
NGFW, NGIPS and AMP

Shyue Hong Chuang – Technical Marketing Engineer


Eric Kostlan – Technical Marketing Engineer
Mark Pretty – Consulting Systems Engineer
Session Objectives

Upon successful completion of this session, the attendee will be able to:
• Describe the fundamental principles of NGFW and NGIPS
• Describe the Cisco NGFW, NGIPS and AMP solutions
• Deploy NGFW and NGIPS
• Understand the malware challenge facing industry and individuals
• Describe how Cisco AMP solutions address the malware challenge
Related Sessions (Wednesday)

LABSEC-1005 - ASA and Firepower in ACI


Wednesday 9 Mar 8:30 AM - 10:00 AM – Walk-in Self-Paced Lab
Goran Saradzic, Technical Marketing Engineer, Cisco
BRKACI-1003 - Introduction to ACI for Security Admins
Wednesday 9 Mar 12:50 PM - 2:20 PM – 211
Jatin Sachdeva, Consulting Systems Engineer, Cisco
Related Sessions (Thursday Slide 1)

LABSEC-1006 AMP Networks(5.4), AMP Endpoints and AMP Threat Grid


Thursday 10 Mar 8:30 AM - 10:30 AM – Walk-in Self-Paced Lab
Gary Spiteri, Consulting Systems Engineer, Cisco
BRKSEC-2020 - Firewall Deployment
Thursday 10 Mar 12:50 PM - 2:20 PM – 207
Eric Kostlan, Technical Marketing Engineer, Cisco
BRKSEC-2032 - FP NGIPS Deployment and Operationalisation
Thursday 10 Mar 2:30 PM - 4:00 PM – 207
Mark Pretty, Consulting Systems Engineer, Cisco
Related Sessions (Thursday Slide 2)

BRKSEC-3010 - Firepower 9300 Deep Dive


Thursday 10 Mar 4:30 PM - 6:00 PM – 207
Andrew Ossipov, Principal Engineer, Cisco
BRKSEC-2763 - ASA and FirePOWER in ACI
Thursday 10 Mar 4:30 PM - 6:00 PM – 208
Goran Saradzic, Technical Marketing Engineer, Cisco
Related Sessions (Friday)

BRKSEC-3032 - Advanced - ASA Clustering Deep Dive


Friday 11 Mar 8:45 AM - 10:45 AM – 104
Andrew Ossipov, Principal Engineer, Cisco
BRKSEC-3055 - Troubleshooting: ASA Firepower NGFW
Friday 11 Mar 2:00 PM - 4:00 PM – 104
Prapanch Ramamoorthy, Engineer, Technical Services, Cisco
Agenda
• Introduction
• Snort Fundamentals
• NGFW and NGIPS
  • NGFW Principles
  • NGIPS Principles
  • Cisco NGFW and NGIPS Software Solutions
  • Cisco NGFW and NGIPS Hardware Solutions
  • Deployment
• AMP
  • The Malware Problem
  • AMP Principles
  • Design Details
  • Solution Design
• Conclusion
Introduction
Contrast NGFW, NGIPS and AMP
• Next Generation Firewall (NGFW)
  • Capable of traditional stateful firewall
  • Includes Application Visibility and Control
  • Supports identity in policy configuration
  • Provides advanced security protection
• Next Generation Intrusion Prevention System (NGIPS)
  • A technology that uses pattern matching to detect and drop malicious traffic.
  • Deployed on the host (HIPS) or network (NIPS)
  • Utilises contextual information to evaluate threats
• Advanced Malware Prevention (AMP)
  • Identify and block malware as it crosses the network or resides on endpoints.
Compare NGFW, NGIPS and AMP
• All three require the ability to parse network protocols.
• All three require security intelligence to keep up with new threats.
• All three require adaptation to address the changing security landscape.
Snort Fundamentals
https://snort.org
What is Cisco Firepower?
Historical perspective
• Snort created
• Created by Martin Roesch in 1998
• Snort is both a language and an engine
• Open source rapidly adopts and develops Snort
• Sourcefire founded
• Founded in 2001 by Martin Roesch
• Created a commercial version of Snort
• Sourcefire acquires Immunet cloud based anti-malware vendor
• Acquisition completed 2011
• Cisco acquires Sourcefire
• Acquisition completed 2013 for $2,700,000,000
High-level Snort architecture
(Diagram: Network → Snort Engine [DAQ libraries → Packet decoder → Preprocessors → Detection engine → Output module] → Alert and log files)
• Packet sniffer
  • Packets are read using the Data AcQuisition library (DAQ)
• Packet decoder
  • Decodes datalink, network and transport protocols
• Preprocessors
  • Normalise traffic
• Detection engine
  • Uses Snort rules to create signatures for threats
• Output module
  • Handles the task of writing and displaying events
Snort Engine
Packet sniffer (DAQ)
• Snort uses a Data Acquisition Module (DAQ) to collect packets
• There is no native Snort packet capture library
• Different capture libraries may be used without the need to recompile Snort
• The DAQ promiscuously picks packets off the wire and passes it to the packet decoder
• DAQ mode – inline, passive or read from file
• DAQ type
• PCAP – The default DAQ
• AFPacket – Like PCAP DAQ but with better performance, and allows inline operation
• IPQ – The old way to process iptables packets. This replaces the compile option
--enable-inline used in previous versions of Snort
• NFQ - This is the new and improved way to process iptables packets
• IPFW - Is used by BSD systems. It replaces the compile option --enable-ipfw
Snort Engine
Packet decoder
• Decodes Layer 2 and Layer 3 protocols
• Focused on the TCP/IP protocol suite
• Stores decoded packet information in data structures held in memory
• Data structures are utilised by the detection engine
• Configured at Snort start time (using CLI options or the configuration file)
  • Specify DAQ mode
  • Specify DAQ type
  • Turn on or off alerting features of the decoder
  • Exclude designated port/protocol pairs from inspection
Snort Engine
Preprocessors
• Preprocessors play a vital function in network traffic inspection
• Present packets to the detection engine in a contextually relevant way
• Normalise traffic
• Alert if they detect anomalous conditions as defined by their settings
• Major preprocessors include the following
• frag3 – Used to reassemble packet fragments prior to inspection
• stream5 – Used to reconstruct TCP data streams so that inspection can be done in the
context of a TCP conversation
• Protocol decoders – Normalise TCP streams including: telnet, ftp, smtp, and rpc.
• http_inspect – Normalises http traffic
• DCE/RPC2 – Used to decode and desegment DCE traffic
• sfPortscan – Used to detect portscans
Snort Engine
Detection engine
• Consists of two components to perform inspection
• Rules builder
• Inspection component
• Rules builder
  • On Snort startup, assembles rules into rule chains
  • Optimises rule matching by the inspection component
  • Redundant source and destination addresses and ports are eliminated
  • Implements rule chains as linked lists
• Inspection component
• Matches traffic to a rule chain
• Further inspects traffic against the options in the matching rule chain
Snort Engine
Output module
• Handles the task of writing and displaying events
• Supports several output formats
• Can send output to files or Syslog
• Can send logs and alerts in straight ASCII
• Can send packets in PCAP format
• Can use Unified2 format (the replacement for Unified format)
• Fast and lightweight binary format
• Can be converted to other formats by utilities such as Barnyard2

• The output module can receive input from several sources
  • The packet decoder sends data that can be used to produce PCAP output
  • Preprocessors send alerts on detection of anomalous conditions
  • The detection engine sends log and alert data when rules are matched
Snort Language
Overview
• A simple lightweight language for identifying
• Security policy violations
• Known network attacks and IDS/IPS evasion techniques
• Snort language supports event filters
  • Limit – Alert on the first specified number of events during a specified time interval, then ignore events for the rest of that time interval
  • Threshold – Only alert if the event is seen a specified number of times within a specified time interval
• Communication between rules is accomplished using flowbits
Note: The snort engine is not restricted to the Snort language. It can use
precompiled shared objects in addition to Snort rules.
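The two event filter types above behave differently on the same burst of events. The following is an added example (not Snort's code) that replays a constructed event stream through a limit filter and a threshold filter, keyed by signature and tracked address as Snort's event_filter does (the `track by_src` / `by_dst` keywords and the 60-second windows are assumptions for the example):

```python
"""Snort event filters: 'limit' versus 'threshold' (added example, not Snort's code).
Each filter is keyed the way event_filter tracks it: by generator/signature id and by
the tracked address (track by_src or by_dst)."""


class EventFilter:
    """type limit: alert on the first `count` events per `seconds` window, ignore the rest.
    type threshold: alert on every `count`-th event within a `seconds` window.
    A window opens at the first event after the previous window has expired."""

    def __init__(self, ftype, count, seconds):
        if ftype not in ("limit", "threshold") or count < 1 or seconds <= 0:
            raise ValueError("bad event_filter: %s %s %s" % (ftype, count, seconds))
        self.ftype, self.count, self.seconds = ftype, count, seconds
        self.windows = {}  # key -> (window_start, events_seen_in_window)

    def should_alert(self, key, ts):
        start, seen = self.windows.get(key, (None, 0))
        if start is None or ts - start >= self.seconds:
            start, seen = ts, 0  # open a new window
        seen += 1
        self.windows[key] = (start, seen)
        if self.ftype == "limit":
            return seen <= self.count
        return seen % self.count == 0


def run_filter(ftype, count, seconds, track, events):
    """events: (timestamp, gid, sid, src_ip, dst_ip). Returns indexes of events that alert."""
    flt = EventFilter(ftype, count, seconds)
    alerts = []
    for i, (ts, gid, sid, src, dst) in enumerate(events):
        addr = src if track == "by_src" else dst
        if flt.should_alert((gid, sid, addr), ts):
            alerts.append(i)
    return alerts


# Constructed sample: sid 1001001 (the ProjectZ test rule) firing repeatedly from one host
SAMPLE_EVENTS = [
    (0.0, 1, 1001001, "10.15.0.21", "10.15.0.5"),   # 0
    (1.0, 1, 1001001, "10.15.0.21", "10.15.0.5"),   # 1
    (2.0, 1, 1001001, "10.15.0.21", "10.15.0.5"),   # 2
    (2.5, 1, 1001001, "10.15.0.22", "10.15.0.5"),   # 3  second source, separate counter
    (3.0, 1, 1001001, "10.15.0.21", "10.15.0.5"),   # 4
    (4.0, 1, 1001001, "10.15.0.21", "10.15.0.5"),   # 5
    (5.0, 1, 1001001, "10.15.0.21", "10.15.0.5"),   # 6
    (70.0, 1, 1001001, "10.15.0.21", "10.15.0.5"),  # 7  beyond the 60 s window
]

if __name__ == "__main__":
    print("limit 1/60s by_src:    ", run_filter("limit", 1, 60, "by_src", SAMPLE_EVENTS))
    print("threshold 3/60s by_src:", run_filter("threshold", 3, 60, "by_src", SAMPLE_EVENTS))
```

With `limit` the burst collapses to one alert per source per window, which is what you want for a noisy rule; with `threshold` nothing is reported until the count is reached, which suits rules that only matter when repeated.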
Snort Language
Rule structure
• Rule header
  • Used to match traffic and perform an action (pass, drop, sdrop, alert, log)
• Protocol, Source, Destination 5-tuple
• Rule body
• Contains the message used for alerts
• Contains flow attributes
• Contains the Signature ID and revision number
• Can specify content or regular expressions
in combinations and locations in packet
• Can read packet contents to calculate offsets
• Can set and read flowbits to link to other rules
Snort Language
Oversimplified rules (used for testing)
• alert tcp any any -> any any (msg:"ProjectZ detected"; content:"ProjectZ"; sid:1001001; rev:1;)
• alert tcp any any -> any any (msg:"ProjectQ replaced"; content:"ProjectQ"; replace:"ProjectR"; sid:1001002; rev:1;)
Notes about rule action
• The second rule has replace in the body, so it performs an action not specified in the rule
header
• In Cisco Sourcefire products,
the action is typically configured
in the Management GUI
Snort Language
Sample Rule
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306
(msg:"SERVER-MYSQL Database COM_FIELD_LIST Buffer Overflow attempt";
flow:to_server,established;
content:"|04|"; depth:1; offset:4;
pcre:"/^[^\x0D\x0A\x00]{512}/iR";
metadata:policy max-detect-ips drop, service mysql; reference:cve,2010-1850;
classtype:attempted-user;
sid:16703; rev:10; )
Annotations:
• Rule header – alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (the variables $EXTERNAL_NET and $SQL_SERVERS are set to “any” by default)
• Rule body – everything inside the parentheses
• Alert text – msg
• Flow attribute – flow
• Content search – content, depth, offset, pcre
• Metadata – metadata, reference
• Signature ID and revision number – sid, rev
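To see the header 7-tuple and the ordered option list of the sample rule as the engine sees them, here is an added example parser (not Snort's own parser; the dataclass and helper names are this example's). It handles quoted values containing `;`, backslash escapes inside quotes, bare modifiers such as `nocase`, and rules printed across several lines as on these slides:

```python
"""Parser for Snort 2.x text rules: header 7-tuple plus ordered option list.
Added example, not Snort's own parser."""
import re
from dataclasses import dataclass, field

# action proto src sport dir dst dport ( body )
HEADER_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<body>.*)\)\s*$",
    re.DOTALL,
)


@dataclass
class SnortRule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    # (keyword, value) pairs in rule order; value is None for bare modifiers such as nocase
    options: list = field(default_factory=list)

    def get(self, keyword):
        """Value of the first option with this keyword, or None if absent."""
        for key, value in self.options:
            if key == keyword:
                return value
        return None

    def content_checks(self):
        """Ordered list of the payload searches the detection engine will run."""
        return [(k, v) for k, v in self.options if k in ("content", "pcre", "protected_content")]


def split_options(body):
    """Split the body on ';' outside double quotes. A quoted value may contain ';',
    and a backslash escapes the next character inside quotes (e.g. \\" in content)."""
    parts, current, in_quote, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if in_quote and ch == "\\" and i + 1 < len(body):
            current.append(body[i:i + 2])
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    if in_quote:
        raise ValueError("unterminated quoted string in rule body")
    parts.append("".join(current))
    return [p.strip() for p in parts if p.strip()]


def parse_rule(text):
    """Parse one rule (may span lines, as the slides print them)."""
    match = HEADER_RE.match(text.replace("\n", " "))
    if not match:
        raise ValueError("not a Snort rule header: %r" % text[:60])
    rule = SnortRule(match["action"], match["proto"], match["src"], match["sport"],
                     match["dir"], match["dst"], match["dport"])
    for option in split_options(match["body"]):
        key, sep, value = option.partition(":")
        value = value.strip() if sep else None
        if value is not None and len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # drop the surrounding quotes, keep escapes as written
        rule.options.append((key.strip(), value))
    if rule.get("sid") is None:
        raise ValueError("rule has no sid")
    return rule


# The sample rule from the slides (sid 16703), written as one string
SAMPLE_RULE = r'''alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306
(msg:"SERVER-MYSQL Database COM_FIELD_LIST Buffer Overflow attempt";
flow:to_server,established; content:"|04|"; depth:1; offset:4;
pcre:"/^[^\x0D\x0A\x00]{512}/iR"; metadata:policy max-detect-ips drop,
service mysql; reference:cve,2010-1850; classtype:attempted-user;
sid:16703; rev:10; )'''

if __name__ == "__main__":
    r = parse_rule(SAMPLE_RULE)
    print(r.action, r.proto, r.src, r.sport, r.direction, r.dst, r.dport)
    for key, value in r.options:
        print("  %s = %r" % (key, value))
```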
Snort Language
Host Attribute Table
• XML file associated with a particular IP address
• Specifies OS and service to port associations on the host
• Effect on preprocessors
  • Frag3 and Stream5 – Use OS information to determine policy, that is, the OS to emulate in packet re-assembly.
  • Application layer preprocessors – Use the service information to determine protocol to port mapping.
• Effect on Snort rules through the metadata attribute – see next slide
• Sourcefire builds Host Attribute Tables
• Manually
• Through network discovery
Snort Language
Metadata
• Example:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"MALWARE-CNC Win.Spyware.Rombertik outbound connection"; … ;
metadata:impact_flag red, policy balanced-ips drop, policy
security-ips drop, service http; … ; classtype:attempted-user;
sid:33161; rev:1;)
• Open Source Snort
  • Provides a way to annotate a rule
  • The service attribute maps to the Host Attribute Table
• Sourcefire – makes additional use of
metadata attribute, including:
• Impact flag
• Action to take, based on intrusion policy
File Processing
Example of file policy rule
File Processing
Details
• Critical for Advanced Malware Protection (AMP) for Networks
• Leverage FTP, HTTP, SMTP, POP, IMAP Snort preprocessors
• File type is identified using ClamAV libraries
• Usually within first packet of the file payload
• Malware signature calculation & lookup
• Requires entire file
• Uses SHA256 hash in addition to more advanced detection techniques
• Can dynamically submit files for sandboxing
• Can block file transfer
• Can log file and malware events
Life of a Flow (slide 1 of 2)
Simplified
• Packet sniffing and hardware processing
• Packet decoding
• Preprocessing
• Security Intelligence (IP blacklist and white list)
• Immediately mark flow as blocked or trusted
• Update hardware flow state
• Network layer preprocessors
• Defragmentation and stream re-assembly
• AppID
• Access control rules engine
• Network discovery
• Remaining preprocessors
Life of a Flow (slide 2 of 2)
Simplified
• Snort detection engine
• Leverages AppID preprocessor to select rules for
relevant applications
• Generates events
• If action is to block, mark the flow as blocked and
update hardware flow state
• File processing
Firepower Enhancements to Snort
Preprocessor enhancements
• Security intelligence (also called IP Reputation)
  • Provides many predefined IP blacklists and whitelists
• AppID
• Provides over 3000 predefined application detectors
• Network discovery
• Provides context for evaluating IPS/IDS events
• Identifies host, applications and users by passively analysing network traffic
• Populates Network Map and Host Profiles (Host Attribute Tables)
• Access control policy rules engine (not Snort rules)
• Can match Zones, VLAN, IPs, Ports & User/Group based on packet header
• Needs App ID for matching Applications and URLs
Firepower Snort Versions
Features must be baked before exposed

Firepower version | Snort version
5.3.x | 2.9.6
5.4 | 2.9.7
6.0 | 2.9.8

• Protected content
  • Available in Snort 2.9.7. Available in Cisco Sourcefire 5.4
alert tcp $EXTERNAL_NET any -> any any (msg:"ThreatZ detected";
protected_content:"59cb046fb3b51555f9b408b6b9cafa13"; hash:md5;
length:7; distance:8; sid: 1001371; rev:1;)
• Application ID
  • Available in Snort 2.9.7. Available in Cisco Sourcefire 6.0
alert tcp any any -> any any (msg:"FTP CWD to root attack";
appid:ftp; pcre:"/cwd.*root/i"; sid:1001372; rev:4;)
• File types and file groups
  • Available in Snort 2.9.6. Available in Cisco Sourcefire 5.4
alert tcp $EXTERNAL_NET any -> any any (msg:"metaspoit call";
file_type:MSEXE; content:"|4d 45 54 41 53|"; sid:10013728; rev:1;)
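The protected_content rule above ships only a digest, so the engine cannot search the payload for it; `length` plus `offset`/`distance` pin the bytes to hash. The following added example (not Snort's implementation) shows that matching logic, relative to a preceding content match, with a constructed payload and a constructed 7-byte token; treating `distance` with no prior match as an offset from the payload start is an assumption of the example:

```python
"""Matching a protected_content option relative to a preceding content match
(added example, not Snort's implementation). The engine cannot search for a hashed
pattern, so length plus offset/distance pin where the bytes to hash sit."""
import hashlib


def find_content(payload, content, start=0):
    """Plain content search; returns the end offset of the match or -1."""
    pos = payload.find(content, start)
    return -1 if pos < 0 else pos + len(content)


def protected_content_match(payload, digest_hex, hash_name, length, distance=0, prev_end=0):
    """Hash `length` bytes beginning `distance` bytes after the previous match end
    (payload start when there is no previous match; an assumption of this example)."""
    start = prev_end + distance
    window = payload[start:start + length]
    if len(window) != length:
        return False  # not enough payload: no match, never a partial hash
    return hashlib.new(hash_name, window).hexdigest() == digest_hex.lower()


def match_rule(payload, content, digest_hex, hash_name, length, distance):
    """content:"..."; protected_content:"<digest>"; hash:<name>; length:N; distance:D;"""
    end = find_content(payload, content)
    if end < 0:
        return False
    return protected_content_match(payload, digest_hex, hash_name, length, distance, end)


# Constructed sample: the rule author ships only the digest of a 7-byte token
SECRET = b"ThreatZ"
RULE = {"content": b"GET /", "digest": hashlib.md5(SECRET).hexdigest(),
        "hash": "md5", "length": len(SECRET), "distance": 8}
SAMPLE_PAYLOAD = b"GET /" + b"cgi-bin/" + SECRET + b" HTTP/1.0\r\n"

if __name__ == "__main__":
    print(match_rule(SAMPLE_PAYLOAD, RULE["content"], RULE["digest"],
                     RULE["hash"], RULE["length"], RULE["distance"]))
```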
Snort Optimisation on Sourcefire Appliances

• Uses the Intel C compiler instead of GCC
  • Major performance boost by virtue of optimised assembly
• The network cards on the boxes are custom designed
  • Load balance distinct TCP streams across the cores available on the box. This allows for horizontal scaling when boxes are stacked
• Each Snort instance has a single thread for packet processing
  • Network monitoring works better with single threading
• Hardware processing
  • Look for the flow in the flow state table, create it if not there
  • If flow disposition is Block or Trust, take immediate action and mark the entry in the flow state table
  • If flow disposition is Inspect, store the access control policy rule and start inspection
Snort 3.0
Available at http://www.snort.org
• Also known as Snort++
• User-friendly design
• Built-in Documentation
• Built-in configuration
• Command shell allows interaction with running instance of snort
• Auto-Detection of all protocols on all ports
• Supports multiple packet processing threads
  • Current version is multi-threaded, but only one thread processes packets
• Protocol
• Simplified rule language
Demonstration
Configuring Snort on Cisco Devices
NGFW Principles
Traditional Firewall features

• Stateful inspection
• Layer 3 and Layer 4 Access Control
• Network Address Translation (NAT)
• Routing
Next Generation Firewalls
Cisco Collective Security Intelligence Enabled
(Diagram: Firepower Analytics & Automation on top; subscription services: Intrusion Prevention, Advanced Malware Protection, URL Filtering; base platform: Network Firewall Routing | Switching, Application Visibility & Control, Built-in Network Profiling, Identity-Policy Control, High Availability)
OpenAppID Overview

• What is OpenAppID?
• Application Visibility and Control (AVC) done the right way
• An open source application-focused detection language
• Enables users to create, share and implement custom application detection
• Available for download as an extension of Snort 2.9.7 from http://www.snort.org
• Road-mapped for Cisco Sourcefire products Calendar Year 2015
• Key advantages
• New simple language to detect apps
• Reduces dependency on vendor release cycles
• Build custom detections for new or specific
(ex. Geo-based) app-based threats
• Application-specific detail with security events
The AppID Preprocessor
• Identifies the application
• Generates appid attributes (payload, misc, client, service) that can be used in Snort rules.
alert tcp any any -> any any (msg:"FTP CWD to root"; appid:ftp;
pcre:"/cwd.*root/i"; gid:1000001; sid:1018758; rev:4; )
• Leverages the Snort HTTP preprocessor for header extraction
• Generates application statistics
  • Statistics are stored in Unified2 format
  • Statistics file can be read with the u2openappid or u2spewfoo commands
  • Statistics can be forwarded to Syslog by using the u2streamer command
What is Lua?
• AppID preprocessor leverages the power of the Lua scripting language
  • Application detectors are written using the Lua scripting language (not Snort rules)
• Lua is an open-source scripting language.
  • Lua is designed, implemented, and maintained by a team at PUC-Rio, the Pontifical Catholic University of Rio de Janeiro in Brazil.
  • Lua is the Portuguese word for moon.
• Benefits of Lua
  • Proven – used in many industrial applications, including several Cisco products
  • Powerful and fast – utilises the LuaJIT just-in-time compiler
  • Portable and embeddable – well documented API
  • Simple, lightweight, and small – under Linux, the interpreter is 182K, libraries 244K
• See more at http://www.lua.org
URL Filtering
(Slide: FMC screenshot of URL filtering configuration; no further text)
ISE Integration
(Diagram: the user's endpoint authenticates via 802.1X to the switch; the switch authenticates the user against the ISE Server over RADIUS; ISE publishes user metadata (User, SGT, User Group, Device, Location) over pxGrid to the Firepower Management Centre, which passes the user metadata to the Sensor; the user's Internet session flows through the Sensor)
ISE Integration Screen Shot
Lab exercises available
DNS Inspection and DNS Sinkholes
(Diagram: Endpoint (10.15.0.21), Local DNS Server, Sinkhole; the endpoint's connection to the sinkhole IP is shown blocked)
SSL Inspection
Note that in this presentation, we will not distinguish SSL and TLS
• Provides inspection of SSL traffic
  • More granular AVC for HTTPS
  • Provides AMP and IPS for HTTPS, FTPS, etc.
• Acts as a man-in-the-middle. There are two SSL sessions
  • Acts as client when talking to the SSL server
  • Acts as server for the client
• If the public key is unknown, will issue a new certificate with a different public key, and sign the new certificate with a different private key
• Supports DLP
• Supports Tunneled SSL
• Supports Layered SSL (STARTTLS)
(Diagram: Encrypted Server – Firepower – Encrypted Client; side note: choose external SSL for high bandwidth and the ability to inspect with other solutions)
Snort and SSL Decryption

• Integrated into DAQ


• Decryption happens before the inspection
engine sees the packets.
• Inspection engine still sees SSL handshake
• DAQ interacts with the SSL preprocessor
through policy API
Security Intelligence
Demonstration
Application Visibility and Control
NGIPS Principles
IPS and IDS

• IPS
  • Stands for Intrusion Prevention System
  • A technology that uses pattern matching to detect and drop malicious traffic.
  • Host IPS or HIPS is deployed on the host
  • Network IPS or NIPS is deployed inline in the network
• IDS
  • Stands for Intrusion Detection System
  • The predecessor of IPS
  • Can detect but cannot prevent intrusions
  • When an IPS system is not inline, it is often said to be in IDS mode
• This presentation will focus on IPS, though many concepts apply to both
Traditional IPS

• Traditional IPS provides signature-based pattern matching for detection and prevention of intrusion attempts.
• Typically deployed behind a Firewall or in IDS mode
• Typically a “bump in the wire”
• Often looks for exploits rather than vulnerabilities
• Often overwhelms analysts with irrelevant events
• Doesn't give much contextual information to take action
• Requires a high level of tuning
• Often needs additional devices to perform other related tasks
• Is often minimally effective or isn't used
• Requires massive amounts of time and resources to make it work
• May leave organisations exposed
Next Generation IPS

• Next-Generation IPS extends traditional IPS with
  • Application awareness to enable visibility into new L7 threats and reduce the attack surface
  • Contextual awareness, providing information to help better understand events and to provide automation and reduce cost/complexity/tuning
  • Content awareness, determining different file types and whether or not those can be malicious
• Next-Generation IPS is often deployed as part of a Next-Generation Firewall
Indications of Compromise (IoCs)
(Diagram of IoC sources by event type: IPS Events – Malware Backdoors, Exploit Kits, Web App Attacks, CnC Connections, Admin Privilege Escalations; SI Events – Connections to Known CnC IPs; Malware Events – Malware Detections, Malware Executions, Office/PDF/Java Compromises, Dropper Infections)
Impact Assessment
Correlates all intrusion events to an impact of the attack against the target

Impact flag | Administrator action | Why
1 Vulnerable | Act Immediately | Event corresponds to a vulnerability mapped to the host
2 Potentially Vulnerable | Investigate | Relevant port open or protocol in use, but no vulnerability mapped
3 Currently Not Vulnerable | Good to Know | Relevant port not open or protocol not in use
4 Unknown Target | Good to Know | Monitored network, but unknown host
0 Unknown Network | Good to Know | Unmonitored network
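The impact flag is derived by correlating each intrusion event against the Host Attribute Table. This added example (not Firepower's implementation) walks the table above in order, using a constructed host table, a constructed monitored-network list and the `reference:cve,...` value of the matching rule as the vulnerability key; all names and data are this example's assumptions:

```python
"""Impact flag assignment for an intrusion event, using the Host Attribute Table
(added example; not Firepower's implementation). Inputs are constructed."""
import ipaddress

# impact flag -> (meaning, administrator action), as in the Impact Assessment table
IMPACT = {
    1: ("Vulnerable", "Act Immediately"),
    2: ("Potentially Vulnerable", "Investigate"),
    3: ("Currently Not Vulnerable", "Good to Know"),
    4: ("Unknown Target", "Good to Know"),
    0: ("Unknown Network", "Good to Know"),
}

# Constructed host attribute table: host -> OS, (protocol, port) services, mapped vulnerabilities
HOST_TABLE = {
    "10.15.0.21": {"os": "Linux", "services": {("tcp", 3306)}, "vulns": {"cve,2010-1850"}},
    "10.15.0.22": {"os": "Linux", "services": {("tcp", 3306)}, "vulns": set()},
    "10.15.0.23": {"os": "Windows", "services": {("tcp", 445)}, "vulns": set()},
}
MONITORED_NETWORKS = [ipaddress.ip_network("10.15.0.0/24")]


def impact_flag(target_ip, proto, port, references,
                host_table=HOST_TABLE, monitored=MONITORED_NETWORKS):
    """references: the rule's reference values, e.g. ["cve,2010-1850"] for reference:cve,2010-1850."""
    addr = ipaddress.ip_address(target_ip)
    if not any(addr in net for net in monitored):
        return 0  # unmonitored network: discovery has no data at all
    host = host_table.get(target_ip)
    if host is None:
        return 4  # monitored network, but discovery never saw this host
    if host["vulns"].intersection(references):
        return 1  # the rule's vulnerability is mapped to this host
    if (proto, port) in host["services"]:
        return 2  # port open / protocol in use, but no vulnerability mapped
    return 3  # port closed or protocol not in use on this host


def assess(event):
    """event: dict with dst_ip, proto, dst_port, references. Returns (flag, meaning, action)."""
    flag = impact_flag(event["dst_ip"], event["proto"], event["dst_port"], event["references"])
    meaning, action = IMPACT[flag]
    return flag, meaning, action


if __name__ == "__main__":
    for ip in ("10.15.0.21", "10.15.0.22", "10.15.0.23", "10.15.0.99", "192.0.2.5"):
        print(ip, assess({"dst_ip": ip, "proto": "tcp", "dst_port": 3306,
                          "references": ["cve,2010-1850"]}))
```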
Cisco NGFW and NGIPS
Software Solutions
Cisco IPS and Firewall Offerings
• Traditional ASA
• Firepower appliances
• ASA with Firepower Services
• Firepower Threat Defence (FTD)
ASA Functionality Highlights
• Adaptive Security Appliance
• Stateful architecture is about flows or connections, not packets
• Most effective with TCP, UDP, and ICMP
• Virtual IP Defragmentation and comprehensive TCP Normalisation
• SCTP inspection and limited normalisation added in ASA 9.5(2)+
• Site-to-site and Remote Access VPN
• High-speed NAT
• Application Inspection using many Application Layer Gateways (ALG)
• High Availability and Clustering
• Virtual form factor for ESX, KVM, Hyper-V, and AWS
Firepower Architecture
ASA with Firepower Services
Functional Distribution of Features
• Firepower Services: URL Category/Reputation, NGIPS, Application Visibility and Control, File Type filtering, Advanced Malware Protection, File capture
• ASA: TCP Normalisation, NAT, TCP Intercept, Routing, IP Option Inspection, ACL, IP Fragmentation, VPN Termination, Botnet Traffic Filter
ASA with Firepower Services
• Packet flow between the solution components
  1. Ingress processing – inbound ACLs, IP defragmentation, TCP normalisation, TCP intercept, protocol inspection, clustering/HA traffic control, VPN decryption, etc.
  2. Sourcefire Services processing – URL filtering, AVC, NGIPS, AMP, etc.
  3. Egress processing – outbound ACLs, NAT, routing, VPN encryption, etc.
• Packets are redirected using the Cisco ASA Modular Policy Framework (MPF)
  • MPF supports fail-open, fail-closed and monitor-only options
  • MPF determines which traffic is sent to the Firepower Services module
ASA with Firepower Services
Packet flow overview
• ASA Module processes all ingress and egress packets
• No packets are directly processed by Firepower except for the Firepower management port
• ASA configures and controls the Firepower Services Module
• Logical flow is similar for mid-range ASAs
Firepower Management Centre

• Formerly called Defence Centre
• Centralises configuration of Firepower appliances and ASAs with Firepower Services
• Receives events from Firepower appliances and ASAs with Firepower Services
• Correlates events to provide meaningful context for threats
• Can remediate devices in response to combinations of events
Multi-Context Support
• Security contexts share a single Sourcefire instance
• Context IDs are passed from the ASA to Sourcefire when ASA interfaces are discovered.
• Events passed to Firepower include Context IDs.
Scaling Provided by Clustering
• Up to 16 ASAs
  • For ASA 5585-X
    • FW MAX Throughput: 640 Gbps
    • Firepower IPS 440 Byte Throughput: 96 Gbps
• Each Sourcefire Sensor is an independent instance
  • ASAs share connection state information
  • Sourcefire Sensors do not share signature state information
• State-sharing between firewalls for symmetry and high availability
  • Every session has a Primary Owner; ownership is managed by the Director node
• ASA provides traffic symmetry to the Firepower module
Asymmetric Traffic
• Depending on the Access Switch running vPC, either upstream link could be used to send the return traffic.
• This is one easy way asymmetry can get introduced.
• Deploying Security Devices that do not integrate into modern designs gets very difficult.
• These problems get more complicated when moving to distributed datacentres.
• One requirement for inserting security services into this deployment is that it has to handle that traffic will be asymmetric
(Diagram: Outside – Core – N7K pair with vPC Peer-link – vPC – Access – DC Servers)
Firepower Threat Defence (FTD)
• Provides Software for all Cisco NGFW models
• Provides Software Convergence
  • ASA
  • Firepower
• Achieves single-pane-of-glass management with Firepower Management Centre
(Diagram: ASA (L2-L4 Inspections, ASA Technology) plus Firepower (Advanced Inspections, Firepower Technology) converge into Firepower Threat Defence, managed by the Firepower Management Centre; new ASA features are added to FTD)
FTD feature pedigree
• Everything from Firepower 6.0
• Phased introduction of features from ASA
• Currently supported ASA features
• IPv4 and IPv6 Connection state tracking and TCP normalisation
• Access Control
• NAT (Full support)
• Unicast Routing (except EIGRP)
• ALGs (only default configuration)
• Intra chassis Clustering on Firepower 9300
FTD Features
• Traditional Firewall features
  • Stateful inspection
  • NAT
  • Routing
• Advanced features
• Threat (Snort)
• AVC (OpenAppID)
• URL filtering
• AMP (including integration with Threat Grid)
• Security intelligence
• Authentication and Authorisation
Architecture Diagram
Packet Flow
Life of a packet in Routed mode
(Flow chart; labels recovered from the slide along the main path: RX Pkt → Ingress Interface → Existing Conn? / Cluster redirect → NAT Untranslate → ACL permit? → Advanced? → TrustPath? → Application Identification and IP Reputation/SI → Application and URL reputation/category based access control enforcement; IPS policy enforcement; File/Network AMP policy enforcement; Trustpath or Allow; Event gen → ASA ALG Checks → NAT IP Header → L3 Egress Route → L2 Addr → Egress Interface → TX Pkt. A "No" at the ACL, IP Reputation/SI, policy enforcement, ALG, NAT, route or L2 lookup stages leads to DROP.)
Cisco NGFW and NGIPS
Hardware Solutions
Firepower Products
Firepower Appliances
• Provides IPS/IDS capabilities and advanced malware protection (AMP)
• Provides AVC and URL filtering
• Provides Network Discovery
• Provides firewall capabilities
  • NAT
  • Routing
(Diagram, NGIPS models by throughput: FP 8000 Series 2 Gbps – 60 Gbps; FP 7000 Series 50 Mbps – 1.25 Gbps; FP Virtual 200 Mbps per core)
Scaling Provided by Stacking
• Stacking combines two or more devices
  • One primary device
  • One or more secondary devices
• Only the primary device has sensing interfaces
• Secondary devices provide their CPU and memory resources to the stack
(Diagram, NGIPS throughput of stacked configurations as labelled on the slide: FP 8350 15 Gbps; FP 8360 30 Gbps; FP 8270 45 Gbps; FP 8390 60 Gbps; stack members shown: FP8350, FP8360, FP8370, FP8390)
Cisco NGFW and ASA Product Family
Performance and Scalability
(Diagram, left to right by scale: SMB & Distributed Enterprise – ASA 5506-X, ASA 5506W, ASA 5506H, ASA 5508-X, ASA 5516-X; Commercial & Enterprise – ASA 5525-X, ASA 5545-X, ASA 5555-X; Data Centre, High Performance Computing, Service Provider – ASA 5585-X Series (SSP 10, 20, 40, 60), FP 4100 Series (4110, 4120, 4140), FP 9300)
Platform-Based Security Architecture
(Layer diagram, top to bottom:
• Management – Common Security Policy and Management
• Security Services and Applications – Cisco Security Applications and Third-Party Security Applications: Access Control, Context Awareness, Content Inspection, Application Visibility, Threat Prevention
• Services Platform – Security Orchestration; Cisco ONE Platform Management APIs; Cloud Intelligence APIs; Physical Appliance, Virtual and Cloud APIs
• Infrastructure Element Layer – Device API: OnePK™, OpenFlow, CLI; Cisco Networking Operating Systems (Enterprise, Data Centre, Service Provider); ASIC Data Plane, Route–Switch–Compute, Software Data Plane)
Services Architecture on the Firepower 9300
Firepower 9300 Overview
1. Supervisor
  • Application deployment and orchestration
  • Network attachment (10GE/40GE) and traffic distribution
  • Clustering base layer for ASA Firewall or Cisco NGFW
2. Security Modules
  • Embedded packet/flow classifier (Smart NIC) and crypto hardware
  • CPUs with a total of 24 or 36 physical cores (48 or 72 with hyperthreading)
  • Standalone or clustered within (up to 240Gbps) and across (1Tbps+) chassis
Supervisor Simplified Hardware Diagram
(Diagram: x86 CPU and RAM on the System Bus; Internal Switch Fabric (up to 24x40GE); 2x40Gbps Ethernet to each of Security Module 1, 2 and 3; 2x40Gbps to the on-board 8x10GE interfaces; 5x40Gbps to each of NM Slot 1 and NM Slot 2)
Network Interfaces
• Supervisor configures interfaces and directs traffic to security
modules
• All interfaces are called “Ethernet” and 1-referenced (i.e. Ethernet1/1)
• Hardware OIR support at FCS, software support to follow
• Mix and match up to two 10GE/40GE standard-width modules at FCS
  • 8x10GE SFP/SFP+ per module
  • 4x40GE QSFP per module, each port can split to 4x10GE
• Double-width 2x100GE module for later availability
• Future hardware bypass support for inline IPS interface on all modules
Security Modules
• Two configurations
  • SM-36 “Extreme”: 72 x86 CPU cores (up to 80Gbps of firewalled throughput)
  • SM-24 “Enterprise”: 48 x86 CPU cores (up to 60Gbps of firewalled throughput)
• Dual 800GB SSD in RAID1 by default
• Built-in hardware Packet/Flow Classifier and Crypto Accelerator
  • Cisco Cruz for Smart NIC functionality
  • Dual Cavium Nitrox CNN3550-C20 crypto (up to 20Gbps of IPsec each)
• Hardware VPN acceleration is targeted for next release
(Diagram: RAM and two x86 CPUs of 24 or 36 cores each on the System Bus; 2x100Gbps Ethernet to the Packet/Flow Classifier and Crypto Accelerator; 2x40Gbps Backplane Supervisor Connection)
Firepower 4100 Series Front View
(Front panel, left to right: Power LED, Mgmt, Locater, SYS LEDs, Console, USB, SSD1, SSD2, fixed ports 1–8, NetMod 1 (Slot), NetMod 2 (Slot))
• Fixed Security Engine: 8x SFP+ (10G) fixed ports
• Modular system: 2x Network Modules (NetMod) slots, 2x 2.5” SSD slots
Network Modules and Transceivers Support
All external network modules require fibre or copper transceivers
Fail To Wire Network Modules provide hardware bypass functionality
• 8x10GE module
  • 1GE optical SFP support
  • 1GE copper SFP support
  • 10 GE optical SFP+
  • 10 GE optical SFP-S
  • 10 GE Twinax Support
  • Support for both Single Mode and Multi Mode optical cable
• 4x40GE module
  • 40 GE QSFP Support
  • 4x10 GE breakouts for each 40 GE port
  • Support for both Single Mode and Multi Mode optical cable
  • Support for direct-attach copper cable
FP 4140 Hardware
Model Hardware Specifications

Category | FP 4110 | FP 4120 | FP 4140 | FP 4150
Chassis & I/O | 1RU, 2 EPM slots, 8 Fixed SFP+ ports, 2 SSD slots, Dual PSU Slots (all models)
PSU – Default CFG | Single AC | Single AC | Redundant AC | Redundant AC
Management Processor/Memory | Gladden 2C@2.0GHz, 8G DDR3 (1600) (all models)
Processor – Xeon | Single 12-Core E5-2658V3 | Dual 12-Core E5-2658V3 | Dual 18-Core E5-2699V3 | Dual 22-Core E5-2699V4
Processor Speed | 2.2GHz | 2.2GHz | 2.3GHz | 2.2GHz
L3 Cache /socket | 30MB | 30MB | 45MB | 55MB
DDR4 RAM | 64GB (2133) | 128GB (2133) | 256GB (2133) | 256GB (2400)
SSD – Default CFG. | 1 x 200GB; 1 x 400GB (only these two values appear on the slide)
Security Acceleration Module | Single Cruz/Single Nitrox (Moor Park Lite); Dual Cruz + Dual Nitrox (Moor Park)
Traditional Firewall Performance

Category | FP 4110 | FP 4120 | FP 4140
Large Packet Firewall (1500 byte UDP) | 20Gbps | 40Gbps | 60Gbps
Firewall Throughput | 10Gbps | 20Gbps | 30Gbps
Firewall Packets Per Second (64 byte UDP) | 3M | 6M | 10M
UDP Latency (1500 LDR) | 18 µsec | 31.16 µsec | 30.49 µsec
VPN (3DES/AES) | 5 Gbps | 10 Gbps | 15 Gbps
VPN Sessions | 5K | 10K | 15K
Connections per Second | 150K | 250K | 350K
Concurrent Connections | 10M | 15M | 25M

NGFW Performance

Category | FP 4110 | FP 4120 | FP 4140
NGFW – FW+AVC Perf. (440 byte) | 4 – 6 Gbps | 6 – 8 Gbps | 10 – 15 Gbps
NGFW – FW+AVC+IPS Perf. (440 byte) | 2 – 4 Gbps | 3 – 6 Gbps | 6 – 12 Gbps
NGFW – FW+AVC+IPS+AMP Perf. (440 byte) | 2 Gbps | 2.5Gbps | 5Gbps
NGFW – FW+AVC+IPS+AMP+URL Perf. (440 byte) | 2 Gbps | 2.5Gbps | 5Gbps
NGFW – Enable Logging Impact (Max %) | 15% | 15% | 15%
Standalone NGIPS Perf. – No FW/AVC (440 byte), “balanced” base policy, no tuning | 4 Gbps | 8.5Gbps | 12Gbps
NGIPS Enable Logging Impact (Max %) | 10% | 10% | 10%
NGIPS Concurrent Connections | 150K | 250K | 350K

Other Cisco Products

• Sourcefire technologies, including Snort, are the centrepiece of the Cisco Security strategies
• Sourcefire technologies will be integrated into a wide range of Cisco products
  • Snort will extend to the Internet of Things (IoT) and Internet of Everything (IoE)
  • Cisco ISA
• Several products currently utilise Cisco Sourcefire AMP without a Snort engine
  • Cisco Email Security Appliance (ESA)
  • Cisco Web Security Appliance (WSA)
  • Cisco Cloud Web Security (CWS)
Meraki Implementation of Snort

• Deploys traditional Sourcefire engine
• Downloads rules from Sourcefire servers
  • First to the Meraki backend
  • Then rules are distributed to devices
• Utilises predefined security / connectivity / balanced policies
• Does not allow customisation of IPS policies
• Implements organisation level security reporting
  • Administrators can see what signatures fire where across their whole domain
Meraki vs. ASA with Firepower Services

Cisco Meraki MX
• Lean IT focus
• Best in class UTM capabilities
• Radically simplified deployment
• Low cost form factor available
• Ultra low operating cost via cloud management
• Robust security
• Optimised for highly distributed environments

Cisco ASA with Firepower Services
• Threat-focused NGFW
• Advanced threat protection
• Unmatched visibility and control
• Provides correlation and advanced analytics
• Advanced remediation capabilities
• Protect against advanced threats
Cisco Integrated Services Router (ISR)

• For the ISR 4k, services are deployed on a UCS-E blade
  • Blade contains ESXi hypervisor
  • Sourcefire sensor is deployed as a virtual machine
• Can consolidate network functionality into a single router
  • Physical IPS sensor → Cisco Sourcefire virtual sensor
  • Physical WAN optimisation device → Cisco vWAAS
  • Physical QoS appliance → IOS QoS capabilities
• Snort integration is road-mapped for lower-end ISR routers
  • Similar to Meraki Snort deployment – Snort without the full Sourcefire sensor
Cisco Security for Modern Industry

• Leverage industrial network infrastructure; products are already on the market
  • Industrial Ethernet (IE) switches
  • Connected Grid Routers (CGR)
• Leverage ASA and Sourcefire technologies
  • VPN technologies
  • New Snort preprocessors for operational technology (OT) protocols
  • New Snort rules for specific OT threats or commands
• Partner with (OT) vendors to build Industrial protections into the Cisco Industrial Security Appliance (ISA)
• Provide Cisco Validated Designs to fit Industrial processes
Industrial Security Appliance (ISA)

• Software
  • Firewall: ASA
  • IPS: Sourcefire Firepower Services
• Identify and block threats
  • Generic
  • OT protocol specific
  • OT application specific
• Application Visibility and Control
  • Protocols
  • Applications
  • Individual commands
Deployment
NGFW/NGIPS Deployment Cycle
The Main Steps

• Network Security Policy
• Use Cases
• Location
• Connectivity
• Performance
• Availability and Scaling
• Management
Policy
Network Security Policy

• Outlines rules for computer network access
• Determines how policies are enforced
• Basic Architecture of the network security environment
  • Keep malicious users, applications and traffic out
  • Keep internal data in
• Attack Mitigation and Incident Response
• Align to business needs
Use Case
What problem are we solving ?

Traditional FW: 5-tuple Access Control, Stateful Protocol Inspection, NAT, Routing
VPN: Remote Access, Site-to-Site, NAT, Routing, …
NGFW: Application Visibility and Control, User-Based Controls, Filtering Web Access, Encrypted Traffic
NGIPS: Intrusion Detection, Intrusion Prevention, Encrypted Traffic, Compliance, Network Forensics
Malware: Trojan Horses, Rootkits, …, Scope spreading, 0-days
Location
What Network Segment do we want to protect ?

• Internet Edge
• Data Centre
• Branch
• Core
• Extranets
• Critical Network Segments
Location
Internet Edge

• Enterprise’s GW to Cyberspace
• Serves diverse building blocks
• Allow outbound employee traffic and inbound traffic to servers
• Filter outbound employee traffic
• Need for diversified policy protecting both DMZ and users
• Expected threats include (D)DoS, Intrusion attempts, application-layer attacks
• URL and Application filtering, IPS/IDS, SSL Decryption, Anti-malware
Connectivity
What Interfaces are needed

• How Many Interfaces ?
• Fibre or Copper ?
• Bypass or non-bypass
• Interface Speed ?
• Need for bundling Interfaces ?
• Need for Wireless ?
Connectivity
How should the NGFW/NGIPS be connected ?

FirePOWER Appliance – Promiscuous Mode
• Passive interface

FirePOWER Appliance – Inline Mode
• Inline Interfaces
• Virtual Switched Mode
• Virtual Routed Mode

ASA With FirePOWER Services
• Inline
• Promiscuous
• Span Port Mode
Connectivity
FirePOWER Appliance Deployment Models

Traditional IPS Deployment
• Bump in the wire, entirely transparent to the network
• Bypass functionality
• Easy to insert into an existing network
• I.e. FirePOWER Inline Interfaces

Traditional IDS Deployment
• SPAN, TAP to send a copy of traffic to IDS
• Does not impact network traffic
• Easy to insert into an existing network
• I.e. Passive Mode

Traditional Transparent Firewall Deployment
• No Bypass functionality
• Can actively participate in the network (i.e. keeps CAM table, can broadcast ARP request)
• State-sharing is a requirement for network continuity in HA pairs
• I.e. Virtual Switched Mode

Traditional Routed Firewall Deployment
• FW is a hop in the network between L3 boundaries
• Has to be aware of routing protocols
• State-sharing is a requirement for network continuity in HA pairs
• I.e. Virtual Routed Mode
Connectivity
ASA with FirePOWER Services Deployment Models

ASA itself could be deployed in many ways:
• L2 (Transparent) / L3 (Routed mode)
• Single-Context / Multi-Context
• Active/Standby, Active/Active, Clustering

Modular Policy Framework (MPF) is used to forward traffic from ASA to FirePOWER Services:
• Inline
• Promiscuous
• Monitor-only

Example MPF configuration (inline, fail-open):
    policy-map global_policy
     class class-default
      sfr fail-open
    service-policy global_policy global
Performance
How to measure and why it matters ?

• Sizing: Which device do I need to buy?
  • Upgrade of existing or new device?
• Features: What features am I going to need or want to run?
  • Firewall, IPS, Application Control, URL, Malware?
• Location: Where is the device in the network?
  • In front of a DNS only data centre with millions of very small very fast transactions or in front of HTTP web servers serving normal web pages?
  • Data centre looking at only internal traffic or Internet Edge looking at the wild Internet?

As with all performance discussions, YOUR MILEAGE MAY VARY!!
Performance
Determining your IPS Performance needs

• What does your traffic mix look like ?
• What is your peak throughput ?
• What Features will you need ?
• What is your peak conn/s and max conn ?
• How much latency is acceptable ?
• Can we exclude traffic from inspection ?
• Use Netflow, NBAR, AVC, ASA Stats
• Plan for the future !
Availability and Scaling
What should happen if the IPS fails

Network Availability
• ASA with FirePOWER Services: ASA w/ Firepower Fail-Open
• FirePOWER Appliance – Promiscuous: N.A.
• FirePOWER Appliance – Inline: Automatic Application Bypass; Hardware Bypass; Alternate Path

Security Availability
• ASA with FirePOWER Services: ASA A/S Failover
• FirePOWER Appliance – Promiscuous: FirePOWER Clustering – Passive Redundancy
• FirePOWER Appliance – Inline: FirePOWER Clustering – Inline; FirePOWER Clustering – Switched; FirePOWER Clustering – Routed

Availability and Scaling
How to scale beyond what 1 Appliance can do ?

Scaling
• ASA with FirePOWER Services: N.A.
• FirePOWER Appliance – Passive: Stacking
• FirePOWER Appliance – Inline: Stacking

Scaling + Availability
• ASA with FirePOWER Services: ASA Clustering *
• FirePOWER Appliance – Passive: Passive Clustered Stack; FirePOWER Passive Appliances with Etherchannel RSPAN *
• FirePOWER Appliance – Inline: Clustered Stack; ASA with FirePOWER Appliances *

* Can be deployed in asymmetric traffic environments

Scaling
Stacking for FirePOWER 8000 Series
• 4x Stacking supported on 8300, 8200
• 2x Stacking on 8100 Series

Stacked 8300 series throughput: 8350 – 15 Gbps | 8360 – 30 Gbps | 8370 – 45 Gbps | 8390 – 60 Gbps
Scaling + Availability
Clustering for ASA5500-X

• Scaling and Availability for FirePOWER Services
• Can be deployed in an asymmetric environment
• Up to 16 ASA5585-X or two ASA5500-X with FirePOWER services in an ASA Cluster
• Stateless load balancing by external switch
• Support for vPC and LACP
• Cluster Control Protocol/Link
• State-sharing between Firewalls for concerted operation and high availability
• Every session has a primary and secondary owner ASA
• ASA provides traffic symmetry to FirePOWER modules
Management

• Management Platforms: Firepower Management Centre, ASDM *
• Firepower Management Centre can be an appliance or a VM
• Firepower Manager Appliances can be deployed in HA
• Determining factors: device type, deployment size, cost, other security devices, scaling requirements, responsibilities

Category | FMC (Firepower Management Centre) | ASDM
Model | Server, web-based UI | On-box
Form Factor | VM or Appliance | Runs on ASA
# devices | Up to 300 | 1
Cost | $ | No Charge
Manages | FirePOWER, ASA, FirePOWER services | FirePOWER services on select platforms
Contextual Awareness and Visibility | Detailed | Basic, no IoC or Impact Assessment
Event Collection | Extensive | Basic
Reporting | Extensive | Basic
Health Monitoring | Basic: CPU, Memory | Extensive

* ASDM currently only manages FirePOWER Services on 5506/8/16
Implementation
Installation, Basic Configuration and Insertion into the network

1. Installation of Firepower Management Centre


2. Installing FirePOWER appliance or FirePOWER Services for ASA
3. Adding FirePOWER appliance/module into Firepower Management Centre
4. Apply Basic Configuration
5. Insertion into the network
6. Tuning
7. Recommended: Move from Audit mode to inline mode
8. Operation
Policies

• System Policy: manages system-level settings such as audit logs, mail relay, etc.
• Health Policy: a collection of health module settings to check the health of devices
• Network Discovery Policy: defines how the system collects data on network assets
• File Policy: used to perform AMP and file filtering
• Intrusion Policy: defines IPS rules to be enabled for inspection
• SSL Policy: defines what traffic to decrypt and how to decrypt it
• Access Control Policy: permits/denies traffic through the device, defines which Intrusion/File policies are applied to traffic flows
• Network Analysis Policy: governs many traffic preprocessing options, and is invoked by advanced settings in your access control policy
Network Discovery Policy

Profiled networks
Access Control Policy
The Malware Problem
Attack Awareness Fades Confidence

• 59% confident in having the latest technology (-5%)
• 51% have strong confidence in ability to detect a security weakness in advance (0%)
• 54% have strong confidence in ability to defend against attacks (-4%)
• 45% have strong confidence in ability to scope and contain an attack (-1%)
• 54% have strong confidence in ability to verify an attack (+0%)
• 56% review security policies on a regular basis (+0%)

Source: Cisco Security Research, ASR 2016


Top Malware Tactics
Chart with two panels: High Prevalence Samples (sample count in 000s, 0–35,000) and Low Prevalence Samples (sample count, 0–50).
Categories shown: Facebook Scams; JavaScript; JavaScript iframe Downloader; JavaScript "Blackhole" Redir; JavaScript Trojan Downloader; Windows Binaries; Windows Trojan Downloader; Phishing; iFrame; JavaScript Obfuscation; Android Trojan Downloader; Windows Trojan "Upatre"; Windows Trojan; Windows Worm; Windows "Sality" Malware; Windows "Krap-K" Malware; Windows "Gampass"…; Suspicious PDFs; Windows Backdoor "Ace"; Trojan Downloader; Windows Backdoor; Windows Downloader…; Windows Hoax; JavaScript Trojan…
Source: Cisco Security Research, ASR 2016
Ransomware - Cut off one head and two more shall take its place

Chart: Number of Samples over time for Cryptowall3, CBT, Cryptowall4, TeslaCrypt, TeslaCryptv2 and Locky?
The Question Is No Longer If Malware Will Get Into Your Network
It’s How Quickly You Can Detect the Infection, Understand Scope, and Remediate the Problem

Incident response flow (diagram):
• Where do I start? Notification → Quarantine → Triage → Confirm Infection. Infection Identified → continue; Cannot Identify Infection → Stop.
• How bad is the situation? Analyze Malware: Build Test Bed; Static and Dynamic Analysis; Device Analysis; Network Analysis; Proliferation Analysis.
• What systems were affected? What did the threat do? Build the Malware Profile and Malware Proliferation Profile; Update Profile as analysis continues.
• How do we recover? Define Scan Rules (from profile); Search Network Traffic; Search Device Logs; Remediate Devices.
• How do we keep it from happening again? Search for Re-infection.
John N. Stewart, senior vice president, chief security and
trust officer, Cisco
Malware in the Kill Chain

Stage | Visibility | Enforcement
Recon | Connection Events, Maltego? | Access Lists, AVC
Attack Delivery | Intrusion/Security Events | Email/Web/Intrusion Policy Enforcement
Exploitation | Intrusion Events, Host IOC, Behavioural Indicators | Intrusion & File/Malware Policy Enforcement
C&C | Security Intel Events, Beh. Indicators | Access Rules, DNS Policy, Snort Rules
Lateral Movement | Network File Trajectory, File Events | AMP Rep, File Analysis
Persistence | Malware File Events | File and Malware Policies
Steal Data | Connection Events, SIEM, Flow | Access Rules, Sinkholing

https://media.blackhat.com/bh-us-12/Briefings/Flynn/bh-us-12-Flynn-intrusion-along-the-kill-chain-WP.pdf
Correlating Weak Signals Into Indicators Of Compromise

Weak signals observed on your network:
• DNS to malware site detected by NGIPS
• Malware File Download detected by AMP for Content
• Malware Propagation detected by NGIPS
• CNC Traffic detected by NGIPS
• Malware Persistence actions detected by AMP for Endpoints

Intelligence correlates these weak signals into Indicators of Compromise.
Low specificity, High Sensitivity
Ransomware Indicators were firing for Locky
Chart: monthly count (0–2000) of the behavioural indicators command-deleted-shadow-copy and desktop-wallpaper-modified, 2015-11 to 2016-02.
Indications of Compromise

IoC: a “tag” on a host that indicates that an event indicating likely host infection has occurred. IoCs are tallied against each host.

• IPS Events: Malware Backdoors; Exploit Kits; Admin Privilege Escalations; Office/PDF/Java Compromises; Dropper Infections; Web App Attacks
• SI Events: CnC Connections; Connections to Known CnC IPs
• Malware Events: Malware Detections; Malware Executions
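An added example (not from the presentation) of the IoC tagging described on this slide: constructed events from the IPS, Security Intelligence and malware sources are mapped to the slide's IoC tags and tallied per host, and a host is only escalated when independent sensors agree within a time window, which is the weak-signal correlation from the earlier slide. Event classification strings, hosts and timestamps are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Map (event source, sensor classification) to the IoC tag placed on the host.
# The tags are the categories on the slide; the classification strings are
# constructed for this example, not the product's actual event field values.
IOC_RULES = {
    ("ips", "malware-backdoor"): "Malware Backdoor",
    ("ips", "exploit-kit"): "Exploit Kit",
    ("ips", "admin-privilege-escalation"): "Admin Privilege Escalation",
    ("ips", "office-pdf-java-compromise"): "Office/PDF/Java Compromise",
    ("ips", "dropper-infection"): "Dropper Infection",
    ("ips", "web-app-attack"): "Web App Attack",
    ("si", "cnc-connection"): "CnC Connection",
    ("si", "known-cnc-ip"): "Connection to Known CnC IP",
    ("malware", "detection"): "Malware Detection",
    ("malware", "execution"): "Malware Execution",
}


@dataclass(frozen=True)
class Event:
    ts: int          # constructed epoch seconds
    source: str      # "ips", "si" or "malware"
    category: str    # sensor classification (constructed)
    host: str        # internal host the event is attributed to


def tag_iocs(events):
    """Tally IoC tags per host as {host: {tag: count}}; non-IoC events are skipped."""
    tally = defaultdict(lambda: defaultdict(int))
    for ev in events:
        tag = IOC_RULES.get((ev.source, ev.category))
        if tag is not None:
            tally[ev.host][tag] += 1
    return {host: dict(tags) for host, tags in tally.items()}


def correlated_hosts(events, window, min_sources=2):
    """Hosts with IoC events from at least min_sources distinct sensors within
    `window` seconds. One weak signal stays a low-specificity tag; independent
    sensors agreeing in a short interval is what raises confidence."""
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        if (ev.source, ev.category) in IOC_RULES:
            per_host[ev.host].append((ev.ts, ev.source))
    flagged = set()
    for host, hits in per_host.items():
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # slide the window forward
            if len({src for _, src in hits[start:end + 1]}) >= min_sources:
                flagged.add(host)
                break
    return flagged


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    Event(1000, "si", "cnc-connection", "10.1.1.5"),
    Event(1030, "ips", "exploit-kit", "10.1.1.5"),
    Event(1045, "malware", "detection", "10.1.1.5"),
    Event(1200, "ips", "policy-violation", "10.1.1.5"),  # informational, no IoC
    Event(2000, "si", "known-cnc-ip", "10.1.1.9"),
    Event(9000, "ips", "web-app-attack", "10.1.1.9"),     # hours after the SI hit
    Event(3000, "ips", "port-scan", "10.1.1.20"),         # no IoC rule for this
]

if __name__ == "__main__":
    for host, tags in tag_iocs(SAMPLE_EVENTS).items():
        print(host, tags)
    print("correlated within 5 min:", correlated_hosts(SAMPLE_EVENTS, window=300))
```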
AMP Principles
Jason Brvenik, principal engineer, Security Business
Group, Cisco
Design: Principles of Advanced Malware Protection

Point-in-Time Protection – PLAN A:
• Leverage Collective Security Intelligence
• Protect against what we collectively KNOW about
File Reputation, Sandboxing, and Behavioural Detection

Retrospective Security – PLAN B:
• The UNKNOWN that we want to Analyse
• Reducing time to detect and remediate
Continuous Analysis – Unique to Cisco® AMP


Point-in-Time Detection | Retrospective Security
Cisco AMP Defends With Reputation Filtering And Behavioural Detection
Cisco Collective Security Intelligence – Continuous Protection

• Reputation Filtering: One-to-One Signature; Fuzzy Finger-printing; Machine Learning
• Behavioural Detection: Indications of Compromise; Dynamic Analysis; Advanced Analytics; Device Flow Correlation
Point-in-Time Detection | Retrospective Security
Retrospection Described (Cisco Collective Security Intelligence)

Typical Analysis: analysis of a file stops after the initial disposition. Initial Disposition = CLEAN (from 1-to-1, Fuzzy, Machine Learning, Sandboxing, etc.); actually… Disposition = BAD, too late! Reasons analysis stops: Sleep techniques; Unknown protocols; Encryption; Performance.

Continuous Analysis: analysis of the file continues over time. Initial Disposition = CLEAN; a Retrospective Alert is sent later when Disposition = BAD. When you can’t detect 100%, visibility is critical.
Value of Retrospective Security
Relying on point-in-time detection technologies alone is insufficient.
Chart (2015-09 to 2016-01, 0–100%): share of Detection vs. Retrospective Detection vs. False Positive.
AMP and Threat Grid Provides Unique Value
AMP provides industry leading advanced malware protection.

• More than 50% of files convicted by Threat Grid did not exist in Virus Total at time of detection (chart, 2015-11 to 2016-01: TG Convicted Not Known to VT vs. Known to VT)
• More than 30% of files convicted by TALOS did not exist in Virus Total at time of detection (chart, 2015-11 to 2016-01: TALOS Convicted Not Known to VT vs. Known to VT)
AMP + Threat Grid December 2015 Summary
5,953,757 files were marked malicious in
December leading to 220,035 Threat Detections
and 85,463 Retrospective Detections on 118,274
endpoints across 1,436 businesses.
Of the unique files convicted by Threat Grid, 75% did
not exist in Virus Total at the time of detection.
Advanced Malware
Protection for Firepower
David Goeckeler, Senior Vice President and General
Manager, Security Business Group
Security Architecture Goals - Edge to endpoint visibility

Cisco Security portfolio (diagram):
• Network Security: ASA | ISR, FP | FTD, Meraki
• Content Security: ESA | WSA
• Endpoint Security (FireAMP)
• Secure Access, OpenDNS, Lancope, …
• Integrations: Security Information & Event Management; Deep Packet Inspection; Governance, Risk, Compliance

Cisco Advanced Malware Protection (AMP): Integrated AMP; Standalone AMP Threat Grid (API); both backed by TALOS.
Advanced Malware Protection for Firepower

• Threat Intelligence Cloud – Reputation Lookups: SHA256; File Metadata; DFC
• AMP File and Malware Engine – Retrospective Security; Archive Analysis; Captured Files
• AMP Threat Grid – Sandbox and Threat Intelligence Engine: Malware Research; Static Analysis; File Dynamic Analysis
Who is Talos?
Primary member of Cisco's Collective Security Intelligence (CSI) ecosystem. Merge of:
- Sourcefire's Vulnerability Research Team,
- Cisco Threat Research and Communications group, and
- Cisco Security Applications group

Snort, ClamAV, SenderBase, and SpamCop

Examples of Talos 0-day Threat Protection:
• TALOS-2015-0024 – Total Commander
• TALOS-2015-0018 – Apple Quicktime
• VRT-2014-0301 – Microsoft Windows FastFAT
Where does the data in AMP Come From?

• TALOS AEGIS™ Program
• TALOS Crete Program
• Private & Public Threat Feeds
• File Samples (>1.1MM per day)
• Sandnets
• Honeypots
• AMP Community
• Open Source Communities
• Advanced Microsoft & Industry Disclosures
The AMP Everywhere Architecture
AMP Protection Across the Extended Network for an Integrated Threat Defence

• Threat Intelligence Cloud; Threat Grid: Malware Analysis + Threat Intelligence Engine
• AMP on Firepower NGIPS Appliance (AMP for Networks)
• AMP on Cisco® ASA Firewall with Firepower Services
• AMP on ISR with Firepower Services
• AMP on Web and Email Security Appliances
• AMP on Cloud Web Security and Hosted Email (CWS/CTA)
• AMP for Endpoints: Windows OS; Android Mobile; Virtual; MAC OS; CentOS, Red Hat Linux for servers and datacenters; AMP Remote Endpoints; AMP Private Cloud Virtual Appliance
• AMP for Endpoints can be launched from AnyConnect
John N. Stewart, senior vice president, chief
security and trust officer, Cisco
AMP TG Principles : Beyond the Sandbox

• Static analysis
• No Instrumentation
• Every sample analysed
• Threat Score
• Threat Intelligence Feeds

AMP Threat Grid Platform (Cloud or Appliance; Web UI and API)
Unified Malware Analysis and Threat Intelligence Platform:
• Malware Sample Execution and Interaction (Dynamic Analysis)
• Malware Discovery and Artifact Mining (Static Analysis)
• Context and Attribution
• Human Readable Behavior Indicators
Closed Crowd Sourced Malware Intelligence and/or Confidential Malware Intelligence
Unified Dynamic Malware Analysis and Threat Intelligence

Diagram: Cisco Security Solutions (Firewalls & UTM; Network Security; Email Security; Web Security; Security Analytics; Endpoint Security), Edge Security monitoring platforms (SIEM; Deep Packet Inspection; Gov, Risk, Compliance), 3rd Party Integration, Endpoints and Security Teams submit suspicious files to AMP Threat Grid (Static Analysis; Dynamic Analysis; Threat Intelligence; Analysis report) and receive premium content feeds in return.
AMP Threat Grid Behavioural IoC Development
Chart: count of TG Behavioural IoCs (BIOCs) per month, 2015-09 to 2016-01 (y-axis 420–500), split into New TG BIOCs, Mod TG BIOCs and Unchanged TG BIOCs; labelled values 510 and 561 Indicators (Today).

New Malware Count
Source: AV-TEST - https://www.av-test.org/en/statistics/malware/
Performance of New Indicators
Top 5 introduced in the last 3 months on January Submissions

New IOCs (Qtr) | Count | Percent
artifact-exec-extension-obfuscation | 224948 | 9.54%
pe-uses-dot-net | 130215 | 5.52%
pe-uses-visual-basic | 53868 | 2.28%
registry-autorun-key-system-dir | 20376 | 0.86%
registry-autorun-key-temp-dir | 18357 | 0.78%

Chart: Percentage of submissions per indicator, 201511 to 201601 (0.00%–12.00%).
Top 10 Indicators on 2016-01 submissions

IOC | Count | Percent
pe-encrypted-section | 1020595 | 43.26%
antivirus-flagged-artifact | 942420 | 39.95%
pe-section-execute-writable | 935526 | 39.66%
modified-executable | 820120 | 34.77%
memory-execute-readwrite | 813078 | 34.47%
modified-file-in-user-dir | 632673 | 26.82%
pe-header-timestamp-prior | 552288 | 23.41%
imports-IsDebuggerPresent | 529613 | 22.45%
ie-proxy-disabled | 404978 | 17.17%
modified-file-in-system-dir | 401256 | 17.01%
AMP Threat Grid Integration Matrix

Product | Cloud (API) | On-Premise (API)
Standalone: AMP Threat Grid | Yes | Yes
Integration: AMP for Endpoints | Yes | AMP: Private Cloud Virtual Appliance; TG: No
Integration: AMP for WSA | Yes | AMP: No (Cloud only); TG: Yes
Integration: AMP for ESA | Yes | AMP: No (Cloud only); TG: Yes
Integration: AMP for Networks (6.0) | Yes | AMP: No (Cloud only); TG: Yes
Cisco AMP Provides Contextual Awareness and Visibility
That Allows You to Take Control of an Attack Before It Causes Damage

• Who – Focus on these users first
• What – These applications are affected
• Where – The breach affected these areas
• When – This is the scope of exposure over time
• How – Here is the origin and progression of the threat
Demonstration
AMP and Dynamic
Analysis in Action
Integrating AMP for Network with AMP Threat Grid
(Diagram components: Collective Security Intelligence, FMC, AMP for Network, AMP Threat Grid, Endpoint, Network File Trajectory. Dispositions: Clean, Malware, Unknown.)

1. File is downloaded through AMP for Network
2. AMP for Network calculates the file hash (SHA256) and sends it to FMC for disposition lookup. The last packet is held by the device until the disposition is received.
3. FMC sends the hash lookup to AMP CSI to identify the hash disposition
4. CSI Cloud responds to the lookup with disposition “Unknown”
5. FMC records the disposition “Unknown” in File Trajectory
6. AMP for Network releases the last packet and submits a copy of the file to AMP Threat Grid for Dynamic Intelligence (Sandbox)
7. Threat Score (e.g. >=95, High) is calculated based on Behavioural Indicators and Threat Intelligence obtained by FMC polling
8. Subsequent downloads of the same file will be blocked by AMP for Network
9. AMP Solution also leverages CSI Cloud for Continuous Analysis and Retrospective Security
10. Retrospective Call for a disposition change from Unknown to Malicious

Source: Kudos to Mahmoud Rabi
William Dugger, Senior Manager, Network Engineering,
Beachbody, LLC
Design Details
AMP for Network (Firepower < 6.0) – AMP for Networks 5.4
For Firepower Appliances and ASA with Firepower Services w/ AMP License. Covers Cloud integration (TG & AMP) and Hybrid Integration (TG On Prem w/ AMP Cloud).
• Firepower Management Centre ↔ Public AMP Cloud: Reputation Lookup; Threat Score Poll and Threat Report Lookup (TCP/32137 or TCP/443)
• Firepower Management Centre → Managed Device: Firepower AMP Connector pushes Reputation Updates (SF Data Corr)
• Managed Device: Incoming Traffic → Malware Engine (File reputation query; Static & Dynamic Analysis; File reputation updates); File Analysis Submission via SF API to the TALOS VRT Sandbox (TCP/32137/443)

AMP for Network (Firepower 6.0) – AMP for Networks 6.0
For Firepower Appliances and ASA with Firepower Services w/ AMP License. Covers Cloud integration (TG & AMP) and Hybrid Integration (TG On Prem w/ AMP Cloud).
• Firepower Management Centre ↔ Public AMP Cloud: Reputation Lookup; Threat Score Poll and Threat Report Lookup (TCP/443)
• Firepower Management Centre → Managed Device: Firepower AMP Connector pushes Reputation Updates (SF Data Corr)
• Managed Device: Incoming Traffic → Malware Engine (File reputation query; Static & Dynamic Analysis; File reputation updates); File Analysis Submission via the Threat Grid API to the Threat Grid Cloud (TCP/443)
• Optional Threat Grid Appliance (private): Reputation Lookup, Threat Score Poll and Threat Report Lookup (TCP/443)
Design: Communications
AMP for Network (Firepower 6.0) w/ AMP4EP – AMP for Networks 6.0 Connectivity
• Firepower Management Centre ↔ Public AMP Cloud: Reputation Lookup (TCP/443)
• Firepower Management Centre ← AMP4E Operations (AMP for Endpoint Connectors): AMP4E Malware Events
• Firepower Management Centre → Managed Device: Firepower AMP Connector pushes Reputation Updates
• Managed Device: Incoming Traffic → Malware Engine; File Analysis Submission via the Threat Grid API to the Threat Grid Cloud (TCP/443)
• Optional Threat Grid Appliance (private): Reputation Lookup, Threat Score Poll and Threat Report Lookup (TCP/443)

Required Server Addresses for AMP Operations:
http://www.cisco.com/c/en/us/support/docs/security/sourcefire-amp-appliances/118121-technote-sourcefire-00.html
Dynamic Analysis - Supported Environments
Supported “Sandbox” Operating Systems:
● Windows XP, Service Pack 3 is currently supported (Default Integration)
● Windows 7 SP1 32 bit; 64 bit
● Windows 8 will not be supported
● Windows 10 is currently in beta
● Support for Mac OS, Unix, Ubuntu, and Linux is not yet available

Supported browsers to access the AMP Threat Grid portal:


• Mozilla Firefox,
• Google Chrome, and
• Apple Safari.
File Types Supported
• Automatically submitted for dynamic analysis:
• EXE/DLL
• PDF
• NEW_OFFICE (OOXML/DOCX/PPTX/XLSX)
• MSOLE2 (Microsoft Office applications OLE Document)

• Static analysis using a local Clam signature set:


• EXE/DLL
• PDF
• NEW_OFFICE
• MSOLE2
• Additional file types such as Mach-O
Note: File contents within archives which match the aforementioned types will be
analysed
Full TG Portal Supported File Types

• PE32 Files (detailed static forensics): Executable (.EXE); Libraries (.DLL)
• Java Archives (.JAR)
• Portable Document Format (.PDF) (detailed static forensics, including Javascript resources.)
• Office Documents (.DOC, .DOCX, .RTF, .XLS, .XLSX, .PPT, .PPTX) (limited static forensics)
• XML Based Office Document Types (.DOCX, .XLSX, .PPTX)
• Archive and Quarantine Formats: ZIP (.ZIP) as a container, no nesting of archives, no password or ‘infected’; Quarantine (.VBN, .SEP)
• Mime HTML Files (.MHTM)
• Flash Files (.SWF)
• URLs (as Internet Shortcut file, or submit URL directly. Detailed static forensics of Javascript resources.)
Design: Communications [AMP Related]

Protocol/Port | Description | From | Proxy supported
TCP/443 | Malware Cloud Lookups | FMC | Yes
TCP/443 | AMP for Endpoints Event Pull | FMC | Yes
TCP/443 | Dynamic Analysis File Upload | Managed Devices | Yes
TCP/443 | Threat Score Poll and Report Lookup | FMC | Yes

Additional Communication Considerations
TCP/443 | URL Updates | FMC | Yes
TCP/80, TCP/443 | Security Intelligence Updates | FMC | Yes
Threat Score
File Lookup and Retrospection Status

AMP Connectors ↔ Cloud (ThreatGrid / TALOS Sandbox):
• File Query (Connector ID, SHA, ETHOS, SPERO, DFC) → Response: Disposition, from 1-to-1 Signatures and Fuzzy Fingerprinting
• File Query (Connector ID, SHA, SPERO) → Response: Disposition, from Machine Learning and DFC; SHA Conviction
• Retrospective Query (PING2) → Changed Disposition, from the Retrospective Queue, Advanced Analytics and Dynamic Analysis

Design: AMP for Networks Inspection

AMP in the network inspection Path


Design: When AMP Blocks Files & Malware
Malware and File Policy Order of Processing (flow diagram):
1. File size > limit? Y → stop file capture. N → continue.
2. Entire File Seen? N → keep waiting. Y → calculate SHA256 and perform a cache lookup on the sensor.
3. Sensor cache miss → SHA256 lookup via the FMC Analysis Engine (local cache, then Cloud Lookup to AMP). If the rule action is Malware Block, the last packet is dropped and retransmission is forced while the lookup completes.
4. File is Malware? Y → Malware Event and Block. N → File is Clean? Y → no further processing (end). N → File was captured? (Y/N) → end.
Malware File Dispositions

• Malware indicates that the AMP cloud categorised the file as malware, local malware analysis
identified malware, or the file’s threat score exceeded the malware threshold defined in the file policy.
• Clean indicates that the AMP cloud categorised the file as clean, or that a user added the file to the
clean list.
• Unknown indicates that the system queried the AMP cloud, but the file has not been assigned a
disposition; in other words, the AMP cloud has not categorised the file.
• Custom Detection indicates that a user added the file to the custom detection list.
• Unavailable indicates that the system could not query the AMP cloud.
Disposition Caching

• Dispositions and associated threat scores have the following TTL values:
• Clean — 4 hours
• Unknown — 1 hour
• Malware — 1 hour
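An added Python model (not Cisco code) of the lookup, hold-and-release, threat-score and retrospective steps from the integration walkthrough, the order of processing above, the dispositions, and the cache TTLs. The AMP cloud, the Threat Grid sandbox, the file-size limit and the placement of the 95 threshold are stubs or assumptions; a marker byte string decides the constructed sandbox verdict.

```python
import hashlib

# Threat score at or above which an "Unknown" file is treated as malware; the
# deck's example is ">=95" (the real threshold is set in the file policy).
MALWARE_THRESHOLD = 95
# Disposition cache TTLs in seconds, from the Disposition Caching slide.
DISPOSITION_TTL = {"Clean": 4 * 3600, "Unknown": 1 * 3600, "Malware": 1 * 3600}
# Constructed file-size limit: larger files stop capture and get no lookup.
MAX_FILE_SIZE = 10 * 1024 * 1024


class DispositionCache:
    """Per-device SHA256 -> disposition cache honouring the TTLs above."""

    def __init__(self):
        self._entries = {}  # sha256 -> (disposition, expires_at)

    def get(self, sha, now):
        entry = self._entries.get(sha)
        if entry is None or now >= entry[1]:
            return None  # miss or expired: a fresh cloud lookup is needed
        return entry[0]

    def put(self, sha, disposition, now):
        self._entries[sha] = (disposition, now + DISPOSITION_TTL[disposition])


class StubAmpCloud:
    """Stand-in for the AMP/CSI cloud: answers "Unknown" for anything unseen."""

    def __init__(self):
        self.dispositions = {}  # sha256 -> disposition

    def lookup(self, sha):
        return self.dispositions.get(sha, "Unknown")


class StubThreatGrid:
    """Stand-in for Threat Grid: a constructed marker decides the threat score."""

    def analyze(self, data):
        return 100 if b"EVIL" in data else 10


class AmpForNetworks:
    """Models the managed device together with the FMC-side lookups and polling."""

    def __init__(self, cloud, sandbox):
        self.cloud, self.sandbox = cloud, sandbox
        self.cache = DispositionCache()
        self.pending = {}     # sha256 -> sample copy awaiting dynamic analysis
        self.trajectory = []  # (time, sha256, disposition, action): file trajectory

    def inspect(self, data, now):
        """Walkthrough steps 1-6 and 8: hash, look up, hold or release the last packet."""
        if len(data) > MAX_FILE_SIZE:
            return {"sha256": None, "disposition": None, "action": "allow"}
        sha = hashlib.sha256(data).hexdigest()
        disposition = self.cache.get(sha, now)
        if disposition is None:          # last packet held while FMC queries the cloud
            disposition = self.cloud.lookup(sha)
            self.cache.put(sha, disposition, now)
        if disposition == "Malware":
            action = "block"             # drop the last packet, raise a malware event
        else:
            action = "allow"             # release the last packet
            if disposition == "Unknown" and sha not in self.pending:
                self.pending[sha] = data  # a copy of the file goes to the sandbox
        self.trajectory.append((now, sha, disposition, action))
        return {"sha256": sha, "disposition": disposition, "action": action}

    def poll_threat_scores(self, now):
        """Steps 7, 9 and 10: collect scores, convict, emit retrospective events."""
        retrospective = []
        for sha, data in list(self.pending.items()):
            score = self.sandbox.analyze(data)
            del self.pending[sha]
            if score < MALWARE_THRESHOLD:
                continue
            self.cloud.dispositions[sha] = "Malware"  # stub cloud learns the verdict
            self.cache.put(sha, "Malware", now)      # later downloads are blocked
            for when, seen, old, _ in self.trajectory:
                if seen == sha and old != "Malware":
                    retrospective.append((when, sha, old, "Malware", score))
        return retrospective
```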
Malware File Policy
File Policy inspects files in the following order:
• Spero Analysis - for an eligible executable file, the device can analyse the file's structure and submit the resulting Spero signature to the AMP Threat Grid cloud
• Local Malware Analysis - using a local malware inspection engine, the device examines an eligible file. The device also generates a file composition report detailing a file's properties, embedded objects, and possible malware.
• Dynamic Analysis - the device pre-classifies files as possible malware and submits these files to the AMP Threat Grid cloud or on-premises appliance for dynamic analysis, regardless of whether the device stores the file. The file is run in a sandbox environment. A dynamic analysis summary report details why the cloud assigned the threat score.
Malware and File Policy Order of Processing (flow diagram):
1. Inspect archive? Y → extract contents (an uninspectable archive raises a file event).
2. Store files? Y → capture file.
3. Spero? Y, and Spero-supported file (PE)? Y → compute Spero hash → AMP.
4. Local Malware Analysis? Y, and Office, pdf, exe, mach-o? Y → ClamAV pre-classification + High Fidelity scan.
5. Dynamic Analysis? Y, and ClamAV pre-classification flagged the file → File Submission to Threat Grid (capacity handling).
6. File Event; File Composition Report; end.
File Pre-classification

Clam Pre-classifier: a file is classified as a Suspect File → Submit to Sandbox, or a Normal File → Don’t Submit.

Local Malware Analysis: Pre-Class + Hi-fid

The device examines an eligible file, blocks it if the file contains malware and the file rule is configured to do so, and generates malware events.
• If LMA is not enabled, pre-classification rules still run and the device generates a file composition report detailing a file's properties, embedded objects, and possible malware.
• If LMA is enabled, the local malware detection engine pre-classifies files and statically analyses them using high fidelity signatures provided by Cisco.

NOTE: If “Enable Automatic Local Malware Detection Updates” is enabled, Firepower Management Centre checks for signature updates once every 30 minutes.
High Fidelity Signature Set
Demonstration
Local Malware Analysis in
Action
What the Malware Did
Solution Design
Design: Components

• On-Premise
  • Managed Device: AMP for Networks Appliance; FP Appliance w/ AMP; ASA w/ FP Services
  • Manager: Firepower Management Centre (FMC)
• Cloud Components
  • Cisco AMP Cloud
  • Dynamic Analysis Cloud (Optional On-prem appliance)
Components: AMP for Networks Appliance

Model | AMP7150 | AMP8050 | AMP8150 | AMP8350 | AMP8360 | AMP8370 | AMP8390
AMP Throughput | 500 Mbps | 1 Gbps | 2 Gbps | 5 Gbps | 10 Gbps | 15 Gbps | 20 Gbps
Storage Capacity | 120 GB | 400 GB | 400 GB | 400 GB+ | 800 GB+ | 1200 GB+ | 1600 GB+
Interface Expansion Bays | 0 | 3 | 3 | 7 | 6 | 5 | 4
Fail-open interfaces | 4 RJ45 | Yes w/ netmods | Yes w/ netmods | Yes w/ netmods | Yes w/ netmods | Yes w/ netmods | Yes w/ netmods
Form Factor | 1U | 1U | 1U | 2U | 4U | 6U | 8U

*AMP83xx appliance includes Malware Storage Pack [separate SSD]*

Components: Firepower Management Centre
Model     | Number of Managed Devices | High-availability      | Maximum number of events | Maximum host/user records
FS750     | 10                        | None                   | 20MM                     | 2K / 2K
FS1500    | 35                        | Paired, identical FMCs | 30MM                     | 50K / 50K
FS2000    | 70                        | Paired, identical FMCs | 60MM                     | 150K / 150K
FS3500    | 150                       | Paired, identical FMCs | 150MM                    | 300K / 300K
FS4000    | 300                       | Paired, identical FMCs | 300MM                    | 600K / 600K
FS VMware | 25                        | None                   | 10MM                     | 50K / 50K
Components: AMP Threat Grid Cloud/Appliances
                                                   | Cloud                                            | TG5000 | TG5500
Max Samples/Day                                    | 100 (Base); varies by NGIPS/NGFW appliance model | 1,500  | 5,000
AMP Upgrade w/o TG Subscription (Sandbox API only) | N/A                                              | Yes    | Yes
AMP Upgrade w/ TG Subscription                     | Yes                                              | Yes    | Yes
Available Standalone                               | Yes                                              | Yes    | Yes
Form Factor                                        | N/A                                              | 1U     | 1U
Components: Firepower Malware License
[Diagram: license stacks per platform; Blue = Term-based, Green = Perpetual]
Firepower Services: Malware (AMP / TG), URL Filtering, IPS, AVC
Firepower Threat Defence: Malware (AMP), Threat (IPS / SI / DNS), URL, Base (NGFW), AVC
Components: Licensing
• "Malware" license required [per appliance] for:
  • Malware Cloud Lookups [also requires subscription]
  • Malware Storage Pack
  • Advanced File Policy options
  • Archive Inspection for Malware
  • Captured File Storage
  • Dynamic Analysis*
  • Malware Events
NOTE: AMP Appliance SKUs include Malware licensing
* Rate Limited by Appliance Model
AMP Threat Grid: Existing AMP Customers
Environment: Cloud (connected)
  Existing AMP installation: AMP for FP | ASA; AMP for Endpoint; ESA | WSA | CWS
  AMP Threat Grid options: Integrated cloud based Threat Grid with AMP solutions; Add Threat Grid to AMP Subscription; Private Tagging Option
Environment: Private
  Existing AMP installation: AMP for FP | ASA*; AMP for Endpoint Private Cloud; ESA | WSA | CWS
  AMP Threat Grid options: AMP with Threat Grid Appliance; Threat Grid License; Threat Grid Appliance; Threat Grid Subscription Option
* AMP for FP | ASA 6.0 does not support AMP Private Cloud. Requires 5.4 or planned 6.1
AMP Threat Grid Subscription Upgrades
AMP Threat Grid Portal Subscription applies to:
• AMP for Networks
• AMP on Cisco ASA w/ Firepower Services
• Advanced Malware Protection for Endpoints (Linux, Windows, Android Mobile, MAC OS)
• AMP on Web & Email Security Appliances
Additional Features/Capabilities:
• Threat Score, where applicable
• Interact with malware samples in Glovebox
• Download PCAP, JSON, Sample, related Artifacts, Video
• Select Environment for Emulation
• Threat intelligence context & correlation (pivot in reports with AMP + TG hyperlinks)
• OS Registry Activity report / Download Registry contents JSON
• Process Graph and Process Timeline JSON
• Advanced search (samples, artifacts, IPs, registry, URLs, etc)
• API integration for automation of sample uploads
• API integration of threat intel into SIEM, visualisation tools, etc.
• Threat Intelligence Feeds via API
• Premium Content: Threat Grid Snort Integration
Threat Grid Snort Integration
AMP for Networks 6.0 w/ Cisco AMP Public Cloud
[Diagram: the AMP for Networks Sensor sends events to the FMC; the FMC performs SHA256 lookups against the Cisco AMP Public Cloud; the sensor submits files for analysis to Threat Grid and the FMC polls Threat Grid for the threat score and status; an AMP Threat Grid Portal Subscriber user also performs SHA256 lookups and receives the additional features/capabilities listed above]
AMP for Networks – Public Cloud
FP 5.4 and 6.0 Co-existence
[Diagram: the AMP for Networks Sensor sends events to the FMC; the FMC performs SHA256 lookups against the Cisco AMP Public Cloud and polls for the threat score and status; 5.4 sensors submit files to the Talos Sandbox, 6.0 sensors submit files to ThreatGrid]
*Pre-Release Info Subject to Change
AMP for Networks 5.4 – Private Cloud (Proxy Mode)
[Diagram: the 5.4 AMP for Networks Sensor sends events to the FMC; the FMC performs SHA256 lookups against the Private Cloud, which proxies the SHA256 lookup to the Public Cloud]
NOTE: No Automated File Analysis Capability
AMP for Networks 6.0 – Private Cloud Not Supported
[Diagram: in 6.0 the FMC performs SHA256 lookups and Public Threat Report lookups directly against the Public Cloud; the proxied SHA256 lookup path through the 5.4 Private Cloud is marked X (not supported); the 6.0 AMP for Networks Sensor sends events to the FMC and performs SHA256 lookup, Threat Score Polling, Private Threat Report lookup and File Submission against the ThreatGrid Appliance]
AMP Everywhere
Privacy Use Case Details (FP 6.0)
Cloud-based Hash Lookup + Localised Dynamic File Analysis
[Diagram: AMP for Endpoint Private Cloud (Proxy Mode Lookup), AMP for FP | ASA 6.0 with an on-premises Threat Grid Appliance, and AMP for ESA | WSA, all querying the Public AMP Cloud]
• AMP for Endpoint Private Cloud: SHA hashes sent for Collective Security AMP File Disposition Query; no File Analysis today; AMP for Endpoint integration
• AMP for FP | ASA 6.0 with Threat Grid Appliance: localised submissions for Dynamic File Analysis; no TG appliance to AMP Cloud interaction; SHA hashes sent for Collective Security AMP File Disposition Query
AMP Everywhere
Privacy Use Case Details (FP 5.4)
Air-Gapped Hash Lookup + API Scripted File Analysis
[Diagram: AMP for Endpoint Private Cloud Virtual Appliance, AMP for FP | ASA 5.4 and an on-premises Threat Grid Appliance, with no connection to the public cloud]
• AMP for Endpoint Private Cloud Virtual Appliance: SHA hashes sent for Disposition Query; no File Analysis today; AMP for Endpoint integration
• AMP for FP | ASA 5.4: TG API scripted submission of captured files on FMC
• Threat Grid Appliance: customer self-supported TG API scripted submissions for local File Analysis; no TG appliance to AMP Private Cloud interaction
Using AMP in Firepower
Management Centre
Using File and Malware Analysis
Retrospective Security; and
Network File Trajectory
Monitoring File Events...
Monitoring Malware Events...
Analysing Security Incidents
[Diagram: starting from the IoC "Malware!" on 10.1.19.4, the analyst pivots through four questions]
• Who was the user on 10.1.19.4?
• What other IPs/Users have downloaded the file?
• TCP/IP communication from these hosts?
• IPS Alerts from these hosts?
Network File Trajectory
Retrospective Security in Network File Trajectory
How Cisco AMP Works:
Network File Trajectory Use Case
1. An unknown file is present on IP 10.4.10.183, having been downloaded using Firefox.
2. At 10:57, the unknown file is sent from IP 10.4.10.183 to IP 10.5.11.8.
3. Seven hours later the file is transferred to a third device (10.3.4.51) using an SMB application.
4. The file is copied yet again onto a fourth device (10.5.60.66) through the same SMB application a half hour later.
5. The Cisco® Collective Security Intelligence Cloud has learned this file is malicious and a retrospective event is raised for all four devices immediately.
6. At the same time, a device with the AMP for Endpoints connector reacts to the retrospective event and immediately stops and quarantines the newly detected malware.
7. Eight hours after the first attack, the malware tries to re-enter the system through the original point of entry but is recognised and blocked.
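The use case above, replayed as an added example (not Cisco or Firepower code): a small trajectory tracker that records which hosts received a file and, when the cloud disposition later flips to Malware, raises one retrospective event per host and blocks the re-entry attempt. The SHA256, timestamps and external source IP are constructed placeholders.

```python
# Added example (not Cisco code): replay the Network File Trajectory use case
# above and raise retrospective events when a file's cloud disposition later
# changes to Malware. Hash, timestamps and the external source IP are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_SHA = "0" * 63 + "1"              # constructed placeholder SHA256
T0 = datetime(2016, 3, 9, 10, 57)        # constructed: the 10:57 transfer
EXTERNAL = "203.0.113.10"                # constructed original point of entry

# Constructed file events: (time, sha256, sending host, receiving host, application)
FILE_EVENTS = [
    (T0 - timedelta(minutes=5), SAMPLE_SHA, EXTERNAL, "10.4.10.183", "Firefox"),
    (T0, SAMPLE_SHA, "10.4.10.183", "10.5.11.8", "HTTP"),
    (T0 + timedelta(hours=7), SAMPLE_SHA, "10.5.11.8", "10.3.4.51", "SMB"),
    (T0 + timedelta(hours=7, minutes=30), SAMPLE_SHA, "10.3.4.51", "10.5.60.66", "SMB"),
]

class Trajectory:
    """Per-file record of receiving hosts plus the last known cloud disposition."""
    def __init__(self):
        self.hosts = defaultdict(set)                     # sha256 -> hosts holding the file
        self.disposition = defaultdict(lambda: "Unknown")

    def record_transfer(self, time, sha, src, dst, app):
        """Log a transfer; a file already known as Malware is blocked on sight."""
        if self.disposition[sha] == "Malware":
            return "blocked"
        self.hosts[sha].add(dst)
        return "allowed"

    def update_disposition(self, time, sha, new):
        """Apply a later cloud verdict; a change to Malware raises one
        retrospective event for every host that received the file."""
        old, self.disposition[sha] = self.disposition[sha], new
        if new == "Malware" and old != "Malware":
            return [(time, host, sha, f"retrospective {old} -> {new}")
                    for host in sorted(self.hosts[sha])]
        return []

def replay():
    """Returns (retrospective events, verdict on the re-entry attempt)."""
    traj = Trajectory()
    for ev in FILE_EVENTS:
        traj.record_transfer(*ev)
    retro = traj.update_disposition(T0 + timedelta(hours=7, minutes=31), SAMPLE_SHA, "Malware")
    # Eight hours after the first attack the same file returns via the original point of entry.
    reentry = traj.record_transfer(T0 + timedelta(hours=8), SAMPLE_SHA, EXTERNAL, "10.4.10.183", "Firefox")
    return retro, reentry

if __name__ == "__main__":
    events, verdict = replay()
    for e in events:
        print(e)
    print("re-entry:", verdict)
```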
Conclusion
Summary
You should now be able to:
• Describe the fundamental principles of NGFW and NGIPS
• Describe the Cisco NGFW, NGIPS and AMP solutions
• Deploy NGFW and NGIPS
• Understand the malware challenge facing industry and individuals
• Describe how Cisco AMP solutions address the AMP challenge
Q&A
Complete Your Online Session Evaluation
Give us your feedback and receive a Cisco Live 2016 T-Shirt! Complete your Overall Event Survey and 5 Session Evaluations.
• Directly from your mobile device on the Cisco Live Mobile App
• By visiting the Cisco Live Mobile Site http://showcase.genie-connect.com/clmelbourne2015
• Visit any Cisco Live Internet Station located throughout the venue
T-Shirts can be collected in the World of Solutions on Friday 11 March 12:00pm - 2:00pm
Learn online with Cisco Live! Visit us online after the conference for full access to session videos and presentations. www.CiscoLiveAPAC.com
Thank you
Deployment Configuration
AMP for Networks/AMP in Firepower
• AMP for Networks
  • dedicated appliances
• AMP in Firepower
• AMP in ASA with Firepower Services
• Managed by Firepower Management Centre
  • configuration and analysis/monitoring of Network AMP
  • insight into AMP for Endpoints (FireAMP) client events, IoCs
Network AMP Configuration in a Nutshell
File Policy = InternetFilePolicy
  Rule: EXE files: Block Malware, Dynamic Analysis=On, Store=...
  Rule: Office Files: Block Malware, Dynamic Analysis=..., Store=...
  Rule: All Files: Block Malware, Dynamic Analysis=..., Store=...
Access Policy
Source | Destination | User | URL | Application | Action | Inspection
inside | inside      | any  | any | any         | Permit | insideFilePolicy
inside | any         | any  | any | any         | Permit | internetFilePolicy
Configuring AMP in Firepower Management Centre
1. Create File Policy
2. Add File Rule(s) to File Policy
File Rules
• Action: Block Malware, Cloud Lookup, Detect File, Block File
• Store files?
• Application Protocol: SMTP, POP3, HTTP, IMAP, FTP, SMB
• File Type for which rule applies
File Rules – No Order of Precedence
Order does not matter! If two or more rules match for the same file type, the action applied is decided by this precedence:
1. Block Files
2. Block Malware
3. Malware Cloud Lookup
4. Detect Files
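The precedence rule above, as an added example (not Cisco or Firepower code): a resolver that finds every file rule matching a file's application protocol and type and returns the highest-precedence action, so reversing the rule order gives the same result. Rule fields follow the File Rules slide; the file type names and the sample policy are constructed.

```python
# Added example (not Cisco code): resolve which file rule action a Firepower
# file policy applies when several rules match the same file. Rule order in the
# policy is ignored; the fixed action precedence from the slide decides.
# Rule fields follow the File Rules slide; file type names are illustrative.
from dataclasses import dataclass

# Highest precedence first, as listed on the slide.
ACTION_PRECEDENCE = ["Block Files", "Block Malware", "Malware Cloud Lookup", "Detect Files"]
APP_PROTOCOLS = {"SMTP", "POP3", "HTTP", "IMAP", "FTP", "SMB"}

@dataclass(frozen=True)
class FileRule:
    action: str
    protocols: frozenset = frozenset()    # empty = any application protocol
    file_types: frozenset = frozenset()   # empty = any file type

    def __post_init__(self):
        if self.action not in ACTION_PRECEDENCE:
            raise ValueError(f"unknown file rule action: {self.action}")

    def matches(self, protocol, file_type):
        return ((not self.protocols or protocol in self.protocols)
                and (not self.file_types or file_type in self.file_types))

def resolve_action(rules, protocol, file_type):
    """Return the action applied to a file, or None if no rule matches.
    Among all matching rules the highest-precedence action wins, wherever
    those rules sit in the policy."""
    if protocol not in APP_PROTOCOLS:
        raise ValueError(f"unsupported application protocol: {protocol}")
    matched = [r for r in rules if r.matches(protocol, file_type)]
    if not matched:
        return None
    return min((r.action for r in matched), key=ACTION_PRECEDENCE.index)

# Constructed policy in the spirit of the "Network AMP Configuration in a Nutshell" slide.
INTERNET_FILE_POLICY = [
    FileRule("Detect Files"),                                                      # all files
    FileRule("Malware Cloud Lookup", file_types=frozenset({"PDF"})),               # PDF files
    FileRule("Block Malware", frozenset({"HTTP", "SMB"}), frozenset({"MSEXE"})),   # EXE files
    FileRule("Block Files", frozenset({"SMTP"}), frozenset({"MSEXE"})),            # no executables by mail
]

if __name__ == "__main__":
    for proto, ftype in [("HTTP", "MSEXE"), ("SMTP", "MSEXE"), ("HTTP", "PDF"), ("FTP", "DOCX")]:
        forward = resolve_action(INTERNET_FILE_POLICY, proto, ftype)
        reverse = resolve_action(list(reversed(INTERNET_FILE_POLICY)), proto, ftype)
        print(f"{proto:5} {ftype:6} -> {forward} (same with rules reversed: {forward == reverse})")
```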
Using Threat Grid
File Policy / Advanced
Configuring Malware File Policy
Malware File Inspection Configuration
• File Policy inspects files in the following order:
  • Spero Analysis - for an eligible executable file, the device can analyse the file's structure and submit the resulting Spero signature to the AMP Threat Grid cloud.
  • Local Malware Analysis - using a local malware inspection engine, the device examines an eligible file. The device also generates a file composition report detailing a file's properties, embedded objects, and possible malware.
  • Dynamic Analysis - the device pre-classifies files as possible malware and submits these files to the AMP Threat Grid cloud or on-premises appliance for dynamic analysis, regardless of whether the device stores the file. The file is run in a sandbox environment. View a dynamic analysis summary report that details why the cloud assigned the threat score.
Sample Screenshot File Composition Report
Sample Screenshot Dynamic Analysis Report