Upon successful completion of this session, the attendee will be able to:
• Describe the fundamental principles of NGFW and NGIPS
• Describe the Cisco NGFW, NGIPS and AMP solutions
• Deploy NGFW and NGIPS
• Understand the malware challenge facing industry and individuals
• Describe how Cisco AMP solutions address the malware challenge
Related Sessions (Wednesday)
Snort Engine
Snort architecture overview
• Packet sniffer (DAQ) – collects packets off the wire
• Packet decoder – decodes the captured packets
• Preprocessors – normalise traffic
• Detection engine – uses Snort rules to create signatures for threats
• Output module – handles the task of writing and displaying events to alert and log files
Snort Engine
Packet sniffer (DAQ)
• Snort uses a Data Acquisition Module (DAQ) to collect packets
• There is no native Snort packet capture library
• Different capture libraries may be used without the need to recompile Snort
• The DAQ promiscuously picks packets off the wire and passes them to the packet decoder
• DAQ mode – inline, passive or read from file
• DAQ type
  • PCAP – The default DAQ
  • AFPacket – Like the PCAP DAQ but with better performance, and allows inline operation
  • IPQ – The old way to process iptables packets. This replaces the compile option --enable-inline used in previous versions of Snort
  • NFQ – The new and improved way to process iptables packets
  • IPFW – Used by BSD systems. It replaces the compile option --enable-ipfw
Snort Engine
Packet decoder
• Decodes Layer 2 and Layer 3 protocols
• Focused on the TCP/IP protocol suite
• Stores decoded packet information in data structures held in memory
• Data structures are utilised by the detection engine
• Configured at Snort start time (using CLI options or the configuration file)
  • Specify DAQ mode
  • Specify DAQ type
  • Turn on or off alerting features of the decoder
  • Exclude designated port/protocol pairs from inspection
Snort Engine
Preprocessors
• Preprocessors play a vital function in network traffic inspection
• Present packets to the detection engine in a contextually relevant way
• Normalise traffic
• Alert if they detect anomalous conditions as defined by their settings
• Major preprocessors include the following
  • frag3 – Used to reassemble packet fragments prior to inspection
  • stream5 – Used to reconstruct TCP data streams so that inspection can be done in the context of a TCP conversation
  • Protocol decoders – Normalise TCP streams including: telnet, ftp, smtp, and rpc
  • http_inspect – Normalises http traffic
  • DCE/RPC2 – Used to decode and desegment DCE traffic
  • sfPortscan – Used to detect portscans
Snort Engine
Detection engine
• Consists of two components to perform inspection
  • Rules builder
  • Inspection component
• Rules builder
  • On Snort startup, assembles rules into rule chains
  • Optimises rule matching by the inspection component
  • Redundant source/destination addresses and source/destination ports are eliminated
  • Implements rule chains as linked lists
• Inspection component
  • Matches traffic to a rule chain
  • Further inspects traffic against the options in the matching rule chain
Snort Engine
Output module
• Handles the task of writing and displaying events
• Supports several output formats
  • Can send output to files or Syslog
  • Can send logs and alerts in straight ASCII
  • Can send packets in PCAP format
  • Can use Unified2 format (the replacement for Unified format)
    • Fast and lightweight binary format
    • Can be converted to other formats by utilities such as Barnyard2
• Application ID
  • Available in Snort 2.9.7. Available in Cisco Sourcefire 6.0
alert tcp any any -> any any (msg:"FTP CWD to root attack";
appid:ftp; pcre:"/cwd.*root/i"; sid:1001372; rev:4;)
• File types and file groups
  • Available in Snort 2.9.6. Available in Cisco Sourcefire 5.4
alert tcp $EXTERNAL_NET any -> any any (msg:"metasploit call";
file_type:MSEXE; content:"|4d 45 54 41 53|"; sid:10013728; rev:1;)
Snort Optimisation on Sourcefire Appliances
Next Generation Firewalls
Cisco Collective Security Intelligence Enabled
• Firewall: stateful inspection, Layer 3 and Layer 4 access control, Network Address Translation (NAT), routing, high availability
• Firepower services: Intrusion Prevention (subscription), Advanced Malware Protection (subscription), URL Filtering (subscription), analytics and automation
• What is OpenAppID?
  • Application Visibility and Control (AVC) done the right way
  • An open source application-focused detection language
  • Enables users to create, share and implement custom application detection
  • Available for download as an extension of Snort 2.9.7 from http://www.snort.org
  • Road-mapped for Cisco Sourcefire products Calendar Year 2015
• Key advantages
  • New simple language to detect apps
  • Reduces dependency on vendor release cycles
  • Build custom detections for new or specific (ex. Geo-based) app-based threats
  • Application-specific detail with security events
The AppID Preprocessor
• Benefits of Lua
• Proven – used in many industrial applications, including several Cisco products
• Powerful and fast – utilises LuaJIT just-in-time compiler
• Portable and embeddable – well documented API
• Simple, lightweight, and small – under Linux, interpreter is 182K, libraries 244K
ISE Integration
• The ISE server authenticates the user (802.1X, RADIUS)
• ISE publishes user metadata (user, SGT, user group, device, switch location) to Firepower Management Centre over pxGrid
• The sensor applies that user metadata to the user's Internet session
ISE Integration Screen Shot
• Screenshot: endpoint (10.15.0.21) connection to a sinkhole IP
SSL Inspection
Note that in this presentation, we will not distinguish SSL and TLS
• Tunneled SSL
• Layered SSL (STARTTLS)
Snort and SSL Decryption
• IPS
  • Stands for Intrusion Prevention System
  • A technology that uses pattern matching to detect and drop malicious traffic
  • Host IPS or HIPS is deployed on the host
  • Network IPS or NIPS is deployed inline in the network
• IDS
  • Stands for Intrusion Detection System
  • The predecessor of IPS
  • Can detect but cannot prevent intrusions
  • When an IPS system is not inline, it is often said to be in IDS mode
• This presentation will focus on IPS, though many concepts apply to both
Traditional IPS vs NGIPS
• Traditional IPS: IPS events only
• NGIPS (Firepower Services) adds Security Intelligence events, malware events, URL category/reputation, Application Visibility and Control, file type filtering, Advanced Malware Protection and file capture
• Impact assessment: impact 1 (Vulnerable) means the event corresponds to a vulnerability mapped to the host – act immediately
Firepower Threat Defence (FTD)
• Provides software for all Cisco NGFW models
• Provides software convergence of ASA technology (L2-L4 inspections) and Firepower technology (advanced inspections) into Firepower Threat Defence
• Achieves single-pane-of-glass management with Firepower Management Centre
FTD feature pedigree
• Everything from Firepower 6.0
• Phased introduction of features from ASA
• Currently supported ASA features
  • IPv4 and IPv6 connection state tracking and TCP normalisation
  • Access Control
  • NAT (full support)
  • Unicast routing (except EIGRP)
  • ALGs (only default configuration)
  • Intra-chassis clustering on Firepower 9300
FTD Features
• Traditional firewall features
  • Stateful inspection
  • NAT
  • Routing
• Advanced features
  • Threat (Snort)
  • AVC (OpenAppID)
  • URL filtering
  • AMP (including integration with Threat Grid)
  • Security intelligence
  • Authentication and Authorisation
Architecture Diagram
Packet Flow
Life of a packet in Routed mode
• RX packet on the ingress interface
• Existing connection? If not, cluster redirect and the advanced ACL are consulted
• NAT untranslate
• Advanced ACL: permit or DROP
• TrustPath? A trusted flow bypasses Snort; otherwise the packet goes to Snort:
  • Security Intelligence (IP reputation)
  • Application identification
  • Application and URL (reputation/category based) access control enforcement
  • IPS policy enforcement
  • File/Network AMP policy enforcement
  • Result: Trustpath or Allow (with event generation), or DROP
• ASA ALG checks
• NAT IP header
• L3 route lookup
• L2 address lookup
• Egress interface, TX packet
• A failure at any of these checks drops the packet
Cisco NGFW and NGIPS
Hardware Solutions
Firepower Products
• Firepower appliances (NGIPS): FP 8000 Series, 2 Gbps – 60 Gbps
• FP 9300
• FP 4100 Series (4110, 4120, 4140)
• ASA 5585-X Series (SSP 10, 20, 40, 60)
• ASA 5555-X, ASA 5545-X, ASA 5525-X, ASA 5516-X, ASA 5508-X
• ASA 5506-X, ASA 5506W, ASA 5506H
Firepower 9300
Security Modules
• Embedded packet/flow classifier (Smart NIC) and crypto hardware
• CPUs with a total of 24 or 36 physical cores (48 or 72 with hyperthreading)
• Standalone or clustered within (up to 240Gbps) and across (1Tbps+) chassis
Supervisor Simplified Hardware Diagram
• Diagram: supervisor (RAM, system bus) connected to Security Module 1, 2 and 3, the on-board 8x10GE interfaces and NM slots 1 and 2
Network Interfaces
• Supervisor configures interfaces and directs traffic to security modules
• All interfaces are called “Ethernet” and 1-referenced (i.e. Ethernet1/1)
• Hardware OIR support at FCS, software support to follow
Firepower 4100 Series
Security Engine
• Modular system
• 8x SFP+ (10G) fixed ports
• 2x Network Modules (NetMod) slots
• 2x 2.5” SSD Slots
Network Modules and Transceivers Support
• 4x40GE
• 8x10GE
Firepower 4100 Series specifications (column headers not recoverable from the slide)
• PSU – Default CFG: Single AC / Single AC / Redundant AC
• Management Processor/Memory: Gladden 2C@2.0GHz, 8G DDR3 (1600)
• Processor – Xeon: Single 12-Core E5-2658V3 / Dual 12-Core E5-2658V3 / Dual 18-Core E5-2699V3 / Dual 22-Core E5-2699V4
• Processor Speed: 2.2GHz / 2.2GHz / 2.3GHz / 2.2GHz
• VPN Sessions: 5K / 10K / 15K
• Software
• Firewall: ASA
• IPS: Sourcefire Firepower Services
• Identify and block threats
• Generic
• OT protocol specific
• OT application specific
• Application Visibility and Control
• Protocols
• Applications
• Individual commands
Deployment
NGFW/NGIPS Deployment Cycle
The Main Steps
• Intrusion Detection
• Intrusion Prevention
• Encrypted Traffic
• Compliance
• Network Forensics
Location
What Network Segment do we want to protect ?
• Internet Edge
• Data Centre
• Branch
• Core
• Extranets
• Critical Network Segments
Location
Internet Edge
• Enterprise’s gateway to cyberspace
• Serves diverse building blocks
• Allows outbound employee traffic and inbound traffic to servers
• Filters outbound employee traffic
• Need for a diversified policy protecting both DMZ and users
• Expected threats include (D)DoS, intrusion attempts, application-layer attacks
• URL and application filtering, IPS/IDS, SSL decryption, anti-malware
Connectivity
What Interfaces are needed
FirePOWER Appliance – Promiscuous Mode
• Passive interface
FirePOWER Appliance – Inline Mode
• Inline interfaces
• Virtual switched mode
• Virtual routed mode
• System Policy: manages system-level settings such as audit logs, mail relay, etc.
• Health Policy: a collection of health module settings to check the health of devices
• Network Discovery Policy: defines how the system collects data on network assets
• File Policy: used to perform AMP and file filtering
• Intrusion Policy: defines the IPS rules to be enabled for inspection
• SSL Policy: defines what traffic to decrypt and how to decrypt it
• Access Control Policy: permits/denies traffic through the device and defines which Intrusion/File policies are applied to traffic flows
• Network Analysis Policy: governs many traffic preprocessing options, and is invoked by advanced settings in your access control policy
Network Discovery Policy
Profiled networks
Access Control Policy
The Malware Problem
Attack Awareness Fades Confidence (survey results; change in parentheses)
• 59% confident in having the latest technology (-5%)
• 51% have strong confidence in ability to detect a security weakness in advance (0%)
• 54% have strong confidence in ability to defend against attacks (-4%)
• 45% have strong confidence in ability to scope and contain an attack (-1%)
• 54% have strong confidence in ability to verify an attack (+0%)
• 56% review security policies on a regular basis (+0%)
Chart: number of samples by ransomware family (Cryptowall3, CBT, Cryptowall4, TeslaCrypt, TeslaCryptv2, Locky?)
The Question Is No Longer If Malware Will Get Into Your Network
It’s How Quickly You Can Detect the Infection, Understand Scope, and Remediate the Problem
Where do I start?
• Response workflow: Notification → Quarantine → Triage → Confirm Infection → Infection Identified → Stop
• Attack delivery (Email/Web) is met at the gateway by intrusion/security events and Email/Web/Intrusion policy enforcement
https://media.blackhat.com/bh-us-12/Briefings/Flynn/bh-us-12-Flynn-intrusion-along-the-kill-chain-WP.pdf
Correlating Weak Signals Into Indicators Of Compromise
• DNS to malware site detected by NGIPS
• Malware file download detected by AMP for Content
• Malware propagation detected by NGIPS
• CNC traffic detected by NGIPS
• Malware persistence actions detected by AMP for Endpoints
• Each of these signals alone has low specificity but high sensitivity; Intelligence correlates the weak signals seen across your network into Indicators of Compromise
Chart: Ransomware Indicators were firing for Locky – monthly counts (0–2000) of the command-deleted-shadow-copy and desktop-wallpaper-modified indicators, 2015-11 to 2016-02
Indications of Compromise
• Exploit Kits
• Admin Privilege Escalations
• Office/PDF/Java Compromises
• Dropper Infections
• Web App Attacks
• IoCs are tallied against each host
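To make "IoCs are tallied against each host" concrete, here is an added Python example (not the deck's or Cisco's code) that correlates the weak signals listed above per host inside a time window and flags a host only when its signals span several IoC categories, so a single low-specificity signal never flags anything on its own. The sample events, the signal-to-category mapping and the threshold are constructed assumptions of the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Mapping of each weak signal to an IoC category (assumption of this example;
# signal names follow the slides, the categories are illustrative)
SIGNAL_CATEGORY = {
    'dns-to-malware-site':         'CnC Connected',
    'malware-file-download':       'Dropper Infection',
    'malware-propagation':         'Malware Propagation',
    'cnc-traffic':                 'CnC Connected',
    'malware-persistence-action':  'Malware Persistence',
    'command-deleted-shadow-copy': 'Ransomware Behaviour',
    'desktop-wallpaper-modified':  'Ransomware Behaviour',
}

# Constructed sample events: (timestamp, host, signal, detecting product)
SAMPLE_EVENTS = [
    ('2016-02-01T09:00:00', '10.1.19.4', 'dns-to-malware-site', 'NGIPS'),
    ('2016-02-01T09:00:12', '10.1.19.4', 'malware-file-download', 'AMP for Content'),
    ('2016-02-01T09:03:40', '10.1.19.4', 'cnc-traffic', 'NGIPS'),
    ('2016-02-01T09:10:05', '10.1.19.4', 'malware-persistence-action', 'AMP for Endpoints'),
    ('2016-02-01T09:30:00', '10.1.19.4', 'command-deleted-shadow-copy', 'AMP for Endpoints'),
    ('2016-02-01T11:00:00', '10.1.22.7', 'dns-to-malware-site', 'NGIPS'),
    ('2016-01-20T08:00:00', '10.1.30.9', 'malware-file-download', 'AMP for Content'),
    ('2016-02-01T12:00:00', '10.1.30.9', 'cnc-traffic', 'NGIPS'),
]


def tally_iocs(events, window=timedelta(hours=24), min_categories=2):
    """Tally weak signals per host; flag a host when its signals span at least
    `min_categories` distinct IoC categories within any `window`-long span."""
    by_host = defaultdict(list)
    for ts, host, signal, product in events:
        by_host[host].append((datetime.fromisoformat(ts), signal, product))
    result = {}
    for host, evs in by_host.items():
        evs.sort()
        best_cats, best_span = set(), (None, None)
        # slide a window over the host's events, keeping the richest span
        for i, (start, _, _) in enumerate(evs):
            cats, last = set(), start
            for ts, signal, _ in evs[i:]:
                if ts - start > window:
                    break
                cats.add(SIGNAL_CATEGORY.get(signal, 'Uncategorised'))
                last = ts
            if len(cats) > len(best_cats):
                best_cats, best_span = cats, (start, last)
        result[host] = {
            'signals': len(evs),
            'categories': sorted(best_cats),
            'flagged': len(best_cats) >= min_categories,
            'span': tuple(t.isoformat() for t in best_span),
            'products': sorted({p for _, _, p in evs}),
        }
    return result


def flagged_hosts(tally):
    """Hosts whose correlated signals reached the IoC threshold."""
    return sorted(h for h, info in tally.items() if info['flagged'])
```

With the default 24-hour window, 10.1.30.9 is not flagged because its two signals are twelve days apart; widening the window to 30 days flags it, which is the trade-off between sensitivity and specificity the slide alludes to.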
AMP Principles
Jason Brvenik, principal engineer, Security Business Group, Cisco
Design: Principles of Advanced Malware Protection
• PLAN A: Leverage Collective Security Intelligence; protect against what we collectively KNOW about
• PLAN B: Analyse the UNKNOWN; reduce time to detect and remediate
Chart: Typical Analysis vs Continuous Analysis – detection, retrospective detection and false positive percentages (0–70%), 2015-09 to 2016-01
AMP and Threat Grid Provides Unique Value
• More than 50% of files convicted by Threat Grid did not exist in Virus Total at time of detection
• AMP provides industry leading advanced malware protection
• More than 30% of files convicted by TALOS did not exist in Virus Total at time of detection
• Charts (2015-11 to 2016-01): share of TG-convicted and TALOS-convicted files known vs not known to VT
AMP + Threat Grid December 2015 Summary
5,953,757 files were marked malicious in December leading to 220,035 Threat Detections and 85,463 Retrospective Detections on 118,274 endpoints across 1,436 businesses.
Of the unique files convicted by Threat Grid, 75% did not exist in Virus Total at the time of detection.
Advanced Malware Protection for Firepower
David Goeckeler, Senior Vice President and General Manager, Security Business Group
Security Architecture Goals – Edge to endpoint visibility
• Governance, Risk, Compliance
• Cisco Advanced Malware Protection
• Cisco Security / TALOS
Advanced Malware Protection for Firepower
• Threat Intelligence Cloud – reputation lookups: SHA256, file metadata, DFC
• AMP file and malware engine – retrospective security; archive analysis of captured files
• Sandbox and threat intelligence engine (AMP Threat Grid) – malware research, static analysis, file dynamic analysis
Who is Talos?
Primary member of Cisco's Collective Security Intelligence (CSI) ecosystem. Merge of:
- Sourcefire's Vulnerability Research Team,
- Cisco Threat Research and Communications group, and
- Cisco Security Applications group
Sources include sandnets and honeypots
AMP Protection Across the Extended Network
• Threat Intelligence (Talos)
• AMP for Endpoints
• Threat Grid – malware analysis + threat intelligence engine: static analysis (no instrumentation), dynamic analysis, threat score
• AMP on Firepower NGIPS appliance (AMP for Networks)
• AMP Private Cloud virtual appliance
• CWS/CTA
• Premium content feeds and analysis for security analytics, endpoint security and governance/risk/compliance; endpoints report to security teams
Endpoints report Security Teams
AMP Threat Grid Behavioural IoC Development
510
561
Indicators
500
Today
490
480
470 New TG BIOCs
10.00%
artifact-exec-
extension-
New IOCs (Qtr) Count Percent obfuscation
8.00%
artifact-exec-extension-obfuscation 224948 9.54% pe-uses-dot-net
© 2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 181
181
William Dugger, Senior Manager, Network Engineering,
Beachbody, LLC
Design Details
AMP for Network (Firepower < 6.0)
For Firepower Appliances and ASA with AMP for Networks 5.4
• The managed device (Firepower Services with AMP licence) inspects incoming traffic; its malware engine performs file reputation queries, static & dynamic analysis and file reputation updates
• Firepower Management Centre talks to the public AMP cloud over the SF API (TCP/32137/443): reputation lookup, threat score poll/update, file analysis submission
• Cloud integration (TG & AMP) and hybrid integration (TG on prem with AMP cloud); Firepower AMP connector; TALOS / VRT sandbox
AMP for Network (Firepower 6.0)
• Managed device: file reputation query (TCP/443), static & dynamic analysis, file reputation updates
• Threat report lookup and file analysis submission via the Threat Grid API (TCP/443) to the Threat Grid cloud
AMP connector file query flow
• File query to the cloud: Connector ID, SHA, ETHOS, SPERO, DFC (ThreatGrid / TALOS sandbox)
• Cloud lookups: 1-to-1 signatures (SHA conviction), fuzzy fingerprinting, machine learning (SPERO), DFC, advanced analytics; retrospective queue and retrospective query (PING2)
• Response: disposition
• File is malware? Yes: malware event and block. No: file is clean? Yes: no further processing (end). No: was the file captured? Yes: retained for further analysis; No: end
Malware File Dispositions
• Malware indicates that the AMP cloud categorised the file as malware, local malware analysis identified malware, or the file’s threat score exceeded the malware threshold defined in the file policy.
• Clean indicates that the AMP cloud categorised the file as clean, or that a user added the file to the clean list.
• Unknown indicates that the system queried the AMP cloud, but the file has not been assigned a disposition; in other words, the AMP cloud has not categorised the file.
• Custom Detection indicates that a user added the file to the custom detection list.
• Unavailable indicates that the system could not query the AMP cloud.
Disposition Caching
• Dispositions and associated threat scores have the following TTL values:
  • Clean — 4 hours
  • Unknown — 1 hour
  • Malware — 1 hour
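An added Python example (not from the deck or from Cisco) of a disposition cache that applies the TTLs above: it consults the custom detection and clean lists first, serves cached answers until they expire, reports Unavailable without caching when the cloud cannot be reached, and maps each disposition to a block/allow action. The fake cloud, the hashes and the list-before-cache-before-cloud lookup order are assumptions of the example; the clock is injectable so expiry can be exercised without waiting hours.

```python
import time

# TTL values from the slide: Clean 4 hours, Unknown 1 hour, Malware 1 hour
DISPOSITION_TTL = {'Clean': 4 * 3600, 'Unknown': 3600, 'Malware': 3600}


class DispositionCache:
    """Disposition lookup with per-disposition TTL caching.

    lookup_fn(sha256) stands in for the AMP cloud query and returns a
    (disposition, threat_score) pair; it raises ConnectionError when the cloud
    cannot be reached. clock is injectable so expiry can be exercised without
    sleeping. Lookup order (assumption of this example): custom detection list,
    clean list, cache, cloud.
    """

    def __init__(self, lookup_fn, clock=time.monotonic,
                 custom_detection=(), clean_list=()):
        self._lookup = lookup_fn
        self._clock = clock
        self._custom = set(custom_detection)
        self._clean_list = set(clean_list)
        self._entries = {}        # sha256 -> (disposition, score, expires_at)
        self.cloud_queries = 0

    def disposition(self, sha256):
        """Return (disposition, threat_score, source) for a file hash."""
        if sha256 in self._custom:
            return 'Custom Detection', None, 'custom-list'
        if sha256 in self._clean_list:
            return 'Clean', None, 'clean-list'
        now = self._clock()
        hit = self._entries.get(sha256)
        if hit is not None and hit[2] > now:
            return hit[0], hit[1], 'cache'
        try:
            disp, score = self._lookup(sha256)
        except ConnectionError:
            # Cloud unreachable: report Unavailable and cache nothing, so the
            # next occurrence of this hash is retried (assumption)
            return 'Unavailable', None, 'none'
        self.cloud_queries += 1
        ttl = DISPOSITION_TTL.get(disp)
        if ttl is not None:
            self._entries[sha256] = (disp, score, now + ttl)
        return disp, score, 'cloud'

    def action(self, sha256, block_unknown=False):
        """Map the disposition to the file-rule action this example assumes:
        block malware and custom detections, optionally block unknowns."""
        disp, _, _ = self.disposition(sha256)
        if disp in ('Malware', 'Custom Detection'):
            return 'block'
        if disp == 'Unknown' and block_unknown:
            return 'block'
        return 'allow'


# Constructed sample cloud: a few fake hashes with fixed answers
SAMPLE_CLOUD = {'11' * 32: ('Malware', 95), '22' * 32: ('Clean', 0)}
UNREACHABLE_HASH = 'ff' * 32


def sample_lookup(sha256):
    """Fake cloud query; one hash simulates an outage."""
    if sha256 == UNREACHABLE_HASH:
        raise ConnectionError('AMP cloud unreachable')
    return SAMPLE_CLOUD.get(sha256, ('Unknown', None))
```

The different TTLs matter operationally: a Clean verdict is reused for four hours, so a file that the cloud later reclassifies is caught by retrospection rather than by the next lookup, while Unknown and Malware are re-queried after an hour.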
Malware File Policy
File Policy inspects files in the following order:
• Spero Analysis – For an eligible executable file, the device can analyse the file's structure and submit the resulting Spero signature to the AMP Threat Grid cloud
• Local Malware Analysis – Using a local malware inspection engine, the device examines an eligible file. The device also generates a file composition report detailing a file's properties, embedded objects, and possible malware.
• Dynamic Analysis – The device pre-classifies files as possible malware and submits these files to the AMP Threat Grid cloud or on-premises appliance for dynamic analysis, regardless of whether the device stores the file. The cloud runs the file in a sandbox environment. You can view a dynamic analysis summary report that details why the cloud assigned the threat score.
Malware and File Policy Order of Processing
• Inspect archive? Yes: extract contents (an archive that cannot be extracted is reported as uninspectable)
• Store files? Yes: capture file
• Spero? Yes, for Spero-supported files (PE): compute the Spero hash and query AMP
• Local Malware Analysis? Yes, for Office, pdf, exe and mach-o files: ClamAV pre-classification + high fidelity scan
• Dynamic Analysis? Yes, if ClamAV pre-classification flagged the file: file submission to Threat Grid
• File event, capacity handling, file composition report, end
File Pre-classification
• Normal file: don’t submit
• Local Malware Analysis: pre-class + hi-fid
The device examines an eligible file, blocks it if the file contains malware and the file rule is configured to do so, and generates malware events.
• If LMA is not enabled, pre-classification rules still run and the device generates a file composition report detailing a file's properties, embedded objects, and possible malware.
• If LMA is enabled, the local malware detection engine pre-classifies files and statically analyses them using high fidelity signatures provided by Cisco.
NOTE: If “Enable Automatic Local Malware Detection Updates” is enabled, Firepower Management Centre checks for signature updates once every 30 minutes.
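An added Python example (not the deck's or Cisco's code) that models the order of processing described in the Malware File Policy slide and in the Local Malware Analysis slide: Spero only for PE files, pre-classification for every eligible type even when LMA is off, a high-fidelity signature scan when LMA is on, and dynamic-analysis submission only for files the pre-classifier flagged. A Spero or LMA conviction ends processing, as the connector flow on the earlier slide does for a malware or clean verdict. File-type identification, the Spero stand-in fingerprint, the signature set, the fake cloud and the sample files are constructed assumptions.

```python
import hashlib

SPERO_TYPES = {'MSEXE'}                          # Spero: PE files only (slide)
LMA_TYPES = {'MSEXE', 'PDF', 'OFFICE', 'MACHO'}  # office, pdf, exe, mach-o (slide)

# Constructed high-fidelity signature set for the local engine (not Cisco's)
HI_FI_SIGNATURES = {b'EICAR-STANDARD-ANTIVIRUS-TEST-FILE!': 'Eicar-Test-File'}


def identify(data):
    """Minimal file-type identification by magic bytes (assumption)."""
    if data[:2] == b'MZ':
        return 'MSEXE'
    if data[:5] == b'%PDF-':
        return 'PDF'
    if data[:8] == b'\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1':   # OLE2 compound file
        return 'OFFICE'
    if data[:4] in (b'\xcf\xfa\xed\xfe', b'\xfe\xed\xfa\xce'):
        return 'MACHO'
    return 'OTHER'


def spero_fingerprint(data):
    """Stand-in for the Spero structural signature: a hash of the header bytes
    rather than of the whole file (assumption; real Spero is a feature set)."""
    return hashlib.sha256(data[:64]).hexdigest()


def pre_classify(data, ftype):
    """Pre-classification: is the file worth deeper analysis? Here every
    LMA-eligible file above a tiny size is flagged (assumption; the device
    uses ClamAV-based rules)."""
    return ftype in LMA_TYPES and len(data) >= 32


def local_malware_analysis(data):
    """High-fidelity signature scan; returns the signature name or None."""
    for sig, name in HI_FI_SIGNATURES.items():
        if sig in data:
            return name
    return None


def inspect_file(data, policy, spero_lookup):
    """Run the file-policy stages in the slide's order, stopping at the first
    stage that settles the file. spero_lookup(fingerprint) stands in for the
    AMP Threat Grid cloud and returns 'Malware', 'Clean' or 'Unknown'."""
    ftype = identify(data)
    steps = []
    verdict = {'file_type': ftype, 'steps': steps, 'disposition': 'Unknown',
               'action': 'allow', 'reason': None, 'submitted_for_dynamic': False,
               'sha256': hashlib.sha256(data).hexdigest()}
    if policy.get('store_files'):
        steps.append('capture')
    # 1. Spero analysis, PE files only; a cloud verdict ends processing
    if policy.get('spero') and ftype in SPERO_TYPES:
        steps.append('spero')
        disp = spero_lookup(spero_fingerprint(data))
        if disp in ('Malware', 'Clean'):
            verdict.update(disposition=disp, reason='spero',
                           action='block' if disp == 'Malware' else 'allow')
            return verdict
    # 2. Pre-classification always runs for eligible types; the high-fidelity
    #    scan only when local malware analysis is enabled
    flagged = False
    if ftype in LMA_TYPES:
        steps.append('pre-classification')
        flagged = pre_classify(data, ftype)
        if policy.get('local_malware_analysis'):
            steps.append('local-malware-analysis')
            hit = local_malware_analysis(data)
            if hit:
                verdict.update(disposition='Malware', action='block',
                               reason='lma:' + hit)
                return verdict
    # 3. Dynamic analysis: only pre-classified (flagged) files are submitted
    if policy.get('dynamic_analysis') and flagged:
        steps.append('dynamic-analysis-submission')
        verdict['submitted_for_dynamic'] = True
    return verdict


# Constructed sample files and policy (no real malware involved)
PE_EICAR = b'MZ' + b'\x00' * 62 + b'EICAR-STANDARD-ANTIVIRUS-TEST-FILE!' + b'\x00' * 16
PE_KNOWN = b'MZ' + b'\x90' * 70
PDF_SAMPLE = b'%PDF-1.4\n' + b'%' * 40
TEXT_SAMPLE = b'hello world'
POLICY_FULL = {'spero': True, 'local_malware_analysis': True,
               'dynamic_analysis': True, 'store_files': False}
SAMPLE_SPERO_VERDICTS = {spero_fingerprint(PE_KNOWN): 'Malware'}


def sample_cloud(fingerprint):
    """Fake AMP Threat Grid cloud answer for a Spero fingerprint."""
    return SAMPLE_SPERO_VERDICTS.get(fingerprint, 'Unknown')
```

Running the EICAR-marked PE with LMA disabled shows the consequence the slide describes: pre-classification still runs, the file is not blocked locally, and it is handed to dynamic analysis instead.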
High Fidelity Signature Set
Demonstration
Local Malware Analysis in
Action
What the Malware Did
Solution Design
Design: Components
• On-Premise
  • Managed Device
    • AMP for Networks Appliance
    • FP Appliance w/ AMP
    • ASA w/ FP Services
  • Manager
    • Firepower Management Centre (FMC)
• Cloud Components
  • Cisco AMP Cloud
  • Dynamic Analysis Cloud (optional on-prem appliance)
Components: AMP for Networks Appliance
• Models: AMP7150, AMP8050, AMP8150, AMP8350, AMP8360, AMP8370, AMP8390
• Throughput varies by NGIPS/NGFW appliance model
• Licences: IPS (IPS / SI / DNS), Malware (AMP / TG), URL Filtering
Components: Licensing
* AMP for FP | ASA 6.0 does not support AMP Private Cloud. Requires 5.4 or planned 6.1
AMP Threat Grid Subscription Upgrades
• Platforms: Windows OS, Android Mobile, MAC OS
• Windows OS Registry Activity report / Download Registry contents JSON
• Process Graph and Process Timeline JSON
• Advanced search (samples, artifacts, IPs, registry, URLs, etc)
• API integration for automation of sample uploads
• API integration of threat intel into SIEM, visualisation tools, etc.
• Threat Intelligence Feeds via API
• AMP + TG hyperlinks
AMP for Networks 5.4 and 6.0 – Public Cloud
• The AMP for Networks sensor sends SHA256 lookups and events to the FMC
• The FMC performs SHA256 lookups against the Cisco AMP Public Cloud (Talos) and polls the sandbox for threat score and status
*Pre-Release Info Subject to Change
AMP for Networks 5.4 – Private Cloud (Proxy Mode)
• The sensor sends SHA256 lookups and events to the FMC, which proxies the SHA256 lookups through the AMP Private Cloud to the Public Cloud
• NOTE: No Automated File Analysis Capability
AMP for Networks 6.0 – Private Cloud Not Supported
• 6.0: SHA256 lookups and public threat report lookups go directly from the FMC to the Public Cloud; the 5.4 proxied path through the Private Cloud is not available
• 6.0: the sensor uses an on-premises ThreatGrid appliance for file submission, SHA256 lookup, threat score polling and private threat report lookup
AMP Everywhere
Privacy Use Case Details (FP 6.0)
• Cloud-based Hash Lookup + Localised Dynamic File Analysis
• Endpoints send disposition queries to the on-premises AMP Private Cloud
AMP Everywhere
Privacy Use Case Details (FP 5.4)
• Air-Gapped Hash Lookup + API Scripted File Analysis
• No File Analysis today
• Customer self-supported TG API scripted submissions of captured files for local File Analysis
• No TG appliance to AMP Private Cloud on FMC interaction
Using AMP in Firepower
Management Centre
Using File and Malware Analysis
Retrospective Security; and
Network File Trajectory
Monitoring File Events...
Monitoring Malware Events...
Analysing Security Incidents
IoC: Malware! on 10.1.19.4
• Who was the user on 10.1.19.4?
• What other IPs/users have downloaded the file?
• TCP/IP communication from these hosts?
• IPS alerts from these hosts?
Network File Trajectory
Retrospective Security in Network File Trajectory
How Cisco AMP Works:
Network File Trajectory Use Case
An unknown file is present on IP: 10.4.10.183, having been downloaded from Firefox.
At 10:57, the unknown file is transferred from IP 10.4.10.183 to IP: 10.5.11.8.
Seven hours later the file is then transferred to a third device (10.3.4.51) using an SMB application.
The file is copied yet again onto a fourth device (10.5.60.66) through the same SMB application a half hour later.
The Cisco® Collective Security Intelligence Cloud has learned this file is malicious and a retrospective event is raised for all four devices immediately.
At the same time, a device with the AMP for Endpoints connector reacts to the retrospective event and immediately stops and quarantines the newly detected malware.
Eight hours after the first attack, the malware tries to re-enter the system through the original point of entry but is recognised and blocked.
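An added Python example (not from the deck or from Cisco) that replays the trajectory above: it records each transfer by SHA256, raises one retrospective event per internal host once the cloud disposition changes to Malware, and blocks the re-entry attempt because the disposition is now known. The hash, the clock times and the application labels are constructed; only the host addresses and the intervals follow the slide.

```python
from collections import defaultdict
from datetime import datetime


class FileTrajectory:
    """Tracks every host a file (by SHA256) has touched and, when the cloud
    changes its mind, raises one retrospective event per host that saw it."""

    def __init__(self):
        self.transfers = defaultdict(list)   # sha256 -> [(time, src, dst, app)]
        self.dispositions = {}               # sha256 -> current disposition
        self.events = []

    def record_transfer(self, ts, sha256, src, dst, application):
        """Record a file moving from src to dst (src=None: external origin).
        Returns the action taken at that moment, based on the disposition
        known at the time."""
        when = datetime.fromisoformat(ts)
        self.transfers[sha256].append((when, src, dst, application))
        if self.dispositions.get(sha256) == 'Malware':
            self.events.append({'type': 'malware', 'time': when, 'sha256': sha256,
                                'host': dst, 'application': application})
            return 'block'
        self.events.append({'type': 'file', 'time': when, 'sha256': sha256,
                            'host': dst, 'application': application})
        return 'allow'

    def hosts_with_file(self, sha256):
        """Internal hosts that handled the file, in order of first contact."""
        hosts = []
        for _, src, dst, _ in sorted(self.transfers[sha256], key=lambda t: t[0]):
            for h in (src, dst):
                if h is not None and h not in hosts:
                    hosts.append(h)
        return hosts

    def update_disposition(self, ts, sha256, disposition):
        """Apply a new cloud disposition; a change to Malware raises a
        retrospective event for every host on the file's trajectory."""
        when = datetime.fromisoformat(ts)
        previous = self.dispositions.get(sha256, 'Unknown')
        self.dispositions[sha256] = disposition
        affected = []
        if disposition == 'Malware' and previous != 'Malware':
            affected = self.hosts_with_file(sha256)
            for host in affected:
                self.events.append({'type': 'retrospective', 'time': when,
                                    'sha256': sha256, 'host': host,
                                    'previous': previous})
        return affected


# Constructed replay of the slide's use case (hash and clock times are made up)
SAMPLE_SHA = ('c0ffee' * 11)[:64]


def replay_use_case():
    """Replay the four transfers, the retrospective conviction and the blocked
    re-entry attempt; returns (trajectory, list of actions per transfer)."""
    traj = FileTrajectory()
    actions = [
        traj.record_transfer('2016-02-01T10:30:00', SAMPLE_SHA, None, '10.4.10.183', 'Firefox'),
        traj.record_transfer('2016-02-01T10:57:00', SAMPLE_SHA, '10.4.10.183', '10.5.11.8', 'HTTP'),
        traj.record_transfer('2016-02-01T17:57:00', SAMPLE_SHA, '10.5.11.8', '10.3.4.51', 'SMB'),
        traj.record_transfer('2016-02-01T18:27:00', SAMPLE_SHA, '10.3.4.51', '10.5.60.66', 'SMB'),
    ]
    # The cloud now knows the file is malicious: retrospective events for all four hosts
    traj.update_disposition('2016-02-01T18:28:00', SAMPLE_SHA, 'Malware')
    # Eight hours after the first attack, the same file tries the original entry point
    actions.append(
        traj.record_transfer('2016-02-01T18:30:00', SAMPLE_SHA, None, '10.4.10.183', 'Firefox'))
    return traj, actions
```

The retrospective events are what make the trajectory actionable: the four transfers were all allowed when they happened, and only the later conviction turns that history into a per-host remediation list.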
Conclusion
Summary
Access Policy
• Access control rule fields: Source, Destination, User, URL, Application, Action, Inspection
File Policy rules
• Application protocol: SMTP, POP3, HTTP, IMAP, FTP, SMB
• File type for which the rule applies
• Store files?
• File Rules – No Order of Precedence