System Administrator at a manufacturing company with 201-500 employees
Real User
Increases operational efficiency and provides insights into threats out there so that I can be more proactive
Pros and Cons
  • "It is extensive in terms of providing visibility and insights into threats. It allows for research into a threat, and you can chart your progress on how you're resolving it."
  • "In Orbital, there are tons of prebuilt queries, but there is not a lot of information in lay terms. There isn't enough information to help us with what we're looking for and why we are looking for it with this query. There are probably a dozen queries in there that really focus on what I need to focus on, but they are not always easy to find the first time through."

What is our primary use case?

We rely on it for antivirus. There are probably three levels, and we have the bottom tier, the most basic one.

It is on Cisco's cloud. We have the client installed on all workstations, but we don't have a server.

How has it helped my organization?

It just gives me more insights into what threats are out there on the machines, so I can be more proactive.

Actionable alerts in the security console are helpful. With the security console, I immediately get to know about an issue. So, it has sped things up. It also gives you a way to research and see if an issue is spreading, so it has assisted quite a bit.

It definitely gives a starting point for investigating and mitigating threats. It has research tools, and we can run queries. I have used its Orbital Advanced Search feature. I have run quite a few queries to determine what is out on the network or on the devices that could be a threat. It could be something that is misconfigured or something that we don't want to have running. It is able to quickly run these queries.

I usually use the Orbital Advanced Search feature for groups. I use it to look for commonality for a threat thread, and it provides good visibility. I've never used it for just one endpoint.

Orbital Advanced Search helps in reducing the attack surface and investigating real-time data on endpoints. I've only used it a handful of times, and I was mostly looking for whether or not an update has been applied.

Orbital Advanced Search definitely saves time. I assume money goes right along with time. I don't have to go from desktop to desktop. I have 50 desktops, and if I'm looking for something in particular, it would take at least 15 to 20 minutes per desktop.

We use Cisco Umbrella. The integration when you use the SecureX console is really good to go from one to the other. I have pulled the endpoint and Cisco Umbrella into SecureX, so I just have one console. It was easy to integrate. They provided really good instructions. This integration just made things more convenient.

It simplifies endpoint protection, detection, and response workflows, especially for threat hunting. The way it is set up, with the console, I would get to know quickly that we have an issue. It increases operational efficiency because I don't have to go from desktop to desktop. I'm also proactive instead of reactive.

It has minimized security risks to our business. I've had several desktops where they have triggered an alert, and all I had to do was to go and clean that machine out before the problem spread. 

It allows us to focus on the incident instead of investigating the group, so we are more efficient. It has decreased our time to remediate because we're focusing on the machines we need to.

It has decreased our time to detect. I can't quantify the time, but in some of the older antiviruses, the user would say, "Okay, I've got a pop-up, and it has flagged this or that," and then you'd have to go look for it. With this, I know ahead of time, or I know when it happens. 

What is most valuable?

We use it as an antivirus. The audit logs are valuable. 

It is extensive in terms of providing visibility and insights into threats. It allows for research into a threat, and you can chart your progress on how you're resolving it.

It is quite comprehensive in terms of endpoint protection. I haven't found anything where it was lacking in terms of the protection of our Windows machines.

What needs improvement?

While I've attended a lot of their training webinars, they were mostly high-level. They just say that these are the features, and this is how you access them, but I would like to see more scenario-based information. They should provide us examples of how to resolve something when we see something happening. They should give us an example of the flow on how to resolve it.

In Orbital, there are tons of prebuilt queries, but there is not a lot of information in lay terms. There isn't enough information to help us with what we're looking for and why we are looking for it with this query. There are probably a dozen queries in there that really focus on what I need to focus on, but they are not always easy to find the first time through.

Buyer's Guide
Cisco Secure Endpoint
April 2024
Learn what your peers think about Cisco Secure Endpoint. Get advice and tips from experienced pros sharing their opinions. Updated: April 2024.
768,857 professionals have used our research since 2012.

For how long have I used the solution?

