
Uncover the Where, When, and How of an Attack with “Trajectory” from Cisco AMP for Endpoints

September 26, 2017

You’re walking down the sidewalk, headphones in your ears, music blasting, and your head is buried in your phone reading a text message.

CRUNCH.

You look down and you’ve just stepped in a pile of… (no, not that)… broken glass. A car parked on the street was broken into, and the glass from the shattered window is strewn all over the sidewalk. If you live in a city, especially San Francisco, this is a familiar scene.

As seasoned city folk, we take all the necessary precautions to prevent our street-parked cars from being burglarized. Lock the car, set the alarm, and don’t leave items visible in the car. But despite our best efforts to prevent break-ins, they happen.

The same can be said when it comes to defending your laptops, servers and mobile devices from cyberattacks. Despite your best efforts to prevent an attack (using tools like antivirus and signature detection), you know that no prevention method will ever be 100% effective. Cybercriminals are too smart and too persistent—they want to get inside to steal your stuff.

So when attackers evade prevention measures and get onto your endpoints, you need the ability to quickly identify the attack and understand how they got in and what they have been up to. Only then can you stop the attack before they leave with your sensitive data. A complete recording of the attack from start to finish would give you the contextual picture of everything that happened, so you could mount a rapid, informed response.

The last time my car was burglarized, I thought I scored the jackpot – a recording of the devious act. One morning, I came across the sad scene of my driver’s-side window busted out, and then spotted a security camera on a nearby apartment building. I talked to the building manager and got a hold of the footage, which showed the shadow of a car pulling up alongside mine, and then a person hop out, smash my window and grab a whole bunch of nothing (a $6 USB car lighter charger adapter) in a matter of seconds. The footage was blurry, the make and model of the getaway car was outside of the camera’s field of view, and the perpetrator had done a very good job of masking their face. There was no way this footage would have helped police (not that a stolen USB charger was worth their effort anyway).

That security camera is an example of the problem with endpoint security solutions today. After preventative measures fail, they still don’t provide you and your security team with:

  1. the deep visibility you need to fully understand the attack and help you mount a rapid response
  2. a clear picture of what happened
  3. a wide enough field of view to capture every aspect of the attack

Advanced malware is also adept at masking itself, using techniques like polymorphism, to fool your endpoint security tools and evade detection.

But what if that camera worked? What if every endpoint deployed throughout your organization had an all-seeing eagle eye that watched and recorded everything it saw, could automatically block an attack at the first sign of trouble, and could show you in crystal clear detail where the attack came from, when the threat entered your system, where else it has been, and what it is doing?

That’s what you get with Device and File Trajectory from Cisco AMP for Endpoints. In addition to a slew of preventative techniques, AMP continuously analyzes and records all file activity on endpoints, regardless of a file’s disposition: a file that looked clean when it first arrived is recorded just the same, so a file convicted later can still be traced back to its entry point. At the first sign of malicious behavior, AMP alerts you with an indication of compromise, can automatically block the file, and shows you the complete recorded history of the threat across the entire environment.

Device Trajectory shows the origin of the threat on a single endpoint, how and when that file infiltrated the endpoint, and what it did.

File Trajectory then lets you expand your view from the first endpoint that saw the threat, to all endpoints across your entire environment that also saw the threat.
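To make the two views concrete, here is a small added example (written for this page, not Cisco’s own AMP code, data format or query API) of what a continuous recording of file activity has to support. The event fields, hostnames, paths, hashes and timestamps are all constructed; the point is that every file action is indexed by hash and by host at the time it happens, so that when a file’s disposition later flips to malicious, one query answers which hosts saw it and when (the File Trajectory view), and another reconstructs, on a single host, where the file came from and what it did (the Device Trajectory view).

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FileEvent:
    """One recorded file action on one endpoint (field names are this example's own)."""
    ts: int                        # event time in seconds (constructed values)
    host: str
    action: str                    # "created" | "executed" | "connected"
    sha256: str                    # hash of the file the event is about
    path: str
    parent: Optional[str] = None   # hash of the file/process that created or launched it
    detail: str = ""               # e.g. remote address for "connected"


# Placeholder hashes, constructed for the example (not real samples).
OUTLOOK = "0a" * 32
INVOICE = "1b" * 32
DROPPER = "2c" * 32
NOTEPAD = "3d" * 32

# Constructed telemetry. Every action is recorded when it happens,
# whether the file is known good, known bad or (like the dropper) unknown.
EVENTS = [
    FileEvent(1000, "HOST-A", "executed", OUTLOOK, r"C:\Program Files\Microsoft Office\OUTLOOK.EXE"),
    FileEvent(1010, "HOST-A", "created", INVOICE, r"C:\Users\alice\Downloads\invoice.docm", parent=OUTLOOK),
    FileEvent(1020, "HOST-A", "created", DROPPER, r"C:\Users\alice\AppData\Local\Temp\update.exe", parent=INVOICE),
    FileEvent(1030, "HOST-A", "executed", DROPPER, r"C:\Users\alice\AppData\Local\Temp\update.exe", parent=INVOICE),
    FileEvent(1040, "HOST-A", "connected", DROPPER, r"C:\Users\alice\AppData\Local\Temp\update.exe", detail="203.0.113.5:443"),
    FileEvent(1500, "HOST-B", "executed", NOTEPAD, r"C:\Windows\System32\notepad.exe"),
    FileEvent(2000, "HOST-B", "created", DROPPER, r"C:\Windows\Temp\update.exe"),
    FileEvent(2010, "HOST-B", "executed", DROPPER, r"C:\Windows\Temp\update.exe"),
    FileEvent(3000, "HOST-C", "created", DROPPER, r"C:\Windows\Temp\update.exe"),
]


class TrajectoryStore:
    """Index of recorded events by hash and by host, queried after the fact."""

    def __init__(self, events):
        self.by_hash = defaultdict(list)
        self.by_host = defaultdict(list)
        for e in sorted(events, key=lambda ev: ev.ts):
            self.by_hash[e.sha256].append(e)
            self.by_host[e.host].append(e)

    def file_trajectory(self, sha256):
        """File view: every host that has seen the hash, ordered by first sighting.
        The first entry is patient zero."""
        first = {}
        for e in self.by_hash.get(sha256, []):
            first.setdefault(e.host, (e.ts, e.path))
        return [(host, ts, path) for host, (ts, path) in
                sorted(first.items(), key=lambda kv: kv[1][0])]

    def device_trajectory(self, host, sha256):
        """Device view on one host: the chain of parents that brought the file in,
        and everything the file itself did there."""
        events = self.by_host.get(host, [])
        creators = {e.sha256: e.parent for e in events if e.action == "created"}
        chain, cur = [], sha256
        while cur is not None and cur not in chain:   # stop at the root; guard against cycles
            chain.append(cur)
            cur = creators.get(cur)
        actions = [(e.ts, e.action, e.detail or e.path)
                   for e in events if e.sha256 == sha256 and e.action != "created"]
        return {"origin_chain": chain, "actions": actions}

    def hosts_that_executed(self, sha256):
        """Hosts where the file actually ran: the containment list."""
        return sorted({e.host for e in self.by_hash.get(sha256, []) if e.action == "executed"})


if __name__ == "__main__":
    store = TrajectoryStore(EVENTS)
    # Suppose the dropper is convicted only now. The recording already holds
    # everything needed to answer where, when and how.
    for host, ts, path in store.file_trajectory(DROPPER):
        print(f"{host}: first seen t={ts} at {path}")
    print(store.device_trajectory("HOST-A", DROPPER))
    print("contain:", store.hosts_that_executed(DROPPER))
```

The origin chain on HOST-A comes out as dropper, then the macro document that wrote it, then the mail client that saved the document, which is the "how and when" of the Device Trajectory view; the file view lists HOST-A, HOST-B and HOST-C in order of first sighting, which is the fan-out the File Trajectory view is for. The `created` events for the dropper were recorded while its disposition was still unknown, which is the whole point of recording regardless of disposition.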

For an in-depth look at the Device and File Trajectory features in Cisco AMP for Endpoints, watch the video below or check out our website.
