
SCOR 11

Endpoint Protection and Detection.


• EDR (Endpoint Detection and Response) solutions monitor endpoint and network events and record the
information in a central database, so that you can perform further analysis, detection, investigation, and
reporting.
• Software is installed on the endpoint that allows ongoing monitoring and detection of potential security
threats.
• Cisco AMP for Endpoints.
• Can provide cloud-based detection of malware, in which the cloud constantly updates itself.
• AMP cloud is able to provide a historical view of malware activity, segmented into two activity types:
- File trajectory: What endpoints have seen the files
- Device trajectory: Actions the files performed on given endpoints
• With the data storage and processing in the cloud, the AMP solution is able to provide powerful and detailed
reporting
• AMP sends a file's hash to the cloud, which makes the decision and returns one of three verdicts:
Clean, Malware, or Unknown.

• AMP for Endpoints connectors must be able to reach the AMP cloud (TCP 443 or TCP 32137) even through a
firewall or proxy.
• To start a free trial
• https://www.cisco.com/c/en/us/products/security/amp-for-endpoints/demos.html
• Live instant demo: Secure Endpoint
• Log in with your free Cisco account and click View Now.
• Outbreak Control.
• Allows you to create lists that customize AMP for Endpoints to your organization’s needs.
• You can view the main lists from the AMP cloud console


• Simple custom detection allows you to add file signatures.


• Define one or more files that you are trying to quarantine by building a list of SHA-256 hashes.
• You can paste the hash or upload files directly and allow the cloud to create the SHA-256 hash for you.
• To create a simple custom detection
• Outbreak Control > Custom Detections > Simple

• You must click Save, or the hash will not be stored as part of your simple custom detection.
• Advanced custom detections offer many more signature types to the detection:
- File body-based signatures
- MD5 signatures
- MD5, PE section–based signatures
- An extended signature format (with wildcards, regular expressions, and offsets)
- Logical signatures
- Icon signatures
• To create an advanced custom detection
• Outbreak Control > Custom Detections > Advanced.

• Android custom detections look for specific applications; you build them by either uploading the app's .apk
file or selecting that file from the AMP console's inventory list.
• Use Android custom detections for two main functions:
• Outbreak control.
• You are using the detection to stop malware that is spreading through mobile devices.
• When a malicious app is detected, the user of the device is notified and prompted to uninstall it.
• Application control.
• You can also use custom detections to stop applications that you don’t want installed on devices in your
organization.
• Simply add apps to an Android custom detection list that you don’t want installed.
• IP Blacklists and Whitelists.
• You use an IP whitelist to define IPv4 addresses that should not be blocked.
• Traffic that matches entries in the blacklist is flagged or blocked.

• You name the list, choose whether it is a whitelist (IP Allow List) or a blacklist (IP Block List), and enter a
series of IPv4 addresses, one line at a time.
• Each line must contain a single IP or CIDR.
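The notes above state that each line of an IP list must hold exactly one IPv4 address or CIDR, and that the allow list defines addresses that must not be blocked. The following Python script is an added example (not Cisco code and not the AMP console's own validator) that checks list text against those two rules before you paste it into the console, and then shows how an address is classified when it appears in both lists. The list contents are constructed sample data; the assumption that an allow-list match is checked before the block list follows the notes' description of the whitelist.

```python
import ipaddress

# Constructed sample list contents, one entry per line, as the notes say the
# console expects. The IPv6 line and the comma-separated line in the block
# list are deliberately invalid so the validation has something to reject.
ALLOW_LIST_TEXT = """\
10.10.0.0/16
192.0.2.44
"""

BLOCK_LIST_TEXT = """\
198.51.100.0/24
203.0.113.7
2001:db8::1
203.0.113.8, 203.0.113.9
"""


def parse_ip_list(text):
    """Parse list text into (networks, errors).

    Every non-empty line must be a single IPv4 address or IPv4 CIDR; any
    other line is reported in errors as (line number, text, reason).
    """
    networks, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            errors.append((lineno, line, "not a single IP address or CIDR"))
            continue
        if net.version != 4:
            errors.append((lineno, line, "only IPv4 entries are accepted"))
            continue
        networks.append(net)
    return networks, errors


def verdict(address, allow_nets, block_nets):
    """Return 'allow', 'block' or 'no-match' for one IPv4 address.

    Assumption (from the notes): the allow list names addresses that should
    never be blocked, so it is consulted first; a block-list hit on an
    address outside the allow list is what gets flagged or blocked.
    """
    ip = ipaddress.ip_address(address)
    if any(ip in net for net in allow_nets):
        return "allow"
    if any(ip in net for net in block_nets):
        return "block"
    return "no-match"


def demo():
    """Validate both constructed lists and classify a few addresses."""
    allow_nets, allow_errors = parse_ip_list(ALLOW_LIST_TEXT)
    block_nets, block_errors = parse_ip_list(BLOCK_LIST_TEXT)
    return {
        "allow_errors": allow_errors,
        "block_errors": block_errors,
        "10.10.5.5": verdict("10.10.5.5", allow_nets, block_nets),
        "198.51.100.200": verdict("198.51.100.200", allow_nets, block_nets),
        "8.8.8.8": verdict("8.8.8.8", allow_nets, block_nets),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running the script reports the two malformed block-list lines with their line numbers, so they can be fixed before the list is saved, rather than discovering a rejected line in the console.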

• AMP for Endpoints Application Control
• Like files, applications can be detected, blocked, and whitelisted.
• AMP does not look for the name of the application but the SHA-256 hash.
• To create a new application control list for blocking an application.
• Outbreak Control > Application Control > Blocked Applications.

• If you already have the SHA-256 hash, add it.
• Otherwise, you can upload one application at a time and have the AMP cloud console calculate the hash for
you, as long as the file is not larger than the 20MB limit.
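Both the simple custom detection list and the application control list above are keyed on the SHA-256 of the file, not its name, and the console will only compute the hash for uploads of 20 MB or less. The following Python script is an added example (not Cisco code) that computes those hashes locally in a streaming fashion, checks the upload limit, and demonstrates why a hash-based list is unaffected by renaming a file. The sample files and their contents are constructed inside a temporary directory.

```python
import hashlib
import os
import tempfile

# The console computes hashes for uploads of at most 20 MB (from the notes).
MAX_UPLOAD_BYTES = 20 * 1024 * 1024


def sha256_hex(data):
    """SHA-256 of an in-memory byte string as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large files never need to fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def can_upload_for_hashing(path):
    """True if the console could calculate the hash for you (file <= 20 MB)."""
    return os.path.getsize(path) <= MAX_UPLOAD_BYTES


def build_detection_list(paths):
    """Hash samples locally; the result is what you would paste into
    Outbreak Control > Custom Detections > Simple (or Application Control)."""
    return {sha256_of_file(p) for p in paths}


def is_listed(path, detection_list):
    """A file is matched by its content hash only, regardless of its name."""
    return sha256_of_file(path) in detection_list


def demo():
    """Constructed demonstration: renaming a sample does not change its hash."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "sample.bin")
        with open(sample, "wb") as fh:
            # Constructed placeholder content, not a real malicious file.
            fh.write(b"constructed sample content for hashing\n" * 64)
        benign = os.path.join(tmp, "notes.txt")
        with open(benign, "wb") as fh:
            fh.write(b"harmless content\n")

        detections = build_detection_list([sample])

        # Renaming the sample leaves its SHA-256 unchanged, so it is still listed.
        renamed = os.path.join(tmp, "renamed.dat")
        os.rename(sample, renamed)
        return {
            "renamed_listed": is_listed(renamed, detections),
            "benign_listed": is_listed(benign, detections),
            "uploadable": can_upload_for_hashing(renamed),
        }


if __name__ == "__main__":
    print(demo())
```

Hashing locally also avoids uploading files that exceed the 20 MB limit; you paste the resulting hex digest into the list instead.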

• Exclusion Set.

• A list of directories, file extensions, or even threat names that you do not want the AMP agent to scan and
subsequently convict as malware.
• Any files stored in a location that has been added to an exclusion set will not be subjected to application
blocking, simple custom detections, or advanced custom detections.

• Available exclusion types:


• Threat.
• This type excludes specific detections by threat name.
• Extension.
• This type excludes files with a specific extension.
• Path.
• This type excludes files in a given path.
• Wildcard.
• This type excludes files or paths using wildcards for filenames, extensions, or paths.
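The four exclusion types above (threat, extension, path, wildcard) can be illustrated with a small matcher. The Python below is an added example written for these notes, not the AMP agent's own exclusion logic, and its exclusion syntax and matching rules are assumptions: paths are compared case-insensitively with backslashes normalised, and `*` in a wildcard entry matches across directory separators as Python's fnmatch does. The exclusion set and the file events are constructed.

```python
import fnmatch

# Constructed exclusion set, one entry per exclusion type from the notes.
EXCLUSIONS = [
    ("threat", "W32.Constructed.ThreatName"),
    ("extension", ".log"),
    ("path", r"C:\Program Files\BackupAgent"),
    ("wildcard", r"C:\Users\*\AppData\Local\Temp\build-*.tmp"),
]


def _norm(path):
    """Normalise a path for comparison: forward slashes, lower case."""
    return path.replace("\\", "/").lower()


def matching_exclusion(file_path, threat_name=None, exclusions=EXCLUSIONS):
    """Return the (type, value) exclusion covering this event, or None.

    Assumed semantics for each type (illustrative, not the product's):
      threat    - exact, case-insensitive match on the detection name
      extension - file name ends with the extension
      path      - file is the path itself or lies beneath that directory
      wildcard  - fnmatch pattern over the full normalised path
    """
    path = _norm(file_path)
    for kind, value in exclusions:
        if kind == "threat":
            if threat_name and threat_name.lower() == value.lower():
                return (kind, value)
        elif kind == "extension":
            ext = value.lower() if value.startswith(".") else "." + value.lower()
            if path.endswith(ext):
                return (kind, value)
        elif kind == "path":
            base = _norm(value).rstrip("/")
            # Prefix check includes the separator so "BackupAgentX" is not covered.
            if path == base or path.startswith(base + "/"):
                return (kind, value)
        elif kind == "wildcard":
            if fnmatch.fnmatchcase(path, _norm(value)):
                return (kind, value)
    return None


def should_evaluate(file_path, threat_name=None, exclusions=EXCLUSIONS):
    """Excluded files are skipped entirely: no application blocking and no
    simple or advanced custom detection is applied to them (per the notes)."""
    return matching_exclusion(file_path, threat_name, exclusions) is None


if __name__ == "__main__":
    # Constructed events: (path, threat name reported by the engine, if any)
    events = [
        (r"C:\Program Files\BackupAgent\bin\agent.exe", None),
        (r"C:\Program Files\BackupAgentX\agent.exe", None),
        (r"C:\Windows\Temp\service.log", None),
        (r"C:\Users\alice\AppData\Local\Temp\build-42.tmp", None),
        (r"C:\Users\alice\Downloads\tool.exe", "W32.Constructed.ThreatName"),
        (r"C:\Users\alice\Downloads\tool.exe", "Other.Detection"),
    ]
    for path, threat in events:
        print(path, threat, "->", matching_exclusion(path, threat))
```

The "BackupAgentX" event is the edge case worth noticing: a naive string-prefix check would exclude that directory too, which is exactly the kind of over-broad exclusion that silently widens what the agent will not convict.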

• AMP for Endpoints is available for multiple platforms: Windows, Android, Mac, and Linux.
• To see the available connectors from the cloud console:
• Management > Download Connector.


• You can configure different policies for each of the supported platforms.
• Management > Policies

• A policy is applied to an endpoint via groups.
• Groups allow the computers in an organization to be managed according to their function, location, or other
criteria determined by the administrator.
• To create a new group
• Management > Groups.


• AnyConnect AMP Enabler.


• Downloads and deploys AMP for Endpoints as configured by the administrator.
• Use the AMP Enabler add-on to AnyConnect to aid in the distribution of the AMP connector to clients who
use AnyConnect for remote access VPN, secure network access, or posture assessments with ISE.


• There are three detection and protection “engines” in AMP for Endpoints:
• TETRA.
• A full client-side antivirus solution.
• Do not enable the use of TETRA if there is an existing antivirus product in place.
• The default AMP setting is to leave TETRA disabled.
• TETRA consumes more disk space for signature storage and more bandwidth for signature updates.
• Spero.
• A machine learning–based technology that proactively identifies threats that were previously unknown.
• Can identify malicious software based on its general appearance rather than basing identity on specific
patterns or signatures.
• Ethos
• A “fuzzy fingerprinting” engine that uses static or passive heuristics.
• Uses automated creation of generic signatures.

• AMP for Endpoints Reporting


• Includes a series of reporting dashboards that can be very useful for understanding what is happening on your
endpoints.
• You can filter by platform, date ranges, and other attributes.

• The AMP for Endpoints Overview dashboard displays the status of your environment and highlights
recent threats and malicious activity in your AMP for Endpoints deployment.
