
This is because the endpoint is, well, the end. That is where data resides; where individuals organize, communicate, and conduct nearly all activities of their lives; and what the bad guys often consider the crown jewel of your organization. I’ve heard some people call the endpoint the new perimeter. Similarly, where your data goes is your perimeter, so you better continue to protect the edge.

 

The last line

Ultimately, endpoints are the last line of defense. Whether that’s the CFO’s laptop, an executive’s mobile device (phone, tablet, wearable tech…), or even your servers, these devices contain the sensitive information that someone is looking for. In the case of the CFO, the credentials he/she uses are just as valuable as banking information – and perhaps more so. Credentials belonging to an IT admin, those are like striking gold.

The most in-your-face example is ransomware. Nothing says you’ve been owned like your screen being taken over with a demand for some kind of cryptocurrency. Yet sometimes it’s not so obvious.

Let’s take malicious cryptocurrency mining for example. The goal here is to go undetected for as long as possible in order to maintain control of your hosts. Threat actors get to use all your resources and slowly wear down your corporate machines by running them at 98% CPU utilization during non-business hours to perform mining on their behalf.

But hey, thanks for the free resources for my mining operation and enjoy replacing those computers in 12 months.
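The pattern described above (CPU pegged near 98% outside business hours) can be checked against host telemetry. The following is an added example, not part of the original post or any Cisco product; the business hours, thresholds, host names and samples are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

BUSINESS_START, BUSINESS_END = 8, 18    # assumed local business hours
CPU_THRESHOLD = 90.0                    # assumed alert threshold (percent)
MIN_SUSTAINED = timedelta(hours=2)      # assumed minimum length of a run
MAX_GAP = timedelta(minutes=45)         # a larger gap between samples ends a run

def _series(host, start, count, cpu, step=timedelta(minutes=30)):
    """Build constructed (host, ISO timestamp, cpu%) samples."""
    t0 = datetime.fromisoformat(start)
    return [(host, (t0 + i * step).isoformat(), cpu) for i in range(count)]

# Constructed telemetry; 2024-03-04 is a Monday.
SAMPLES = (
    _series("fin-lt-01", "2024-03-04T09:00:00", 18, 12.0)      # idle work day
    + _series("fin-lt-01", "2024-03-04T19:00:00", 22, 98.0)    # pegged overnight
    + _series("build-srv-02", "2024-03-04T10:00:00", 8, 95.0)  # daytime builds
    + _series("hr-lt-07", "2024-03-04T23:00:00", 2, 97.0)      # brief night spike
)

def off_hours(ts):
    """True on weekends and outside the assumed business hours."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.hour < BUSINESS_END)

def find_sustained_off_hours_load(samples):
    """Return (host, run_start, run_end) for long off-hours high-CPU runs."""
    by_host = defaultdict(list)
    for host, ts, cpu in samples:
        by_host[host].append((datetime.fromisoformat(ts), cpu))
    findings = []
    for host, rows in by_host.items():
        rows.sort()
        start = prev = None
        for ts, cpu in rows + [(None, 0.0)]:    # sentinel closes the last run
            hot = ts is not None and cpu >= CPU_THRESHOLD and off_hours(ts)
            if hot and start is not None and ts - prev <= MAX_GAP:
                prev = ts                        # run continues
                continue
            if start is not None and prev - start >= MIN_SUSTAINED:
                findings.append((host, start, prev))
            start = prev = ts if hot else None   # begin a new run or reset
    return findings

if __name__ == "__main__":
    for host, begin, end in find_sustained_off_hours_load(SAMPLES):
        print(f"{host}: sustained off-hours load {begin} -> {end}")
```

Only the overnight run on `fin-lt-01` is reported; the daytime build load and the 30-minute spike are ignored.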

 

How the endpoint is used in investigations

While the endpoint is the last line of defense, it’s not the last line of investigation. These days, it’s generally the start.

Legacy endpoint security solutions were so focused on prevention, they did little to nothing towards aiding the post-compromise investigation (detection). These are categorized as Endpoint Protection Platform (EPP) tools.

When the original version of AMP for Endpoints (called Immunet Protect back then) was invented in 2009, it was the first approach to cloud-managed security that would continually monitor for malicious activity. Today these tools are categorized as Endpoint Detection & Response (EDR) tools. AMP for Endpoints has led the way towards a new category known as next-generation endpoint security solutions, and these tools have incorporated EDR with traditional prevention measures.

EDR capabilities provide detailed visibility into malicious activity and files across the entire organization. At the very least, EDR capabilities should:

  • Detect security incidents, as the name implies. Ideally the solution continuously monitors and analyzes based on new threat intelligence and can provide retrospective alerting.
  • Contain the incident at the endpoint; and at the very least it eliminates the possibility for a threat to propagate.
  • Allow rapid investigation of security incidents. The quality of contextual data is the key differentiator between solutions.
  • Use Casebook across AMP for Endpoints and other integrated products while performing an investigation to ensure you never lose what you are working on.
  • Provide remediation guidance, whether that is remediation from the solution, or what you should be doing (you don’t always have to reimage).

 

Contextual awareness

Having a rich view of what happened on the endpoint is critical to incident response. Any professional responder will tell you it’s the single most important information source, but they still need so much more information. The defender needs to know how it happened to prevent a recurrence, but what more do they need to know? There are so many possible tools, products and other telemetry sources that they need to ask: “do you know more about anything involved in my incident?”

Most incident response professionals have scripts they run in an attempt to automate the time-intensive and painstaking activity of correlating the endpoint events with other global threat intelligence and telemetry. Cisco takes this much further, extending that mindset & capability to the Cisco customer through Cisco Threat Response (CTR). Threat Response brings together global threat intelligence and localized security context, which reduces complexity by automatically enriching observables across multiple sources and collating the results into an intuitive format in one location.

Cisco Threat Response will identify malicious observables and speed up incident response by showing incident responders the threats on their network through the gathering and combining of threat intelligence available from Cisco and 3rd parties alike.
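The kind of correlation script mentioned above, as an added example that is not from the original post and does not use the Cisco Threat Response API: it pulls observables out of an alert, looks them up in a global intelligence table, and collates local sightings per observable. Every feed, log entry, host name and observable below is constructed for illustration.

```python
import re

# All data below is constructed for illustration.
GLOBAL_INTEL = {    # (type, value) -> disposition from a threat-intel feed
    ("domain", "pool.miner.example"): "malicious",
    ("ip", "203.0.113.50"): "suspicious",
}
LOCAL_SIGHTINGS = [  # (source, host, observable type, value)
    ("dns-log", "fin-lt-01", "domain", "pool.miner.example"),
    ("dns-log", "hr-lt-07", "domain", "pool.miner.example"),
    ("proxy-log", "fin-lt-01", "ip", "203.0.113.50"),
    ("proxy-log", "build-srv-02", "domain", "updates.vendor.example"),
]
ALERT_TEXT = ("fin-lt-01 connected to pool.miner.example (203.0.113.50) "
              "then updates.vendor.example")
RANK = {"unknown": 0, "suspicious": 1, "malicious": 2}

def extract_observables(text):
    """Return de-duplicated (type, value) pairs: IPv4 addresses, then domains."""
    ips = re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", text)
    domains = re.findall(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", text)
    pairs = [("ip", v) for v in ips] + [("domain", v) for v in domains]
    return list(dict.fromkeys(pairs))

def enrich(observables, intel, sightings):
    """Join global disposition with local sightings, worst disposition first."""
    report = []
    for obs in observables:
        seen = [(src, host) for src, host, typ, val in sightings
                if (typ, val) == obs]
        report.append({
            "observable": obs,
            "disposition": intel.get(obs, "unknown"),
            "hosts": sorted({h for _, h in seen}),
            "sources": sorted({s for s, _ in seen}),
        })
    return sorted(report, key=lambda r: RANK[r["disposition"]], reverse=True)

def impacted_hosts(report):
    """Hosts that touched any observable with a non-unknown disposition."""
    return sorted({h for r in report if r["disposition"] != "unknown"
                   for h in r["hosts"]})

if __name__ == "__main__":
    result = enrich(extract_observables(ALERT_TEXT), GLOBAL_INTEL, LOCAL_SIGHTINGS)
    for row in result:
        print(row)
    print("impacted:", impacted_hosts(result))
```

The alert names only `fin-lt-01`, but the collated result also surfaces `hr-lt-07`, which resolved the same domain.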

Using CTR, organizations can:

  • Quickly answer questions about observables.
  • Easily hunt for an observable associated with a known actor and immediately see organizational impact.
  • Rapidly block and unblock domains and file executions from Cisco Threat Response.
  • Reduce response time using snapshots of their investigations for future analysis.
  • Seamlessly document analysis in a cloud-based casebook from all integrated or web-accessible tools, via an API.
  • Effortlessly integrate Cisco Threat Response into existing processes and custom tools.

This video provides a comprehensive overview of Cisco Threat Response, and how you can gain full visibility of an incident from the point at which an alert appeared on the endpoint, to gaining full contextual awareness across the organization. When you correlate rich endpoint telemetry with the network data, you finally get the full picture in just a matter of minutes.

If you are interested in trying out Cisco Threat Response for yourself, you can get a 30-day free trial of AMP for Endpoints with Threat Response here: www.cisco.com/go/tryamp

 

 



Authors

Aaron Woland

Principal Engineer

Advanced Threat Security & Integrations