Integrate Yourself into the Threat Grid
Updated July 08, 2022
Score 8 out of 10
Overall Satisfaction with Cisco Secure Malware Analytics (Threat Grid)
Threat Grid is our primary source for testing questionable websites or executable files. We have integrated it with Cisco Advanced Malware Protection (AMP), so that AMP automatically sends anything "iffy" to Threat Grid for analysis. In a university environment, there is a large amount of diverse software in use or downloaded daily. We are unable to enforce a "whitelist" of sorts, so we rely on tools like AMP and Threat Grid to help eliminate malicious software while maintaining the most available network we can.
- Virtual Machine Testing
- Analytics from Other Organizations
- Quick and Easy Sample Submission
- The VMs are very sluggish (probably unavoidable at this scale)
- Sometimes it seems unclear how Threat Grid is evaluating a site
- Integration With AMP
- Custom/On Demand Sample Submission
- Interactivity with the Running test VMs
- Threat Grid and AMP together have allowed for higher confidence against Ransomware attacks
- Threat Grid provokes positive responses from cyber-insurance providers
VirusTotal is great for the price of free and still something we use to get a second opinion. However, it does not as easily integrate into our Cisco stack, and free is only a best-effort service. Furthermore, VirusTotal does not spin up a VM for you on the spot; Threat Grid does. You can then interact with that VM and test yourself to see what kind of havoc a concerning program might cause.
Did Cisco Secure Malware Analytics (Threat Grid) live up to sales and marketing promises?
I wasn't involved with the selection/purchase process
Did implementation of Cisco Secure Malware Analytics (Threat Grid) go as expected?
I wasn't involved with the implementation phase
Threat Grid is best suited to integration alongside other Cisco products. On its own, it's neat, but with VirusTotal and other free malware submission sites, it may seem not worth the price. However, integrated into Cisco's AMP product, it provides a continuous investigation of sites and files. If AMP has an alert, you can hop over to Threat Grid to see what it found out.
Resilience and Reliability
Threat Grid impacts our resilience by helping alleviate some of the stress in analyzing and detecting malware. When a questionable file is found in OneDrive or on a workstation, it can be very hard to determine if the file is actively malicious, previously malicious, or benign.
For example, we found some old decryption instructions in a OneDrive folder. These files were of significant age and seemed recently added to OneDrive. Rather than panic, consume lots of man hours, and stress our teams, we ran the files through Threat Grid and found them all currently benign. They were from an old attack.
Threat Grid allows us to stretch our resources farther by giving us a picture into those kinds of files that sites like VirusTotal haven't seen before. It automates understanding the oddball stuff.
Today's market favors the employee, particularly in cyber. While proper staffing is one answer to this issue, it is harder to grow staff in parity with growing cyber needs. Ultimately, resilience can't happen in an environment that cracks under the weight of its workload.
Hence, the way forward in cyber is with as much automation as possible. Not everything can be automated, but more things than the average technician realizes can gain significant value from automation. Threat Grid is one such example. Our EDR finds something it is unsure about? The EDR pitches it to Threat Grid for automatic analysis. This frees up time from techs needing to gain access to workstations. It also helps avoid chasing our tails with false positives.
We lean heavily on the Cisco security stack currently and really find value in Threat Grid. However, we are investigating level 5 licensing with Microsoft, so there is a small chance we may lift our security stack elsewhere. However, I am unaware of an equivalent at Microsoft. It would be hard to do without Threat Grid, so without an equivalent we would continue with it and AMP.
Overall it is good, but I believe our implementation needs some tuning. Currently, it is integrated with Cisco Secure Endpoint (AMP). It is able to pull data from there and AMP can upload files directly to it. I would like to improve our range of scenarios and playbooks that Threat Grid uses. Currently, I can only select one type of VM profile in my AMP settings. It would be great if a group of plays could be run on an individual file. I would also like an integration with Umbrella and our Cisco Firepowers to further leverage automation.
We have seen no availability issues with Threat Grid. It has always been online whenever I have needed it. I use it many times throughout the week at variable times. I have seen no outage and no slowdowns in performance. I have used it considerably for the last 1.5 years.
It was very easy to integrate into Cisco Secure Endpoint (AMP). However, I have yet to integrate it into other products and services. I have not found an easy way to do that. So while the key use case for integration was smooth, I really want all my Cisco security products to communicate with each other. I don't understand why that isn't the default case.
- When a machine is suspected of infection, we activate isolation with Cisco AMP and then upload the suspected files to Threat Grid. We stop any spreading of an infection while at the same time determining if the threat is real. This allows us to avoid wiping PCs that do not need to be wiped.
- Most of our use follows the standard use case: have the EDR upload unknown files for analysis, or have the tech manually upload a file for analysis.