I have been using this solution for about a year. My company had it for about a year and a half before I joined.

What do I think about the stability of the solution?

I haven't had any issues with it except for a connector issue. They quickly put out a new one and got rid of the problem. So, it seems to be really stable, and they seem to be reactive when there is a problem.

What do I think about the scalability of the solution?

It is good in terms of keeping the machines updated. It is easy to get it installed on the desktop and keep it updated. We have a little over 100 users. They are administrators, project managers, field supervisors, engineers, and sales and support staff, so we have quite a mix.

We have deployed it on all desktops and laptops currently. I am going to start looking at adding it to mobile devices. Currently, we only have Windows machines covered. We are working on getting it set up on the Mac mobile devices. So, eventually, we will have a lot more depth than we have now.

How are customer service and support?

I never had to reach out to them. So far, I have been able to find the documentation that I needed.

Which solution did I use previously and why did I switch?

I've only been with the company for a year. They had it when I got there, and we haven't changed anything since then.

I've used McAfee and Norton, and it does much better than them.

How was the initial setup?

I wasn't involved in the initial setup. They did that before I joined the company.

Its maintenance is done by me. I'm the only IT person. It is not a large company, so it isn't a bad thing.

What was our ROI?

It is kind of hard to say what would have happened if you didn't have it. We've got a very stable environment, and it seems to be doing its job. So, I assume we're getting a return on investment.

What's my experience with pricing, setup cost, and licensing?

The pricing was negotiated before I started, so I don't really know.

What other advice do I have?

I would advise others to take a real hard look at it because it is a good solution for companies of our size. I like the fact that it is managed in the cloud. I don't have to maintain a server presence. It is easy to use. It was a bit of a learning curve to start with because I was completely unfamiliar with it. I just dug in there and figured it out. Its documentation is fairly good.

If you go through SecureX, everything is right there in terms of user access and device protection. This integration is nice, but so far, it hasn't really saved me any time. It may in the future.

I believe it makes it possible to see a threat once and block it everywhere across all endpoints and the entire security platform, but I never had to do that.

I would rate Cisco Secure Endpoint an eight out of 10.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Systems Architect at a consultancy with 5,001-10,000 employees
Real User
Continues to decrease the man-hours needed to perform tasks, such as threat hunting and incident response
Pros and Cons
  • "Integration is a key selling factor for Cisco security products. We have a Cisco Enterprise Agreement with access to Cisco Email Security, Cisco Firepower, Cisco Stealthwatch, Cisco Talos, Cisco Threat Grid, Cisco Umbrella, and also third-party solutions. This is key to our security and maximizing operations. Because we do have the Email Security appliance and it is integrated with Threat Response, we have everything tied together. Additionally, we are using the Cisco SecureX platform, as we were a beta test for that new solution. With SecureX, we are able to pull all those applications into one pane for visibility and maintenance. This greatly maximizes our security operations."
  • "The room for improvement would be on event notifications. I have mine tuned fairly well. I do feel that if you subscribe to all the event notification types out-of-the-box, or don't really go through and take the time to filter out events, the notifications can become overwhelming with information. Sometimes, when you're overwhelmed with information, you just say, "I'm not going to look at anything because I'm receiving so much." I recommend the vendor come up with a white paper on the best practices for event notifications."

What is our primary use case?

AMP was purchased for our organization in response to continued threats that we had from malware and malicious activity on our endpoints. We received AMP for Endpoint and also AMP for Networks as part of our Cisco Security ELA. The solution has made a huge impact on the visibility of what has actually been transpiring at the process level on our servers and workstation endpoints, as well as being able to look in detail at those processes to see who executed those processes and what the trajectory was for those processes.

AMP for Endpoints is Software as a Service. It's a subscription service. You do download a connector onto the endpoint. Then, there is the option to run it in an air-gap mode where you connect to a local server that does back out to the AMP Cloud. However, that's not the deployment we have in our case; we have it connecting back directly to Cisco Cloud Security.

How has it helped my organization?

