Endpoint Protection and Detection Flashcards

1
Q

AMP solutions enables malware detection, blocking, continuous analysis and retrospective views with the following features

A
  • File reputation : AMP allows you to analyze inline and block or apply policies
  • File Sandboxing : AMP allows you to analyze unknown files to understand true file behavior
  • File retrospection : AMP allows you to continue analyze files for changing threat levels
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Tools primarily focused on detecting and investigating suspicious activities other problems on host/endpoints.
It also monitor endpoints and network events and record the information in a central database so that you can perform further analysis, detection, investigation and reporting

A

EDR (Endpoint Detection and Response)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

The minimum capabilities of good EDR are?

A
  • Filtering (ability to filter out false positive)
  • Threat blocking (containing the threat)
  • help with digital forensic and incident response (DFIR).
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Another term in the industry which people refer to same as EDR

A

EPP (Endpoint protection platform)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Provides more than just endpoint-level visibility into files. It also provides cloud based detection of malware, in which the cloud constantly update itself.

A

AMP for Endpoints

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

AMP cloud is able to provide a historical view of malware activity, segmented into two activity types

A

File Trajectory : what endpoint have seen the files
Device Trajectory : actions file performed on given endpoints

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

AMP for Endpoint Connectors use this port to communicate with Cisco Cloud servers for file and network disposition lookups

A

TCP 443 by default or TCP 32137

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Allows you to create lists that customize AMP for Endpoints to your organizations needs.

A

Outbreak Control

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

You can think of this as blacklist detection. When this detection is defined , not only endpoints quarantine matching files when they see them but any AMP for endpoints agents that have seen the files before this detection is created can also quarantine the files thru retrospection. Also known as cloud recall.

-Allows you to add traditional antivirus signatures.

A

Custom Detection.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Difference between simple and advance custom detection

A

Simple custom detection allows you to add file signatures
(Creating a simple custom detection is similar to adding new entries to blacklist, you define one or more files that you are trying to quarantine by building a list of SHA-256 hashes)

Advance custom detection are more like traditional antivirus signatures.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Difference between simple and advance custom detection

A

-Simple custom detection just look for SHA-256 hash of a file.

-Advance custom detection include the following
>File body-based signatures
>MD5 Signatures,
>MD5, PE section based-signatures
>An extended signature format
>Logical signatures
>Icon signatures
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Allows you to flag or even block suspicious network activity. You can use policies to specify the behavior of AMP for endpoints when a suspicious connection is detected and also to specify whether connector should use address in Cisco Intelligence feed

A

DFC (device flow correlation)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Allows you to block application. This does not look into the name of application but the SHA-256 hash. If you dont have SHA-256, you can upload one application at a time and have AMP cloud console calculate the SHA-256 hash. App must be not larger than 20MB

A

Application Control - Blocked Applications.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

A list of directories, file extensions or even threat names that you do not want the AMP agent to scan subsequently not convict as malware. You can use this to resolve conflict with other security products or mitigate performances issues by excluding directories that contain large file that are frequently written to like database

A

Exclusion Set

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Available exclusion type

A
  • Threat (threat name)
  • Extension (file extension)
  • Wildcard (filenames, path , extension)
  • Path (path)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Amp for Endpoints is available for multiple platforms: Windows,Android,Mac,Linux. Where can you see the available connectors from the cloud console ?

A

Management > Download Connector>

17
Q

To create this , you navigate to Management > Policies. This is applied to an endpoint via groups.

A

AMP for Endpoint Policies

18
Q

You can use this to AnyConnect to aid in distribution of the AMP connector to client who use AnyConnect remote access VPN, secure network access, posture assessment with CIsco ISE.

A

AnyConnect AMP Enabler

19
Q

Three detection and protection engines in AMP for Endpoints

A
  • TETRA (full client antivirus solution, do not enable if there is an existing antivirus. Default setting is TETRA Disabled as it changes AMP nature from lightweight to thick client that consumes more disk space).
  • SPERO (machine-learning based technology that proactively identifies threats that were previously uknonwn. It actively uses heuristic to gather execution attributes, and because the underlying algorithms come up with generic models)
  • ETHOS (a “fuzzy fingerprinting” engine that uses static or passive heuristics)
20
Q

Provide MDM functionallity that ensures that diverse user equipment (mobile phones, tablet, laptop, and so on) is configured to a consistent standard and a supported set of application, functions or corporate policies

A

Cisco Meraki SM

21
Q

Is “one-pane-of-glass” console that automate integrations across Cisco Security products and threat intelligence sources. This is ongoing effort from Cisco to provide a single console for the management of most of its security products. Integrates with the following

  • Cisco AMP
  • Amp for Endpoints
  • Cisco Threat Grid
  • Cisco Umbrella
  • Cisco Email Security
  • Cisco Next-Generation Firewall (NGFW)
  • Next-Generation Intrustion Prevention System (NGIPS)
A

Cisco Threat Response