
Threat Grid + Meraki MX: A Win-Win



It’s been a little over a year since we launched Threat Grid integration with the Meraki MX, and since then, it’s become an invaluable tool for the customers that have enabled this integration. But the customers who haven’t enabled it may not understand why this integration isn’t just important for them — it’s also important for everyone on the internet!

This isn’t the first time we’ve talked about Threat Grid on the Meraki blog. Since its debut, both Threat Grid and the MX have gotten better, but they have also gotten better together.  In this blog post we will explore in more technical detail what Threat Grid is and how it fits into the Meraki security architecture. Most importantly, we’ll explore why it’s made the internet a safer place for everyone.

AMP + Threat Grid

Cisco Advanced Malware Protection (AMP) is an intrinsic part of the Meraki MX advanced security offering and has been for over two years. Over that time AMP has scanned hundreds of millions of files per week, blocked hundreds of thousands of malicious files per week, and sent thousands of retrospective alerts per week. This is particularly important when you consider that the volume of malware has increased by 10x in the last two years.

As you’d expect, Meraki does this by leveraging cloud technology. Once upon a time, there was a startup company called Immunet AV and they had a super smart solution for telling whether a file was good, bad or hadn’t been seen before; in security geek language, files were labeled “Clean,” “Malicious,” or “Unknown.” That company was acquired by Sourcefire, who in turn was acquired by Cisco, just like Meraki. Today, Meraki MX leverages this technology, resulting in customers getting real-time protection from known malicious files across multiple file types and multiple threat vectors.

OK, that’s great, but what about those scary “day-zero” exploits that we hear about in the news all the time? Whilst it’s still true that you shouldn’t believe everything you read, day-zero exploits certainly exist, as after all someone has to get hit first with every exploit. Though we are all tempted to think “it won’t happen to me,” there is a tangible probability that it will. If you’re the person responsible for information security risk management at your organization, then it’s your responsibility to demonstrate duty of care and mitigate as much risk as possible.

This is what Threat Grid helps you do by authoritatively and quickly letting you know if “unknown” files going through your MX are day-zero malware or not.

Threat Grid Deep Dive

As you would expect, Threat Grid is super easy to enable for an MX network. Once enabled, it starts working immediately. When a file is downloaded through the MX, the hash of the partial file is compared against the AMP cloud; if it is unknown to AMP, then it gets sent straight to Threat Grid, as shown below:

The file is then detonated, which is a fancy way of saying opened up and allowed to do its thing, in a virtual Microsoft Windows sandbox environment that is completely separate and distinct from the customer infrastructure. Threat Grid now both actively and passively observes how the file behaves, by looking at how it interacts with system software, services, and network resources. At the same time, Threat Grid parses the things the file does through around 900 behavioral indicators to understand whether the file is malicious or not.

Once this is complete, Threat Grid automatically creates a report with both a high level “Threat score” and links to forensic investigation tools, also built into the platform. An example of this report is shown below:

If you want to see this report and the forensic tools being used in a demo, take a look at this great Meraki webinar.

Finally, if the file was malicious, you’ll receive an email to let you know that something bad got through and with links to Security Center and any relevant remediation steps you need to follow to get back to safety.

The cloud just got smarter

Now if anyone else sees that file come through their Meraki MX, Cisco Firepower, Cisco WSA or AMP for Endpoints-enabled smartphone, it will be instantly blocked because Threat Grid updated the disposition state of the file in the Cisco AMP Cloud. This means that you not only detected and can stop the bad guys on your network, but you also stopped the bad guys for the rest of the world!
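The flow just described, as an added Python model that is not Meraki or Cisco code: a shared hash-keyed disposition store, an Unknown file being detonated and scored against a small constructed indicator table, the verdict written back so later downloads of the same hash are blocked everywhere, and a retrospective alert for the customer that already let it through. The indicator names, weights and threshold are assumptions; the observed behaviours are passed in because the model does not actually execute anything.

```python
import hashlib
from collections import defaultdict

CLEAN, MALICIOUS, UNKNOWN = "Clean", "Malicious", "Unknown"

# Constructed subset of behavioural indicators and weights; Threat Grid
# evaluates around 900 of them. Names, weights and threshold are assumptions.
INDICATORS = {
    "writes_run_key": 30,            # persistence via a Run registry key
    "spawns_hidden_powershell": 25,  # suspicious child process
    "contacts_new_domain": 15,       # outbound traffic to a never-seen domain
    "encrypts_user_documents": 40,   # ransomware-like file activity
}
MALICIOUS_THRESHOLD = 50  # a threat score at or above this is labelled Malicious


def file_hash(payload: bytes) -> str:
    """Hash of the downloaded bytes; this is what the MX asks the AMP cloud about."""
    return hashlib.sha256(payload).hexdigest()


def sandbox_detonate(observed_behaviours):
    """Stand-in for detonation: score the observed behaviours, return (score, verdict)."""
    score = min(100, sum(INDICATORS.get(b, 0) for b in observed_behaviours))
    return score, (MALICIOUS if score >= MALICIOUS_THRESHOLD else CLEAN)


class AmpCloud:
    """Shared disposition store: one verdict per hash, visible to every MX."""

    def __init__(self):
        self.dispositions = {}                 # sha256 -> Clean / Malicious
        self.delivered_to = defaultdict(set)   # sha256 -> customers that let it through
        self.retro_alerts = []                 # (customer, sha256): the email in the post

    def lookup(self, sha256):
        return self.dispositions.get(sha256, UNKNOWN)

    def set_disposition(self, sha256, verdict):
        self.dispositions[sha256] = verdict
        if verdict == MALICIOUS:  # retrospective alert for everyone who already got it
            self.retro_alerts.extend((c, sha256) for c in sorted(self.delivered_to[sha256]))


def mx_inspect_download(cloud, customer, payload, observed_behaviours):
    """One download through an MX: real-time hash check, sandbox only when Unknown."""
    sha256 = file_hash(payload)
    verdict = cloud.lookup(sha256)
    if verdict != UNKNOWN:
        return "blocked" if verdict == MALICIOUS else "allowed"
    cloud.delivered_to[sha256].add(customer)   # the download completes meanwhile
    _score, verdict = sandbox_detonate(observed_behaviours)
    cloud.set_disposition(sha256, verdict)     # the cloud just got smarter
    return "allowed-pending-analysis"
```

Run it twice with the same bytes: the first customer gets the file and a retrospective alert, the second customer is blocked outright.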

The people who make this automatic protection happen are Cisco Talos, a team of hundreds of guys and girls who are the internet security equivalent of the Justice League (or Avengers, if you prefer). They have had a hand in defusing, deconstructing and protecting against every internet threat you have heard about in the past two years. And once they’ve figured out how to stop the bad guys, they pump that knowledge right back into the Meraki MX and other Cisco products. This means that, indirectly, you are helping make the internet a safer place just by being a Meraki customer, and even more so if you have Threat Grid.

Talos also takes threat intelligence information from many other Cisco security products, including lots that run on or are integrated natively with the Meraki MX, as shown below:


So, if you are already one of the many Meraki customers with an MX network, walk a little taller, because Talos has your back. And if you really need to know whether or not that file the CEO just downloaded was a cat video or a piece of ransomware, then Threat Grid is for you.  

Reach out to your local Meraki sales rep to discuss further and start helping make the internet a safer place through simple, powerful cloud technology.

Ensure you’re secure from VPNFilter

The newest blog post from the Cisco Talos intelligence team, one of the largest commercial threat intelligence teams in the world, highlights VPNFilter, the newest malware threat spreading across the Internet. This attack can lead to stolen website credentials, IoT device vulnerabilities, Internet connection cut-offs, and devices potentially rendered completely unusable.

At this point in time, no Meraki devices are known to be affected. Meraki and Talos are conducting ongoing investigations into this threat and its signatures. Meraki MX users who use the Advanced Security license have the capability to protect their network from security vulnerabilities such as VPNFilter.

MX Ensures Security

The Meraki MX makes it very easy to implement powerful Cisco security technologies like Snort and Advanced Malware Protection (AMP). In addition to AMP and Snort, Meraki MX allows for intuitive URL blocking, as well as Layer 3 firewall rules to ban nefarious IP addresses. These capabilities play an integral role in keeping networks safe from malware.

With Cisco Snort technologies enabled, the MX performs real-time traffic analysis and can generate alerts or take actions based on a constantly updated database of threat signatures. For example, Snort has already updated and pushed out rulesets to allow identification and prevention of VPNFilter malware for Meraki MX users who have IPS enabled. IPS rulesets are updated every 24 hours and pushed out to the MX, constantly keeping you safe from new threats. The Meraki cloud also delivers firmware, bug, and feature updates to the MX.

Example of Meraki MX blocking VPNFilter exploit with Intrusion Prevention

In addition to IDS/IPS, the MX’s integrated AMP technology can detect malware and block it from being downloaded on the network. AMP can also retroactively detect files that have been downloaded on the network that have malicious markers. VPNFilter is known to infect networks by downloading files to the network from specific URLs. Fortunately, Cisco AMP has already updated its malware database for file hashes associated with VPNFilter and pushed these updates over the cloud to Meraki MX users with AMP enabled. The Meraki MX is helping protect your network by delivering these technologies via the cloud directly to your doorstep.

Blocking Threats in 3 Steps with Meraki MX

As highlighted in the detailed post from Talos, action can be taken on a list of identified URLs, IP addresses, Snort signatures, and AMP file identifiers related to VPNFilter. All of these threats can be easily neutralized within the Meraki dashboard. To enable AMP, Snort, and URL blocking features on the MX, an Advanced Security license is required. The Layer 3 firewall rules are incorporated in both MX licenses (Enterprise License and the Advanced Security License).

Step 1 is the most important and takes only 15 seconds, while Steps 2 and 3 take less than one minute each. Being able to secure your network easily is the hallmark of Meraki MX.

1. Enabling AMP & Snort

Visit the Security appliance > Configure > Threat protection section. A few simple clicks allow you to enable AMP and set Snort IPS to ‘Prevention’ mode with the ‘Security’ ruleset.

2. URL Blocking

Go to Security appliance > Content filtering to block the URLs listed in the Cisco Talos blog post.

3. Blocking nefarious IP addresses

Under Security appliance > Firewall you have the ability to deny traffic to all known IP addresses associated with VPNFilter malware, as listed by Cisco Talos.
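The same three steps prepared for the Meraki Dashboard API instead of dashboard clicks, as an added example that is not part of the original post. The endpoint paths and body keys are assumed to match Dashboard API v1; the URLs and CIDRs are constructed placeholders, so substitute the indicators from the Talos post. Two caveats the dashboard hides are made explicit: the content-filtering and L3 PUTs replace the whole existing list, so current entries are merged in, and L3 rules are evaluated top-down, so the deny rules go first and the implicit default rule is not resent.

```python
import json
import urllib.request

API = "https://api.meraki.com/api/v1"  # assumed Dashboard API v1 base URL

# Constructed placeholders (RFC 5737 ranges); use the real IoCs from the Talos post.
BLOCKED_URLS = ["PLACEHOLDER-vpnfilter-domain.example"]
BLOCKED_CIDRS = ["203.0.113.10/32", "198.51.100.0/24"]


def step1_threat_protection():
    """Step 1: enable AMP, set Snort IPS to Prevention with the Security ruleset."""
    return [("PUT", "/appliance/security/malware", {"mode": "enabled"}),
            ("PUT", "/appliance/security/intrusion",
             {"mode": "prevention", "idsRulesets": "security"})]


def step2_content_filtering(urls, current_patterns=()):
    """Step 2: add the URLs to the blocked patterns, keeping whatever is already there."""
    merged = sorted(set(current_patterns) | set(urls))
    return ("PUT", "/appliance/contentFiltering", {"blockedUrlPatterns": merged})


def step3_l3_deny_rules(cidrs, current_rules=()):
    """Step 3: prepend outbound deny rules for the CIDRs. Rules match top-down, and
    PUT replaces the list, so existing rules follow and the default rule is omitted."""
    denies = [{"comment": "VPNFilter C2 (Talos IoC)", "policy": "deny", "protocol": "any",
               "srcCidr": "Any", "srcPort": "Any", "destCidr": cidr, "destPort": "Any",
               "syslogEnabled": True} for cidr in cidrs]
    kept = [r for r in current_rules if r.get("comment") != "Default rule"]
    return ("PUT", "/appliance/firewall/l3FirewallRules", {"rules": denies + kept})


def apply_calls(network_id, api_key, calls):
    """Send the prepared calls to the Dashboard API (network access; not run by tests)."""
    for method, path, body in calls:
        req = urllib.request.Request(
            f"{API}/networks/{network_id}{path}", method=method,
            data=json.dumps(body).encode(),
            headers={"X-Cisco-Meraki-API-Key": api_key,
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            print(method, path, resp.status)


if __name__ == "__main__":
    calls = step1_threat_protection()
    calls.append(step2_content_filtering(BLOCKED_URLS))
    calls.append(step3_l3_deny_rules(BLOCKED_CIDRS))
    print(json.dumps(calls, indent=2))  # review the payloads before calling apply_calls
```

Fetch the current content-filtering patterns and L3 rules with the matching GET calls first and pass them in as `current_patterns` and `current_rules`, otherwise the PUTs will silently drop whatever the dashboard already had.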

For more detailed information on VPNFilter, please refer to this post from Cisco Talos. We will continue to monitor the threat landscape and work with our Talos team to provide you updates on VPNFilter and other security vulnerabilities as they develop. To learn more about the many capabilities of the Meraki MX, including SD-WAN and Security, visit the Meraki website or sign up for one of our webinars.