While I can understand from a theoretical standpoint how some organizations may not want a cloud connection, it increases the processing and detection because of ETHOS and SPERO detection. Throughout all the other Cisco security products, it is able to add this detection into the threat analytics through Threat Grid and Threat Response for other customers who have the same type of hash in their environment. There are options if you want to submit a file to be removed after submission and also for it to be submitted anonymously.

We tie AMP into our SIEM so we are receiving alerts through the SIEM. I also have AMP independently send me alerts. I have these alerts finely tuned so I'm getting the right severity level on events where I am being notified. If you choose to receive a notification on all events, potential malware, or potentially unwanted applications, you're going to have an overload of information. Therefore, AMP allows the ability to go through and fine tune the alerts, both in the console and remotely, so you get a proper level of notification to make actionable requests and executions.

In our organization, we have about 95 percent Windows operating systems. Then, we have about five percent Mac OS. Therefore, Cisco AMP covers 100 percent of our endpoints. It's totally comprehensive.

I had a conversation with my CIO about a week ago. We are seeing more security incidents in our organization. However, we believe these events have always occurred, and that we are more aware of them now. For example, last Thursday we had an incident where a device tried to go and reach out to a malicious website. Because of the integration we have with Threat Response between Umbrella with WSA and AMP, we were able to stop that malicious activity. That's something we wouldn't have been previously aware of: if we had an endpoint out there trying to reach out to a malicious site, until it hit our perimeter security, we wouldn't have been aware of that. You don't always want to rely on your perimeter security for everything, as it won't catch everything all the time. Therefore, you want a multilayered approach, and having Cisco AMP and Cisco Threat Response helps us to accomplish that.

What is most valuable?

There are several valuable features that AMP offers:

  • Application blacklist
  • Threat Response
  • Cognitive Threat Analytics
  • Threat Grid
  • Orbital
  • Endpoint Isolation

We regularly use all these features on a daily basis. E.g., if we have an alert stating exploit prevention was detected on an endpoint, we will look to see what the hash for that executable/application was, then we can add it to a simple blacklist. Then, everyone else in the organization with AMP for Endpoint running that device can prevent it from running. This is really useful in the event that you have some type of malware incident or event where something is trying to propagate. You can squash it then and there. 

There is also the ability, if you have one device that is running something that's really malicious, to go ahead and put that device in isolation mode to prevent any further spread or damage.

I have used Orbital for searching and taking a bit of a deeper dive. It provides detail on assets, users logged in, the IP address, and architecture. It also helps with going through posture assessment, threat hunting, and forensics. 

What needs improvement?

The room for improvement would be on event notifications. I have mine tuned fairly well. I do feel that if you subscribe to all the event notification types out-of-the-box, or don't really go through and take the time to filter out events, the notifications can become overwhelming with information. Sometimes, when you're overwhelmed with information, you just say, "I'm not going to look at anything because I'm receiving so much." I recommend the vendor come up with a white paper on the best practices for event notifications.

As far as reducing the attack surface, Orbital really doesn't decrease that surface.

For how long have I used the solution?

I have been using Cisco AMP for about 18 months.

What do I think about the stability of the solution?

With most applications, whether it's AV or some type of IDS/IPS running on an endpoint, you will have some type of performance hit or degradation of the endpoint's performance. Out of all the devices that we've put AMP on, which is around 1,000 devices at this point, we have only had one device that had a problem with performance using AMP. So, we were able to go through and tune the policy from the AMP console for that one endpoint. The overall view of AMP's performance is very good.

What do I think about the scalability of the solution?

You have the same deployment process and methodology for 10 to 10,000. Therefore, it scales very well.

How are customer service and technical support?

I have never had to use tech support for this solution.

Which solution did I use previously and why did I switch?

Threat Response is integrated with AMP and all the other Cisco security products. That has really helped to decrease the troubleshooting time. Back in the legacy days of AV and Endpoint Protection, the typical workflow would be, "Okay, I have a machine over here that has been infected. I have to figure out all the files which touched it." It was almost impossible to retroactively go back and see everything it touched and where it all went.

