Advantage to using AMP for Endpoints + AMP for Network (FirePower) + Umbrella?

superadmin9
Level 1

Right now we use Umbrella for endpoint security and FirePower with AMP for network security. I think this is a good solution since we get the advantage of DNS level protection on all computers, even if they are outside of our network. But we also can use FirePower with AMP to protect against malicious files traversing our network. 


It was recommended to us that we buy AMP for Endpoints to better secure our environment. My question to the community is, is this overkill? We already have AMP for Network with FirePower, so would AMP for Endpoints add any more protection? 


I understand that AMP for Endpoints will protect devices that are outside of our network (away from FirePower), but that is what we have Umbrella to protect us for. I also understand that AMP for Endpoints will scan files and devices inside of our network and before it traverses the FirePower, but doesn't the malware need to go across our network at some point, thus having FirePower/Umbrella block it?


Does anyone have all three of these products in their environment and can speak to how they work together? Any recommendations from the community if it is worth adding AMP for Endpoints?


No, it's not overkill to have AMP for Endpoints as well; there are other ways for malware to get to machines that Umbrella won't catch. Umbrella doesn't look at content for most traffic, it looks at DNS... so if you allow webmail, and someone gets sent malware, Umbrella won't stop the attachment download. Umbrella won't stop my workstation running a worm from hitting the machines on my subnet... Firepower may catch that, but you'll still have 100 machines to clean up...
Also AMP will show you what exactly happened on a machine when something does get through, and there are interesting things coming (e.g. endpoint isolation, Orbital).
I have all of them. They all report data to/can be queried from Cisco Threat Response (CTR); Firepower incidents can be sent to CTR so it's sort of SIEM-like... There's an integration between AMP and FMC, so you can use FMC as a starting point for incidents if you want... They're still shaking out ways to tie all of these pieces together...

Mark McRitchie
Level 1

What about that old USB key that has been lying about for ages? Or that USB hard drive people are using to swap files? Or that dodgy encrypted file that's come in over email?


We also discovered malware on a critical DVD that someone at the company had burned years before we implemented AMP.


AMP4E also catches suspicious behaviour on the endpoint using cloud-based machine learning, e.g. fileless malware, suspicious macros in Office documents, and various uncommon actions relating to the registry or command-line stuff like suspicious invocations of netsh or rundll.exe.


AMP4E, Umbrella and Firepower all work together - you can see everything in CTR. If Firepower catches a malicious hash on the network, you can even see the activities related to that file on the end points in the trajectory.


Also, don't forget that Talos can change its mind about a file and move the disposition from good/unknown to bad AFTER it's passed through Umbrella or Firepower - how do you handle that without AMP?
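To make the retrospective point above concrete, here is a small added example (written for this page, not Cisco's code and not the AMP or CTR API): it records where a file was seen on endpoints and, when a later verdict flips to malicious, replays that history to list the hosts that already touched the file. Endpoint names, the hash value and the action vocabulary are constructed placeholders.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample data: a placeholder hash, not a real indicator.
SAMPLE_HASH = "sha256:" + "ab" * 32

@dataclass(frozen=True)
class FileEvent:
    endpoint: str   # hostname of the endpoint that saw the file
    sha256: str     # hash of the file as observed
    ts: int         # epoch seconds
    action: str     # "created" | "executed" | "copied" (constructed vocabulary)

class RetroTracker:
    """Keeps every file observation so a later verdict change can be
    replayed against history (the 'trajectory' idea in the thread)."""

    def __init__(self):
        self.disposition = {}             # sha256 -> clean|unknown|malicious
        self.events = defaultdict(list)   # sha256 -> [FileEvent]

    def observe(self, ev):
        # A DNS or perimeter layer only sees the file in transit; the endpoint
        # record is what lets us answer "where is it now?" after the fact.
        self.events[ev.sha256].append(ev)
        self.disposition.setdefault(ev.sha256, "unknown")

    def update_disposition(self, sha256, verdict):
        """Apply a new verdict. On a flip to malicious, return each endpoint
        that already touched the file with the first time it saw it."""
        old = self.disposition.get(sha256, "unknown")
        self.disposition[sha256] = verdict
        if verdict != "malicious" or old == "malicious":
            return {}
        first_seen = {}
        for ev in sorted(self.events[sha256], key=lambda e: e.ts):
            first_seen.setdefault(ev.endpoint, ev.ts)
        return first_seen

def demo():
    t = RetroTracker()
    # Constructed sequence: the file passes the perimeter as 'unknown', then
    # spreads internally (no DNS lookup, no perimeter crossing) before the
    # verdict changes to malicious.
    t.observe(FileEvent("laptop-01", SAMPLE_HASH, 1000, "created"))
    t.update_disposition(SAMPLE_HASH, "unknown")
    t.observe(FileEvent("laptop-01", SAMPLE_HASH, 1010, "executed"))
    t.observe(FileEvent("fileserver", SAMPLE_HASH, 1200, "copied"))
    t.observe(FileEvent("laptop-07", SAMPLE_HASH, 1300, "executed"))
    return t.update_disposition(SAMPLE_HASH, "malicious")
```

Without the per-endpoint observations, the same verdict change would only tell you that the file once crossed the network, not which hosts need cleanup.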