“At Cisco, everything starts with our customers, and our Customer Experience organization exists to ensure they are consistently having the best possible experience with our technology.”
© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public
Customer Success Central
CSE/SPM Team (coverage map): Romania, Hungary, Croatia, Czech Republic, Slovenia, Slovakia, Balkans
Practices: IBN Security, IBN / DNA, Data Center
Customer lifecycle: Purchase, Advocate, Align, Recommend, Renew, Select, Optimize, Accelerate, Adopt, Evaluate, Engage, Use
Logistics
Ask our experts a question (WebEx Events):
• Raise your hand by clicking on the hand icon in the Attendees panel
• Type your question into the Q&A panel and click Send
Link in chat
Presenters
Panelists
Cisco Secure Endpoint
Virtual Workshop
Endpoint security that works for you
Anita Pietrzyk
Customer Success Specialist
June 2021
https://www.cisco.com/c/dam/en/us/products/collateral/security/secure-product-naming-qrm.pdf
Agenda
‣ See more. Respond faster
‣ Am I compliant?
‣ Get back to the basics
Attackers need the endpoint
Nowadays everything is encrypted
https://transparencyreport.google.com/https?hl=en
You can do “SSL/TLS” Decryption today
Cisco FTD, Web Security Appliance: Web traffic, Application, Endpoint
Deep Visibility: Copy, Move, Create, Execute, Install, Command line
Control: Endpoint Isolation; Allow / Deny Application/Files
Identify Protect Detect Respond Recover
Example of ransomware displaying instructions for payment
Identify Protect Detect Respond Recover
Mapped to MITRE
Scheduled or on-demand
Identify Protect Detect Respond Recover
Prevent:
• Cloud lookups (1:1, 1:many)
• Antivirus (TETRA, ClamAV)
• Exploit Prevention: fileless malware detection, adware removal, process hollowing
• System Process Protection
Detect:
• Static analysis
• Sandboxing (dynamic analysis)
• Malicious Activity Protection
• Machine learning
• Device flow correlation
• Cloud Indicators of Compromise
• Client Indicators of Compromise
Reduce Risk:
• Vulnerable software
• Low prevalence
• Proxy log analysis (Cognitive)
• Endpoint Isolation
• Advanced Search (Orbital)
• API Integrations
Identify Protect Detect Respond Recover
Tap into unrivalled threat intelligence and hunting expertise from Cisco
Key capabilities: an analyst-centric process from Cisco that enables organizations to uncover hidden advanced threats
Benefits: proactive threat hunting across your assets by skilled threat hunters
Identify Protect Detect Respond Recover
Identify Protect Detect Respond Recover
Recording: see where it's been
Identify how it spread
Surgically target and remediate
Key Takeaways (feature comparison across the Essentials, Advantage and Premier tiers by Engines, Features and Integrated): Local, Network and Cloud Engines & Features; Behavioral Analysis; Orbital; Threat hunting; SecureX; Threatgrid; ISE, Stealthwatch, Meraki, SIG, Umbrella; Secure: Email, Web, Firewall; Agent
Agenda
‣ See more. Respond faster
‣ Am I compliant?
‣ Get back to the basics
http://cs.co/security_atx
Best Practices Report of YOUR deployment
Guidance from a Subject Matter Expert
Reach out to your account team today
Agenda
‣ See more. Respond faster
‣ Am I compliant?
‣ Get back to the basics
Radek Olszowy
Technical Consulting Engineer
June 2021
Agenda
Main topics:
• Known issues
• Upgrades
• Exclusions
• Exploit Prevention
• False positives
Secure Endpoint-related cases (breakdown):
• Connectors 45,9%
• Public Cloud 26,2%
• Efficacy / Remediation / Compliancy 16,6%
• Threat Grid 6,8%
• Integrations 3,9%
• Private Cloud 0,6%
Known issues
• CSCvc64688 - Windows Connector cannot run IPtray under multiple users. The second IPtray will not be able to connect to the agent process and will appear to be disconnected from the cloud.
• CSCvx47570 - [ExPrev] Issue with Tiger Lake processors & Windows 10 20H2 (fixed in 7.3.15).
• CSCvx41502 - Disabling the Behavioral Protection engine causes high CPU consumption by sfc.exe (fixed in 7.3.15).
High CPU problems
The AMP Windows Connector might consume a lot of PC resources. Some of the high-CPU periods are expected, but sometimes intervention is needed to adjust the AMP configuration for a specific environment.
Collecting debugs
High CPU - Windows Tuning Tool
1. Download the latest Windows Endpoints tuning tool (Diag_Analyzer_v1_03.py) from https://github.com/CiscoSecurity/amp-05-windows-tune and read the README.md file.
2. Run the Diag Analyzer application with the chosen options.
Example session:
C:\Users\Radek\Downloads>python Diag_Analyzer_v1_03.py -i
CiscoAMP_Support_Tool_2021_05_08_23_14_17.zip
Creating directory
Successfully created the directory ’C:\Users\Radek\Downloads\CiscoAMP_Support_Tool_2021_05_08_23_14_17’
Moving log files into the output directory.
Parsing the logs.
Would you like to view the exclusions from your policy? [y/n]
Using proxy – don’t inspect!
• AMP communication must be excluded from SSL interception on a proxy: AMP4E communication with the AMP cloud is a binary protocol encapsulated in TLS. Any RFC-compliant proxy expects HTTP inside a TLS connection (if intercepted). If a proxy does any kind of man-in-the-middle (MITM) on AMP traffic, it will detect a non-HTTP protocol inside TLS and drop the communication!
• Fallback to direct connection: if a proxy is configured, the AMP for Endpoints connector falls back to the system-configured proxy, and then to direct communication, when the configured proxy is not available.
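To make the slide's point concrete, here is an added Python illustration (not Cisco code, and not the connector's real protocol): a model of a TLS-intercepting proxy that tunnels hosts on its no-intercept list untouched and otherwise decrypts and expects an HTTP request line, beside the fallback order the slide describes (policy-configured proxy, then system proxy, then direct). The host names, bypass patterns and the "binary frame" are constructed placeholders.

```python
"""
Added illustration (not Cisco code) of the proxy rule on this slide: a
TLS-intercepting proxy that expects HTTP inside the tunnel drops a binary
protocol, so the connector's cloud hosts belong on the proxy's no-intercept
list, and the connector falls back configured proxy -> system proxy -> direct.
Host names, bypass patterns and the "binary frame" are constructed
placeholders; nothing here is the real AMP protocol or cloud address.
"""
from fnmatch import fnmatch
from typing import Iterable, List, Optional, Set, Tuple

# RFC 7230 request line: method SP request-target SP HTTP-version CRLF
HTTP_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"CONNECT",
                b"OPTIONS", b"TRACE", b"PATCH"}
HTTP_VERSIONS = {b"HTTP/1.0", b"HTTP/1.1"}

# Constructed samples: a plain HTTP request and an opaque binary frame.
HTTP_SAMPLE = b"GET /status HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
BINARY_SAMPLE = b"\x01\x00\x00\x2a\xd6\x4f\x8b\x00\x10\xffpayload\x00"

# Constructed no-intercept list, as an admin would configure on the proxy.
NO_INTERCEPT = ["*.amp.example.test", "cloud-api.example.test"]


def looks_like_http_request(first_bytes: bytes) -> bool:
    """Return True if the stream opens with a well-formed HTTP/1.x request line."""
    line, sep, _rest = first_bytes.partition(b"\r\n")
    if not sep:
        return False
    parts = line.split(b" ")
    if len(parts) != 3:
        return False
    method, target, version = parts
    return method in HTTP_METHODS and len(target) > 0 and version in HTTP_VERSIONS


def intercepting_proxy_verdict(host: str, first_bytes: bytes,
                               no_intercept: Iterable[str]) -> str:
    """Model the proxy's decision for one connection.

    Hosts on the no-intercept list are tunnelled without decryption.
    Anything else is decrypted and must carry HTTP, otherwise it is dropped,
    which is what happens to the connector's binary protocol.
    """
    if any(fnmatch(host, pattern) for pattern in no_intercept):
        return "tunnelled"
    return "forwarded" if looks_like_http_request(first_bytes) else "dropped"


def connection_attempt_order(policy_proxy: Optional[str],
                             system_proxy: Optional[str]) -> List[Tuple[str, Optional[str]]]:
    """Route order per the slide: policy-configured proxy, then the system
    proxy, then direct."""
    order: List[Tuple[str, Optional[str]]] = []
    if policy_proxy:
        order.append(("proxy", policy_proxy))
    if system_proxy and system_proxy != policy_proxy:
        order.append(("proxy", system_proxy))
    order.append(("direct", None))
    return order


def choose_route(order: List[Tuple[str, Optional[str]]],
                 reachable_proxies: Set[str]) -> Tuple[str, Optional[str]]:
    """Pick the first usable route; the direct route is assumed reachable."""
    for kind, addr in order:
        if kind == "direct" or addr in reachable_proxies:
            return (kind, addr)
    return ("direct", None)


if __name__ == "__main__":
    for host in ("cloud.amp.example.test", "www.example.test"):
        print(host, intercepting_proxy_verdict(host, BINARY_SAMPLE, NO_INTERCEPT))
    order = connection_attempt_order("proxy1.corp.example.test:3128",
                                     "proxy2.corp.example.test:8080")
    print(choose_route(order, reachable_proxies=set()))
```

The "dropped" verdict for the cloud host that is missing from the no-intercept list is the failure described on the slide; fixing it means adding the host pattern to the list, not changing the connector.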
AMP Connector version recommendations
• There is no recommended version of Windows Connector, but:
Upgrade using AMP installer
• You can manually upgrade your connector using the installation package downloaded from the AMP console.
• This procedure can be automated using a third-party software management tool.
Upgrade troubleshooting
• immpro_install.log is the log file created during the installation/upgrade of the connector. It can be found at:
C:\ProgramData\Cisco\AMP\immpro_install.log
%TEMP%\immpro_install.log
• If the problem is reproducible, reproduce it again with debugs enabled – preferably from the cloud (cloud policy change).
Exclusions
When to use an exclusion?
• Exclude other security applications (anti-malware, anti-virus, DLP etc),
Types of exclusions - Windows
• The AMP Windows Connector can be configured to make use of different types of exclusions:
1. Threat
2. Path
3. File Extension
4. Wildcard
5. Process – File Scan
6. Process – MAP
7. Process – SPP
Types of exclusions – macOS
• The AMP macOS Connector, on the other hand, can be configured with the following types of exclusions:
1. Threat
2. Path
3. File Extension
4. Wildcard
5. Process – File Scan
Path Exclusion
Path exclusions are usually used to resolve application conflicts by excluding a directory. You can create a path exclusion using an absolute path or a CSIDL. Don’t use it for files, e.g., C:\app.exe!
Wildcard Exclusion
These exclusions are the same as path exclusions, except that an asterisk (*) character acts as a wildcard.
Process Exclusions
There are three types of Process Exclusions:
1. File Scan
2. Malicious Activity Protection (MAP)
3. System Process Protection (SPP)
Only the File Scan type excludes the process from being scanned by the SHA-256 engine; the MAP and SPP types relate to those engines.
A process exclusion is defined by either: the full path to the process executable, the SHA-256 value of the process executable, or both the path and the SHA-256.
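The following added Python example (not Cisco code; the `Exclusion` record, its `kind` names and the sample list are constructed stand-ins for what an admin enters in the console) reviews a proposed exclusion list against the rules from the Windows and macOS type lists and the path, wildcard and process slides above. It flags entries that will not work as intended (a file in a path exclusion, a type the platform lacks, a malformed SHA-256) and entries that are broader than they look (a whole drive, all executables).

```python
"""
Added example (not Cisco code): pre-flight review of a proposed exclusion list
against the rules on these slides. The Exclusion record and the sample list are
constructed stand-ins for console policy entries. Checks encoded: path
exclusions take a directory given as an absolute path or CSIDL (never a single
file such as C:\\app.exe); wildcard exclusions are paths containing '*';
process exclusions need the executable's full path, its SHA-256, or both; and
macOS connectors lack the Process MAP/SPP types.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

SUPPORTED_KINDS: Dict[str, set] = {
    "windows": {"threat", "path", "extension", "wildcard",
                "process-filescan", "process-map", "process-spp"},
    "macos": {"threat", "path", "extension", "wildcard", "process-filescan"},
}
ABS_WINDOWS_PATH = re.compile(r"^[A-Za-z]:\\")
CSIDL_PATH = re.compile(r"^CSIDL_[A-Z_]+(\\.*)?$")
SHA256_HEX = re.compile(r"^[0-9a-fA-F]{64}$")
FILE_SUFFIXES = (".exe", ".dll", ".sys", ".bat", ".cmd", ".ps1", ".msi")
RISKY_EXTENSIONS = ("exe", "dll", "sys", "ps1", "bat", "cmd")


@dataclass
class Exclusion:
    kind: str          # one of the SUPPORTED_KINDS values
    value: str         # directory, pattern, extension or process path
    sha256: str = ""   # only meaningful for process-* kinds


@dataclass
class Finding:
    exclusion: Exclusion
    severity: str      # "error" (will not work / wrong type) or "warning" (risky)
    message: str


def check_exclusion(ex: Exclusion, platform: str) -> List[Finding]:
    out: List[Finding] = []

    def add(sev: str, msg: str) -> None:
        out.append(Finding(ex, sev, msg))

    v = ex.value.strip()
    if ex.kind not in SUPPORTED_KINDS[platform]:
        add("error", f"{ex.kind} exclusions are not available on {platform}")
        return out
    if ex.kind == "path":
        if "*" in v:
            add("error", "asterisk in a path exclusion; use the wildcard type")
        if v.lower().endswith(FILE_SUFFIXES):
            add("error", "path exclusion points at a file; exclude its directory or use a process exclusion")
        is_abs = bool(ABS_WINDOWS_PATH.match(v)) or v.startswith("/")
        is_csidl = platform == "windows" and bool(CSIDL_PATH.match(v))
        if not (is_abs or is_csidl):
            add("error", "path must be absolute or a CSIDL")
    elif ex.kind == "wildcard":
        if "*" not in v:
            add("warning", "wildcard exclusion without '*'; a path exclusion would do")
        remainder = v.replace("*", "").rstrip("\\/")
        if remainder == "" or re.fullmatch(r"[A-Za-z]:", remainder):
            add("error", "pattern excludes an entire drive from scanning")
    elif ex.kind == "extension":
        ext = v.lstrip(".").lower()
        if not re.fullmatch(r"[a-z0-9]+", ext):
            add("error", "extension must be letters/digits, e.g. .log")
        elif ext in RISKY_EXTENSIONS:
            add("warning", f"excluding all .{ext} files removes scanning of executables")
    elif ex.kind.startswith("process-"):
        if not v and not ex.sha256:
            add("error", "process exclusion needs the executable's full path, its SHA-256, or both")
        if v and not (ABS_WINDOWS_PATH.match(v) or v.startswith("/")):
            add("error", "process path must be the full path to the executable")
        if ex.sha256 and not SHA256_HEX.match(ex.sha256):
            add("error", "SHA-256 must be 64 hexadecimal characters")
    return out


def review_exclusions(exclusions: List[Exclusion], platform: str) -> List[Finding]:
    """Run every check and return the findings, errors first."""
    findings = [f for ex in exclusions for f in check_exclusion(ex, platform)]
    return sorted(findings, key=lambda f: 0 if f.severity == "error" else 1)


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts = {"error": 0, "warning": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed sample list; paths and hashes are placeholders.
SAMPLE_EXCLUSIONS = [
    Exclusion("path", "C:\\Program Files\\OtherAV"),
    Exclusion("path", "C:\\app.exe"),
    Exclusion("path", "CSIDL_PROGRAM_FILES\\Vendor"),
    Exclusion("wildcard", "C:\\*"),
    Exclusion("wildcard", "C:\\Users\\*\\AppData\\Local\\Vendor\\cache"),
    Exclusion("extension", ".log"),
    Exclusion("extension", ".exe"),
    Exclusion("process-filescan", "C:\\Program Files\\OtherAV\\scan.exe", "a" * 64),
    Exclusion("process-map", "", "notahash"),
    Exclusion("process-spp", "C:\\Program Files\\Backup\\agent.exe"),
]

if __name__ == "__main__":
    for f in review_exclusions(SAMPLE_EXCLUSIONS, "windows"):
        print(f"{f.severity:7} {f.exclusion.kind:17} {f.exclusion.value or f.exclusion.sha256}: {f.message}")
```

Running the review for "windows" reports three errors (the file in a path exclusion, the whole-drive wildcard, the malformed hash) and one warning (all .exe files); running it for "macos" additionally rejects the two Process MAP/SPP entries.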
Process Exclusion – File Scan
Process Exclusions allow admins to exclude running processes from scans.
Process Exclusion – System Process Protection
The idea of SPP exclusions is to not block access to specific calls/requests for the protected processes.
We do not care whether the process is CLEAN, UNKNOWN or MALICIOUS from the cloud perspective. The thing is, if we block access for a CLEAN disposition from the cloud, we will not send any notification.
SPP does not block every call; rather, we block operations that have the power to modify/terminate system processes.
Exclusion's knowledgebase
https://www.cisco.com/c/en/us/support/docs/security/amp-endpoints/213681-best-practices-for-amp-for-endpoint-excl.html
https://docs.amp.cisco.com/en/A4E/AMP%20for%20Endpoints%20User%20Guide.pdf#G5.3400437
https://video.cisco.com/detail/video/6038277786001/create-exclusions-in-cisco-amp-for-endpoints?autoStart=true&q=amp
Exploit Prevention
ExPrev - Theory
• Exploit Prevention moves the libraries of the protected process to a different location.
ExPrev - Troubleshooting
• If any of the processes (or child processes) protected by ExPrev behaves incorrectly with the Connector enabled, try disabling ExPrev or enabling its audit setting in the policy, and test the situation again.
False positives
How to spot a false positive:
• Known, trusted file, e.g. drivers, well-known developer
• It was working fine, but it has stopped
• No detections in VirusTotal
• Low score in ThreatGrid (below 90)
• ZIP archive with only ASCII text inside
How to send them for a review:
• Open a Talos ticket on the talosintelligence.com site
• Open a TAC case and provide the following:
1. What is the origin of the file/executable? Where and how was it obtained?
2. Why do you think it should be clean?
3. What is the purpose of this application/file?
4. What is the SHA256 of that file in the AMP console?
5. Attach it to the case, preferably zipped with the password ‘Infected’.
6. What is the current business impact? On how many machines was it seen?
• Review usually takes 1-2 days to be processed. If you are convinced that the file is benign, add its SHA256 to the Allowed Applications list to override the disposition to clean.
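As an added Python example (not Cisco code), the two slides above can be turned into a small triage helper: it computes the SHA256 you would quote in the TAC case, tests the "ZIP archive with only ASCII text inside" signal on the actual bytes, combines it with the other checklist signals (trusted publisher, file that used to work, no VirusTotal detections, ThreatGrid score below 90), and shows how an entry on the Allowed Applications list overrides the cloud disposition to clean. The ZIP archives, the scores and the allowed list are constructed inputs; the VirusTotal and ThreatGrid values are passed in as numbers rather than fetched from those services.

```python
"""
Added example (not Cisco code) applying the false-positive checklist from these
slides to a sample. The archives, scores and allowed list are constructed;
the VirusTotal/ThreatGrid values are supplied by the caller, not fetched.
"""
import hashlib
import io
import zipfile
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

THREATGRID_FP_THRESHOLD = 90   # slide: "Low score in ThreatGrid (below 90)"


@dataclass
class Sample:
    name: str
    data: bytes
    trusted_publisher: bool = False      # known driver / well-known developer
    worked_before: bool = False          # "it was working fine, but it has stopped"
    virustotal_detections: Optional[int] = None
    threatgrid_score: Optional[int] = None

    @property
    def sha256(self) -> str:
        """The hash to quote in the TAC case and to match in the AMP console."""
        return hashlib.sha256(self.data).hexdigest()


def is_text_bytes(data: bytes) -> bool:
    """ASCII text: every byte is 7-bit and control bytes are limited to TAB/LF/CR."""
    return data.isascii() and all(b >= 0x20 or b in (9, 10, 13) for b in data)


def zip_contains_only_ascii_text(data: bytes) -> bool:
    """True if data is a ZIP with at least one member and every member is ASCII text."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = [m for m in zf.infolist() if not m.is_dir()]
            return bool(members) and all(is_text_bytes(zf.read(m)) for m in members)
    except zipfile.BadZipFile:
        return False


def false_positive_indicators(s: Sample) -> List[str]:
    """Which checklist signals the sample shows; more hits, stronger FP suspicion."""
    hits: List[str] = []
    if s.trusted_publisher:
        hits.append("known, trusted file / well-known developer")
    if s.worked_before:
        hits.append("was working fine, then stopped")
    if s.virustotal_detections == 0:
        hits.append("no detections in VirusTotal")
    if s.threatgrid_score is not None and s.threatgrid_score < THREATGRID_FP_THRESHOLD:
        hits.append(f"ThreatGrid score {s.threatgrid_score} below {THREATGRID_FP_THRESHOLD}")
    if zip_contains_only_ascii_text(s.data):
        hits.append("ZIP archive with only ASCII text inside")
    return hits


def effective_disposition(cloud_disposition: str, sha256: str,
                          allowed_applications: Set[str]) -> str:
    """An Allowed Applications entry overrides the cloud disposition to clean."""
    return "clean" if sha256.lower() in allowed_applications else cloud_disposition


def make_zip(members: Dict[str, bytes]) -> bytes:
    """Build a constructed ZIP archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed inputs.
TEXT_ZIP = make_zip({"README.txt": b"config notes\r\n", "settings.ini": b"[main]\nlevel=2\n"})
BINARY_ZIP = make_zip({"tool.exe": b"MZ\x90\x00\x03\x00\x00\x00\xff\xfe"})
SAMPLE = Sample("vendor_notes.zip", TEXT_ZIP, trusted_publisher=True, worked_before=True,
                virustotal_detections=0, threatgrid_score=35)

if __name__ == "__main__":
    print(SAMPLE.name, SAMPLE.sha256)
    for hit in false_positive_indicators(SAMPLE):
        print(" -", hit)
    print("disposition after allow-listing:",
          effective_disposition("malicious", SAMPLE.sha256, {SAMPLE.sha256}))
```

The indicator list is evidence for the TAC case questions, not a verdict: the slide still routes the decision through the Talos/TAC review, and the allow-list override is the step you take only once you are convinced the file is benign.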
Additional documentation
• For more information about false detections, outbreaks, and Incident Response visit:
https://www.cisco.com/c/en/us/support/docs/security/advanced-malware-protection-endpoints/200618-Work-with-the-Advanced-Malware-Protectio.html
Agenda
‣ See more. Respond faster
‣ Am I compliant?
‣ Get back to the basics
Ruben Maia
Customer Success Specialist
June 2021
Adding new security technology is a double-edged sword
It gives you new functionality, but it also creates a lot of complexity…
“Without solid foundations the house will fall..”
Automation should
CISOs want to efficiently manage cybersecurity risks
SOC Managers want to demonstrate their team’s effectiveness
• Would you like to improve your cybersecurity posture while efficiently and effectively managing risks?
• Would you like to manage fewer security vendors while dramatically improving your cybersecurity capabilities?
• Would you like to shorten time-consuming investigations while focusing your staff on higher-value activities?
Introducing SecureX
A cloud-native, built-in platform experience within our portfolio
Cisco Secure | Your Infrastructure | Unified Visibility | Your teams: SecOps, ITOps, NetOps
Our portfolio includes XDR capabilities and beyond
SOAR: API-based integration; Process automation; Response efficiency
XDR: X-product integration; Simplified experience; Simplified policy; Unified visibility; Simplified analytics; Operational efficiency
These values in SOAR/XDR platforms and beyond are a fundamental right in SecureX (and more).
Pains of SOAR/XDR platforms versus SecureX:
• Separate license (SOAR) / Separate license (XDR) → Already entitled to it
• Integration experts / Automation experts → No special skills required
• No data normalization / Massive data lake → No data storage required
• Context lacks breadth / Third party limitations → No vendor lock-in
Unlike SOAR/XDR platforms, these pains do not exist in SecureX.
*SIEM/SOAR is easier to use!
Demo
How true simplicity is experienced
Before: 32 minutes | After: 5 minutes
SecureX threat response integrates across the Cisco Secure portfolio
Included at no additional cost with the following licenses
Demo
should be automated as much as possible to free up your resources’ valuable
Workflow sketch: ALERT → Cisco or non-Cisco infrastructure → task → condition → task → while loop → task: REMEDIATE
Introducing SecureX orchestration
Investigate: Reduce research and response
Automate: Eliminate repetitive tasks and
SecureX Automation & Orchestration
Phishing use case – user experience
Phishing use case - playbook
Playbook integrates 6 products: Malware Analysis, Endpoint Security, Cloud Security, Email Security, Threat Response, ServiceNow
Main flow:
1. Email received from investigation mailbox
2. Extract DIRECT observables from email
3. Determine verdict for observables
4. Perimeter blocking (e.g. malicious domains)
5. Hunt malicious or suspicious observables; identify asset details
6. Internal blocking (e.g. isolate host after approval)
7. Case management: create Threat Response incident
Side branches:
• Acknowledge user for the submission
• Gather INDIRECT observables (Post-MVP)
• Add hashes linked with domains to outbreak control list
• Internal targets found? → Create IT ticket
• Update email spam rules or retract emails (Post-MVP)
• STOP
Demo
SecureX sign-on
Meaningful integrations with your investments
Not just a simple syslog data dump
• Third-party security infrastructure: operational tools, intelligence sources, infrastructure protections and visibility
• Cisco infrastructure: networking, collaboration, server/app, and multicloud management platforms (ACI, UCS Director, CloudCenter …and more!)
• Third-party infrastructure: IT service management, and cloud/virtual and devop platforms
• General: scripting/dev tools, system interfaces, data exchanges, and messaging protocols
SecureX seamlessly integrates into your SOC
Products with built-in SecureX features
In summary…
Unlock new value from your current investments
SecureX in the classroom
Multiple, global threat hunting workshops, every quarter and now as virtual classes, to educate teams with real-world scenarios
https://www.cisco.com/c/en/us/products/security/threat-hunting-workshop.html#~events
SecureX resources
Continue your SecureX journey with us
SecureX Threat Response: learn more at cisco.com/go/threatresponse
SecureX Orchestration: learn more at cs.co/SXO_docs
cisco.com/go/securex
cs.co/SecureX_videos
cs.co/SecureX_faq
https://learnsecurex.cisco.com/
Customer satisfaction rating
We’ve reached our goal
https://www.ciscofeedback.vovici.com/se/6A5348A71DF95914
References
Google Transparency Report
https://transparencyreport.google.com/https?hl=en
malware-protection-endpoints/200318-Deployment-of-Cisco-AMP-for-Endpoints-wi.html
Known issues
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvc64688
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvx47570
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvx41502
https://www.cisco.com/c/en/us/support/docs/security/sourcefire-fireamp-endpoints/118587-technote-fireamp-00.html
Exclusion's knowledgebase
https://www.cisco.com/c/en/us/support/docs/security/amp-endpoints/213681-best-practices-for-amp-for-endpoint-excl.html
https://docs.amp.cisco.com/en/A4E/AMP%20for%20Endpoints%20User%20Guide.pdf#G5.3400437
https://video.cisco.com/detail/video/6038277786001/create-exclusions-in-cisco-amp-for-endpoints?autoStart=true&q=amp
Additional documentation about false detections, outbreaks and incident response
https://www.cisco.com/c/en/us/support/docs/security/advanced-malware-protection-endpoints/200618-Work-with-the-Advanced-Malware-Protectio.html
What questions do you have?