You had to witness the malware in the wild (in real-time) to figure out what it was doing. With Threat Response, you are able to see its executables and trajectory across your network, then where it tried to reach the outside world. All of this helps to mitigate our threat response from days or hours to just a few minutes.

Prior to Cisco AMP, we used Sophos Intercept X, which we still do use, and we also used Carbon Black.

How was the initial setup?

The initial setup was extremely straightforward. I performed the initial install, and I maintained it ever since.

The deployment took about 30 minutes.

The deployment plan was to get the console and policies configured. Once the policies were configured, we started with the servers first because the servers were easier for us to get our hands on and ensure that the connector was installed. Secondarily, we went out to the workstation level endpoints and installed there.

What about the implementation team?

There is Cisco documentation on best practices for your specific endpoints. My recommendation would be to get with your Cisco support team or account manager and obtain the most recent iteration of that document to ensure that your deployment goes as smoothly as possible. While the deployment will go smoothly, the main thing that this document does ensure is you have the correct policies configured per endpoint type. E.g., you have a different type of policy for a workstation versus a server.

What was our ROI?

We have seen ROI, but it's hard to calculate that return on investment in terms of actual dollars because it's more man-hours. Time spent on other projects is possible because of the optimization and performance that we have by utilizing AMP.

AMP for Endpoints simplifies endpoint protection, detection, and response workflows. It continues to decrease the man-hours needed to perform tasks, such as threat hunting and incident response.

It has decreased time to detection by 95 percent. A lot of the time, prior to having AMP, even with our traditional AV protection, we weren't aware of any type of malicious activity until it had an impact on the organization.

We had a 97 percent reduction in time to remediation, because it's almost instantaneous. In the 18 months that we've had AMP, there has not been malicious activity on an endpoint that we weren't able to resolve immediately.

In our organization, Orbital definitely does save time. Anything that we can do in our organization to save time is crucial, as we have a small IT staff. Therefore, we really need to find force multipliers.

For each incident which occurs, whether it's an exploit prevention or malware detected, Orbital is saving us five to eight hours per incident. In one week, it could save eight hours, and then another week, it could save 32 hours. It just depends on the malicious activity for any given week.

What's my experience with pricing, setup cost, and licensing?

Whenever you are doing the licensing process, I would highly advise looking at what other Cisco solutions you have in your organization, then evaluating if an Enterprise Agreement is the best way to go. In our case, it was the best way to go. Since we had so many other Cisco products, we were able to tie those in. We were actually able to get several Cisco security solutions for less than if we had bought three or four Cisco security solutions independently or ad hoc.

In our case, it is a straightforward annual payment through our Enterprise Agreement.

Which other solutions did I evaluate?

We evaluated Carbon Black before going with Cisco AMP. The reasoning behind going with AMP over Carbon Black was we already had other Cisco security products in our organization. Therefore, AMP was a native integration versus something like Carbon Black where you're looking at a third-party integration. Also, Carbon Black was a bit more cumbersome when it came to performing a lot of the tasks that AMP performs. Carbon Black was first to market with things like endpoint isolation. However, after speaking with our Cisco account reps, we did realize that, "Okay, Endpoint Isolation is coming to AMP. It's just not there yet." That did come to fruition, so there wasn't an advantage to using Carbon Black over AMP. Plus, there were several advantages to using AMP over Carbon Black. That's what led to our decision.

What other advice do I have?

Integration is a key selling factor for Cisco security products. We have a Cisco Enterprise Agreement with access to Cisco Email Security, Cisco Firepower, Cisco Stealthwatch, Cisco Talos, Cisco Threat Grid, Cisco Umbrella, and also third-party solutions. This is key to our security and maximizing operations. Because we do have the Email Security appliance and it is integrated with Threat Response, we have everything tied together. Additionally, we are using the Cisco SecureX platform, as we were a beta test for that new solution. With SecureX, we are able to pull all those applications into one pane for visibility and maintenance. This greatly maximizes our security operations.

