For Cisco Firepower Management Center 4000
FireSIGHT System User Guide, page 1-13
Chapter 1      Introduction
  FireSIGHT System Components
Regardless of whether you store a detected file, you can submit it to the Collective Security Intelligence 
Cloud for a simple known-disposition lookup using the file’s SHA-256 hash value. You can also submit 
files for dynamic analysis, which produces a threat score. Using this contextual information, you can 
configure the system to block or allow specific files.
You configure malware protection as part of your overall access control configuration; file policies 
associated with access control rules inspect network traffic that meets rule conditions.
FireAMP Integration
FireAMP is Cisco’s enterprise-class, advanced malware analysis and protection solution that discovers, 
understands, and blocks advanced malware outbreaks, advanced persistent threats, and targeted attacks.
If your organization has a FireAMP subscription, individual users install FireAMP Connectors on their 
computers and mobile devices (also called endpoints). These lightweight agents communicate with the 
Cisco cloud, which in turn communicates with the Defense Center. 
After you configure the Defense Center to connect to the cloud, you can use the Defense Center web 
interface to view endpoint-based malware events generated as a result of scans, detections, and 
quarantines on the endpoints in your organization. The Defense Center also uses FireAMP data to 
generate and track indications of compromise on hosts, as well as display network file trajectories.
Use the FireAMP portal (http://amp.sourcefire.com/) to configure your FireAMP deployment. The 
portal helps you quickly identify and quarantine malware. You can identify outbreaks when they occur, 
track their trajectories, understand their effects, and learn how to successfully recover. You can also use 
FireAMP to create custom protections, block execution of certain applications based on group policy, 
and create custom whitelists.
Network File Trajectory
The network file trajectory feature allows you to track a file’s transmission path across a network. The 
system uses SHA-256 hash values to track files; so, to track a file, the system must either:
  • calculate the file’s SHA-256 hash value and perform a malware cloud lookup using that value
  • receive endpoint-based threat and quarantine data about that file, using the Defense Center’s 
integration with your organization’s FireAMP subscription
Each file has an associated trajectory map, which contains a visual display of the file’s transfers over 
time as well as additional information about the file.
Application Programming Interfaces
There are several ways to interact with the system using application programming interfaces (APIs). For 
detailed information, you can download additional documentation from either of the following Support 
Sites:
  • Sourcefire:
  • Cisco:
eStreamer
The Event Streamer (eStreamer) allows you to stream several kinds of event data from a Cisco appliance 
to a custom-developed client application. After you create a client application, you can connect it to an 
eStreamer server (Defense Center or physical managed device), start the eStreamer service, and begin 
exchanging data.