(844) 773-7734 mk@mkss.us

Mapping Secure Endpoint (and Malware Analytics) to NIST CSF Categories and Sub-Categories

Cisco Secure Endpoint (AMP for Endpoints) with Malware Analytics (ThreatGrid) offers Prevention, Detection, Threat Hunting and Response capabilities in a single solution. It protects Endpoints (Windows, Mac, Linux, Android, and iOS) and prevents breaches, blocks malware at the point of entry and continuously monitors and analyses files and processes to quickly detect, contain, and remediate threats that can evade other security control mechanisms. Secure Endpoint offers these features through a public or private cloud deployment.

NIST CSF Categories and Sub-Categories

IDENTIFY – Asset Management (H/W and S/W inventories; communication and data flow mapping)

[ID.AM-1 and ID.AM-2] Orbital gives detailed information about the H/W and running applications/processes by querying endpoints using WMI. It can also help in tracking disk space, memory and any other IT Ops artifacts. All this information can then be used to create H/W and S/W inventories for the organisation. Secure Endpoint can also be used to check system status (OS versions, patches, if host firewall is enabled, what application is allowed through etc).

IDENTIFY – Risk Assessment (vulnerabilities identified; threat intelligence received; threats identified; threats, vulnerabilities and impacts to determine risk)

[ID.RA-1, ID.RA-3 and ID.RA-5] Cisco Secure Endpoint identifies the vulnerable applications in an endpoint environment. It tells the number and severity of vulnerable applications and how many endpoints the application has been seen on within the environment. Vulnerabilities can then be linked for each application to the associated Common Vulnerabilities and Exposures (CVE) entries. Secure Endpoint can also be used to find if a host is running a particular version (vulnerable) of software. Orbital in Secure Endpoint with Malware Analytics can be used to search for computers that show indications of compromise from a sample analysis. This enables quick transition from analysing a threat in Malware Analytics to searching for hosts that is at risk in the environment.

[ID.RA-2 and ID.RA-3] Cisco Secure Endpoint is directly tied to Cisco’s industry-leading threat intelligence organisation (Talos) and hence has a global view of threats across all threat vectors. It can immediately see anything that Talos sees. Talos constantly analyses malware to discover new threat types and build behavioural and forensic profiles for emerging threats, otherwise known as Indicators of Compromise (IoC).

[ID.RA-5] Secure Endpoint uses all this information to help administrators identify systems that have been breached and carry risk to the organisation.

PROTECT – Access Control (Network Integrity; User/Device authentication based on transaction risk)

[PR.AC-5] File Trajectory helps in protecting the Network Integrity of an organisation as it shows the life cycle of each file in the environment from the first time it was seen to the last time, as well as all computers in the network that had received the file. Where applicable, the patient-zero that brought the threat into the network is displayed including any files created or executed by the threat.

[PR.AC-7] Cisco Secure Endpoint employs a robust set of preventative technologies to stop malware, in real-time, protecting endpoints against today’s most common attacks. The IoCs and Secure Endpoint’s detection capabilities indicate the risk a device carries. It helps the organisation to decide if that device is ‘healthy’ enough to be allowed to connect to the network.

PROTECT – Data Security (data leak protection)

[PR.DS-1, PR.DS-2, PR.DS-5] Endpoint Isolation feature blocks incoming and outgoing network activities to prevent threats such as data exfiltration and malware propagation. Cisco Secure Endpoint identifies and blocks the malicious code that is so often the cause of data leaks today, while protecting data ‘at rest’ and ‘in transit’. It prevents command and control call-backs for data exfiltration and stops execution of ransomware encryption.

PROTECT – Protective Technology (protection of communication and control networks)

[PR.PT-4] Cisco Secure Endpoint employs a robust set of preventative technologies to stop malware in real-time, protecting endpoints against today’s most common attacks. It identifies and blocks the malicious code that can affect the availability and reliability of communications and control networks.

DETECT – Anomalies and Events detection (analysing events to understand attack targets and methods; event data collection and corelation from multiple sources; impact and event determination; alert threshold)

[DE.AE-2, DE.AE-4 and DE.AE-5] Cisco Secure Endpoint leverages multiple techniques for comprehensive detection. The machine learning capability in Secure Endpoint can help detect never-before- seen malware at the point of entry. Cisco Secure Endpoint analyses files for malware threats both at network entry time and continuously. Cisco Secure Endpoint continuously analyses application data to understand threat and attack methods, assess the potential impact and alerts and quarantines when files become actual malware.

[DE.AE-3] Secure Endpoint accelerates incident tracking and rapid threat remediation with automatic data enrichments and corelation from multiple sources. Organisations can quickly pivot from the sandbox to our advanced search interface with relevant pre-populated queries.

DETECT – Security Continuous monitoring (malicious code detection; unauthorised mobile code; vulnerability scan)

[DE.CM-1, DE.CM-4 and DE.CM-5] Cisco Secure Endpoint employs continuous analysis beyond ‘point-in-time’ detection. It can retrospectively detect, alert, track, analyse, and remediate advanced malware. It is the premier solution for malicious code detection on both networks and endpoints, including mobile devices. Cisco Malware Analytics provides advanced malware analysis and threat intelligence capabilities and identifies attacks with context-driven security analytics.

[DE.CM-8] Secure Endpoint can also be used to find if a host is running a particular (vulnerable) version of software. It dynamically exposes the vulnerable applications in an endpoint environment.

RESPOND – Incident analysis (Investigate notifications from detection systems; understand the impact of an incident; perform forensics and categorise the incidents as per the response plan)

[RS.AN-1, RS.AN-2, RS.AN-3 and RS.AN-4] Cisco Secure Endpoint provides up-to-minute threat data and historical context about domains, IPs, and file hashes for faster investigation. It provides ‘File Trajectory’ and ‘Device Trajectory’ features to gain visibility into the scope of a breach and help analyse the impact for quicker response. These features show which systems were affected and how deep the malware went into each system to understand the malware’s impact to categorise the incident according to the response plan and to perform the necessary forensics analysis to support response and recovery activities.

[RS.AN-3] Cisco Secure Endpoint analyses files for malware threats both at network entry time and continuously to help responders quickly assess the root cause and implement proper enforcement against further instances.

RESPOND – Mitigation (containing incidents, mitigating incidents)

[RS.MI-1 and RS.MI-2] Cisco Secure Endpoint has the capabilities to identify, contain, and remediate incidents. It can automatically quarantine or remove malicious code to prevent its propagation and protect other systems from being affected. Custom Detection Helps administrators quickly enforce full protection against questionable files and targeted attacks across both endpoint and network control planes based on endpoint activity. It also creates advanced IoCs to respond rapidly and efficiently. Orbital works in combination with Secure Endpoint host isolation to provide a means of quarantining a suspicious host while performing an investigation.

[NB: For high level mapping of other Cisco Security Products to NIST  CSF, please read my previous Blog here.]


Cisco Secure Endpoint User Guide

Cisco Secure Endpoint At-a-Glance Document

Cisco Secure Endpoint Datasheet

Cisco Malware Analytics Datasheet

Cisco Malware Analytics At-a-Glance Document

We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels