topic Cisco AMP in Endpoint Security

Cisco AMP

miterkint — Wed, 22 Dec 2021 16:29:22 GMT

Evaluating Cisco AMP, and I would like some community feedback on how you see this product stacking up against Defender ATP etc.

IMO:

AMP is lacking user logon monitoring. There is no analysis on this part. Failed logons to a server, creation of new accounts and so on, will not be detected. 2) Also the network connection monitoring is per default disabled for the server profile. Thats half the product, and it is not recommended for servers? Even when enabled it does not look for incoming connections, but only outbound. Because of this a externally initiated port scan is not registered. Same goes for inbound connections from malicious IPs. They are simply not traversing the engine. 3) Orbital (and addons)appears to give even more insight. Is it worth it or just garbage? Appears it only works on W10.

Maybe I got something wrong. Hope to get some feedback from active customers.

Re: Cisco AMP

Ken Stieers — Wed, 22 Dec 2021 16:58:08 GMT

1. That's a SEIM function.. I wouldn't expect ANY AV/EDR/XDR to do that.
2. So with ANY EDR/XDR product performance is always a concern. TEST IT with your stuff and see how it goes for you. Default config is conservative so you don't freak out when your box takes a performance hit because you didn't read the deployment guide.
3. Win10/Server 2016 and higher. I think it is... but YMMV.

Re: Cisco AMP

Troja007 — Mon, 10 Jan 2022 13:17:57 GMT

Hello @miterkint ,
some infos from my side.

Ad1: The endpoint itself does not monitor and analyse user logons, even directly installed on a Domain Controller. This is out-of-scope for the endpoint product, and can be done with other Cisco Security products. We provide a Splunk app for Secure Endpoint, where we stream all Endpoint events into Splunk. For long term monitoring storing Windows Event Log and doing the necessary correlation may be an option, as Secure Endpoint is not a data lake.
If you want to query the endpoint directly for users related information, you can leverage Orbital to do so.
Ad2: The policy in the UI is a recommendation to start. There are many customers enabling all engines on Server OS. You may review the Best Practice Guide for more insights: https://www.cisco.com/c/en/us/products/collateral/security/fireamp-endpoints/secure-endpoint-og.html
Monitoring all connections between all Servers in a Data Center, including the Applications is out-of-scope for the endpoint. This security layer is provided by our Data Center Security Products. Or, using network anomaly detection using Cisco Stealthwatch.
- Portscan: True, today such a feature is not available with Secure Endpoint. Hopefully in future versions when Host based Firewall (no ETA) will be added to the product.
Ad3: Orbital works on Windows Workstation/Server, macOS and Linux. Find infos here. It is a main component for investigation.
- Real time search on the endpoint using simple SQL statements
- Generating a forensic snapshot (manually or automated using automated actions)
- Integration into an existing Security Architecture using the API
- It is used by our managed Threat Hunting Service to investigate endpoints.
- You may review the drawing showing the features included with Secure Endpoint and the Role of Orbital.

Hope this helps,
Greetings, Thorsten