Advantage to using AMP for Endpoints + AMP for Network (FirePower) + Umbrella?
Right now we use Umbrella for endpoint security and FirePower with AMP for network security. I think this is a good solution since we get the advantage of DNS level protection on all computers, even if they are outside of our network. But we also can use FirePower with AMP to protect against malicious files traversing our network.
It was recommended to us that we buy AMP for Endpoints to better secure our environment. My question to the community is, is this overkill? We already have AMP for Network with FirePower, so would AMP for Endpoints add any more protection?
I understand that AMP for Endpoints will protect devices that are outside of our network (away from FirePower), but that is what we have Umbrella for. I also understand that AMP for Endpoints will scan files and devices inside of our network before they traverse the FirePower, but doesn't the malware need to go across our network at some point, thus having FirePower/Umbrella block it?
Does anyone have all three of these products in their environment and can speak to how they work together? Any recommendations from the community if it is worth adding AMP for Endpoints?
No, it's not overkill to have AMP for Endpoints as well; there are other ways for malware to get to machines that Umbrella won't catch. Umbrella doesn't look at content for most traffic, it looks at DNS... so if you allow webmail, and someone gets sent malware, Umbrella won't stop the attachment download. Umbrella won't stop my workstation running a worm from hitting the machines on my subnet... Firepower may catch that, but you'll still have 100 machines to clean up... Also AMP will show you what exactly happened on a machine when something does get through, and there are interesting things coming (e.g. endpoint isolation, Orbital). I have all of them. They all report data to/can be queried from Cisco Threat Response (CTR), Firepower incidents can be sent to CTR so it's sort of SIEM-like... There's an integration between AMP and FMC, so you can use FMC as a starting point for incidents if you want... They're still shaking out ways to tie all of these pieces together...
What about that old USB key that has been lying about for ages? Or that USB hard drive people are using to swap files? Or that dodgy encrypted file that's come in over email?
We also discovered malware on a critical DVD that someone at the company had burned years before we implemented AMP.
AMP4E also catches suspicious behaviour on the endpoint using cloud-based machine learning, e.g. fileless malware, suspicious macros in Office documents, various uncommon actions relating to the registry, or command-line stuff like suspicious invocations of netsh or rundll.exe.
AMP4E, Umbrella and Firepower all work together - you can see everything in CTR. If Firepower catches a malicious hash on the network, you can even see the activities related to that file on the end points in the trajectory.
Also, don't forget that Talos can change its mind about a file and move the disposition from good/unknown to bad AFTER it's passed through Umbrella or Firepower - how do you handle that without AMP?
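The retrospective-disposition point above is easy to see with a small simulation. This is an added example, not code from the thread or from Cisco: the sensor names, hosts, hashes and timestamps are all constructed, and the two functions stand in for the "verdict at the time" and "file trajectory" lookups a real console would do.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class FileEvent:
    """One observation of a file: when and where a sensor saw it."""
    ts: int        # constructed epoch seconds
    sensor: str    # "firepower" (network inspection) or "endpoint" (agent)
    host: str      # machine the file landed on
    sha256: str

# Constructed telemetry: the file crosses Firepower at t=100 while its hash is
# still rated "unknown", then is copied host-to-host without touching the firewall.
EVENTS = [
    FileEvent(100, "firepower", "pc-01", "a" * 64),
    FileEvent(100, "endpoint",  "pc-01", "a" * 64),
    FileEvent(250, "endpoint",  "pc-07", "a" * 64),   # lateral copy, never crosses Firepower
    FileEvent(300, "endpoint",  "pc-09", "b" * 64),   # unrelated file
]

# Constructed disposition history: (sha256, time of change, new disposition).
# At t=400 the hash is re-classified as malicious, well after it passed inline.
DISPOSITION_CHANGES = [("a" * 64, 400, "malicious")]

def inline_verdict(event, changes):
    """Verdict a sensor could have given at the moment it saw the file."""
    for sha, ts, disp in changes:
        if sha == event.sha256 and ts <= event.ts:
            return disp
    return "unknown"

def retrospective_hosts(events, changes, sensor):
    """Hosts, as seen by one sensor type, holding a file that was allowed
    inline but whose hash was later flipped to malicious."""
    hits = set()
    for ev in events:
        if ev.sensor != sensor or inline_verdict(ev, changes) == "malicious":
            continue  # not this sensor, or it would have been blocked inline
        if any(sha == ev.sha256 and ts > ev.ts and disp == "malicious"
               for sha, ts, disp in changes):
            hits.add(ev.host)
    return sorted(hits)

if __name__ == "__main__":
    print("network-only view:", retrospective_hosts(EVENTS, DISPOSITION_CHANGES, "firepower"))
    print("endpoint view:    ", retrospective_hosts(EVENTS, DISPOSITION_CHANGES, "endpoint"))
```

The network view can only name the host the file was originally delivered to; the endpoint view also surfaces pc-07, which received the file laterally and never crossed the firewall.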