This chapter covers endpoint protection and detection topics, including Cisco Secure Endpoint and Cisco Threat Response. It outlines the relevant SCOR 350-701 exam objectives.
# Chapter 11: Endpoint Protection and Detection

## This chapter covers the following topics:

* Introduction to endpoint protection and detection
* Cisco Secure Endpoint (formerly Cisco Advanced Malware Protection [AMP] for Endpoints)
* Cisco Threat Response

## The following SCOR 350-701 exam objectives are covered in this chapter:

* Domain 5.0 Endpoint Protection and Detection
  * 5.1 Compare Endpoint Protection Platforms (EPP) and Endpoint Detection & Response (EDR) solutions
  * 5.2 Explain antimalware, retrospective security, indicator of compromise (IOC), antivirus, dynamic file analysis, and endpoint-sourced telemetry
  * 5.3 Configure and verify outbreak control and quarantines to limit infection
  * 5.4 Describe justifications for endpoint-based security
  * 5.5 Describe the value of endpoint device management and asset inventory such as MDM
  * 5.7 Describe endpoint posture assessment solutions to ensure endpoint security
  * 5.8 Explain the importance of an endpoint patching strategy

## "Do I Know This Already?" Quiz

The "Do I Know This Already?" quiz allows you to assess whether you should read this entire chapter thoroughly or jump to the "Exam Preparation Tasks" section. If you are in doubt about your answers to these questions or your own assessment of your knowledge of the topics, read the entire chapter. Table 11-1 lists the major headings in this chapter and their corresponding "Do I Know This Already?" quiz questions. You can find the answers in Appendix A, "Answers to the 'Do I Know This Already?' Quizzes and Q&A Sections."

| Foundation Topics Section | Questions |
|:--|:--|
| Introduction to Endpoint Protection and Detection | 1 |
| Cisco Secure Endpoint | 2-9 |
| Cisco Threat Response | 10 |

**CAUTION**: The goal of self-assessment is to gauge your mastery of the topics in this chapter. If you do not know the answer to a question or are only partially sure of the answer, you should mark that question as wrong for purposes of the self-assessment. Giving yourself credit for an answer you incorrectly guess skews your self-assessment results and might provide you with a false sense of security.

1. Which of the following is not a feature of the Cisco Secure Endpoint solution?
   - a. File reputation
   - b. File sandboxing
   - c. File retrospection
   - d. Web content filtering and redirect
2. You are hired to deploy Cisco Secure Endpoint. In order to allow a connector to communicate with Cisco cloud servers for file and network disposition lookups, a firewall must allow the clients to connect to the Cisco servers over which of the following protocols and ports?
   - a. TCP port 443 and TCP port 80
   - b. TCP port 443 or TCP port 32137
   - c. UDP port 32137 and TCP port 443
   - d. TCP port 443, UDP port 53, and UDP port 500
3. Which of the following Cisco Secure Endpoint features allow you to create lists for Custom Detections, Application Control, Network, and Endpoint indicators of compromise (IOC)?
   - a. Inbox feature
   - b. Group Policies
   - c. Outbreak Control
   - d. None of these answers are correct.
4. Advanced custom detections offer many more signature types to the detection, including which of the following?
   - a. File body-based signatures
   - b. MD5 signatures
   - c. Logical signatures
   - d. All of these answers are correct.
5. You can use outbreak control IP lists in conjunction with ____ detections, which allows you to flag or even block suspicious network activity.
   - a. Device flow correlation (DFC)
   - b. PAC files
   - c. group policies
   - d. AVC
6. You are hired to deploy Cisco Secure Endpoint, and one of the requirements is that you must use an exclusion set to resolve conflicts with other security products or mitigate performance issues by excluding directories that contain large files that are frequently written to, like databases. Which of the following is an exclusion type available in Cisco Secure Endpoint that can help you accomplish this task?
   - a. Threat-based exclusion
   - b. Extension-based exclusion
   - c. Wildcards
   - d. All of these answers are correct.
7. Cisco Secure Endpoint has connectors for which of the following operating systems?
   - a. Windows
   - b. macOS
   - c. Android
   - d. All of these answers are correct.
8. Which of the following is used by the Cisco ESA to handle incoming SMTP connection requests? These entities demarcate the email-processing service configured on a Cisco ESA interface.
   - a. WCCP redirects
   - b. MX records
   - c. SMTP MSAS
   - d. Listeners
9. Which of the following clients allow you to aid the distribution of the Cisco Secure Endpoint connector and can be used for remote access VPN, secure network access, and posture assessments with Cisco's Identity Services Engine?
   - a. DUO
   - b. Cisco Secure Client
   - c. Cisco Secure Workload
   - d. Cisco SMA
10. Which of the following is a "one-pane-of-glass" console that automates integrations across Cisco security products (including Cisco Secure Endpoint) and threat intelligence sources?
    - a. Cisco SMA
    - b. Cisco Threat Response (CTR)
    - c. Cisco Secure Workload
    - d. Firepower Management Console

## Foundation Topics

### Introduction to Endpoint Protection and Detection

Throughout this book, you have been learning about the various technologies that can also help detect threats in endpoint devices. You have learned that security technologies and processes should not just focus on detection but should also provide the capability to mitigate the impact of an attack.
Organizations must maintain visibility and control across the extended network during the full attack continuum:

* Before an attack takes place
* During an active attack
* After an attacker starts to damage systems or steal information

In Chapter 4, "Authentication, Authorization, Accounting (AAA) and Identity Management," you learned about the Cisco ISE, 802.1X, Network Access Control (NAC), endpoint posture assessment, and how clients like Cisco Secure Client are used to interact with network devices and Cisco solutions to protect not only the endpoint, but also the underlying network. You also learned the uses and importance of a multifactor authentication (MFA) strategy.

In Chapter 7, "Cisco Secure Firewall," you learned all about the components that make up the Cisco Secure Firewall Malware Defense (AMP for Networks) architecture and the Malware Analytics Cloud. In Chapter 7, you also learned that the Cisco Secure Malware Defense solution enables malware detection, blocking, continuous analysis, and retrospective views with the following features:

* **File reputation**: Cisco Secure Firewall Malware Defense allows you to analyze files inline and block or apply policies.
* **File sandboxing**: Cisco Secure Firewall Malware Defense allows you to analyze unknown files to understand true file behavior.
* **File retrospection**: Cisco Secure Firewall Malware Defense allows you to continue to analyze files for changing threat levels.

**TIP**: Remember that the architecture of the Cisco Secure Firewall Malware Defense can be broken down into three main components: the Malware Analytics Cloud, Cisco Secure Firewall Malware Defense client connectors, and intelligence sources.

This chapter focuses on the Cisco Secure Endpoint client connector: it covers Cisco Secure Malware Defense in more detail and looks at where Cisco Secure Endpoint fits into the AMP architecture. You'll also learn about the types of Cisco Secure Endpoint connectors, how to create policies for them, and how to install them. The chapter describes how to use the Malware Analytics Cloud console, and you will even get a look at Cisco Secure Firewall Malware Defense detecting and remediating malware.

**NOTE**: After Cisco acquired SourceFire, the solution previously known as FireAMP was renamed Cisco Secure Endpoint.

## Endpoint Threat Detection and Response (ETDR) and Endpoint Detection and Response (EDR)

Before diving deep into Cisco Secure Endpoint, let's define what the industry refers to as Endpoint Threat Detection and Response (ETDR) and Endpoint Detection and Response (EDR). Gartner defines EDR as the "tools primarily focused on detecting and investigating suspicious activities (and traces of such) other problems on hosts/endpoints."

**NOTE**: Cisco also provides a great definition and an overview of EDR at the following website: [https://www.cisco.com/c/en/us/products/security/endpoint-security/what-is-endpoint-detection-response-edr.html](https://www.cisco.com/c/en/us/products/security/endpoint-security/what-is-endpoint-detection-response-edr.html)

EDR solutions monitor endpoint and network events and record the information in a central database so that you can perform further analysis, detection, investigation, and reporting. Typically, software (an agent) is installed on the endpoint that allows ongoing monitoring and detection of potential security threats.

**TIP**: Not all EDR solutions work the same way or offer the same range of capabilities. Some EDR solutions perform more analysis on the agent and others focus on the backend (using a management console). Modern EDR solutions integrate with threat intelligence delivered from the cloud.
The minimum capabilities of a good EDR solution are as follows:

* **Filtering**: The ability to filter out false positives (to help reduce "alert fatigue," which increases the potential for real threats to go undetected).
* **Threat blocking**: At the end of the day, the EDR solution must be able to contain the threats, not just detect them.
* **Help with digital forensics and incident response (DFIR)**: The ability to allow an organization to effectively perform DFIR tasks, as well as threat hunting to prevent data loss (data breaches).

**TIP**: Another term in the industry is Endpoint Protection Platform (EPP). An EPP provides not only detection, but also protection (threat blocking). In many cases, people refer to EPP and EDR as the same thing. The following blog post provides a good overview of EPP, EDR, and Cisco Secure Endpoint: [https://blogs.cisco.com/security/epp-edr-cisco-amp-for-endpoints-is-next-generation-endpoint-security](https://blogs.cisco.com/security/epp-edr-cisco-amp-for-endpoints-is-next-generation-endpoint-security)

## Cisco Secure Endpoint

Cisco Secure Endpoint provides more than just endpoint-level visibility into files. It also provides cloud-based detection of malware, in which the cloud constantly updates itself. This enables very rapid detection of known malware because the cloud resources are used instead of endpoint resources. This architecture has a number of benefits. With the majority of the processing power being performed in the cloud, the endpoint software remains very lightweight.

The Malware Analytics Cloud is able to provide a historical view of malware activity, segmented into two activity types:

* **File trajectory**: What endpoints have seen the files
* **Device trajectory**: Actions the files performed on given endpoints

With the data storage and processing in the cloud, the Cisco Secure Endpoint solution is able to provide powerful and detailed reporting, as well as provide very robust management.
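The following Python script is an added illustration of the model this section describes (the connector hashes a file locally, the cloud returns a Clean/Malware/Unknown verdict, the console keeps file and device trajectories, and a later change of verdict is applied retrospectively). It is not Cisco code and does not use any Cisco API; the `ReputationCloud` and `Console` classes, the endpoint names and the sample file contents are all constructed for the example.

```python
import hashlib
from collections import defaultdict

# The three dispositions the cloud returns, as named in the chapter.
CLEAN, MALWARE, UNKNOWN = "Clean", "Malware", "Unknown"


def sha256_hex(data: bytes) -> str:
    """The connector hashes the file locally; only the digest leaves the host."""
    return hashlib.sha256(data).hexdigest()


class ReputationCloud:
    """Hypothetical stand-in for the cloud disposition service (not a real API)."""

    def __init__(self, known: dict):
        # digest -> disposition; anything not listed is Unknown
        self._known = dict(known)

    def lookup(self, digest: str) -> str:
        return self._known.get(digest, UNKNOWN)

    def update(self, digest: str, verdict: str) -> None:
        # The cloud learns continuously; a newer verdict supersedes the older one.
        self._known[digest] = verdict


class Console:
    """Models the console's record of trajectories across all connectors."""

    def __init__(self, cloud: ReputationCloud):
        self.cloud = cloud
        # file trajectory: digest -> set of endpoints that have seen it
        self.file_trajectory = defaultdict(set)
        # device trajectory: endpoint -> ordered (digest, action, verdict) events
        self.device_trajectory = defaultdict(list)

    def observe(self, endpoint: str, data: bytes, action: str) -> str:
        """A connector reports a file event; returns the verdict it acted on."""
        digest = sha256_hex(data)
        verdict = self.cloud.lookup(digest)
        self.file_trajectory[digest].add(endpoint)
        self.device_trajectory[endpoint].append((digest, action, verdict))
        return verdict

    def retrospect(self, digest: str, new_verdict: str) -> set:
        """File retrospection: the cloud changes a disposition after the fact.
        Returns the endpoints that already handled the file under the old
        verdict, i.e. the hosts the console would now flag for quarantine."""
        self.cloud.update(digest, new_verdict)
        if new_verdict != MALWARE:
            return set()
        return set(self.file_trajectory.get(digest, ()))


def demo() -> dict:
    """Constructed scenario: three sample 'files' seen across several endpoints."""
    benign = b"quarterly-report.docx contents (constructed sample)"
    known_bad = b"dropper stage one (constructed sample)"
    novel = b"never-before-seen binary (constructed sample)"

    cloud = ReputationCloud({sha256_hex(benign): CLEAN,
                             sha256_hex(known_bad): MALWARE})
    console = Console(cloud)

    first = {
        "benign": console.observe("WS-01", benign, "open"),
        "known_bad": console.observe("WS-02", known_bad, "execute"),
        "novel_ws01": console.observe("WS-01", novel, "create"),
        "novel_srv01": console.observe("SRV-01", novel, "execute"),
    }
    # Sandboxing or new intelligence later convicts the novel file; retrospection
    # finds every endpoint that already saw it while it was still Unknown.
    affected = console.retrospect(sha256_hex(novel), MALWARE)
    later = console.observe("WS-03", novel, "execute")  # now convicted up front

    return {
        "first": first,
        "affected": affected,
        "later": later,
        "novel_digest": sha256_hex(novel),
        "ws01_events": console.device_trajectory["WS-01"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of the retrospection step is the one the exam objectives call "retrospective security": because the console already knows which endpoints saw a hash while it was Unknown, a later conviction can be pushed back to those hosts without rescanning them.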
The Cisco Secure Endpoint agent is also able to take action. For example, it can block malicious network connections based on custom IP blacklists or intelligent dynamic lists of malicious IP addresses.

Cisco Secure Endpoint is the connector that resides on - you guessed it - endpoints. It resides on Windows, Mac, Linux, and Android endpoints. Unlike traditional endpoint protection software that uses a local database of signatures to match a known bad piece of software or a bad file, Cisco Secure Endpoint remains lightweight, sending a hash to the cloud and allowing the cloud to make intelligent decisions and return the verdicts Clean, Malware, and Unknown.

## Cisco Secure Endpoint Connectors

Cisco Secure Endpoint is available for multiple platforms: Windows, Android, Mac, and Linux. The Download Connector page provides you with the option to download installation packages for every type of connector, or copy the URL from which these packages can be downloaded after you've selected a group. These installer packages can be saved on a network share or disseminated through management software. Alternatively, you can email the download URL to users, empowering them to download and install the packages independently. This capability could prove especially useful for users working remotely. You can see the available connectors from the cloud console by navigating to Management > Download Connector.

## Cisco Secure Endpoint Policies

You can configure different policies for each of the supported platforms, respectively. To create a new policy, navigate to Management > Policies. A policy is applied to an endpoint via groups. Groups allow the computers in an organization to be managed according to their function, location, or other criteria as determined by the administrator.

**TIP**: Outbreak Control and Exclusion sets are combined with other settings into a policy. The policy affects the behavior and certain settings of the connector.
You can create a new group by navigating to Management > Groups.

## Cisco Secure Client AMP Enabler

You can use the AMP Enabler add-on to Cisco Secure Client to aid in the distribution of the Cisco Secure Client AMP connector to clients who use Cisco Secure Client for remote access VPN, secure network access, posture assessments with Cisco's Identity Services Engine, and more.

## Cisco Secure Endpoint Engines

There are three detection and protection "engines" in Cisco Secure Endpoint:

* **TETRA**: A full client-side antivirus solution. Do not enable the use of TETRA if there is an existing antivirus product in place. The default Cisco Secure Endpoint AMP setting is to leave TETRA disabled, as it changes the nature of the Cisco Secure Endpoint AMP connector from being a very lightweight agent to being a "thicker" software client that consumes more disk space for signature storage and more bandwidth for signature updates. When you enable TETRA, another configuration subsection is displayed, allowing you to choose what file scanning options you wish to enable.
* **Spero**: A machine learning-based technology that proactively identifies threats that were previously unknown. It uses active heuristics to gather execution attributes, and because the underlying algorithms come up with generic models, they can identify malicious software based on its general appearance rather than basing identity on specific patterns or signatures.
* **Ethos**: A "fuzzy fingerprinting" engine that uses static or passive heuristics.

## Cisco Secure Endpoint Reporting

Cisco Secure Endpoint includes a series of reporting dashboards that can be very useful to understand what's happening in your endpoints. The main dashboard, illustrated in Figure 11-19, provides a view of threat activity in your organization over the past 30 days, as well as the percentage of compromised computers. You can filter by platform, date ranges, and other attributes.

## Cisco Threat Response

Cisco Threat Response is a "one-pane-of-glass" console that automates integrations across Cisco security products and threat intelligence sources. This is an ongoing effort from Cisco to provide a single console for the management of most of its security products. Cisco Threat Response integrates with the following Cisco security solutions:

* Cisco Secure Malware Defense (formerly known as Advanced Malware Protection)
* Cisco Secure Endpoint
* Cisco Secure Malware Analytics
* Cisco Umbrella
* Cisco Secure Email
* Cisco Secure Firewalls

The screenshots in the previous sections were collected using a Cisco Threat Response console.

**TIP**: The following video provides an overview of the Cisco Threat Response solution: [https://www.youtube.com/watch?v=ycwkY53ve1U](https://www.youtube.com/watch?v=ycwkY53ve1U). The following video provides a detailed demo and walkthrough of Cisco Threat Response: [https://www.youtube.com/watch?v=sHEbKivwTJM](https://www.youtube.com/watch?v=sHEbKivwTJM).

## Exam Preparation Tasks

As mentioned in the section "Book Features" in the Introduction, you have a couple of choices for exam preparation: the exercises here, Chapter 12, "Final Preparation," and the exam simulation questions in the Pearson Test Prep Software Online.

## Review All Key Topics

Review the most important topics in this chapter, noted with the Key Topic icon in the outer margin of the page. Table 11-2 lists these key topics and the page numbers on which each is found.
| Key Topic Element | Description | Page Number |
|:--|:--|:--|
| List | Surveying the Cisco Secure Endpoint core features | 675 |
| Section | Endpoint Threat Detection and Response (ETDR) and Endpoint Detection and Response (EDR) | 676 |
| List | Reviewing file trajectory and device trajectory | 677 |
| Figure 11-1 | Understanding the Cisco Secure Endpoint Architecture | 677 |
| Section | Outbreak Control | 677 |
| Section | IP Blacklists and Whitelists | 681 |
| Section | Cisco Secure Endpoint Application Control | 683 |
| Section | Exclusion Sets | 684 |
| Section | Cisco Secure Endpoint Connectors | 687 |
| Section | Cisco Secure Endpoint Policies | 687 |
| Section | Cisco Secure Endpoint Engines | 689 |
| Tip | Describing the value of endpoint device management and asset inventory such as MDM | 692 |

## Define Key Terms

Define the following key terms from this chapter and check your answers in the glossary.

* TETRA
* Spero
* Ethos
* mobile device management (MDM)

## Review Questions

1. Which of the following is a Cisco Secure Endpoint engine that uses machine learning to proactively identify threats that were previously unknown? This solution uses active heuristics to gather execution attributes, and because the underlying algorithms come up with generic models, they can identify malicious software based on its general appearance rather than basing identity on specific patterns or signatures.
   - a. TETRA
   - b. Ethos
   - c. Spero
   - d. All of these answers are correct.
2. Which of the following is a list of directories, file extensions, or even threat names that you do not want the Cisco Secure Endpoint AMP agent to scan and definitely not to convict as malware?
   - a. Exclusion set
   - b. Application blacklist
   - c. TETRA blacklist
   - d. None of these answers are correct.
3. Like files, applications can be detected, blocked, and whitelisted with Cisco Secure Endpoint. Cisco Secure Endpoint does not look for the name of the application but which of the following elements?
   - a. An SHA hash (checksum)
   - b. An outbreak signature
   - c. A custom signature
   - d. A Spero signature
4. Device flow correlation (DFC) can be used for which of the following scenarios?
   - a. To correlate Cisco Secure Endpoint logs with Cisco ISE logs
   - b. To correlate Cisco Secure Endpoint logs with Cisco FMC logs
   - c. To correlate Cisco Secure Endpoint logs with Cisco Secure Workload logs
   - d. To flag or block suspicious network activity
5. You are investigating a potential threat outbreak in your organization. Which of the following can be used to see what endpoints have seen a potential malware file?
   - a. Outbreak groups
   - b. Outbreak filters
   - c. Device trajectory
   - d. File trajectory