Right now we use Umbrella for endpoint security and FirePower with AMP for network security. I think this is a good solution since we get the advantage of DNS level protection on all computers, even if they are outside of our network. But we also can use FirePower with AMP to protect against malicious files traversing our network.
It was recommended to us that we buy AMP for Endpoints to better secure our environment. My question to the community is, is this overkill? We already have AMP for Network with FirePower, so would AMP for Endpoints add any more protection?
I understand that AMP for Endpoints will protect devices that are outside of our network (away from FirePower), but that is what we have Umbrella for. I also understand that AMP for Endpoints will scan files and devices inside of our network, before a file traverses the FirePower, but doesn't the malware need to go across our network at some point, thus having FirePower/Umbrella block it?
Does anyone have all three of these products in their environment and can speak to how they work together? Any recommendations from the community if it is worth adding AMP for Endpoints?
What about that old USB key that has been lying about for ages? Or that USB hard drive people are using to swap files? Or that dodgy encrypted file that's come in over email?
We also discovered malware on a critical DVD that someone at the company had burned years before we implemented AMP.
AMP4E also catches suspicious behaviour on the endpoint using cloud-based machine learning, e.g. fileless malware, suspicious macros in Office documents, and various uncommon actions relating to the registry or command line, such as suspicious invocations of netsh or rundll.exe.
AMP4E, Umbrella and Firepower all work together - you can see everything in CTR. If Firepower catches a malicious hash on the network, you can even see the activities related to that file on the end points in the trajectory.
Also, don't forget that Talos can change its mind about a file and move the disposition from good/unknown to bad AFTER it's passed through Umbrella or Firepower - how do you handle that without AMP?