AMP and ThreatGrid Integration into Meraki UTMs

An interesting overview of Cisco AMP and Threat Grid technology, a bit of history, and a look at "Meraki-fying" the technology.

Lately, I have been spending a lot of time on integrating security systems together, and focusing much of my energy on Cisco's Advanced Threat security product family in particular. (Disclosure: I am employed by Cisco.)

That is what brings me to Cisco's Advanced Malware Protection (AMP), a solution for malware detection, blocking, continuous analysis, and retrospective action and alerting.

In fact, when the Talos cyber-vigilantes parachute into an environment under attack, AMP is one of the main tools they use to perform their forensic analysis and active defense.

Since the acquisition of SourceFire, Cisco has been integrating AMP into many other security products, such as FirePOWER NGIPSs, Firepower NGFWs, Cisco (Ironport) Web Security Appliances (WSA), Cisco Ironport Email Security Appliances (ESA), as well as the Meraki MX Security Appliances.

In my opinion, Meraki typically looks at things a bit differently than traditional products, including traditional Cisco product lines. My interpretation of the Meraki approach is that ease of operation and management is the No. 1 priority. This means their interfaces tend to keep things simple instead of providing all the many options and nerd-knobs that are traditional at Cisco. The Meraki MX certainly continues that paradigm, and that is the main focus of this article.

I use the MX a lot when I need a well-provisioned UTM at a remote location while still having centralized management. The MX runs Snort for intrusion detection and prevention. Meraki then added Advanced Malware Protection (AMP) to the MX, with centralized whitelisting of URLs and whitelisting of files.

The latest Threat Protection feature to be added to the MX security appliance is an integration with Cisco's Threat Grid sandboxing and threat intelligence solution. You may not have known about the release, because Cisco announced the Network Intuitive at the same time, which took the spotlight (naturally).

So, let’s have a quick review of AMP, how Threat Grid plays within the AMP story, and then how that works with the Meraki MX.

Once upon a time, there was a startup company named Immunet AV. They took a fresh and different approach to endpoint security: they kept the security intelligence in the cloud, which helps to maintain a lightweight footprint on the endpoint. Keeping the intelligence in the cloud instead of downloading a giant database of signatures to the endpoint also ensures the intelligence is as up-to-date as possible.

As files are moved/copied/executed on the endpoint, the Immunet client (called a cloud connector) grabs a SHA hash of the file (like this: 0723932d68702a59c4c8bf6a670a098cd55c39f4a3037fa8c2e6d2641fbfe85f) and sends that hash to the cloud, where the hash is compared to a giant database of file hashes and their disposition (clean, malicious or unknown).

Fast forward a few years and Marty Roesch, the creator of Snort and founder of SourceFire, likes this technology and its vision, and, boom! SourceFire acquires them in January 2008. Their solution was renamed FireAMP, which many still call it today.

After Cisco acquired SourceFire in 2013, the product was renamed to Advanced Malware Protection (AMP), and it’s been integrated into many security products and services. While a consumer version of Immunet AV is still available for free, it does not have all the features and functions of the commercial version.

These days, AMP connectors run on endpoints as well as on network security products like the Meraki MX. The basic explanation is: when a file traverses one of the devices with an AMP connector, AMP grabs a SHA hash of the file and sends it to the cloud to learn the file's disposition. If a file hash is known to be malicious, it can be blocked. If it's clean, the file is allowed through, but the device makes a note that the hash was seen and at what date/time, etc. Unknown is often up to you, the admin. In many cases, based on your defined settings, unknown files can be sent off to Threat Grid for dynamic analysis.

Note: With AMP, the file is never sent to the cloud, only the file's hash. However, for Threat Grid to properly analyze a file's behavior (think an executable or a macro-enabled Word document), the file itself must be uploaded to the sandbox.

Now, let's look at how the Meraki team performs their magic to make all of this simple. Let's start with the AMP integration. The configuration can be found under Security Appliance > Threat Protection. As you can see in Figure 1, the AMP integration can be enabled or disabled. You can add whitelisted URLs, and you can add whitelisted SHA256 hashes.

Figure 01: AMP settings (Aaron T. Woland)

That's it! Keep it simple.

What about Threat Grid? We need to be able to send those unknown files over for sandboxing and analysis. That is just below the AMP section on the configuration page, and as you can see in Figure 2, it is also very simple: enabled/disabled, and rate limiting the appliance to a certain number of submissions per day.

Figure 2: Threat Grid settings (Aaron T. Woland)

Why would anyone want to limit the number of submissions to Threat Grid? Well, it’s because dynamic analysis is not cheap and Threat Grid pricing is all based on “submission packs,” which is a license for the number of submissions per day.
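To make the decision flow described above concrete (hash-only lookup, admin SHA256 whitelist, and a daily cap on Threat Grid submissions), here is an added example that simulates it; it is not Cisco or Meraki code, the disposition "database" is a constructed local dictionary standing in for the AMP cloud, and the behaviour once the daily cap is reached (passing the file through without dynamic analysis) is an assumption, not something the article states.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    """Hash the file contents; only this digest would leave the appliance for an AMP lookup."""
    return hashlib.sha256(data).hexdigest()

# Constructed sample files standing in for traffic seen by the MX.
CLEAN_SAMPLE = b"quarterly-report.docx: constructed benign content\n"
MALICIOUS_SAMPLE = b"constructed content standing in for a known-bad executable\n"
UNKNOWN_SAMPLE = b"constructed content never seen by the cloud before\n"

# Constructed stand-in for the AMP cloud disposition database (SHA256 -> disposition).
CLOUD_DISPOSITIONS = {
    sha256_hex(CLEAN_SAMPLE): "clean",
    sha256_hex(MALICIOUS_SAMPLE): "malicious",
}

class MxThreatProtection:
    """Hypothetical model of the MX Threat Protection decision: whitelist, AMP lookup, Threat Grid cap."""

    def __init__(self, whitelist_sha256=(), submissions_per_day=2):
        self.whitelist = set(whitelist_sha256)        # admin-entered SHA256 whitelist
        self.submissions_per_day = submissions_per_day # Threat Grid rate limit from the dashboard
        self.submitted_today = 0
        self.seen_log = []                             # (sha256, disposition) for every lookup

    def inspect(self, file_bytes: bytes) -> str:
        """Return the action taken: 'allow', 'block', 'submit' or 'allow-unanalyzed'."""
        digest = sha256_hex(file_bytes)
        if digest in self.whitelist:
            return "allow"                            # whitelist wins before any cloud lookup
        disposition = CLOUD_DISPOSITIONS.get(digest, "unknown")  # hash-only query, never the file
        self.seen_log.append((digest, disposition))   # record that the hash was seen
        if disposition == "malicious":
            return "block"
        if disposition == "clean":
            return "allow"
        # Unknown: the file itself must go to the sandbox, but only within the daily submission cap.
        if self.submitted_today < self.submissions_per_day:
            self.submitted_today += 1
            return "submit"
        return "allow-unanalyzed"                     # assumption: cap reached, no dynamic analysis
```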

Threat Grid has two form-factors. It can be the more common cloud-service model, or it can be an on-premise appliance for those environments that are worried about sending files into the cloud. Well, the folks on the Meraki team thought of that, too. You can configure your Threat Grid integration to go to either the cloud or an on-premise appliance.

Figure 3: Threat Grid Integration Type (Aaron T. Woland)

That configuration is under Organization > Settings, which is where you go to link your MX settings to a Threat Grid instance (cloud or appliance), as shown in Figure 3.

OK, that's about it for this light write-up. Be on the lookout for future articles, where I'll go deeper into many of these very powerful technologies.


Copyright © 2017
