Cisco Rolls Out Threat Intelligence, Incident Response Services

Cisco integrates ThreatGrid with AMP to provide additional malware analysis and intelligence capabilities and launches its own incident response services.


In the modern world of security threats, intelligence and the ability to rapidly respond to incidents are the keys to survival. To that end, Cisco today announced new threat intelligence and incident response services.

The new capabilities come to Cisco thanks in part to the integration of technologies from ThreatGrid, a company Cisco acquired in May 2014. Helping to push forward the new threat intelligence capabilities is
co-founder and former CTO of ThreatGrid Dean De Beer, who is now principal engineer of Advanced Threat Solutions, AMP ThreatGrid at Cisco.

The AMP (Advanced Malware Protection) platform is now being expanded with the help of ThreatGrid's platform. The original AMP product was first integrated into Cisco's security portfolio in February 2014, after the $2.7 billion acquisition of SourceFire in 2013.

"There is now an integration of AMP with the ThreatGrid platform that I developed," De Beer told eWEEK.

AMP is a file reputation, behavior and sandbox technology, and the expanded AMP ThreatGrid integration provides additional malware analysis and intelligence capabilities. An enterprise can manually submit a potential malware sample for analysis, and once the analysis is complete, the system can determine where else the sample can be found on the network to perform full remediation, according to De Beer. The AMP system provides the ability for an organization to do a retrospective analysis to potentially help determine the source of infection, he added.

In addition to the manual submission, there is now a new low-prevalence file submission feature. De Beer explained that the low-prevalence feature is a way for an organization to automatically submit files to AMP for analysis based on certain criteria.

"Files that are unique or seldom seen that have certain characteristics and that might be of interest are automatically submitted to ThreatGrid," he said. "The samples are scored, and when a certain threshold is met, we change the disposition of the file."

For example, a file could come into the AMP system as being unknown and then, after analysis, AMP determines the file is in fact malicious. De Beer explained that by changing the file's disposition, AMP automatically kicks off a retrospective analysis across an organization's infrastructure searching for any other signs of the file and taking remediation actions against the file.

"The added benefit of ThreatGrid is that we're not just analyzing the files that are coming from AMP, whether those files were submitted manually or automatically," De Beer said. "We're seeing hundreds of thousands of samples going through our own infrastructure every day, and they all go through the same analysis and disposition changes."

The information from the ThreatGrid analysis gets pushed into the AMP cloud, where it is used to help secure the broader base of Cisco AMP customers. ThreatGrid integration with AMP also enables users to query for a given technology item, which could include a file hash or a URL.

"So as you search with the AMP console, you not only search your infrastructure for the data, but also the ThreatGrid infrastructure," De Beer said.

Incident Response

Being able to detect security incidents is only one part of the modern security challenge, with another key part being the ability to actually respond to incidents. As such, Cisco is formally launching its own incident response services to help companies both respond to and prepare for security incidents.

Paul Davis, director of the Advanced Threats Security Solutions Architecture Team at Cisco, explained that the preparation component of the incident response services is about helping organizations have the right people, processes and infrastructure in place to deal with security incidents.

There are multiple vendors in the incident response market today, including FireEye's Mandiant division and Rapid7, which recently entered the market.

"The market for incident response is big, and we do think we have some unique differentiators, based upon our history, experience and tools," Davis told eWEEK. "We have tools like ThreatGrid and the infrastructure that is enabled to support it."

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.