Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
9470
Views
10
Helpful
1
Comments

Secure Endpoint Frequently Asked Questions

E.L. Howard
Cisco Employee
Cisco Employee

on ‎06-09-2021 10:39 AM

Cisco Secure Endpoint

New packages fit for every organization

Every Cisco Secure Endpoint (formerly AMP for Endpoints) package comes with Cisco SecureX built-in. It’s our cloud-native platform that integrates all your security solutions into one view with the ability to orchestrate and deliver threat detection and response, meaning Secure Endpoint goes beyond EPP and EDR to give you Extended Detection and Response (XDR) capabilities. You’ll be able to investigate and identify multiple files with context from multiple security products, for a deeper and wider view of what’s happening. SecureX integration brings efficiency to your team for detection and response that’s up to 85% faster.

Essentials License

Replace legacy antivirus (AV) with our next-gen AV. Powered by Cisco Talos, the largest non-governmental threat intelligence in the world, we block more threats than any other security provider. See a threat once and block it everywhere – automating threat responses with one-click isolation of an infected host, while getting broader control beyond just the endpoint.

Essentials Key Features

  • NGAV
  • Continuous Monitoring
  • Dynamic File Analysis
  • Behavioral Monitoring and Protection
  • Vulnerability Identification
  • Endpoint Isolation
  • Secure Malware Analytics

 

Essentials Frequently Asked Questions

What value do I get from the Essentials package?

A full Endpoint Protection and Detection and Response platform, the Essentials package allows you to:

  • Block known threats automatically using machine learning, exploit prevention, file reputation, antivirus, and a wide array of powerful protection engines that stop both fileless and file-based attacks.
  • Use our patented technology to continuously analyze and monitor file and process activity. Automatically generate retrospective alerts at the first sign of malicious behavior.
  • Identify Indicators of Compromise (IOC) at both the network and system levels, typically missed by single-purpose detection technologies.
  • Stop threats from spreading with one-click isolation of an infected endpoint, without losing control of the device – shrinking the footprint of the attack.
  • Leverage global threat intelligence from across Cisco’s products and Services including Talos. Whether a threat originates on the Internet, in an email, or on someone else’s network, our cloud-based global telemetry sees a threat once, anywhere in the world, and blocks it everywhere.

 

Advantage License

Secure Endpoint Advantage includes all capabilities offered in the Essentials package, plus the ability to simplify security investigations with advanced endpoint detection and response (EDR), and easy access to our advanced malware analysis and threat intelligence portal – Cisco Secure Malware Analytics Cloud.

Advantage Key Features

  • NGAV
  • Continuous Monitoring
  • Dynamic File Analysis
  • Behavioral Monitoring and Protection
  • Vulnerability Identification
  • Endpoint Isolation
  • Orbital Advanced Search
  • Secure Malware Analytics Cloud

 

Advantage Frequently Asked Questions

Why should I consider the Advantage package?

With the Advantage package, you get everything the Essentials package offers, plus the ability to simplify and accelerate security investigations and incident response using the following advanced EDR capabilities:

  • Orbital Advanced Search allows Threat Hunters, SOC Analysts, and Incident Responders to do their jobs more efficiently by providing information about the endpoints they manage, all at their fingertips. Utilizing over a hundred specifically designed queries, security personnel can run complex queries on any or all endpoints. Advanced search provides deep visibility into what happened on any endpoint at any given time by taking a snapshot of its current state.
  • Secure Malware Analytics Cloud console and API access allow security teams to perform in-depth static and advanced dynamic file analysis to identify malware quickly in a safe and secure environment.

 

Orbital Advanced Search

What is Orbital Advanced Search?

Orbital Advanced Search is a new advanced capability in Secure Endpoint designed to make security investigation and threat hunting simple by providing over a hundred pre canned queries, allowing you to quickly run complex queries on any or all endpoints. This enables you to gain deeper visibility on what happened to any endpoint at any given time by taking a snapshot of its current state. Whether you are doing an investigation as part of incident response, threat hunting, IT operations, or vulnerability and compliance, we get you the answers you need about your endpoints fast.

