Explaining Security Concepts to Protect Endpoints¶
Antivirus & Dynamic File Analysis¶
Why Endpoints Need Protected¶
Defense in-depth
Endpoints contain sensitive information
They now leave the protected network infrastructure
Computer Viruses¶
Attach themselves to otherwise benign files or programs
Lay dormant until file or program is executed
Antivirus¶
Create signatures to identify viruses
Analyzed known viruses
Without a signature, antivirus won’t detect a virus
Malicious actors slightly change the virus so a new signature needs to be created
Required scanning of the endpoint
Heuristics¶
Looks at the behavior of the software rather than a predefined signature.
Machine Learning¶
Dynamically creates algorithms and finds patterns based on large sets of both malicious files and benign files.
Cisco AMP for Endpoints Overview¶
Cisco AMP Cloud¶
Heavy lifting is done in the cloud and not on the endpoint
Quickly integrate to other security products
Connectors communicate to the Cisco AMP cloud
Cisco AMP’s Engines¶
Uses a file’s SHA-256 hash to quickly determine if it has been seen and if it is malicious
Ethos¶
Looks at the different artifacts of the file, rather than the entire file itself
Spero¶
Uses machine learning in order to find patterns to determine malicious files from benign files
TETRA¶
Provides antimalware capabilities when the device is not connected to the cloud
Additional Cisco AMP Benefits¶
Evaluate indicators of compromise (IOCs)
Anomalies that could mean a compromise
AMP can protect endpoints in real time
Dynamic analysis
Execute that file in a sandbox
Exploit prevention
AMP moves the location RAM that the program is running
Cisco AMP Flow¶
Hash of file is used to determine if it has been seen
If it has been seen, previous verdict is used
AMPs engines, IOCs, & dynamic analysis are used
AMP will update the rest of the security suite of the new threat
Retrospective Security¶
Go back in time and see which endpoints the malicious file has touched.
Device Trajectory¶
Determine every interaction between the malicious file and other files on the endpoint.
AMP can dynamically create rules based on the events that occurred.
Endpoint Protection Platform & Endpoint Detection and Response¶
EPP vs EDR¶
Endpoint Protection Platform |
Endpoint Detection & Response |
---|---|
Known threats are not allowed |
Retroactively find malware |
Machine learning & big data |
Contain the malicious files |
Sandbox capability |
Investigate the malicious files |
Threat Intelligence |
Eliminate the threat |
Cisco AMP provides both EPP and EDR capabilities