AMP for Endpoints Overview and Integration with ISE

Captions
Welcome back. In this video we're going to do an overview of AMP for Endpoints and talk about its integration with ISE. I'm going to start out with this, because maybe not a lot of people know about AMP for Endpoints or have ever used it. AMP is anti-malware protection, and the reason anti-malware exists is because things like AV, classic AV, are looking at a set of signatures that are downloaded or updated from time to time, and it's looking mostly at the most common signatures seen instead of the mass amount out there. It's not looking at polymorphic malware or anything that might change; it's very static, and unfortunately it tends to only see and stop about 20 to 30 percent of it. So when Cisco acquired Sourcefire, one of the things they acquired as well was their AMP product, and that's something that's integrated with their firewalls and IPSs, and there was also an endpoint component. Think of it as kind of a cloud malware solution, and I'll try my best to explain it. I might not do it the best justice, but I'll certainly try.

So AMP for Endpoints is a piece of software that's installed on the endpoint, and what it does is look at files as they're downloaded or moved inside the computer or executed; any time that file changes, it's looking at it. Initially, when the file is downloaded, it computes a SHA and sends that SHA hash to the AMP cloud. The first thing the AMP cloud does is ask, have I seen it before? If it has seen that SHA-256 hash before and it knows it's clean or malware, it can issue a disposition pretty quickly. If not, then it can ask, is it part of a family of malware? You may ask yourself, how would it know that? Well, in order to beat AV vendor signatures, a lot of these malware writers are pretty clever, so what they do is just change it slightly so it doesn't match the signature anymore. So AMP has this feature called Ethos, where it looks for slight deviations, and even though the whole hash has changed, if you're just changing a couple of little bits in the file, mathematically you can actually compute how much it changed. If it deviates from a known piece of malware by only a few percentage points, mathematically AMP would know that, so it still would be able to see it, and that feature is called Ethos. The next thing it can look at is the metadata of the files, because sometimes with the metadata for an executable you can see certain indicators of compromise, and that feature in AMP for Endpoints is called Spero. Next, if it comes back as all unknown, what it can do as well is trigger sandboxing. I don't know if anyone remembers this, but a couple of years ago Cisco acquired a company called Threat Grid, which does sandboxing, but they also do targeted malware and forensics. So at that point, if nothing's been seen before, or with a certain combination of factors, what it can do is essentially upload that file and, in the Threat Grid cloud, execute it and assign points to it depending on what it does. If it's a zero-day it could potentially be detected in under seven minutes. So at that point, once it's detected, AMP will change the disposition, and so anyone else downloading that file anywhere in the world with AMP for Endpoints, or who has AMP for Networks and sees that file in the future, it will say nope, you shall not pass. With the AMP for Endpoints piece of it, it will go back and trigger on that AMP for Endpoints connector to quarantine it. I misspelled quarantine horribly there.

It can quarantine it and remove it. Let's say, for example, you have a very bad zero-day malware outbreak in your environment. With AV you're struggling, because you have to pay premium support just to get signatures written in a week or two, and you don't really know what's happened after that's been downloaded onto your desktop, so it could be doing secondary malware infections. AMP has the ability to create a custom block list, and you can see everything that endpoint did after it got onto your computer: what it reached out to, what registry changes it made, and you can effectively find those secondary infections very quickly and remove them. So it's a really cool product and I'm very excited about it. Obviously I wouldn't call myself an expert in it quite yet, and I'm still working on the CCIE for that, so we will see. But I just wanted to show you some of the cool things it does do.

Right now I'm in the AMP for Endpoints cloud dashboard. This can be integrated with your Firepower firewall, so let's say a file moves past your firewall; with this integration you can actually see where it moves, kind of see a map of where that file goes once inside your network, if you integrate this. Or you can just see it here. Right now I have some test data up, and this is just demo data. If I wanted to drill into some information, there are a lot of different views I can see. So if I wanted to see, for example, malware that was executed or detected, I can see these. In this case there was a Threat Grid report, and you can see here that, based on a number of conditions, I was able to see a lot of indicators of compromise, and you can pull up that report. I really like how clean this is. You can download samples of the malware, which come password protected so you don't break yourself. There's an analysis video; usually these are pretty boring to watch, unless of course you're watching ransomware, and then as soon as it's executed you'll see that ransomware pop up and say, your computer is now encrypted, go ahead and send bitcoins to this web address. You can download pcap captures of things it tried to do on the network, artifacts of things that have changed, and it talks about the indicators of compromise, exactly what it did and how it determined that this was a piece of malware. So as you can see here, what I was talking about before, like DNS rewriting, trying to reach certain sites; it really goes into some pretty good detail and explains each of these things. Going back here really quickly, you can see where the device is seen on the network, what other endpoints, how the device behaved once it was downloaded onto the computer, how it moved, downloaded more files. It's a pretty awesome tool, to be honest. It makes recovering from those incidents very quick and reduces your exposure.

There are a lot of ways to analyze that data as it's coming in; they've got a lot of really cool dashboards. We were just looking at the events, the detection and quarantine. If you wanted to dig into where it was quarantined, it integrates with something called Cognitive Threat Analytics. So let's say you have an IronPort web security appliance; you can send your logs into the cloud to this thing called Cognitive Threat Analytics, and it integrates also with AMP, so it combines the two products together to look for things that one alone wouldn't necessarily see. It uses analytics to determine threats that you normally wouldn't have seen with just one. You can do file analysis and test files, check file hashes, upload files. You can find some root causes of malware that was seen, where the infection came from, the applications that introduced it. It also looks at vulnerabilities, like, hey, we noticed that you have really outdated Java, you need to update that; it shows your vulnerable software, the risk, the CVSS score. So it's got some really cool features.

As far as how to go about connecting it and configuring it: you have policies that you associate with a group, and you download the AMP for Endpoints connector for that group. I have a pre-built one currently, so let me pull it up: security demo audit. Let me dig into some of the things. You can create a block list of custom features; for example, custom blocks for certain applications or signatures you want to block. Maybe you don't want anyone having Java at all; this is a great way to block custom applications and keep them out of your environment. The first tab is very simple stuff: send username, send file name and path name, command line capture. You can really customize what your users can see. If you're behind a proxy, you would want to configure this before you download the connector, because it has to connect to the cloud initially, so you want to make sure that it can. In this case I'm going to add a proxy, because I am most certainly behind one. Give me just a moment while I pull it up; I'll never connect if I don't do this. You can specify the product version; I'm just going to go with the latest and greatest. And if you need to update, reboot, or upgrade the connector, you can pretty much have this pushed out from your policy. You can also include exclusions, so if you have other AV installed or anything like that, you don't want it to necessarily override it. One cool thing is AMP does give your AV the ability to try first, essentially, so it doesn't step on its toes. If your AV detects it, fine; if it doesn't, AMP is going to step in and try to take a look. It is recording all the information about what the files are doing, but if your AV is going to hit it first, it will allow it to. Conviction mode is what it's going to do if it finds malware. I put it on audit because I want to show what happens if I download something that's potentially malicious. There are your cache settings. Ethos is what I was talking about, that kind of fuzzy fingerprinting of files to see if it's in a family of files. One thing you can also do is turn on AV, so if you wanted this to be potentially a replacement for AV, there is a checkbox; the AV is installed locally, so it's not connected to the cloud. Some people do have PCI requirements and don't want to pay for another AV service, so that box gets checked, essentially. If you just check Tetra right there, that will do the offline engine. Now, is AMP for Endpoints more effective than just regular AV? I would say so, but again it depends on what your auditors tell you you have to have, so you have the option to just check it there and have that just in case. This is the flow correlation, looking for malicious IP addresses it's reaching out to. I'm going to update the policy; I didn't really make much in terms of changes, and that's fine. Product update is valid. What did I do? Done, and time done. All right, and the window must be in the future. Let's go into the future. All right, awesome.

Then what you do is make sure that these policies are associated with a group, and in this case I just have two; I have a security demo lab group. So now the next thing I can do is have one of my endpoints that is currently on here download it. You can push this through Active Directory, or you can push it through whatever corporate tool you use to push your corporate applications, but in this case I'm just going to manually download it, because this is a lab, obviously. So let's go ahead and log in, and you go to Management, Download Connector, select the group, which in my case would be security demo lab, and let's go ahead and download this. It might take a little bit, so I'm going to pause the video really quickly so you don't have to wait for my very slow internet connection. All right, and we're back, so I'm going ahead and installing it now. I may not have given myself access to view it, but that's fine as long as it's connected. And there we go, so it's connected and we see my policy right there. You see the history of the files that have been downloaded and their disposition; some of these you can change, some you can't, it just depends. Actually, it looks like I can't change this; that's fine, probably my settings. You can also make sure your policy updates, but it should check automatically on intervals.

So now that we've got AMP for Endpoints installed on a random host, let's go ahead and integrate it with ISE. So bear with me. This is the Threat-Centric NAC feature in ISE, so I can go to Administration, Threat Centric NAC, and you want to make sure in your deployment you do have that enabled right here, which is Enable Threat Centric NAC Service. So I go over here to Threat Centric NAC and I want to add an instance. You can see here there are quite a few you can use. This is not pxGrid, this is something different, but it is still awesome because it gives you this ability to view your vulnerabilities and threats on this dashboard and craft policies around them. So let's go ahead and add an AMP for Endpoints instance; we're going to call this FireAMP. Give it a second. So we're going to configure it, and let me find out what my SOCKS proxy is; I have to remember what the port is. I already figured it out, so I'm behind a proxy. You do have to use a SOCKS proxy; the configuration on a proxy just has to be SOCKS. Give it a moment while it syncs. All righty. I hope I spelled this right, but give me a moment; I might have to check the upstream proxy. Okay, I might have to check the proxy, so if you bear with me I'm going to pause the video and come back. All right, I'm back, fixed the proxy problem. So this is the next screen you'll get, where you get to pick the AMP cloud, which in this case I'm just going to go with the US cloud because that's where I'm at, and it gives you a nice little AMP external URL. So you click on that and it asks you to log in, so let me go ahead and do so, and it'll ask you to authorize this. So I'm going to click security demo lab and allow it to have access to just that group, and it exports the events from AMP for Endpoints to ISE. So it's going to redirect me back in just a moment, awkwardly, while we wait on my very slow internet connection. There we go. All right, and I can now click Finish, but I think if I wait for a second it's going to refresh and show connected; it usually takes a moment. There you go, connected, active, and I want to see the events that are coming through. All of those events are coming from the cloud, and you'll get to see all that in action shortly.

So I've got my AMP for Endpoints connector installed; now I have to do bad things. I usually like to test with the EICAR test download, and since this is in audit mode there's not really going to be any quarantine, so it's just going to detect it. Let's go ahead and do it through HTTP. Right there, it's detected. So that was detected. If I go over to Threats, I now see one endpoint has potentially been compromised. Let me go ahead and create, just so you guys can see it in action, a quarantine policy. So go over to Operations, Policy List under Adaptive Network Control, and let's go ahead and create one for quarantine. I'm just not having good luck at spelling quarantine today. Quarantine, submit. And we are going to go ahead and create a policy under Global Exceptions; I like to create a global exception for quarantine. So there are two things I'm going to call out here. The first one is going to be endpoints, and this is something I may have moved in this version, hold on a second: the right condition is Session ANCPolicy EQUALS Quarantine, and right now I'm just going to go ahead and give it DenyAccess. All right, so going back here: oh no, we downloaded malware and it wasn't contained, there's a threat detected, what should we do? So let's go ahead and quarantine this guy, he's been bad. So we're going to assign a policy and quarantine them right now, so they get knocked off the network, and if I go back to my Live Log under Operations I should see them get booted off. Yep, can't connect to the network anymore. You can also change it; it doesn't necessarily have to be a swift boot off the network, you could always
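The flow the video walks through (connector sends a SHA-256 to the cloud, disposition comes back, a later sandbox verdict flips it, and every connector that already reported the hash gets a quarantine trigger, with an admin custom block list on top) modelled as a small added Python illustration written for this page; it is not Cisco's AMP code or API, and the endpoint names and sample bytes are constructed.

```python
"""Toy model of the AMP for Endpoints disposition flow described in the video.
Added illustration only: not Cisco's code or API; names and data are constructed."""
import hashlib
from collections import defaultdict

CLEAN, MALICIOUS, UNKNOWN = "clean", "malicious", "unknown"


class DispositionCloud:
    """Stand-in for the AMP cloud: hash -> disposition, a custom block list,
    and a record of which endpoints reported each hash (for retrospection)."""

    def __init__(self):
        self.known = {}                   # sha256 -> CLEAN / MALICIOUS
        self.custom_block = set()         # admin-defined block list of sha256s
        self.seen_by = defaultdict(set)   # sha256 -> endpoints that reported it

    def lookup(self, endpoint, sha256):
        """Connector reports a file hash; return the current disposition.
        The custom block list wins over anything the cloud has learned."""
        self.seen_by[sha256].add(endpoint)
        if sha256 in self.custom_block:
            return MALICIOUS
        return self.known.get(sha256, UNKNOWN)

    def convict(self, sha256):
        """Sandbox verdict came back bad: flip the disposition and return every
        endpoint that already reported the hash, so each connector can quarantine."""
        self.known[sha256] = MALICIOUS
        return sorted(self.seen_by[sha256])


def sha256_of(data):
    return hashlib.sha256(data).hexdigest()


def retrospective_demo():
    """The same unknown file lands on three hosts before the sandbox verdict arrives."""
    cloud = DispositionCloud()
    h = sha256_of(b"constructed sample, not real malware")
    first = [cloud.lookup(ep, h) for ep in ("pc-01", "pc-02", "pc-03")]
    quarantined = cloud.convict(h)          # retrospective: all three get flagged
    later = cloud.lookup("pc-04", h)        # anyone fetching it afterwards is blocked
    return first, quarantined, later


def custom_block_demo():
    """Admin blocks a hash nobody has convicted yet (e.g. an app you simply disallow)."""
    cloud = DispositionCloud()
    h = sha256_of(b"constructed installer bytes")
    cloud.custom_block.add(h)
    return cloud.lookup("pc-09", h)


if __name__ == "__main__":
    print(retrospective_demo(), custom_block_demo())
```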
Info
Channel: Katherine McNamara
Views: 12,454
Id: 5rOD9yt_I_c
Length: 25min 48sec (1548 seconds)
Published: Tue Feb 28 2017