Cisco Secure Endpoint (AMP) - An Introduction to Cisco Secure Endpoint (AMP)

This document is intended to provide general information about the Cisco Secure Endpoint (AMP) Console & Endpoint Applications offered by UW-Madison Office of Cybersecurity.
Summary

Cisco Secure Endpoint (AMP) is an advanced endpoint protection software which is supported and monitored by a central console. Secure Endpoint (AMP) is an application that monitors the machine on which it is installed, searching for suspicious activity. Endpoints with Secure Endpoint (AMP) clients installed report back to a central console, where IT administrators can view events, set up alerts, and get an overview of the volume of suspicious activity occurring on their network. Finally, Secure Endpoint (AMP) also provides traditional anti-virus scanning through Tetra (Windows) and ClamAV (Mac & Linux), which can be enabled via policy settings within the console.

Useful AMP Resources

Requesting access to the Secure Endpoint (AMP) Console
Performing event analysis using the Secure Endpoint (AMP) Console
Creating exclusions and greenlisting files
Secure Endpoint (AMP) User Guide
Responding to Suspicious or Malicious Events
Additional Secure Endpoint (AMP) documentation



  •  About the Tool

      Cisco Secure Endpoint (AMP) is an application that can be installed on a host to provide real-time event and file monitoring. Secure Endpoint (AMP) can simply alert the endpoint user about suspicious activity, or it can automatically act to block that activity and quarantine potentially malicious files. Information about actions taken or suspicious events is sent back to the central Cisco Secure Endpoint (AMP) console. Groups are configured within the Secure Endpoint (AMP) console so that distributed IT administrators have autonomy and control over their environment. The role that Secure Endpoint (AMP) plays (Auditing or Protecting) is based on configurations set in the console.

      Below is a screenshot from the Cisco Secure Endpoint (AMP) Dashboard in the Secure Endpoint (AMP) console. The dashboard is a great tool for an administrator to gain a quick picture of the health of their environment. The timelines beneath the Compromise & Quarantined Detections section show the number of compromises and quarantined files over a one-month period. The other sections of the dashboard show more specific information when the mouse is hovered over them.
      [Screenshot: Cisco Secure Endpoint (AMP) Dashboard]

      Below is a screenshot from the Dashboard -> Events subtab in the Secure Endpoint (AMP) console for an event that occurred on Cybersecurity's test network. The event information shows the Name of the machine (Win7TestLaw2), the Type of file detected (Win.Trojan.EICAR-Test-File), the File Path of the file, the File Size, and the Parent File that brought the file onto the system (Chrome.exe).
      [Screenshot: Dashboard -> Events subtab showing an EICAR test file detection]

      Cisco Secure Endpoint (AMP) Features:
      • Customizable endpoint protection: Secure Endpoint (AMP) can be configured to run in audit mode, protect mode, or a mix of both depending on the type of event.
      • Can be installed on many host types: laptop, desktop, server, virtual machine.
      • Real-time data: extracts and consolidates endpoint event data, and checks in with the console to report events as they occur.
      • Easy installation: can be automated.
      • Built-in antivirus scanner: the Secure Endpoint (AMP) application comes with a built-in anti-virus scanner (Tetra & ClamAV) that can be activated & deactivated from within the console, which allows for offline endpoint scanning.

      Advantages of using Cisco Secure Endpoint (AMP):
      • Secure Endpoint (AMP) is a powerful tool for both the end user and the IT administrator, as both can see events as they occur.
      • Quick event reporting and notifications allow IT administrators to address a malicious event quickly, before further damage can occur.
      • When in Protect mode, AMP can immediately stop malicious activity in its tracks.
      • Trusted applications that AMP flags as suspicious can easily be greenlisted.

      Event Types Monitored:
      • Threats (rootkits, malicious activity, suspicious system activity, etc.)
      • Indications of compromise (multiple infected files, dropper infection, suspicious download, ransomware, Cloud IOCs, etc.)
      • Quarantine status
      • Endpoint status
      • Miscellaneous events (vulnerable application detected, application installed, application uninstalled)


  •  Secure Endpoint (AMP) FAQ

    • What does the Secure Endpoint (AMP) Endpoint Connector (client) do exactly?
      The Endpoint Connector sits on the endpoint, monitoring for and potentially blocking malicious/suspicious activity. If the machine is connected to the internet, the connector will send event information to the console for easy management.

    • How quickly does the console receive event information from endpoints?
      So long as the machine is connected to the internet, the endpoint connector will send information to the console as events occur. This means that the console is aware of events within minutes of their occurrence.

