
Cisco AMP – An Introduction Into Cisco’s Advanced Malware Protection Platform

  • 3 January, 2018

Article, Cisco, Security

In 2017, hearing about well-known, global organisations falling victim to large-scale cyber-attacks became a daily occurrence. These household names are being struck down within minutes by hacking communities all over the world with no way to stop them. Cisco AMP is the new way to prevent such disasters.

The cyber-space is more dangerous now than it has ever been as tens of thousands of new malware samples are being pumped out every hour. Research shows that 95% of organisations have already been targeted by malicious traffic. Evading outdated anti-virus software is a walk in the park for even the most unskilled hackers now as their capabilities are growing exponentially.

It’s not just small-time hackers or crime syndicates you need to be wary of anymore: nation states such as China and Russia are infamous for orchestrating large-scale attacks for political gain, and just a few months ago a story broke that the United Arab Emirates ordered the hacking of a Qatari news agency, helping to incite a crisis in the Middle East.

It’s blatant that cyber-security needs to be an absolute priority for an organisation of any type.

[Image: Independent headline from July 2017 on the UAE hack]

The new forms of malware that these crime syndicates and hacking communities are constantly constructing can easily evade point-in-time detection (anti-virus and IPS) and begin creating havoc in minutes. It’s not just the network that can be devastated: any endpoints or mobile devices connected to it will also be infected.

Huge organisations in the past have been forced to shut down primary business functions for lengthy periods causing losses of millions in some cases. The prime reason for the majority of these attacks is to steal data from companies. Once they have full access to a company’s confidential information the hackers can choose to either hold the business to ransom or sell the information on to other malicious groups.

In 2016, 60% of small businesses that experienced a cyber-attack were bankrupt within six months. If the initial attack does not bring you down, once word gets out to the public that their personal information has been stolen due to a trusted brand’s negligence in securing its customers’ data, your reputation as a business will be in tatters.

How It Used To Happen


In the past, businesses would solely rely on point-in-time detection technology such as IPS or anti-virus software. These worked by evaluating traffic that was entering the network at a single point in time and giving a verdict of whether it was safe or unsafe based on existing intelligence. The safe would be allowed to enter while the unsafe was swiftly blocked from entering. However, this was where the analysis stopped.

These types of security do not possess the ability to understand the scope of a malware breach, because once malware has entered the network, point-in-time software cannot monitor it. Therefore any hope of actually removing it from the system in time to stop any damage is non-existent.

Organisations could employ third parties to try and remove the malware, but this would take significant time and heavily drain monetary resources at a time when they need cash the most, as business functions will be reduced and customer lawsuits could be on the horizon.

As you can see in the diagram below, point-in-time detection does stop some basic malware if it has prior knowledge of it. However, advanced malware can disguise itself as a safe file and be cleared through the security checkpoint without anyone realising. Once inside, the malware is free to do what it pleases and the hacker’s job is complete.

[Diagram: point-in-time cyber security vs Cisco AMP]

How We Do It With Cisco AMP


It’s obvious that cyber-security needs a completely new approach, and that’s why Cisco AMP was created. AMP stands for Advanced Malware Protection and has revolutionised the way organisations can protect themselves from cyber-attacks. Although Cisco AMP does still utilise point-in-time protection, it employs several other technologies such as Global Threat Intelligence, Advanced Sandboxing, Continuous Analysis, and Retrospective Security to closely monitor everything in and around your network.

Cisco AMP is unique because it does not just evaluate your files when they enter; it also constantly scans the internet (with the help of Talos) and strictly monitors and records anything that enters, as you can see in the diagram below.

[Diagram: Cisco AMP cyber security]

Global Threat Intelligence


The whole of the Cisco cyber-security ecosystem is underpinned by Cisco Talos, the industry-leading threat intelligence group. With over 250 full-time experts employed, they are able to continuously scan millions of malware samples and terabytes of data every day to keep their extensive knowledge base growing and valuable.

This information is shared with Cisco AMP, where it is correlated against files entering your network, telemetry data, and file behaviour. AMP will also feed any findings back into the knowledge base, keeping it up to date and content-rich.


Advanced Sandboxing


Sandboxes are mechanisms seen in many security solutions that act as a network’s last line of defence. They essentially work by allowing the malware to do what it likes in a controlled environment where it is closely monitored. However, infamous ransomware has been known for its ability to evade sandbox detection.

Cisco developed AMP Threat Grid sandboxing technology, a far more advanced type of security. It can easily contain both known and unknown malware while also blocking command-and-control callbacks to ransomware hosts. Automated dynamic and static analyses against over 700 behavioural indicators mean stealthy threats are flagged up efficiently, allowing security teams to understand, prioritise, and block sophisticated attacks.


Continuous Analysis and Retrospective Security


Every file that enters your network remains under strict supervision for the entire time it spends there. Cisco AMP watches, analyses, and records its activity regardless of the file’s disposition. If a file starts behaving out of the ordinary or maliciously, your security team will be immediately alerted by Cisco AMP. This alert includes details such as where the malware came from, where it’s been, and what it is currently doing. In just a few clicks of a mouse you can contain and exterminate it, preventing any damage from occurring.

The ability to retrospectively view every action a piece of malware has performed was not previously possible, and it is a large part of the reason Cisco AMP is so revolutionary and well regarded: it allows security teams to know exactly what information a hacker may have had access to, so the situation can be rectified.
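The continuous recording and retrospective alerting described above, modelled as an added Python example (not Cisco’s code; the telemetry, hashes and host names are constructed placeholders). A file that is unknown at entry is let through but recorded; when its disposition later flips to malicious, the recorded trajectory answers where it came from, where it has been, and what it did last.

```python
from collections import defaultdict

# Constructed sample file telemetry: (time, host, file_hash, action, detail).
# Hashes and host names are placeholders, not real indicators.
EVENTS = [
    (1, "laptop-01", "hash-A", "download", "mail attachment invoice.pdf.exe"),
    (2, "laptop-01", "hash-A", "execute", "C:/Users/alice/Downloads/invoice.pdf.exe"),
    (3, "fileserver", "hash-A", "create", "D:/share/tools/invoice.pdf.exe"),
    (4, "laptop-02", "hash-A", "execute", "//fileserver/share/tools/invoice.pdf.exe"),
    (4, "laptop-02", "hash-B", "execute", "C:/Windows/notepad.exe"),
]

class RetrospectiveMonitor:
    """Keeps every file's trajectory regardless of its verdict at entry."""

    def __init__(self, dispositions):
        self.dispositions = dict(dispositions)  # file_hash -> clean/unknown/malicious
        self.trajectory = defaultdict(list)     # file_hash -> [(time, host, action, detail)]
        self.alerts = []

    def observe(self, time, host, file_hash, action, detail):
        # Point-in-time check: known-bad alerts now; anything else is allowed
        # through but recorded, which is the step point-in-time tools skip.
        self.trajectory[file_hash].append((time, host, action, detail))
        verdict = self.dispositions.get(file_hash, "unknown")
        if verdict == "malicious":
            self.alerts.append({"hash": file_hash, "retrospective": False, "hosts": [host]})
        return verdict

    def update_disposition(self, file_hash, verdict):
        # New intelligence (sandbox result, threat feed) changes the verdict;
        # a flip to malicious is replayed over everything already recorded.
        previous = self.dispositions.get(file_hash, "unknown")
        self.dispositions[file_hash] = verdict
        history = sorted(self.trajectory[file_hash])
        if verdict != "malicious" or previous == "malicious" or not history:
            return None
        alert = {"hash": file_hash, "retrospective": True,
                 "entry": history[0],                             # where it came from
                 "hosts": sorted({h for _, h, _, _ in history}),  # where it has been
                 "latest": history[-1]}                           # what it did last
        self.alerts.append(alert)
        return alert

def run_demo():
    mon = RetrospectiveMonitor({"hash-B": "clean"})
    entry_verdicts = [mon.observe(*e) for e in EVENTS]
    return entry_verdicts, mon.update_disposition("hash-A", "malicious")
```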

To Sum Things Up


The internet is a scary place now, there’s no doubting that. For organisations, there are threats and bandits around every corner, but enabling Cisco AMP is like slipping on a suit of armour and gives you the peace of mind that the industry-leading cyber-security platform is on your side.

This was a simple explanation of how Cisco AMP works and how it can protect you. If you would like to know more about how it could benefit you personally, our engineering team is always happy to have a more substantial and case-specific discussion with you about how it could fit in within your own environment.

If this article has sparked your interest in Cisco AMP and you’d like to find out more or give it a try, please get in touch with us and we can have a more in-depth conversation and answer any questions you may have.


Tesrex also provides a full range of services centred around cyber-security. Contact us to arrange a consultation and to find out more about how we can help you understand where you are and how to get to where you want to be.