Cisco AMP, or Advanced Malware Protection, is Cisco’s answer to the next generation of visibility, control, and protection against advanced threats for today’s internet-connected world. AMP gives you real-time blocking of malware and advanced sandboxing, backed by world-class global threat intelligence, to provide rapid detection, containment and removal of advanced malware.

This post will highlight the features that make AMP’s continuous analysis, monitoring and retrospective security capabilities possible.

Comprehensive global threat intelligence

The Cisco Talos Security Intelligence and Research Group, in conjunction with Threat Grid threat intelligence feeds, provides one of the largest collections of real-time threat intelligence, with extensive visibility, the largest footprint, and the ability to put this collection of intelligence to work across multiple security platforms.

The image below displays a summary of the Talos group’s make-up and threat intelligence functions.

File reputation

Cisco AMP combines the use of advanced file behaviour patterns, along with collective intelligence to determine whether a file is good (safe) or bad (malicious). This allows AMP to perform more accurate detections during file analysis and inspection.

File reputation is based upon a variety of factors determined over a period of time. It supports most file types and identifies each file by its content, so it is not dependent on the file extension to determine the type.

Indications of Compromise (IOCs)

IOCs (also known as Indications or Indicators of Compromise) are pieces of information that can help identify specifics around abnormal or malicious behaviour on a network or system. With AMP, file activity and recorded events are linked together and prioritized as potential active breaches.

AMP automatically captures and links this security event data from multiple sources (such as intrusion and malware events) to help security teams connect the individual events to larger, coordinated attacks and prioritize them as high-risk.

Antivirus Engine

The built-in AV engines perform offline system-based detections, which include scanning for the presence of rootkits, to complement Cisco’s advanced endpoint protection capabilities such as local IOC scanning, and device and network flow monitoring.

If a customer wishes to consolidate both their antivirus and their advanced endpoint protection to run under a single agent, the AV engine can be enabled in policy to achieve this. Two engines exist in the AMP for Endpoints product: the ClamAV engine is available for Linux and Mac-based devices, while the Tetra engine is available for Windows devices.

Static and dynamic malware analysis

A safe and highly secure sandboxing environment helps you execute, analyse, and test both malware and files with unknown reputation or behaviour, in order to discover previously unknown zero-day threats.

Cisco has integrated Threat Grid’s advanced sandboxing, using its static and dynamic malware analysis technology, into their AMP solutions. This integration results in a more comprehensive analysis by performing checks against a large set of more than 1,000 highly accurate behavioural indicators. Threat Grid’s analysis produces very few false positive results (a result which indicates something is bad when it is not), increasing your confidence so you can make fast and accurate decisions.

Retrospective Security

Instead of just analysing network traffic or a file when it first arrives, Cisco AMP uses continuous analysis and retrospective security, even after the initial inspection occurs. We have come to realise over the years that traditional signature-based scanning and blocking methods are not 100% effective, especially against modern-day threats.

Through continuous analysis techniques, AMP monitors and records file activity and network communications to detect whether behaviour changes, and to help identify stealthy or malicious threats. Alerts are sent at the first sign of suspicious activity, i.e. when a file disposition changes after extended analysis (a good file turns bad), giving the security team awareness of and visibility into the malware that evades initial defences.

Because AMP records all activity, it knows where these files or network communications have been seen across your organisation. Using retrospective security, it can then quickly respond and remove or quarantine the malware for all users and endpoints, eliminating the threat.

Prevalence
The Prevalence feature displays all files that have been run in your organization, ordered by a prevalence rating from lowest to highest. This helps you become aware of previously undetected threats that have been seen by a small number of users.

Generally, files that are run by a large number of users (high prevalence) tend to be valid applications, whereas files that are run by only a few users (low prevalence) may be malicious (such as targeted advanced threats) or questionable applications you may not want on your extended network.

Prevalence is another powerful feature of AMP for the detection of advanced threats, with all low prevalence files being automatically sent to Threat Grid for analysis.

File trajectory

This feature continuously tracks a file’s presence throughout your network environment over time, to achieve visibility and reduce the time required to scope a malware breach.

File trajectory maps which endpoints the file has been seen on and how the file has been transferred across the network. It contains the file’s disposition (good, bad or unknown), identifies the first endpoint that saw the threat, and shows whether you have other hosts containing the file that are also at risk. This is a key component of AMP’s retrospective security.

The below image shows the file trajectory from AMP for Networks.
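Retrospective security and file trajectory, together with the prevalence ranking described above, as an added example that is not part of the original post or Cisco’s own code: a constructed sighting log, a prevalence ranking that picks out low-prevalence hashes, and a retrospective lookup that returns every endpoint to quarantine when a hash’s disposition later changes to malicious. The event layout, endpoint names and shortened hash values are assumptions.

```python
from collections import defaultdict

# Constructed sample telemetry in the shape AMP's continuous analysis records:
# each tuple is (time, endpoint, sha256, parent_process, action). The hashes
# are shortened placeholders, not real file hashes.
EVENTS = [
    ("2019-03-01T09:00", "HR-PC-01",  "aaa111", "outlook.exe",  "created"),
    ("2019-03-01T09:01", "HR-PC-01",  "aaa111", "explorer.exe", "executed"),
    ("2019-03-01T11:30", "FIN-PC-07", "aaa111", "outlook.exe",  "created"),
    ("2019-03-01T11:32", "FIN-PC-07", "aaa111", "explorer.exe", "executed"),
    ("2019-03-01T12:00", "HR-PC-01",  "bbb222", "msiexec.exe",  "created"),
    ("2019-03-01T12:00", "FIN-PC-07", "bbb222", "msiexec.exe",  "created"),
    ("2019-03-01T12:00", "IT-PC-03",  "bbb222", "msiexec.exe",  "created"),
    ("2019-03-02T08:15", "IT-PC-03",  "ccc333", "chrome.exe",   "created"),
]

def prevalence(events):
    """Distinct endpoints each hash has been seen on, lowest prevalence first."""
    seen = defaultdict(set)
    for _, endpoint, sha256, _, _ in events:
        seen[sha256].add(endpoint)
    return sorted(((h, len(e)) for h, e in seen.items()), key=lambda x: (x[1], x[0]))

def low_prevalence(events, max_endpoints=1):
    """Hashes run on at most `max_endpoints` hosts: candidates for sandbox analysis."""
    return [h for h, n in prevalence(events) if n <= max_endpoints]

def file_trajectory(events, sha256):
    """Retrospective lookup: everywhere a hash has been seen, in time order."""
    hits = sorted(e for e in events if e[2] == sha256)
    endpoints = []
    for _, endpoint, _, _, _ in hits:
        if endpoint not in endpoints:      # keep first-seen order
            endpoints.append(endpoint)
    return {"first_seen": hits[0][1] if hits else None,
            "endpoints": endpoints,
            "events": [(t, ep, parent, action) for t, ep, _, parent, action in hits]}

def retrospective_alert(events, dispositions, sha256, new_disposition):
    """Record a disposition change; return the hosts to quarantine if it turned bad."""
    old = dispositions.get(sha256, "unknown")
    dispositions[sha256] = new_disposition
    if old != "malicious" and new_disposition == "malicious":
        return file_trajectory(events, sha256)["endpoints"]
    return []
```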

Device trajectory

Device trajectory continuously tracks file activity and communications at the endpoint device level, to quickly understand both the root cause and the history of events leading up to and after a compromise. This trajectory is the view of the threat as seen from a single endpoint’s perspective.

This feature allows us to see when the file was first executed on the endpoint, what process was involved in the creation of the file, and what happened as a result of the file executing.

The below image shows the file trajectory from AMP for Endpoints.

Endpoint IOCs

Security administrators who use AMP have the ability to submit their own IOCs in order to catch new targeted attacks. These endpoint IOCs let security teams perform deeper levels of analysis and investigation on advanced threats that are specific to users or applications in their environment.

The Endpoint IOC feature is a powerful tool used in post-compromise incident response. It can be set up using custom-made signatures to trigger on file attributes such as name, type, size and hash, to name a few.

Elastic search

Elastic search is simply a search tool that lets you search on all sorts of criteria without specifying the type of item you are searching for. AMP’s elastic search allows queries on file properties, telemetry, security intelligence data, IP addresses, domains, etc., to help you quickly understand the information related to an IOC or malicious application.

Vulnerable software
With AMP for Endpoints you can also scan for vulnerable software on your systems. Once a scan is completed, it shows a list of vulnerable software, the hosts containing that software, and the hosts most likely to be compromised. Powered by Cisco’s threat intelligence and security analytics, AMP also identifies vulnerable software being targeted by malware, as well as the potential exploit. This information is then displayed to give you a prioritized list of hosts whose software needs to be patched.

This feature does not scan all software for vulnerabilities but focuses on the common software found in most environments, for example internet browsers (IE, Chrome, etc.), Adobe Acrobat, Oracle Java Platform and Microsoft Office.

Outbreak control

With AMP’s outbreak control feature you can achieve control over suspicious files or outbreaks and remediate an infection without waiting for a content update. Outbreak control provides:

  • Simple custom detections can be created to quickly block a specific file across all or selected devices.
  • Advanced custom signatures can be created to block polymorphic malware (malware that changes itself constantly to evade detection).
  • Application block lists can be used to enforce an organisation’s application policy. There may be an application, for instance, that you do not want your users to run, but you don’t want to quarantine it either. Alternatively, you may need to contain a compromised application being used as a malware gateway and stop the cycle of reinfection.
  • Custom application whitelists can also help to ensure that safe, custom, or mission-critical applications continue to run no matter what.
  • Network or IP blacklists and whitelists use device flow correlation to stop malware call-back communications at the source. This is especially useful for remote endpoints outside the corporate network.


The information above gives you a breakdown of the many features that work together to make Cisco AMP a great malware protection technology. Combined, these features provide AMP customers with the comprehensive levels of visibility, protection and control that are necessary to quickly detect and respond to advanced modern-day threats. New benefits and features are also on the horizon, as all of Cisco’s security products continue to evolve on a regular basis.

Where do Ironshare fit in?

Ironshare are a small, niche security consultancy focused on delivering fast and efficient solutions to businesses. Our experienced team aims to provide a fully managed service that takes the strain away from your employees and allows you to focus on your core business.

Ironshare can help you to get up and running with Cisco AMP for Endpoints within days.

We not only provide step-by-step guidance on deployment within your organisation; we can also manage the day-to-day running and reporting, leaving your teams to get on with their usual day job.

Our aim is to provide Security, Simplified. That means we can communicate in a non-technical manner (or technical if you prefer) and just give you the information you want.

Ironshare – Security, Simplified

If you have any questions or would like to get in touch to find out how Cisco AMP can be used to improve your organisation’s security, then please Contact Us here.