    • How do I stay up to date on events occurring in my environment?
      You can configure the console to send alerts and reports to your email in real time, or on an aggregated hourly/daily/weekly basis. Additionally, you can log in to the console to monitor events on your environment. See the following KB article to learn about setting up alerts and reports: https://kb.wisc.edu/internal/page.php?id=89843

    • How can I get set up on the console?
      If your IT group already has access to the AMP console and you're looking for account access for yourself, use the following KB to request access to the console: https://kb.wisc.edu/internal/page.php?id=89544

      If you are the first person in your IT group to request access to the console, you will need to follow the steps in this KB to get a new group and account provisioned in AMP: https://kb.wisc.edu/internal/page.php?id=89564

    • What Operating Systems are supported by Secure Endpoint (AMP) Endpoint Connector?

    • How often should I update Secure Endpoint (AMP) endpoint clients?
      It is recommended to regularly check for AMP Connector updates (perhaps on a monthly basis) to ensure that Secure Endpoint (AMP) is functioning as it should. Secure Endpoint (AMP) connectors can be updated through the Secure Endpoint (AMP) console, which is often the most convenient method of updating. For instructions on how to update the Secure Endpoint (AMP) endpoint connectors see the KB article Updating Endpoint Clients.

    • It's too good to be true. Are there any disadvantages of doing this?
      Secure Endpoint (AMP) is a very powerful tool, but it needs to be configured correctly. For instance, Secure Endpoint (AMP) does not mix well with other endpoint protection software or anti-virus software unless these applications are greenlisted from within the console. Occasionally, Secure Endpoint (AMP) can flag benign files as suspicious, but this can be easily remedied by adding file exclusions through the console.

    • What if I'm not sure whether an event flagged by Cisco Secure Endpoint (AMP) is malicious?
      Cisco Secure Endpoint (AMP) offers a variety of methods for investigating files and events. See the KB article here for more information on investigating an event: https://kb.wisc.edu/internal/page.php?id=90059

    • What can I do once I confirm an event was malicious?
      If the Cisco Secure Endpoint (AMP) Endpoint Connector is set to Protect mode, it will generally have already killed the malicious process or quarantined the suspicious file. If the Endpoint Connector is set to Audit mode, you will have to follow up on the suspicious activity on the endpoint yourself. However, even if you have Protect mode on, it is still generally a good idea to follow up on suspicious activity, as one malware infection can often lead to others.

    • Hey! I'm certain this file or event flagged by Secure Endpoint (AMP) is a false positive!
      When this occurs, the best way to address this issue is to add the file to the exclusion list or the application to the greenlist. See instructions on how to do so here: https://kb.wisc.edu/internal/page.php?id=89648

    • My endpoints are already running an anti-virus application. Should I use Secure Endpoint (AMP) along with it or as a replacement for it?
      Secure Endpoint (AMP) can work quite well when used in tandem with another anti-virus application. In most cases we would recommend using both AMP and additional anti-virus software if you already have other AV software installed on your endpoints. However, if the proper exclusions are not configured in Secure Endpoint (AMP), it is not uncommon for Secure Endpoint (AMP) to identify anti-virus activity as malicious activity. As such, it is important to make sure that the anti-virus executable and file folders are listed as exclusions (items not to take action on or monitor) in the Secure Endpoint (AMP) console.

    • What is the usage footprint of AMP on the endpoint? Will it bog the endpoint down?
      For most machines, AMP has a minimal footprint and should not typically slow the endpoint down. However, if the endpoint is a server or processes a lot of data on a regular basis, it will be necessary to configure file path exclusions for high-volume file paths to keep the AMP resource footprint low.

    • Who manages the Cisco Secure Endpoint (AMP) console, me or DoIT?
      As an IT administrator, you generally have control over the policies, exclusions, and greenlists for your department. You can request access to the console and request that DoIT create a console group for your endpoints. At this time DoIT does not mandate any particular Secure Endpoint (AMP) configurations, so you will generally have full autonomy as the Secure Endpoint (AMP) administrator for your managed area.

      To request the creation of a new group in the Secure Endpoint (AMP) console: https://kb.wisc.edu/internal/page.php?id=89564

      To request access to the console: https://kb.wisc.edu/internal/page.php?id=89544

    • Where can I get more information?
      See the KB articles found here for more information: https://kb.wisc.edu/search.php?q=cisco+amp

      If you have additional questions, please contact cybersecurity@cio.wisc.edu.