We are very pleased to share the news that Cisco Advanced Malware Protection (AMP) for Endpoints earned high marks in malware protection tests, while achieving the lowest false alarms in the first AV Comparatives Business Main Test Series for 2020. This achievement demonstrates our steadfast commitment to delivering consistent security efficacy, enabling our customers to get superior protection from advanced threats.
The test series includes two types of tests, the Malware Protection Test and Business Real-World Protection Test. Cisco consistently showed a balance of high protection rates with very low false alarm across both tests. Here’s how.
The Malware Protection Test
The Malware Protection Test assesses a security program’s ability to protect a system against infection by malicious files before, during or after execution. We did very well, garnering a protection rate of 100% with zero false positive – performing better than Crowdstrike, Sophos, Fortinet, Kaspersky, Cybereason and FireEye among others. This test ran in March and consisted of having 1,192 recent malware samples thrown at us during that time. A passing score required a 90% or higher detection rate.
The Real-World Protection Test
The Real-World Protection Test examines how well the security product protects the endpoint in the most realistic way, using all protection capabilities at its disposal. We came in with 99.3% real-world protection rate. The whole idea here is to simulate what happens in the real world. In addition, products were also tested for false positive (FP) alarms on non-business applications to better determine the ability to distinguish good from bad. Cisco ranked in the lowest false positive group achieving a “Very Low” FP rate, performing better than Crowdstrike, VMware Carbon Black, Microsoft, FireEye, Cybereason and Panda. Vendors in the “Very High” FP rate had as many as 101-150 false positives.
To sum up, AMP for Endpoints achieved test results that demonstrated a balance of strong protection rates with very low false positives. In the end, our customers benefit the most from our solution’s top-rated accuracy, reliability and consistency in protecting their endpoints from malware and other threats.
Beyond Testing: What Our Customers Are Saying
We believe it’s important to put our technology to the test and we feel the results speak to how our solution helps our customers protect their organizations. But real-world feedback from customers who are using our endpoint security solution is critical. Now let’s take a look at the following examples of what our customers are saying about how Cisco AMP for Endpoints has protected them against from two of the most dangerous threats to their environment: fileless malware and ransomware.
Fileless malware operates in memory to avoid detection. Unlike traditional malware, these types of attacks do not have signatures, making them more difficult to detect and prevent. Fileless malware targets our day-to-day applications and can infiltrate the endpoints by exploiting vulnerabilities in software and operating system processes.
To defend against threats that target vulnerabilities in applications and operating system processes, Cisco AMP for Endpoints uses our exploit prevention engine to monitor the memory structure before attacks even begin. Exploit prevention is a true preventive engine that does not require policy tuning, prior knowledge, or rules to operate. When it stops an attack, it stops the application from running and logs contextual data in the AMP for Endpoints device trajectory, allowing users to see exactly where and how the malware entered a device.
Ransomware is a type of malicious software that typically attempts to encrypt the files on a victim’s computer. Upon successful encryption, it demands payment before the ransomed data is decrypted and access returned to the victim. Ransomware attacks are typically carried out using a malicious payload that is distributed as a legitimate file that tricks the user into downloading or opening when it arrives as an email attachment.
Cisco AMP for Endpoints defends your endpoints by monitoring the system and identifying processes that exhibit malicious activities when they execute. We detect threats by observing the behavior of the process at run time, allowing us to determine if a system is under attack, by a new variant of ransomware or malware that may have eluded other security products and detection technology, such as legacy signature-based malware detection, and stop them from running. As a result, we are able to quickly identify, block, and quarantine ransomware attacks on the endpoint.
Beyond fileless malware and ransomware defense, Cisco AMP for Endpoints provides multiple, powerful protection capabilities that work together to protect the endpoint from advanced threats in-memory (e.g. exploit prevention), on-disk (e.g. next gen AV) and post-infection (e.g. Indication of Compromise or IOC). For details on our protection techniques, click here.
We also know that endpoint protection is only as good as the intelligence it acts on. That’s why we employ machine learning and multiple protection engines fueled by Cisco Talos, the largest non-governmental threat intelligence organization on the planet. We discover more vulnerabilities than other vendors and push out protection before the bad guys can exploit them, giving you an advantage. And because we’re Cisco, Talos sees more network traffic than any other vendor. Whether a threat originates on the Internet, in an email, or on someone else’s network, our cloud-based global telemetry sees a threat once, anywhere in the world, and blocks it everywhere, across AMP for Endpoints and our entire security platform.
What’s Next?
AV-Comparatives’ testing is continuing through the rest of the year and we are looking forward to their ensuing reports.
In the meantime, experience threat hunting with AMP for Endpoints for yourself at one of our Threat Hunting Workshops or sign up for a free trial of AMP for Endpoints and take it for a test run.
What about MITRE?
Hi Joe,
Cisco continues to advance our capabilities to maximize your benefits from MITRE ATT&CK, including the release of built-in ATT&CK mappings, enhanced behavioral protection techniques and participation in the MITRE ATT&CK evaluation. Please view this blog on this topic for details: https://blogs.cisco.com/security/the-endless-evolution-for-endpoint-security.