Cisco AMP - Migrating from Pilot to Production

This article is for administrators who participated in the AMP pilot, which ultimately included over 7,000 active machines across more than 30 departments. Now the time has come to shift from piloting the tool to using it in production. Follow the steps in this article to complete the migration.

Recommendations for use of Cisco Advanced Malware Protection (AMP) in production.

  1. Install AMP on all compatible endpoints in your environment.
      If there are any remaining endpoints in your environment that can run AMP but do not yet have it, it is time to install AMP on them. This gives you full visibility into the health of your environment and extends protection to all of your AMP-compatible endpoints. For departments using BigFix/TEM for deployment, there are fixlet templates in the Shared_Fixlets group to assist with this effort: one to install AMP and another to uninstall Symantec Endpoint Protection.

  2. Move endpoints from Audit mode to Protect mode.
      If your endpoints are still in an Audit mode group, you will need to move them to Protect mode. You can do this by migrating endpoints from the Audit group to the Protect group for your department. Instructions on how to migrate endpoints from one group to another can be found here.

  3. Update AMP connectors, and continue to do so twice yearly.
      Please follow the instructions here to update AMP connectors. Cybersecurity recommends upgrading via the console, as it is a simple and efficient option. We ask that you update AMP connectors twice yearly so that endpoints run a currently supported connector and have up-to-date connector features.

  4. Review alerts and events regularly in the console.
      AMP works best when paired with consistent review and analysis by console administrators. As such, we recommend that console admins perform regular event review and analysis in the console. You can learn more about AMP event analysis here, and about AMP reporting and alerting here.

  5. Enable Two-Factor Authentication - Now Duo-Compatible!
      Due to the sensitive nature of the information displayed in the console, we ask that you follow the steps here to enable two-factor authentication if you have not already. If you have already enabled two-factor authentication and no longer want to use the Google Authenticator app, you can switch to Duo by following the directions here (the same directions as linked above).

  6. Turn on traditional AV scanning (Optional).
      AMP connectors, aside from monitoring files and processes in motion, also have traditional anti-virus scanning capabilities that can be enabled. While Cisco maintains that AMP replaces the need for a traditional AV tool, in some environments, particularly those in which traditional AV scans are required, enabling AV scanning is necessary. Follow the steps shown here to enable AV via policy settings.



Keywords: recommended AMP configuration prod
Doc ID: 93717
Owner: Oakes D.
Group: Office of Cybersecurity
Created: 2019-08-09 08:42 CST
Updated: 2019-08-16 07:45 CST
Sites: DoIT Help Desk, Office of Cybersecurity