Cisco AMP for Endpoints v1.1 – Instant Demo
Cisco Advanced Malware Protection (AMP) for Endpoints provides advanced malware protection for PCs, Macs, Linux systems, mobile devices, and virtual environments.
AMP for Endpoints is the only product today that goes beyond point-in-time detection to provide the visibility and control you need to stop advanced threats missed by other security layers. AMP for Endpoints is an intelligent, enterprise-class, advanced malware analysis and protection product. It uses a telemetry model to take full advantage of big data, continuous analysis, and advanced analytics.
With AMP for Endpoints you can continuously detect, track, analyze, control, and block advanced malware outbreaks across endpoints, including PCs, Macs, Linux systems, mobile devices, and virtual systems.
• Before: AMP for Endpoints uses the best global threat intelligence to strengthen defenses.
• During: AMP for Endpoints uses that intelligence, known file signatures, and dynamic file analysis engines powered by AMP Threat Grid to block policy-violating file types, exploit attempts, and malicious files trying to infiltrate the network.
• After: Inevitably, some advanced malware can evade your first lines of defense. AMP for Endpoints provides a lattice of detection capabilities, combined with big data analytics and continuous analysis, to determine if advanced, unknown malware evaded front-line defenses. Sophisticated machine learning techniques evaluate hundreds of behavioral characteristics associated with each file. If a file with an unknown or previously deemed "good" disposition starts behaving badly, AMP will detect it and instantly alert security teams with an indication of compromise, or automatically remediate the malware based on policy controls.
The Threats section contains alert data generated by comparing endpoint traffic flows to Sourcefire-supplied or user-configured custom IP reputation lists. A policy decision can configure the endpoint connector to block traffic to suspicious sites and quarantine the file responsible for initiating this traffic.
The Vulnerabilities section contains alert data generated by comparing file data from the endpoints to known malware signatures, heuristics engines, behavioral engines, and file relationship data, among others.
The Compromises section contains alert data calculated using large data sets that are reviewed using:
• Contextual information in order to continually analyze event data
• Updated security information for a daily reassessment of historic file and flow logs
• File and flow events (or a combination of both) to analyze behavior patterns over time
7. Scroll to the left to see the history for the endpoint. The highlighted area illustrates the indicators of compromise, allowing you to pinpoint what led up to that infection. Click one of the indicators to see event detection details.
NOTE: You can also select an event from the right-hand panel to jump to that event in the timeline. This timeline shows an exact, detailed replay of what happened on the machine.
8. The Event Details tell you where the malware was identified, moved, and executed.
11. This displays the File Trajectory results for the incident.
12. Click on the link for the File Trajectory. The entry point tells you where the file was first encountered, while the trajectory shows all the executions of the file over time on the network.
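The two ideas this guide leans on, retrospective detection (a file first judged "good" is re-flagged when the daily reassessment replays a new verdict over historic file events, as in the "After" phase and the Compromises section) and File Trajectory (entry point plus every execution over time), are illustrated below with a small added model. This is example code written for this page, not Cisco's or AMP's implementation; the event store, hashes and host names are constructed placeholders.

```python
"""Toy model of retrospective detection and file trajectory over endpoint file events."""
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    ts: int        # event time (constructed, increasing integer)
    host: str      # endpoint name (constructed)
    sha256: str    # file hash (constructed placeholder, not a real sample)
    action: str    # "created", "moved" or "executed"


class RetrospectiveStore:
    """Keeps every file event so history can be re-judged when a disposition changes."""

    def __init__(self):
        self.events = []
        self.disposition = {}   # sha256 -> "clean" | "malicious" | "unknown"

    def record(self, ev, disposition="unknown"):
        self.events.append(ev)
        self.disposition.setdefault(ev.sha256, disposition)

    def update_disposition(self, sha256, new):
        """Daily reassessment: replay a changed verdict over the historic log.
        Returns (host, ts) alerts for hosts that already executed the file."""
        old = self.disposition.get(sha256, "unknown")
        self.disposition[sha256] = new
        if new != "malicious" or old == "malicious":
            return []           # no change, or already alerted on this verdict
        return sorted({(e.host, e.ts) for e in self.events
                       if e.sha256 == sha256 and e.action == "executed"})

    def trajectory(self, sha256):
        """Entry point = first host that saw the file; trajectory = all executions."""
        seen = sorted((e for e in self.events if e.sha256 == sha256), key=lambda e: e.ts)
        if not seen:
            return None, []
        entry = (seen[0].host, seen[0].ts)
        return entry, [(e.host, e.ts) for e in seen if e.action == "executed"]


# Constructed sample telemetry: one file spreads from ws-01 to ws-07 and runs on both.
SAMPLE = [
    FileEvent(100, "ws-01", "aa" * 32, "created"),
    FileEvent(101, "ws-01", "aa" * 32, "executed"),
    FileEvent(250, "ws-07", "aa" * 32, "moved"),
    FileEvent(251, "ws-07", "aa" * 32, "executed"),
    FileEvent(300, "ws-03", "bb" * 32, "executed"),
]


def demo():
    store = RetrospectiveStore()
    for ev in SAMPLE:
        store.record(ev, disposition="clean")       # looked benign at point-in-time
    alerts = store.update_disposition("aa" * 32, "malicious")   # new intelligence arrives
    entry, execs = store.trajectory("aa" * 32)
    return alerts, entry, execs
```

Running `demo()` yields two retrospective alerts (ws-01 and ws-07, the hosts that executed the file while it was still rated clean), an entry point of ws-01 at time 100, and the same two hosts as the execution trajectory.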