I'm working on bringing an "ask the expert" program to you where you can chat, in the community forums, directly with a Cisco expert about a designated topic for a set period of time (24-48 hours or so). Right now I want to collect your ideas for topics.
If you had access to a Cisco expert (or multiple experts), what topics regarding AMP would you like to chat about? Let me know by replying to this discussion thread. Your answers will give me the basis of formulating a calendar of topics so we can deliver on a regular basis.
Thanks in advance!
Hi Pantelis - thanks for the response. We will be having an upcoming AMP Ask the Experts in November, so stay tuned for the date. I'll ping you to remind you about it and perhaps you can ask some questions around this topic as well. Thank you!
Hi pantelis1 and others interested in CTA,
I was one of the first employees of Cognitive Security that is behind CTA.
Let me know your questions and I will try to help.
I would like to get more information about the comparison of your product against the big players. Also, I understand it to be a cloud-based solution, so does that mean that all the analysis runs in the cloud (i.e. customer traffic is sent to the cloud for analysis, etc.)?
CTA is all about analytics and transforming information available locally (such as proxy logs) into intelligence about breached machines by means of statistics-based command and control detection. There is currently no head-to-head competition with any of the big players, and while there are some smaller companies working in the same field, none has the level of sophistication, experience (10 years for CTA) or amount of data to build it upon.
We see lots of customers trying to do analytics in-house in their SIEM, only realizing that SIEM is not suitable for broad analytics, as they would need to employ mathematicians, statisticians and machine learning experts to perform sane analytics, and those need a completely different toolset. In the end, SIEM is not suitable for advanced analytics but is perfectly suitable for more targeted investigation where a subset of users is considered or an indicator is already available. Traditionally these indicators came from external researchers, feed updates and so on. With CTA, identification of those machines can finally be done using local intelligence (CTA does not use any feeds or blacklists) and as a result allows for a much more effective use of SIEM during breach investigations. Analytics (in any form) are becoming a key ingredient in breach detection, as they use local data and do not rely on previous experience of the same attacks elsewhere.
The sheer amount of processing required for detection and classification makes it a cloud service only. The proxy is configured to send proxy logs on a regular basis; no actual content is needed. I would be highly suspicious of anybody who claims to be doing advanced analytics within a "box" or inline. The correlations that allow us to link communication days and weeks apart to spot signs of command and control activity, and the modelling of individual users and their comparison to others, require large processing power.
I'm planning to enable AMP in IronPort. I would like to understand the security controls around protecting the privacy of the mail attachments that are uploaded to the Cisco cloud.
The only time actual content is uploaded by AMP for content security appliances (ESA or WSA) is when something is submitted to Threat Grid for analysis. By default, such files are marked as "private" in Threat Grid, which means that they will not be visible to other parties.
Should work just fine, as long as the OS is supported (Windows, CentOS/RHEL, or even OS X if you can work with Apple's restrictive virtualization policies) and the VM is able to communicate with the AMP cloud. There's no significant difference between the same OS running as a virtual machine or physical, or between local VM and cloud-hosted VM, as far as the connector is concerned.