PrepAway - Latest Free Exam Questions & Answers

Which of the following statements about Cisco AMP is true?

A. It relies on the LINA engine and the Snort engine to detect threats.

B. It is based on IETF standards and allows security products to communicate.

C. It enables other technologies to use its services through connectors.

D. It evolved from OpenDNS and blocks access to malicious sites.

Explanation:
Cisco Advanced Malware Protection (AMP) is a cloud-based technology that enables other technologies to use its services through connectors. AMP conducts malware analysis that is less limited in scope than malware scanning products. AMP contains features that attempt to prevent infection from known and emerging threats by using information from Cisco Talos, a threat intelligence system, and Cisco Threat Grid, a file analysis system. In addition, AMP uses a file reputation system to validate nonmalware and a retrospective system to identify potential compromise.

Other Cisco services can connect to AMP by using AMP connectors. For example, Cisco AMP for Endpoints is a host-based malware detection and prevention platform that runs on Microsoft Windows, Mac OS X, Linux, and Google Android. Like many other antimalware packages, AMP for Endpoints monitors network traffic and application behavior to protect a host from malicious traffic. However, unlike many of its competitors, AMP for Endpoints continues its analysis after a disposition has been assigned to a file or traffic flow.

Other AMP connectors include AMP for Networks, AMP for Email, AMP for Web, and AMP for Meraki MX. AMP for Networks connects to Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Integrated Services Routers (ISRs). AMP for Email connects to Cisco Email Security Appliance (ESA). AMP for Web connects to Cisco Web Security Appliance (WSA).

Cisco Platform Exchange Grid (pxGrid), not Cisco AMP, is an open and scalable product based on Internet Engineering Task Force (IETF) standards. It is a means of facilitating communication among heterogeneous network security and asset management applications. Modern versions of Cisco pxGrid rely on Representational State Transfer (REST) and WebSocket protocols to facilitate either unidirectional or bidirectional communication. Older versions of pxGrid relied on Extensible Messaging and Presence Protocol (XMPP) to achieve the same result that is now provided by REST. Using XMPP, which was originally intended for person-to-person chat applications over the Internet, created overhead that involved the modification of Extensible Markup Language (XML) documents between clients and servers. In addition, XMPP was not intended to handle the amount of machine data transmitted by pxGrid. REST, on the other hand, is intended to be an application-to-application transfer system.

Cisco Firepower Threat Defense (FTD) appliances, not Cisco AMP, use two primary engines to detect and prevent attacks: the LINA engine and the Snort engine. The LINA engine receives an incoming packet and performs checks that are mostly related to routing and Network Address Translation (NAT). The LINA engine then passes the packet to the Snort engine if the FTD policy is configured to do so. The Snort engine inspects the packet and returns a verdict of either blacklist or whitelist to the LINA engine. Based on the Snort engine’s verdict, the LINA engine will either drop the packet or perform outbound checks and forward the packet.

Cisco Umbrella, not Cisco AMP, evolved from OpenDNS and is a Domain Name System (DNS) service that helps protect endpoints by automatically blocking access to known malicious sites on the Internet. Cisco Umbrella identifies threats by gathering information from DNS requests from millions of users, analyzing those requests, and comparing information about those requests against intelligence collected by Talos. From a user’s perspective, Cisco Umbrella simply blocks access to sites that it has deemed malicious. Instead of delivering site content to a user’s browser, Cisco Umbrella produces a page indicating that the site has been identified as a security threat and has therefore been blocked.
