Cisco Blogs

EPP? EDR? Cisco AMP for Endpoints is Next Generation Endpoint Security

February 9, 2017

You may be wondering why Cisco AMP for Endpoints was not included in Gartner’s 2017 Magic Quadrant for Endpoint Protection Platforms (EPP). Traditionally, Gartner placed Cisco AMP for Endpoints within their Endpoint Detection and Response (EDR) category of endpoint security tools. But as buyer needs evolve, so does the market category. In fact, looking at Gartner’s parameters for EPP in the recently released report, AMP for Endpoints satisfies and exceeds in many feature categories of EPP. Gartner also added a few AMP for Endpoints competitors to the EPP MQ that they traditionally categorized as EDR, like Carbon Black, Crowdstrike and Palo Alto Networks.

So, where does an EPP end and an EDR begin? The lines are pretty blurred on this, as even Gartner points out in the report. The evolution of the marketplace is driving a convergence of capabilities. This convergence is creating a new breed of endpoint security tools that can no longer be neatly packed into a well-defined box, like EPP or EDR. In fact, Gartner predicts that “by 2019, EPP and EDR capabilities will have merged into a single offering.” This development is a positive one for consumers of endpoint security technology, as it provides a comprehensive set of capabilities within one platform, eliminating the need to manage two different tools and interfaces. It also means tighter integration and correlation between the primary functions of a comprehensive endpoint security strategy – prevention capabilities provided by EPPs, and detection and response capabilities (if something evades preventative measures) provided by EDRs.

We appreciate that Gartner recognizes this changing landscape and convergence of capabilities, as Cisco AMP for Endpoints embodies this evolution. Cisco AMP for Endpoints provides next generation capabilities to prevent attacks (like an EPP is designed to do), as well as capabilities to quickly detect and respond to advanced malware if it evades preventative measures (like an EDR is designed to do).

So how does Cisco AMP for Endpoints do this?

Prevent: AMP for Endpoints blocks malware and helps harden endpoints against attack:

  • Global Threat Intelligence – Prevention starts with strengthening your defenses using the best global threat intelligence so you can block malware as new threats emerge. Cisco’s team of threat researchers continuously feed threat intelligence into AMP for Endpoints so customers are protected 24/7.
  • Malware Blocking – AMP for Endpoints uses a framework of complementary detection engines, including one-to-one signatures, fuzzy fingerprinting, machine learning, and an AV detection engine—all working together to catch and block malware before it can execute.
  • File Sandboxing – A built-in sandbox automatically analyzes unknown files against over 700 behavioral indicators to detect malicious files and automatically block and quarantine them.
  • Proactive Protection – Closing attack pathways before they can be exploited is a key strategy for preventing compromise. AMP’s vulnerable software feature shows you all the software on your endpoints that can be exploited, with the ability to use application control to harden against attacks. AMP’s low prevalence capability detects targeted malware and prevents it from slipping under the detection radar.

One of the key tenets of a next generation endpoint security solution is the ability to go beyond prevention, since no prevention method will ever catch 100% of threats, 100% of the time.

Detect: That’s why AMP continually monitors all activity on your endpoints to quickly spot malicious behavior, detect indicators of compromise, and drastically decrease time to detection.

  • Continuous Monitoring and Analysis – Once a file lands on the endpoint, AMP for Endpoints continues to watch, analyze, and record all file activity, regardless of the file’s disposition. If malicious behavior is detected at some point in the future, AMP can automatically block the file across all endpoints, and show the security team the entire recorded history of the malware’s behavior. You can see where it came from, where it’s been, and what it’s doing across all of your endpoints: PC, Mac, Linux, mobile devices. This helps you understand the full scope of the compromise and quickly respond.
  • Agentless Detection – AMP for Endpoints delivers agentless detection, a unique capability that detects compromise across customer environments, even if a host does not (or cannot) have an agent installed. Using Cisco’s Cognitive Threat Analytics (CTA) technology, AMP inspects web proxy logs to uncover things like memory-only malware and infections that live in a web browser only.
  • File-less Detection – Get visibility into the command line arguments used to launch executables to determine whether legitimate applications, including Windows utilities, are being used for malicious purposes. For instance, see if vssadmin is being used to delete shadow copies or disable safe boot; see PowerShell-based exploits; see into privilege escalation, modifications of access control lists (ACLs), and attempts to enumerate systems.
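To make the command-line visibility described above concrete, here is an added example (not Cisco code and not AMP's actual rule logic) that runs a few defender-side rules over constructed process-creation command lines: shadow-copy deletion via vssadmin, encoded or hidden PowerShell launches, and broad ACL grants via icacls. The sample events and rule thresholds are assumptions for illustration.

```python
import shlex

# Constructed sample process-creation command lines, not real telemetry.
SAMPLE_EVENTS = [
    "vssadmin list shadows",                                   # benign inventory
    "vssadmin delete shadows /all /quiet",                     # shadow copies removed
    "powershell.exe -NoP -W Hidden -EncodedCommand SQBFAFgAIAAkAGUAbgB2AA==",
    "powershell.exe -File C:\\scripts\\backup.ps1",            # ordinary scheduled script
    "icacls C:\\Users\\Public\\tools /grant Everyone:F",      # ACL weakened for everyone
]

def tokens(cmdline):
    """Lower-cased argument tokens; non-POSIX shlex keeps Windows backslashes intact."""
    return [t.lower() for t in shlex.split(cmdline, posix=False)]

def image_name(tok):
    """Bare executable name without directory, quotes, or .exe suffix."""
    name = tok.rsplit("\\", 1)[-1].strip('"')
    return name[:-4] if name.endswith(".exe") else name

def rule_shadow_copy_deletion(toks):
    """vssadmin used to remove shadow copies, a common step before file encryption."""
    return image_name(toks[0]) == "vssadmin" and "delete" in toks and "shadows" in toks

def rule_encoded_powershell(toks):
    """PowerShell launched with two or more evasion-style switches (encoded, hidden, no profile)."""
    flags = {"-encodedcommand", "-enc", "-e", "-w", "-windowstyle", "-nop", "-noprofile"}
    return image_name(toks[0]) == "powershell" and len(flags & set(toks)) >= 2

def rule_acl_weakening(toks):
    """icacls granting Everyone or Users full control on a path."""
    return image_name(toks[0]) == "icacls" and "/grant" in toks and any(
        t.startswith(("everyone:", "users:")) and t.endswith(":f") for t in toks)

RULES = [rule_shadow_copy_deletion, rule_encoded_powershell, rule_acl_weakening]

def detect(events=SAMPLE_EVENTS):
    """Return (event index, rule name) for every rule that fires on each event."""
    hits = []
    for i, cmdline in enumerate(events):
        toks = tokens(cmdline)
        if not toks:
            continue
        hits.extend((i, rule.__name__) for rule in RULES if rule(toks))
    return hits

if __name__ == "__main__":
    for i, name in detect():
        print(f"event {i}: {name}: {SAMPLE_EVENTS[i]}")
```

In practice the command lines would come from the endpoint agent's process telemetry and the rules would be tuned against a baseline of the environment's legitimate administrative activity.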

Respond: AMP for Endpoints provides a suite of response capabilities to quickly contain and eliminate threats across all endpoints, before damage can be done.

  • Threat Hunting Made Easy – Accelerate investigations and reduce management complexity by easily searching for threats across all endpoints using AMP’s simple, cloud-based UI. Search across the cloud and the endpoint to see file, telemetry, IoC, and threat intelligence data. Uncover artifacts left behind as part of the malware ecosystem. These capabilities let you quickly understand the context and scope of an attack so you can stop it fast.
  • Surgical, Automated Remediation – When AMP sees a threat, it automatically contains and remediates it across all of your endpoints. Instantly, full-stop. No need to wait for a content update. Also, with just a few clicks, you can block a specific file across all or selected systems; block families of polymorphic malware; contain a compromised application being used as a malware gateway and stop the re-infection cycle; and stop malware call-back communications at the source, even for remote endpoints outside the corporate network.

To learn more about Cisco AMP for Endpoints, visit www.cisco.com/go/ampendpoint


3 Comments

  1. How does it stop ransomware?

      Hi Zee, check out this video: https://learn-umbrella.cisco.com/webcasts/tracking-the-most-significant-cyber-threat-ransomware

      Are there any endpoints that are not protected by AMP?