Orbital just went from beta to production recently, so I haven't had the opportunity to go through and do a complex search on anything yet.

Biggest lesson learnt: How impactful proper tool utilization in an organization can be to the overall efficiency.

I would rate the solution a 10 (out of 10).

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Berkhan Yaman - PeerSpot reviewer
Cyber Security Specialist at a tech services company with 11-50 employees
Reseller
Top 5
Multi-layered protection that allows complete visibility and control with significant limitation in speed
Pros and Cons
  • "It provides real-time visibility and control over endpoints, allowing its users to promptly respond to any security incidents and remediate any vulnerabilities."
  • "Due to the complexity of the technology that is used and its advanced threat detection capabilities, it is possible to encounter many delays in operation."

What is our primary use case?

We use it to deliver the best endpoint protection and control for our clients. We offer them MSSP services for their products, so they are assured that their product is fully visible and protected.

How has it helped my organization?

It offers advanced threat protection by using machine learning to prevent any possible cyber threat, including malware and ransomware. We get complete real-time visibility and control over the system, so it is easy to track any possible data breaches. You can see on the report what kind of tactic was used and at what time. It provides a comprehensive security posture for our company.

What is most valuable?

It provides real-time visibility and control over endpoints, allowing its users to promptly respond to any security incidents and remediate any vulnerabilities.

What needs improvement?

Due to the complexity of the technology that is used and its advanced threat detection capabilities, it is possible to encounter many delays in operation. It can impact the business itself, so I would suggest an improvement in that area.

For how long have I used the solution?

I have used this product for seven months. 

What do I think about the stability of the solution?

I am highly satisfied with the stability. I would rate it nine out of ten.

What do I think about the scalability of the solution?

It offers good scalability. I would rate it eight out of ten.

How are customer service and support?

They provide good customer service and support. I would rate it eight out of ten. 

How would you rate customer service and support?

Positive

What about the implementation team?

The deployment process is seamless and fast. After the suitable option is selected and downloaded, it only takes a few steps to complete it and deploy it. The efficiency and promptness of the process greatly depend on the performance of the computer. 

What's my experience with pricing, setup cost, and licensing?

It is quite cost-effective. I would rate it ten out of ten.

What other advice do I have?

It is a very good product overall. It provides multi-layered protection, but its promptness is challenged, so that is something that should be worked on. I would rate it eight out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: My company has a business relationship with this vendor other than being a customer:
PeerSpot user
Ahmed-Dawood - PeerSpot reviewer
CEO at Oriental Weavers
Real User
Top 10
It is stable, easy to scale and I like the price
Pros and Cons
  • "I am really satisfied with the technical support."
  • "I would like more seamless integration."

What is most valuable?

I like that this program is very light on the computer and very powerful. I also like the price.

What needs improvement?

I would like more seamless integration, because I have a security solution based on Cisco and I'm looking at integration for the old solution. It would be much easier for the security administrator to monitor integration.

For how long have I used the solution?

I have been using this solution for almost a year now.

What do I think about the scalability of the solution?

I guess it's easy to scale, because I started a project with the requirements, and when I needed to move forward to scale it up, it was so easy. We currently have around 50 users.

How are customer service and technical support?

I am really satisfied with the technical support.

Which solution did I use previously and why did I switch?

I also use Trend Micro. I use both programs, because they have different security layers. Both programs are very good.

How was the initial setup?

The initial setup was straightforward as we used one of the Cisco partners. The deployment took a couple of days. 

What other advice do I have?

On a scale from one to ten, I will rate this solution an eight. I do recommend it to others.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Solution Architect / Presales Engineer at a comms service provider with 1,001-5,000 employees
Real User
Offers a good scope and a good ability to shut attacks down then go back and see what happened
Pros and Cons
  • "The simplicity of use is its most valuable feature. You can very clearly see things."
  • "The initial setup is a bit complex because you need to execute existing antiviruses or security software that you have on your device."
  • "In the next release, I would like it to have backup abilities. I would like the ability to go back to a point in time when my PC was uninfected and to the moment when the infection happened."

