Introduction to Advanced Malware Protection (AMP)

Captions
Hi there, my name is Brian McNeil. I'm a technical marketing engineer in Cisco's Advanced Threat Solutions Group, and I'm here to talk to you about one of the major features in AMP, the Advanced Malware Protection product line. AMP can run on endpoints, on the network as part of the Firepower/ASA protections, or as part of our content security products like the ESA and the WSA appliances for email and web security. I'm going to talk to you first about the way it works on the endpoint, and then we'll talk about what might change with the other pieces.

So there's an AMP connector that gets deployed, a lightweight piece of software on Windows, Mac or Linux endpoints, and then the rest of it lives in the cloud. So here's the AMP cloud service, which is actually two distinct things: there's the management console, which is what you interact with to set up policies, to deploy to endpoints, and also to see what's actually going on; and then there is a database, which is where AMP keeps track of everything.

The way the file reputation feature works in AMP is: whenever a file gets accessed, executed, copied, moved, whatever, on the endpoint, the AMP connector will calculate a file hash using the SHA-256 algorithm, and it will provide some context like file characteristics, and it will send this to the AMP cloud as a lookup. If the information is found in the database, AMP will come back with a verdict; if it's not found, then we'll add a new entry. But the verdict, or the disposition, can be one of three things in AMP: the file can be known to be good, or benign; the file can be known to be bad, or malicious; and the third possibility, and the most vexing for typical security scenarios, is the file can be unknown, that is to say we simply don't have enough information to say yes, this is good, or no, this is bad.

Now in that case AMP can actually use another piece of our AMP portfolio, namely Threat Grid, and it can submit the file to Threat Grid, where it runs in a sandbox environment, and Threat Grid produces a couple hundred indicators of behavior that it looks for, which it uses to calculate an overall threat score. The threat score is a number between 0 and 100, and let's say in this particular scenario this unknown file runs in Threat Grid and we actually get a score of 98, which is quite high, so this file is displaying a lot of bad behavior. Now the score of 98, or actually anything 95 or higher, is sufficiently deterministic that we will automatically update AMP's database so that instead of being unknown this file is now considered malicious.

Well, what about our endpoint, where this file is already present? Well, here the AMP feature called retrospection comes into play. Retrospection is based on the knowledge that no tool can be a hundred percent right 100 percent of the time, so we need to design the ability to handle changes after the fact. And what happens here is a retrospective event gets sent back to AMP and the disposition of the file will change to malicious, which means it can then be blocked, quarantined on the endpoint, and prevented from moving any further. So that's the file reputation and the retrospection piece of AMP on endpoints in the cloud.

Now what changes if you're deploying not with a public cloud but with what we call the private cloud, which is an on-premise solution? Well, basically the whole diagram still applies; the only difference is that your cloud now resides on a server in your own data center. Similarly, if you're using the on-premise Threat Grid appliance rather than the cloud-based Threat Grid service, then that too is running on a box in your data center, so you can actually have a fully self-contained AMP environment for customers who are privacy conscious.

What changes if instead of the endpoint we have, say, an ESA appliance for email security, or if we have a Firepower or an ASA running Firepower Services with the AMP license applied? Well, everything about what happens here still applies: you get lookups sent to the AMP cloud and you get dispositions, benign, malicious or unknown, returned, and if things change you still get the retrospective event. So that is a key piece of the entire AMP Everywhere portfolio, based on reputation lookups and retrospection when the picture changes. There's a lot more to the product line, which we'll visit in subsequent videos, but for now thank you very much. These are key moving pieces of and I'll talk to you more about the rest of it later.
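The lookup-verdict-retrospection loop described in the captions, modelled as an added example (this is not Cisco's code and not the AMP API; the class and function names, the in-memory database, the endpoint objects and the sample file bytes are all constructed for illustration). It hashes file content with SHA-256, asks a stand-in "cloud" for a disposition, records which endpoints asked about each hash, applies a constructed sandbox score using the 95-or-higher threshold the speaker gives, and pushes a retrospective event to every endpoint that already holds the file so it can be quarantined after the fact:

```python
import hashlib
from typing import Dict, List, Set, Tuple

BENIGN, MALICIOUS, UNKNOWN = "benign", "malicious", "unknown"
# The speaker states that a Threat Grid score of 95 or higher is enough to
# flip an unknown file to malicious automatically.
AUTO_CONVICT_THRESHOLD = 95

# (endpoint, sha256, old_disposition, new_disposition)
RetroEvent = Tuple[str, str, str, str]


def sha256_hex(data: bytes) -> str:
    """The connector hashes file content with SHA-256 before asking the cloud."""
    return hashlib.sha256(data).hexdigest()


class ReputationCloud:
    """Hypothetical stand-in for the AMP cloud database: hash -> disposition,
    plus a record of which endpoints asked about each hash, so that a later
    verdict change can be pushed back to them as a retrospective event."""

    def __init__(self, known: Dict[str, str]):
        self.db: Dict[str, str] = dict(known)
        self.seen_on: Dict[str, Set[str]] = {}
        self.subscribers: Dict[str, "Endpoint"] = {}

    def register(self, endpoint: "Endpoint") -> None:
        self.subscribers[endpoint.name] = endpoint

    def lookup(self, endpoint: str, digest: str) -> str:
        self.seen_on.setdefault(digest, set()).add(endpoint)
        # A hash nobody has seen gets a new "unknown" entry rather than an error.
        return self.db.setdefault(digest, UNKNOWN)

    def sandbox_result(self, digest: str, score: int) -> List[RetroEvent]:
        """Apply a constructed sandbox score (0-100) to an unknown hash."""
        if self.db.get(digest) == UNKNOWN and score >= AUTO_CONVICT_THRESHOLD:
            return self.set_disposition(digest, MALICIOUS)
        return []

    def set_disposition(self, digest: str, new: str) -> List[RetroEvent]:
        old = self.db.get(digest, UNKNOWN)
        if old == new:
            return []
        self.db[digest] = new
        # Retrospection: every endpoint that previously looked this hash up is told.
        events = [(ep, digest, old, new) for ep in sorted(self.seen_on.get(digest, ()))]
        for ep, *_ in events:
            self.subscribers[ep].retrospective(digest, new)
        return events


class Endpoint:
    """Hypothetical connector: hashes files on access and reacts to verdict changes."""

    def __init__(self, name: str, cloud: ReputationCloud):
        self.name, self.cloud = name, cloud
        self.files: Dict[str, str] = {}       # hash -> last known disposition
        self.quarantined: Set[str] = set()
        cloud.register(self)

    def on_file_event(self, data: bytes) -> str:
        digest = sha256_hex(data)
        disp = self.cloud.lookup(self.name, digest)
        self.files[digest] = disp
        if disp == MALICIOUS:
            self.quarantined.add(digest)
        return disp

    def retrospective(self, digest: str, new: str) -> None:
        self.files[digest] = new
        if new == MALICIOUS:
            self.quarantined.add(digest)


def demo() -> dict:
    # Constructed sample file contents; only their hashes matter here.
    good = b"constructed: a known-good installer"
    dropper = b"constructed: an unknown dropper"
    noisy = b"constructed: an unknown but low-scoring tool"
    cloud = ReputationCloud({sha256_hex(good): BENIGN})
    laptop = Endpoint("laptop-1", cloud)
    server = Endpoint("server-7", cloud)

    first = {
        "good": laptop.on_file_event(good),
        "dropper_laptop": laptop.on_file_event(dropper),
        "dropper_server": server.on_file_event(dropper),
        "noisy": laptop.on_file_event(noisy),
    }
    events_high = cloud.sandbox_result(sha256_hex(dropper), 98)  # above threshold
    events_low = cloud.sandbox_result(sha256_hex(noisy), 60)     # stays unknown
    return {
        "first": first,
        "retro_events": events_high,
        "low_score_events": events_low,
        "laptop_quarantined": sha256_hex(dropper) in laptop.quarantined,
        "server_quarantined": sha256_hex(dropper) in server.quarantined,
        "noisy_disposition": cloud.db[sha256_hex(noisy)],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of the `seen_on` record is the retrospection step: the verdict flip is only useful if the cloud remembers which endpoints already hold the file, which is why the example tracks lookups per hash rather than just caching verdicts. A score below the threshold leaves the entry unknown and produces no events.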
Info
Channel: Cisco
Views: 45,458
Rating: 4.952569 out of 5
Keywords: Advanced Malware Protection, AMP, Threat Grid, malware, small business malware, malware protection for small business, how to protect against malware, anti malware, malware removal
Id: ZDBMH7X4Dr4
Length: 6min 35sec (395 seconds)
Published: Wed Nov 23 2016