
Cisco Advanced Malware Protection (Cisco AMP for Endpoints) (AMP)

Product
Developer: Cisco Systems
First release: April 2014
Last release date: 2018/04/25
Technology: Firewalls; Data center (DPC) technologies


2018: April update to AMP for Endpoints

On April 25, 2018 Cisco announced an expanded set of functions for its cloud-delivered endpoint protection solution, Cisco Advanced Malware Protection (AMP) for Endpoints, which blocks attacks and helps uncover previously undetected threats capable of harming the business.

Among the capabilities added to AMP for Endpoints:

  • Comprehensive mechanisms for identifying and counteracting threats, including current ones such as ransomware and cryptocurrency-mining malware.
    • Cisco now protects against threats even when the user is disconnected from the network. The exploit-prevention function counters fileless attacks, including those that reside only in the device's memory, and the malicious-activity-prevention function stops ransomware by terminating the running processes and preventing them from spreading.
    • After analysing numerous ransomware variants, Cisco analysts identified the encryption methods they have in common. From this data a mechanism was built to protect the business both against data encryption by ransomware and against its propagation.
    • Cisco noted that the recent growth in the popularity of fileless malware is partly explained by how hard it is to detect. The protection mechanism built directly into Cisco AMP for such threats requires no configuration or tuning. It guards against exploitation of vulnerabilities for which no patch is yet available, and keeps working around the clock even when users go offline.

  • Cisco Visibility, an application for threat investigation.
    • This cloud application, built into the endpoint management console, simplifies and speeds up security-incident investigation, making it easier for analysts to investigate incidents quickly and at the required scale. The application collects, normalises and enriches security events, giving a visual picture of the scope of an incident from the endpoints to the network and the cloud.
    • To simplify investigations, reduce complexity and shorten the time needed to triage incidents and remediate their effects, Cisco Visibility combines the organisation's internal security events and anomaly data from its own security infrastructure with threat intelligence received from Cisco Talos and third parties.
    • For routine tasks Cisco Visibility minimises the need to switch between multiple consoles. A few mouse clicks are enough for a user to drill into data from Talos, Cisco Umbrella Investigate, Threat Grid, AMP and other sources, to understand how the observed events appear in the environment and how they relate to one another.

2016: AMP for Endpoints

On February 9, 2016 Cisco's corporate blog published details of an upgrade to the solution's capabilities, improving its effectiveness and usability and helping security teams strengthen protection against sophisticated attacks[1].

Screenshot of application window 2015


Main changes in Cisco AMP for Endpoints:

AMP for Endpoints runs on Windows, Mac OS and Linux (CentOS and Red Hat), and on Android mobile devices. Windows 10 and Mac OS X 10.11 are now also covered by Cisco AMP for Endpoints.

The AMP for Endpoints API lets users integrate third-party security tools and query the data or events in their account without logging into the management console.

Where endpoint protection is required but the organisation's security requirements do not permit the use of a public cloud, the AMP virtual appliance can be deployed in a private cloud. The AMP platform also gained advanced vulnerability-detection and role-based access control functions. Vulnerability detection warns the system administrator that software with known vulnerabilities, which attackers could exploit, is installed on an endpoint. Role-based access control grants rights and access for particular tasks according to the user's role.

On November 1, 2016 Cisco presented the AMP for Endpoints software as an innovative approach to securing users' devices.

AMP for Endpoints is managed from the cloud on a software-as-a-service (SaaS) basis. The product provides threat identification and defence, letting users prevent attacks by blocking malware at the point of entry, which reduces the need for separate security technologies on the endpoint.

The product performs continuous monitoring and retrospective analysis and provides integrated threat protection. The technology helps cut detection time from days to hours or even minutes, and helps respond to attacks faster and more effectively: through a simple cloud interface users can determine the scope of an attack, find and contain threats, and remediate them on every endpoint.

Representation of Cisco AMP for Endpoints, (2016)

The AMP for Endpoints solution offers the following capabilities:

  • next-generation attack prevention, combining proven and advanced protection methods that detect and block attacks at the point of entry more effectively; security analytics developed by Cisco Talos that successfully counter newly emerging threats; a built-in sandbox in which unknown files are analysed; and proactive protection that closes avenues of intrusion and reduces exposure to vulnerabilities.
  • faster detection through continuous monitoring. AMP for Endpoints records all file activity and quickly identifies malicious actions, reporting them to the security team. Threat intelligence is shared and correlated through open APIs and the AMP Everywhere technology. Its agentless detection technology lets organisations detect on average 30% more compromises in places where agents are not used or cannot be deployed.
  • more effective response through retrospective protection, in-depth visibility and a detailed timeline of a malicious file's actions (where it came from, where it ran, what it did) that lets the attack be fully contained. AMP for Endpoints speeds up analysis and reduces complexity by searching all endpoints for indicators of compromise from a simple cloud user interface. Users of the affected devices (PCs, Macs, Linux systems, mobile devices) can then respond quickly.

AMP for Endpoints shares and correlates threat intelligence across the whole architecture, including both the AMP ecosystem and Cisco's other security platforms. Once a threat has been identified, this allows it to be blocked automatically everywhere.
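The retrospective protection described above (record every file event as it happens, then replay the history when a file's verdict changes, and push a block to every endpoint) can be modelled in a few dozen lines. The following is an added example written for this page; it is not Cisco code and does not use the AMP for Endpoints API. Hostnames, hashes, paths, parent processes and timestamps are constructed for the example, and the event store is an in-memory stand-in for the cloud's trajectory database.

```python
"""Retrospective detection over an endpoint file trajectory (added example,
not Cisco code). Every file event is recorded with its SHA-256 at the time
it happens, whether or not the file looks malicious then. When the hash is
later convicted, the stored trajectory is replayed to find every host, path
and parent process that touched it, and the hash is blocked on all hosts.
All sample data below is constructed."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime


@dataclass(frozen=True)
class FileEvent:
    ts: datetime
    host: str
    sha256: str
    path: str
    action: str   # "create", "execute" or "move"
    parent: str   # process that performed the action


@dataclass
class HostFootprint:
    first_seen: datetime
    executed: bool = False
    paths: set = field(default_factory=set)
    parents: set = field(default_factory=set)
    dwell_hours: float = 0.0   # time from first contact to the verdict


class Trajectory:
    """Append-only store of file events, indexed by SHA-256."""

    def __init__(self):
        self._by_hash = defaultdict(list)

    def record(self, ev: FileEvent):
        self._by_hash[ev.sha256].append(ev)

    def retrospective_scan(self, sha256: str, verdict_at: datetime):
        """Replay history for a hash convicted at `verdict_at`.

        Returns {host: HostFootprint} for every host that touched the file
        before the verdict, i.e. the exposure a point-in-time scan missed.
        Events after the verdict are ignored: those are blocked inline."""
        footprints = {}
        for ev in sorted(self._by_hash.get(sha256, []), key=lambda e: e.ts):
            if ev.ts > verdict_at:
                continue
            fp = footprints.setdefault(ev.host, HostFootprint(first_seen=ev.ts))
            fp.paths.add(ev.path)
            fp.parents.add(ev.parent)
            if ev.action == "execute":
                fp.executed = True
            fp.dwell_hours = (verdict_at - fp.first_seen).total_seconds() / 3600
        return footprints


def propagation_order(footprints):
    """Hosts ordered by first contact; the first is the likely patient zero."""
    return sorted(footprints, key=lambda h: footprints[h].first_seen)


def block_everywhere(all_hosts, sha256):
    """The 'block once, everywhere' step: one block-list entry per host."""
    return {host: {sha256} for host in all_hosts}


# Constructed sample data (placeholder hashes, not real telemetry).
CONVICTED_SHA = "e3b0c442" + "00" * 28
BENIGN_SHA = "9f86d081" + "00" * 28
VERDICT_AT = datetime(2018, 4, 22, 12, 0)
ALL_HOSTS = ("ws-01", "ws-02", "srv-03", "ws-04")

SAMPLE_EVENTS = [
    FileEvent(datetime(2018, 4, 20, 9, 0), "ws-01", CONVICTED_SHA,
              r"C:\Users\a\Downloads\invoice.exe", "create", "outlook.exe"),
    FileEvent(datetime(2018, 4, 20, 9, 5), "ws-01", CONVICTED_SHA,
              r"C:\Users\a\Downloads\invoice.exe", "execute", "explorer.exe"),
    FileEvent(datetime(2018, 4, 21, 14, 30), "ws-02", CONVICTED_SHA,
              r"C:\Temp\invoice.exe", "create", "System"),
    FileEvent(datetime(2018, 4, 21, 14, 31), "ws-02", CONVICTED_SHA,
              r"C:\Temp\invoice.exe", "execute", "cmd.exe"),
    FileEvent(datetime(2018, 4, 22, 8, 0), "srv-03", CONVICTED_SHA,
              r"D:\Share\invoice.exe", "create", "explorer.exe"),
    FileEvent(datetime(2018, 4, 22, 15, 0), "ws-04", CONVICTED_SHA,
              r"C:\Temp\invoice.exe", "create", "outlook.exe"),  # after verdict
    FileEvent(datetime(2018, 4, 20, 10, 0), "ws-01", BENIGN_SHA,
              r"C:\Windows\notepad.exe", "execute", "explorer.exe"),
]


def build_sample_trajectory():
    traj = Trajectory()
    for ev in SAMPLE_EVENTS:
        traj.record(ev)
    return traj


if __name__ == "__main__":
    fps = build_sample_trajectory().retrospective_scan(CONVICTED_SHA, VERDICT_AT)
    for host in propagation_order(fps):
        fp = fps[host]
        print(f"{host}: first seen {fp.first_seen}, executed={fp.executed}, "
              f"dwell {fp.dwell_hours:.1f} h, parents={sorted(fp.parents)}")
    print("blocked on:", sorted(block_everywhere(ALL_HOSTS, CONVICTED_SHA)))
```

The point of the replay is that the file was "clean" on every host at the time it arrived, so no point-in-time scan fired; only because the create and execute events were kept can the analyst see that ws-01 was patient zero (delivered by the mail client, run from Downloads), that it spread to ws-02 over a network share and was executed there, and that srv-03 only holds a copy that has not run. The dwell time per host is what the "days to hours or minutes" claim in the text measures.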

2014: May update to AMP

Responding to customer demand for defences against zero-day and targeted attacks, in May 2014 Cisco expanded the capabilities of Advanced Malware Protection (AMP) and of its data-center security solutions. The innovations, announced on May 21, 2014 at the annual Cisco Live! conference, span Cisco's entire security product portfolio and provide protection across the whole lifecycle of an attack.

The updates make Cisco Advanced Malware Protection the first solution to correlate indicator-of-compromise (IoC) data between the network and the endpoint using integrated protection and a shared analytics system, which in turn provides continuous and pervasive protection against the most advanced threats. AMP now also supports Mac OS X and includes a dedicated private-cloud appliance, an on-premises solution for continuous analysis.

In addition, Cisco is strengthening the protection of data centers and cloud systems through improvements to its market-leading ASA firewall family. These improvements deliver high performance, scalability and flexibility and support the latest solutions for software-defined networking (SDN) and Application Centric Infrastructure (ACI) environments.

In one of its recent Security Value Map reports, NSS Labs named AMP one of the best threat-detection solutions, outperforming competing products on security effectiveness and cost. Unlike solutions that merely detect malicious code at a single point in time, AMP provides robust and continuous detection and remediation of threats across the extended network, including endpoints, mobile devices, virtual systems, and web and e-mail gateways.

New capabilities in the AMP product family:

  • AMP for Endpoints. Using advanced analytics and correlation of information, AMP speeds up the investigation of indicators of compromise and file behaviour and prioritises the aspects of a compromise that need particular attention. A new flexible search feature lets users quickly narrow the scope of an attack, and a remote file analysis function improves retrospective protection by retrieving and storing files for later assessment and analysis. Cisco is also adding AMP for Endpoints support for Mac OS X, helping organisations protect heterogeneous environments in full.
  • AMP private cloud appliance. Customers with strict confidentiality requirements that limit the use of a public cloud can use the new on-premises AMP private cloud appliance, which provides comprehensive protection against advanced threats through big-data analysis, continuous analysis and locally stored security analytics.
  • AMP for Networks. High-speed networks and the demand for shorter threat-detection times are forcing companies to optimise their network malware defences. New mechanisms for processing indicators of compromise from multiple sources make it possible to correlate and prioritise events from different solutions, improving analysis, and an automatic dynamic-analysis function uses an isolated cloud environment to evaluate files of unknown disposition, giving more reliable protection against unknown threats. Users can also create custom detection profiles to block files immediately. A new file-capture feature lets teams store and retrieve files for further analysis.
  • New AMP FirePOWER appliances. Customers who need greater processing and storage capacity can use two new Cisco AMP for Networks appliances:

    • FirePOWER AMP8150, with throughput up to 2 Gbps;
    • FirePOWER AMP7150, with throughput up to 500 Mbps.

Strengthening the protection of data centers and cloud systems to support modern software-defined networking (SDN) and Application Centric Infrastructure (ACI) environments, the ASAv virtual appliance and the updated ASA 5585-X firewalls also deliver high performance, scalability and flexibility. These products are designed for reliable protection without degrading data-center performance. ASA solutions, which can be provisioned in seconds or minutes, scale flexibly, eliminate security bottlenecks and embed protection not only at the perimeter but throughout the intelligent data-center infrastructure. Cisco is also releasing a new version of the Cisco Validated Design (CVD) for the secure data center, which significantly simplifies reliable deployment of new solutions.

  • The new ASAv virtual appliance integrates easily into the data-center architecture, providing guaranteed protection for critical applications no more than one hop away, thanks to dynamic on-demand scaling in virtual environments and integration with Application Centric Infrastructure without hypervisor or vSwitch restrictions. Compared with competitors, ASAv also offers the highest performance in throughput and connections per second.
  • The enhanced ASA 5585-X firewall delivers very high performance for traditional environments, software-defined networks and Application Centric Infrastructure, with excellent scalability both in connections per second and in total concurrent connections (up to 640 Gbps in a 16-node cluster configuration). This makes the ASA 5585-X one of the fastest hardware firewalls on the market. It also offers uniquely flexible deployment options, combining virtual and physical security infrastructure in a single policy and management domain.
  • The Cisco Validated Design for data-center security contains best practices for planning, designing, implementing and operating a fully integrated, highly secure data-center architecture combining solutions from Cisco, Sourcefire and Cisco partners. This architecture helps users extend visibility and control across physical, virtual and cloud environments.

Notes