616 Views | 0 Helpful | 1 Replies

Cisco AMP

cariebens (Level 1)

Evaluating Cisco AMP, and I would like some community feedback on how you see this product stacking up against Defender ATP etc.

IMO:

1. AMP is lacking user logon monitoring. There is no analysis on this part. Failed logons to a server, creation of new accounts and so on, will not be detected.
2. Also the network connection monitoring is per default disabled for the server profile. That's half the product, and it is not recommended for servers? Even when enabled it does not look for incoming connections, but only outbound. Because of this an externally initiated port scan is not registered. Same goes for inbound connections from malicious IPs. They are simply not traversing the engine.
3. Orbital (and add-ons) appears to give even more insight. Is it worth it or just garbage? Appears it only works on W10.

Maybe I got something wrong. Hope to get some feedback from active customers.
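The two gaps the post describes (no analysis of failed logons or new-account creation, and no view of inbound connections, so port scans and connections from known-bad IPs go unseen) are exactly what a small host-side detector is expected to cover. The following is an added example, not code from the thread or from Cisco: it runs four checks over constructed sample records. The Windows Security event IDs 4625 (failed logon) and 4720 (user account created) are the real ones; the flat JSON record shape, the thresholds, the time window and the denylist are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Constructed sample Windows Security events (JSON lines), not real telemetry.
# The flat field layout is an assumption for this example.
SAMPLE_EVENTS = """\
{"ts":"2024-03-01T09:00:01","event_id":4625,"host":"FS01","target_user":"administrator","src_ip":"10.0.0.45"}
{"ts":"2024-03-01T09:00:04","event_id":4625,"host":"FS01","target_user":"administrator","src_ip":"10.0.0.45"}
{"ts":"2024-03-01T09:00:09","event_id":4625,"host":"FS01","target_user":"backup","src_ip":"10.0.0.45"}
{"ts":"2024-03-01T09:00:15","event_id":4625,"host":"FS01","target_user":"svc_sql","src_ip":"10.0.0.45"}
{"ts":"2024-03-01T09:00:21","event_id":4625,"host":"FS01","target_user":"jsmith","src_ip":"10.0.0.45"}
{"ts":"2024-03-01T09:30:00","event_id":4625,"host":"FS01","target_user":"jsmith","src_ip":"10.0.0.12"}
{"ts":"2024-03-01T10:02:00","event_id":4720,"host":"FS01","target_user":"helpdesk2","subject_user":"administrator"}
"""

# Constructed inbound/outbound connection records as a host sensor might log them.
SAMPLE_CONNECTIONS = """\
{"ts":"2024-03-01T11:00:00","host":"FS01","direction":"in","src_ip":"203.0.113.7","dst_port":22}
{"ts":"2024-03-01T11:00:00","host":"FS01","direction":"in","src_ip":"203.0.113.7","dst_port":80}
{"ts":"2024-03-01T11:00:01","host":"FS01","direction":"in","src_ip":"203.0.113.7","dst_port":135}
{"ts":"2024-03-01T11:00:01","host":"FS01","direction":"in","src_ip":"203.0.113.7","dst_port":445}
{"ts":"2024-03-01T11:00:01","host":"FS01","direction":"in","src_ip":"203.0.113.7","dst_port":3389}
{"ts":"2024-03-01T11:00:02","host":"FS01","direction":"in","src_ip":"203.0.113.7","dst_port":8080}
{"ts":"2024-03-01T11:05:00","host":"FS01","direction":"in","src_ip":"198.51.100.9","dst_port":445}
{"ts":"2024-03-01T11:06:00","host":"FS01","direction":"out","src_ip":"10.0.0.5","dst_port":443}
"""

# Constructed denylist standing in for a threat-intelligence feed.
MALICIOUS_IPS = {"198.51.100.9"}


def parse_records(text):
    """Parse JSON lines into dicts, converting 'ts' to a datetime."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return records


def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """(src_ip, host, count) for sources with >= threshold 4625 events
    against one host inside a sliding time window."""
    by_source = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625:
            by_source[(e["src_ip"], e["host"])].append(e["ts"])
    hits = []
    for (src, host), times in by_source.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            # Slide the window start forward until it fits inside `window`.
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits.append((src, host, best))
    return hits


def new_accounts(events):
    """Every 4720 event is worth review: (host, creator, new_user)."""
    return [(e["host"], e["subject_user"], e["target_user"])
            for e in events if e["event_id"] == 4720]


def inbound_port_scans(conns, threshold=5):
    """Inbound only: a source touching >= threshold distinct ports on one host."""
    ports = defaultdict(set)
    for c in conns:
        if c["direction"] == "in":
            ports[(c["src_ip"], c["host"])].add(c["dst_port"])
    return [(src, host, len(p)) for (src, host), p in ports.items()
            if len(p) >= threshold]


def inbound_from_denylist(conns, denylist=MALICIOUS_IPS):
    """Inbound connections whose source is on the denylist: (src, host, port)."""
    return [(c["src_ip"], c["host"], c["dst_port"])
            for c in conns if c["direction"] == "in" and c["src_ip"] in denylist]


if __name__ == "__main__":
    events = parse_records(SAMPLE_EVENTS)
    conns = parse_records(SAMPLE_CONNECTIONS)
    for f in failed_logon_bursts(events):
        print("failed-logon burst:", f)
    for f in new_accounts(events):
        print("account created:", f)
    for f in inbound_port_scans(conns):
        print("inbound port scan:", f)
    for f in inbound_from_denylist(conns):
        print("inbound from denylisted IP:", f)
```

On the sample data this reports one burst (five failures from 10.0.0.45 against FS01 within 20 seconds), one account creation, one inbound scan (six distinct ports from 203.0.113.7) and one inbound connection from the denylisted address; the single outbound record is ignored by the two connection checks, which is the point: inbound and outbound have to be evaluated separately for the checks the post is missing to fire at all.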

1 Reply

1. It's not a SIEM...
2. The various "recommended" options are pretty conservative. They also used to say don't install the network driver. Also not a firewall... though I hope that might change one day.
3. Orbital is interesting when you have to start digging during an event, but can't put your hands on the box... Orbital is also a source for Device Insights, and Secure Endpoint Premier, where they go digging for you... It's osquery, so if you're familiar with that, or AlienVault OTX and their scan endpoints feature... same thing underneath. Orbital is available on Windows 10 (1803 or later) / 11; Windows Server 2016 / 2019 / 2022; macOS 10.15 / 11 / 12; Red Hat Enterprise Linux (and compatible distributions) 6.10 / 7 (7.2 or later) / 8; Ubuntu 18.04 / 20.04; Oracle Linux (UEK) 7 / 8; Debian 10 / 11.