Cisco Advanced Malware Protection (AMP) for Endpoints [Product Review]
In today’s cyber-threat landscape, the network infrastructure is often viewed as a prized possession by the cyber-attacker. There are numerous reasons for this, one of them being that once he or she has some sort of entry into the infrastructure, they can over a period of time gain access to many of the servers and the databases that reside on it.
Many businesses and corporations are taking the strategy of simply doubling or even tripling down of the technologies that they deploy in order to beef up their lines of defenses. This is actually the wrong approach to take, as it merely increases the attack surface for the hacker and gives them more points of entry.
In this article, we examine one tool that can provide the needed security from beginning to the end for your critical network-based assets – the Cisco Advanced Malware Protection (AMP) for Endpoints.
What Exactly Is the AMP?
The AMP provides a high-powered, enterprise-grade level protection system to protect your network infrastructure from all sorts of malware, which will help prevent newer variants of it from attacking your business (examples of this include Ransomware, Business Email Compromise, etc.). This tool also provides high level analytics so that you can further study attack profiles and signatures before they become a threat to you.
With the AMP, you get protection at three distinct levels:
- Before an attack actually occurs: The AMP makes use of the Talos Security Intelligence and Research Group and Threat Grid feeds to alert you of any potential cyber-threats that are on the horizon
- When an attack actually occurs: If your organization is hit by malware, the AMP uses the above-described feeds in order to identify and prevent malicious data packets that are attempting to break through and infiltrate your network
- After an attack occurs: After this situation has occurred, the AMP will then provide detailed information to your IT security staff as to the origin of the malware, what its point of impact was in your in-network infrastructure, and what the current status of the malware is. In fact, with just a few clicks of the mouse, the malware can be contained, and isolated from causing further damage.
The Features of the AMP
The following are the main features:
- Indications of Compromise: It automatically correlates event-driven data (in particular malware and intrusion events) so that your IT security staff can better model what the cyber-threat landscape could potentially look like into future
- File reputation: Sophisticated intelligence tools are used to determine if a file (such as an attachment in an email) is safe to enter, or is malicious (and thus should not enter the network)
- An antivirus engine: This includes rootkit scanning mechanisms. With this, the customer has a choice of bringing together the endpoint protection and antivirus functionalities into one cohesive unit
- Static/dynamic malware analysis: A sandboxing environment is provided with the AMP so that your IT security staff can safely analyze any malware that has gotten through, in order to further examine its effects and signature profiles
- Retrospective detection: This is an advanced alert system to notify you that the malware is about to hit a second line of defense, in case it was not detected earlier as it broke through the first defense layer
- File trajectory: The AMP is constantly keeping track of all of the files that are entering your network or already inside of it. The goal here is to notify you immediately if there are any warning signs that a file is about to become malicious in nature
- Device trajectory: This functionality of the AMP is also constantly keeping track of all devices in your network infrastructure that are communicating with one another. This is all in an effort to fully put together the chain of events that allowed the malware to enter and cause a security breach
- Elasticsearch: This allows you to conduct iterative searches (using the intelligence tools provided by Cisco) in an effort to fully break down the “context and scope” of a particular piece of malware
- Prevalence: This aspect of the AMP allows you to further examine all of the files that have been launched and executed from within your organization. A prioritization ranking system is used here in order to unearth any unknown security risks that become an imminent threat
- Endpoint IoCs: This system allows for all employees across your business to submit their own observations of any malicious or suspicious activity in your network systems
- An analysis into the vulnerabilities: This component of the AMP displays a listing of all vulnerabilities that are associated with the software packages that reside on your network. It even gives you further insight into those apps that pose the most and least risk
- Outbreak control: This AMP feature allows your IT security staff to quickly take control and isolate of any suspicious files before they can do their damage.
Integration With Event-Activated Learning
In training your employees about security, it is one thing just to merely describe and lecture about a particular event in the hopes that they will apply what they have learned. But in most cases, this is not the case. For example, he or she may claim to understand the concept, but what is the probability that they will act upon it when faced in real-time? Probably not too high. Therefore, it is very important to make a lasting impression on your employees so that they will maintain good standards of cyber-hygiene in your business. For example, instead of just lecturing about what a phishing attack is and how to act on it, it’s better to have them actually engage in this activity in real-time.
The AMP can be easily integrated into this educational awareness program, in order to make students (your employees) have and maintain a proactive mindset about the network security landscape they are exposed to in their job roles and associated tasks.
Conclusion: The Benefits of the AMP
Any network security solution must be supported by robust intelligence, so that any business or corporation can be rest assured that their tools are up to date in tracking down the latest network threats and risks. As described earlier in this article, the AMP makes use of a specialized feed system that encompasses the following in real time:
- The analysis of the signature profiles of 1.5 million pieces of malware on a daily basis
- Over 1.6 billion network sensors that are dispersed on a global basis
- 100 terabytes of information and data are collected on a daily basis
- Over 13 billion Web requests
- Operated 24 hours a day, 7 days a week, 365 days a year
All of these benefits of the AMP are made available to your IT security staff via easy to use and quickly understandable dashboards.
The AMP can also detect one of the latest and deadliest cyber-threats that exists today – fileless memory attacks. This is where the memory of a particular IT asset is targeted and virtually destroyed. This solution from Cisco can has also been designed to operate with the iOS and Android, so that your network administrator(s) can react to a security breach wherever they are located.