Sohaib Ahmed
Cisco Employee

In one of the previous articles, we explained that you can realise immediate benefit from Cisco Secure Endpoint against ransomware and vulnerabilities when you're starting out. Those protections are excellent to utilise in the short to medium term, but to bolster your organisation's long-term security defences, you'll need to consider protecting against advanced threats.

Such threats target core operating system processes and Microsoft scripting applications, and are commonly known as file-less malware. Attacks of this kind (e.g. those originating from scripting engines like PowerShell) are becoming exceedingly common, and their volume is expected to double year over year according to the 2021 Internet Security Report by WatchGuard. To put that in perspective, 77% of attacks, according to the Ponemon Institute's 2017 State of Endpoint Security report, were file-less malware.

Cisco Secure Endpoint offers the protection engines listed below against these types of attack. Consider your environment and decide which endpoints would benefit most from each engine; for example, some engines may not be suitable for servers as opposed to workstations. In the video below, we walk you through an example of turning on the Network Engine from the Secure Endpoint console. Follow the same steps for the other protection engines.

Network Engine

The Network Engine dictates the network flow capabilities of your connectors, such as Device Flow Correlation settings. Device Flow Correlation allows you to monitor network activity and determine which action the connector should take when connections to malicious hosts are detected.

System Process Protection (connector version 6.0.5 and later)

SPP blocks attacks on critical Windows system processes compromised through memory injection attacks by other processes.

Script Protection (connector version 7.2.1 and later)

This will block malicious script files from executing when in Quarantine mode. Audit mode will create an event when a malicious script is executed but will not prevent it from executing.

Script Control (Secure Endpoint Windows connector 7.3.1 and later)

This prevents certain DLLs from being loaded by some applications and their child processes. In Block mode, the engine will kill a process if it or one of its child processes attempts to load certain DLLs. Audit mode will create events when the activity is detected but won't kill any processes.

Behavioral Protection (connector version 7.3.1 and later)

This helps prevent malicious activity that matches a set of behavioral signatures by alerting on activity, quarantining files, and ending processes in Protect mode. Audit mode will create events when matching activity is detected but will not take any actions.

As an example, you can use this policy set for workstations (also available as a preset via the Secure Endpoint Console):

  • Files: Quarantine
  • Network: Block
  • Malicious Activity Protection: Quarantine
  • System Process Protection: Protect
  • Script Protection: Quarantine
  • Exploit Prevention: Block
  • Exploit Prevention - Script Control: Audit
  • Behavioral Protection: Protect
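Because Audit modes only generate events, a policy that was rolled out in Audit and never promoted offers no enforcement. The following policy-drift check is an added example, not code from this post or from Cisco: it compares a connector policy against the workstation preset above and flags engines that are unset or weaker than the preset. The policy dictionaries are constructed sample input, not an export from the Secure Endpoint console or API.

```python
"""Compare a Secure Endpoint policy against the workstation preset from the post.

Constructed example: engine names and modes are taken from the article; the
policy dictionaries are hand-written sample input, not exported from a real
console or from the Secure Endpoint API.
"""
from typing import Dict, List

# Enforcement ranking: Audit only creates events, while Quarantine, Block and
# Protect all take action, so they rank equally above Audit.
MODE_RANK = {"Disabled": 0, "Audit": 1, "Quarantine": 2, "Block": 2, "Protect": 2}

# Workstation preset exactly as listed in the post.
WORKSTATION_PRESET: Dict[str, str] = {
    "Files": "Quarantine",
    "Network": "Block",
    "Malicious Activity Protection": "Quarantine",
    "System Process Protection": "Protect",
    "Script Protection": "Quarantine",
    "Exploit Prevention": "Block",
    "Exploit Prevention - Script Control": "Audit",
    "Behavioral Protection": "Protect",
}


def audit_policy(policy: Dict[str, str],
                 baseline: Dict[str, str] = WORKSTATION_PRESET) -> List[str]:
    """Return findings where `policy` is weaker than `baseline`.

    An engine is flagged when it is missing, set to an unknown mode, or ranked
    below the baseline mode. Engines at least as strict as the baseline pass,
    so tightening Script Control from Audit to Block produces no finding.
    """
    findings: List[str] = []
    for engine, wanted in baseline.items():
        actual = policy.get(engine)
        if actual is None:
            findings.append(f"{engine}: not configured (preset: {wanted})")
        elif actual not in MODE_RANK:
            findings.append(f"{engine}: unknown mode '{actual}'")
        elif MODE_RANK[actual] < MODE_RANK[wanted]:
            findings.append(f"{engine}: {actual} is weaker than preset {wanted}")
    return findings


if __name__ == "__main__":
    # Constructed sample: two engines left in Audit after rollout, one unset.
    sample = dict(WORKSTATION_PRESET, Network="Audit")
    sample["Script Protection"] = "Audit"
    del sample["Behavioral Protection"]
    for finding in audit_policy(sample):
        print(finding)
```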

Here’s where all the protection engines fall on the protection lattice:

[Figure: protection engines placed on the protection lattice]

If you want to dig deeper, you can join a live Q&A session at the following Ask the Experts Sessions:

  • Installation / Implementation Best Practices: Endpoint Protection
  • Architecture Transformation Planning: Endpoint Protection

Review Schedule and Register

Comment on this post if you have any questions.
