It’s been a little over a year since we launched Threat Grid integration with the Meraki MX, and since then, it’s become an invaluable tool for the customers that have enabled this integration. But the customers who haven’t enabled it may not understand why this integration isn’t just important for them — it’s also important for everyone on the internet!

This isn’t the first time we’ve talked about Threat Grid on the Meraki blog. Since its debut, both Threat Grid and the MX have gotten better, but they have also gotten better together.  In this blog post we will explore in more technical detail what Threat Grid is and how it fits into the Meraki security architecture. Most importantly, we’ll explore why it’s made the internet a safer place for everyone.

AMP + Threat Grid

Cisco Advanced Malware Protection (AMP) is an intrinsic part of the Meraki MX advanced security offering and has been for over two years. Over that time AMP has scanned hundreds of million of files per week, blocked hundreds of thousands of malicious files per week, and sent thousands of retrospective alerts per week. This is particularly important when you consider that the volume of malware has increase by 10x in the last two years.

As you’d expect, Meraki does this by leveraging cloud technology. Once upon a time, there was a startup company called Immunet AV and they had a super smart solution for telling whether a file was good, bad or hadn’t been seen before; in security geek language, files were labeled “Clean,” “Malicious,” or “Unknown.”  That company was acquired by SourceFire, who in turn was acquired by Cisco, just like Meraki. Today, Meraki MX leverages this technology, resulting in customers getting real-time protection from known malicious files across multiple file types and multiple threat vectors.

OK, that’s great, but what about those scary “day-zero” exploits that we hear about in the news all the time? Whilst it’s still true that you shouldn’t believe everything you read, day-zero exploits certainly exist, as after all someone has to get hit first with every exploit. Though we are all tempted to think “it won’t happen to me,” there is a tangible probability that it will. If you’re the person responsible for information security risk management at your organization, then it’s your responsibility to demonstrate duty of care and mitigate as much risk as possible.

This is what Threat Grid helps you do by authoritatively and quickly letting you know if “unknown” files going through your MX are day-zero malware or not.

Threat Grid Deep Dive

As you would expect, Threat Grid is super easy to enable for a MX network. Once enabled, it starts working immediately.  When a file is downloaded through the MX, the hash of the partial file is compared against the AMP cloud; if it is unknown to AMP, then it gets sent straight to Threat Grid, as shown below:

The file is then detonated, which is a fancy way of saying opened up and allowed to do its thing, in a virtual Microsoft Windows sandbox environment that is completely separate and distinct from the customer infrastructure. Threat Grid now both actively and passively observes how the file behaves, by looking at how it interacts with system software, services, and network resources. At the same time, Threat Grid parses the things the file does through around 900 behavioral indicators to understand whether the file is malicious or not.

Once this is complete, Threat Grid automatically creates a report with both a high level “Threat score” and links to forensic investigation tools, also built into the platform. An example of this report is shown below:

If you want to see this report and the forensic tools being used in a demo, take a look at this great Meraki webinar.

Finally, if the file was malicious, you’ll receive an email to let you know that something bad got through and with links to Security Center and any relevant remediation steps you need to follow to get back to safety.

The cloud just got smarter

Now if anyone else sees that file come through their Meraki MX, Cisco FirePower, Cisco WSA or AMP for Endpoints-enabled smartphone, it will be instantly blocked because Threat Grid updated the disposition state of the file in the Cisco AMP Cloud. Meaning that you not only detected and can stop the bad guys on your network, but you also stopped the bad guys for the rest of the world!

The people who make this automatic protection happen are Cisco Talos and they are a team of hundreds of guys and girls who are the internet security equivalent of the Justice League (or Avengers, if you prefer). They have had a hand in defusing, deconstructing and protecting against every internet threat you have heard about in the past 2 years.  And once they’ve figured out how to stop the bad guys, they pump that knowledge right back in the Meraki MX and other Cisco products. This means that, indirectly, you are helping make the internet a safe place just by being a Meraki customer, more so if you have Threat Grid.

Talos also takes threat intelligence information from many other Cisco security products, including lots that run on or are integrated natively with the Meraki MX, as shown below:


So, if you are already one of the many Meraki customers with an MX network, walk a little taller, because Talos has your back. And if you really need to know whether or not that file the CEO just downloaded was a cat video or a piece of ransomware, then Threat Grid is for you.  

Reach out to your local Meraki sales rep to discuss further and start helping make the internet a safer place through simple, powerful cloud technology.