Prevent, Detect and Respond with Cisco AMP for Endpoints


December 9, 2016

Cyberattacks are ever evolving to circumvent and evade “protection-only” technologies. Despite your best efforts to protect against compromise, a persistent attacker will eventually breach your defenses and get inside. Then what? IT security teams need to automatically detect a threat when it gets in. They need to know where it came from, how it entered, where it has been, what it is doing, and how to contain and remediate it before data is stolen and damage is done.

The good news for IT security teams is that next generation capabilities that go beyond protection, to also include automated detection and response, are rapidly emerging. The convergence of these capabilities marks a next generation in endpoint security.

Cisco AMP for Endpoints provides next generation capabilities to prevent, detect, and respond to cyberattacks quickly and effectively.

[Image: Cisco AMP Dashboard]

Prevent: AMP for Endpoints blocks malware and helps strengthen endpoints from attack:

  • Global Threat Intelligence – Prevention starts with strengthening your defenses using the best global threat intelligence so you can block malware as new threats emerge. Cisco’s team of threat researchers continuously feed threat intelligence into AMP for Endpoints so customers are protected 24/7.
  • Malware Blocking – AMP for Endpoints uses a framework of complementary detection engines, including one-to-one signatures, fuzzy fingerprinting, machine learning, and an AV detection engine—all working together to catch and block malware before it can execute.
  • File Sandboxing – A built-in sandbox automatically analyzes unknown files against over 700 behavioral indicators to detect malicious files and automatically block and quarantine them.
  • Proactive Protection – Closing attack pathways before they can be exploited is a key strategy for preventing compromise. AMP’s vulnerable software feature shows you all the software on your endpoints that can be exploited, with the ability to use application control to harden against attacks. AMP’s low prevalence capability detects targeted malware and prevents it from slipping under the detection radar.

One of the key tenets of a next generation endpoint security solution is the ability to go beyond prevention, since no prevention method will ever catch 100% of threats, 100% of the time.

Detect: That’s why AMP continually monitors all activity on your endpoints to quickly spot malicious behavior, detect indicators of compromise, and drastically decrease time to detection.

  • Continuous Monitoring and Analysis – Once a file lands on the endpoint, AMP for Endpoints continues to watch, analyze, and record all file activity, regardless of the file’s disposition. If malicious behavior is detected at some point in the future, AMP can automatically block the file across all endpoints and show the security team the entire recorded history of the malware’s behavior. You can see where it came from, where it’s been, and what it’s doing across all of your endpoints: PC, Mac, Linux, mobile devices. This helps you understand the full scope of the compromise and quickly respond.
  • Agentless Detection – AMP for Endpoints delivers agentless detection, a unique capability that detects compromise across customer environments, even if a host does not (or cannot) have an agent installed. Using Cisco’s Cognitive Threat Analytics (CTA) technology, AMP inspects web proxy logs to uncover things like memory-only malware and infections that live in a web browser only.
  • File-less detection – Get visibility into what command line arguments are used to launch executables to determine if legitimate applications, including Windows utilities, are being used for malicious purposes. For instance, see if vssadmin is being used to delete shadow copies or disable safe boots; see PowerShell-based exploits; see into privilege escalation, modifications of access control lists (ACLs), and attempts to enumerate systems.
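
The command-line inspection described above can be illustrated with a small detector. This is an added example, not AMP code: it runs a set of illustrative rules over constructed process-creation events (parent process plus full command line), flagging shadow-copy deletion, recovery-disabling boot settings, hidden or encoded PowerShell, ACL changes, and account enumeration, while letting routine use of the same utilities pass.

```python
import re

# Constructed sample process-creation events (not real AMP telemetry):
# parent process and full command line for each launched executable.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": "explorer.exe", "cmd": "notepad.exe C:\\Users\\alice\\notes.txt"},
    {"host": "ws01", "parent": "cmd.exe", "cmd": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "ws02", "parent": "cmd.exe", "cmd": "bcdedit.exe /set {default} recoveryenabled No"},
    {"host": "ws02", "parent": "winword.exe", "cmd": "powershell.exe -nop -w hidden -enc <base64-placeholder>"},
    {"host": "srv01", "parent": "cmd.exe", "cmd": "icacls.exe C:\\Windows\\Temp /grant Everyone:F"},
    {"host": "srv01", "parent": "backup.exe", "cmd": "vssadmin.exe List Shadows"},
    {"host": "ws03", "parent": "cmd.exe", "cmd": "net.exe user /domain"},
]

# Illustrative rule set (assumed, not AMP's): (rule name, case-insensitive regex
# over the command line). Each rule keys on the arguments, not just the binary,
# so routine use such as "vssadmin list shadows" does not fire.
RULES = [
    ("shadow_copy_deletion", r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b"),
    ("recovery_disabled", r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b"),
    ("powershell_encoded_or_hidden", r"\bpowershell(?:\.exe)?\b.*(?:-enc\w*|-w(?:indowstyle)?\s+hidden)"),
    ("acl_modification", r"\bicacls(?:\.exe)?\b.*/grant\b"),
    ("host_enumeration", r"\b(?:net(?:\.exe)?\s+(?:user|group|view)|whoami(?:\.exe)?\s+/all)\b"),
]
COMPILED = [(name, re.compile(pat, re.IGNORECASE)) for name, pat in RULES]


def analyze(events):
    """Return one finding per (event, rule) match, preserving event order."""
    findings = []
    for ev in events:
        for name, rx in COMPILED:
            if rx.search(ev["cmd"]):
                findings.append({"host": ev["host"], "rule": name,
                                 "parent": ev["parent"], "cmd": ev["cmd"]})
    return findings


def hosts_with(findings, rule):
    """Hosts on which a given rule fired, sorted for stable output."""
    return sorted({f["host"] for f in findings if f["rule"] == rule})


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f['host']:6} {f['rule']:28} {f['parent']} -> {f['cmd']}")
```

The parent process is carried through in each finding because a document editor spawning PowerShell is itself a useful triage signal, even though the rules above key only on the command line.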

Respond: AMP for Endpoints provides a suite of response capabilities to quickly contain and eliminate threats across all endpoints, before damage can be done.

  • Threat Hunting Made Easy: Accelerate investigations and reduce management complexity by easily searching for threats across all endpoints using AMP’s simple, cloud-based UI. Search across the cloud and the endpoint to see file, telemetry, IoC, and threat intelligence data. Uncover artifacts left behind as part of the malware ecosystem. These capabilities let you quickly understand the context and scope of an attack so you can stop it fast.
  • Surgical, Automated Remediation: When AMP sees a threat, it automatically contains and remediates it across all of your endpoints: PCs, Macs, Linux, and mobile devices. Instantly, full-stop. No need to wait for a content update. Also, with just a few clicks, you can block a specific file across all or selected systems; block families of polymorphic malware; contain a compromised application being used as a malware gateway and stop the re-infection cycle; and stop malware call-back communications at the source, even for remote endpoints outside the corporate network.

Furthermore, AMP for Endpoints is not a siloed point product. It has an API that lets customers sync AMP for Endpoints with their other security tools or SIEMs. But most importantly, AMP for Endpoints is part of the larger, integrated security ecosystem of “AMP Everywhere”. In other words, AMP for Endpoints can share and correlate information from the endpoint to the network IPS, to the firewall, to your web or email gateways, and more, so that when you see a threat in one place, your entire security ecosystem can respond systemically. This allows you to respond faster and more comprehensively. This integrated architecture is a force multiplier for security teams.

To learn more about how AMP for Endpoints can protect your organization, please visit www.cisco.com/go/ampendpoint. View a demo or watch an overview video.
