Stop the Spread of Malware with Cisco Advanced Malware Protection (AMP) and DFLabs


Malware infections are one of the top concerns for organizations around the world. The rapid transmission of these infections can cripple an environment in a matter of minutes, so it is vital to an organization’s survival that they can quickly detect and respond to this type of threat.

DFLabs’ integration with Cisco AMP for Endpoints helps organizations uncover threats faster and improves overall security effectiveness by combining Cisco AMP’s advanced malware detection capabilities with IncMan SOAR’s automation power, to quickly detect and respond to a malware incident before it has a chance to spread throughout an environment.

The Problem

Malware attacks have grown exponentially over the last decade and are one of the costliest attack types today. On average, a successful malware or web-based attack has cost companies nearly $2.4 million in defense spending, and that figure could climb sharply in the coming years.

This attack type has such a high success rate because of the sophistication of its delivery and obfuscation techniques. Malware infections often go undetected for long periods of time, which allows the malware to spread rapidly throughout an environment and cause the maximum amount of damage.

As a result, organizations and security managers are often left asking themselves a number of questions, including but not limited to:

  • How can my organization protect itself from one of the costliest attack types targeting our business?

  • How can we gain full visibility of our endpoint activity?

  • How can we quickly uncover malware threats and strengthen our overall security posture?

The DFLabs and Cisco AMP Solution

The integration between DFLabs’ IncMan SOAR platform and Cisco AMP for Endpoints gives organizations full endpoint visibility and swift, automated response capability, allowing their network defenders to stay ahead of adversaries and improve their overall security posture. Equipped with AMP’s advanced threat detection capabilities and IncMan’s Rapid Response Runbooks (R3 Runbooks), an organization’s mean time to detect previously known and unknown threats is greatly improved and its time to remediation is accelerated. This gives incident responders the tools they need to quickly uncover and eliminate threats in their environment and to reduce the dwell times typically seen with these types of attacks.

About Cisco AMP

Cisco Advanced Malware Protection (AMP) for Endpoints integrates prevention, detection, and response capabilities in a single solution, leveraging the power of cloud-based analytics. AMP for Endpoints protects Windows, Mac, Linux, Android, and iOS devices through a public or private cloud deployment.

In the rapidly evolving world of malware, threats are becoming harder and harder to detect. The most advanced 1% of these threats, those that will eventually enter and wreak havoc on a network, could potentially go undetected. However, AMP for Endpoints provides comprehensive protection against that 1%. This security software prevents breaches, blocks malware at the point of entry, and continuously monitors and analyzes file and process activity to rapidly detect, contain, and remediate threats that can evade front-line defenses.

Use Case

Now let’s look at a simple use case in action.

An alert is received from Cisco AMP for Endpoints indicating that a malicious file has been downloaded from the internet onto a system in the Marketing department. IncMan SOAR receives the alert and executes the Malicious Download R3 Runbook. The Runbook automatically queries Cisco AMP to gather information about the affected machine’s current activity, checks whether any other machines on the network have previously interacted with the malicious file, and pulls the domain reputation for the site visited by the user.

Once the information is gathered, the R3 Runbook splits into two conditional actions. The first condition checks for the presence of any additional machines that may have interacted with the malicious file, and the second condition evaluates the risk score of the visited domain.

If the first condition is met, IncMan adds the additional host information to the incident as an incident artifact, updates the priority to high, creates a helpdesk ticket to investigate the affected machines for signs of a possible infection, and adds the malicious file hash to Cisco AMP’s block list. If no additional hosts interacted with the malicious file, IncMan adds the malicious file hash to Cisco AMP’s block list and exits the Runbook.

If the second condition is met, the R3 Runbook queries the organization’s SIEM for evidence that any additional hosts visited the malicious domain. If additional hosts have been observed communicating with this domain, IncMan automatically adds those hosts to the incident as artifacts, updates the priority to high, creates a helpdesk ticket to have the affected machines evaluated, and adds the domain to its block list before exiting the Runbook.
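The branching logic of the use case above, modelled as an added Python example (this is not IncMan or Cisco AMP code, and none of the calls below are their APIs). The AMP file trajectory, domain reputation scores and SIEM proxy log lines are constructed stand-ins; the risk threshold, host names and hash placeholders are assumptions made for the illustration. The runbook function records which artifacts, priority change and response actions the two conditions would produce for a given alert, so both paths of each condition can be exercised.

```python
import re
from dataclasses import dataclass, field

# Assumed threshold: a domain reputation score at or above this value is
# treated as "malicious" by the runbook's second conditional branch.
RISK_THRESHOLD = 70

# Constructed stand-in for Cisco AMP's file trajectory lookup:
# file hash -> hosts on which AMP has observed that file. Hashes are placeholders.
AMP_FILE_TRAJECTORY = {
    "HASH-A-PLACEHOLDER": ["mkt-ws-01", "mkt-ws-07", "fin-ws-03"],
    "HASH-B-PLACEHOLDER": ["mkt-ws-01"],
}

# Constructed stand-in for a domain reputation service: domain -> risk score.
DOMAIN_REPUTATION = {"downloads.bad.example": 92, "cdn.benign.example": 8}

# Constructed SIEM proxy log lines (not real data).
SIEM_PROXY_LOG = """\
2024-05-01T09:12:03Z host=mkt-ws-01 dst=downloads.bad.example action=allow
2024-05-01T09:14:41Z host=hr-ws-12 dst=downloads.bad.example action=allow
2024-05-01T09:15:02Z host=fin-ws-03 dst=cdn.benign.example action=allow
2024-05-01T09:20:17Z host=eng-ws-22 dst=downloads.bad.example action=allow
"""

LOG_RE = re.compile(r"host=(?P<host>\S+) dst=(?P<dst>\S+)")


@dataclass
class Incident:
    """Incident record the runbook enriches: alerting host, file hash, domain."""
    alert_host: str
    file_hash: str
    domain: str
    priority: str = "medium"
    artifacts: list = field(default_factory=list)
    actions: list = field(default_factory=list)


def hosts_that_visited(log_text, domain, exclude):
    """SIEM query stand-in: hosts other than `exclude` seen contacting `domain`."""
    hosts = set()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group("dst") == domain and m.group("host") != exclude:
            hosts.add(m.group("host"))
    return sorted(hosts)


def run_malicious_download_runbook(inc, amp=AMP_FILE_TRAJECTORY,
                                   reputation=DOMAIN_REPUTATION,
                                   siem_log=SIEM_PROXY_LOG):
    """Apply the two conditional branches and return the enriched incident."""
    # Enrichment step: file trajectory from AMP and reputation of the domain.
    other_hosts = [h for h in amp.get(inc.file_hash, []) if h != inc.alert_host]
    risk = reputation.get(inc.domain, 0)

    # Condition 1: did any other machine interact with the malicious file?
    if other_hosts:
        inc.artifacts.extend(f"host:{h}" for h in other_hosts)
        inc.priority = "high"
        inc.actions.append("helpdesk_ticket:investigate_file_on_hosts")
    # The file hash is added to the AMP block list on either outcome.
    inc.actions.append(f"amp_block_hash:{inc.file_hash}")

    # Condition 2: is the visited domain high risk? If so, ask the SIEM
    # whether other hosts reached it, and only then block the domain.
    if risk >= RISK_THRESHOLD:
        visitors = hosts_that_visited(siem_log, inc.domain, inc.alert_host)
        if visitors:
            inc.artifacts.extend(f"host:{h}" for h in visitors)
            inc.priority = "high"
            inc.actions.append("helpdesk_ticket:evaluate_domain_visitors")
            inc.actions.append(f"block_domain:{inc.domain}")
    return inc


if __name__ == "__main__":
    result = run_malicious_download_runbook(
        Incident("mkt-ws-01", "HASH-A-PLACEHOLDER", "downloads.bad.example"))
    print(result.priority, result.artifacts, result.actions, sep="\n")
```

Running the script with the first constructed alert (a file seen on two other hosts, downloaded from a high-risk domain that two further hosts also contacted) takes both branches: the priority rises to high, four host artifacts are attached, two tickets are raised, and both the hash and the domain are blocked. A second alert with a file seen only on the alerting host and a low-risk domain leaves the priority unchanged and produces just the hash block, matching the "no additional hosts" exit path described above.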

Combining the power of IncMan SOAR from DFLabs with Cisco AMP for Endpoints enables organizations to stop malware in its tracks through automated threat hunting and remediation. Security teams can quickly uncover threats and improve the organization’s overall security posture while maintaining full endpoint visibility.

If you would like to learn more about this integration, check out our recent webinar “AMP Up Your Response with SOAR and Cisco’s Security Suite”, available on demand.

