Cisco Extends Endpoint Protection With Advanced Email Security

Cisco adds new email security capabilities including Domain-based Message Authentication, Reporting and Conformance support to its AMP for Endpoints platform.

Cisco AMP for Endpoints Visibility

Cisco announced on April 16 a series of enhancements to its Advanced Malware Protection (AMP) for Endpoints platform that provide improved email security and visibility capabilities.

The new capabilities include Cisco Visibility, which provides a threat hunting capability to AMP for Endpoints, enabling security professionals to gather insights for investigations. Fileless malware detection and prevention has also been enhanced, as has email security with advanced phishing and domain protection services. The new email security features in AMP for Endpoints come to Cisco by way of an OEM integration with email security vendor Agari, which former Cisco executives founded in 2009.

Jason Lamar, senior director in Cisco's Security Business Group, said Cisco has had secure email gateway technology since it acquired IronPort in 2007. What Cisco had been missing is a Domain-based Message Authentication, Reporting and Conformance (DMARC) email authentication capability. 

DMARC is a protocol that helps protect the integrity and authenticity of email. With the new domain protection services in AMP for Endpoints, Cisco is providing capabilities to enable organizations to set up DMARC for their own domains.

"Through our OEM agreement with Agari, we are enhancing our email security product," Lamar told eWEEK. "Agari has solid traction in the marketplace and the best technology to help protect our customers' company domains from being misused as the delivery mechanism of malicious emails, as well as protect their internal users from phishing and spoofing attacks from emails with suspect senders."

Cisco is also using Agari's technology to provide an advanced phishing protection technology that also benefits from DMARC. What happens with phishing emails is that organizations get third-party actors that send email that looks like email that is sent within the company, according to Lamar.

"By implementing our DMARC-compliant email authentication service, the email gateway will not accept emails that are not authenticated," he said.

Fileless Malware 

An increasingly popular form of attack is malware that does not make use of file, but rather executes entirely in memory. One of the most common fileless attack vectors is the use of PowerShell scripts, which is something that AMP for Endpoints can now help to defend against as well. Lamar explained that the new fileless malware prevention is part of a new engine that is available in AMP for Endpoints.

"The engine watches when an application and all its resources load into memory, then it copies and randomizes the data," Lamar said. "After creating the new memory structure, the engine creates a decoy of the original memory structure."

The fileless malware engine steers legitimate code to the correct memory structure and directs malicious code that is potentially using PowerShell to the decoy, where the exploit is neutralized and blocked, he added.  

Cisco Visibility

Another enhanced capability that has landed in AMP for Endpoints is Cisco Visibility, which includes threat intelligence from third-party vendors as well as Cisco's Talos research group. In addition, Cisco Visibility provides threat hunting capabilities, Lamar said.

"Going forward, we will have the ability to turn on other endpoint detection and response tools that are API-driven so companies can pull in their existing tools for additional context and correlation," he said.

AMP for Endpoints now also protects organizations against unauthorized cryptocurrency mining operations. Lamar said Cisco has integrated indicators of compromise (IOCs) into AMP to detect unauthorized cryptocurrency mining activities.

"We correlate proxy log detections with a cloud-based proxy log analysis tool, and correlate with endpoint activity in AMP," he said.

The cryptocurrency blocking is further enabled with Cisco's Umbrella cloud security platform, which has a category in it already that can block the communication channels back to the cryptocurrency mining domain. 

"Cisco Umbrella is the first line of defense to help prevent malware from being downloaded. Cisco AMP for Endpoints is essentially the last line of defense in case malware gets installed in the machine agent," Lamar said. "With our technology, AMP, the technology will detect and stop the malware from running on the endpoint." 

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.