https://community.cisco.com/t5/endpoint-security/how-should-we-position-amp-cta-together/m-p/3434399#M1748 <HTML><HEAD></HEAD><BODY><P>Sorry for being so late to reply ... just a few thoughts, and I'll try to keep this short.</P><P></P><P>Each piece of our architectural security portfolio has a unique view and therefore, as you say, each piece will catch things that another might miss.&nbsp; Most people these days understand that no single tool can be 100% right 100% of the time.&nbsp; An important corollary to that basic fact of life is this: some malware <EM>will</EM> get inside the network, and we <EM>must</EM> design our solutions for that reality.</P><P></P><P>In the case of AMP, that means first <STRONG>prevention</STRONG>, and then <STRONG>retrospection</STRONG>; we do our best (and independent tests indicate that we're doing pretty well) to catch things up front, using a combination of detection, analysis (Threat Grid), and intelligence (Talos), but we also keep track of everything we see, no matter what the disposition. That way, when things inevitably change, we're prepared.</P><P></P><P>Cognitive (CTA) provides a valuable addition, because it focuses on a separate source of telemetry (web proxy logs) and focuses on advanced machine learning for <STRONG>anomaly detection</STRONG>, part of the larger field of breach detection and response. As of a few months ago, all AMP for Endpoints customers have the option of feeding their proxy logs to CTA, with indications of compromise from CTA integrated into the AMP cloud console.&nbsp; This allows you to do things like detect previously unknown command and control (C&amp;C) channels.</P><P></P><P>This response is necessarily high level -- a complete answer could fill many pages -- but I hope it is of some use.</P></BODY></HTML> Tue, 30 Aug 2016 07:24:06 GMT brmcmaho 2016-08-30T07:24:06Z https://community.cisco.com/t5/endpoint-security/how-should-we-position-amp-cta-together/m-p/3434398#M1722 <HTML><HEAD></HEAD><BODY><P>Greetings!</P><P>Please help ,as how should we position&nbsp; AMP &amp; CTA together to any customer which could generate their interest on both (how utilizing CTA with AMP can further enhance their security), like anything which AMP missed is caught by CTA.</P></BODY></HTML> Fri, 21 Feb 2020 05:01:36 GMT https://community.cisco.com/t5/endpoint-security/how-should-we-position-amp-cta-together/m-p/3434398#M1722 Rohitashva Verma 2020-02-21T05:01:36Z https://community.cisco.com/t5/endpoint-security/how-should-we-position-amp-cta-together/m-p/3434399#M1748 <HTML><HEAD></HEAD><BODY><P>Sorry for being so late to reply ... just a few thoughts, and I'll try to keep this short.</P><P></P><P>Each piece of our architectural security portfolio has a unique view and therefore, as you say, each piece will catch things that another might miss.&nbsp; Most people these days understand that no single tool can be 100% right 100% of the time.&nbsp; An important corollary to that basic fact of life is this: some malware <EM>will</EM> get inside the network, and we <EM>must</EM> design our solutions for that reality.</P><P></P><P>In the case of AMP, that means first <STRONG>prevention</STRONG>, and then <STRONG>retrospection</STRONG>; we do our best (and independent tests indicate that we're doing pretty well) to catch things up front, using a combination of detection, analysis (Threat Grid), and intelligence (Talos), but we also keep track of everything we see, no matter what the disposition. That way, when things inevitably change, we're prepared.</P><P></P><P>Cognitive (CTA) provides a valuable addition, because it focuses on a separate source of telemetry (web proxy logs) and focuses on advanced machine learning for <STRONG>anomaly detection</STRONG>, part of the larger field of breach detection and response. As of a few months ago, all AMP for Endpoints customers have the option of feeding their proxy logs to CTA, with indications of compromise from CTA integrated into the AMP cloud console.&nbsp; This allows you to do things like detect previously unknown command and control (C&amp;C) channels.</P><P></P><P>This response is necessarily high level -- a complete answer could fill many pages -- but I hope it is of some use.</P></BODY></HTML> Tue, 30 Aug 2016 07:24:06 GMT https://community.cisco.com/t5/endpoint-security/how-should-we-position-amp-cta-together/m-p/3434399#M1748 brmcmaho 2016-08-30T07:24:06Z