Cisco Secure Endpoint Overview

Cisco Secure Endpoint is the #4 ranked solution in EDR tools and the #5 ranked solution in endpoint security software. PeerSpot users give Cisco Secure Endpoint an average rating of 8 out of 10. Cisco Secure Endpoint is most commonly compared to Microsoft Defender for Endpoint: Cisco Secure Endpoint vs Microsoft Defender for Endpoint. Cisco Secure Endpoint is popular among the large enterprise segment, accounting for 56% of users researching this solution on PeerSpot. The top industry researching this solution is professionals from computer software companies, accounting for 23% of all views.
Cisco Secure Endpoint Buyer's Guide

Download the Cisco Secure Endpoint Buyer's Guide including reviews and more. Updated: July 2022

What is Cisco Secure Endpoint?

Cisco Secure Endpoint is a cloud-managed endpoint security solution that provides advanced protection against viruses, malware, and other cyber threats by detecting, preventing, and responding to threats. Cisco Secure Endpoint is managed online via a web-based management console and can be deployed on a variety of platforms. It protects endpoints, networks, emails, and web traffic.

In a world of evolving threats, it’s necessary to put security above everything. Cisco Secure Endpoint provides you with the scope, scale, and capabilities to attain effective security with its integrated portfolio and industry-leading threat intelligence. Cisco Secure Endpoint continuously tracks and analyzes files and file activities across your systems - both remote and on premises - and compares these events to other events that occurred before or during past attacks. If a file exhibits malicious behavior, the tool sends an alert which enables you to stop a potential threat from succeeding.

Key Capabilities of Cisco Secure Endpoint

  • Multi-layered protection: Cisco Secure Endpoint combines behavioral analytics, machine learning, and signature-based techniques to prevent threats from compromising your endpoints.

  • Powerful EDR capabilities: Reduce attack surface using advanced endpoint and extended detection and response, threat hunting, and endpoint isolation.

  • Dynamic malware analysis: Identify and block attacks in real time.

  • Simplified investigations: Advanced search capabilities help you get the information you need about your endpoints fast.

Reviews from Real Users

Cisco Secure Endpoint stands out among its competitors for a number of reasons. Two major ones are its ability to enable developers to easily secure their endpoints with one single operation using its management console and its advanced alerting techniques.

Tim C., an IT manager at Van Der Meer Consulting, writes, "The solution makes it possible to see a threat once and block it everywhere across all endpoints and the entire security platform. It has the ability to block right down to the file and application level across all devices based on policies, such as blacklisting and whitelisting of software and applications. This is good. Its strength is the ability to identify threats very quickly, then lock them and the network down and block the threats across the organization and all devices, which is what you want. You don't want to be spending time working out how to block something. You want to block something very quickly, letting that flow through to all the devices and avoiding the same scenario on different operating systems."

Wouter H., a technical team lead network & security at Missing Piece BV, notes, "Any alert that we get is an actionable alert. Immediately, there is information that we can just click through, see the point in time, what happened, what caused it, and what automatic actions were taken. We can then choose to take any manual actions, if we want, or start our investigation. We're no longer looking at digging into information or wading through hundreds of incidents. There's a list which says where the status is assigned, e.g., under investigation or investigation finished. That is all in the console. It has taken away a lot of the administration, which we would normally be doing, and integrated it into the console for us."

Cisco Secure Endpoint was previously known as Cisco AMP for Endpoints.

Cisco Secure Endpoint Customers

Heritage Bank, Mobile County Schools, NHL University, Thunder Bay Regional, Yokogawa Electric, Sam Houston State University, First Financial Bank

Cisco Secure Endpoint Pricing Advice

What users are saying about Cisco Secure Endpoint pricing:
  • "The pricing and licensing are reasonable. The cost of AMP for Endpoints is in line with all the other software that has a monthly endpoint cost. It might be a little bit higher than other antivirus type products, but we're only talking about a dollar a month per user. I don't see that cost as being an issue if it's going to give us the confidence and security that we're looking for. We have had a lot of success and happiness with what we're using, so there's no point in changing."
  • "There is also the Cisco annual subscription plus my management time in terms of what I do with the Cisco product. I spend a minimal amount of time on it though, just rolling out updates as they need them and monitoring the console a couple of times a day to ensure nothing is out of control. Cost-wise, we are quite happy with it."
  • "Our company was very happy with the price of Cisco AMP. It was about a third of what we were paying for System Center Endpoint Protection."
  • "There are a couple of different consumption models: Pay up front, or if you have an enterprise agreement, you can do a monthly thing. Check your licensing possibilities and see what's best for your organization."
  • "The Enterprise Agreement is like an all-you-can-eat buffet of Cisco products. In that vein, it was very affordable."
  • "We can know if something bad is potentially happening instantaneously and prevent it from happening. We can go to a device and isolate it before it infects other devices. In our environment, that's millions of dollars saved in a matter of seconds."
  • "We have a license for 3,000 users and if we get up to 3,100 users, it doesn't stop working, but on the next renewal date you're supposed to go in there and add that extra 100 licenses. It's really good that they let you grow and expand and then pay for it. Sometimes, with other products, you overuse a license and they just don't work."
  • "Cisco Secure Endpoint is not too expensive and it's not cheap. It's quite fair."
Cisco Secure Endpoint Reviews

    Tim Crosweller - PeerSpot reviewer
    IT Manager at van der Meer Consulting
    We have gained more visibility into what's going on because it detects a lot of threats
    Pros and Cons
    • "The solution makes it possible to see a threat once and block it everywhere across all endpoints and the entire security platform. It has the ability to block right down to the file and application level across all devices based on policies, such as blacklisting and whitelisting of software and applications. This is good. Its strength is the ability to identify threats very quickly, then lock them and the network down and block the threats across the organization and all devices, which is what you want. You don't want to be spending time working out how to block something. You want to block something very quickly, letting that flow through to all the devices and avoiding the same scenario on different operating systems."
    • "The connector updates are very easily done now, and that's improving. Previously, the connector had an issue, where almost every time it needed to be updated, it required a machine reboot. This was always a bit of an inconvenience and a bug. Because with a lot of software now, you don't need to do that and shouldn't need to be rebooting all the time."

    What is our primary use case?

    We have it installed on all our workstations and servers. Primarily, we started with it after we were hit with a ransomware attack about five years ago. We looked for something that would give us a bit more visibility as to what was going on the network, where the weak points were, etc. We had an antivirus solution (FireANT) back then, which obviously wasn't good enough on its own. So, we went looking for something that was going to be a little more granular in how it gave us visibility on the network. We have the Cisco AMP for Endpoints Connector on our workstations, which is all done in the cloud. We have Windows Server, Windows 10 workstation environment, and on-premise servers at the moment with some cloud. I guess we would call ourselves a partly hybrid business, with some stuff in the cloud, and all our access points have Cisco AMP on them. This currently includes work-from-home devices, because we have a lot of people still working from home with the coronavirus thing going on, even home users have Cisco AMP as well. Our operating systems, whether they be Linux, Windows, Mac, or Google Android, are well-protected.

    How has it helped my organization?

    We now have gained more visibility into what's going on. We had an incident four or five years ago where a member of our staff had a Tor Browser installed on his workstation in the office. I discovered it by chance while doing some work on his workstation. At that time, we had no way of knowing what was going on. Now, between our two Cisco products, we have the capability to see and block that sort of thing going on from the network side. From that point of view, it's straightaway. It has given us the security aspect of not having to deal with people putting Tor Browsers on their workstations to access stuff on the dark web. We have been able to lock that down straightaway, which is good, because that's obviously a big threat to any business. If you don't understand what's going on in and out of your office, whether physically or virtually, then you have no idea what's going on and where your risks are going to be.

    It gives us visibility with minimal intrusion. We don't have an on-premise sort of interaction with it, though. It's just a connector that sits on the workstations and servers, then interacts with the workstations or servers through to the cloud. It has very minimal impact on us in terms of performance. They have recently improved the updating of the program. It no longer requires a reboot after a connector update, which is always a handy thing. From that point of view, the impact is better on the business. I can roll out an update to all devices and not have to worry about having reboots, particularly for servers. Thus, the impact has gotten better on the business over time.

    The solution makes it possible to see a threat once and block it everywhere across all endpoints and the entire security platform. It has the ability to block right down to the file and application level across all devices based on policies, such as blacklisting and whitelisting of software and applications. This is good. Its strength is the ability to identify threats very quickly, then lock them and the network down and block the threats across the organization and all devices, which is what you want. You don't want to be spending time working out how to block something. You want to block something very quickly, letting that flow through to all the devices and avoiding the same scenario on different operating systems.

    The solution simplifies endpoint protection, detection, and response workflows, such as security investigation, threat hunting, and incident response. We have policies and procedures in place now at the HR user level and also at the machine level to make sure that certain procedures are followed and those procedures are put in place. From that point of view, the Cisco gives us confidence. We don't have to worry too much about threats. This means we can focus a lot more on doing the work we are being paid to do rather than spending time trying to protect the business too much. The fact that we are very quickly able to see what's going on is good in terms of how much time it takes to work through any issues.

    We now have a standard rollout of devices with procedures in place. The shared nature where Cisco AMP gets installed on all our devices means we are benchmarking our risk at a level that we're comfortable with. We don't have to deal with managing that risk day-to-day, as the risk level is fairly low in terms of what we're expecting from day-to-day operations. From that point of view, this means we can focus more on the business at hand rather than worrying incessantly about threats to the business.

    What is most valuable?

    You can see what's going on. It detects a lot of stuff, which is benign, but still detects it as a potential threat or IoC. It has a lot more visibility than traditional antivirus, anti-malware programs. From that point, I feel comfortable that we are seeing everything that is going on. There is a lot of stuff that you don't need to do too much with as it may be a case of some poorly written software executing a potential flag as something of concern. However, at the end of the day, it's nothing to worry about. Therefore, I feel fairly comfortable that we're getting full visibility as best we can on what's going on, and it is better to know what's going on (than not). Our webpage/portal records all instances of programs accessed on the computer, everything accessed on the internet, all the system processes, and any programs that are running. It then scans them for potential issues. If we installed some software that has a potential issue, we will flag that and have a look to decide whether we want to allow that through or whether to block it. It shows a lot of stuff going on in the workstations, and to a lesser extent, the servers. Cisco AMP allows us to see within a process what the potential threat may be, for example, on a workstation. That threat may be benign or may be more serious. But, it gives us the opportunity to see those threats, evaluate them, and rate them how we see fit, then do something with them, if necessary. It is now less of an inconvenience on the business from a rebooting aspect. The console is there running in the background all the time. I can just tap on the console at any point to see what's going on. I usually do this a couple times a day. It allows visibility at any point in time because it's doing this in real-time. There is very little lag. If there are any issues, I get a notification. Then, we can then jump in straightaway, have a look, and assess it.  
    The tools provided by the solution to investigate and mitigate threats are very comprehensive. Sometimes, they're almost too comprehensive. You can get caught up delving very deep into things that you potentially don't need to. The integrations set it above your traditional antivirus, console-type applications in relation to visibility. It's very high-level in terms of how it works and what it can do. Cisco AMP offers user access and device protection in a single endpoint security solution. In combination with Cisco Umbrella, it is looking at attacks from a different point or source. It's good enough with these two products to do the job. We don't see a need for another particular third-party security software.

    What needs improvement?

    The biggest area where I liked seeing improvement is in the interface and its interaction with the customer and portal. Since these things are quite technical, it's important that you can find your way around the console quickly without having to remember where things are. I think the interface has improved quite a lot in the last couple of years, which is good, but also the integrations are starting to be incorporated a lot more too. We can see more value in the product as time goes on. It's a different product to what it was when we first got it in terms of visibility and also its user interface. You need a certain level of technical experience because the console is not the easiest thing to look at. It's very in-depth and there's a lot going on. It does a lot of stuff. I often compare that to our antivirus console, which is pretty self-explanatory, but it is not really doing a lot in terms of its visibility. It will do similar remediation work, but AMP has the visibility. You can see where it's going and what processes are running. Everything that it's tracking can be overwhelming to some people so you need a level of IT and technical experience to understand what it's doing and your way around the console. It's a very high-level product in that respect. Therefore, it might scare a few people off if they're not up to that level. However, if you have someone who can handle it, then it's fine. There are some features with the integrations that I'm not using because I haven't gotten my head around how they integrate and how best to integrate them into what we're doing. It is just a matter of giving me some time to sit down with a Cisco rep and working through it to understand exactly what these things are doing, then implementing them. I am not one to pay for something that we're not going to use. However, from what I can see, everything that comes with the product is worth doing. 
Obviously, the threats out there now in the internet world are only getting more complex. Therefore, it makes sense that we keep up with all the technology and software that comes with it.
    For how long have I used the solution?

    About four years.

    What do I think about the stability of the solution?

    I have had a couple of instances in the time that we have had the solution:

    • It got too smart for itself and detected an Adobe Reader update as malicious, blocking all PDFs. They remediated that fairly quickly.
    • There was an issue with a connector merging at the start of the coronavirus when we were going into lockdown and sending people to work from home. This caused some issues, but they found that very quickly and were able to remediate it. We were able to roll the connector back.

    These issues do pop up from time to time. With any software, there can be upgrades and issues that cause problems. Overall, the stability of the program and software have been very good. The product has improved considerably over the last 12 to 18 months. They have done a lot of updates to the console and connector. The connector interaction with the workstation has been minimized. The visibility inside the console has improved.

    What do I think about the scalability of the solution?

    Typically, we have about 120 devices, but we have an extra 60 work-from-home devices at the moment. The scalability is good because we were able to go from 120 devices to 180 very quickly. Therefore, we are able to push devices out very quickly, as needed. There are no issues from my point of view. We have used the solution as much as we can because we have it on every device that we are using. From that point of view, we have maxed out our utilization because we are using it on every device. On every new device that gets bought in, the first thing that gets put on it is the Cisco products before they touch the Internet and the network, just as a precaution.

    How are customer service and support?

    Our rep in Sydney is a certified Cisco supplier and provider. The company is Outcomex. The rep was involved in the setup of the whole thing. We are still using the company for our Cisco products, which is good.  Outcomex is very good. They have looked after any issues we've had with AMP and Umbrella along the way. There might have been some configuration issues that we've had. We have had a few instances where we have needed a bit of external support, and they have been able to give me support very quickly with a fast turnaround. There have been a few changes to the software, such as the threat intelligence, Threat Grid and a couple of other packages/integrations. I must admit that I haven't had a lot of time in the last couple of months to really delve into them. It's something I was going to go and talk to my Cisco rep over in Sydney to get more of an idea of how they work and how we can integrate them. I see a lot of tools coming out now, along with a lot of integration tools working with the products, which look very good. I just haven't quite got my head around the implementation and how to get the best outcome out of those tools. There was a case when our provider said, "You best talk to Cisco directly on that." I think that was only once, but the support was very good. That support request was attended to very quickly.

    Which solution did I use previously and why did I switch?

    Fortunately, our ransomware attack was way back in the very early days when no one really knew anything about it. However, I had done a bit of reading on it and knew the first thing to do when you see one of those things is to disconnect the machine from the network that is causing the issue. I knew which one it was straightaway, so I managed to disconnect it from the network. Then, the proliferation stopped straightaway. We were able to get stuff from the backup fairly quickly because we have good backup regimes in place, but it was purely by chance that I came across the ransomware as a threat. Although I didn't understand to what extent it went, we were able to mitigate it. The ransomware attack took probably a good two days of my time fixing and getting things back to normal. It impacted some people in the business world because of where the ransomware got into the network. That was the wake up call, to say, "Hang on. We need something that's going to flag these issues and give us visibility." Our antivirus software was completely benign to it at that time. It had no idea and didn't pick anything up. That's what made us go looking for something. We came up with FireAMP (Cisco AMP). We decided to trial it for a few months and got an idea of exactly what was going on in the network. We did an audit on the network (to start with) and realized that we had some issues. While all stuff was mostly benign and just sitting around the place, it gave us the ability to quickly see what was going on. That was when we decided to go down the path of getting something that would give us that visibility. The firewalls did their job to some extent. Since then, we have changed our Internet providers and now have a managed firewall. This takes a bit of pressure off me, but we've left AMP in place since we assume that the firewall will let through various things. So, we take the position that we use both Cisco products to protect us from anything that gets through. 
It is not a matter of just relaxing a bit because we have a managed firewall in place with a lot more security than we probably had five years ago. We still take the view that we need to protect inside the network, assuming something gets through the door, because there are always ways around these things. That's how these things start: They get ahead of a security software before the security software can catch up.

    How was the initial setup?

    The initial setup was pretty straightforward.  We pushed the deployment out in a day. Once we had the connector configured and policies configured to how we saw best at the time, it was a fairly straightforward rollout. Because it was pushed out through the portal in the cloud, all the devices were rolled out pretty quickly. The connector updates are very easily done now, and that's improving. Previously, the connector had an issue, where almost every time it needed to be updated, it required a machine reboot. This was always a bit of an inconvenience and a bug. Because with a lot of software now, you don't need to do that and shouldn't need to be rebooting all the time. The connector updates happen every six to eight weeks. Now, it's just a matter of me saying, "Push out the update," and off it goes. There is minimal time involved, as it's just a matter of me pushing it out. However, I don't push them out automatically. I always hold back a little bit on updates, like Windows updates, because quite often updates come with more problems than they solve. I usually wait a week or so before implementing them.

    What about the implementation team?

    We did a two-week audit of it to assess what threats we had. That was done with our Cisco rep. He put a device in that sniffed out all the traffic on the network and produced a report to show where our weaknesses were and what we had on the network sitting there benignly. That gave us a benchmark to configure the product in its initial stage before implementing. The rollout was quite easy. The deployment was done with a Cisco rep and me.

    What was our ROI?

    Because I was able to get on top of our ransomware attack fairly quickly, I was able to restore stuff from backups. Disruption is time, and we are a time-based business. We have done the numbers. If we had 100 technical people at X amount of dollars per hour charge-out rate, then that gives us an hourly cost as a very rudimentary way of working out hourly cost. Therefore, if we're down for half a day, or even a day, then we can very quickly work out how many dollars we will lose every time we get taken down by this type of attack. We haven't paid any ransoms because we didn't need to and we wouldn't do that. However, the other side of that is the downtime, assessing the damage, fixing it up, and then all the subsequent tidying up that goes on afterward, which can go on for a while. It would probably be a couple of days of lost productivity, which is not a huge amount in terms of time, but dollar-wise for small to medium businesses, it can be quite substantial in a month. We haven't had to spend time dealing with too many threats. That time is minimized in terms of how much we need to spend. The solution has decreased our time to remediate. We do a lot of stuff automatically, but we can manually go in and apply remediation straightaway on devices at a device and policy level. We can apply this throughout the business, which is what we want. If we see a threat at some particular level, we can make a decision to go in straightaway and tackle that threat through manual intervention because you can't blindly put your faith into something and expect it to do everything for you. You have to manage it and be proactive at all times. However, the amount of time spent doing the manual intervention is minimized.

    What's my experience with pricing, setup cost, and licensing?

    The pricing and licensing are reasonable. The cost of AMP for Endpoints is in line with all the other software that has a monthly endpoint cost. It might be a little bit higher than other antivirus type products, but we're only talking about a dollar a month per user. I don't see that cost as being an issue if it's going to give us the confidence and security that we're looking for. We have had a lot of success and happiness with what we're using, so there's no point in changing. There is also the Cisco annual subscription plus my management time in terms of what I do with the Cisco product. I spend a minimal amount of time on it though, just rolling out updates as they need them and monitoring the console a couple of times a day to ensure nothing is out of control. Cost-wise, we are quite happy with it.

    Which other solutions did I evaluate?

    We did look at another solution. At the time, there wasn't a lot of software for small to medium businesses. I was looking for something with a business name reputation behind it that would give us a good level of security. That's why we went with the Cisco solution. We initially went with Cisco based on its name in the industry, and we have been very happy with it. Cisco AMP comes with an in-built antivirus, but we have another antivirus that we use. Though AMP works whether you use their antivirus or not, it doesn't matter; we thought, "If we use a separate branded antivirus, they may have some extra sort of pickups that the AMP antivirus may not," to spread the risk a little. We have some other systems in place internally in terms of how we protect file installations and macros running on the network. Therefore, we do add extra layers of security that we feel that we need. However, we are confident that this will pick up most of this stuff along the way.

    What other advice do I have?

    At the start, we realized how much we didn't know what was going on in the network and where all the endpoint weaknesses were. That opened eyes up straight away to the risk that was involved. Then, we did the numbers, and said, "For us, risk is downtime, and time is dollars." We just did the sums very quickly and worked out what it would cost us if we didn't have any idea what was going on in the network and got hit by something that we should have been aware of. Because if the software is out there and gives you this type of visibility, you should be using it.  We do use it with another Cisco product, Cisco Umbrella, which is a DNS-level content-filtering, web-filtering software. That has had an impact on the business world in terms of restricting a lot of stuff which may have come in for some web pages or websites that may not have been secured. We have seen a reduced impact on the business because we're using the two Cisco products together. I would give Cisco AMP a nine (out of 10). It is as good as anything out there. I can't see any reason why we would look elsewhere for a product. It does the job it's meant to do and is improving all the time. We have been very happy with it.

    Which deployment model are you using for this solution?

    Hybrid Cloud
    Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
    Wouter Hindriks - PeerSpot reviewer
    Technical Team Lead Network & Security at Missing Piece BV
    Its dashboards immediately show you what's going on in your environment, what's being blocked, and what needs to be investigated
    Pros and Cons
    • "Any alert that we get is an actionable alert. Immediately, there is information that we can just click through, see the point in time, what happened, what caused it, and what automatic actions were taken. We can then choose to take any manual actions, if we want, or start our investigation. We're no longer looking at digging into information or wading through hundreds of incidents. There's a list which says where the status is assigned, e.g., under investigation or investigation finished. That is all in the console. It has taken away a lot of the administration, which we would normally be doing, and integrated it into the console for us."
    • "We have had some problems with updates not playing nice with our environment. This is important, because if there is a new version, we need to test it thoroughly before it goes into production. We cannot just say, "There's a new version. It's not going to give us any problems." With the complexity of the solution using multiple engines for multiple tasks, it can sometimes cause performance issues on our endpoints. Therefore, we need to test it before we deploy. That takes one to three days before we can be certain that the new version plays nice with our environment."

    What is our primary use case?

    We were looking for a security product, which would not only block known viruses, but give more visibility and control over anti-malware. We offer Desktop as a Service (DAAS) for small and medium businesses, so we have hundreds of laptops, desktops, and virtual machines. Because users click on everything, you need to have a solution in place which will detect if something happens and log it, if there's anything malicious, then it will be blocked and reported.

    The main reason for going with Cisco AMP is its integration with other Cisco solutions. It can integrate our firewalling, DNS protection, and email security appliance, so if there's a malicious file, and I see it on one of those devices, I can say, "Hey, I want to have this blocked," and it will immediately stop it being emailed in or out of our environment. It also can no longer be downloaded from the Internet. Thus, with one click, we have multiple points protected.

    AMP is a bit of a time machine for our environment. We can see any action being executed, connection being made, or file being written, whether it's malicious or not. Everything has been logged. I can basically go back in time and see, "This user opened this website," or, "This process created this file." If at any point in time, we do get something where, "There has been malicious activity there," we can completely follow it back:

    • How did it get there? 
    • Did it change other files? 
    • Did it leave a scheduled task somewhere? 
    • Did it connect to other machines? 
    • Did it drop software on another place even before it was known to be malicious? 

    All activity has been logged. If something turns out to be malicious, or if it's a user doing something they shouldn't be doing without using any malicious software but just using system tools, you can still see every command being run from the console.

    The management console is cloud-based and the deployment goes to the endpoints, which are either in our data center or on the laptops and desktops that users have in their offices.

    How has it helped my organization?

    We worked a lot from home over the past few months. This was our only product that did not need to be changed in configuration when all the laptops did not come into the office for a few weeks. As long as there's an Internet connection, it will get the updates. Anything happening locally will upload to your cloud so you have full mobility on it. You have no need to update your console. You log in one day, and there's a note saying, "We added these new features. Click here for more." It has taken a lot of the hassle out so you don't have to worry about the connectivity or updates. You can just worry about stopping the malware you're investigating and incidents in your environments.

    Any alert that we get is an actionable alert. Immediately, there is information that we can just click through, see the point in time, what happened, what caused it, and what automatic actions were taken. We can then choose to take any manual actions, if we want, or start our investigation. We're no longer looking at digging into information or wading through hundreds of incidents. There's a list which says where the status is assigned, e.g., under investigation or investigation finished. That is all in the console. It has taken away a lot of the administration, which we would normally be doing, and integrated it into the console for us.

    With Cisco AMP, or any Cisco security products, you get Cisco Threat Response. Threat Response takes the intelligence from all your different solutions, then combines it with sources, like VirusTotal, and includes general information that Cisco has available on those threats. E.g., if I see a file somewhere, I can with one click go from my AMP console to Cisco Threat Response, and there it will be enriched, saying, "We have already seen this piece of software two months ago in Japan. This is what we thought of it. We did an automatic analysis on it. These are the indicators on this piece of software being either malicious or benign." With Threat Response, it is very easy to go from what's happening on my environment to what's happening in the world.

    If there's spam coming from a machine, I can with one click determine, "Has there been any other intrusive events originating from this machine? Has it been sending me just spam or has it also been scanning me, making connections to other machines, or login attempts?" With Threat Response, we get the view from all sides, both inside and outside our network.

    Orbital helps us with investigation, especially if there's been an incident on one machine, and I want to know, "Are there other machines in my environment with the same type of modifications." It's just a click away. I don't have to leave the Orbital or AMP to do the incident investigation. Thus, I don't have to pivot to another solution to check the event logs or files on the endpoints, and not having to leave the tool is very efficient. You have the same casebook in which you can keep notes of your investigation, then you can share the notes with your colleagues. 

    The solution simplifies endpoint protection, detection, and response workflows, such as security investigation, threat hunting, and incident response. This positively affects our operational efficiency. We don't have to guess anymore if we have everything or need to use different tools. I can query the machines directly from Orbital. It's a complete tool set. You don't need anything else besides the tools you get with Cisco AMP. There are things now possible which we could not do before, and they're easier than before as well.

    What is most valuable?

    I find the integration to be valuable. Cisco Email Security, Threat Response, and firewall are all completely integrated with this solution. It's very easy to connect your firewall or Email Security appliance with AMP to get visibility within Threat Response. On Cisco's end, we have had no trouble integrating. You go to the menu, and say, "I want to integrate this kind of device." Then, it basically shows you which buttons to click to integrate. It has been very easy.

    The ability to create groups and policies precisely to your liking is also valuable. You can choose which engines you want to use for specific groups and what type of protection you want for what machines. It's not a single, one-size-fits-all. You can precisely match it to your requirements. E.g., if I have a file server and a laptop, then I want a different type of protection for those machines.

    The console is really great. It's web-based. You can give everybody access. It has some great dashboards, which immediately show you what's going on in your environment, what's being blocked, and what needs to be investigated. It also makes collaboration very easy. If I start an investigation, I can open a virtual casebook that will be also stored on the console. I can invite other users to collaborate with me on the same investigation without having to send them notes or have another communication channel open to check things. E.g., I open the casebook and add interesting events to it, then other users are being updated immediately. They can also add to the same casebook, as it is very easy to collaborate from within the console on incident response.

    Orbital is a good feature. It's based on SQL query. You can say, "I want to see failed login attempts," to see if there is anything out of the ordinary, then select a random or specific number of endpoints. It can run queries against the machine without you needing to make sessions. You can check if:

    • There have been any alterations in the host files.
    • Any new applications were installed.
    • There have been any events taking place in the event log, without having to leave the AMP environment.

    What needs improvement?

    We have had some problems with updates not playing nice with our environment. This is important, because if there is a new version, we need to test it thoroughly before it goes into production. We cannot just say, "There's a new version. It's not going to give us any problems." With the complexity of the solution using multiple engines for multiple tasks, it can sometimes cause performance issues on our endpoints. Therefore, we need to test it before we deploy. That takes one to three days before we can be certain that the new version plays nice with our environment.

    For how long have I used the solution?

    At least a year.

    What do I think about the stability of the solution?

    The stability is very good. We have had no issues with the console. It has always been available. The connector also runs well.

    What do I think about the scalability of the solution?

    I have to ensure that the connector is installed on every device, whether it be an iPhone, Android, Linux, or Windows. I don't have to worry about the console, the amount of data, or the back-end, as that is all being handled by the cloud. Therefore, I can scale as much as I want, as long as I have enough licenses.

    We currently cover 500 endpoints with Cisco AMP and are looking to scale that up to 3000 this year.

    Working on the console: We have seven users. 

    Working on machines protected by AMP: We have about 5,000 users.

    How are customer service and technical support?

    There have been a few incidents where we used their technical support, which has been very good. The highest level of certification is Cisco Certified Engineer, and these are the first people whom I talk to as I log an incident with Cisco AMP. They are certified at that level. Therefore, I'm talking to somebody who has intimate knowledge about the products. They react quickly and know what they're talking about. They say, "Can we schedule a remote session? I can work with you on the problem." Then, it's always been either the same day or the next day that they say, "I have a solution," or "I'm going to continue to work with you towards that solution."

    Which solution did I use previously and why did I switch?

    We previously used Microsoft System Center Endpoint Protection. We switched away from it for two reasons:

    1. System Center Endpoint Protection is a classic antivirus product, which will block no malware and only work on Windows. There is nothing advanced about it. It does not have login or the cloud console. It will only give you alerts if the machine is connected to the domain. It was a legacy product looking at the malware and the threat landscape. There was no ransomware protection. There was no sandboxing any threats if there was an unknown file. Now, it will be sent over to Cisco Threat Grid and go right on the VM, then there will be a verdict passed saying, "Good file, bad file, suspicious file." The previous solution didn't have that. 
    2. Our company was very happy with the price of Cisco AMP. It was about a third of what we were paying for System Center Endpoint Protection.

    We had ransomware before we had Cisco AMP. Basically, the user calls you to say, "Hey, there are some files I cannot access well." You log into the machine and look at the processes, then you see there is a process encrypting all the files. You kill the process, get the files (which have been touched), and then start to restore. However, how can I be certain that the process which was started by the user did not leave a scheduled task saying, "In five hours, we have to start another thing," or did it upload any user data to a different machine? How can I know if there was data loss involved in this incident?

    With our previous solution, you had no way to be sure that you were not missing something, if there were not any files left, passwords/data stolen, connections made to different machines, booby traps or scheduled tasks left, etc. With Cisco AMP, if it manages to execute, I can say, "How did we get this file?" With one click, I can block it from being downloaded from the Internet and being emailed in/out of our environment. I can also see if there were any files created or connections being made. Then, I can be 100 percent sure if there was a data exfiltration, anything left behind, or if we missed anything. AMP is very thorough.

    With our previous solution, if it was known malware, we would get an alert. If it was an unknown malware or ransomware, our users were our detectors. Then, it might take hours before they could say, "Hey, something's not working for me." Cisco AMP will get you that same alert within minutes of an incident occurring.

    Before we had the Orbital tool and Threat Response, we were just feeling around in the dark if we were doing an investigation. We were never sure, "Did we get everything?" We did positively identify malicious malware, but, "Did we miss anything? Has anything else happened? Is this also happening on different machines?" There were these questions we were not able to get 100 percent satisfying answers on. With Cisco AMP, Threat Response, and Orbital, we are 100 percent certain that we got every trace of malicious software. We're also certain that no other machines have been compromised or will be compromised in the same way.

    How was the initial setup?

    The initial setup is straightforward. Because the console is cloud-based, you get an email saying, "An account for you has been created. Click here to log in." Then, there is the console. There are some basic groups there, and you say, "I want to have these settings." You download an installer, which already has the policy you defined included, and run it. It installs the connector on the endpoint, then the endpoint starts talking with your console. That's all you have to do. 

    You log into a website, configure your settings, get an executable that you deploy to your endpoints, and that's it. Any policy or connector updates can trigger from the console, because if you can use a web browser, you can deploy Cisco AMP and update it.

    I had the first machines deployed within an hour. After, we started a fine-tuning process, which includes policies, exclusions, and rights. Total deployment was probably two or three weeks before it was part of our default image, where every new machine was being imaged with a connector included.

    What was our ROI?

    Time to response is a lot faster. With every incident, at least six to 10 man-hours are saved because the damage has been reduced significantly. Additionally, if I have to work on file restore for six hours, for those six hours, my IT users cannot work on that application. This does not even take into account lost productivity of hundreds of users waiting to get access to the data again who also have to wait for six to 10 hours.

    The visibility has increased a lot because all the heavy work is being done in the cloud. Therefore, we see a lower CPU and memory footprint on the endpoints. All the connectors on the endpoints send your information to the cloud where it is being analyzed, then it just gets the information back. There is not a lot of heavy stuff going on with the endpoint compared with the previous solution where you had a lot of work being done on the endpoint. Thus, you're taking away CPU cycles and memory from the applications you wanted to run there.

    Our technicians are doing more meaningful tasks. They can just do their threat hunting and incident response without having to find tools that can do the things already built into AMP and Threat Response.

    What's my experience with pricing, setup cost, and licensing?

    There are a couple of different consumption models: Pay up front, or if you have an enterprise agreement, you can do a monthly thing. Check your licensing possibilities and see what's best for your organization.

    Note: You can upgrade or increase the number of licenses by just placing a new order.

    Which other solutions did I evaluate?

    We did do a product selection, but we did only the proof of value with Cisco AMP. We looked at Trend Micro and a VMware product on paper. However, looking at our integration possibilities, since we were already using Email Security and firewalling from Cisco, there was no other product that offered the same level of integration.

    What other advice do I have?

    Read the manual. There is a lot of information in there. 

    Cisco gives threat hunting workshops globally, which are free. They take about half a day and show you how to use this product for threat hunting. Because we're looking at protection and antivirus, we're looking at a reactive response if there is a nasty file to be blocked. With Cisco AMP, you get the possibility to proactively go hunting for threats and find them before they become a problem. The workshop really shows you the different tools with real life examples, how to effectively test, and how to make the most of your investment in Cisco.

    The solution’s endpoint protection is very comprehensive in terms of the operating systems and devices it protects, e.g., servers, Windows and Linux, smart devices, tablets, or home PCs. As long as it has an Internet connection, I can deploy an endpoint connector. I can get all the input into Microsoft for that endpoint as well. We haven't had any operating systems or devices in which we could not get visibility with AMP.

    Other solutions are just the basic, "There was something wrong." They will give you the location, but will not give you the context, from which user, nor show you how the file got onto the system. With Cisco AMP, I just open a dashboard and it will show me (without doing anything), "We had 60 malware incidents via Chrome. We had five malware incidents via Outlook. We had two malware incidents from USB sticks." Immediately, we have an overview of how we're doing today, also showing where the nasty things are coming from. I don't know if there is anything that I'm not seeing.

    With Threat Response, there should be some new integrations announced later this month.

    I would rate this solution as a 10 (out of 10). 

    Mark Bonnamy - PeerSpot reviewer
    Technical Director at Ridgewall Ltd
    Reseller
    Top 10
    Targets issues more accurately, helping us to focus high-cost engineering resources more accurately
    Pros and Cons
    • "If somebody has been compromised, the question always is: How has it affected other devices in the network? Cisco AMP gives you a very neat view of that."
    • "The ability to detonate a particular problem in a sandbox environment and understand what the effects are, is helpful. We're trying, for example, to determine, when people send information in, if an attachment is legitimate or not. You just have to open it. If you can do that in a secure sandbox environment, that's an invaluable feature. What you would do otherwise would be very risky and tedious."
    • "...the greatest value of all, would be to make the security into a single pane of glass. Whilst these products are largely integrated from a Talos perspective, they're not integrated from a portal perspective. For example, we have to look at an Umbrella portal and a separate AMP portal. We also have to look at a separate portal for the firewalls. If I could wave a magic wand and have one thing, I would put all the Cisco products into one, simple management portal."

    What is our primary use case?

    We needed an endpoint security product and this was the one that we chose. We also use Cisco Umbrella, which fits in neatly with the endpoint as endpoints are moving, more and more, out of the office now. Traditionally, it's slightly harder to manage that, so we use Cisco AMP and Umbrella on those endpoints to secure them.

    It's almost entirely on-premise. Although there are some small cloud installations where we use it.

    How has it helped my organization?

    The fact that the solution offers cloud-delivered endpoint protection makes it simpler to use. Historically, Cisco's appliances have been relatively expensive and that has been a block to Cisco getting into the SME space, which is our particular focus. Having it cloud-based, where there's no cost, as such, to get the deployment running, has made it easier to sell to small businesses. We've got AMP installations with as few as two users. In the past, with Cisco, we would never have been able to deliver into that size of business without some sort of cloud for delivering it.

    It also has a neat web interface that allows us to access it simply and therefore more people are able to manage it, rather than it being a specialist product. We're able to give it to more junior people on the helpdesk and they're able to determine quite quickly and simply what the state of the environment is and, if needed, escalate it to more senior people if they believe there's an issue. That's worked well for us.

    We had quite a large client that had a partial AMP installation only covering key assets, and they were hit by ransomware. It was only Cisco AMP that showed where the problems were. The rest of the antivirus that they had across the estate was completely ineffective. AMP was intact and it gave the engineers the vital information they required to remediate the problem. With all attacks what we're interested in is knowing what was "patient zero," where the problem came in, and where it's spread. That can be a challenge sometimes when you've got multiple devices in a network and you're looking across a large number of PCs to work out who was compromised first and, therefore, what the course of action is.

    It has decreased our time to remediate. In the scenario of the client that was hit by ransomware, effectively, none of the endpoints were compromised. We were able to detect what the issue was via the AMP client, which discovered and alerted us to what the actual problem was. We then had to do a cleanup process on the remaining ones. It certainly showed its value to us and the client in that particular incident. It is hard to say how much time it saved us, because in that particular incident they only had a limited deployment. It actually took six man-days to solve the problem, but it didn't affect any of the AMP clients. It arguably could have taken even longer, had they not had AMP deployed on at least some of the assets. It's very simple: If they had had AMP on all of them, they would have probably avoided the problem in the first place. And they certainly wouldn't have needed six days to actually resolve the issue.

    Cisco Threat Response accelerates Cisco Umbrella security operation functions. The abilities of Talos are definitely one of the reasons we bought into this as a product. It enables us to react more quickly. We're relying on Cisco providing that updated information in a timely fashion, and that obviously has a knock-on effect on our ability to support our clients if they've been compromised. That ability to push information automatically into Talos and their environment and then prove it's a problem or otherwise, and then update the system automatically, saves us an enormous amount of time. It gives us a lot of confidence in what we do, because Cisco is able to update things and do that part of the function for us, rather than our relying on in-house skills to try to determine what is good and what is bad.

    We use it internally, in our business, to secure us, as we are an MSP, which means we are at particular risk. Obviously, we have a duty of care for our clients to ensure that we take the utmost responsibility and steps to secure our businesses and, in turn, secure our clients' businesses. The Cisco suite of security solutions definitely gives us a great deal of comfort that we are doing that. Relying on Cisco for those updates certainly takes a load off my mind, knowing that we've got the backing of Talos across the suite of products. We feel, with all the steps we have taken, that there are very few gaps in our security.

    The solution has also made our team more effective by being able to focus on high-value initiatives. We have it integrated into our helpdesk system where it alerts us of things that are of particular concern. That minimizes the amount of time that we're looking at non-threatening situations. A lot of these systems can throw up an awful lot of information and you can end up spending an awful lot of time looking at things that aren't an issue — false positives. If we're able to target things more accurately, it helps us focus that high-cost engineering resource more accurately. It does save time and money.

    Cisco AMP has definitely decreased our time to detection, relative to where we were with previous products. Before this type of next-gen solution, we were relying on things like antivirus, which is pretty poor and didn't produce much in the way of protection, certainly around ransomware and other things. We were relying heavily on perimeter protection, like firewalls. That was, of course, completely ineffective when people took their laptops home. The risk was great and we saw more people bringing problems back into the business. The AMP and Umbrella combination has made life a lot more secure and enables us to deliver consistent policy, which is the other important thing. When people are in our building, we've got a reasonably consistent policy because we have greater control. But the minute a person leaves the building and connects via a phone or at an internet cafe, we lose most of the traditional protection we had. The endpoint becomes everything.

    The decrease in time to detection has been significant. It's very hard to put a percentage to it because, before it, we were often blissfully unaware that devices had a problem at all. It's given us visibility and we are much more effective. I'm guessing in terms of what it saves time-wise, because it's given us visibility that we otherwise didn't have, but I would say 80 percent, if I had to put a figure on it.

    What is most valuable?

    It has a number of valuable features. One of them is its ability to look across the estate. If somebody has been compromised, the question always is: How has it affected other devices in the network? Cisco AMP gives you a very neat view of that.

    It has worked well where there have been compromises of clients and the software has automatically sent a sample to Cisco. Cisco has very quickly turned that around and an update has been issued and therefore, within an hour, all the devices are protected against it. We've been quite impressed with that.

    We're a Cisco-centric organization. We use things like Cisco FirePOWER, the Next Gen features, as well as Umbrella portal and AMP. We've got a SIEM solution and we see all the events. It gives us a very good overall view of what's going on, very quickly.

    We get all the alerts fed in centrally and it enables the security team to act upon them quickly. The alerts seem to be high-quality. We don't get an awful lot of false positives. With the dashboards it's clear, and you can understand quickly where the issues are, with instant responses.

    The tools provided by the solution to help you investigate and mitigate threats are very helpful too. I'm the person who manages the engineers, so I don't use it on a day-to-day basis. I use it to get an overall view of, and a feeling for, where our various clients are in terms of issues: How secure they are, whether the engineers have been acting upon threats, etc. But our engineers like the product very much. The ability to detonate a particular problem in a sandbox environment and understand what the effects are, is helpful. We're trying, for example, to determine, when people send information in, if an attachment is legitimate or not. You just have to open it. If you can do that in a secure sandbox environment, that's an invaluable feature. What you would do otherwise would be very risky and tedious.

    All our engineers have been very impressed with the features that it delivers and the fact that it has been low impact on the endpoints. It hasn't caused us any problems with performance. Generally, it's a very well-liked product amongst the engineering team.

    What needs improvement?

    Some of the dashboards don't always populate with data. Most of them do, but some of them don't. 

    Another issue for me, that would be the greatest value of all, would be to make the security into a single pane of glass. Whilst these products are largely integrated from a Talos perspective, they're not integrated from a portal perspective. For example, we have to look at an Umbrella portal and a separate AMP portal. We also have to look at a separate portal for the firewalls. If I could wave a magic wand and have one thing, I would put all the Cisco products into one, simple management portal. If I were Cisco, that would be my greatest focus of all because it would be of such great value if I could give one pane of glass to an engineer and he could look across all the Cisco products. 

    The other thing I would say to Cisco is they need to move more to a consumption model like Office 365, because I want to be able to sell it and deploy it by just adding things on to a particular client.

    For example, you set a client up on the AMP portal, which I'm looking at as I speak. I have X number of clients. If I need to sell or deploy Umbrella, I've got to go through a completely different process and enter exactly the same sort of thing. I've got to create the client somewhere else, I've got to put the information somewhere else, and I've got to run the deployment from somewhere else. Whereas with the Office 365 model, I'm able to upgrade packages and add features and functionality all from the one place. That is an incredibly powerful selling tool.

    The other area for improvement is to make billing simpler. The billing process for us is hard where we've got those two users. We've got to create a separate bill for those clients and we have to create a separate report to Cisco to say that we're billing those clients. Anything they could do to make that billing process more seamless would be of great value. If they could almost automate it, so that it is something that links in with accounts packages to make the billing process neater, it would help promote the sale of it and make it more profitable to sell. If someone deploys AMP for Endpoints on a client, at the moment that process is very disjointed. We've got to do a check once a month to see how many deployments there are relative to last month and, if we had to add one, we not only have to bill an extra one but we also have to buy an extra one from Cisco. And all that is manual.

    For how long have I used the solution?

    I have been using Cisco AMP for Endpoints for three years, maybe more.

    What do I think about the stability of the solution?

    The stability is very good. We've had no issues with performance or things crashing. That aspect has all been very positive. When doing as much as these products are doing, it can create quite an overhead and take a toll on the performance of PCs, but we have had none of that kind of experience.

    We are predominantly a Microsoft environment. I'm aware that it supports Mac, but I don't think we have any installations across Mac environments at the moment. From a Windows standpoint, it works very well. It hasn't caused instability. It hasn't affected performance in a negative way. All those things are really positive, given what it's actually doing.

    What do I think about the scalability of the solution?

    Without any question it's scalable. We've got it on as few as two, and as many as 250 or so clients. We don't have any questions about scalability.

    How are customer service and technical support?

    I've not personally used any support around this solution. I don't think we have needed to from an implementation perspective. It's all gone smoothly.

    Which solution did I use previously and why did I switch?

    We used Sophos in the past. We're replacing it, so when the renewals come up we replace Sophos with AMP, wherever possible.

    How was the initial setup?

    The initial setup is quite simple. We needed a method of delivery and that's the hardest part. But the deployment and the actual tuning of it are relatively minimal, so that has been a good experience. We didn't have to mess about with performance tuning, whereas with other products we have to do quite a lot for excluding this, that, and the other directory, to make sure the performance is reasonable.

    If it's a small environment, it's quick to set up because we've got closer management. But in bigger environments, we bump into the challenge — and this is not an AMP issue or an installation issue — of people who are away, or people who haven't restarted their machines. Those sorts of little things tend to be the things that are a little bit more of a pain to get the final installation done. But the rollout of AMP, per se, is quite straightforward. The setup time of AMP isn't an issue and it is quite acceptable. These types of problems would exist with whichever product was chosen.

    In terms of an implementation strategy for this product, our security team is very comfortable with rolling it out. The sales process is that we define the client's needs, the number of devices that they intend to secure, and that goes to the security team to coordinate and roll out. That's a reasonably templated process now for us.

    In our company, the security team is comprised of four people, and they are the people who primarily look after and manage the products. We also have a deployment team, another three or four people, who are the people that would ultimately push the client out to the various devices that need it.

    What was our ROI?

    Certainly, from a protection standpoint, we have seen ROI. It's doing what we want it to do and it's protecting us and the clients who have it installed. Neither they nor we have been compromised and that's the greatest testament of all.

    What's my experience with pricing, setup cost, and licensing?

    We use the MSP model, so we're able to pay as we go. We report usage based on the actual usage, which is very handy. The old model of Cisco doing it was dated and archaic, and that goes for most of their products. The previous way they did it, which was that you bought something upfront for a certain period, was terrible because of the actual process of updating it. It wouldn't scale down and it was very hard to scale up. When you added users to the system, it wasn't easy to then add licenses to that particular agreement. It was really difficult, in fact; difficult to the point where we stopped selling it in that model, because it was just too problematic.

    For example, if we had a user with 10 devices and they bought some more devices, so it went to, say, 15, getting an extra five licenses within their agreement was immensely hard. To me, the only way forward is the MSP model.

    Which other solutions did I evaluate?

    We looked at a number of different solutions: Carbon Black, Cylance, and Sophos Intercept X, and we liked the Cisco AMP solution over those products because it fit in neatly with the rest of the Cisco portfolio. We believe that the management of the various security products fits better with one manufacturer, rather than picking various manufacturers to try and manage a security solution.

    The integration of Cisco Threat Response with Cisco Umbrella is getting a lot better. What we like, across the board, is that the solutions are backed by Talos, and Talos is the largest, independent, security-research and threat-hunting organization in the world. We like the fact that the protection is spread across the Cisco environment. That's where this set of products wins when compared to other vendors. It's not that other vendors, like Carbon Black and Cylance, aren't delivering good products. They're just not doing the whole suite. They're not providing the firewall, they're not providing the CASB solution like CloudLock. I'm not sure if they're doing DNS filtering yet; a lot of vendors are catching up on that. But effectively, when you get a known issue, Cisco have the ability to roll it out across a suite of products and therefore you get protection very quickly. So if you discover a problem in Cisco Umbrella, they can update that threat, where need be, in AMP. That's quite a unique selling point for Cisco.

    What other advice do I have?

    It's very simple to deploy, doesn't cause much in the way of management overhead, and does what it suggests. I would have no hesitation in recommending it. We obviously do, as we're selling it and have been using it for a number of years.

    Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner.
    Security Officer at a healthcare company with 51-200 employees
    Real User
    Top 10
    Gives great network visibility by showing how a file interacts with other systems, devices, and files
    Pros and Cons
    • "The visibility and insight this solution gives you into threats is pretty granular. It has constant monitoring. You can get onto the device trajectory to look at a threat, but you can also see what happened prior to the threat. You can see what happened after the threat. You can see what other applications were incorporated into the execution of the threat. For example, you have the event, but you see that the event was launched by Google Chrome, which was launched by something else. Then, after the event, something else was launched by whatever the threat was. Therefore, it gives you great detail, a timeline, and continuity of events leading up to whatever the incident is, and then, after. This helps you understand and nail down what the threat is and how to fix it."
    • "One of the best features of AMP is its cloud feature. It doesn't matter where the device is in regards to whether it's inside or outside of your network environment, especially right now when everybody's remote and taken their laptops home. You don't have to be VPNed into the environment for AMP to work. AMP will work anywhere in the world, as long as it has an Internet connection. You get protection and reporting with it. No matter where the device is, AMP has still got coverage on it and is protecting it. You still have the ability to manage and remediate things. The cloud feature is the magic bullet. This is what makes the solution a valuable tool as far as I'm concerned."
    • "The one challenge that I see is the use of multiple endpoint protection platforms. For instance, we have AMP, but we also have Microsoft Windows Defender, System Center Endpoint Protection, and Microsoft Malware Protection Engine deployed. So, we have a bunch of different things that do the same thing. What winds up happening is, e.g., if I get an alert for a potential incident or malware and want to pull the file, I'll go to fetch the file to analyze it. But, one of these other programs has already gotten it, so the file has already been quarantined by another endpoint protection system. AMP doesn't realize that and the file fetch fails, then you're left wondering what's going on."

    What is our primary use case?

    AMP for Endpoints has Endpoint Connectors, which are agents on the endpoints, providing security against malware and intrusion detection. It also provides intrusion prevention. We install the Connector on all the endpoints before they're deployed and also on our virtual desktop images. They provide constant monitoring and alerting on any events or potential threats to let us know when there is something going on that we can further investigate.

    AMP intersects with a bunch of other Cisco tools, such as Threat Grid, Threat Response, and Talos Intelligence to identify threats, then automatically quarantine or remove them. It also gives you the ability to isolate endpoints to prevent further spread of any sort of malware, like a virus that might infect other machines.

    How has it helped my organization?

    The visibility and insight this solution gives you into threats is pretty granular. It has constant monitoring. You can get onto the device trajectory to look at a threat, but you can also see what happened prior to the threat. You can see what happened after the threat. You can see what other applications were incorporated into the execution of the threat. For example, you have the event, but you see that the event was launched by Google Chrome, which was launched by something else. Then, after the event, something else was launched by whatever the threat was. Therefore, it gives you great detail, a timeline, and continuity of events leading up to whatever the incident is, and then, after. This helps you understand and nail down what the threat is and how to fix it.

    The solution’s actionable alerts in the security console are granular. They take you right to whatever the incident was so you can start investigating it. One thing that I have noticed lately, as we have spun up more tools associated with our Enterprise Agreement, is that AMP interfaces with all of them, then takes on some automated actions. One of the things that AMP does if there's an incident is give you an alert. This is because a threat was detected. You can click on the threat that's detected, then it takes you right to it in the timeline. Finally, you can pull/fetch the file and submit it for analysis. However, it will also do that automatically.

    Cisco is standing up so much stuff right now. This solution interfaces with Talos Intelligence, Threat Grid, Threat Response, and SecureX. All of these things are integrating together and a lot of stuff is now starting to happen automatically, e.g., if a threat is detected, it is automatically interfacing with Talos Intelligence to figure out what that threat is and the hash value of whatever file that is. If it thinks it's suspicious, it automatically submits it to Threat Grid, which detonates the file in the sandbox, but also in the cloud, and returns a report saying whether the file, or whatever it is, is an actual threat/incident. Then, it remediates and quarantines it, and you find out about it later. It's doing a lot of stuff in the background as the integration with other tools increases.

    Cisco Threat Response accelerates security operation functions. It gives you great visibility into your network. You start with a hash value, and you can search for that hash value within your environment by just dropping it into Threat Response. Then, it'll show you how that file has interacted with other files, systems, and devices. It gives you immediate visibility with a chart that shows you where that file has gone and where it's been. If you're looking to contain outbreaks, it's all there.

    Cisco AMP simplifies endpoint protection detection and response workflows, such as security investigation. It really shortens the window to respond to an incident. You can do something in five minutes that probably would have taken several days in a big, diverse, ambiguous environment, where you have a lot of people working remotely. It would be tough to run down all this stuff. It is saving not only time, but manpower. Another person plus myself can now fix a problem. Whereas before, I would have to crawl through four or five different people before I got the right guy to get to the right place to do the thing that I needed him to do.

    What is most valuable?

    I like all the features. They're continually adding features to the product as well. One of the most recent features that they added is Orbital Advanced Search, which gives you great visibility into each individual endpoint. If you need to go look and see what's going on, it gives you that ability very easily.

    I've only used Orbital Advanced Search on individual endpoints. Unless what I'm looking for is of great urgency, then I don't want to run very complex queries because they can take a lot of time and use a lot of resources for the endpoint. I'm still getting used to it so I don't know its full capabilities, such as, what it can do without interrupting the use of the endpoint. However, if the endpoint is compromised, it doesn't really matter. If I'm just investigating an incident, I don't want to lock the box up if a user is still trying to use it while I'm trying to figure out what's going on.

    The Orbital Advanced Search is a great tool that gives you visibility. Otherwise, you would have to track down the device physically and possibly even do a forensic image of it to figure out what happened, or take it out of the environment just to investigate it. Having the ability to use Orbital to get the information off of a device to determine whether it's legitimately compromised, or if something weird is just going on, shortens the timeline of your response because you have immediate availability and visibility into the device that might be compromised.

    Orbital helps reduce attack surface and investigate real-time data on our endpoints. For example, a device alerted in AMP for having a potential browser hijacker. At the same time, the user was also opening a help desk ticket because they were unable to access some online resources necessary for them to be able to work. I was then able to get on the device using Orbital (out of AMP) to locate the device and figure out what was going on, and it was a legitimate infection of a virus: It was a browser hijacker. All that happened in the span of five minutes, and I was able to get one of my guys out there to remove the device from our environment, reimage and replace it with another device.

    I was able to figure out what was going on with that device in the span of five to 10 minutes. Then, I was able to have a guy onsite within the next three hours to get the device out of our environment. Previously, that would have taken days to figure out what was going on with the device, remote into the device, and find out where the device was physically, then get somebody to go to where the device was physically and pull the device out of the environment. That used to be a much longer process, and the longer that you have a threat risk in your environment, the riskier it becomes.

    One of the best features of AMP is its cloud feature. It doesn't matter where the device is in regards to whether it's inside or outside of your network environment, especially right now when everybody's remote and taken their laptops home. You don't have to be VPNed into the environment for AMP to work. AMP will work anywhere in the world, as long as it has an internet connection. You get protection and reporting with it. No matter where the device is, AMP has still got coverage on it and is protecting it. You still have the ability to manage and remediate things. The cloud feature is the magic bullet. This is what makes the solution a valuable tool as far as I'm concerned.

    What needs improvement?

    The solution’s endpoint protection, in terms of the operating systems and devices that it protects, is pretty comprehensive. The one challenge that I see is the use of multiple endpoint protection platforms. For instance, we have AMP, but we also have Microsoft Windows Defender, System Center Endpoint Protection, and Microsoft Malware Protection Engine deployed. So, we have a bunch of different things that do the same thing. What winds up happening is, e.g., if I get an alert for a potential incident or malware and want to pull the file, I'll go to fetch the file to analyze it. But, one of these other programs has already gotten it, so the file has already been quarantined by another endpoint protection system. AMP doesn't realize that and the file fetch fails, then you're left wondering what's going on. 

    It's a rapidly evolving product. Every time they turn on a new feature, you're going to have glitches. Recently, they put out a bad version of a Connector, but they put out a new version of a Connector every other week it seems, so they pulled that back and put out a new version.

    For how long have I used the solution?

    About a year.

    What do I think about the stability of the solution?

    It is very stable. I haven't noticed it being unstable. It is what it is and does what it does.

    On a regular basis, we have four or five network security engineers working on its deployment and maintenance.

    What do I think about the scalability of the solution?

    It is easily scalable. It's a simple deployment. You can push it out through any sort of desktop management system that you have.

    Because we're a hospital, some things (like an imaging device) will not be using the solution as it may stop the imaging software from working. As far as endpoints for regular people who are not doctors using nuclear medicine imaging computers, it is pretty much on all those devices, including all of our virtual desktops. We have about 5,000 endpoints.

    How are customer service and technical support?

    Their technical support is excellent. I often wind up working with the same people who are responsive, knowledgeable, and available to do live troubleshooting and analysis. They also do a great job of teaching you things that you otherwise wouldn't know about the tool.

    Which solution did I use previously and why did I switch?

    We still do use System Center Endpoint Protection (SCEP). I am in the security group, and there's an infrastructure group who deploys the desktop. As part of their deployment, not only do they include AMP, they also include the Microsoft tools of various types.

    Mostly, AMP affords us utility and visibility. Whereas, we had very little control and visibility into other tools because they weren't ours. We didn't have such great access. For endpoints, it's really been great for us as far as having that level of visibility and ability to control what's going on. To not only have the responsibility for security, but the ability to provide security has been the big deal for us.

    When we only had the SCEP solution, we would get alerts but that would be it. We wouldn't have access to the tool to get more information from it. This left us sort of trying to troubleshoot the device in a vacuum without understanding what was going on.

    How was the initial setup?

    The initial setup was straightforward, easy, and quick. When we first started testing and deploying it, we were installing it on individual machines ourselves. It's just a matter of downloading the Connector or having the URL to the Connector that you just run on the machine. All you need is local admin rights and it takes about five minutes. That's it. 

    In our testing environment, deployment was probably a month or two, because we were just testing. Once we felt comfortable with it and started deploying it, we gave it to our desktop engineers because it's an integral part of the image that gets installed on every machine. Therefore, for our entire environment, it probably took a total of four months, since three months were for testing.

    Initially, we deployed it to individual desktops for testing. Then, we incorporated it into the standard image deployed on all desktops, laptops, or endpoints.

    What was our ROI?

    We have absolutely seen ROI. The way that it is starting to integrate and work with all the other Cisco products, as far as the ease of use, visibility, and being able to respond to incidents. We can know if something bad is potentially happening instantaneously and prevent it from happening. We can go to a device and isolate it before it infects other devices. In our environment, that's millions of dollars saved in a matter of seconds.

    The solution has made our team more effective and productive.

    The solution has decreased our time to detection because we are getting alerts letting us know that something needs to be looked at. Now that it's integrating with all these other tools, it's automatically submitting files for analysis to determine whether they are dangerous. Up until about two months ago, I would get a bunch of alerts about certain files. For example, I used to get alerts about a machine having a file, then I'd have to fetch the file and submit it for analysis. That stuff is happening automatically now. So, I went from about 100 or so odd alerts a week to around five because everything is now happening on its own.

    What's my experience with pricing, setup cost, and licensing?

    We have an Enterprise Agreement with Cisco for a bunch of tools. This is one of them.

    The Enterprise Agreement is like an all-you-can-eat buffet of Cisco products. In that vein, it was very affordable.

    Which other solutions did I evaluate?

    We looked at a bunch of different things. We looked at Carbon Black along with two or three other of our tools that we didn't really have any control over. 

    Cisco AMP came as part of the Enterprise Agreement with Cisco, so it was included. This made it much easier to spin up and use.

    What other advice do I have?

    You need to look at your exclusions. You need to understand everything you have in your environment that needs to be able to operate. Because one thing AMP does, if it doesn't know what a file is, it will go get that file and isolate/quarantine it. That file might be part of another software platform that's needed to function for whatever it is you do. Chances are you won't have any visibility into whatever that platform is until it stops working, because AMP has quarantined one of the central files for it. Knowing what you have in your environment, what the exclusions are, and how to create and apply those exclusions for those other systems is a key piece.

    I think that AMP is really effective in isolating and stopping things that it doesn't know. This is probably good because you don't know if a threat is really a threat until you get a chance to look at it. AMP gets out in front of that. This can cause problems if you don't know that you need to have an exclusion, but you're better safe than sorry.

    We are using Cisco Email Security, Cisco Firepower, Cisco Talos, Cisco Threat Grid, and SecureX. We have not stood Stealthwatch up yet. We are refreshing our ISE instance. The integrations across the board have really been a multiplier for each tool individually, and certainly through AMP. It's really launched AMP into another level as far as automation is concerned. The integration of all these tools is seamless and very effective.

    I would rate it an eight (out of 10). It is all still a work in progress; it is all still a new thing. Not only is the tool itself a new thing, but how the tool integrates with all the other tools. It's in development.

    Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
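    The device trajectory and file trajectory views described in the review above (the parent chain before an alerting process, the processes spawned after it, and a hash searched across every host) can be illustrated with a small script. The following is an added example written for this page; it is not Cisco's code and not the reviewer's, and the telemetry records, host names, process ids and hashes in it are constructed.

```python
from collections import defaultdict

# Constructed sample telemetry (not real AMP data): process-start events
# from two hosts. Each record gives the host, the new process id, its parent
# process id, the executable image, and the executable's SHA-256.
# The pid/ppid chain is what a "device trajectory" view walks; the hash is
# what a "file trajectory" search looks up across hosts.
EVENTS = [
    {"ts": 100, "host": "ws-01", "pid": 10, "ppid": 1,  "image": "explorer.exe",   "sha256": "a" * 64},
    {"ts": 101, "host": "ws-01", "pid": 20, "ppid": 10, "image": "chrome.exe",     "sha256": "b" * 64},
    {"ts": 102, "host": "ws-01", "pid": 30, "ppid": 20, "image": "suspect.exe",    "sha256": "c" * 64},
    {"ts": 103, "host": "ws-01", "pid": 40, "ppid": 30, "image": "powershell.exe", "sha256": "d" * 64},
    {"ts": 104, "host": "ws-01", "pid": 50, "ppid": 40, "image": "cmd.exe",        "sha256": "e" * 64},
    {"ts": 200, "host": "ws-02", "pid": 11, "ppid": 1,  "image": "explorer.exe",   "sha256": "a" * 64},
    {"ts": 201, "host": "ws-02", "pid": 21, "ppid": 11, "image": "suspect.exe",    "sha256": "c" * 64},
]


def _index(events, host):
    """Return {pid: event} and {ppid: [child events]} for one host."""
    by_pid = {}
    children = defaultdict(list)
    for ev in events:
        if ev["host"] != host:
            continue
        by_pid[ev["pid"]] = ev
        children[ev["ppid"]].append(ev)
    return by_pid, children


def device_trajectory(events, host, pid):
    """Reconstruct what ran before and after the process `pid` on `host`.

    Returns {"before": [ancestor images, root first],
             "event": image of the alerting process,
             "after": [descendant images in time order]}.
    """
    by_pid, children = _index(events, host)
    if pid not in by_pid:
        raise KeyError(f"no process {pid} on {host}")

    # Walk up the parent chain until we hit a parent we have no record for.
    before = []
    cur = by_pid[pid]["ppid"]
    while cur in by_pid:
        before.append(by_pid[cur]["image"])
        cur = by_pid[cur]["ppid"]
    before.reverse()

    # Collect every descendant (breadth-first), then order by timestamp
    # so the result reads as a timeline.
    after = []
    queue = [pid]
    while queue:
        parent = queue.pop(0)
        for child in children.get(parent, []):
            after.append(child)
            queue.append(child["pid"])
    after.sort(key=lambda ev: ev["ts"])

    return {
        "before": before,
        "event": by_pid[pid]["image"],
        "after": [ev["image"] for ev in after],
    }


def file_trajectory(events, sha256):
    """Return {host: [timestamps]} for every host where the hash was seen."""
    seen = defaultdict(list)
    for ev in events:
        if ev["sha256"] == sha256:
            seen[ev["host"]].append(ev["ts"])
    return {host: sorted(ts) for host, ts in seen.items()}


if __name__ == "__main__":
    traj = device_trajectory(EVENTS, "ws-01", 30)
    print("before:", " -> ".join(traj["before"]))
    print("event: ", traj["event"])
    print("after: ", " -> ".join(traj["after"]))
    print("hosts with this hash:", file_trajectory(EVENTS, "c" * 64))
```

    Run against real telemetry, the same two lookups answer the reviewer's two questions: what launched the suspicious process and what it launched in turn, and which other machines have already seen the same file hash and so belong in the containment scope.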
    Neal Gravatt - PeerSpot reviewer
    Sr Network Engineer at a real estate/law firm with 1-10 employees
    Real User
    Top 10
    Makes it possible to see a threat once and block it across all endpoints and your entire security platform
    Pros and Cons
    • "Another of my favorite features is called the Device Trajectory, where it shows everything that's going on, on a computer. It shows the point in time when a virus is downloaded, so you can see if the user was surfing the internet or had a program open. It shows every running process and file access on the computer and saves it like a snapshot when it detects something malicious. It also has a File Trajectory, so you can even see if that file has been found on any of your other computers that have AMP."
    • "The thing I hate the most, which they have not fixed, is when it creates duplicate entries within a console. If you have a computer and you upgrade from Windows 7 to Windows 10, or you upgrade your agent from version 6 to 7, it creates a new instance in there instead of updating the information. Instead of paying a license for one computer, I have to license two computers until I manually go in, search for all the duplicate entries, and clean them out myself."

    What is our primary use case?

    Cisco AMP is an anti-malware and antivirus product. It provides endpoint protection. We use it as our antivirus and anti-malware tool. We put it on all our computers. Our employees have it on their laptops because they leave the network and we can't protect them everywhere. Microsoft Windows comes with a built-in tool but it's not quite as powerful. So we use Cisco AMP and Microsoft System Center Endpoint.

    Cisco AMP is our primary solution, but we don't uninstall the free ones that come with Windows.

    It runs a little agent on the computer and then you manage it from a website platform. There is an application installed on the computers and they all connect up to the management console, which is hosted in Cisco's cloud.

    You can use it for single endpoints. We have 3,000 that we use and then there's the free version of it you can use for home.

    How has it helped my organization?

    The actionable alerts in the security console are very good and very useful. They alert us immediately when something happens so that we can take action faster, instead of having to wait until a user reports something or until we view the logs. It sends you alerts so that you can know about them as soon as they happen and remediate the problem. It's a very nice feature.

    The solution also makes it possible to see a threat once and block it everywhere, across all endpoints and your entire security platform. You can identify a threat and then mark it as, "If you ever see this file, delete it." It uses something like crowdsourcing, where, if someone works for another company and has AMP and it detects a malicious file on that person's computer, it then updates so that my AMP knows about the virus at that person's company, and protects my company from their virus.

    Cisco AMP simplifies endpoint protection detection and response workflows. I'm the only one who manages it now, so it frees up time for a lot of other people. Once it is deployed and set up, one person can manage and maintain it. That reduces the number of people you have to pay for those responsibilities. The console will show if an AMP agent has checked in and I can use all the search features it has. And it deletes all the viruses so I don't really have to do too much, once it has been installed.

    It has also minimized security risks to our business that we were previously unaware of. It points out vulnerabilities in software that is already installed, such as in Microsoft Office. If you don't have the latest version of Office, AMP proactively lets you know that you could potentially be infected. We didn't have that before. It has a more comprehensive database that's made up of all the information it has collected from my company and all the other companies that use it. It takes all that information and protects your environment from anything it's ever seen.

    When it comes to time to detection, Cisco AMP has taken it from one day to one hour. And our time to remediate has gone from hours to minutes. It does it itself, so we don't have to do anything. 

    I can't think of a case where a computer was infected and AMP did not let us know or missed it. It has never happened to us that the product didn't detect something while another product did detect that problem. So far it has been 100 percent successful.

    What is most valuable?

    I like the central management console where I can see everything that's going on, on all the computers. 

    Another of my favorite features is called the Device Trajectory, where it shows everything that's going on, on a computer. It shows the point in time when a virus is downloaded, so you can see if the user was surfing the internet or had a program open. It shows every running process and file access on the computer and saves it like a snapshot when it detects something malicious. It also has a File Trajectory, so you can even see if that file has been found on any of your other computers that have AMP.

    One of the things that is most impressive is its ability to give so much insight. That's another of its best features. With the File Trajectory, it shows everything the computer's doing and it can help determine how the virus got onto the computer.

    You set it and forget it. Once you install it and configure it, it runs the reports, putting everything on the central web console.

    You're able to subscribe to alerts, so I get an email every time it deletes a virus off of someone's computer. I also get an email if it has a problem, such as if it was unable to delete the entire virus. It will say "Quarantine unsuccessful."

    It allows as many people as you want to go in and view it. And you set people as administrators or as people that can just view the information.

    AMP also has several tools you use to link to websites that contain more information about things. They're useful as well. They give you the ability to look at different companies' information; for example, VirusTotal. You can also connect it to other modules and tools that you have, and it can do things such as quarantine where it will take a computer off the network for you automatically. Those tools are helpful. It provides a concept they call "distance and depth," where you get more than one company's opinion on things.

    We just started using its Orbital Advanced Search feature. It's relatively new, so we haven't used it a whole lot, but for the little bit that we have used it, it has been a really neat tool. I've only run it on a couple of endpoints so far, but it works pretty well. It just gives you that extra insight to help better understand how the rest of your environment could be affected. Obviously, you're dealing with a computer that has a virus already and this gives you an ability to assess what else could have happened with that virus. It helps provide more information. 

    The Orbital Advanced Search feature also helps to reduce the attack surface and to investigate real-time data on our endpoints. Some of the queries will show you which software packages you have that are vulnerable, like a version of an Office program or an Adobe Reader that has a vulnerability in it. Once you know that information, you can proactively patch the computer or apply updates to it so that it does not become infected. It alerts you to an infection, and then you can say, "Oh, these other computers could be infected by that too." Orbital detects those computers. It reduces the amount of time we spend on that kind of situation by about 20 percent.

    In terms of the comprehensiveness of the solution, it does Windows great. It works on Macintosh very well. It also does iPhone and Android. It's pretty comprehensive since it covers the majority of operating systems.

    It also integrates very well with other Cisco products. It has an API interface so you can integrate it with just about any Cisco product. It does have some out-of-the-box stuff and definitely integrates great with all the other Cisco tools. But we use something called Rapid7, which is a vulnerability scanner, and AMP is able to integrate with it very well to help report data. It works well with some third-party products, but I'm not sure how many.

    What needs improvement?

    The endpoint agent on a machine doesn't provide much data. 

    And the thing I hate the most, which they have not fixed, is when it creates duplicate entries within a console. If you have a computer and you upgrade from Windows 7 to Windows 10, or you upgrade your agent from version 6 to 7, it creates a new instance in there instead of updating the information. Instead of paying a license for one computer, I have to license two computers until I manually go in, search for all the duplicate entries, and clean them out myself. There are features that are supposed to reduce the duplicates, but they don't work.

    For how long have I used the solution?

    I've been using Cisco AMP for Endpoints for five years. I started with the company as they were in the process of determining if they wanted to use it and they decided they wanted it. I have been managing it ever since. We're upgrading everybody to 7.1.5. They were on version 6.2 for a year. Before that, it was 5.1.

    What do I think about the stability of the solution?

    It's stable. We only had one or two instances, over five years and 3,000 computers, where the agent has stopped working and we had to reinstall it. That's a pretty high percentage of availability, like 99.9 percent of the time there have been no problems.

    How are customer service and support?

    Their technical support is the best. I've never had technical support better than Cisco's in my 15 years working with different companies. Nothing is better than Cisco TAC. The response time is always within an hour or less.

    If you don't get a response in that time, you can have the case put back in the queue. You can easily escalate it. When you open a case, it tells you the engineer who is assigned to it and then gives you a manager's contact information so you don't have to say, "Let me speak to your manager." You already have that information.

    There are tons of support people working 24 hours a day, seven days a week. 

    Also, there are so many users — Cisco customers — that even searching the information online through their support Knowledge Base is good and easy to do, if you don't feel like talking to somebody. You can find a lot of information online whereas one of Cisco's competitors, Palo Alto, has a tool called Traps. It would be a lot harder to find information about that.

    Which solution did I use previously and why did I switch?

    We replaced a Norton product with AMP. Now, we run the default Windows tools that come with it, along with Cisco AMP. The Windows solutions are free but we wanted to buy a more robust one with better ability to search and do forensics. There are similar solutions to Cisco, but it has definitely been an improvement over previous stuff that we've used.

    We have a lot of other Cisco products that it integrates with, and that was one of the reasons we chose Cisco AMP. We did a demo and it was good and it answered the questions we had. We wanted to be secure, so we needed to find an antivirus tool that works. It makes it easier for us to monitor all of the computers for viruses.

    How was the initial setup?

    I helped set up and deploy it. It was pretty straightforward. You go to the web console, tell it to create a package, download it and then install it, and you're done.

    With 3,000 computers, we rolled it out at about 1,000 at a time and it took about three months. We could have done it in a week. We just did it very slowly because any changes you make, you're supposed to do a test community of computers. We did the IT people first because they're smart at troubleshooting things. 

    There's another tool from Microsoft called SCCM, a deployment tool, and as we upgrade the client it takes two days to push it out to the thousands of computers because some people don't turn on their computers for a day or two. Everybody is going to do their deployment differently.

    What was our ROI?

    We have seen return on our investment with this tool. The amount of stuff that it detects and blocks has been very valuable.

    What's my experience with pricing, setup cost, and licensing?

    The pricing is very good and the licensing is somewhat of an honor system. We have a license for 3,000 users and if we get up to 3,100 users, it doesn't stop working, but on the next renewal date you're supposed to go in there and add that extra 100 licenses. It's really good that they let you grow and expand and then pay for it. Sometimes, with other products, you overuse a license and they just don't work.

    Once you pay a license for a client, that's it. Everything else we talked about, the integrations and those kinds of things, is free. There's only one level of licensing too. Some products are set up so that if you pay this much you get these features and if you pay that much you get those features. Here, everything comes with one price.

    Which other solutions did I evaluate?

    The main competitor was Palo Alto with Network Traps. The difference was that Traps would detect viruses but it would not delete them or clean them, whereas AMP did, right out of the box. AMP also worked with multiple operating systems, as I mentioned, and the Traps solution did not offer that at the time I looked at it.

    What other advice do I have?

    They keep adding more features to it and there are features you can enable and turn off. One of the best, newer features addresses the fact that it did not work unless you had an internet connection. They put an antivirus engine on there that works when it does not have an internet connection. That was a big deal. It has a lot of capabilities. They keep developing more for it, which makes it a better product.

    Be sure to password-protect it so that users can't disable it. It has a feature to add a password to it which prevents the user from uninstalling or even stopping it. Also, enable that offline antivirus engine called Tetra. You want to be sure to enable that so that it works when it doesn't have an internet connection.

    Using the product, what I've learned is that you need to keep the client up to date. One of the hardest things is that people have computers that come and go. Someone might have a laptop that breaks and the company will give them a new one. You've got to manually find that broken laptop and delete it. You want to make sure you go in there frequently to ensure that the information is accurate or up to date. If you wait too long, there are hundreds and hundreds of computers you have to search through and work on. That's way too much.

    We did Threat Response and we did a demo of Threat Grid and did not move forward with it. We had it integrated with ISE and Umbrella. Threat Response provides a little bit more information but, honestly, it wasn't that useful. It seemed like it was a repeat of what we could already find through the other tools we had. Threat Response isn't the best add-on to it, but it's free. It provides more information but the response wasn't that good, those times that I used it. Threat Response didn't impress me. It does do more, but it's not that useful.

    Which deployment model are you using for this solution?

    Public Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Other
    Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
    System Administrator at a manufacturing company with 201-500 employees
    Real User
    Top 20
    Increases operational efficiency and provides insights into threats out there so that I can be more proactive
    Pros and Cons
    • "It is extensive in terms of providing visibility and insights into threats. It allows for research into a threat, and you can chart your progress on how you're resolving it."
    • "In Orbital, there are tons of prebuilt queries, but there is not a lot of information in lay terms. There isn't enough information to help us with what we're looking for and why we are looking for it with this query. There are probably a dozen queries in there that really focus on what I need to focus on, but they are not always easy to find the first time through."

    What is our primary use case?

    We rely on it for antivirus. There are probably three levels, and we have the bottom tier, the most basic one.

    It is on Cisco's cloud. We have the client installed on all workstations, but we don't have a server.

    How has it helped my organization?

    It just gives me more insights into what threats are out there on the machines, so I can be more proactive.

    Actionable alerts in the security console are helpful. With the security console, I immediately get to know about an issue. So, it has sped things up. It also gives you a way to research and see if an issue is spreading, so it has assisted quite a bit.

    It definitely gives a starting point for investigating and mitigating threats. It has research tools, and we can run queries. I have used its Orbital Advanced Search feature. I have run quite a few queries to determine what is out on the network or on the devices that could be a threat. It could be something that is misconfigured or something that we don't want to have running. It is able to quickly run these queries.

    I usually use the Orbital Advanced Search feature for groups. I use it to look for commonality for a threat thread, and it provides good visibility. I've never used it for just one endpoint.

    Orbital Advanced Search helps in reducing the attack surface and investigating real-time data on endpoints. I've only used it a handful of times, and I was mostly looking for whether or not an update has been applied.

    Orbital Advanced Search definitely saves time. I assume money goes right along with time. I don't have to go from desktop to desktop. I have 50 desktops, and if I'm looking for something in particular, it would take at least 15 to 20 minutes per desktop.

    We use Cisco Umbrella. The integration when you use the SecureX console is really good to go from one to the other. I have pulled the endpoint and Cisco Umbrella into SecureX, so I just have one console. It was easy to integrate. They provided really good instructions. This integration just made things more convenient.

    It simplifies endpoint protection, detection, and response workflows, especially for threat hunting. The way it is set up, with the console, I would get to know quickly that we have an issue. It increases operational efficiency because I don't have to go from desktop to desktop. I'm also proactive instead of reactive.

    It has minimized security risks to our business. I've had several desktops where they have triggered an alert, and all I had to do was to go and clean that machine out before the problem spread. 

    It allows us to focus on the incident instead of investigating the group, so we are more efficient. It has decreased our time to remediate because we're focusing on the machines we need to.

    It has decreased our time to detect. I can't quantify the time, but in some of the older antiviruses, the user would say, "Okay, I've got a pop-up, and it has flagged this or that," and then you'd have to go look for it. With this, I know ahead of time, or I know when it happens. 

    What is most valuable?

    We use it as an antivirus. The audit logs are valuable. 

    It is extensive in terms of providing visibility and insights into threats. It allows for research into a threat, and you can chart your progress on how you're resolving it.

    It is quite comprehensive in terms of endpoint protection. I haven't found anything where it was lacking in terms of the protection of our Windows machines.

    What needs improvement?

    While I've attended a lot of their training webinars, they were mostly high-level. They just say that these are the features, and this is how you access them, but I would like to see more scenario-based information. They should provide us examples of how to resolve something when we see something happening. They should give us an example of the flow on how to resolve it.

    In Orbital, there are tons of prebuilt queries, but there is not a lot of information in lay terms. There isn't enough information to help us with what we're looking for and why we are looking for it with this query. There are probably a dozen queries in there that really focus on what I need to focus on, but they are not always easy to find the first time through.

    For how long have I used the solution?

    I have been using this solution for about a year. My company had it for about a year and a half before I joined.

    What do I think about the stability of the solution?

    I haven't had any issues with it except for a connector issue. They quickly put out a new one and got rid of the problem. So, it seems to be really stable, and they seem to be reactive when there is a problem.

    What do I think about the scalability of the solution?

    It is good in terms of keeping the machines updated. It is easy to get it installed on the desktop and keep it updated. We have a little over 100 users. They are administrators, project managers, field supervisors, engineers, and sales and support staff, so we have quite a mix.

    We have deployed it on all desktops and laptops currently. I am going to start looking at adding it to mobile devices. Currently, we only have Windows machines covered. We are working on getting it set up on the Mac mobile devices. So, eventually, we will have a lot more depth than we have now.

    How are customer service and support?

    I never had to reach out to them. So far, I have been able to find the documentation that I needed.

    Which solution did I use previously and why did I switch?

    I've only been with the company for a year. They had it when I got there, and we haven't changed anything since then.

    I've used McAfee and Norton, and it does much better than them.

    How was the initial setup?

    I wasn't involved in the initial setup. They did that before I joined the company.

    Its maintenance is done by me. I'm the only IT person. It is not a large company, so it isn't a bad thing.

    What was our ROI?

    It is kind of hard to say what would have happened if you didn't have it. We've got a very stable environment, and it seems to be doing its job. So, I assume we're getting a return on investment.

    What's my experience with pricing, setup cost, and licensing?

    The pricing was negotiated before I started, so I don't really know.

    What other advice do I have?

    I would advise others to take a real hard look at it because it is a good solution for companies of our size. I like the fact that it is managed in the cloud. I don't have to maintain a server presence. It is easy to use. It was a bit of a learning curve to start with because I was completely unfamiliar with it. I just dug in there and figured it out. Its documentation is fairly good.

    If you go through SecureX, everything is right there in terms of user access and device protection. This integration is nice, but so far, it hasn't really saved me any time. It may in the future.

    I believe it makes it possible to see a threat once and block it everywhere across all endpoints and the entire security platform, but I never had to do that.

    I would rate Cisco Secure Endpoint an eight out of 10.

    Which deployment model are you using for this solution?

    Public Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Other
    Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
    User1#2% - PeerSpot reviewer
    Application Manager at Financial Corp
    Real User
    Top 5
    Strong IDS solution, easy deployment, coverage across multiple platforms with at-a-glance dashboard and many more...
    Pros and Cons
    • "Among the most valuable features are the exclusions. And on the scalability side, we can integrate well with the SIEM orchestration engine and a number of applications that are proprietary or open source."
    • "We had a lot of noise at the beginning, and we had to turn it down based on exclusions, application whitelisting, and excluding unknown benign applications. Cisco should understand the need for continuous updates on the custom Cisco exclusions and the custom applications that come out-of-the-box with the AMP for Endpoints."

    What is our primary use case?

    Being the primary AV/IDS within the enterprise, we have the solution deployed across multiple platforms including workstations, servers and Operating Systems.

    The solution conveniently integrates with other existing on-prem and cloud applications with relatively minimal effort to stand up, using APIs and security best practices.

    Most out-of-the-box features are either being utilized or pipelined to be deployed going forward, including MAP, ETHOS, SPERO, Exploit Prevention, SecureX, and Tetra, which serves as an offline definition repository for workstations that are unable to pull definition updates using the default Cisco AMP cloud route.

    How has it helped my organization?

    It has been effective as the primary AV tool.

    The visibility, dashboard, and navigation give pretty decent insights into threats, IOCs, and endpoint events to help with proactive monitoring. Deployment and connector upgrades are straightforward, with available technical documentation for most scenarios.

    AMP simplifies endpoint protection, detection, and response workflows, like security investigation, threat hunting, and incident response. By using the solution, we've been able to divert attention towards other tasks, saving us significant time and effort. It has also served as a one-stop shop for endpoint anomaly detection and proactive protection, thwarting the need to gather inputs from various applications and having to compile that data into one relevant result. It has obviously minimized security risks to the entire business, most importantly, endpoints, servers, and other crown-jewel assets.

    What is most valuable?

    Recently, we have engaged the vendor regarding optimization, bug detections, and extended features. Identity persistence, a feature request that was recently granted, for instance gives virtual and physical devices deployed using a gold image the ability to specify an Identity Synchronization option. This persistence feature can apply by MAC address across business, by MAC address across policy, or by host name across business.

    Speaking of scalability, integrating with other Cisco products, secure email, network, SIEM, API, open source, and a number of selected proprietary applications has been encouraging.

    Of all valuable features, these are worth mentioning:

    - CI/CD pipelining and feature prioritization by actioning on user requests/ identified bugs, releasing connector upgrades, and deploying console upgrades for better usability

    - Subscription functionality where console administrators are able to subscribe to receive immediate alerts (digest) on specific monitored workstations or groups of them

    - Identity and access management capability within the console that allows administrators to drill down user visibility based on role-based access control, limiting access to policies, groups, exclusions, and other controls

    In terms of operating system compatibility, the coverage is almost in its entirety. Integration and deployment to Windows workstations, Windows servers, Mac, Linux, and mobile is seamless.

    Being a unified AV engine, AMP conveniently delivers both intrusion detection system (IDS) and intrusion prevention system (IPS) capabilities with a specialty in cloud-delivered protection, next-generation antivirus, endpoint protection platform (EPP), and advanced endpoint detection and response (EDR).

    What needs improvement?

    Like any other security tool, there's always room for improvement. Some of the ways the product can be improved are:

    - Vendor needs to understand a one-size-fits-all approach will not work with addressing TAC cases and service requests. For "once in a blue moon" cases, most approaches still sound like the engineers are acting off of a runbook. In this case the recommended solutions will not totally align with the scenario.

    - Since customers do not have the ability to allow or decline console updates, there have been a number of instances where the console GUI appears buggy and functionalities do not work correctly after an upgrade. This can be improved by informing customers prior to the upgrades.

    Other additional features that should be improved in next releases include:

    - The dashboard is great for quick visibility prior to a deeper dive; however, making the dashboard more customizable will improve interaction, grant the ability to filter out irrelevant outputs, and encourage personalized drill-downs based on daily requirements.

    - Integration with enterprise monitoring applications and ticketing systems that differentiates noise, forwards events, generates tickets, and has them automatically assigned to the application-owning group.

    For how long have I used the solution?

    I have been using Cisco AMP for Endpoints for about three years; this is inclusive of my prior assignments before being the SME for the application within the firm.

    What do I think about the stability of the solution?

    Stability is below average. There have been several issues with frequency of release, feature release and wait time for overhanging time-bombs. 

    From a customer standpoint, these releases are aimed at fixing known bugs from the last release and introducing new features, either in beta or live versions. However, this means that an enterprise running 50K+ endpoints needs to go through the rigors of setting up test/dev/qa/pilot, then production, for each iteration, so as to limit the blast radius.

    This can be tasking as the frequency increases.

    What do I think about the scalability of the solution?

    Long story short, Cisco AMP is scalable. Having used the product as a 'demanding' customer, I can attest to the availability of proper technical documentation and seamless integration with existing applications, infrastructure, and appliances.

    How are customer service and technical support?

    - Vendor needs to understand a one-size-fits-all approach will not work with addressing TAC cases and service requests. For "once in a blue moon" cases, most approaches still sound like the engineers are acting off of a runbook. In this case the recommended solutions will not totally align with the scenario. Also, escalations could be more flexible; for instance, certain case priorities (P2, P1) require phoning in, which can be fuel to an already burning bush.

    How was the initial setup?

    From my understanding, initial setup was tasking with various gray areas. For a new customer trying to set up AMP, there is room for improvement. 

    The initial deployment happened prior to my joining the organization; based on my interactions with the application deployment team, the effort took months.

    Customers can do better during the product's initial setup if the vendor provides documentation that suggests important objectives like naming conventions, default config, and a collection of the product's best practices.

    What about the implementation team?

    In-house

    What was our ROI?

    AMP is worth the money. In recent years, we have spent less time/money and require fewer human resources for task completion. On the higher level, this has saved the firm the need to hire more security engineers to manage the application, reducing overhead cost.

    A discrepancy with the number of assets per license should be reviewed to apply based on preference or number of endpoints versus ranges.

    Compared to other competitors, there's a significant price difference, although different applications tend to focus more on different cybersecurity functionality.

    What other advice do I have?

    It's been really interesting working with the application, going from 5.X.X connector versions up until 7.X.X. As previously highlighted, there are numerous ways to improve the product. Working with the engineers in previous cases, there is the zeal to improve and an attitude that embraces change.

    Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
    Gassan Shalabi - PeerSpot reviewer
    Manager at UCloud
    Real User
    Top 20
    Catches and blocks harmful files, viruses, and trojans
    Pros and Cons
    • "I'm only using the AMP (advanced malware protection) which is protecting my file system from all the malicious things that might happen. It should protect all kinds of things that might happen on the servers, things that I cannot see."
    • "They could improve the main dashboard to more clearly show me the things that I want to see. When I open the dashboard right now, I see a million things and they are not always the things that I need."

    What is our primary use case?

    I'm hoping that this is protecting me from all the harmful issues that are happening, because we know exactly what kind of world we are living in on the internet.

    How has it helped my organization?

    I rely on this system. I am hoping that everything is fine with the system and that it will catch any harmful file or virus or trojan. If any of those things happen on my network, it will hold it or stop them.

    It has helped to simplify cybersecurity in my company. I see that there are files that have been blocked. I don't go deep into the reports that I get from the system, but I believe that it's doing its job. I haven't had any serious problems.

    What is most valuable?

    I'm only using the AMP (advanced malware protection) which is protecting my file system from all the malicious things that might happen. It should protect all kinds of things that might happen on the servers, things that I cannot see.

    What needs improvement?

    They could simplify the solution and make it a little bit easier to understand how things are happening or if something serious has happened. They could improve the main dashboard to more clearly show me the things that I want to see. When I open the dashboard right now, I see a million things and they are not always the things that I need.

    I would also like it to update itself so that I don't need to click to make that happen. Of course, having to click is not a hard thing to do, but I would like to see things done automatically as much as possible.

    For how long have I used the solution?

    I have been using Cisco Secure Endpoint for a long time. I used it in the last company I worked for and, when I opened my own company, I also started using it. I have been using it for around five years at least.

    What do I think about the stability of the solution?

    It's very stable.

    What do I think about the scalability of the solution?

    I have it installed on about 40 clients. To increase the number of endpoints I just need to download the connector and install it.

    How are customer service and support?

    I have had some difficulties, but I received support from Cisco and, in the end, it was okay. I cannot complain.

    It took me some time to understand how to send in a request. It would be very easy if there were a chat on their site or if it could be done via WhatsApp. But I had to look for an email address, where to send and what were the details that they asked from me at the beginning. It wasn't obvious how to reach out to support.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    I did not have a previous solution.

    How was the initial setup?

    The deployment was straightforward. It's easy to understand the steps. I created a profile, downloaded the agent, and installed it on the clients that I wanted it on. The dashboard is in the cloud, hosted by Cisco.

    It is good that you don't have to take care of the system all the time. Once it's installed and stable, you don't need to make adjustments.

    What about the implementation team?

    I used SecureIT and it was perfect. He's very professional and he knows the system. He gave me an introduction to the system and explained the things that I needed to know.

    What was our ROI?

    It's keeping things quiet, so that's a very good return.

    What's my experience with pricing, setup cost, and licensing?

    Cisco Secure Endpoint is not too expensive and it's not cheap. It's quite fair.

    Which other solutions did I evaluate?

    I looked into SentinelOne two months ago. The question is, is the system protecting me enough or not? Sometimes I ask myself, should I put more security on the servers? Doing so is going to make the system work more slowly. I checked SentinelOne because some of my colleagues who have Cisco AMP had an attack that Cisco AMP did not see.

    What other advice do I have?

    The fact that I've been using it for five years already means that I believe I can trust it. Others can also trust it.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Buyer's Guide
    Download our free Cisco Secure Endpoint Report and get advice and tips from experienced pros sharing their opinions.
    Updated: July 2022