What is our primary use case?

I use the public cloud deployment model. I have installed the license, the software, on my VM and it is being managed by Cisco Cloud.

My primary use case for this solution is to test it against malicious links and for encryption and decryption. 

What is most valuable?

The simplicity of use is its most valuable feature. You can very clearly see things. You have the ability to go back in time and get details, where the malware started, what happened and where it went from the minute it got in. It offers a good scope and a good ability to shut it down then go back and see what happened. 

What needs improvement?

It should be doing backups. Every stage that this malware is going forward, it should snapshot the situation. Then I could go back to the first stage before it got infected. It doesn't have this option, and I know that other manufacturers have it, like Check Point, for example. 

In the next release, I would like it to have backup abilities. I would like the ability to go back to a point in time when my PC was uninfected and to the moment when the infection happened.

For how long have I used the solution?

I have been using AMP for Endpoints for three months.

What do I think about the stability of the solution?

The stability is good. 

What do I think about the scalability of the solution?

I haven't needed to scale up yet but from what I see it's supposed to be easy. My organization sells this solution. We provide the service and management of the environment of our clients. 

It only requires one staff member for deployment and maintenance. 

I'm looking to expand the usage. I offer this solution to almost every endpoint SMB client. I'm looking to establish a faster solution and I meet with clients to discuss their network security. 

How are customer service and technical support?

We haven't needed to contact their technical support because we've never had a problem that we couldn't resolve ourselves. 

Which solution did I use previously and why did I switch?

We were previously using Check Point Sandblast Agent. We switched because it wasn't as stable as this one. We had some problems with it and we needed to contact their support and it wasn't so good. I would get tough questions from my clients so eventually I told them that we would look into other solutions.

We also work with Fortinet but I prefer AMP. 

How was the initial setup?

The initial setup is a bit complex because you need to execute existing antiviruses or security software that you have on your device. 

The deployment took around fifteen to twenty minutes. 

What about the implementation team?

I deployed it myself. I am the consultant who does the deployments. 

What's my experience with pricing, setup cost, and licensing?

The cost of 50 licenses of AMP for three years is around $9,360. There are no additional costs.

What other advice do I have?

Just purchase the license, download it, install it to an active device, the main controller, and send it to everyone. My advice is that you need to delete your existing endpoint security solution because AMP actually contains everything that you need. Those two pieces of software can attack each other, which can be a problem.

I would rate it a nine out of ten. 

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.
PeerSpot user
Technical Engineer at a healthcare company with 5,001-10,000 employees
Real User
Top 20
Works well and helps with compliance, but logging could be better
Pros and Cons
  • "The VPN is most valuable. It's the best thing in the market today. We can use two-factor authentication with another platform, and we can authenticate with two-factor."
  • "Logging could be better in terms of sending more logs to Cisco Firepower or Cisco ASA. That's an area where it could be made better."

What is our primary use case?

We are using it for remote users, and that's our main reason for using it. We have a lot of colleagues who work outside the organization, and they need to connect to the local, on-prem resources for file sharing and other things that we have in our data center. That's it.

How has it helped my organization?

It helped to free up our IT staff's time. We don't need to manually check everything in the compliance area. Everything is automated, so we don't need to check all the time. I don't know how much time it has saved, but it helped us a lot.

What is most valuable?

The VPN is most valuable. It's the best thing in the market today. We can use two-factor authentication with another platform, and we can authenticate with two-factor.

What needs improvement?

Logging could be better in terms of sending more logs to Cisco Firepower or Cisco ASA. That's an area where it could be made better.

For how long have I used the solution?

We've been using this solution for five or six years. 

What do I think about the stability of the solution?

We do not have any challenges, and we are fine with it. We are using it only for external endpoints, and we are very comfortable with it. 

What do I think about the scalability of the solution?

We don't see any difficulty there.

How are customer service and support?

It's very nice. You get feedback very easily. I'd rate them an eight out of ten.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We were using another solution before. We switched because we have Cisco everywhere, and the best way is to go for Cisco for everything. That's our strategic plan.

