Cisco AMP

miterkint
Level 1

Evaluating Cisco AMP, and I would like some community feedback on how you see this product stacking up against Defender ATP etc.

IMO:

1. AMP is lacking user logon monitoring. There is no analysis on this part. Failed logons to a server, creation of new accounts and so on, will not be detected.
2. Also the network connection monitoring is per default disabled for the server profile. That's half the product, and it is not recommended for servers? Even when enabled it does not look for incoming connections, but only outbound. Because of this an externally initiated port scan is not registered. Same goes for inbound connections from malicious IPs. They are simply not traversing the engine.
3. Orbital (and add-ons) appears to give even more insight. Is it worth it or just garbage? Appears it only works on W10.

Maybe I got something wrong. Hope to get some feedback from active customers.

2 Replies

1. That's a SIEM function. I wouldn't expect ANY AV/EDR/XDR to do that.
2. So with ANY EDR/XDR product performance is always a concern. TEST IT with your stuff and see how it goes for you. Default config is conservative so you don't freak out when your box takes a performance hit because you didn't read the deployment guide.
3. Win10/Server 2016 and higher. I think it is... but YMMV.

Troja007
Cisco Employee

Hello @miterkint,
some info from my side.

  • Ad1: The endpoint itself does not monitor and analyse user logons, even directly installed on a Domain Controller. This is out-of-scope for the endpoint product, and can be done with other Cisco Security products. We provide a Splunk app for Secure Endpoint, where we stream all Endpoint events into Splunk. For long term monitoring storing Windows Event Log and doing the necessary correlation may be an option, as Secure Endpoint is not a data lake.
    If you want to query the endpoint directly for user-related information, you can leverage Orbital to do so.

  • Ad2: The policy in the UI is a recommendation to start. There are many customers enabling all engines on Server OS. You may review the Best Practice Guide for more insights: https://www.cisco.com/c/en/us/products/collateral/security/fireamp-endpoints/secure-endpoint-og.html
    Monitoring all connections between all Servers in a Data Center, including the Applications, is out-of-scope for the endpoint. This security layer is provided by our Data Center Security Products, or by network anomaly detection using Cisco Stealthwatch.
    • Portscan: True, today such a feature is not available with Secure Endpoint. Hopefully in future versions, when a host-based firewall (no ETA) is added to the product.

  • Ad3: Orbital works on Windows Workstation/Server, macOS and Linux. Find info here. It is a main component for investigation.
    • Real time search on the endpoint using simple SQL statements
    • Generating a forensic snapshot (manually or automated using automated actions)
    • Integration into an existing Security Architecture using the API
    • It is used by our managed Threat Hunting Service to investigate endpoints.
    • You may review the drawing showing the features included with Secure Endpoint and the Role of Orbital.
      [Attachment: Orbital role in the Secure Endpoint Architecture.png]

Hope this helps,
Greetings, Thorsten
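The logon correlation discussed in the thread (failed logons, new account creation) is left to the SIEM that receives the forwarded Windows Event Log. As an added illustration, not code from Cisco or from either poster, the following Python sketch runs that correlation over a handful of constructed Security-log records (event 4625 = failed logon, 4720 = user account created); thresholds, field names and sample values are assumptions.

```python
"""Minimal SIEM-style correlation for the gaps named in the thread:
a burst of failed logons (4625) followed by an account creation (4720)
on the same host. Records below are constructed samples, not real logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events; real ones would come from forwarded Windows Security logs.
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T08:00:01", "host": "srv01", "id": 4625, "user": "admin", "src": "10.0.0.9"},
    {"ts": "2024-01-10T08:00:04", "host": "srv01", "id": 4625, "user": "admin", "src": "10.0.0.9"},
    {"ts": "2024-01-10T08:00:08", "host": "srv01", "id": 4625, "user": "admin", "src": "10.0.0.9"},
    {"ts": "2024-01-10T08:00:13", "host": "srv01", "id": 4625, "user": "backup", "src": "10.0.0.9"},
    {"ts": "2024-01-10T08:00:19", "host": "srv01", "id": 4625, "user": "admin", "src": "10.0.0.9"},
    {"ts": "2024-01-10T08:00:40", "host": "srv01", "id": 4720, "user": "svc_bkp", "src": "10.0.0.9"},
    {"ts": "2024-01-10T09:15:00", "host": "srv02", "id": 4625, "user": "alice", "src": "10.0.0.5"},
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=2)):
    """Return {(host, src): time} for every host/source pair that logged at
    least `threshold` failed logons inside a sliding `window`."""
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO strings sort chronologically
        if e["id"] == 4625:
            by_key[(e["host"], e["src"])].append(parse_ts(e["ts"]))
    bursts = {}
    for key, times in by_key.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # shrink window from the left
                start += 1
            if end - start + 1 >= threshold:
                bursts[key] = times[end]  # moment the threshold was crossed
                break
    return bursts


def account_created_after_burst(events, bursts, grace=timedelta(minutes=10)):
    """Escalate: an account creation on a host within `grace` after a burst there."""
    hits = []
    for e in events:
        if e["id"] != 4720:
            continue
        for (host, src), burst_time in bursts.items():
            delta = parse_ts(e["ts"]) - burst_time
            if host == e["host"] and timedelta(0) <= delta <= grace:
                hits.append((host, src, e["user"]))
    return hits
```

With the sample data, srv01 trips the burst rule and the subsequent 4720 for `svc_bkp` is escalated; the lone failure on srv02 is ignored.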