cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

504
Views
5
Helpful
1
Replies
n-russell-biggie
Beginner

Mitigating malware from internal (partner) Laptop / PC

Hello,

I have a client that has been infected with malware. They use Cisco Umbrella and also have Cisco Firepower (no AMP license).

It appears that the malware originated from a third party partner / contractor connection to my clients internal network with their laptop.

It has taken almost a week for my client to go through all their logs on all their different systems and they are still on their knees.

How would we mitigate this in future with Cisco solutions? I thought that Umbrella would have blocked this, but this was not the case. y

It appears that my client AlienVault is showing multiple connections from private IP addresses in subnets that do not exist on the network out to public IP addresses.

Would licensing the clients firepower for AMP help out here? Any suggestion on Cisco products that can mitigate this sort of issues would be great.

 

Many thanks 

Nick

1 REPLY 1
Rob Ingram
VIP Mentor

Hi @n-russell-biggie 

If the laptop was already infected before connecting to the network umbrella wouldn't help much at that point, the device is free to infect the local network.

 

Yes you could get AMP for Endpoints, but usually that would be deployed to corp owned assets, it's not that practical to deploy to contractor devices.

 

Ideally use NAC, with ISE and TrustSec. The contractor would connect to the network, be classified differently to a corp user/device and have limited access to the network. Their limited access would prevent them from communicating with corp devices and give them only the required access. You could also use posturing to determine whether the devices connecting to the network are compliant.

 

If you have FTD you could also integrate with ISE and automatically/manually quarantine the device, restricting their access completely.

Create
Recognize Your Peers
Polls
Which of these topics should we host an event in the Community?

Top Choice: ISE Demo (100%)

Content for Community-Ad