How is Orbital Advanced Search data handled in the cloud?

Details about Orbital data processing and handling can be found in the Orbital Advanced Search Privacy Data Sheet.

How does Orbital Advanced Search work?

Whether you are investigating an incident or hunting for threats we can help you simplify and accelerate these tedious processes in the following ways:

  • Forensics snapshots. We can capture a snapshot of data from an endpoint such as running processes, open network ports, and a lot more at the time of detection or on-demand. You can think about it as a “freeze-framing activity” on an endpoint at the moment when something malicious was seen. This allows you to know exactly what was happening on your endpoint then.
  • Predefined and customizable queries. We provide over a hundred predefined queries that you can quickly run as they are or easily customized as needed. These queries are simply organized in a catalog of common use cases and mapped to the MITRE ATT&CK.
  • Live search. You can run complex queries on your endpoints for threat indicators, on-demand, or a schedule, capturing the information you need about your endpoints in near real-time.
  • Storage options. The results of your queries can be stored in the cloud or sent to other applications such as Cisco Threat Response for further or future investigations.

 

What challenges can you help address?

Dealing with a data breach can put many strains on your security team – even more so when they are already reeling from talent shortage. Faced with an incident, they now have to spend copious amount of time investigating the problem. With malicious attacks from malware and other perpetrators as the major root cause of a breach, they often find it difficult to address these more evasive threats. But as traditional antivirus falls short in protecting your endpoints, one thing is clear, today’s modern malware requires modern defenses. And we can help with that by getting all the information you need from your endpoints, allowing you to stop breaches and attacks fast.

What business value can I gain from this capability?

We help you get the information you need in near real time to investigate and respond to threats quickly and confidently. As a result, we can help shrink the lifecycle of an incident or a data breach that you may be dealing with – mitigating any or further damaging cost of the breach to your business.

In what ways (use cases) can I use the Orbital Advanced Search capability?

With Orbital Advanced Search, we can help you do the following important tasks better, faster:

  • Threat hunting. Search for malicious artifacts in near real-time to accelerate your hunt for threats.
  • Incident investigation. Get to the root cause of the incident fast, accelerating remediation.
  • IT operations. Simply track disk space, memory, and other IT operations artifacts.
  • Vulnerability and compliance. Quickly check the status of Operating Systems for things like versions and patch updates, ensuring your endpoints comply with current policies.

 

Secure Malware Analytics Cloud

What value do I get from having full access to Secure Malware Analytics Cloud?

By integrating Secure Endpoint with a Secure Malware Analytics Cloud subscription, customers gain the ability to perform a comprehensive analysis of any potential malware attempting to compromise their endpoints. The Secure Malware Analytics Cloud portal allows users to easily pivot and drill down on data elements, search for related samples and behaviors in their environment, and interact with malware in a secure way that avoids the latest malware evasion techniques.

Secure Malware Analytics is powered by a globally sourced repository of malware samples and threat intelligence which offers crucial context to suspicious files that have been observed on a customer’s endpoints. Secure Malware Analytics Cloud also has the ability to enrich the other tools in your security environment leveraging premium threat feeds and an easy-to-use REST API. Users can automate sample submissions from 3rd party products and feed the resulting analysis into a variety of security and threat intelligence tools. This allows you to have a common analysis platform and gain a holistic view of all malware samples within their network. For a list of supported 3rd party integrations, view the link here.

In what ways (use cases) can I use Secure Malware Analytics Cloud?

