2483 Views · 21 Helpful · 8 Replies

Secure Endpoint & Endpoint Visibility

larry.siegelman
Level 1

Hello,

We would like to distribute Secure Endpoint to other devices that are considered BYOD in our organization.

The issue of privacy concerns popped up, and we need to reassure the end-user of a private device, that Secure Endpoint cannot see files or folders on the device.

8 Replies

That's just sort of how Secure Endpoint works....
You can turn off file uploads/retrieval for a group, but when it finds something, it will tell you what and where the file is.
If you look at device trajectory, it will tell you where a file executed from, what files it created, etc., so there is a certain amount of data that could be extracted from the UI without any "extra" effort...


Hi,
The identification of suspected malware and the affected file makes sense.
But you cannot traverse to other folders to see their contents, correct?

You'll also see what's happening on the box, "chrome downloaded a file, Word opened it.", etc.
But no, you can't go generally browsing with just AMP... you could get that info if you enable Orbital.

Troja007
Cisco Employee

BTW, just wanted to mention... even though you can query the endpoint and look for files with Orbital, you cannot view the content of a file...
Regarding file uploads, Secure Endpoint supports PEs only, so text files or documents will not be uploaded to the File Repository.
Greetings, Thorsten

That is partially correct. There are various methods for files to be pulled into the File Repository. The most common is "Automatic Analysis" which is limited to PE files. However other file types can end up in the File Repository from a request by the user in the Cisco Secure Endpoint console or via an "Automated Action". If the "Submit to Secure Malware Analytics upon Detection" automated action is enabled, it will put the detected file into the File Repository and send it to Cisco Secure Malware Analytics for analysis. Depending on your privacy setting for submission by Cisco Secure Endpoint to Secure Malware Analytics, the analysis results could be available to the "public".

There is the potential for bleeding over user data into the various Cisco Security products.

[Image: Automated Action and User request for .doc* files]

Thank you for that detailed explanation.
I had not considered the potential exposure of documents once sent for analysis.
However, is it not recommended to send automatically for analysis upon detection?
I know it is company-dependent, but is there a benefit of just blocking detections without any analysis?

Every Sample submitted to Cisco Secure Malware Analytics gets tagged:

• Public – Sample will be visible globally (each user can access all the details of the report)
• Private – Sample is only visible to the submitting Organization

Automated Submissions from an AMP-Enabled Integration are always marked private.

larry.siegelman
Level 1

Thank you very much @Enrico Werner.

That really helps us with privacy and issues related to possible "info bleed."