How was the initial setup?

Its initial setup is straightforward, but I have been working with Cisco products for about 10 years. I have knowledge of how to use it, and it's very easy for us to implement.

The process of migration was easy. We have our own tools to migrate from the old one. In our environment, everything is on-prem, and we also have redundancy for the central equipment.

What about the implementation team?

We implement it ourselves. The number of people required depends on how big the organization is. We are not so big. We are a middle-sized organization, and for our use case, three or four people were involved in the planning and implementation.

What was our ROI?

We have not seen an ROI.

What's my experience with pricing, setup cost, and licensing?

We faced some license issues, but it has improved. At the beginning of the implementation, we faced a lot of licensing issues, but now we have EA licensing, which gives us an opportunity to grow.

What other advice do I have?

If you have a Cisco environment inside, it's best to have a Cisco solution for the outside. You don't need to use multiple vendors because it can be difficult for them to communicate with each other. Sometimes, there can be difficulties when you have different vendors.

Overall, I'd rate it a seven out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Security Officer at a healthcare company with 51-200 employees
Real User
Gives great network visibility by showing how a file interacts with other systems, devices, and files
Pros and Cons
  • "The visibility and insight this solution gives you into threats is pretty granular. It has constant monitoring. You can get onto the device trajectory to look at a threat, but you can also see what happened prior to the threat. You can see what happened after the threat. You can see what other applications were incorporated into the execution of the threat. For example, you have the event, but you see that the event was launched by Google Chrome, which was launched by something else. Then, after the event, something else was launched by whatever the threat was. Therefore, it gives you great detail, a timeline, and continuity of events leading up to whatever the incident is, and then, after. This helps you understand and nail down what the threat is and how to fix it."
  • "One of the best features of AMP is its cloud feature. It doesn't matter where the device is in regards to whether it's inside or outside of your network environment, especially right now when everybody's remote and taken their laptops home. You don't have to be VPNed into the environment for AMP to work. AMP will work anywhere in the world, as long as it has an Internet connection. You get protection and reporting with it. No matter where the device is, AMP has still got coverage on it and is protecting it. You still have the ability to manage and remediate things. The cloud feature is the magic bullet. This is what makes the solution a valuable tool as far as I'm concerned."
  • "The one challenge that I see is the use of multiple endpoint protection platforms. For instance, we have AMP, but we also have Microsoft Windows Defender, System Center Endpoint Protection, and Microsoft Malware Protection Engine deployed. So, we have a bunch of different things that do the same thing. What winds up happening is, e.g., if I get an alert for a potential incident or malware and want to pull the file, I'll go to fetch the file to analyze it. But, one of these other programs has already gotten it, so the file has already been quarantined by another endpoint protection system. AMP doesn't realize that and the file fetch fails, then you're left wondering what's going on."

What is our primary use case?

AMP for Endpoints has Endpoint Connectors, which are agents on the endpoints, providing security against malware and intrusion detection. It also provides intrusion prevention. We install the Connector on all the endpoints before they're deployed and also on our virtual desktop images. They provide constant monitoring and alerting on any events or potential threats to let us know when there is something going on that we can further investigate.

AMP intersects with a bunch of other Cisco tools, such as Threat Grid, Threat Response, and Talos Intelligence to identify threats, then automatically quarantine or remove them. It also gives you the ability to isolate endpoints to prevent further spread of any sort of malware, like a virus that might infect other machines.

How has it helped my organization?

The visibility and insight this solution gives you into threats is pretty granular. It has constant monitoring. You can get onto the device trajectory to look at a threat, but you can also see what happened prior to the threat. You can see what happened after the threat. You can see what other applications were incorporated into the execution of the threat. For example, you have the event, but you see that the event was launched by Google Chrome, which was launched by something else. Then, after the event, something else was launched by whatever the threat was. Therefore, it gives you great detail, a timeline, and continuity of events leading up to whatever the incident is, and then, after. This helps you understand and nail down what the threat is and how to fix it.

