2410 Views · 15 Helpful · 2 Replies

AMP for endpoints _and_ AMP for ESA

DOMJAHN DAVID (Level 1)

Hello,

Does it make sense to use AMP for Endpoints and also an AMP license on the Email Security Appliance (ESA)?

AMP for Endpoints is installed on every client and server, so we are wondering whether also licensing the ESA appliance with AMP would provide additional security.

Thanks a lot and best regards

David

2 Accepted Solutions

I think so.

1. Stuff that's known bad doesn't make it to email boxes, period.

2. We use Mailbox auto-remediation to remove stuff from mailboxes if it's later found to be bad.

3. You'll see that it came in via email in the file trajectory, and if you're using CTR, all the email data is available there too.

Troja007 (Cisco Employee)

Hello @DOMJAHN DAVID,

From a detection perspective and from a Threat Investigation perspective, both make sense, because both products are not only doing Just-in-Time detection; they are also generating "Sensor Data" to enable Threat Response.

  • ESA AMP integration: we highly recommend this, because the AMP cloud holds billions of classified file hashes, URL/IP reputation and more. You cannot hold all this information on premise. With the AMP enablement, your e-mail product gets access to a worldwide information network, receiving the necessary information for Threat Detection.

E-mail and Endpoint Integration into Threat Response: For forensics, the example shows how CTR displays the Relation Graph if both products are integrated into CTR.

[Image: CTR and mail.jpg]

Questions answered by E-mail integration into CTR:

  • Which email messages have seen this filename?
  • Which email messages were targeted by this sender email address?
  • Which email messages have seen this file hash?
  • Which email messages have seen this subject?
  • Which email messages have been affected by this sender IP or sender domain?
  • What are the details surrounding a specific Cisco Message ID (MID)?
  • What are the details surrounding a specific Message ID header?

In addition, all information from the endpoint: whether this hash was seen, who generated the hash, and e.g. which command line was executed by the hash. You can also use "Unity" to see a whole timeline of when a hash was seen and how the product handled the hash.

Hope this helps,

Greetings, Thorsten

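As an added illustration (not code from this thread or from any Cisco product) of why both sensors feeding one investigation tool matter: a small Python correlation over constructed email-gateway and endpoint records, keyed by file hash, that answers several of the pivot questions listed above and reconstructs the mail-to-endpoint file trajectory mentioned in the first reply. All field names, hosts, senders and hash values are constructed placeholders.

```python
from collections import defaultdict
# Constructed sample telemetry (not real ESA or AMP output). Email records carry
# the Cisco Message ID (MID), sender, sender IP, subject and attachment hash;
# endpoint records carry host, hash and the command line that ran the file.
EMAIL_EVENTS = [
    {"ts": "2024-05-01T08:00:00Z", "mid": 1001, "sender": "billing@example.net",
     "sender_ip": "203.0.113.5", "subject": "Invoice 4471", "sha256": "HASH-A"},
    {"ts": "2024-05-01T08:02:00Z", "mid": 1002, "sender": "billing@example.net",
     "sender_ip": "203.0.113.5", "subject": "Invoice 4472", "sha256": "HASH-A"},
    {"ts": "2024-05-01T09:30:00Z", "mid": 1003, "sender": "hr@example.org",
     "sender_ip": "198.51.100.7", "subject": "Policy update", "sha256": "HASH-B"},
]
ENDPOINT_EVENTS = [
    {"ts": "2024-05-01T08:05:12Z", "host": "WS-017", "sha256": "HASH-A",
     "cmdline": "WINWORD.EXE invoice.docm"},
    {"ts": "2024-05-01T08:11:03Z", "host": "WS-042", "sha256": "HASH-A",
     "cmdline": "WINWORD.EXE invoice.docm"},
]

def build_index(email_events, endpoint_events):
    """Key both sensor feeds by SHA-256 so one hash pivot spans mail and endpoint."""
    index = defaultdict(lambda: {"email": [], "endpoint": []})
    for ev in email_events:
        index[ev["sha256"]]["email"].append(ev)
    for ev in endpoint_events:
        index[ev["sha256"]]["endpoint"].append(ev)
    return index

def messages_with_hash(index, sha256):
    """'Which email messages have seen this file hash?' -> sorted MIDs."""
    return sorted(ev["mid"] for ev in index[sha256]["email"])

def hosts_with_hash(index, sha256):
    """Endpoint side of the same pivot: hosts where the file was executed."""
    return sorted({ev["host"] for ev in index[sha256]["endpoint"]})

def messages_from_sender(email_events, sender=None, sender_ip=None):
    """'Which messages were targeted by this sender address or sender IP?'"""
    return sorted(ev["mid"] for ev in email_events
                  if (sender is None or ev["sender"] == sender)
                  and (sender_ip is None or ev["sender_ip"] == sender_ip))

def trajectory(index, sha256):
    """Time-ordered file trajectory: mail delivery first, then endpoint execution."""
    steps = [(ev["ts"], "email", f"MID {ev['mid']} from {ev['sender']}")
             for ev in index[sha256]["email"]]
    steps += [(ev["ts"], "endpoint", f"{ev['host']}: {ev['cmdline']}")
              for ev in index[sha256]["endpoint"]]
    return sorted(steps)
```

With only the endpoint feed, the two WS-017/WS-042 executions would have no delivery context; with only the email feed, the two delivered messages would show no execution. The joined index is what turns a bare hash into an answerable trajectory.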