With Secure Malware Analytics, we help you do threat analysis and investigations more efficiently:

  • Security operations. Secure Malware Analytics provides an intuitive analysis environment that allows all types of analysts to quickly understand the details and scope of a threat using an advanced threat scoring system and behavioral indicators that are backed by advanced search capabilities across processes, file, disk, memory, network, and network artifacts and present findings in plain language. Secure Malware Analytics Cloud also provides more advanced capabilities such as detailed sample analysis reports, process execution charts, and direct user interaction with malware through its Glovebox feature.
  • Threat intelligence. With access to a robust API to integrate sample submission, Secure Malware Analytics enriches security event and threat content, allowing customers to enhance the capabilities of their existing IT security infrastructure and to produce data feeds that can be ingested by SIEMS and other threat management tools.
  • Data enrichment. Secure Malware Analytics leverages a robust store of analyzed malware content that is rich in historical context and fully correlated, enabling rapid development of actionable defense and IR remediation plans.
  • Drill down. Secure Malware Analytics' depth of malware analysis and data pivoting capabilities provide reverse engineers and incident responders the context, depth of data, and malware analysis they require to be effective.

 

Premier License

Threat Hunting is now available to you through Cisco Secure Endpoint Premier. And, with SecureX Threat Hunting, you’ll have elite human security experts from Cisco proactively searching for threats in your actual environment providing high-fidelity alerts with remediation recommendations.

Premier Key Features

  • NGAV
  • Continuous Monitoring
  • Dynamic File Analysis
  • Behavioral Monitoring and Protection
  • Vulnerability Identification
  • Endpoint Isolation
  • Orbital Advanced Search
  • Secure Malware Analytics Cloud
  • SecureX Threat Hunting

 

Premier Frequently Asked Questions

What is SecureX Threat Hunting?

SecureX Threat Hunting is an analyst-centric process, driven by Cisco Security experts, that enables organizations to uncover hidden advanced threats. Once threats are detected, customers are notified within their Secure Endpoint Console, so they can begin remediation. Threat Hunting is a proactive approach to threat detection, which tells the incident responders a narrative of how an attack was spotted and how it evolved. The purpose is to discover and thwart attacks before they cause any damage. As a side-effect of leveraging regular and continuous Threat Hunting, an organization increases their knowledge of vulnerabilities and risks which further allows the hardening of their security environment.

What makes SecureX Threat Hunting different than other solutions?

SecureX Threat Hunting is not a managed service, it is a feature embedded of Secure Endpoint and works along with all of its other detection mechanisms. As such it is designed to produce additional net new high-impact findings.

What impact can I expect from SecureX Threat Hunting?

SecureX Threat Hunting is a feature embedded tightly inside the Cisco Secure Endpoint product and along-side all its other detection mechanisms. As such it is designed to produce additional net new high-impact findings.

What is in scope for the service (incident notification only, recommendations, actions, etc.)?

Customers get notified of an incident that does include a summary of what type of threat or behavior has been observed and what that means for the customer in terms of the possible impact. If there are events associated with the incident, they will be shown on a timeline. Finally, there are additional references such as mapping to MITRE ATT&CK and a clear set of recommendations on what to do next in terms of investigation and remediation of the threat.

Is the service for increasing net new detections or improving and providing additional context for existing detections, or both?

Detections triggered as part of a SecureX Threat Hunt event are going to be net new, high-fidelity detection events.

What are the major features of SecureX Threat Hunting?

The AMP Console features a Threat Hunting report that shows the new findings with all of the relevant context and events mapped to MITRE ATT&CK TTP’s, together with recommendations for customer incident responders on what to do next in terms of further investigation or remediation of the findings.

How does SecureX Threat Hunting complement other Cisco products and services?

SecureX Threat Hunting is specific to the Secure Endpoint product initially and it does complement its existing capability with new hypothesis-driven detections continuously executed and maintained by Cisco experts.

Is SecureX Threat Hunting available for AMP Private Cloud?

No, SecureX Threat Hunting will not be available for AMP Private Cloud.

Is SecureX Threat Hunting an MDR offering?

SecureX Threat Hunting is not a managed service. It does not replace a customer analyst in front of the AMP Console. It instead focuses on delivering and highlighting high-impact findings that should receive priority from the customer analysts in terms of response.

How does SecureX Threat Hunting Compare with services such as MDR/MSSP?

