Advanced Malware Protection (AMP) & Threat Grid on Cisco Email Security

Captions
Hello everyone, Technical Marketing at Cisco. What we're going to do today: we're going to talk about the implementation of Advanced Malware Protection and Threat Grid into our email security solution. It's really important to understand how our email security solution is communicating with AMP and Threat Grid, whether they are in the public cloud or in a private cloud. Customers have options to purchase either of it: they can buy AMP and Threat Grid in the public cloud, or they can buy AMP and Threat Grid on-prem, the private cloud.

So let's look at the case where we have a customer who has already purchased our email security solution with AMP and Threat Grid in the public cloud. So here is the customer-controlled environment. I'm using the words customer-controlled environment because the customer may purchase cloud email security or the email security appliance; it doesn't matter in this scenario. This is a proxy-based solution for the cloud. This particular customer has purchased, like below: the customer has purchased AMP in the cloud, and this is meant for file reputation; the customer has already purchased Threat Grid file analysis, and this is Threat Grid. Three components: the email security solution, whether it's cloud or on-premise; the file reputation system, AMP in the cloud; and the file analysis system, Threat Grid in the cloud.

So we started supporting, the email security solution started supporting AMP back in the 8.5 release. For that we have written a software connector which is called the AMP connector, and it has two components: one is the file reputation component, the other one is the file analysis component. The file reputation component deals with AMP, and the file analysis component deals with Threat Grid. So we have two components within this connector. This is how the communication will happen, where I will show you the example.

So let's take an example. When a message, let's say with an attachment, passes through the email security solution, the first thing the proxy is going to do is extract the file. After extracting the file it will calculate the SHA-256 hash, then it will send this particular file, let's say its SHA, through this file reputation connector to AMP, asking whether you have seen this file or not. AMP will come back and say yes, I have seen this file, or no, I haven't seen this. With the yes, if AMP has seen this file, then the whole file reputation will start. What it means is AMP will send information about this particular file after scanning, and the information will look like verdict and score. Once the scanning is complete and it's coming up with a verdict, the verdicts are of three types: one is good, which is the value 2; bad is 3; and unknown is 1. The unknown is associated with a score from 1 to 100. 1 to 59, it's recommended that you pass it, or it's sort of a good file; from 60, I would say, to 100, it's recommended to block the file. But just keep in mind that AMP doesn't have the capability to block or, you know, pass the bad file. It's the local policy that basically helps to block the file or let the bad file pass through the appliance or cloud solution. That's very important: decisions are not made here; it just provides you the file reputation information in this form, verdict and score. The score is associated with the unknown file type, and bad is of course a recommendation to block it, and good to let it go. This is just a higher level of file reputation.

Let us look into the file analysis piece, where Threat Grid in the cloud comes into the picture, the sandboxing piece. So I'll go back again from here: a message with an attachment passes through the email security appliance, the proxy will extract the file, create the SHA-256, send this to AMP: do you recognize it, yes or no? Yes means file reputation kicks in; no means now the file analysis will kick in. So if AMP does not recognize the file, this file will be sent to Threat Grid for file analysis, or sandboxing. But before sending this file there are three components that need to be vetted. First one is the, I would say, policy: the local policy needs to be vetted first. Second is the file type support: the file type should be supported by Threat Grid and our email security solution, because it's really important to understand that with file analysis we support executables, DLLs and so on, and we are just adding more and more file support in our code, but with the file reputation system we support almost all files except text files. That's really important. And then we have the quarantine action: you know, we can quarantine the file, let's say by default 60 minutes, when we send this file for file analysis in Threat Grid. So once the criteria are met, the local policy, file type and action, then the file will be sent to Threat Grid, or uploaded to the Threat Grid cloud, for file analysis.

So once the file scanning is done in the cloud, Threat Grid will inform the verdict to AMP. It will share this verdict with the AMP cloud so that it will update the database for file reputation and everything. It will also, in parallel, inform the email security solution: yes, I have completed the file analysis. Just watch out, because Threat Grid never shares this verdict with our email security solution. In order to complete the cycle it shares the verdict with the AMP cloud, because it should be a single source of the verdict. So once the email security solution receives the information from Threat Grid that yes, the file analysis is completed, it will release the file from quarantine (I mean the timer can be set to anything); it will release the file from the quarantine, and then the solution will query AMP about the file reputation. In a similar way the whole process will kick in.

Let me go back again and explain it again. The file comes, we extract it, we create the SHA-256, send it to AMP. If it comes back with no, I don't recognize the file, then we send this file to Threat Grid. We upload the file based on three criteria. Once Threat Grid is done from a file analysis perspective, it shares the verdict with the AMP cloud. It will not share the verdict with us on the email security side; it will share only this information: yes, we have completed the file analysis. Then our solution will release the file from the quarantine, and as soon as it releases the file it will go back to AMP and say, what is the reputation of this file? And then the whole process of verdict and score kicks in. AMP will inform the email security solution that this file has a good, bad or unknown reputation with a score. If it's unknown it will give a score related to the intensity of the file. If it's bad the score will come between 60 and 100, and if the score is good it will come between 1 to 59, and based on the local policy, depending on the policy, we will block or let the file pass through the system.

Now someone can ask, where is the retrospection piece? So within this AMP connector we open a separate thread with the AMP cloud and we keep polling AMP about the retrospective alert. As soon as there's a verdict change it will send, you know, a message, or retrospective verdict, to the email security solution. It's about our code, or the connector, initiating a separate thread and polling AMP, asking for a retrospective: if there is a verdict change, the retrospective alert will be sent through AMP. So that's a separate thread created just for retrospection.

What happens if this is all private cloud? The only change that will happen: we will get a database update from here, from the outside world, a database of the reputation of the files from outside, once to AMP, in one direction, depending upon the interval where it's configured. But in the private cloud scenario we'll build something like that where everything works the way it works in the public cloud. So the only thing that will change is the database reputation system will be polling the updated information of all the files to the private AMP appliance, all in the cloud. So hopefully it was useful. Let me know your feedback, and I really appreciate you watching this video. Thank you.
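The reputation-then-analysis flow described in the video, as an added example that is not part of the original video or Cisco's connector code: a small Python model in which the ESA hashes the attachment, asks a stub AMP for (verdict, score), falls back to a stub Threat Grid for supported file types, and re-queries AMP afterwards because Grid only hands its verdict to AMP. The verdict codes and the 60 threshold come from the talk; the `AmpCloud`, `ThreatGrid`, `SUPPORTED` set and the "MALWARE" heuristic are constructed for the model.

```python
import hashlib

# Verdict codes and score band from the talk; the classes below are a
# constructed model of the flow, not Cisco's AMP connector code.
UNKNOWN, GOOD, BAD = 1, 2, 3
BLOCK_THRESHOLD = 60            # scores 60-100: recommended block


def sha256(data):
    return hashlib.sha256(data).hexdigest()


class AmpCloud:
    """Stub file-reputation service keyed by SHA-256 (sample data only)."""
    def __init__(self):
        self.db = {}            # sha256 -> (verdict, score)

    def lookup(self, digest):
        return self.db.get(digest)      # None means "never seen this file"

    def update(self, digest, verdict, score):
        self.db[digest] = (verdict, score)


class ThreatGrid:
    """Stub sandbox: hands its verdict to AMP only; the ESA just learns 'done'."""
    SUPPORTED = {"exe", "dll"}          # assumed supported types for this model

    def analyze(self, data, amp):
        score = 95 if b"MALWARE" in data else 10    # constructed heuristic
        amp.update(sha256(data), BAD if score >= BLOCK_THRESHOLD else GOOD, score)
        return True                                  # "analysis complete"


def local_policy(verdict, score):
    """AMP only recommends; the local policy decides block or pass."""
    if verdict == BAD or (verdict == UNKNOWN and score >= BLOCK_THRESHOLD):
        return "block"
    return "pass"


def process_attachment(name, data, amp, grid, analysis_allowed=True):
    """Returns (action, sha256) for one attachment passing through the ESA."""
    digest = sha256(data)
    rep = amp.lookup(digest)
    if rep is None:                      # AMP has not seen it: file analysis path
        ext = name.rsplit(".", 1)[-1].lower()
        if analysis_allowed and ext in grid.SUPPORTED:
            # Quarantined (60 min default) until Grid reports done, then re-query AMP.
            if grid.analyze(data, amp):
                rep = amp.lookup(digest)
        if rep is None:                  # no verdict available: model assumes pass
            return "pass", digest
    return local_policy(*rep), digest
```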
Info
Channel: Cisco
Views: 25,719
Rating: 4.965909 out of 5
Keywords: AMP, Advanced Malware Protection, Threat Grid, Email Security
Id: eodBQU9MDRk
Length: 9min 35sec (575 seconds)
Published: Mon Sep 26 2016