Category Archives: threat hunting

Why Endpoint Security Matters in Protecting Remote Workers – Part 1

As customers secure their remote workers, they tell us they are getting better visibility, better efficacy and getting time back!

Enabling your workforce to work securely on any endpoint, anywhere, at any time is more important now than ever before. Cisco has therefore introduced the Cisco Secure Remote Worker solution, which unifies user and endpoint protection at scale and makes it easy to verify users, enable secure access and defend remote workers at any time, from anywhere. Cisco AMP for Endpoints is a key component of this solution and plays a critical role in it.

To describe that role, we recently conducted an endpoint survey to get our customers’ thoughts on the value that AMP for Endpoints brings to their business, and therefore to the Secure Remote Worker solution. This first post of a four-part series summarizes the top three business values our customers highlighted. The next three posts will look at each of these values in depth and show why they are so effective.

Now let’s look at the top three business values from the endpoint survey. Each is described in terms of the customer challenge, why it matters to customers, and how AMP for Endpoints helps.

Business Value #1: Better visibility into endpoints

Customer challenge:  My endpoints are under constant attack through phishing attempts, advanced persistent threats (APTs) and exploits. I want to arm my team with actionable insights.

Why it’s important: If you can’t see what is on your endpoints, you don’t know what malware is present or what type it is. Without that visibility, your team spends an inordinate amount of time trying to eradicate threats while the attacker is free to move laterally.

How Cisco helps: AMP for Endpoints, as part of the Cisco SecureX platform, provides seamless integration with other security technologies, backed by Talos threat intelligence, to help you block, detect, investigate, and respond to threats across your entire environment – not just at your endpoints.

Business Value #2: Better efficacy

Customer challenge:  I want tools refined enough and accurate enough so I can understand what malware may be on my endpoints so my team can take the appropriate action.

Why it’s important: I don’t want my team wasting time on false positives and I want to see accurate clear threat intelligence so my team can determine what the priority level is and what steps to take and feel confident about it. And clearly the process needs to be in sync with best practices such as the MITRE ATT&CK framework.

How Cisco helps: Block known threats automatically using machine learning, exploit prevention, file reputation, antivirus and a wide array of other prevention techniques that stop both fileless and file-based attacks. As evidence, Cisco AMP for Endpoints earned high marks in malware protection tests while achieving the lowest false-positive rate in the first AV-Comparatives Business Main Test Series of 2020. You can count on AMP for Endpoints delivering consistent security efficacy and superior protection from advanced threats.

Business Value #3: Get time back

Customer challenge: I want my team to spend less time on each incident in their everyday workflows so they can do more with less effort.

Why it’s important: Better tools that complement my security infrastructure and actively leverage automation enable my team to maximize our security investments and respond faster to threats on my endpoints, instead of spending time on manual, error-prone tasks.

How Cisco helps: AMP for Endpoints, and the platform beneath it, increase the efficiency and precision of your existing resources through automation. By connecting your security infrastructure you multiply your threat hunting capability and get more value from the investments you already have. The result is the ability to orchestrate and automate threat response more quickly, which gives your team time back for more strategic work.

For the next entry in this series

In the next post of this series we will dive into the first of the three business values described above and show how our customers are getting the results they need.

In the meantime, please visit the TechValidate survey to see examples of our customers’ challenges and, in their own words, how they achieved their business goals with Cisco AMP for Endpoints as part of the Cisco SecureX platform.

The post Why Endpoint Security Matters in Protecting Remote Workers – Part 1 appeared first on Cisco Blogs.

What hinders successful threat hunting?

As more organizations implement successful threat hunting operations, a SANS Institute survey finds that they are facing common challenges with employing skilled staff and collecting quality threat intelligence. “Without a sufficient number of skilled staff, high-quality intelligence, and the right tools to get visibility into the infrastructure, success with threat hunting will remain limited,” says survey author Mathias Fuchs. “A world where we’ll see a unified, widely accepted golden standard of threat hunting remains in …

The post What hinders successful threat hunting? appeared first on Help Net Security.

Endpoint Security from Cisco Earns High Marks in Independent Malware Protection Test

We are very pleased to share the news that Cisco Advanced Malware Protection (AMP) for Endpoints earned high marks in malware protection tests, while achieving the lowest false alarms in the first AV Comparatives Business Main Test Series for 2020. This achievement demonstrates our steadfast commitment to delivering consistent security efficacy, enabling our customers to get superior protection from advanced threats.

The test series includes two tests, the Malware Protection Test and the Business Real-World Protection Test. Cisco consistently showed a balance of high protection rates with very low false-alarm rates across both. Here’s how.

The Malware Protection Test

The Malware Protection Test assesses a security product’s ability to protect a system against infection by malicious files before, during or after execution. We did very well, achieving a 100% protection rate with zero false positives and outperforming CrowdStrike, Sophos, Fortinet, Kaspersky, Cybereason and FireEye, among others. The test ran in March and used 1,192 recent malware samples. A passing score required a detection rate of 90% or higher.

The Real-World Protection Test

The Real-World Protection Test examines how well a product protects the endpoint under realistic conditions, using every protection capability at its disposal. We came in with a 99.3% real-world protection rate. Products were also tested for false-positive (FP) alarms on non-business applications to measure their ability to distinguish good from bad. Cisco ranked in the lowest false-positive group with a “Very Low” FP rate, performing better than CrowdStrike, VMware Carbon Black, Microsoft, FireEye, Cybereason and Panda. Vendors in the “Very High” FP group logged 101-150 false positives.

To sum up, AMP for Endpoints achieved test results that demonstrated a balance of strong protection rates with very low false positives. In the end, our customers benefit the most from our solution’s top-rated accuracy, reliability and consistency in protecting their endpoints from malware and other threats.

Beyond Testing: What Our Customers Are Saying

We believe it’s important to put our technology to the test, and we feel the results speak to how our solution helps our customers protect their organizations. But real-world feedback from customers who use our endpoint security solution is just as critical. Below are examples of what customers say about how Cisco AMP for Endpoints has protected them against two of the most dangerous threats to their environment: fileless malware and ransomware.

Fileless malware runs in memory rather than writing a payload to disk, so there is no file for hash- or signature-based scanning to match, which makes these attacks harder to detect and prevent than traditional malware. Fileless attacks target everyday applications and get onto endpoints by exploiting vulnerabilities in application software and operating system processes.

[TechValidate customer quote]

To defend against threats that target vulnerabilities in applications and operating system processes, Cisco AMP for Endpoints uses its exploit prevention engine, which monitors the memory structures of protected processes before an attack even begins. Exploit prevention is a preventive engine that requires no policy tuning, prior knowledge or rules to operate. When it stops an attack, it terminates the affected application and logs contextual data in the AMP for Endpoints device trajectory, so you can see exactly where and how the malware entered the device.

Ransomware is malicious software that typically encrypts the files on a victim’s computer and then demands payment before the data is decrypted and access is returned to the victim. Ransomware is usually delivered as a malicious payload disguised as a legitimate file, often an email attachment that tricks the user into downloading or opening it.

Cisco AMP for Endpoints defends endpoints by monitoring the system and identifying processes that exhibit malicious behavior when they execute. Observing process behavior at run time lets us determine whether a system is under attack by a new variant of ransomware or malware that has eluded other detection technology, such as legacy signature-based malware detection, and stop it from running. As a result, we can quickly identify, block and quarantine ransomware attacks on the endpoint.

[TechValidate customer quote]

Beyond fileless malware and ransomware defense, Cisco AMP for Endpoints provides multiple protection capabilities that work together to protect the endpoint from advanced threats in memory (e.g. exploit prevention), on disk (e.g. next-gen AV) and post-infection (e.g. Indicators of Compromise, IOCs).

We also know that endpoint protection is only as good as the intelligence it acts on. That’s why we employ machine learning and multiple protection engines fueled by Cisco Talos, the largest non-governmental threat intelligence organization on the planet. We discover more vulnerabilities than other vendors and push out protection before the bad guys can exploit them, giving you an advantage. And because we’re Cisco, Talos sees more network traffic than any other vendor. Whether a threat originates on the Internet, in an email, or on someone else’s network, our cloud-based global telemetry sees a threat once, anywhere in the world, and blocks it everywhere, across AMP for Endpoints and our entire security platform.

What’s Next?

AV-Comparatives’ testing is continuing through the rest of the year and we are looking forward to their ensuing reports.

In the meantime, experience threat hunting with AMP for Endpoints for yourself at one of our Threat Hunting Workshops or sign up for a free trial of AMP for Endpoints and take it for a test run.

The post Endpoint Security from Cisco Earns High Marks in Independent Malware Protection Test appeared first on Cisco Blogs.

Cisco Threat Response takes the leap with SecureX

Reimagine the grocery delivery experience

Even in typical times, grocery and household shopping is time consuming, especially if you need to visit multiple stores: a main supermarket for your basics, a specialty store to accommodate diet restrictions, and another for bulk items. In a fast-paced world, with time spent working, family caregiving and other responsibilities, grocery shopping is a tedious but necessary chore…or is it? The evolution of acquiring groceries and household goods has been one to watch as grocery delivery services such as Instacart and Shipt become increasingly relevant. These companies have each built a platform with a network of grocery providers to solve the problem: a simple and efficient way for customers to purchase groceries without having to leave their homes.

Now let’s take grocery shopping to the next level. What if you didn’t even need to browse items and add them to your Instacart order? Imagine if your “smart” refrigerator had sensors to detect inventory levels and connected to Instacart, your recipes and your meal planning apps. Groceries could be ordered automatically or on demand based on the menu you’ve planned and what you actually need: one platform with all of your apps integrated and automated to simplify not only your grocery shopping but your entire cooking experience. This and many other platform experiences have been developing over the last several years to bring two (or more) sides of a connection together with more efficiency and more use cases.

What does grocery shopping have in common with cybersecurity?

The cybersecurity industry is ripe for this type of innovation. We all know that the industry has historically been quite fragmented: at last count, an estimated 3000+ vendors are in this space and customers use, on average, 75 security tools[1]. What does that mean for your security teams? Multiple tools share little context between them, leaving workflows incomplete and labor-intensive. Going back to the grocery experience, this is akin to visiting seven different stores in one day to tackle a shopping list for each store, and hoping you don’t miss an item. Also consider the high lifecycle costs of maintaining interoperability, which is often limited. Against an ever-evolving threat landscape and attack surface, this trend is not sustainable.

A platform journey two years in the making

Nearly two years ago, Cisco Threat Response debuted to combat this problem for Security Operations teams. As a valuable add-on application to several Cisco Security products — at no additional cost – Threat Response accelerated investigations and remediation by aggregating and correlating intelligence and data across your security products, both Cisco and third party. Threat Response has helped nearly 9,000 customers simplify their security operations. As Don Bryant, CISO for The University of North Carolina at Pembroke, says, “Having a holistic security platform has helped us simplify and accelerate our security operations. All of our tools seamlessly integrated through Threat Response gives us one view into our layered protection and valuable time back.”

Figure 1: Cisco Threat Response application for threat investigation and remediation

As background, Threat Response gives a visual, real-time answer to whether, and how, threats have affected your environment, so you can take first-strike response actions in the same interface. Security operations teams use Threat Response to:

  • Aggregate global threat intelligence: Search, consume, and operationalize threat intelligence, both public and private sources, with one application.
  • Accelerate threat hunting and investigations: Visualize threats and incidents across multiple technologies in one view, then take response actions without leaving the console.
  • Simplify incident management: Coordinate security incident handling across technologies and teams by centralizing and correlating alerts and triaging those that are high priority.

Now we’re continuing our mission of simplifying security and building on Threat Response core capabilities with SecureX, a built-in platform experience included with Cisco Security products. SecureX will make life even easier for Security Operations, and will also benefit Network Operations and IT Operations. Let’s talk about this evolution.

Is SecureX just a cool new name for Threat Response?

Since we announced SecureX at RSA Conference in February, you might be wondering, what’s the difference between Threat Response and SecureX? Are they one and the same – and SecureX is just a sleek rebranding?

The short answer is no. If Threat Response is like the Instacart of today, SecureX is the reimagined seamless grocery shopping experience we’ve envisioned above. Whether it’s the grocery or cybersecurity industry, the goal is always simplification. SecureX builds upon Threat Response’s core concepts of integrating your security products – both Cisco and third-party tools – to simplify security operations. Leveraging the success of Threat Response with Security Operations teams, SecureX takes this foundation to the next level to drive collaboration between SecOps, NetOps, and ITOps. SecureX simplifies security through:

  • Unifying visibility across your entire security environment.
  • Enabling automation in workflows to maximize your operational efficiency by eliminating repetitive tasks and human error.
  • Adding more out-of-box interoperability to unlock new potential from your Cisco Security investments and cascade them across your existing security infrastructure.

Figure 2: SecureX connects your entire security infrastructure

Enhanced Threat Response capabilities, now part of SecureX

Now as a key component of SecureX, Threat Response is enhanced to unlock even more value from your investments. Here’s how:

  • You already know that Threat Response aggregates and correlates security context from multiple technologies into a single view, but now as SecureX threat response, users will have a customizable dashboard with ROI metrics and operational measures. And when you leave the dashboard, SecureX follows you to maintain contextual awareness and improve collaboration wherever you are in your Cisco Security infrastructure.
  • Users will now be able to cut down investigation time even further by automating threat hunting and investigation workflows. With the orchestration feature in SecureX, users can set up event-based triggers to periodically hunt for indicators of compromise, create or add to a casebook, and post a summary in a chat room for collaboration.
  • Threat Response had been rapidly growing its partner ecosystem, and SecureX not only expands the ecosystem instantly upon commercial availability but extends past it to include your core infrastructure. Together, our out-of-box interoperability with built-in and pre-packaged integrations from Cisco or select technology partners reduces the time spent integrating multiple technologies, or worse, working across multiple consoles. We’ll continue to support custom integrations via APIs, so any of the features of SecureX will work with your existing investments.

Similar to the reimagined grocery experience, SecureX brings greater efficiency and simplification in the midst of major market forces. The enhanced visibility, automation and integrated platform capabilities of SecureX threat response reduce dwell time and mean time to respond (MTTR) by accelerating investigations for SecOps. Without swiveling between consoles or doing the heavy lifting of integrating disjointed technologies, you speed time to value and reduce TCO. SecureX will enable better collaboration across SecOps, NetOps and ITOps, and ultimately simplify your threat response.

To get warmed up for SecureX access next month, activate Cisco Threat Response today!

[1] Momentum Cyber Cybersecurity Almanac 2019

The post Cisco Threat Response takes the leap with SecureX appeared first on Cisco Blogs.

Getting more value from your endpoint security tool #2: Querying Tips for security and IT operations

As far back as I can remember, I have had a fascination with power tools. My father was an auto mechanic and he had a toolbox filled with both hand tools and power tools. As a youngster, I watched him wield them with confidence, knowing exactly which tool to use for the task at hand. I recall thinking “real, professional mechanics use compressed air powered tools”. As I mentioned in my last blog, he always took the time to teach me how to handle them and I realized that power tools offered efficiencies and saved tremendous amounts of manual labor. The adage holds about “working smarter, not harder”. Using a power tool, “Pops” was able to complete tasks quickly and without breaking a sweat.

The same holds true with cybersecurity tools today. With so many tools in our toolboxes and so many threats to combat, we need to drive for efficiencies – reducing the manual labor required to accomplish the goal of securing environments.

Orbital Advanced Search, a feature of Cisco AMP for Endpoints Advantage, is our power tool for threat hunting. It lets you search your endpoints for malicious artifacts such as suspicious registry and system file changes. Orbital’s Catalog has an entire section dedicated to threat hunting, mapped to the MITRE ATT&CK™ framework, with descriptions of live and on-demand, easy-to-run queries that get you the information you need, fast.

Whether you plug your tools into air compressors or electrical outlets to be efficient, let the machine do the work, and be safe.

Let’s start with one threat hunting Catalog query that you can run daily.

YOU WANT TO: Check whether any Windows event logs have been cleared by a suspect user account.

Orbital Catalog query to run: Windows Event Monitoring. It retrieves records from the Windows Event Logs, including the time the event was received, the time it occurred on the host, the log it came from (Application, Security, System, Setup and others) and more.

WHY IS THIS IMPORTANT: Windows Event Logs give great insight into actions taken on a host during a breach, but finding the relevant entries is hard unless you know what to look for. The Windows Event Monitoring search in Orbital Advanced Search is preconfigured to pull back events relevant to threat hunting and can be customized with additional Event IDs to push your hunt further. Log clearing is itself recorded: clearing the Security log writes Event ID 1102 to the Security log, and clearing any other log (Application, System, Setup) writes Event ID 104 to the System log, and both records name the account that did it. Queries such as these let organizations work in a more productive, more efficient way.


  1. Select the endpoints you wish to query
  2. Search the Catalog for “Windows Event Monitoring”
  3. Click the “+” to copy into your SQL query window
  4. Close the Query Catalog Window
  5. Click the Query button

QUERY RESULT: Each log-cleared event carries an Account Name and a Domain Name identifying who performed the action. If a log was cleared by an account you would not expect to do so, you may have a problem and should continue the investigation. Bear in mind that clearing a log only removes what is stored locally on the host, so forwarding event logs to a central collector preserves the evidence even when the local copy is gone.
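As an added example of what to do with the rows that come back (this is not Cisco or Orbital code): the Python below takes records shaped like the osquery windows_events table that Orbital queries, keeps only the log-cleared events (Security Event ID 1102 and System Event ID 104) and flags any whose subject account is not on an allow-list. The column names, the nesting of the JSON data payload, the sample rows and the svc-logrotate service account are all assumptions constructed for this example.

```python
"""Triage Windows log-cleared events by the account that cleared them.

Added example, not Cisco or Orbital code. Rows imitate the osquery
`windows_events` table that Orbital queries; the column names and the
JSON nesting of the `data` column are assumptions for this example.
"""
import json
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Illustrative osquery-style query (assumed; not Orbital's catalog query).
# Clearing the Security log records Event ID 1102 in the Security log;
# clearing any other log records Event ID 104 in the System log.
CLEARED_LOG_QUERY = """
SELECT computer_name, datetime, source, provider_name, eventid, data
FROM windows_events
WHERE (source = 'Security' AND eventid = 1102)
   OR (source = 'System'   AND eventid = 104);
"""

CLEAR_EVENTS = {("Security", 1102), ("System", 104)}

# (domain, user) pairs allowed to clear logs, e.g. a log-rotation service.
# Constructed for this example.
EXPECTED_CLEARERS: Set[Tuple[str, str]] = {("CORP", "svc-logrotate")}


def _find(obj, key: str) -> Optional[str]:
    """Depth-first search for `key` in nested dicts; the payload nesting
    differs between 1102 (under LogFileCleared) and 104 (top level)."""
    if isinstance(obj, dict):
        if key in obj:
            return obj[key]
        for value in obj.values():
            found = _find(value, key)
            if found is not None:
                return found
    return None


def subject_of(data: str) -> Tuple[str, str]:
    """Return (domain, user) that performed the clear, from the JSON payload."""
    payload = json.loads(data)
    return (_find(payload, "SubjectDomainName") or "",
            _find(payload, "SubjectUserName") or "")


def cleared_log_name(eventid: int, data: str) -> str:
    """1102 always means the Security log; 104 names the cleared log in Channel."""
    if eventid == 1102:
        return "Security"
    return _find(json.loads(data), "Channel") or "unknown"


def triage(rows: Iterable[Dict[str, str]],
           expected: Set[Tuple[str, str]] = EXPECTED_CLEARERS) -> List[Dict[str, object]]:
    """Keep only log-cleared events whose subject account is not on the allow-list."""
    findings: List[Dict[str, object]] = []
    for row in rows:
        eventid = int(row["eventid"])
        if (row["source"], eventid) not in CLEAR_EVENTS:
            continue  # not a log-cleared record (e.g. a 4624 logon)
        domain, user = subject_of(row["data"])
        if (domain, user) in expected:
            continue  # sanctioned clear, e.g. scheduled rotation
        findings.append({
            "host": row.get("computer_name", "unknown"),
            "when": row["datetime"],
            "log": cleared_log_name(eventid, row["data"]),
            "user": "{}\\{}".format(domain, user),
            "eventid": eventid,
        })
    return findings


# Constructed sample rows: one suspicious Security-log clear by an ordinary
# user, one expected Application-log clear by the rotation service, and one
# unrelated logon event that must be ignored.
SAMPLE_ROWS = [
    {"computer_name": "ws-042", "datetime": "2020-05-04T09:12:31Z", "source": "Security",
     "provider_name": "Microsoft-Windows-Eventlog", "eventid": "1102",
     "data": json.dumps({"UserData": {"LogFileCleared": {
         "SubjectUserSid": "S-1-5-21-1000", "SubjectUserName": "jdoe",
         "SubjectDomainName": "CORP", "SubjectLogonId": "0x3e7"}}})},
    {"computer_name": "srv-db1", "datetime": "2020-05-04T02:00:05Z", "source": "System",
     "provider_name": "Microsoft-Windows-Eventlog", "eventid": "104",
     "data": json.dumps({"SubjectUserName": "svc-logrotate", "SubjectDomainName": "CORP",
                         "Channel": "Application", "BackupPath": ""})},
    {"computer_name": "ws-017", "datetime": "2020-05-04T08:55:10Z", "source": "Security",
     "provider_name": "Microsoft-Windows-Security-Auditing", "eventid": "4624",
     "data": json.dumps({"TargetUserName": "asmith", "TargetDomainName": "CORP"})},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_ROWS):
        print("{host} {when}: {user} cleared the {log} log (Event ID {eventid})".format(**finding))
```

Run it over an export of the Orbital results; anything it returns is an account that cleared a log and is not on your allow-list, which is exactly the case the query result above says to keep investigating. Tune EXPECTED_CLEARERS to the accounts that legitimately rotate logs in your environment rather than leaving it empty, or every scheduled rotation becomes a finding.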

FREQUENCY TO RUN: Daily for specific groups of systems

That’s it! It’s easy to get started on your first threat hunt using Cisco’s Orbital Advanced Search. The Orbital Catalog has dozens of pre-built threat hunting queries to streamline your endpoint threat hunting, from checking whether malware has disabled Task Manager to listing the listening ports on a host.

If you don’t already have Cisco AMP for Endpoints and are interested in trying Orbital Advanced Search, sign up for our virtual Threat Hunting Workshop, or request a free trial.

Stay tuned: our next post discusses incident investigation and how you can use Orbital Advanced Search to establish a timeline, determine which programs are installed on a host, find out whether and what kinds of failed logins occurred, and, lastly, assess the damage.

The post Getting more value from your endpoint security tool #2: Querying Tips for security and IT operations appeared first on Cisco Blogs.