SecureX Threat Hunting is deeply embedded with Secure Endpoint, as a feature. The feature delivers continuous hunts. It is not a managed service, and it does not provide direct interaction with Cisco analysts.

How do I engage with analysts?

There is no direct engagement with SecureX Threat Hunters. Should the customer need assistance, they can engage TAC, CX or Talos IR, based on need.

Can customers have bi-directional communications with threat hunters?

Not at this time.

What is the escalation process for the service, how to file disputes / provide feedback?

All disputes, false positive/negative reports, and feedback should be initiated through Cisco TAC.

Who is behind the threat hunts (human-driven vs machine-driven detections vs combined)?

Cisco delivers highly automated human-driven hunts based on playbooks producing high fidelity alerts. The process uniquely combines the new Orbital Advanced Search technology with expertise from elite threat hunters, with 20 years of industry experience, to proactively find more sophisticated threats. The entire process is highly automated and that does also include algorithmic machine-driven detections. 50+ daily hunts are scheduled and automated, the results are investigating by analysts. Researchers develop various engines to perform data stacking, masquerading detection, and process analytics. Results are investigated by analysts.

Is the team behind the service a part of Talos or does it include Talos team members, what’s the interaction with Talos?

Threat Hunting in Secure Endpoint is managed by Cisco and leverages the expertise of both Talos and the Cisco Research and Efficacy Team to help identify threats found within the customer environment.

How is SecureX Threat Hunting deployed and managed?

SecureX Threat Hunting is a native part of the Secure Endpoint cloud. Customers are encouraged to deploy Orbital so that the SecureX Threat Hunting can tap into richer telemetry.

With SecureX Threat Hunting is any endpoint data captured and if so, what type?

The endpoint data captured is from the Secure Endpoint and Orbital telemetry data sets.

What data sources used for threat hunts (which Cisco products if not just AMP)?

Currently, the data sources used for SecureX Threat Hunting are AMP and Orbital.

Where is the data stored that SecureX collects stored?

All data used for hunting is stored in a private AWS data store in North America, that is only accessible by SecureX Threat Hunters.

How is data privacy guaranteed for the service?

Details can be found in the Secure Endpoint Privacy Data Sheet.

What operating systems are supported?

All OSes currently supported by Secure Endpoint.

Will customers need to redeploy agents to take advantage of SecureX Threat Hunting?

No – but customers are encouraged to deploy Orbital across their environment. Deploying Orbital adds a layer of telemetry, and insight to confirm suspected findings by our Threat Hunters.

In what regions and supported languages will this be available?

SecureX Threat Hunting is available worldwide. Data Centers for Secure Threat Hunting are initially located only in North America. Threat Hunting information will only be in English, however, menus and titles will be localized.

What if I don’t see any alerts?

There will be individual statistics for each hunt based on the entire data set of AMP to showcase how many businesses and hosts are affected by the threat. This is confirmation that your organization hasn’t experienced this specific threat. SecureX Threat Hunting metrics reports will also be available.

How are threat hunts executed on the backend?

All threat hunts executed are based on intelligence, TTPs, anomaly detection, machine learning, and manual research, along with the data sources available (i.e. Secure Endpoint telemetry, Orbital, Umbrella).

How will existing customers upgrade if they have Essentials? Advantage?

Upgrades depend on the PID’s used during their original order. SBP (Software Buying Program) customers can use SBP to update and effectively upgrade the tier in their orders. TnC customers can be dealt with as rebooking.

What is the pricing and packaging model? New customers and existing customers?

Packaging and pricing are available in the standard Secure Endpoint Ordering Guide. SecureX Threat Hunting is included in the Secure Endpoint Premier license.

Are there any SLAs for the feature and how are they managed?

There are no SLAs for this feature.

How do I get more information about these buying options?

For more information about the new Cisco Secure Endpoint packages, check our new Ordering Guide or contact your Cisco account manager.

 

Comments
jonahhill
Level 1
Level 1
‎06-24-2021 11:24 PM

Thank you so much.  McDVOICE con

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents