Cisco Blogs

AMP for Endpoints + Cognitive Threat Analytics = More Visibility than Ever Before

- June 8, 2016 - 6 Comments

No matter how many security tools you deploy to defend your organization, malware is going to get in. You need to see it if you want any chance of stopping it. Cisco AMP for Endpoints provides deep visibility into the activity of files on your system so that you can spot malicious behavior quickly and then contain and eliminate threats before damage can be done. But malware is constantly evolving, becoming more sophisticated and stealthy every day. Your security tools need to evolve as well.

This is why we have added new capabilities to AMP for Endpoints. We recently integrated our Cognitive Threat Analytics (CTA) platform with AMP for Endpoints.

What is CTA? It is a cloud-based software-as-a-service (SaaS) offering that turns an existing web proxy (Cisco Cloud Web Security (CWS), Cisco Web Security Appliance (WSA), or Blue Coat ProxySG) into a security sensor by analyzing the proxy's traffic for command-and-control communications. Analyzing over 3 billion web requests daily, CTA finds malicious activity that has already bypassed security controls and is now operating inside an organization's environment. CTA does this by:

  1. Establishing a baseline of normal network activity using trust modeling and event classification
  2. Separating out the activity that deviates from that baseline to find compromised devices in your environment
  3. Using machine learning to continuously update and improve its models as threats evolve over time
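To make the first two steps concrete, here is a small, added illustration of the same idea applied to web-proxy logs: build a baseline of which destinations are commonly contacted across the fleet, then pull out client/destination pairs that talk to a rarely-seen host on a suspiciously regular schedule (the "beaconing" pattern typical of command-and-control traffic). This is not CTA's own algorithm, which is proprietary and uses far richer modeling; the log format, thresholds and sample lines below are constructed for the example.

```python
"""Toy beaconing detector over web-proxy logs.

Added illustration, not CTA's implementation: a baseline of host
prevalence across clients, then anomaly extraction of regular-interval
traffic to rare hosts. Log format and thresholds are hypothetical.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (hypothetical, simplified proxy format):
# "<ISO timestamp> <client IP> <destination host>" per line.
# 10.0.0.7 contacts cdn-sync.example.net roughly every 300 s (beacon-like);
# all three clients poll update.example.org every 600 s (normal updater);
# www.example.com is browsed at irregular times.
SAMPLE_LOG = """\
2016-06-08T09:00:00 10.0.0.7 cdn-sync.example.net
2016-06-08T09:00:00 10.0.0.7 update.example.org
2016-06-08T09:00:00 10.0.0.8 update.example.org
2016-06-08T09:00:00 10.0.0.9 update.example.org
2016-06-08T09:00:30 10.0.0.8 www.example.com
2016-06-08T09:01:10 10.0.0.7 www.example.com
2016-06-08T09:03:05 10.0.0.8 www.example.com
2016-06-08T09:05:02 10.0.0.7 cdn-sync.example.net
2016-06-08T09:07:45 10.0.0.7 www.example.com
2016-06-08T09:10:00 10.0.0.7 update.example.org
2016-06-08T09:10:00 10.0.0.8 update.example.org
2016-06-08T09:10:00 10.0.0.9 update.example.org
2016-06-08T09:10:01 10.0.0.7 cdn-sync.example.net
2016-06-08T09:11:00 10.0.0.9 www.example.com
2016-06-08T09:12:20 10.0.0.9 www.example.com
2016-06-08T09:14:59 10.0.0.7 cdn-sync.example.net
2016-06-08T09:20:00 10.0.0.7 update.example.org
2016-06-08T09:20:00 10.0.0.8 update.example.org
2016-06-08T09:20:00 10.0.0.9 update.example.org
2016-06-08T09:20:00 10.0.0.7 cdn-sync.example.net
2016-06-08T09:22:13 10.0.0.7 www.example.com
2016-06-08T09:25:03 10.0.0.7 cdn-sync.example.net
2016-06-08T09:30:00 10.0.0.7 update.example.org
2016-06-08T09:30:00 10.0.0.8 update.example.org
2016-06-08T09:30:00 10.0.0.9 update.example.org
2016-06-08T09:30:01 10.0.0.7 cdn-sync.example.net
2016-06-08T09:31:40 10.0.0.8 www.example.com
2016-06-08T09:32:01 10.0.0.8 www.example.com
"""


def parse_log(text):
    """Parse log lines into (timestamp, client, host) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        events.append((datetime.fromisoformat(parts[0]), parts[1], parts[2]))
    return events


def host_prevalence(events):
    """Baseline step: number of distinct clients that contacted each host."""
    clients_per_host = defaultdict(set)
    for _, client, host in events:
        clients_per_host[host].add(client)
    return {host: len(c) for host, c in clients_per_host.items()}


def beacon_candidates(events, min_requests=4, max_cv=0.1, max_clients=1):
    """Anomaly step: (client, host) pairs with near-constant request intervals
    to a host that at most `max_clients` clients in the baseline talk to.

    The coefficient of variation (stdev / mean) of the inter-request gaps
    measures regularity; human browsing is bursty, beacons are not.
    """
    prevalence = host_prevalence(events)
    stamps_by_pair = defaultdict(list)
    for ts, client, host in events:
        stamps_by_pair[(client, host)].append(ts)

    findings = []
    for (client, host), stamps in stamps_by_pair.items():
        if len(stamps) < min_requests or prevalence[host] > max_clients:
            continue  # too little data, or the host is common fleet-wide
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps)
        if period <= 0:
            continue  # duplicate timestamps only; nothing to measure
        cv = pstdev(gaps) / period
        if cv <= max_cv:
            findings.append({"client": client, "host": host, "requests": len(stamps),
                             "period_s": round(period, 1), "cv": round(cv, 3)})
    return findings


if __name__ == "__main__":
    for f in beacon_candidates(parse_log(SAMPLE_LOG)):
        print(f"{f['client']} -> {f['host']}: {f['requests']} requests, "
              f"period {f['period_s']}s, cv {f['cv']}")
```

With the defaults only 10.0.0.7 to cdn-sync.example.net is reported; the equally regular update.example.org traffic is suppressed because the baseline shows three clients using it. Raising `max_clients` to 3 makes those updater pairs appear as well, which is the trade-off the baseline step exists to manage.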

Here is how the integration works:

If you have AMP for Endpoints deployed alongside Cisco CWS, WSA, or a Blue Coat web proxy, CTA capabilities can be turned on with a few clicks inside the AMP for Endpoints console. Then follow a few easy steps to configure CTA with your web proxy, and you’re ready to go.

CTA inspects web logs, traffic and telemetry from the web proxy, and then CTA detection events are pushed to AMP for Endpoints for further investigation, giving you an added level of visibility.

This integration allows AMP for Endpoints users to:

  1. See more malware than before. With the added visibility from CTA, you can find additional classes of malware, including polymorphic malware; file-less or memory-only malware; PowerShell script attacks; and infections that live only inside a web browser.
  2. Reduce endpoint exposure to threats. Because CTA observes the network side of an infection, you can catch more malware before it reaches the operating system and prevent those infections from progressing to a terminal stage. For instance, ransomware caught at this stage can be stopped before it starts encrypting files, which makes remediation a lot easier.
  3. Get visibility into devices where you cannot install an AMP for Endpoints connector. AMP for Endpoints can be deployed on Windows, Mac, Linux, and mobile devices and gives you deep visibility into activity on those devices. Since CTA analyzes the web traffic of every device behind the proxy, the security team also gets a view into devices such as connected TVs, printers, and BYOD devices whose owners may not want a connector on their personal hardware.
  4. Make investigations easier and faster. Because CTA pushes its detections into AMP for Endpoints, you can see the results from both systems in one place, and act on them, from the AMP for Endpoints console.

As a result of this integration with CTA, our engineers have reported that AMP for Endpoints is seeing about 30% more infections on average.

To learn more and watch a demo, visit cisco.com/go/ampendpoint-cta.


6 Comments

    Not only will this help provide more threat detections, IoCs and events in the AMP console...this will help customers achieve rapid time to value with an AMP POV and purchase. This is a very useful update to the AMP for Endpoints product.

    Is there any additional license cost?

    • If you deploy AMP for Endpoints alongside one of the compatible web proxies mentioned above, no, there is no license cost for CTA. It is available to you as a customer of AMP for Endpoints AND if you have one of the web proxies listed.

    Oh, btw, what would also be nice is if AMP on my ESA and WSA could report to my AMP for Endpoints console...

    • Thank you for your enhancement request, I will be sure to pass it on to the AMP Product Management team

    Any integration for CTA with Sourcefire FireAMP and NetworkAMP?
