Cisco Cisco ScanSafe Wi-Fi Hotspot Security 白皮書
© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.
Page 3 of 7
Figure 2. Overview of CTA
CTA learns from what it sees. It adapts over time, identifying new command-and-control channels not previously
detected by the security industry. It assesses the behavior of entities (for example, individual users) in the network
and uses behavior modeling to predict how those entities should behave. CTA uses a long-term modeling of
network behavior to correlate seemingly disparate activities. It then compares that correlated data to individual user
behaviors across the specific customer network so it can detect threats more quickly.
detected by the security industry. It assesses the behavior of entities (for example, individual users) in the network
and uses behavior modeling to predict how those entities should behave. CTA uses a long-term modeling of
network behavior to correlate seemingly disparate activities. It then compares that correlated data to individual user
behaviors across the specific customer network so it can detect threats more quickly.
It doesn’t matter what a detected threat may be. If there is a discrepancy in expected behavior that is significant or
sustained, CTA will flag it. CTA’s actions are like those of a security team trying to identify a shoplifter before that
person has a chance to steal: What is that person doing that is different from what other shoppers are doing?
Carrying a big bag instead of pushing a shopping cart? Trying to exit through the back door instead of the front?
Even though the suspicious behavior may turn out to be legitimate, it is worthy of investigation.
sustained, CTA will flag it. CTA’s actions are like those of a security team trying to identify a shoplifter before that
person has a chance to steal: What is that person doing that is different from what other shoppers are doing?
Carrying a big bag instead of pushing a shopping cart? Trying to exit through the back door instead of the front?
Even though the suspicious behavior may turn out to be legitimate, it is worthy of investigation.
CTA spots anomalies and then directs security analysts toward potential problems, helping them to reduce their
workload and prioritize threats. It also complements existing security technology from Cisco, making these
solutions more accurate as well as more capable of detecting unknown or unusual behavior on the network. Cisco
security capabilities are thus extended into the “after” phase of the attack continuum. Most important, CTA helps to
provide security that evolves with the ever-changing threat landscape.
workload and prioritize threats. It also complements existing security technology from Cisco, making these
solutions more accurate as well as more capable of detecting unknown or unusual behavior on the network. Cisco
security capabilities are thus extended into the “after” phase of the attack continuum. Most important, CTA helps to
provide security that evolves with the ever-changing threat landscape.
Advanced Malware Protection
The second detection system in Cisco CWS Premium is Advanced Malware Protection (AMP) from Sourcefire.
AMP does not rely on malware signatures, which can take weeks or months to create for each new malware
sample. Instead, it uses a combination of file reputation, file sandboxing, and retrospective file analysis to identify
and stop threats across the attack continuum.
AMP does not rely on malware signatures, which can take weeks or months to create for each new malware
sample. Instead, it uses a combination of file reputation, file sandboxing, and retrospective file analysis to identify
and stop threats across the attack continuum.