Mapping Secure Endpoint (and Malware Analytics) to NIST CSF Categories and Sub-Categories


Cisco Secure Endpoint (AMP for Endpoints) with Malware Analytics (Threat Grid) offers Prevention, Detection, Threat Response and Hunting capabilities in a single solution. It protects endpoints (Windows, Mac, Linux, Android and iOS), prevents breaches, blocks malware at the point of entry, and continuously monitors and analyses files and processes to rapidly detect, contain and remediate threats that may evade other security control mechanisms. Secure Endpoint provides these capabilities through either a private or a public cloud deployment.

NIST CSF Categories and Sub-Categories

IDENTIFY – Asset Management (H/W and S/W inventories; communication and data flow mapping)

[ID.AM-1 and ID.AM-2] Orbital gives detailed information about the hardware and the running applications/processes by querying endpoints using WMI. It can also assist in tracking disk space, memory and other IT Ops artifacts. All of this information can then be used to generate H/W and S/W inventories for the organisation. Secure Endpoint can also be used to check system status (OS versions, patches, whether the host firewall is enabled, which applications are permitted through it, etc.).

IDENTIFY – Risk Assessment (vulnerabilities identified; threat intelligence received; threats identified; threats, vulnerabilities and impacts used to determine risk)

[ID.RA-1, ID.RA-3 and ID.RA-5] Cisco Secure Endpoint identifies the vulnerable applications in an endpoint environment. It shows the number and severity of vulnerable applications and how many endpoints each application has been observed on in the environment. The vulnerabilities of each application can then be linked to the associated Common Vulnerabilities and Exposures (CVE) entries. Secure Endpoint can also be used to find out whether a host is running a particular (vulnerable) version of software. Orbital in Secure Endpoint with Malware Analytics can be used to search for computers that display indicators of compromise taken from a sample analysis. This allows a quick transition from analysing a threat in Malware Analytics to searching for hosts that may be at risk in the environment.

[ID.RA-2 and ID.RA-3] Cisco Secure Endpoint is directly connected to Cisco's industry-leading threat intelligence organisation (Talos) and therefore has a worldwide view of threats across all threat vectors. It sees whatever Talos sees, immediately. Talos continuously analyses malware to discover new threat types and to create behavioural and forensic profiles for emerging threats, otherwise known as Indicators of Compromise (IoCs).

[ID.RA-5] Secure Endpoint uses all of this information to help administrators identify systems that have been breached and pose a risk to the organisation.

PROTECT – Access Control (network integrity; user/device authentication based on transaction risk)

[PR.AC-5] File Trajectory helps in safeguarding the network integrity of an organisation, since it shows the life cycle of every file in the environment from the first time it was seen to the last, along with all computers in the network that received the file. Where applicable, the patient zero that brought the threat into the network is displayed, including any files created or executed by the threat.

[PR.AC-7] Cisco Secure Endpoint employs a robust set of preventative technologies to stop malware in real time, safeguarding endpoints against today's most common attacks. The IoCs and Secure Endpoint's detection capabilities indicate the risk a device carries. This helps the organisation decide whether that device is 'healthy' enough to be allowed to connect to the network.

PROTECT – Data Protection (information leak protection)

[PR.DS-1, PR.DS-2 and PR.DS-5] The Endpoint Isolation feature blocks incoming and outgoing network activity to stop threats such as data exfiltration and malware propagation. Cisco Secure Endpoint identifies and blocks the malicious code that is so often the cause of data leaks today, protecting data 'at rest' and 'in transit'. It prevents command and control call-backs used for data exfiltration and stops the execution of ransomware encryption.
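The Asset Management passage above (ID.AM-1 and ID.AM-2) describes Orbital building H/W and S/W inventories and checking host posture by querying endpoints through WMI. The PowerShell below is an added example, not code from the original post or from Cisco's Orbital, that gathers the same kind of facts from the local Windows host through the CIM cmdlets, which read the same WMI classes. The function name, the property layout, the JSON file name and the firewall check are my own choices; it assumes an elevated session on Windows 8/Server 2012 or later, where the NetSecurity module is built in.

```powershell
# Added example (not Cisco Orbital code): snapshot of the hardware, software
# and posture facts that an ID.AM-1 / ID.AM-2 inventory needs, read from the
# local host via CIM/WMI and the Windows Firewall cmdlets.

function Get-EndpointPosture {
    [CmdletBinding()]
    param()

    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    # Fixed disks only (DriveType 3), with size and free space in GB.
    $disks = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DriveType = 3" |
        Select-Object DeviceID,
            @{Name = 'SizeGB'; Expression = { [math]::Round($_.Size / 1GB, 1) }},
            @{Name = 'FreeGB'; Expression = { [math]::Round($_.FreeSpace / 1GB, 1) }}

    # Installed patches: the patch state the passage says Secure Endpoint can check.
    $hotfixes = Get-CimInstance -ClassName Win32_QuickFixEngineering |
        Sort-Object InstalledOn -Descending |
        Select-Object HotFixID, InstalledOn

    # Installed software from the Uninstall keys (64-bit and 32-bit views).
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $software = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, Publisher |
        Sort-Object DisplayName -Unique

    # Host firewall: per-profile state, and which inbound allow rules are active
    # (i.e. what is permitted through the firewall).
    $fwProfiles = Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
    $inboundAllow = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
        Select-Object DisplayName, Profile

    # Running processes with their image paths (what is executing right now).
    $processes = Get-CimInstance -ClassName Win32_Process |
        Select-Object Name, ProcessId, ExecutablePath

    [PSCustomObject]@{
        Hostname          = $cs.Name
        OSCaption         = $os.Caption
        OSVersion         = $os.Version
        OSBuild           = $os.BuildNumber
        LastBoot          = $os.LastBootUpTime
        TotalMemoryGB     = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
        FreeMemoryGB      = [math]::Round(($os.FreePhysicalMemory * 1KB) / 1GB, 1)  # WMI reports KB
        Disks             = $disks
        HotfixCount       = @($hotfixes).Count
        Hotfixes          = $hotfixes
        Software          = $software
        FirewallProfiles  = $fwProfiles
        InboundAllowRules = $inboundAllow
        Processes         = $processes
        CollectedAt       = (Get-Date).ToUniversalTime()
    }
}

# One posture check over a snapshot: $true only if every firewall profile is on.
# Enabled is a GpoBoolean enum, so compare its text rather than relying on -not.
function Test-FirewallEnabled {
    param([Parameter(Mandatory)] $Posture)
    $off = @($Posture.FirewallProfiles | Where-Object { "$($_.Enabled)" -ne 'True' })
    return ($off.Count -eq 0)
}

# Usage: write one JSON document per host so results can be merged centrally,
# and flag the host if any firewall profile is disabled.
$posture = Get-EndpointPosture
$posture | ConvertTo-Json -Depth 4 | Set-Content -Path "$env:COMPUTERNAME-posture.json"
if (-not (Test-FirewallEnabled -Posture $posture)) {
    Write-Warning "$($posture.Hostname): at least one Windows Firewall profile is disabled"
}
```

Collecting one such snapshot per host and diffing it against the previous one is the simplest way to turn the raw data into the H/W and S/W inventory the passage describes: new software, missing patches or a firewall profile that was switched off all show up as changes between snapshots.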
PROTECT – Protective Technology (protection of communication and control networks)

[PR.PT-4] Cisco Secure Endpoint employs a robust set of preventative technologies to stop malware in real time, safeguarding endpoints against today's most common attacks. It identifies and blocks the malicious code that could affect the reliability and availability of communication and control networks.

DETECT – Anomalies and Events (analysing events to understand attack targets and methods; event data correlation and collection from multiple sources; event and impact determination; alert thresholds)

[DE.AE-2, DE.AE-4 and DE.AE-5] Cisco Secure Endpoint leverages several approaches for comprehensive detection. The machine learning capability in Secure Endpoint helps detect never-before-seen malware at the point of entry. Cisco Secure Endpoint analyses files for malware threats both at the time of network entry and continuously afterwards. It continuously analyses application data to understand threat and attack methods, assesses the potential alerts and impact, and quarantines files when they turn out to be malware.

[DE.AE-3] Secure Endpoint accelerates investigation and rapid threat remediation with automated data correlation and enrichment from multiple sources. Organisations can easily pivot from the sandbox to an advanced search interface with relevant pre-populated queries.

DETECT – Security Continuous Monitoring (malicious code detection; unauthorised mobile code; vulnerability scans)

[DE.CM-1, DE.CM-4 and DE.CM-5] Cisco Secure Endpoint employs continuous analysis beyond 'point-in-time' detection. It can retrospectively detect, alert, monitor, analyse and remediate advanced malware. It is the premier solution for malicious code detection on both endpoints and networks, including mobile devices.
Cisco Malware Analytics offers advanced malware analysis and threat intelligence capabilities and identifies attacks with context-driven security analytics.

[DE.CM-8] Secure Endpoint can also be used to find out whether a host is running a specific (vulnerable) version of software. It dynamically exposes the vulnerable applications in an endpoint environment.

RESPOND – Analysis (investigate notifications from detection systems; understand the impact of an incident; perform forensics and categorise incidents according to the response plan)

[RS.AN-1, RS.AN-2, RS.AN-3 and RS.AN-4] Cisco Secure Endpoint provides up-to-the-minute threat data and historical context about domains, IPs and file hashes for faster investigation. It offers the 'File Trajectory' and 'Device Trajectory' features to gain visibility into the scope of a breach and to help analyse its impact for a quicker response. These features show which systems were affected and how deep the malware went into each system, so that the malware's impact can be understood, the incident categorised according to the response plan, and the forensic analysis needed to support response and recovery activities carried out.

[RS.AN-3] Cisco Secure Endpoint analyses files for malware threats both at the time of network entry and continuously afterwards, to help responders quickly determine the root cause and apply the correct enforcement against further instances.

RESPOND – Mitigation (containing incidents; mitigating incidents)

[RS.MI-1 and RS.MI-2] Cisco Secure Endpoint has the capabilities to identify, contain and remediate incidents. It can automatically quarantine or remove malicious code to stop its propagation and protect other systems from being affected. Custom Detection helps administrators rapidly enforce full protection against suspicious files and targeted attacks across both the endpoint and network control planes, based on endpoint activity. It also generates advanced IoCs so that responses can be quick and efficient. Orbital works in conjunction with Secure Endpoint host isolation to provide a way of quarantining a suspicious host while an investigation is performed.
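Both the PR.AC-5 passage and the RS.AN-1 to RS.AN-4 passage describe what File Trajectory and Device Trajectory show: the life cycle of a file from first to last sighting, every host that received it, the patient zero, the files the threat went on to create or execute, and, per device, the ordered activity on that host. The PowerShell below is an added example, not Cisco's code, that rebuilds those views from a small set of constructed endpoint file events. The event format (Time, Host, Sha256, Path, Action, ParentSha256), the hash values, host names and paths are all made up for the illustration.

```powershell
# Added example (not Cisco's File Trajectory / Device Trajectory code): rebuild
# a file's trajectory and a device's trajectory from endpoint file events.
# Constructed sample events: a downloaded executable ('aaa111') that runs on
# one workstation, drops a DLL ('bbb222'), then spreads to two more hosts.
$events = @(
    [PSCustomObject]@{ Time='2024-05-01T08:02:11Z'; Host='WS-017'; Sha256='aaa111'; Path='C:\Users\jdoe\Downloads\invoice.exe';      Action='Created';  ParentSha256=$null }
    [PSCustomObject]@{ Time='2024-05-01T08:02:40Z'; Host='WS-017'; Sha256='aaa111'; Path='C:\Users\jdoe\Downloads\invoice.exe';      Action='Executed'; ParentSha256=$null }
    [PSCustomObject]@{ Time='2024-05-01T08:03:05Z'; Host='WS-017'; Sha256='bbb222'; Path='C:\Users\jdoe\AppData\Local\Temp\svc.dll'; Action='Created';  ParentSha256='aaa111' }
    [PSCustomObject]@{ Time='2024-05-01T09:15:30Z'; Host='WS-042'; Sha256='aaa111'; Path='\\fileshare\public\invoice.exe';            Action='Created';  ParentSha256=$null }
    [PSCustomObject]@{ Time='2024-05-01T09:16:02Z'; Host='WS-042'; Sha256='aaa111'; Path='\\fileshare\public\invoice.exe';            Action='Executed'; ParentSha256=$null }
    [PSCustomObject]@{ Time='2024-05-02T11:47:19Z'; Host='SRV-03'; Sha256='aaa111'; Path='C:\inetpub\tmp\invoice.exe';                Action='Created';  ParentSha256=$null }
    [PSCustomObject]@{ Time='2024-05-02T12:00:00Z'; Host='SRV-03'; Sha256='ccc333'; Path='C:\Windows\System32\notepad.exe';           Action='Executed'; ParentSha256=$null }
)

function Get-FileTrajectory {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [Parameter(Mandatory)] [string]   $Sha256
    )
    # Every observation of this hash, oldest first.
    $seen = @($Events | Where-Object { $_.Sha256 -eq $Sha256 } | Sort-Object { [datetime]$_.Time })
    if ($seen.Count -eq 0) { return $null }

    # Files this one created or executed: the threat's own children.
    $children = @($Events | Where-Object { $_.ParentSha256 -eq $Sha256 } |
        Select-Object -ExpandProperty Sha256 -Unique)

    [PSCustomObject]@{
        Sha256       = $Sha256
        FirstSeen    = [datetime]$seen[0].Time
        LastSeen     = [datetime]$seen[-1].Time
        PatientZero  = $seen[0].Host                       # first host to receive the file
        Hosts        = @($seen | Select-Object -ExpandProperty Host -Unique)
        SpawnedFiles = $children
        Timeline     = $seen
    }
}

function Get-DeviceTrajectory {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [Parameter(Mandatory)] [string]   $HostName   # not $Host, which PowerShell reserves
    )
    # Ordered activity on one host: what arrived, what ran, and in what order.
    @($Events | Where-Object { $_.Host -eq $HostName } | Sort-Object { [datetime]$_.Time })
}

# Scope of the breach for one hash: the hosts that need containment and forensics.
$trajectory = Get-FileTrajectory -Events $events -Sha256 'aaa111'
$trajectory | Select-Object Sha256, FirstSeen, LastSeen, PatientZero, Hosts, SpawnedFiles | Format-List

# Drill into patient zero to see how deep the threat went on that machine.
Get-DeviceTrajectory -Events $events -HostName $trajectory.PatientZero |
    Format-Table Time, Action, Sha256, Path -AutoSize
```

Run against the sample events, the file trajectory for 'aaa111' names WS-017 as patient zero, lists WS-017, WS-042 and SRV-03 as the affected hosts, and reports 'bbb222' as a file spawned by the threat; the device trajectory for WS-017 then shows the download, the execution and the dropped DLL in order. That is exactly the information needed to categorise the incident and decide which hosts to isolate first.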

[NB: For a detailed mapping of other Cisco Security products to NIST CSF, please read my previous blog here.]


Cisco Secure Endpoint User Guide

Cisco Secure Endpoint At-a-Glance Document

Cisco Secure Endpoint Datasheet

Cisco Malware Analytics Datasheet

Cisco Malware Analytics At-a-Glance Document

