Cisco AMP Protects Your Network Before, During and After an Attack
Most people think of a malware scan as something that happens at a predetermined time, or when files enter the network. For example, antimalware software is often set to run once a day on a particular device. An antimalware system might also scan attachments in incoming email or websites that a user is attempting to visit.
Point-in-time malware scans are a critical component of cybersecurity, but they may not be able to detect these types of attacks:
- Stealth malware evades antimalware systems by hiding in memory, copying itself to an undetectable area or encrypting the infected file. Increasingly, hackers are using steganography, which hides malicious code in image, video or sound files.
- File-less malware uses malicious scripts that are stored in memory or the system registry and disappear without a trace when the system is rebooted. There are no files or other artifacts for traditional signature-based antimalware systems to detect.
- Advanced persistent threats (APTs) not only infiltrate a network but try to stay there undetected for as long as possible. To do so, the attacker must use sophisticated evasion techniques and continuously modify code.
By continuously monitoring systems for signs of malicious activity, organizations can detect these kinds of threats faster and minimize the potential damage. That’s why Cisco Advanced Malware Protection (AMP) uses a three-pronged approach to reduce the risk of a security breach.
Advanced Malware Prevention
First, Cisco AMP helps to prevent malware from entering the network by blocking it in real time. It uses traditional signature-based techniques to block known malware, fuzzy fingerprinting to create “generic” signatures that can more quickly spot evolving threats, and machine learning heuristics to identify threats based upon their characteristics.
Suspicious files are sent to the Cisco AMP sandbox, an isolated virtual testing environment where unknown files and URLs can be “detonated” and observed for malicious behavior. Sandboxing makes it possible to discover previously unknown, undocumented malware, including zero-day attacks and APTs, and to assess the attack method, the source of the threat and the potential impact of a breach. This enables security teams to prioritize remediation activities.
In addition, Cisco AMP uses the global threat intelligence of Cisco Talos to detect emerging malware. Talos collects data from 600 billion emails and 125 billion web requests every day, along with data acquired from Cisco product telemetry, honeypots, sandboxes and the malware community. Hundreds of full-time researchers use machine learning tools to reverse-engineer malware. When threats are identified, that information is automatically pushed to Cisco AMP.
Detection and Response
Cisco AMP doesn’t stop with malware prevention. It goes beyond initial inspection by continually monitoring the network and systems to detect malicious activity, and analyzing files that have been permitted entry for evidence of possible malware. If a potential threat is detected, security teams are alerted and provided information on the origin of the attack, what device(s) may have been compromised and what the malware is doing.
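The following is an added illustration of the ideas in the two sections above (exact signatures, "generic" fuzzy fingerprints, and retrospective re-evaluation of files that were allowed in); it is example code written for this page, not Cisco AMP's implementation. The byte-shingle Jaccard similarity stands in for a real fuzzy-hashing scheme, the 0.8 threshold is an arbitrary choice, and every sample, host name and family name is constructed.

```python
"""Toy model of prevention at entry time followed by retrospective detection:
exact and 'generic' signature matching when a file arrives, then re-judging
every admitted file once threat intelligence improves. All samples, host
names and family names are constructed for this example."""
import hashlib
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def fuzzy_fingerprint(data: bytes, n: int = 4) -> FrozenSet[bytes]:
    """Set of overlapping n-byte shingles. A variant that changes a few bytes
    keeps most shingles, so it still resembles the original; this is a crude
    stand-in for real fuzzy hashing (e.g. ssdeep), chosen for brevity."""
    return frozenset(data[i:i + n] for i in range(len(data) - n + 1))


def similarity(a: FrozenSet[bytes], b: FrozenSet[bytes]) -> float:
    """Jaccard similarity of two shingle sets: 1.0 means identical."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


@dataclass
class ThreatIntel:
    known_hashes: Set[str]                 # exact signatures
    families: Dict[str, FrozenSet[bytes]]  # "generic" fingerprints per family
    threshold: float = 0.8                 # assumed similarity cut-off

    def classify(self, sha256: str, fp: FrozenSet[bytes]) -> Tuple[str, str]:
        if sha256 in self.known_hashes:
            return "malicious", "exact signature"
        for family, ref in self.families.items():
            if similarity(fp, ref) >= self.threshold:
                return "malicious", "generic signature: " + family
        return "unknown", "no match"


@dataclass
class Sighting:
    sha256: str
    fingerprint: FrozenSet[bytes]
    host: str
    verdict: str
    reason: str


class ContinuousMonitor:
    """Records every file admitted so it can be re-judged later."""

    def __init__(self, intel: ThreatIntel) -> None:
        self.intel = intel
        self.history: List[Sighting] = []

    def inspect_at_entry(self, data: bytes, host: str) -> Tuple[str, str]:
        sha, fp = sha256_hex(data), fuzzy_fingerprint(data)
        verdict, reason = self.intel.classify(sha, fp)
        self.history.append(Sighting(sha, fp, host, verdict, reason))
        return verdict, reason

    def retrospective_alerts(self) -> List[Sighting]:
        """Re-run classification over files that were allowed in; anything
        that now matches becomes an alert that names the affected host."""
        alerts = []
        for s in self.history:
            if s.verdict == "malicious":
                continue
            verdict, reason = self.intel.classify(s.sha256, s.fingerprint)
            if verdict == "malicious":
                s.verdict, s.reason = verdict, reason
                alerts.append(s)
        return alerts


# Constructed samples (plain text, not real malware): a known sample, a
# one-byte variant of it, a benign document, and a file unknown at entry.
KNOWN_DROPPER = b"MACRO: fetch payload from c2.example and execute in memory"
VARIANT = KNOWN_DROPPER.replace(b"c2.", b"c3.")
BENIGN = b"Quarterly sales report: revenue up 3% in Q2, costs flat"
LATER_KNOWN = b"SCRIPT: persist in registry Run key, delete self on reboot"


def demo() -> Dict[str, object]:
    intel = ThreatIntel(
        known_hashes={sha256_hex(KNOWN_DROPPER)},
        families={"dropper-family": fuzzy_fingerprint(KNOWN_DROPPER)},
    )
    mon = ContinuousMonitor(intel)
    results: Dict[str, object] = {
        "known": mon.inspect_at_entry(KNOWN_DROPPER, "host-a"),
        "variant": mon.inspect_at_entry(VARIANT, "host-b"),
        "benign": mon.inspect_at_entry(BENIGN, "host-c"),
        "unknown_at_entry": mon.inspect_at_entry(LATER_KNOWN, "host-d"),
    }
    # A threat-intelligence update arrives after the file was admitted;
    # the retrospective pass turns the earlier "unknown" into an alert.
    intel.known_hashes.add(sha256_hex(LATER_KNOWN))
    results["retro_hosts"] = [a.host for a in mon.retrospective_alerts()]
    results["variant_similarity"] = similarity(
        fuzzy_fingerprint(VARIANT), fuzzy_fingerprint(KNOWN_DROPPER))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of the retrospective pass is that the monitor keeps the hash, fingerprint and host for each admitted file, so a later intelligence update yields not just "this hash is bad" but "host-d received it", which is the scoping information a responder needs.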
This rich contextual information facilitates rapid response by helping security teams investigate the incident. Compromises that would have gone undetected for months can be identified, scoped, contained and remediated in days or even hours. In fact, the Cisco median time to detection is only 4.6 hours compared to an industry average of 100 days.
Traditional antimalware solutions scan files when they enter the network, and provide a point-in-time snapshot of malicious activity. While these tools can detect and block some of the most common forms of malware, sophisticated attacks can evade them. Cisco AMP protects your network before, during and after an attack through continuous monitoring and advanced detection techniques.