Having enabled Cisco AMP on email security appliances and created samples to test its effectiveness (see prior posts), I am seriously disappointed in its ability to detect basic attacks.
We in fact end up with false negatives.
I’m not trying to block APTs, just average efforts from cyber criminals phishing with Office-based attacks that often just download a trojan. Perhaps we should term these Common Persistent Threats (CPTs).
Anyway, in their defense, they are switching over to Threat Grid in July, which I am told does detect these CPTs. I do feel Cisco are late in the game here and are catching up acquisition after acquisition. This will mean integration pain for the folk from Sourcefire and Threat Grid and whoever is next; you could be looking at a 12-month time frame before they are all integrated and back to innovating.
And that is my opinion as an admin user still struggling with Cisco kit to keep out CPTs.