Cisco AMP for Endpoints vs VMware Carbon Black Endpoint Security

Today I am going to talk about one of the major topics in endpoint security: Advanced Malware Protection (AMP) for endpoints, and why it is so important to secure your endpoints from the external world. Nowadays attacks on endpoints are the major way in for attackers, and they have caused major setbacks to various enterprises. To secure the endpoints, one should have an AMP solution deployed on them.

In today's post I will cover the features of AMP for Endpoints from Cisco, Carbon Black Endpoint Security, and Cylance Protection, and compare these vendors so that you can set expectations for their use in your enterprise network.

Cisco AMP for Endpoints
Cisco AMP for Endpoints employs continuous analysis beyond the event horizon (the point-in-time check) and can retrospectively detect, alert on, track, analyse, and remediate advanced malware that initially appears clean or evades the initial defenses and is only later identified as malicious.

Cisco AMP maps how hosts interact with files, including malware, across your endpoint environment. It can see whether a transfer was blocked or a file was quarantined. It can scope the threat, provide outbreak controls, and identify patient zero. An automated detonation engine observes, deconstructs, and analyses samples using several methods, and it is impervious to sandbox-aware malware.

In the case of Cisco, AMP for Endpoints employs:
  1. 1:1 SHA matching engine (public, private, or hybrid)
  2. TETRA AV and sandboxing
  3. ETHOS fuzzy fingerprinting
  4. SPERO machine learning
  5. Cloud IOCs and reputation analytics
  6. CLI capture; memory-resident and file-less script detection
  7. Mutation protection and vulnerable-software detection
  8. CTA (threat analytics) and custom hash detection
  9. ClamAV signatures and application blocking
Fig 1.1 - Cisco AMP for Endpoints

Turning to the Threat Grid sandbox: it is fully integrated within the AMP for Endpoints solution, and file analysis can also be deployed as an on-premises solution. Because AMP Threat Grid uses a proprietary analysis mechanism and 100 other anti-evasion techniques, it is virtually undetectable by malware that tries to avoid analysis and sandboxing.

Threat Grid uses the widest set of analysis techniques, including but not limited to host, network, static, and dynamic analysis, as well as pre- and post-execution analysis of the master boot record. 

Use REST API access to pull events, IOCs, and device data; you can script against the API and customize it to your environment. This gives visibility into the scope of a breach and discovers patient zero: when the malware was first seen, on which computer in your environment, what its parentage is, and how it moves between hosts.
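As an added example (not code from this post or from Cisco), here is how a batch of events pulled over such an API could be turned into the patient-zero and trajectory view just described; the event field names, hostnames and hashes are constructed placeholders, not the vendor's schema. It also goes a step further and applies the retrospective idea from the first section: which hosts ran the file while it was still rated clean, before the verdict flipped to malicious.

```python
from datetime import datetime
# Constructed sample of AMP-style file events, shaped like what a script that
# pulls events over the REST API might save. Field names and hashes are assumed
# placeholders for this example, not the vendor's schema; order is deliberately mixed.
SAMPLE_EVENTS = [
    {"date": "2019-03-04T11:00:00Z", "hostname": "ws-finance-07", "sha256": "AAA1",
     "parent_sha256": "EXPLORER", "disposition": "Malicious", "action": "Quarantined"},
    {"date": "2019-03-04T09:12:00Z", "hostname": "ws-finance-07", "sha256": "AAA1",
     "parent_sha256": "EXPLORER", "disposition": "Clean", "action": "Executed"},
    {"date": "2019-03-04T09:40:00Z", "hostname": "ws-finance-12", "sha256": "AAA1",
     "parent_sha256": "EXPLORER", "disposition": "Clean", "action": "Executed"},
    {"date": "2019-03-04T10:05:00Z", "hostname": "ws-hr-03", "sha256": "AAA1",
     "parent_sha256": "OUTLOOK", "disposition": "Clean", "action": "Created"},
    {"date": "2019-03-04T11:02:00Z", "hostname": "ws-finance-12", "sha256": "AAA1",
     "parent_sha256": "EXPLORER", "disposition": "Malicious", "action": "Quarantined"},
    {"date": "2019-03-04T11:30:00Z", "hostname": "ws-dev-21", "sha256": "AAA1",
     "parent_sha256": "CHROME", "disposition": "Malicious", "action": "Blocked"},
]

def _ts(event):  # parse the ISO 8601 UTC timestamp so events can be ordered reliably
    return datetime.strptime(event["date"], "%Y-%m-%dT%H:%M:%SZ")

def file_events(events, sha256):
    """All events for one hash, oldest first."""
    return sorted((e for e in events if e["sha256"] == sha256), key=_ts)

def patient_zero(events, sha256):
    """Earliest sighting of the hash: which host, when, and what spawned it."""
    hits = file_events(events, sha256)
    if not hits:
        return None
    return {k: hits[0][k] for k in ("hostname", "date", "parent_sha256")}

def trajectory(events, sha256):
    """Hosts in the order the file first appeared on each, i.e. how it moved."""
    seen = []
    for e in file_events(events, sha256):
        if e["hostname"] not in seen:
            seen.append(e["hostname"])
    return seen

def exposed_before_verdict(events, sha256):
    """Retrospective view: hosts that ran the file while still rated Clean vs. hosts contained later."""
    hits = file_events(events, sha256)
    verdicts = [_ts(e) for e in hits if e["disposition"] == "Malicious"]
    flipped = verdicts[0] if verdicts else None
    ran = {e["hostname"] for e in hits
           if e["action"] == "Executed" and (flipped is None or _ts(e) < flipped)}
    contained = {e["hostname"] for e in hits if e["action"] in ("Blocked", "Quarantined")}
    return {"ran_before_verdict": sorted(ran), "contained": sorted(contained)}
```

The hosts in `ran_before_verdict` are the ones an investigator would check first, since the file executed there before any block or quarantine took effect.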

Fig 1.2 - Cisco AMP protection and OpenDNS with Cisco ISE and Stealthwatch


Carbon Black Endpoint Security
Carbon Black employs whitelisting, machine learning, behavioral analytics, and next-gen antivirus, with continuous analysis delivered through Cb Defense. Carbon Black Endpoint Security has a very rich process tree for investigation, and it shows a lot of eye candy that makes the investigation process visually appealing. Compared to Cisco's endpoint security, Carbon Black has 150 behaviors but, sadly, no trajectory.

Unlike what you saw for Cisco AMP for Endpoints, Carbon Black Endpoint Security has no behavioral IoCs. Even its events are based on signatures, vulnerabilities, and point-in-time analysis.

As you already saw, Cisco AMP for Endpoints has sandboxing built in, but Carbon Black Endpoint Security needs an integration point with a partner for sandboxing technology. Its scope is focused on local host processes; it does not track a file and where it has traveled.

Bit9 was one of the first to whitelist and blacklist. Now called Carbon Black Enterprise Protection, it is the base of the endpoint security architecture that Carbon Black provides. It needs to integrate with IBM BigFix to report which hosts have CVE-related vulnerabilities.

By itself, Carbon Black doesn't offer closed-loop ATP. It may integrate with other vendors such as FireEye and Palo Alto Networks, with separate licensing, support, and management.

Carbon Black does not employ its own ATP or sandbox. It must integrate with Palo Alto Networks, FireEye, or others to provide malware detonation capabilities. None of the third-party integrations can detect ATP or sandbox-aware malware. 

Carbon Black can remediate malware, but what it can do depends on whether you have Carbon Black Defense, Carbon Black Response, Carbon Black Protection, or the whole platform, and only with an integration point to a third-party solution.

Below is a comparison of the features of Cisco AMP for Endpoints and Carbon Black Endpoint Security.

Fig 1.3 - Comparing Cisco AMP vs Carbon Black

Cisco Talos consists of over 250 researchers, making it one of the largest threat intelligence organizations in the world. Meanwhile, Palo Alto Networks runs a comparable threat intelligence organisation named Unit 42.