Chapter11

Questions and Answers

What is a primary benefit of using Endpoint Detection and Response (EDR)?

• Limiting access to network resources
• Reducing the need for user interaction
• Identifying known malware only
• Proactively detecting and responding to threats (correct)

Which mechanism is used to determine if a file should be deemed safe or potentially harmful?

• Observing user behavior related to the file
• Checking the file against a predefined whitelist (correct)
• Executing the file in a sandbox environment
• Analyzing the file’s creation date

In Digital Forensics and Incident Response (DFIR), what is one of the primary goals when responding to a security incident?

• To identify the source and impact of the incident (correct)
• To immediately disconnect all affected systems
• To restore all services without analysis
• To ensure all devices are completely wiped

Which of the following describes a cloud-based malware detection approach?

Using centralized threat intelligence and updates (B)

What is one of the minimum capabilities that a good EDR solution should have?

Threat blocking (C)

What can filtering help reduce in the context of endpoint security?

False positives during monitoring (D)

Which feature distinguishes Endpoint Detection & Response (EDR) from traditional Endpoint Protection Platforms (EPP)?

Behavioral threat detection (D)

Which algorithm is primarily used by Cisco Secure Endpoint engines to identify previously unknown threats?

Machine learning heuristics (B)

How does effective filtering in an EDR solution help organizations?

By reducing alert fatigue (A)

In the context of Cisco Secure Endpoint, what is the purpose of an Exclusion Set?

To list files and directories that should be ignored during scans (C)

What mechanism is typically used by endpoint protection solutions to mitigate threats before they affect the system?

Threat intelligence feeds (A)

What is the purpose of digital forensics and incident response (DFIR) in EDR solutions?

To assist with threat hunting and data loss prevention (D)

Which of the following best describes the role of digital forensics in incident response?

Collecting and analyzing evidence after a breach (A)

Which aspect is critical for effectively blocking suspicious activities in endpoint security?

Real-time monitoring of user actions (D)

Which aspect of EDR solutions typically varies between different products?

Monitoring capabilities (D)

In cloud-based malware detection, what is a common challenge that organizations face?

Delayed threat detection (D)

What was the previous name of Cisco Secure Endpoint before its rebranding?

FireAMP (A)

What is one primary concern regarding filtering mechanisms in endpoint protection solutions?

Increased rate of false positives (A)

In the context of EDR, what is meant by threat blocking?

Preventing identified threats from causing harm (A)

Cloud-based malware detection enhances EDR capabilities by providing what type of resource?

Threat intelligence from the cloud (B)

Which of the following is a primary component of a successful outbreak control strategy?

Timely endpoint telemetry collection (D)

Which factor is essential for effective endpoint posture assessment?

Automated compliance reporting (A)

Why is alert fatigue considered a significant issue in EDR systems?

It causes real threats to go undetected. (D)

What is a major benefit of implementing an endpoint patching strategy?

Enhanced overall cybersecurity posture (C)

Flashcards

Endpoint Threat Detection and Response (ETDR)

A security solution that detects and responds to threats on endpoint devices.

Endpoint Detection and Response (EDR)

Technology for detecting and responding to threats by monitoring and analyzing activity on endpoints.

Exclusion Set

A list of directories, file extensions, or threat names that aren't scanned by the Cisco Secure Endpoint agent for malware.

Cisco Secure Endpoint Engine

A component of Cisco Secure Endpoint that performs threat detection and response.

Application Control

Cisco Secure Endpoint's capability to detect, block, and whitelist application activities.

Mobile Device Management (MDM)

Tools to manage and secure mobile devices.

Threat Identification: Machine Learning

Use active heuristics and generic models to find malicious software by its overall characteristics, not specific signatures.

Device Flow Correlation (DFC)

A way to correlate logs from Cisco Secure Endpoint with other Cisco security products' logs.

What does EDR record in a central database?

EDR solutions monitor endpoint and network events, recording the information in a central database for analysis, detection, investigation, and reporting.

False Positives

Non-malicious events or activities flagged as threats by an EDR solution.

Threat Blocking

The ability of an EDR solution to prevent threats from impacting a system.

Endpoint Protection Platform (EPP)

A security solution that provides both detection and protection against threats.

What does a good EDR solution do?

A good EDR solution filters out false positives, blocks threats, and helps with digital forensics and incident response.

How does modern EDR integrate threat intelligence?

Modern EDR solutions integrate threat intelligence delivered from the cloud, enhancing their ability to detect and respond to threats.

What is the purpose of endpoint protection?

Endpoint protection aims to safeguard individual devices (like laptops and servers) from security threats, ensuring data remains secure and preventing malicious activities.

What's the key difference between Endpoint Protection Platforms (EPP) and Endpoint Detection & Response (EDR)?

