Cisco AMP for Endpoints - Simplified!

February 11, 2019

AMP stands for Advanced Malware Protection. The term malware derives from malicious software and is any piece of software that was written with the intent of doing harm to data, devices or people. When you hear talk of viruses, trojans, spyware and the like, what you're really hearing is talk of different kinds of malware.

Cisco provide various AMP products: the network version (AMP for Networks) is integrated into network infrastructure such as firewalls, routers and intrusion prevention systems, while another variant concentrates on improving security for cloud email systems like Outlook within Office 365.

Cisco AMP for Endpoints is of course aimed specifically at ‘endpoints’ – and in this case an ‘endpoint’ refers to any PCs, Macs, Linux and mobile devices that are connected to your network.

Most organisations will have anti-virus protection in place, but AMP for Endpoints goes beyond traditional ‘point-in-time’ detection to provide another level of visibility and control that is needed in these modern times of advanced threats.

It’s vital for security investigations

Files on your endpoints are initially inspected by AMP, just like traditional anti-virus products do - but things don’t stop there. AMP continues to monitor, analyse and record all file activity and behaviour, even if the file doesn’t initially seem to contain any threat. If a file previously deemed “unknown” or “good” then exhibits malicious behaviour, AMP automatically sends an alert and shows you the history of that file’s activity and behaviour so that you can investigate and quickly remediate.

It also gives you the ability to roll back time on attacks and find evidence of what the malware has been doing, addressing fundamental questions such as:

  • Where did the malware come from?
  • What systems were affected?
  • What is the threat doing / What did the threat do?
  • How do we stop it?
  • Can we eliminate the root cause?
  • How do we recover from the attack?
  • How do we prevent it from happening again?

AMP’s easy-to-use browser-based management console helps to answer these questions, allowing security teams to quickly take action.

Investigation that turns the hunted into the hunter

AMP for Endpoints introduces a new level of intelligence, as it gathers information from all of your endpoints over a period of time. It looks for patterns of malicious behaviour that are common across a number of devices, and once it finds something that looks suspicious, it presents that information to you for analysis, allowing you to hunt down and eliminate further attacks.

Dashboards that actually do something

The Cisco AMP for Endpoints console interface provides complete management, deployment, policy configuration, and reporting for Windows systems, Mac systems, Linux systems, mobile devices, and virtual systems. The dashboards show exactly where threats have been, what they did, and the root causes so you can quickly contain and remediate them (see Figure 1 below).

Protect your organisation before, during, and after an attack

Organisations are under attack, and security breaches are happening every day. Hackers are creating advanced malware that can evade even the best signature-based detection tools, like anti-virus and intrusion prevention systems. These tools inspect traffic at the point of entry into your extended network, but they will never detect 100 percent of all the threats trying to infiltrate the organisation. Furthermore, they provide little visibility into the activity of threats after they evade these first-line defences. This leaves IT security teams blind to the scope of a potential compromise and unable to quickly detect and contain malware before it causes damage. Organisations are rendered incapable of stopping an outbreak from spreading or preventing a similar attack from happening again.

Cisco AMP for Endpoints goes beyond point-in-time capabilities and is built to protect organisations before, during and after an attack.

Before an attack, AMP uses Cisco Talos global threat intelligence to strengthen defences. Cisco Talos is the world’s largest and most accurate hub of global threat intelligence. It is staffed by a team of leading threat researchers and supported by advanced analytical technology. Talos gathers information after cyber-attacks, surveys a large swath of the public internet to learn how these threats operate, and thereby develops solutions to prevent them in the future. The scale of this operation cannot be overstated:

  • 1.36 Million Global Sensors
  • 100TB of Data Received Per Day
  • >150 Million Deployed Endpoints
  • >600 Engineers, Technicians, and Researchers
  • 35% of the World’s Email Traffic Surveyed
  • 13 Billion Web Requests
  • 24x7x365 Operations
  • 40 Languages

During an attack, AMP uses that intelligence, known file signatures and dynamic file analysis technology to block malware trying to infiltrate your IT environment.

After an attack, AMP continuously monitors and analyses all file activity, processes and communications. If a file exhibits malicious behaviour, AMP will detect it and provide retrospective alerts, indications of compromise, tracking and analysis, so security teams can quickly respond and resolve issues.

See more than ever before

Today’s malware is more sophisticated than ever. Evolving quickly, it can evade discovery after it has compromised a system while providing a launching pad for a persistent attacker to move throughout an organisation. Here are just some of the ways that malware can hide from view:

Sleep techniques

Some malware designers avoid traditional anti-virus software and catch their victims unaware, or "sleeping", by having their creation sleep for a defined period of time before executing, perhaps waiting to detect mouse movements to ensure that a human is at the wheel.

Polymorphism

Other malware (viruses, trojans, worms or spyware) constantly morphs, evolves or changes appearance to make it difficult for anti-virus programs to detect.

Encryption

Traditional anti-virus gateways are not generally able to scan the contents of files protected by encryption.

Use of unknown network protocols

Sometimes there is a reasonable explanation for suspicious, unknown network traffic: it could be caused by a new and unfamiliar application, but it might also indicate the presence of dangerous command-and-control malware that is trying to avoid detection.

The continuous analysis and retrospective security features of Cisco AMP for Endpoints let you uncover these types of elusive malware.

How did it get here and what systems were affected?

Powerful innovations like ‘file trajectory’ and ‘device trajectory’ (Figure 3) use AMP’s big data analytics and continuous analysis capabilities to show you the systems affected by malware.

These capabilities help you quickly understand the scope of the problem by identifying malware gateways and the path that attackers are using to gain a foothold into other systems.

What did the threat do to our systems?

Cisco AMP for Endpoints File Analysis (Figure 4) is backed by the Talos Security Intelligence and Research Group and powered by AMP Threat Grid’s sandboxing technology. This provides a safe, highly secure sandbox environment for you to upload malware and suspect files to analyse their behaviour. The AMP Threat Grid technology provides over 350 unique behavioural indicators that evaluate the actions of a file submission, providing insight into unknown malware and giving users context-rich, actionable content every day. More than 8 million samples are analysed every month!

File analysis produces detailed information on file behaviour, including the severity of behaviours, the original filename, screenshots of the malware executing, and sample packet captures. Armed with this information, you’ll have a better understanding of what is necessary to contain the outbreak and block future attacks.

Can we prevent it from happening again?

Cisco AMP for Endpoints Outbreak Control gives you a suite of capabilities to effectively stop the spread of malware and malware-related activities, like call-back communications or dropped file execution, without waiting for updates from your security vendor. This gives you the power to move directly from investigation to control with a few mouse clicks, significantly reducing the time a threat has to spread or do more damage and the time it normally takes to put controls in place.

Furthermore, AMP can automatically fix systems without a full scan. The technology continuously cross-references files analysed in the past against the latest threat intelligence and quarantines any files that are now known to be a threat.
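The following Python sketch is an added example, not Cisco's or Ironshare's code, illustrating the mechanism described in the file-trajectory section above and in this section: every file sighting is recorded at arrival, and when the threat-intelligence set changes, every past sighting is re-evaluated, producing a retrospective alert with the file's trajectory (first host, the process that introduced it, all affected hosts) and quarantining the file wherever it landed. The engine class, the hostnames, hashes and paths are all assumptions constructed for the example.

```python
"""Retrospective detection over endpoint file telemetry (added example).

Not Cisco's or Ironshare's code. Every sighting is kept at arrival and
re-evaluated whenever threat intelligence changes, so a file that was
"unknown" when first seen can be alerted on and quarantined later.
All hosts, hashes and paths below are constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Sighting:
    ts: str       # ISO-8601 timestamp (string order is chronological order)
    host: str     # endpoint that observed the file
    sha256: str   # file hash (constructed placeholder values in the sample)
    path: str     # where the file landed on the endpoint
    parent: str   # process that wrote or launched it (traces the entry point)


class RetrospectiveEngine:
    def __init__(self, known_bad: Optional[Set[str]] = None,
                 known_good: Optional[Set[str]] = None):
        self.sightings: List[Sighting] = []
        self.known_bad: Set[str] = set(known_bad or ())
        self.known_good: Set[str] = set(known_good or ())
        self.quarantined: Set[Tuple[str, str]] = set()   # (host, path) pairs

    def record(self, s: Sighting) -> str:
        """Point-in-time inspection at arrival; the sighting is kept regardless."""
        self.sightings.append(s)
        if s.sha256 in self.known_bad:
            self.quarantined.add((s.host, s.path))
            return "malicious"
        return "clean" if s.sha256 in self.known_good else "unknown"

    def file_trajectory(self, sha256: str) -> List[Sighting]:
        """Every sighting of one hash across all hosts, oldest first."""
        return sorted((s for s in self.sightings if s.sha256 == sha256), key=lambda s: s.ts)

    def device_trajectory(self, host: str) -> List[Sighting]:
        """Every file event on one host, oldest first."""
        return sorted((s for s in self.sightings if s.host == host), key=lambda s: s.ts)

    def update_intel(self, new_bad: Set[str]) -> List[Dict]:
        """Apply a threat-intel update and re-check the recorded past.

        Each hash that just became known-bad is looked up in the history; every
        past sighting is quarantined and one retrospective alert is raised per
        hash, carrying the entry point and the full set of affected hosts.
        """
        newly_bad = set(new_bad) - self.known_bad
        self.known_bad |= newly_bad
        alerts: List[Dict] = []
        for sha in sorted(newly_bad):
            trajectory = self.file_trajectory(sha)
            if not trajectory:
                continue   # never seen on any endpoint: nothing to alert on retrospectively
            for s in trajectory:
                self.quarantined.add((s.host, s.path))
            first = trajectory[0]
            alerts.append({
                "sha256": sha,
                "first_seen": first.ts,
                "entry_host": first.host,
                "entry_parent": first.parent,
                "hosts": sorted({s.host for s in trajectory}),
            })
        return alerts


# Constructed telemetry: a dropper arrives by email on ws-01 and writes a DLL,
# then the same dropper is downloaded on ws-02 by a browser; ws-03 sees only a
# known-good file.
SAMPLE_SIGHTINGS = [
    Sighting("2019-02-11T09:00:00", "ws-01", "hash-dropper", r"C:\Users\alice\Downloads\invoice.exe", "outlook.exe"),
    Sighting("2019-02-11T09:05:00", "ws-01", "hash-payload", r"C:\Users\alice\AppData\Local\Temp\svc.dll", "invoice.exe"),
    Sighting("2019-02-11T09:30:00", "ws-02", "hash-dropper", r"C:\Users\bob\Downloads\invoice.exe", "chrome.exe"),
    Sighting("2019-02-11T10:00:00", "ws-03", "hash-notepad", r"C:\Windows\notepad.exe", "explorer.exe"),
]


def run_scenario():
    """Ingest the sample telemetry, then apply an intel update that flags the dropper."""
    engine = RetrospectiveEngine(known_good={"hash-notepad"})
    initial = [engine.record(s) for s in SAMPLE_SIGHTINGS]
    alerts = engine.update_intel({"hash-dropper", "hash-never-seen"})
    return initial, alerts, engine.quarantined, engine


if __name__ == "__main__":
    verdicts, alerts, quarantined, eng = run_scenario()
    print("verdicts at arrival:", verdicts)
    for a in alerts:
        print("retrospective alert:", a)
    print("quarantined:", sorted(quarantined))
    print("ws-01 device trajectory:", [(s.ts, s.path, s.parent) for s in eng.device_trajectory("ws-01")])
```

At arrival every sample file is either "unknown" or "clean", so a point-in-time scanner would have nothing to report. Once the intel update marks the dropper as bad, the engine quarantines it on both hosts and the alert answers the questions listed earlier: it came in via outlook.exe on ws-01 and also reached ws-02. The dropped DLL is still not flagged by hash, which is where the device trajectory of ws-01 earns its keep: it shows svc.dll being written by invoice.exe minutes after the dropper arrived, pointing the analyst at the next file to examine.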

Simple to deploy and lightweight

Cisco AMP for Endpoints protects you against advanced malware and increases security intelligence across all endpoints - PCs, Macs, mobile devices and virtual systems. Its lightweight connector requires less storage, computation and memory than other security solutions and speeds up protection against advanced malware attacks, eliminating the need for traditional anti-virus security layers that can affect performance and put resource constraints on endpoints.

Works for organisations of all shapes and sizes

AMP works well for any organisation and is optimised for larger enterprises. In terms of privacy, all Cisco AMP for Endpoints connectors use metadata for analysis; actual files are not needed and are not sent to the cloud for analysis unless you allow it. For organisations with high privacy requirements, a private cloud option is also available. This single on-premises solution delivers comprehensive advanced malware protection using big data analytics, continuous analysis and security intelligence stored locally on premises.

Where do Ironshare fit in?

Ironshare can help you to get up and running with Cisco AMP for Endpoints within days. We not only provide step-by-step guidance on deployment within your organisation, we can also manage the day-to-day running and reporting, leaving your teams to get on with their usual day job. Our aim is to provide Security, Simplified. That means we can communicate in a non-technical manner (or technical if you prefer) and just give you the information you want.

Step 1 – Simple Pricing

Ironshare are Certified Cisco partners who specialise in security and operate in a completely transparent manner. Unlike other providers we make no secret of our pricing and you can simply click here to get an accurate price estimate. No nonsense – simple!

Step 2 – Simple Deployment

Cisco AMP for Endpoints requires no on-site hardware and can be deployed very easily, providing advanced protection for all of your endpoints. Our technical team would need to speak with your software deployment teams, but rolling out the lightweight connector is straightforward. There might be other factors to consider for wider deployments – but none will be complicated, and even the largest of companies can have this up and running very quickly. We will guide you through the entire process. No hidden costs – simple!

Step 3 – Simple Management

Although AMP for Endpoints has a great management interface, it does take time to get up to speed with the product, so to manage this yourself would require some dedicated resource to first of all learn, and then maintain and get the best out of, AMP for Endpoints. Our team at Ironshare are experienced with the product, and we would talk to you about what you want to achieve; then, after the initial setup, we will deliver a managed service that ensures your IT support or security team are aware of threats from day one. In addition, we’ll provide you with a monthly report that summarises all of the interesting facts and figures, and we’ll also give you recommendations on internal actions you might need to take.

Conclusion

Ironshare are a small, niche security consultancy focused on delivery of fast and efficient solutions to businesses. Our experienced team aim to provide a fully managed service that takes the strain away from your employees and allows you to focus on your core business.

Ironshare – Security, Simplified. If you have any questions – please Contact Us here.


Stuart Hare is a Technologist with a passion for helping people in all aspects of IT & Cyber Security. Stuart is the Founder of Ironshare, an Information and Cyber Security company providing consultancy and managed services.
