By Ajit

Why Cisco AMP (Advanced Malware Protection) Solution?

Updated: Aug 31, 2021

It’s no longer a question of if you’ll be breached, it’s a matter of when. Prevention tools alone will never be 100 percent effective at preemptively detecting and blocking all attacks. Something will get in. Therefore, in the event of a breach, organizations need to be prepared with tools to quickly detect an intrusion, then respond to and remediate it.


Most network and endpoint-based antimalware systems inspect files only at the point in time when they traverse a control point into your extended network. That’s where the analysis stops. But malware is sophisticated and very good at evading initial detection. Sleep techniques, polymorphism, encryption, and the use of unknown protocols are just some of the ways that malware can hide from view.

You can’t defend against something you can’t see, and that is how most major security breaches occur. Security teams don’t have the visibility to quickly detect it or contain it, and before long, the malware has achieved its objectives, and the damage has been done.


Cisco AMP is different

The AMP system continuously analyzes files and traffic even after initial inspection. At the first sign of trouble, AMP will alert security teams and provide detailed information on the behavior of the threat, so you can answer crucial security questions, such as:

● Where did the malware come from?

● What was the method and point of entry?

● Where has it been and what systems were affected?

● What did the threat do and what is it doing now?

● How do we stop the threat and eliminate the root cause?


Using this information, security teams can quickly understand what happened and use AMP’s containment and remediation functionality to take action. With a few clicks from AMP’s easy-to-use browser-based management console, administrators can contain the malware by blocking the file from ever running on another endpoint again. And since AMP knows everywhere the file has been, it can pull the file out of memory and quarantine it for all other users. In the event of a malware intrusion, security teams no longer need to reimage complete systems to eliminate malware. That takes time, costs money and resources, and disrupts critical business functions.


This is the power of continuous analysis, continuous detection, and retrospective security: the ability to record the activity of every file in the system and, if a supposedly “good” file turns “bad,” the ability to detect it and rewind the recorded history to see the origin of the threat and the behavior it exhibited.

AMP also remembers what it sees, from the threat’s signature to the behavior of the file, and logs the data in AMP’s threat intelligence database to further strengthen front-line defenses so this file and files like it will not be able to evade initial detection again.


With AMP, security teams have the level of deep visibility and control necessary to quickly and efficiently detect attacks and discover stealthy malware; understand and scope a compromise; quickly contain and remediate malware (even zero-day attacks) before any damage can be done; and prevent similar attacks from happening.


Cisco® Advanced Malware Protection (AMP) is a security solution that addresses the full lifecycle of the advanced malware problem. It not only prevents breaches but also gives you the visibility, context, and control to rapidly detect, contain, and remediate threats if they evade front-line defenses, all cost-effectively and without affecting operational efficiency.

Product Overview


AMP offers comprehensive protection for your organization across the attack continuum: before, during, and after an attack.


Before an attack, AMP uses global threat intelligence from Cisco’s Talos Security Intelligence and Research Group and Threat Grid’s threat intelligence feeds to strengthen defenses and protect against known and emerging threats.


During an attack, AMP uses that intelligence coupled with known file signatures and Cisco Threat Grid’s dynamic malware analysis technology to identify and block policy-violating file types, exploit attempts, and malicious files trying to infiltrate the network.


After an attack, or after a file is initially inspected, the solution goes beyond point-in-time detection capabilities and continuously monitors and analyzes all file activity and traffic, regardless of disposition, searching for any indications of malicious behavior. If a file with an unknown or previously deemed “good” disposition starts behaving badly, AMP will detect it and instantly alert security teams with an indication of compromise. It then provides visibility into where the malware originated, what systems were affected, and what the malware is doing. It also provides the controls to rapidly respond to the intrusion and remediate it with a few clicks. This gives security teams the level of deep visibility and control they need to quickly detect attacks, scope a compromise, and contain malware before it causes damage.


AMP is built on exceptional security intelligence and dynamic malware analytics. The Cisco Talos Security Intelligence and Research Group, and Threat Grid threat intelligence feeds, represent the industry’s leading collection of real-time threat intelligence and big data analytics. This data is pushed from the cloud to the AMP client so that you have the latest threat intelligence to proactively defend against threats. You benefit from:

● 1.5 million incoming malware samples per day

● 1.6 million global sensors

● 100 TB of data per day

● 13 billion web requests

● A global team of engineers, technicians, and researchers

● 24-hour operations


AMP correlates files, behavior, telemetry data, and activity against this robust, context-rich knowledge base to quickly detect malware.


The integration of Threat Grid technology into AMP also provides:

● Highly accurate and context-rich intelligence feeds delivered in standard formats to integrate smoothly with existing security technologies

● Analysis of millions of samples every month, against more than 700 behavioral indicators, resulting in billions of artifacts

● An easy-to-understand threat score to help security teams prioritize threats


AMP uses all of this intelligence and analysis to either inform your security decision making or automatically take action on your behalf.


Main Features

Cisco Talos Security Intelligence and Research Group and Threat Grid threat intelligence feeds: Together these represent the industry’s largest collection of real-time threat intelligence, with the broadest visibility, the largest footprint, and the ability to put it into action across multiple security platforms.

Indications of compromise (IoCs): File and telemetry events are correlated and prioritized as potential active breaches.

File reputation: Advanced analytics and collective intelligence are gathered to determine whether a file is clean or malicious, allowing for more accurate detection.

Antivirus engine: Performs offline and system-based detections, including rootkit scanning, IOC scanning, and device and network flow monitoring.

Static and dynamic malware analysis: A highly secure sandboxing environment helps run, analyze, and test malware in order to discover previously unknown zero-day threats.

Retrospective detection: Alerts are sent when a file disposition changes after extended analysis, giving awareness of and visibility into malware that evades initial defenses.

File trajectory: Continuously track file propagation over time throughout your environment in order to achieve visibility and reduce the time required to scope a malware breach.

Device trajectory: Continuously track activity and communication on devices and on the system level to quickly understand root causes and the history of events leading up to and after a compromise.

Prevalence: Display all files that have been run in your organization, ordered by prevalence from lowest to highest, to help surface previously undetected threats seen by a small number of users.

Vulnerabilities: Shows a list of vulnerable software on your system, the hosts containing that software, and the hosts most likely to be compromised. Powered by our threat intelligence and security analytics, AMP identifies vulnerable software being targeted by malware, and the potential exploit, providing you with a prioritized list of hosts to patch.
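The retrospective detection, file trajectory and prevalence features listed above can be modelled in a few lines. This is an added conceptual example, not Cisco's code or the AMP API; the event format, hash placeholders, host names and function names are all constructed for illustration.

```python
from collections import defaultdict

# Constructed file-activity telemetry: (timestamp, host, file hash, action, source).
# Hashes and host names are placeholders, not real indicators.
EVENTS = [
    ("2021-08-02T10:15", "hr-laptop-2", "HASH_B", "executed", "explorer.exe"),
    ("2021-08-01T09:00", "hr-laptop-1", "HASH_A", "executed", "explorer.exe"),
    ("2021-08-01T08:58", "hr-laptop-1", "HASH_B", "downloaded", "browser.exe"),
    ("2021-08-01T09:05", "hr-laptop-1", "HASH_B", "executed", "explorer.exe"),
    ("2021-08-01T11:30", "hr-laptop-2", "HASH_B", "copied", "smb-share"),
    ("2021-08-01T09:10", "hr-laptop-2", "HASH_A", "executed", "explorer.exe"),
    ("2021-08-03T14:00", "fin-desktop-7", "HASH_A", "executed", "explorer.exe"),
]

def build_history(events):
    """Record every sighting per file hash, regardless of current disposition."""
    history = defaultdict(list)
    for ts, host, file_hash, action, source in sorted(events):  # ISO timestamps sort correctly
        history[file_hash].append(
            {"ts": ts, "host": host, "action": action, "source": source})
    return history

def retrospective_alert(history, dispositions, file_hash, new_disposition):
    """Apply a disposition change; when a file turns malicious, rewind its history."""
    old = dispositions.get(file_hash, "unknown")
    dispositions[file_hash] = new_disposition
    if new_disposition != "malicious" or old == "malicious":
        return None  # no change that needs retrospection
    sightings = history.get(file_hash, [])
    if not sightings:
        return None  # file was never seen in this environment
    hosts = list(dict.fromkeys(s["host"] for s in sightings))  # order of first sighting
    return {"file": file_hash, "previous": old, "entry": sightings[0],
            "affected_hosts": hosts, "trajectory": sightings}

def prevalence(history):
    """Files ordered by number of distinct hosts that saw them, lowest first."""
    counts = {h: len({s["host"] for s in seen}) for h, seen in history.items()}
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))

if __name__ == "__main__":
    history = build_history(EVENTS)
    verdicts = {"HASH_A": "clean", "HASH_B": "clean"}
    alert = retrospective_alert(history, verdicts, "HASH_B", "malicious")
    print("entry point:", alert["entry"])
    print("hosts to contain:", alert["affected_hosts"])
    print("prevalence:", prevalence(history))
```

The entry record answers where the file came from, and the host list is the scope for containment without reimaging unrelated systems.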


Deployment Options for Protection Everywhere

Cisco AMP for Endpoints

Cisco AMP for Networks with Cisco Firepower NGIPS security appliances

Cisco AMP on Firewalls and ASA with FirePOWER Services

Cisco AMP Private Cloud Virtual Appliance

Cisco AMP on ESA or WSA

Cisco AMP for Meraki MX


Cisco AMP Leads in Third-Party Test

Cisco is the leader in NSS Labs’ Breach Detection Systems Report for the third year in a row, according to the 2016 NSS Labs Breach Detection Systems Comparative Analysis Report. The 2016 NSS Labs comparative product test provides the details on how Cisco AMP achieved:

● 100% Security Effectiveness rating, the highest of all vendors tested

● Only vendor to detect and block 100% of malware, exploits, and evasion techniques during testing

● Fastest time to detection of all vendors tested

● Excellent performance with minimal impact on endpoint or application latency


Cisco AMP is an intelligence-powered, integrated, enterprise-class advanced malware analysis and protection solution. It provides global threat intelligence to strengthen network defenses, analysis engines to block malicious files in real time, and the ability to continuously monitor and analyze all file behavior and traffic even after initial inspection. These capabilities provide unmatched visibility into potential threat activity and the control to then rapidly detect, contain, and eliminate malware.


Q & A

Q: Which operating systems does AMP (Secure Endpoint) support?

A: Cisco Secure Endpoint supports Windows, Mac and Linux to protect users.
