Endpoint Protection and Detection Flashcards
AMP solutions enable malware detection, blocking, continuous analysis, and retrospective views with the following features:
- File reputation: AMP allows you to analyze files inline and block them or apply policies
- File sandboxing: AMP allows you to analyze unknown files to understand true file behavior
- File retrospection: AMP allows you to continue analyzing files for changing threat levels
Tools primarily focused on detecting and investigating suspicious activities and other problems on hosts/endpoints.
They also monitor endpoint and network events and record the information in a central database so that you can perform further analysis, detection, investigation, and reporting.
EDR (Endpoint Detection and Response)
What are the minimum capabilities of a good EDR?
- Filtering (ability to filter out false positives)
- Threat blocking (containing the threat)
- Help with digital forensics and incident response (DFIR)
Another industry term that people use to refer to the same thing as EDR
EPP (Endpoint protection platform)
Provides more than just endpoint-level visibility into files. It also provides cloud-based detection of malware, in which the cloud constantly updates itself.
AMP for Endpoints
AMP cloud is able to provide a historical view of malware activity, segmented into two activity types:
File Trajectory: which endpoints have seen the files
Device Trajectory: actions that files performed on given endpoints
AMP for Endpoints connectors use this port to communicate with Cisco cloud servers for file and network disposition lookups
TCP 443 by default or TCP 32137
Allows you to create lists that customize AMP for Endpoints to your organization's needs.
Outbreak Control
You can think of this as blacklist detection. When this detection is defined, not only do endpoints quarantine matching files when they see them, but any AMP for Endpoints agents that saw the files before the detection was created can also quarantine them through retrospection. Also known as cloud recall.
- Allows you to add traditional antivirus signatures.
Custom Detection.
Difference between simple and advanced custom detection
Simple custom detection allows you to add file signatures.
(Creating a simple custom detection is similar to adding new entries to a blacklist: you define one or more files that you are trying to quarantine by building a list of SHA-256 hashes.)
Advanced custom detections are more like traditional antivirus signatures.
Difference between simple and advanced custom detection
- Simple custom detection just looks for the SHA-256 hash of a file.
- Advanced custom detection includes the following:
  - File body-based signatures
  - MD5 signatures
  - MD5, PE section-based signatures
  - An extended signature format
  - Logical signatures
  - Icon signatures
Allows you to flag or even block suspicious network activity. You can use policies to specify the behavior of AMP for Endpoints when a suspicious connection is detected and also to specify whether the connector should use addresses in the Cisco Intelligence feed.
DFC (device flow correlation)
Allows you to block applications. This does not look at the name of the application but at its SHA-256 hash. If you don't have the SHA-256 hash, you can upload one application at a time and have the AMP cloud console calculate it. The application must be no larger than 20MB.
Application Control - Blocked Applications.
A list of directories, file extensions, or even threat names that you do not want the AMP agent to scan and subsequently not convict as malware. You can use this to resolve conflicts with other security products or mitigate performance issues by excluding directories that contain large files that are frequently written to, such as databases.
Exclusion Set
Available exclusion types
- Threat (threat name)
- Extension (file extension)
- Wildcard (filenames, path, extension)
- Path (path)