In which scenario is endpoint-based security the solution?
Endpoint-based security is most appropriate for inspecting a password-protected archive. Network-based security mechanisms are generally unable to provide visibility into encrypted content such as password-protected archives because they cannot decrypt the data. This task requires an endpoint-based solution that operates directly on the device, where it can prompt for a password when the user attempts to access the archive and then perform an inspection once the content is accessible.
A, B and C can be done at the network level. Only for a password-protected (=encrypted?) archive is there not enough information at the network level, so it needs to be done on the endpoint.
Application control (C) can't be done at the network level.
I'm going with A. Endpoint protection cannot open a password-protected archive. Endpoint protection does not do signature-based application control. You can create application block lists and allow lists using file hashes, but no signature-based application control that I'm aware of. Inspecting encrypted files can be done at the network level, but it is not optimal: it consumes way too much firewall CPU and can be impractical. Also, some encrypted sites implement certificate pinning and client-side validation, and therefore network decryption will appear as a man-in-the-middle and fail. Endpoint protection is the recommended solution for inspecting encrypted traffic.
What about when the user enters the password for the protected file? Then AMP would ask for its hash, wouldn't it? (Hope so)
The answer is D. B is nonsense. A can be done at the network level (ETA, SSL decryption), so you don't need an endpoint solution for that, and C can also be achieved by an IPS, so again you don't need an endpoint solution. But if a malicious file is zipped and password-protected, it will bypass most of the security controls; only an endpoint protection solution will detect it and stop it at the moment of execution.
https://blogs.cisco.com/security/endpoint-protection-platform-epp-vs-endpoint-detection-response-edr#:~:text=Cisco%20AMP%20for%20Endpoints%20goes,block%20malware%20in%20real%2Dtime.
Think it's C. In AMP, it saves the hash of the app you upload and can block it.
I prefer C.
Thanks DWizard, excellent illustration.
Correct answer is D. Checked in securitytut.
I like C; application control is the key one I would pick for endpoint protection.
C: Performing signature-based application control (executable hash used to block an application). Inspecting traffic is not endpoint-based. Device profiling and authorization is ISE. Inspecting a password-protected archive is not an AMP function.
Thought C initially, but I agree with bigblob that it's actually D per their reasoning. Pretty sure there are always new IPS signature updates on FTD, and FTD is not an endpoint-based security solution.
Based on Cisco SCOR materials I choose A: because HIPS is installed directly on the host that it is protecting, it can monitor processes and resources on the system. It can also analyze encrypted traffic after it has been decrypted, which is something a network-based IPS cannot do.
Did some googling; it seems EDR and XDR can't inspect password-protected files, so based on this D isn't correct, as it's impossible to execute D.