
Cisco Secure Endpoint Virtual Workshop
Customer Success Central
“At Cisco, everything starts with our customers, and our Customer Experience organization exists to ensure they are consistently having the best possible experience with our technology.”

Chuck Robbins, CEO

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public
Customer Success Central
CSE/SPM Team

Customer Success Executives and Success Programs Managers (primary region as shown on the slide):
• Yves Bron – Switzerland
• Caroline Knapp – Switzerland
• Denis Popov – Russia
• Alona Marchukova – Switzerland
• Sylvia Pawelczyk-Mika – Switzerland
• Juergen Stoiber – Austria
• Michal Ostrowski – Poland
• Maria Antonova – Russia
• Liza Kalachova – CIS

Further regions listed on the slide: Romania, Hungary, Croatia, Czech Republic, Slovenia, Slovakia, Balkans

Contacts: amarchuk@cisco.com, spawelcz@cisco.com, jstoiber@cisco.com, michostr@cisco.com, mantonov@cisco.com, ykalacho@cisco.com


Customer Success Central Team
CSS Manager: Katarzyna Zieziula

Customer Success Specialists (CSS), technologies coverage: IBN / DNA, Security, Data Center, DNA, SD WAN, Wireless, Cross-domain automation

Customer Success Specialists: Kuba Zabiega, Hatam Shukur, Jaroslav Cizek, Juan Ponce Dominguez, Dominik Stefaniak, Stanislav Martinicky, Sohaib Abid, Michal Navorka, Anita Pietrzyk, Tetiana Fedosieieva, Nikita Pavlov, Kamil Stopa, Vladimir Andryushchenko, Frankelly De Leon
Cross-domain automation: Dennis Cruceru
Cisco Customer Lifecycle Overview
Customer experience is a perception of value: how our customers perceive the value of Cisco products, services and support throughout the lifecycle.

Labels shown on the lifecycle wheel: Need, Evaluate, Select, Purchase, Onboard, Implement, Use, Engage, Adopt, Optimize, Recommend, Advocate, Renew, Align, Accelerate.
Logistics
Ask our experts a question (WebEx Events):
• Raise your hand by clicking on the hand icon in the Attendees panel
• Or type your question into the Q&A panel and click Send
Link in chat
Presenters
• Anita Pietrzyk, Customer Success Specialist
• Radek Olszowy, Technical Consulting Engineer
• Juan Jose Ponce, Customer Success Specialist
• Ruben Maia, Customer Success Specialist

Panelists
• Jacob Hannoun, Customer Success Specialist
• Henry Maria, Customer Success Specialist
Cisco Secure Endpoint Virtual Workshop
Endpoint security that works for you

Anita Pietrzyk
Customer Success Specialist
June 2021

*formerly AMP for Endpoints

Cisco Secure Branding
https://www.cisco.com/c/dam/en/us/products/collateral/security/secure-product-naming-qrm.pdf
Agenda
‣ See more. Respond faster
‣ Am I compliant?
‣ Get back to the basics
‣ Connecting the dots

See more. Respond faster
Secure Endpoint value proposition

Juan Jose Ponce
Customer Success Specialist
June 2021

“People don’t want to buy a quarter-inch drill. They want a quarter-inch hole!”
Theodore Levitt
Attackers need the endpoint
• Last line of defense
• Often the weakest link
Nowadays everything is encrypted
https://transparencyreport.google.com/https?hl=en
You can do “SSL/TLS” decryption today
• Web traffic: Cisco FTD, Web Security Appliance
• Applications using cert pinning: Cisco Encrypted Traffic Analytics
Where are the places with richer visibility?
Application, Endpoint

Identify, Protect, Detect, Respond, Recover: Cisco and the NIST Cybersecurity Framework
https://www.cisco.com/c/dam/en/us/products/collateral/security/nist-cybersecurity.pdf
Identify Protect Detect Respond Recover
Cisco Secure Endpoint – AMP for Endpoints (E = Essentials, A = Advantage, P = Premier)

World Class Protection – Prevent:
• Ransomware
• Fileless malware
• Malicious IP communications
• Files using SHA256 hashes or AV signatures

Context:
• IoCs
• MITRE
• Low Prevalence
• Vulnerable Software
• AMP Cloud

Deep Visibility:
• Copy, Move, Create, Execute, Install, Command line

Control:
• Endpoint Isolation
• Allow / Deny Application/Files
Identify Protect Detect Respond Recover
Cisco Secure Endpoint – AMP for Endpoints (Essentials)
Execution and Command Line Visibility

Example: ransomware displaying instructions for payment
Identify Protect Detect Respond Recover
Cisco Secure Endpoint – Orbital Advanced Search (Advantage)
Search for malicious artifacts in near real-time
• 200+ queries available
• Instant results
• Easy to read descriptions
• Mapped to MITRE
• Scheduled or on-demand
Identify Protect Detect Respond Recover
Secure Endpoint Engines (Essentials; A = Advantage)

Prevent:
• Cloud lookups (1:1, 1:many)
• Antivirus (TETRA, ClamAV)
• Exploit Prevention: fileless malware detection, adware removal, process hollowing
• System Process Protection

Detect:
• Static analysis
• Sandboxing (dynamic analysis)
• Malicious Activity Protection
• Machine learning
• Device flow correlation
• Cloud Indicators of Compromise
• Client Indicators of Compromise

Reduce Risk:
• Vulnerable software
• Low prevalence
• Proxy log analysis (Cognitive)
• Endpoint Isolation
• Advanced Search (Orbital) – A
• API Integrations
Identify Protect Detect Respond Recover
SecureX Threat Hunting (Premier)
Tap into unrivalled threat intelligence and hunting expertise from Cisco

Key Capabilities: an analyst-centric process from Cisco that enables organizations to uncover hidden advanced threats

Benefits:
• Proactive threat hunting across your assets by skilled threat hunters
• Visibility into advanced and highly evasive threats lurking in your environment
Identify Protect Detect Respond Recover
Endpoint Isolation – Contain attacks fast (Essentials)
• Isolate infected hosts from the rest of the network
• Contain the threat without losing forensics data
• Shrink remediation cost by limiting the scale of attack
• Fast endpoint reactivation once remediation is complete
Identify Protect Detect Respond Recover
Continuous Analysis and Retrospective Security (Essentials)
Recording:
• Identify point of entry
• See what it is doing
• See where it's been
• Identify how it spread
• Surgically target and remediate
Key Takeaways
• Engines: local, network and cloud – several engines and features
• Features: behavioral analysis, Orbital, SecureX threat hunting
• Integrated: Threatgrid, SecureX, ISE, Stealthwatch, Meraki, SIG, Umbrella, Secure Email, Web, Firewall
• Agent: E / A / P (Essentials, Advantage, Premier)
Am I compliant?
Role Play – A life of a Cybersecurity Specialist

Anita Pietrzyk, Customer Success Specialist, Cisco
Mr. Bob, Globex Security Specialist, Cisco Customer

Cisco Secure Endpoint Offers
Is your Secure Endpoint deployment meeting your expectations?
• Health Check and Accelerators program: Best Practices Report of YOUR deployment
• Ask the experts: guidance from a Subject Matter Expert – http://cs.co/security_atx
Reach out to your account team today.
Get back to the basics
Secure Endpoint’s best practices and common problems

Radek Olszowy
Technical Consulting Engineer
June 2021

Agenda – main topics:
• Known issues
• Upgrades
• Exclusions
• Exploit Prevention
• False positives

Secure Endpoint-related cases (share by category):
• Connectors: 45,9%
• Public Cloud: 26,2%
• Efficacy / Remediation / Compliancy: 16,6%
• Threat Grid: 6,8%
• Integrations: 3,9%
• Private Cloud: 0,6%
Known issues
• CSCvc64688 - Windows Connector cannot run IPtray under multiple users. The second IP tray will not be able to connect to the agent process and will appear to be disconnected from the cloud.
• CSCvx47570 - [ExPrev] Issue with Tiger Lake processors and Windows 10 20H2 (fixed in 7.3.15).
• CSCvx41502 - Disabling the Behavioral Protection engine causes high CPU consumption by sfc.exe (fixed in 7.3.15).
High CPU problems
The AMP Windows Connector might consume a lot of PC resources. Some periods of high CPU are expected, but sometimes the AMP configuration needs to be adjusted for a specific environment.

Common high CPU problems:
• Scans of ‘noisy’ processes, which copy/move/create a lot of files
• Scans of big files that should not be scanned, such as .log or .db files
• Other security products running on the same machine
Collecting debugs
1. Open the Connector’s GUI > Settings > Enable Debug Logging
2. Start Menu > Support Diagnostic Tool
High CPU - Windows Tuning Tool
1. Download the latest Windows Endpoints tuning tool (Diag_Analyzer_v1_03.py) from https://github.com/CiscoSecurity/amp-05-windows-tune and read the README.md file.
2. Run the Diag Analyzer application with the chosen options.
3. Diag_analyzer.py will check the provided AMP diagnostic file for sfc.exe.log files and policy.xml. It will copy those to a new folder. The logs will be parsed, and the output will be printed to the screen and to a {Diagnostic}-summary.txt file.

Example session shown on the slide:

    C:\Users\Radek\Downloads>python Diag_Analyzer_v1_03.py -i
    CiscoAMP_Support_Tool_2021_05_08_23_14_17.zip
    Creating directory
    Successfully created the directory ’C:\Users\Radek\Downloads\CiscoAMP_Support_Tool_2021_05_08_23_14_17’
    Moving log files into the output directory.
    Parsing the logs.
    Would you like to view the exclusions from your policy? [y/n]
Using proxy – don’t inspect!
• AMP communication must be excluded from SSL interception (MITM) on a proxy: AMP4E communication with the AMP cloud is a binary protocol encapsulated in TLS. Any RFC-compliant proxy expects HTTP inside a TLS connection (if intercepted). If a proxy does any kind of man-in-the-middle on AMP traffic, it will detect a non-HTTP protocol inside TLS and will drop the communication!
• Fallback to direct connection: if a proxy is configured, the AMP for Endpoints connector will fall back to the system-configured proxy, and then to direct communication if the configured proxy is not available.
AMP Connector version recommendations
• There is no recommended version of the Windows Connector, but:
• The latest connector always contains the most recent bug fixes and the latest version of the engines (which can be good and bad at the same time);
• Common sense is advised when upgrading: create a Test Group with a Test Policy (a duplicate of your main one) and be sure it is not causing any problems before going fully ahead with the production upgrade.
Upgrade using AMP installer
• You can manually upgrade your connector using the installation package downloaded from the AMP console.
• This procedure can be automated using a third-party software management tool.
• Command line switches: https://www.cisco.com/c/en/us/support/docs/security/sourcefire-fireamp-endpoints/118587-technote-fireamp-00.html
Upgrade troubleshooting
• immpro_install.log is the log file created during the installation/upgrade of the connector. It can be found at:
  C:\ProgramData\Cisco\AMP\immpro_install.log
  %TEMP%\immpro_install.log
• If the problem is reproducible, reproduce it again with debugs enabled – preferably from the cloud (cloud policy change).
• Check and collect Windows Event Logs.
Exclusions
When to use an exclusion?
• Exclude other security applications (anti-malware, anti-virus, DLP etc.),
• Exclude important system/system-related services and processes,
• Adjust performance usage,
• Hide a particular activity from a cloud console.
Types of exclusions - Windows
• The AMP Windows Connector can be configured to make use of different types of exclusions:
1. Threat
2. Path
3. File Extension
4. Wildcard
5. Process – File Scan
6. Process – MAP
7. Process – SPP
Types of exclusions – macOS
• The AMP macOS Connector, on the other hand, can be configured with the following types of exclusions:
1. Threat
2. Path
3. File Extension
4. Wildcard
5. Process – File Scan
Path Exclusion
Path exclusions are typically used for application conflicts, which usually involve excluding a directory. You can create a path exclusion using an absolute path or a CSIDL. Don’t use it for files, e.g. C:\app.exe!

An example of a CSIDL would be CSIDL_DESKTOPDIRECTORY, which refers to the C:\Documents and Settings\username\Desktop folder.

Files in excluded directories and sub-directories:
- won’t be scanned by AMP
- won’t appear in the Device

To exclude a file, use the Allowed Application functionality.
Wildcard Exclusion
These exclusions are the same as path exclusions, except that an asterisk (*) character acts as a wildcard.

Facts about wildcard exclusions:
• A wildcard exclusion does not stop at path separators; this can lead to unintended exclusions. Example: C:*\test will exclude C:\sample\test as well as C:\1\2\3\4\5\6\test123.
• Beginning an exclusion with an asterisk (*) can cause major performance issues and is not recommended (CSCvm37634). Use Any-Drive instead.
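As an added illustration (not from the workshop deck or Cisco's connector code), the following Python model encodes the two wildcard facts above, an asterisk that crosses path separators and a match that covers everything below the matched path, and flags the exclusion patterns the slides warn against. The matching rules are an assumption derived from the slide's own examples, not the connector's real implementation, and the policy and file paths are constructed samples.

```python
import re
from typing import List, Tuple

# Assumption: an illustrative model of the exclusion semantics described on the slide
# (wildcards cross separators; an exclusion covers the matched path and everything
# below it). It is not Cisco's connector code.


def exclusion_to_regex(pattern: str) -> "re.Pattern[str]":
    """Turn a Windows path/wildcard exclusion into a regex.

    Each '*' becomes '.*', which deliberately matches backslashes too: that is the
    'does not stop at path separators' behaviour from the slide. The regex is anchored
    at the start only, so anything below the matched path is covered as well.
    """
    literal_parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile("^" + ".*".join(literal_parts), re.IGNORECASE)


def is_excluded(path: str, exclusions: List[str]) -> bool:
    """True if any exclusion in the policy covers the given path."""
    return any(exclusion_to_regex(exc).match(path) for exc in exclusions)


def covered_paths(exclusion: str, candidate_paths: List[str]) -> List[str]:
    """List which candidate paths a single exclusion would hide from scanning."""
    regex = exclusion_to_regex(exclusion)
    return [p for p in candidate_paths if regex.match(p)]


def audit_exclusions(exclusions: List[str]) -> List[Tuple[str, str]]:
    """Flag exclusions the workshop slides advise against.

    Returns (exclusion, finding) pairs for:
      - a leading '*'  : major performance impact (CSCvm37634); use Any-Drive instead
      - any other '*'  : the wildcard crosses separators, so review what it covers
      - a file path    : path exclusions are for directories; use Allowed Applications
    The file check is a heuristic (a dot in the last path component).
    """
    findings = []
    for exc in exclusions:
        last_component = exc.rsplit("\\", 1)[-1]
        if exc.startswith("*"):
            findings.append((exc, "starts with '*': major performance issue, use Any-Drive instead"))
        elif "*" in exc:
            findings.append((exc, "wildcard crosses path separators: check what it really covers"))
        elif "." in last_component:
            findings.append((exc, "path exclusion targets a file: use Allowed Application instead"))
    return findings


if __name__ == "__main__":
    # Constructed sample policy and sample file paths (not from a real deployment).
    policy = [r"C:*\test", r"*\temp", r"C:\app.exe", r"C:\Program Files\OtherAV"]
    sample_paths = [r"C:\sample\test", r"C:\1\2\3\4\5\6\test123",
                    r"C:\Program Files\OtherAV\engine.dll", r"D:\data\test"]
    for exc in policy:
        print(exc, "->", covered_paths(exc, sample_paths))
    for exc, finding in audit_exclusions(policy):
        print("WARNING:", exc, "-", finding)
```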
Process Exclusions
There are three types of Process Exclusions:
1. File Scan
2. Malicious Activity Protection (MAP)
3. System Process Protection (SPP)

Only the File Scan type excludes the process from being scanned by the SHA256 engine; MAP and SPP exclusions relate to those respective engines.

A process exclusion is defined by either: specifying the full path to the process executable, the SHA-256 value of the process executable, or both the path and the SHA-256.
Process Exclusion – File Scan
Process Exclusions allow admins to exclude running processes from scans.

Facts about Process - File Scan exclusions:
• If both Path and SHA-256 are specified, both conditions must be met to exclude the process.
• You can use CSIDLs: https://docs.microsoft.com/en-us/windows/win32/shell/csidl
• If the file size of the process is greater than the maximum scan file size set in your policy, the exclusion will not work. Use a path-based process exclusion for files larger than the maximum scan file size.
• Connector versions 7.3.1+ have a limit of 00 process exclusions across all process exclusion types. The connector only honors the process exclusions up to the limit, from the top of the process exclusions list in policy.xml.
• Child processes created by an excluded process are not excluded by default.
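The rules above decide whether a given running process is actually excluded, and several of them are easy to get wrong when writing a policy. The Python model below is an added example, not code from the deck or from Cisco, that evaluates a constructed policy against constructed processes under those rules: path and hash must both match when both are given, a hash-only exclusion cannot apply to a file above the maximum scan file size, only the first entries up to the limit are honored, and child processes inherit nothing. The exclusion limit is passed in as a parameter, and SAMPLE_SHA is a hash of constructed bytes, not of any real file.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: an illustrative model of the File Scan process-exclusion rules listed on
# the slide, written for this summary. It is not Cisco's connector code.

# Constructed sample hash (of a made-up byte string), not the hash of any real binary.
SAMPLE_SHA = hashlib.sha256(b"constructed sample binary").hexdigest()


@dataclass
class ProcessExclusion:
    path: Optional[str] = None      # full path to the executable (a real policy may use a CSIDL)
    sha256: Optional[str] = None    # hex SHA-256 of the executable


@dataclass
class RunningProcess:
    path: str
    sha256: str
    size_bytes: int
    parent_excluded: bool = False   # True if the parent process matched an exclusion


def matches(exc: ProcessExclusion, proc: RunningProcess) -> bool:
    """When both path and SHA-256 are specified, both must match."""
    if exc.path is None and exc.sha256 is None:
        return False  # an empty exclusion matches nothing
    path_ok = exc.path is None or exc.path.lower() == proc.path.lower()
    hash_ok = exc.sha256 is None or exc.sha256.lower() == proc.sha256.lower()
    return path_ok and hash_ok


def is_process_excluded(proc: RunningProcess, policy: List[ProcessExclusion],
                        max_scan_file_size: int, exclusion_limit: int) -> Tuple[bool, str]:
    """Return (excluded, reason) for one process, following the slide's rules."""
    # Entries are evaluated in policy.xml order; only the first `exclusion_limit` count.
    for index, exc in enumerate(policy):
        if not matches(exc, proc):
            continue
        if index >= exclusion_limit:
            return False, f"matching entry #{index + 1} is beyond the limit of {exclusion_limit}"
        if exc.path is None and proc.size_bytes > max_scan_file_size:
            # Hash-only exclusion: a file above the scan size limit is never hashed,
            # so the exclusion cannot take effect; a path-based exclusion is needed.
            return False, "file exceeds maximum scan file size; use a path-based exclusion"
        return True, f"matched entry #{index + 1}"
    if proc.parent_excluded:
        return False, "parent is excluded, but child processes are not excluded by default"
    return False, "no matching exclusion"


def sample_policy() -> List[ProcessExclusion]:
    """Constructed policy with one entry of each form the slide allows."""
    return [
        ProcessExclusion(path=r"C:\Tools\agent.exe", sha256=SAMPLE_SHA),  # path AND hash
        ProcessExclusion(sha256=SAMPLE_SHA),                               # hash only
        ProcessExclusion(path=r"C:\Tools\big.exe"),                       # path only
    ]


if __name__ == "__main__":
    MB = 1024 * 1024
    cases = [
        RunningProcess(r"C:\Tools\agent.exe", SAMPLE_SHA, 1 * MB),
        RunningProcess(r"C:\Tools\agent.exe", "0" * 64, 1 * MB),          # hash differs
        RunningProcess(r"C:\Other\tool.exe", SAMPLE_SHA, 60 * MB),        # too big for hash-only
        RunningProcess(r"C:\Tools\big.exe", "0" * 64, 60 * MB),           # path-based still works
        RunningProcess(r"C:\Tools\child.exe", "0" * 64, 1 * MB, parent_excluded=True),
    ]
    for proc in cases:
        print(proc.path, is_process_excluded(proc, sample_policy(), 50 * MB, 100))
```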
Process Exclusion – System Process Protection
The idea of SPP exclusions is to not block access to specific calls/requests targeting the protected processes.

SPP does not care whether the process is CLEAN, UNKNOWN or MALICIOUS from the cloud perspective. The point is that if we block access for a process with a CLEAN disposition from the cloud, we will not send any notification.

SPP does not block every call; rather, it blocks operations that are able to modify/terminate system processes.
Exclusion's knowledgebase
https://www.cisco.com/c/en/us/support/docs/security/amp-endpoints/213681-best-practices-for-amp-for-endpoint-excl.html
https://docs.amp.cisco.com/en/A4E/AMP%20for%20Endpoints%20User%20Guide.pdf#G5.3400437
https://video.cisco.com/detail/video/6038277786001/create-exclusions-in-cisco-amp-for-endpoints?autoStart=true&q=amp

Exploit Prevention
ExPrev - Theory
• Exploit Prevention moves the libraries of the protected process to a different location
• Malicious code injection is done against the cloned libraries
• Exploit Prevention detects the malicious activity and kills the bad process
• Exclusions are managed by TAC
• There is an Audit mode from version 7.3.1
ExPrev - Troubleshooting
• If any of the processes (or child processes) protected by ExPrev behaves incorrectly with the Connector enabled, try disabling ExPrev or enabling its audit setting in the policy and test the situation.
• Troubleshoot with the help of a TAC engineer
• Then open the TAC case and let us know that the problem points to the Exploit Prevention engine.
False positives

How to spot a false positive:
• Known, trusted file, e.g. drivers, well-known developer
• It was working fine, but it has stopped
• No detections in VirusTotal
• Low score in ThreatGrid (below 90)
• ZIP archive with only ASCII text inside
How to send them for a review:
• Open a Talos ticket on the talosintelligence.com site
• Open a TAC case and provide the following:
1. What is the origin of the file/executable? Where and how was it obtained?
2. Why do you think it should be clean?
3. What is the purpose of this application/file?
4. What is the SHA256 of that file in the AMP console?
5. Attach it to the case, preferably zipped with the password ‘Infected’.
6. What is the current business impact? On how many machines was it seen?

• A review usually takes 1-2 days to be processed. If you are convinced that the file is benign, add its SHA256 to the Allowed Applications list to override the disposition to clean.
Additional documentation
• For more information about false detections, outbreaks, and Incident Response visit:
https://www.cisco.com/c/en/us/support/docs/security/advanced-malware-protection-endpoints/200618-Work-with-the-Advanced-Malware-Protectio.html
Connecting the dots
Boosting your investment with integrations out of the cloud

Ruben Maia
Customer Success Specialist
June 2021

Adding new security technology is a double-edged sword
It gives you new functionality, but it also creates a lot of complexity… “Without solid foundations the house will fall..”
• Threat intelligence and visibility are siloed
• You constantly pivot between interfaces
• You spend too much time on integration
• Your workflows are slow and disconnected
We believe security systems should empower your people to investigate and respond to threats faster
• Automation should reduce the burden on the SOC
• Security products and threat intel should all work together
• Make it easier and faster to investigate threats
CISOs want to efficiently manage cybersecurity risks
SOC Managers want to demonstrate their team’s effectiveness
• Would you like to improve your cybersecurity
posture while efficiently and effectively
managing risks?
• Would you like to manage fewer
security vendors while dramatically improving
your cybersecurity capabilities?
• Would you like to shorten time-consuming
investigations while focusing your staff on
higher-value activities?

Introducing SecureX
A cloud-native, built-in platform experience within our portfolio
• Cisco Secure and your infrastructure: Network, Endpoint, Cloud, Applications, Identity, 3rd Party/ITSM, Intelligence, SIEM/SOAR
• Unified Visibility
• Detection, Analytics, Investigation, Remediation, Managed Policy, Orchestration, Automation
• Your teams: SecOps, ITOps, NetOps
Our portfolio includes XDR capabilities and beyond
These values in SOAR/XDR platforms and beyond are a fundamental right in SecureX:
• SOAR: API-based integration, simplified policy, process automation, response efficiency, and more
• XDR: X-product integration, simplified experience, unified visibility, simplified analytics, operational efficiency

Unlike SOAR/XDR platforms, these pains do not exist in SecureX:
• Separate license (SOAR) / separate license (XDR) – SecureX: already entitled to it
• Integration experts / automation experts – SecureX: no special skills required
• No data normalization / massive data lake – SecureX: no data storage required
• Context lacks breadth / third party limitations – SecureX: no vendor lock-in
*SIEM/SOAR is easier to use!
Demo
• integrations: built-in, pre-built or custom
• ribbon & sign-on: never leaves you, maintains context
• dashboard: customizable for what matters to you
• threat response: at the core of the platform
• orchestration: drag-drop GUI for no/low code
We believe alerts should be smart and prescriptive to empower your team to take decisive action against bad actors
Make it easier and faster to investigate threats

(Slide graphic: relationship graph linking observables – Email Address, Malicious URL, Message, Malicious Domain, IP, SHA-256, Suspicious URL – to targets: Email, Endpoint, Network.)
How true simplicity is experienced
Before: 32 minutes
1. IOC/alert
2. Investigate incidents in multiple consoles (Product dashboards 1 to 4: Email Subject, Malicious domain, Target endpoint, SHA-256, IP)
3. Remediate by coordinating multiple teams (Product dashboards 1 to 4)

After: 5 minutes
SecureX threat response is integrated across your security infrastructure, in one view:
• Query intel and telemetry from multiple integrated products
• Quickly visualize the threat impact in your environment
• Remediate directly from one UI
SecureX threat response integrates across the Cisco Secure portfolio
Included at no additional cost with the following licenses:
• Secure Network Analytics
• Secure Malware Analytics
• Secure Endpoint
• Cisco Secure Web Appliance
• Secure Email
• Secure Firewall
• Umbrella
We believe your tools and technology should be automated as much as possible to free up your resources’ valuable time.
Automation should reduce the burden on the SOC

(Slide graphic: an ALERT from Cisco or non-Cisco infrastructure triggers a workflow of tasks, a condition, a while loop and a final REMEDIATE task.)
Introducing SecureX orchestration
Process automation made simple with a no/low-code drag-drop interface
• Investigate: reduce research and response times with workflows and playbooks that execute at machine speed
• Automate: eliminate repetitive tasks and reduce MTTR to increase productivity and focus on mission-critical projects
• Integrate: unique turnkey approach to quickly integrate with other systems and solutions to expand your toolbox
• Scale: automation that scales infinitely and never takes a day off, delivering the same SLA around the clock
SecureX Automation & Orchestration
Phishing use case – user experience
1. End User receives an email they think is suspicious, so submits it to SecureX for analysis.
2a. Security Analyst is notified if the email is malicious and remediation action is taken. Optionally, a team space can be created, people invited, and the case link/details added.
2b. End User is notified whether the email is malicious or not, with next steps.
Phishing use case - playbook
Playbook integrates 6 products: Malware Analysis, Endpoint Security, Cloud Security, Email Security, Threat Response, ServiceNow

SecureX automates an action orchestrator using a prebuilt, yet customizable playbook:
START
• Pre-process: email received from investigation mailbox; extract DIRECT observables from the email; acknowledge the user for the submission; gather INDIRECT observables
• Deliberate: determine verdict for observables
• Prevent: perimeter blocking (e.g. malicious domains); add hashes linked with domains to the outbreak control list (post-MVP)
• Investigate: hunt malicious or suspicious observables; internal targets found?
• Identify: identify asset details
• Mitigate: internal blocking (e.g. isolate host after approval); create IT ticket
• Remediate: case management, create Threat Response incident; update email spam rules or retract emails (post-MVP)
STOP
We believe in a seamless integration and experience
SecureX sign-on
• Adaptive, layered, and simplified authentication
• Enter a single username and password to access all integrated applications, and maintain context through your workflows
• Duo's Multi-Factor Authentication (MFA) integrated secure sign-on feature means one push notification, one tap, instant access.
Meaningful integrations with your investments
Not just a simple syslog data dump
• Third-party security infrastructure: operational tools, intelligence sources, infrastructure protections and visibility
• Cisco infrastructure: networking, collaboration, server/app, and multicloud management platforms (ACI, UCS Director, CloudCenter …and more!)
• Third-party infrastructure: IT service management, cloud/virtual and devop platforms
• General infrastructure: scripting/dev tools, system interfaces, data exchanges, and messaging protocols (HTTP, SMTP, SNMP)
SecureX seamlessly integrates into your SOC

Products with built-in SecureX features
In summary…
Unlock new value from your current investments
• From partial awareness to complete and actionable insights
• From inefficient workflows to the strength of automation
• From siloed product usage to shared context
• From complexity to simplicity
SecureX in the classroom
Multiple, global threat hunting workshops, every quarter and now as virtual classes, to educate teams with real-world scenarios
https://www.cisco.com/c/en/us/products/security/threat-hunting-workshop.html#~events
Now features SecureX use cases: learn how to defend against advanced adversaries with the platform
SecureX resources
Continue your SecureX journey with us
SecureX Orchestration:
• Learn more at cs.co/SXO_docs
• Find out more in our GitHub: cs.co/SXO_repo
• Find us on YouTube: cs.co/SXO_videos
• Check our DevNet SecureX space: developer.cisco.com/securex/orchestration/
SecureX Threat Response:
• Learn more at cisco.com/go/threatresponse
• Join the Community: cs.co/ctr_community
• Find us on YouTube: cs.co/CTRvideos
SecureX:
• cisco.com/go/securex
• cs.co/SecureX_videos
• cs.co/SecureX_faq
• https://learnsecurex.cisco.com/
Customer satisfaction rating
“Easy to investigate threats”
“Single pane of glass security”
“Insight that I have not had in the past”
“Amazing levels of detail in one spot”
“Everything is integrated”
“It just works”
8.4 average rating out of 10
TechValidate survey, June 2020
https://www.techvalidate.com/product-research/cisco-threat-response/facts
We’ve reached our goal
https://www.ciscofeedback.vovici.com/se/6A5348A71DF95914
References

Google Transparency Report
https://transparencyreport.google.com/https?hl=en

Cisco and the NIST Cybersecurity Framework
https://www.cisco.com/c/dam/en/us/products/collateral/security/nist-cybersecurity.pdf

Deployment of Cisco AMP for Endpoints with Identity Persistence
https://www.cisco.com/c/en/us/support/docs/security/advanced-malware-protection-endpoints/200318-Deployment-of-Cisco-AMP-for-Endpoints-wi.html

How To Prepare a Golden Image with AMP for Endpoints
https://www.cisco.com/c/en/us/support/docs/security/amp-endpoints/214462-how-to-prepare-a-golden-image-with-amp-f.html

Customer Success Ask the Experts
http://cs.co/security_atx

Known issues
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvc64688
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvx47570
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvx41502

High CPU - Windows Tuning Tool
https://github.com/CiscoSecurity/amp-05-windows-tune

Upgrade using AMP installer
https://www.cisco.com/c/en/us/support/docs/security/sourcefire-fireamp-endpoints/118587-technote-fireamp-00.html

Process Exclusion – File Scan
https://docs.microsoft.com/en-us/windows/win32/shell/csidl

Exclusion's knowledgebase
https://www.cisco.com/c/en/us/support/docs/security/amp-endpoints/213681-best-practices-for-amp-for-endpoint-excl.html
https://docs.amp.cisco.com/en/A4E/AMP%20for%20Endpoints%20User%20Guide.pdf#G5.3400437
https://video.cisco.com/detail/video/6038277786001/create-exclusions-in-cisco-amp-for-endpoints?autoStart=true&q=amp

Additional documentation about false detections, outbreaks and incident response
https://www.cisco.com/c/en/us/support/docs/security/advanced-malware-protection-endpoints/200618-Work-with-the-Advanced-Malware-Protectio.html
What questions do
you have?
