
How should we position AMP & CTA together

Rohitashva Verma
Cisco Employee

Greetings!

Please help: how should we position AMP & CTA together to a customer in a way that generates interest in both (i.e. how using CTA alongside AMP further enhances their security), for example that anything AMP missed is caught by CTA?

Accepted Solution

brmcmaho
Cisco Employee

Sorry for being so late to reply ... just a few thoughts, and I'll try to keep this short.

Each piece of our architectural security portfolio has a unique view and therefore, as you say, each piece will catch things that another might miss.  Most people these days understand that no single tool can be 100% right 100% of the time.  An important corollary to that basic fact of life is this: some malware will get inside the network, and we must design our solutions for that reality.

In the case of AMP, that means first prevention, and then retrospection; we do our best (and independent tests indicate that we're doing pretty well) to catch things up front, using a combination of detection, analysis (Threat Grid), and intelligence (Talos), but we also keep track of everything we see, no matter what the disposition. That way, when things inevitably change, we're prepared.

Cognitive (CTA) provides a valuable addition, because it focuses on a separate source of telemetry (web proxy logs) and focuses on advanced machine learning for anomaly detection, part of the larger field of breach detection and response. As of a few months ago, all AMP for Endpoints customers have the option of feeding their proxy logs to CTA, with indications of compromise from CTA integrated into the AMP cloud console.  This allows you to do things like detect previously unknown command and control (C&C) channels.

This response is necessarily high level -- a complete answer could fill many pages -- but I hope it is of some use.
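As an added illustration of the two layers the answer above describes (this is not Cisco code and not how AMP or CTA are actually implemented), the following Python runs both ideas over constructed telemetry: a sighting index that records every file hash regardless of its disposition at the time and, when a verdict later flips to malicious, answers "which hosts already ran this?"; and a simple beaconing detector over proxy log lines that flags a client/domain pair whose request timing is too regular for human browsing, with no reputation verdict needed. The hostnames, hashes, domains, log format and thresholds are all assumptions made for the example.

```python
"""Added illustration, not Cisco code: two complementary detection layers over
constructed telemetry (every host, hash, domain and log line here is made up).

Layer 1 (retrospection): keep every file sighting regardless of disposition,
so a later verdict change maps back to the hosts that already ran the file.
Layer 2 (proxy-log anomaly detection): flag client/domain pairs whose request
timing is too regular to be human browsing; no reputation verdict is needed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev


class SightingIndex:
    """Stores every sighting, whatever the disposition was when it was seen."""

    def __init__(self):
        self._by_hash = defaultdict(list)  # sha256 -> [(host, timestamp)]
        self._disposition = {}             # sha256 -> "clean"|"unknown"|"malicious"

    def record(self, sha256, host, ts, disposition):
        self._by_hash[sha256].append((host, ts))
        self._disposition[sha256] = disposition

    def update_disposition(self, sha256, new_disposition):
        """Apply a new verdict and return the hosts needing a retrospective
        alert (hash was not malicious before, is malicious now)."""
        old = self._disposition.get(sha256)
        self._disposition[sha256] = new_disposition
        if new_disposition == "malicious" and old != "malicious":
            return sorted({host for host, _ in self._by_hash[sha256]})
        return []


def parse_proxy_line(line):
    """Constructed log format: '<iso-timestamp> <client-ip> <method> <url> <status>'."""
    ts, client, _method, url, _status = line.split()
    domain = url.split("//", 1)[1].split("/", 1)[0]
    return datetime.fromisoformat(ts), client, domain


def find_beacons(lines, min_requests=6, max_cv=0.1):
    """Return {(client, domain): mean_gap_seconds} for pairs whose inter-request
    gaps have a coefficient of variation (stdev/mean) <= max_cv.
    Both thresholds are illustrative assumptions, not tuned values."""
    times = defaultdict(list)
    for line in lines:
        ts, client, domain = parse_proxy_line(line)
        times[(client, domain)].append(ts)
    beacons = {}
    for key, stamps in times.items():
        if len(stamps) < min_requests:
            continue  # too few requests to judge regularity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons[key] = round(avg, 1)
    return beacons


# Constructed proxy log: 10.0.0.7 polls cdn-update.example every ~300 s with a
# second of jitter (beacon-like) and browses news.example at irregular times.
SAMPLE_PROXY_LOG = """\
2019-03-04T09:00:00 10.0.0.7 GET http://cdn-update.example/ping 200
2019-03-04T09:05:01 10.0.0.7 GET http://cdn-update.example/ping 200
2019-03-04T09:10:00 10.0.0.7 GET http://cdn-update.example/ping 200
2019-03-04T09:14:59 10.0.0.7 GET http://cdn-update.example/ping 200
2019-03-04T09:20:00 10.0.0.7 GET http://cdn-update.example/ping 200
2019-03-04T09:25:01 10.0.0.7 GET http://cdn-update.example/ping 200
2019-03-04T09:30:00 10.0.0.7 GET http://cdn-update.example/ping 200
2019-03-04T09:00:12 10.0.0.7 GET http://news.example/ 200
2019-03-04T09:00:40 10.0.0.7 GET http://news.example/story/1 200
2019-03-04T09:07:03 10.0.0.7 GET http://news.example/story/2 200
2019-03-04T09:31:55 10.0.0.7 GET http://news.example/story/3 200
2019-03-04T09:32:10 10.0.0.7 GET http://news.example/story/4 200
2019-03-04T10:15:00 10.0.0.7 GET http://news.example/ 200
""".splitlines()


def run_demo():
    idx = SightingIndex()
    # Constructed sightings: sample A ran on two hosts while still "unknown".
    idx.record("sha256-sample-A", "ws-finance-01", "2019-03-01T08:12:00", "unknown")
    idx.record("sha256-sample-A", "ws-hr-03", "2019-03-02T14:30:00", "unknown")
    idx.record("sha256-sample-B", "ws-hr-03", "2019-03-02T14:31:00", "clean")
    # Later verdict change: sample A is now known malicious.
    retro_hosts = idx.update_disposition("sha256-sample-A", "malicious")
    return retro_hosts, find_beacons(SAMPLE_PROXY_LOG)


if __name__ == "__main__":
    hosts, beacons = run_demo()
    print("retrospective alerts for:", hosts)
    for (client, domain), gap in beacons.items():
        print(f"possible beacon: {client} -> {domain} every ~{gap}s")
```

The retrospection layer only works because sightings are stored regardless of verdict; the beaconing layer flags the cdn-update.example channel purely from timing, while the irregular news.example traffic from the same client passes. A real anomaly detector would use far richer features, but the division of labour is the point: one layer is keyed on what the file is, the other on how the traffic behaves.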
