which is no longer able to keep the entire base for making decisions "on board", is carried into the cloud. It used to be that antivirus vendors or manufacturers of intrusion prevention systems equipped their products with a built-in signature database, and the developers of security scanners included bases of checks in their solutions. These databases were regularly updated via the Internet, but the protection system could work in a confined space that does not have an Internet connection. Today the situation has changed. A lot of security events have to be analyzed by a modern security system. And these events are diverse and diverse. The system itself is not able to work out this avalanche of events - we need “hall assistance”, i.e. external analysts. Probably one of the first prototypes of such assistance was the global correlation system, implemented in Cisco IPS several years ago. The idea was simple - to send impersonal information about the customer's network (of course, this function could not be included) into a single center for analyzing and developing new signatures, which then had to be equipped with all IPS sensors installed at customers as part of the regular update of the signature database.
A similar approach has been used in other Cisco security tools, for example, in Cisco ASA 5500-X firewalls and its Botnet Traffic Filter module. Earlier, such “cloud analytics” was used in content security solutions - the E-mail Security Appliance and Web Security Appliance. Sourcefire, recently acquired by us, used the same ideology in its protection tools (NGIPS, NGFW, AMP) - the VRT cloud (Vulnerability Research Team) for analytics.
And it's not the absence or infrequent update. Just the ideology of the "star" (the manufacturer independently collects information about threats and distributes it among all customers) began to falter as the number and complexity of threats increased. It was necessary to attract into the ranks of the defenders and the buyers / consumers of the remedies themselves - they began to transmit information from their devices and security software to the manufacturer, to his cloud of information security analytics. It was there that the analysis of information received from both customers and from various sources of the vendor itself was made. It was there that the methods of dealing with threats, old and new, were developed. For IPS / IDS and antiviruses - these were signatures, for content filtering systems - URL bases, spam templates, reputation databases, blacklists, etc. For firewalls - lists of botnets (bots and command centers). This information was promptly delivered to the consumer, increasing the “knowledge” of his remedies regarding new threats.
Today, in conditions when not only the number of threats grows, but also their complexity; when protection systems fail to cope with the load, and their service technicians cannot keep up with the constantly changing threat landscape; when the system resources allocated for the operation of the protection tool are limited, a new look is needed for deciding whether there is a threat or not in the analyzed network traffic, files, email and Web traffic. And if the defense system itself is not able to do this, then it remains to “entrust” this work to an external analytical center, which will undertake the difficult task of continuously analyzing information about threats received from a multitude of disparate sources, their ongoing analysis and prompt updating of all means protection, connected to this cloud, intelligence analytics, which Cisco has called Cisco Security Intelligence Operations (SIO). In fact, Cisco now has three such clouds - the “native” Cisco SIO, the Sourcefire VRT cloud and the cloud acquired by ThreatGRID in late May. All three clouds are in the process of integration and merging. But back to AMP.
AMP has another great feature - a retrospective analysis that allows you to detect post factum malware. Yes, it is unpleasant to admit that 100% protection does not exist and cannot be. Yes, skipping a means of protecting any malicious program, especially one specifically designed for a particular company, is possible. But now what, to run to change the place of work, to leave for a hard drinking or to tear my hair out of grief? Not! We must be prepared for such an event. Under the conditions of a powerful increase in the number of malicious programs, the effectiveness and the IS services, and the protections used by it, depend not on whether or not all threats can be repelled, but on how quickly the compromised / infected nodes are detected and localized within the network. And here the retrospective analysis function is the best suited for detecting threats that have penetrated inside.
How can the threat penetrate inside the protected perimeter? Yes, whatever. Through an infected USB flash drive, via tablet synchronization with a working PC, via a 3G / 4G modem, through an unauthorized wireless access point ... Yes, through the holes in the firewall at the end. Therefore, it is so important not only to build a perimeter defense wisely, but also to be prepared for the fact that malicious programs can penetrate it. The retrospective security feature in AMP includes 5 key mechanisms:
- Retrospective. This method allows us to track the time and place of the first appearance of the file in the monitored network, as well as its current location, which is determined by maximal coverage of the AMP agents of the protected network (on a PC, on the network and on content analysis tools).
- Analysis of the chain of attack. This method allows you to collect, analyze and save information about how files, processes and interaction channels behave in a protected network. In other words, we can analyze how various applications behave, when and by whom they are launched, with whom and at what time they interact, what interfaces are used, etc.?
- Behavioral indicators of compromise. This mechanism allows analyzing the activity of a file that has entered the network and concludes that it is harmful. For example, a file that got inside the organization, hit multiple sites, copied confidential information and sent it to an external IP address with a high degree of probability is malicious. Only an analysis of the combination of such indicators helps to identify unknown threats, some of which may go unnoticed by traditional remedies.
- Trajectory analysis. This method allows you to record the time, method, entry point and exit point of the file inside it, which allows you to accurately answer the classic incident management questions at any time: “Where did the malicious program get to the network?”, “With whom did the infected site interact?”, “ Where else did the malware get? ”,“ Who is the source of the problems? ”. And all this without scanning the network - all information is collected in real time and is ready for use at any time. Cisco AMP has two mechanisms for analyzing trajectories — File Trajectory (for analyzing file movement over the network) and Device Trajectory (for analyzing file actions on a specific node).
- Hunt for gaps. This mechanism is similar to the behavioral indicators of compromise, but it works at a higher level. If indicators of compromise are searched for a specific file, then the hunt for gaps is carried out in relation to the entire network. We are looking for similar indicators in what has already happened on the network in the recent past.
Below we see an illustration of how retrospective security works. At 10:57 on the network, on the node with the address 10.4.10.183, the first appearance of the WindowsMediaInstaller.exe file is recorded. At this point, we know nothing about this file and skip it inside the network. This is normal. According to Cisco's annual security report, a new malware is detected every 4 seconds. Do we update our remedies at such intervals? And if we update, are new malware identified at such a rate by the manufacturer of the protection? In this case, we were able to identify that the file contains malicious code only after 7 hours. In the traditional approach, we can apply this knowledge only to new files that will be analyzed by the protection system. But what to do with those files that have already got inside the network? Accept and forgive? In the case of the retrospective security feature in Cisco AMP, we may be post factum, but we detect penetration, as well as all the nodes that have been “distributed”, which allows us to quickly localize the problem and prevent it from spreading throughout the network.
This solution has one drawback - dependence on the connection to the Internet, to the management cloud and information security. If a company's security policies do not allow it or the organization has weak Internet channels, all the benefits of the Cisco AMP can turn the anti-malware system into a useless or inefficient program / device. Understanding this, Cisco offered a solution called FireAMP Private Cloud, whose task is to become an intermediary between the Cisco SIO / Sourcefire VRT cloud and the AMP user company. In this case, AMP agents will be managed, as well as to apply for updates and a verdict on each analyzed file, not to the cloud, but to the FireAMP Private Cloud virtual device located in the territory of the organization itself.
But the question with access to the Internet still remains. How to make the system work in the complete absence of the Internet? To answer this question, we bought at the end of May the company ThreatGRID, which offers exactly local devices of information security analytics, which are now integrated with Cisco AMP.
In conclusion, I would like to say that Cisco Advanced Malware Protection solution, in which Cisco is now investing large resources, is becoming an integral part of our information security portfolio.
Source: https://habr.com/ru/post/226699/
All Articles