
Demo Zone Guide Cisco dCloud

© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 15

Cisco AMP for Endpoints v1.1 – Instant Demo

Last Updated: 08-APRIL-2019

About This Demonstration

This guide for the preconfigured demonstration includes:

• Requirements

• About This Solution

• Scenario 1: Identifying and Quarantining Malware

Requirements

The table below outlines the requirements for this preconfigured demonstration.

Table 1. Requirements

Required: Laptop

Optional: Cisco AnyConnect®


About This Solution

Cisco Advanced Malware Protection (AMP) for Endpoints provides advanced malware protection for PCs, Macs, Linux systems, mobile devices, and virtual environments.

AMP for Endpoints is the only product today that goes beyond point-in-time detection to provide the visibility and control you need to stop advanced threats missed by other security layers. AMP for Endpoints is an intelligent, enterprise-class, advanced malware analysis and protection product. It uses a telemetry model to take full advantage of big data, continuous analysis, and advanced analytics.

With AMP for Endpoints you can continuously detect, track, analyze, control, and block advanced malware outbreaks across endpoints, including PCs, Macs, Linux systems, mobile devices, and virtual systems.

• Before: AMP for Endpoints uses the best global threat intelligence to strengthen defenses.

• During: AMP for Endpoints uses that intelligence, known file signatures, and dynamic file analysis engines powered by AMP Threat Grid to block policy-violating file types, exploit attempts, and malicious files trying to infiltrate the network.

• After: Inevitably, some advanced malware can evade your first lines of defense. AMP for Endpoints provides a lattice of detection capabilities, combined with big data analytics and continuous analysis, to determine whether advanced, unknown malware evaded front-line defenses. Sophisticated machine learning techniques evaluate hundreds of behavioral characteristics associated with each file. If a file with an unknown or previously "good" disposition starts behaving badly, AMP detects it and immediately alerts security teams with an indicator of compromise, or automatically remediates the malware based on policy controls.


Scenario 1. Identifying and Quarantining Malware

This scenario looks at four key questions about malware, specifically:

• What happened to the endpoint

• Where else is that malware

• What is it doing to the system

• How do we stop it

Steps

1. The AMP for Endpoints dashboard displays.


2. On the dashboard, click Overview.

The Threats section contains alert data generated by comparing endpoint traffic flows against Sourcefire-supplied or user-configured custom IP reputation lists. Connector policy can be configured to block traffic to flagged addresses and to quarantine the file that initiated the connection.


The Vulnerabilities section contains alert data generated by comparing file data from the endpoints to known malware signatures, heuristics engines, behavioral engines, and file relationship data, among others.

The Compromises section contains alert data calculated using large data sets that are reviewed using:

• Contextual information in order to continually analyze event data

• Updated security information for a daily reassessment of historic file and flow logs

• File and flow events (or a combination of both) to analyze behavior patterns over time


3. Click Dashboard.

4. Click Events and search for Demo_AMP_Threat_Audit.


5. Click on Demo_AMP_Threat_Audit to launch the Device Trajectory.

6. The device trajectory displays all the files that have executed on this endpoint (listed on the left) and a list of events (listed on the right).


7. Scroll to the left to see the history for the endpoint. The highlighted area illustrates the indicators of compromise, allowing you to pinpoint what led up to the infection. Click one of the indicators to see event detection details.

NOTE: You can also select an event from the right-hand panel to jump to that event in the timeline. The timeline is an exact, detailed replay of what happened on the machine.

8. The Event Details tell you where the malware was identified, moved and executed.


9. Right-click the incident and select Copy SHA-256. The hash is the pivot for checking whether the same file is present elsewhere in the environment.

10. Click Analysis > Search. Right-click in the search field, paste the SHA-256, and click Search.


11. This displays the File Trajectory results for the incident.

12. Click on the link for the File Trajectory. The entry point tells you where the file was first encountered, while the trajectory shows all the executions of the file over time on the network.


13. Scroll down to the Event History details, right-click the first SHA-256 entry, and click File Analysis.

14. In the Analysis results window, click Report for the first item listed.

NOTE: The demo traffic is always changing, so the computers and files you see may differ from those called out in this guide.


15. Review the Threat Grid report and the behavioral indicators that show exactly what the file is doing on the system.


16. Click the plus sign next to any of the indicators to see detailed information.

17. Scroll down to the TCP/IP Streams and Processes sections, which list the network connections the sample made and the processes it spawned during analysis.


18. Right-click the file name, and select Simple Detection > Quarantine List to add the SHA-256 to the list and quarantine the file.
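Steps 9 through 18 are a manual pivot: copy the detection's SHA-256, ask which other endpoints have seen it, then add the hash to a Simple Custom Detection list so every connector quarantines it. The same pivot is what an analyst automates once the click-through is understood. The script below is an added example written for this guide; it is not part of the dCloud document or Cisco's own tooling. It assumes the AMP for Endpoints API v1 at api.amp.cisco.com with HTTP Basic authentication (API client ID and key), and the `/computers/activity?q=<sha256>` and `/file_lists/<list_guid>/files/<sha256>` routes as the editor recalls them from the public API reference; check those against the current reference before use. The `offline_fetch` transport, the sample hash, the list GUID and the second hostname are constructed so the example runs without network access.

```python
"""Pivot on a detection's SHA-256 across the fleet, then push the hash to a
Simple Custom Detection (quarantine) list through the AMP for Endpoints API.

Added example, not part of the dCloud guide or Cisco's code.  Assumptions:
API v1 at api.amp.cisco.com, HTTP Basic auth with client ID / API key, and the
/computers/activity?q=<sha256> and /file_lists/<guid>/files/<sha256> routes as
recalled from the public API reference.  Sample responses are constructed."""
import base64
import json
import re
import urllib.request

API_BASE = "https://api.amp.cisco.com/v1"   # assumption: North America cloud
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def auth_headers(client_id: str, api_key: str) -> dict:
    """Basic auth: API client ID as user name, API key as password."""
    token = base64.b64encode(f"{client_id}:{api_key}".encode()).decode()
    return {"Authorization": f"Basic {token}", "Accept": "application/json"}


def is_sha256(value: str) -> bool:
    """True only for a 64-hex-digit digest (rejects MD5/SHA-1 or path junk)."""
    return bool(SHA256_RE.match(value.strip().lower()))


def normalize_sha256(value: str) -> str:
    """Lower-case the pasted hash and refuse anything that is not a SHA-256,
    so a bad value can never be interpolated into a request URL."""
    if not is_sha256(value):
        raise ValueError(f"not a SHA-256 hex digest: {value!r}")
    return value.strip().lower()


def live_fetch(method: str, url: str, headers: dict, body=None):
    """Real transport: JSON over HTTPS using only the standard library."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=dict(headers))
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def hosts_with_file(sha256: str, fetch, headers: dict) -> list:
    """Step 10 of the guide: which connectors have seen this hash?
    Returns (hostname, connector_guid) pairs."""
    sha256 = normalize_sha256(sha256)
    payload = fetch("GET", f"{API_BASE}/computers/activity?q={sha256}", headers)
    return [(c["hostname"], c["connector_guid"]) for c in payload.get("data", [])]


def add_to_detection_list(sha256: str, list_guid: str, note: str, fetch, headers: dict) -> bool:
    """Step 18 of the guide: add the hash to a Simple Custom Detection list.
    Connectors whose policy references the list will quarantine the file."""
    sha256 = normalize_sha256(sha256)
    url = f"{API_BASE}/file_lists/{list_guid}/files/{sha256}"
    data = fetch("POST", url, headers, {"description": note}).get("data") or {}
    return isinstance(data, dict) and data.get("sha256") == sha256


def pivot_and_block(sha256: str, list_guid: str, note: str, fetch, headers: dict) -> dict:
    """Chain both steps; only block a hash the fleet has actually seen."""
    hosts = hosts_with_file(sha256, fetch, headers)
    added = bool(hosts) and add_to_detection_list(sha256, list_guid, note, fetch, headers)
    return {"hosts": hosts, "added": added}


# ---- constructed sample data so the example runs offline (not real AMP data) ----
SAMPLE_SHA = "0123456789abcdef" * 4                        # constructed, 64 hex chars
SAMPLE_LIST_GUID = "00000000-0000-4000-8000-000000000000"  # constructed list GUID
_OFFLINE = {
    ("GET", f"{API_BASE}/computers/activity?q={SAMPLE_SHA}"): {
        "data": [
            {"connector_guid": "guid-audit", "hostname": "Demo_AMP_Threat_Audit", "active": True},
            {"connector_guid": "guid-second", "hostname": "demo-host-2", "active": True},
        ]
    },
    ("POST", f"{API_BASE}/file_lists/{SAMPLE_LIST_GUID}/files/{SAMPLE_SHA}"): {
        "data": {"sha256": SAMPLE_SHA, "description": "dCloud demo pivot"}
    },
}


def offline_fetch(method: str, url: str, headers: dict, body=None):
    """Stand-in transport answering from the constructed responses above;
    an unknown query looks like a hash nobody has seen."""
    return _OFFLINE.get((method, url), {"data": []})


if __name__ == "__main__":
    result = pivot_and_block(SAMPLE_SHA, SAMPLE_LIST_GUID, "dCloud demo pivot",
                             offline_fetch, auth_headers("client-id", "api-key"))
    for host, guid in result["hosts"]:
        print(f"seen on {host} ({guid})")
    print("added to detection list:", result["added"])
```

To run it against a real deployment, swap `offline_fetch` for `live_fetch` and pass real credentials to `auth_headers`. The list GUID must be that of a Simple Custom Detection list already attached to the connectors' policy, otherwise the hash is recorded but nothing is quarantined; the guide's Quarantine List is one such list. The `normalize_sha256` check is there because the hash is pasted by hand in step 10 and goes straight into a URL path.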


What’s Next?

Check out the related information to learn more about AMP.

AMP for Endpoints Basics Lab v1.2

Cisco AMP Breach Detection Lab v1