EPP focuses on preventing threats through traditional methods like antivirus scanning, while EDR goes further, detecting suspicious activity and responding actively to incidents.

What is the purpose of an 'exclusion set' in Cisco Secure Endpoint?

An exclusion set allows you to exclude specific directories, file types, or threats from being scanned by the Cisco Secure Endpoint agent. This is helpful to avoid false positives or unnecessary scans.

How does dynamic file analysis help in endpoint security?

Dynamic file analysis examines files in a controlled environment to understand their behavior. This helps identify malware that might not be detected by traditional signature-based methods.

What are the benefits of endpoint device management and asset inventory?

Device management solutions help track and control devices, while asset inventory provides a comprehensive list of all company assets. These tools help manage risks, ensure security compliance, and improve overall security posture.

What is a key benefit of an endpoint patching strategy?

A strong patching strategy keeps devices updated with the latest security fixes, closing vulnerabilities and reducing the risk of exploitation.

What is Cisco Threat Response?

Cisco Threat Response is a powerful threat intelligence platform that integrates with Cisco Secure Endpoint to provide comprehensive threat analysis, investigation, and response capabilities.

What is the value of endpoint-sourced telemetry?

Endpoint-sourced telemetry provides valuable data about device activity and potential threats, which can be analyzed to detect security incidents and improve your security posture.

Study Notes

Endpoint Protection and Detection

• The chapter covers topics like Introduction to Endpoint Protection and Detection, Cisco Secure Endpoint, and Cisco Threat Response.
• The chapter covers these SCOR 350-701 exam objectives: Domain 5.0 Endpoint Protection and Detection, 5.1 Compare Endpoint Protection Platforms (EPP) and Endpoint Detection & Response (EDR) solutions, 5.2 Explain antimalware, retrospective security, indicator of compromise (IOC), antivirus, dynamic file analysis, and endpoint-sourced telemetry, 5.3 Configure and verify outbreak control and quarantines to limit infection, 5.4 Describe justifications for endpoint-based security, 5.5 Describe the value of endpoint device management and asset inventory such as MDM, 5.7 Describe endpoint posture assessment solutions to ensure endpoint security, and 5.8 Explain the importance of an endpoint patching strategy.
• A "Do I Know This Already?" quiz is included to determine if the chapter needs to be read thoroughly.
• There's a table that maps the chapter sections to quiz questions.
• The answers to the quiz questions are located in Appendix A.

Cisco Secure Endpoint Solution

• Features include File reputation, File sandboxing, File retrospection, and Web content filtering and redirect.
• Protocols and ports like TCP port 443 and TCP port 80 or TCP port 443 or TCP port 32137, UDP port 32137 and TCP port 443, TCP port 443, UDP port 53, and UDP port 500 are needed for communication with Cisco cloud servers for file and network lookups.
• Custom detections, application control, network, and endpoint indicators of compromise (IOC) are allowed.
• Advanced custom detections include File body-based signatures, MD5 signatures, Logical signatures, and all of these answers.
• Outbreak control IP lists can be used with detections.
• The solution supports multiple operating systems, including Windows, macOS, Android.

Foundation Topics

• The chapter discusses Endpoint Protection and Detection technologies to detect threats in endpoint devices.
• Technologies and processes should focus on mitigation as well as detection.
• Chapters 4 (Authentication, Authorization, Accounting [AAA], and Identity Management) and 7 (Cisco Secure Firewall) are related and useful to this chapter..
• Cisco Secure Endpoint connectors are available for various operating systems.
• File reputation, file sandboxing, file retrospection are key features for analyzing files.
• Cisco Secure Firewall Malware Defense provides malware detection, blocking, continuous analysis, and retrospective views.
• Cisco Secure Endpoint integrates with Malware Analytics Cloud, connectors, and intelligence sources.

Outbreak Control

• Customizable lists of custom detections, application control, network and endpoint IOC, can be created.
• Simple custom detections involve SHA-256 hashes for files.
• Advanced custom detections include more signature types, based on ClamAV signatures.
• Advanced custom detections include types like MDS, PE section-based, File Body-based, Extended Signature Format (offsets, wildcards, regular expressions), Logical Signatures, and Icon Signatures .
• IP blacklists and whitelists are useful for flagging or blocking suspicious network activity.
• Exclusion sets exclude specific directories, file extensions, or threat names, preventing scanning.
• Cisco Threat Response integrates with multiple Cisco security products and threat intelligence sources.

Cisco Secure Endpoint Reporting

• The dashboard provides various views to monitor threat activity, compromised computers, etc.
• The Inbox report is for compromised computers needing manual intervention.
• The Overview dashboard shows environmental status and recent threats.
• The Events dashboard displays recent events.
• The iOS Clarity dashboard summarizes iOS device activity (if linked to Meraki SM).