Cisco has announced that it has added its Sourcefire-developed Advanced Malware Protection (AMP) into its Content Security Portfolio of products, including Web and Email Security Appliances and Cloud Web Security Service.
At the same time, the company has started delivering the ability to create and integrate new open source application identification capabilities into its Snort engine through the release of OpenAppID.
The integration of AMP is one of the first technology integration efforts between Cisco and Sourcefire, and extends the option of advanced malware protection to the more than 60 million enterprise and commercial users currently protected by Cisco Content Security products.
AMP joins Cognitive Threat Analytics, acquired last year with Cognitive Security, as an option for Cisco Cloud Web Security customers. Cognitive Threat Analytics is a self-learning system that uses behavioural modelling and anomaly detection to identify malicious activity already operating inside the network and to reduce the time it takes to discover it. Both are available on Cisco Cloud Web Security as an optional licence.
The additions expand Cisco's ability to provide threat-centric security by offering advanced malware protection 'everywhere' a threat can manifest itself. With this integration, Cisco says it addresses the broadest range of attack vectors across the extended network.
Instead of relying solely on malware signatures, which can only be written once a sample has been captured and analysed and so may lag new malware by weeks or months, AMP uses a combination of file reputation, file sandboxing and retrospective file analysis to identify and stop threats across the attack continuum.
File Reputation analyses file payloads inline as they traverse the network, providing users with the insights required to automatically block malicious files and apply administrator-defined policies using the existing Cisco Web or Email Security user interface and similar policy reporting frameworks.
File Sandboxing provides a place to analyse and understand the true behaviour of unknown files traversing the network. This allows AMP to glean more granular behaviour-based details about the file and combine that data with detailed human and machine analysis to identify a file’s threat level.
File Retrospection addresses the problem of files that were allowed through perimeter defences and only later turn out to be malicious. Rather than rendering a single point-in-time verdict, it keeps analysing files already seen, using real-time updates from AMP's cloud-based intelligence network to track changing threat levels. When a previously allowed file is reclassified, AMP can identify where it went and address the infection before it has a chance to spread.
Christopher Young, senior vice president, Cisco Security Business Group, said: “Today’s advanced threats that can attack hosts through a combination of different vectors require a continuous security response versus point in time solutions. Web and Email gateways do a large amount of heavy lifting in the threat defense ecosystem, blocking the delivery of malicious content. By bringing together AMP and threat analytics with our Web, Cloud Web and Email Security gateways, we provide our customers with the best advanced malware protection from the cloud to the network to the endpoint.”
The company has also begun shipping OpenAppID, its open source application detection and control tool. OpenAppID uses an application-focused detection language that gives users application visibility on the network, speeds up the development of application detectors, and lets the community create, share and deploy custom detectors so that new app-based threats can be addressed quickly.
As new applications are developed and introduced into corporate environments at an unprecedented rate, this new language provides users with increased flexibility to control new or custom apps on the network.
OpenAppID is especially important for organisations utilising custom-built or specialised applications and those in highly regulated industries that require the highest levels of identification and control. Cisco claims it will accelerate and expand the breadth of application detection, by facilitating open community sharing and enhancement of new application detectors.
With the new detectors loaded, Snort can detect and identify applications and report on their use; attach application-layer context to the intrusion events it generates; and act on that identification by alerting on, or blocking, traffic belonging to specified applications.
Martin Roesch, creator of Snort and Vice President and Chief Architect, Cisco Security Business Group, said, “Open source is very important because it creates real collaboration and trust between vendors and the experts that are tasked with addressing advanced and aggressive threats. By open sourcing application visibility and control, Cisco is empowering the community to create technically superior solutions to address their most complex and unique security challenges.”
As part of this announcement, Cisco is delivering a special release of the Snort engine that includes the new OpenAppID preprocessor. This enables the Snort community to begin working with OpenAppID to build application detectors.
In addition, a library of more than 1,000 OpenAppID detectors will be available at no charge through the Snort community. Any community member may contribute additional detectors, including end-user organisations whose custom, in-house applications are not commercially available and so would never be covered by a vendor-supplied detector.
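The following Snort configuration excerpt is an added illustration of how the detectors described above are put to work; it is not taken from the article or from Cisco's own documentation. It assumes the appid preprocessor that ships with the OpenAppID release of Snort, a detector directory at an assumed path, and placeholder application names ("facebook" for a community detector and "acme_ledger" for a hypothetical in-house detector) that must match the names actually registered by the detectors you load. The $DATA_CENTER variable is also assumed and would need to be defined in snort.conf.

```snort
# snort.conf excerpt (added example; paths and names are assumptions).
# Load the appid preprocessor and point it at the directory holding the
# OpenAppID Lua detectors (community library plus any custom detectors).
# app_stats_* cause per-application usage statistics to be written in
# unified2 format, which gives the "report on application use" capability.
preprocessor appid: app_detector_dir /usr/local/etc/appid, \
    app_stats_filename appstats-u2.log, \
    app_stats_period 60

# Once the preprocessor has classified a flow, the appid rule option lets
# ordinary Snort rules key on the application instead of on ports or
# payload bytes. "facebook" stands in for a community-supplied detector.
alert tcp any any -> any any (msg:"APPID community detector matched"; \
    appid:facebook; sid:1000001; rev:1;)

# A hypothetical custom detector for an internal application. Blocking the
# application anywhere except the segment that should carry it requires
# Snort to run inline (drop is ignored in passive mode).
drop tcp $HOME_NET any -> !$DATA_CENTER any (msg:"APPID in-house app seen off its segment"; \
    appid:acme_ledger; sid:1000002; rev:1;)
```

Because the rule matches on the application label rather than on a fixed port, it keeps working when the application moves to a non-standard port or is tunnelled over HTTPS to a known endpoint, as long as a detector recognises it; the trade-off is that a detector usually needs a few packets before it can classify the flow, so the first packets of a session may pass before the rule fires.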