Зарегистрируйтесь сейчас для лучшей персонализированной цитаты!

AMP for Endpoints Updates: Fall 2018

Nov, 28, 2018 Hi-network.com

Written by Evgeny Mirolyubov, Ben Greenbaum, Jesse Munos on behalf of the AMP for Endpoints engineering and research team

The AMP for Endpoints engineering and research team continuously releases new features and capabilities in the AMP for Endpoints Console with the goal of providing a superior user experience while addressing feedback from customers, partners, and prospects. But it doesn't stop there. That same team also invests a lot of time and effort into continually improving the security efficacy of the product. These improvements often come in the form of new security engines and capabilities.

In short, the team is tireless, working 24/7 to ensure business continuity for our customers. This blog highlights some of the enhancements that were made available in the last quarter.

Device Trajectory version 2

One of the critical prerequisites for effective incident response and threat hunting is in-depth historical endpoint visibility and comprehensive data collection. The Device Trajectory feature of AMP for Endpoints has been delivering these capabilities for years now. Most recently we have run through multiple iterations to improve its performance, data representation, and usability even further. Customers are now able to locate spikes in endpoint activity easily (representing an increase in network or file activity), precisely identify and double-click on compromises using the improved timeline feature, and enjoy enhanced activity filter customization. Performance improvements are achieved by loading the data on demand as you scroll through the timeline allowing access to a full 30 days of historical data. On top of that, the new Device Trajectory shows a more in-depth view of the endpoint; you can now see the full relationship mappings between clean processes and files.

New search capabilities are now available as well (not reflected in the video above). If you are an AMP for Endpoints user, you can experience the new Device Trajectory by enrolling into a public beta (navigate to Management -> Beta Features in the AMP Console). We sincerely thank our customers and partners for their valuable feedback provided during the open beta.

 

Threat Severity

When understanding and prioritizing alerts becomes a challenge, high-impact threats can be left without proper attention. The new threat severity feature was introduced to help security teams make better-informed incident triage and response decisions. Sorting by severity brings the most severe compromises to the top of your AMP Console Inbox. Related events now have associated severity tags (Critical, High, Medium, Low) and corresponding color-coding. The tags are assigned by Cisco's research team based on the global threat landscape knowledge and are continuously tuned to maintain a high level of accuracy. Critical severity level represents incidents involving known malware families identified with very high precision (for example, Cloud IOCs signifying that Poweliks infection has been identified post-compromised). High severity tag can be assigned to incidents representing generic malicious behaviors and generic malware, not attributed to a particular family (for example, 'Executed Malware' events). And finally, Medium and Low severity levels are reserved for possibly malicious or risky detections, that could indicate about a potential compromise or degraded security posture (for example, 'Threat Detected' or 'Vulnerable Application Detected' events).

 

Casebook and Pivot Menus

The daily workflows can be significantly optimized through the integrated case management tool named "Casebook". This is a powerful tool for gathering and pivoting on observables, assigning names to investigations, taking notes, and much more. Casebook and the pivot menus allow you to execute common actions for observables such as IP addresses, files, and URLs across the entire Cisco Advanced Threat Solutions portfolio from pretty much anywhere in the AMP Console. As a result, it provides enhanced user experience through tighter integrations. This feature is made possible by Cisco Threat Response, our new integration platform that helps you increase the efficiency and effectiveness of your existing Cisco Security investments. You can enable Casebooks and Pivot Menus under your AMP for Endpoints account settings.

 

New Overview Page

What could be more powerful for the business leaders than seeing the real-time value of their investments? The new Overview Page is designed to serve as a visual representation, that gives executives a quick and easy way to view their endpoint security state. Such information allows executives and security staff an "At A Glance" view of critical security metrics. The color-coded indicators provide an easy to parse summary of threats, compromises, vulnerabilities, and more while simultaneously allowing users to rapidly pivot into specific areas of interest.

 

New Exclusions User Interface

An exclusion set is a list of directories, file extensions, processes, or threat names that won't be scanned or convicted by the AMP Connector (or other endpoint security products). Sometimes exclusions are necessary to ensure a healthy balance of performance and security on an endpoint system. The key is that exclusions often need to be uniquely tailored to each customer environment based on business needs and security policies. The AMP for Endpoints engineering team has recently updated the user interface of the Exclusions configuration page to bring it to a consistent look and feel in line with the rest of the interface. Additionally, AMP Console administrators are now able to apply multiple Exclusion Lists to a single policy. Although the user interface has changed, the functionality of Exclusions stays fundamentally the same.

 

Exploit Prevention Enhancements

Strong prevention capability is one of the most highly-desired building blocks of any endpoint security offering. That may include preventing exploits (0-day or against unpatched vulnerabilities), evasive malware, and file-less attacks, all without relying on rules or signatures for detection. The Exploit Prevention engine, first introduced in AMP for Endpoints with the AMP Windows Connector version 6.0.5, has been enhanced to provide greater coverage against the evolving threat landscape. It does so by applying a truly proactive prevention technology, that does not affect system performance or imply compatibility issues. The ease of enabling Exploit Prevention and the value it provides has led to the rapid adoption, and we strive to continue improving the protection levels. Check back soon for a technical whitepaper on that strong prevention capability.

 

tag-icon Горячие метки:

Copyright © 2014-2024 Hi-Network.com | HAILIAN TECHNOLOGY CO., LIMITED | All Rights Reserved.