The solution’s actionable alerts in the security console are granular. They take you right to whatever the incident was so you can start investigating it. One thing that I have noticed lately, as we have spun up more tools associated with our Enterprise Agreement, is that AMP interfaces with all of them, then takes on some automated actions. One of the things AMP does if there's an incident is give you an alert, because a threat was detected. You can click on the threat that's detected, then it takes you right to it in the timeline. Finally, you can pull/fetch the file and submit it for analysis. However, it will also do that automatically.

Cisco is standing up so much stuff right now. This solution interfaces with Talos Intelligence, Threat Grid, Threat Response, and SecureX. All of these things are integrating together and a lot of stuff is now starting to happen automatically, e.g., if a threat is detected, it is automatically interfacing with Talos Intelligence to figure out what that threat is and the hash value of whatever file that is. If it thinks it's suspicious, it automatically submits it to Threat Grid, which detonates the file in the sandbox, but also in the cloud, and returns a report saying whether the file, or whatever it is, is an actual threat/incident. Then, it remediates and quarantines it, and you find out about it later. It's doing a lot of stuff in the background as the integration with other tools increases.

Cisco Threat Response accelerates security operation functions. It gives you great visibility into your network. You start with a hash value, and you can search for that hash value within your environment by just dropping it into Threat Response. Then, it'll show you how that file has interacted with other files, systems, and devices. It gives you immediate visibility with a chart that shows you where that file has gone and where it's been. If you're looking to contain outbreaks, it's all there.

Cisco AMP simplifies endpoint protection detection and response workflows, such as security instigation. It really shortens the window to respond to an incident. You can do something in five minutes that probably would have taken several days in a big, diverse, ambiguous environment, where you have a lot of people working remotely. It would be tough to run down all this stuff. It is saving not only time, but manpower. Another person plus myself can now fix a problem. Whereas before, I would have to crawl through four or five different people before I got the right guy to get to the right place to do the thing that I needed him to do.

What is most valuable?

I like all the features. They're continually adding features to the product as well. One of the most recent features that they added is Orbital Advanced Search, which gives you great visibility into each individual endpoint. If you need to go look and see what's going on, it gives you that ability very easily.

I've only used Orbital Advanced Search on individual endpoints. Unless what I'm looking for is of great urgency, then I don't want to run very complex queries because they can take a lot of time and use a lot of resources for the endpoint. I'm still getting used to it so I don't know its full capabilities, such as, what it can do without interrupting the use of the endpoint. However, if the endpoint is compromised, it doesn't really matter. If I'm just investigating an incident, I don't want to lock the box up if a user is still trying to use it while I'm trying to figure out what's going on.

The Orbital Advanced Search is a great tool that gives you visibility. Otherwise, you would have to track down the device physically and possibility even do a forensic image of it to figure out what happened, or take it out of the environment just to investigate it. Having the ability to use Orbital to get the information off of a device to determine whether it's legitimately compromised, or if something weird is just going on, shortens the timeline of your response because you have immediate availability and visibility into the device that might be compromised.

Orbital helps reduce attack surface and investigate real-time data on our endpoints. For example, a device alerted in AMP for having a potential browser hijacker. At the same time, the user was also opening a help desk ticket because they were unable to access some online resources necessary for them to be able to work. I was then able to get on the device using Orbital (out of AMP) to locate the device and figure out what was going on, and it was a legitimate infection of a virus: It was a browser hijacker. All that happened in the span of five minutes, and I was able to get one of my guys out there to remove the device from our environment, reimage and replace it with another device.

I was able to figure out what was going on with that device in the span of five to 10 minutes. Then, I was able to have a guy onsite within the next three hours to get the device out of our environment. Previously, that would have taken days to figure out what was going on with the device, remote into the device, and find out where the device was physically, then get somebody to go to where the device was physically and pull the device out of the environment. That used to be a much longer process, and the longer that you have a threat risk in your environment, the riskier it becomes.

One of the best features of AMP is its cloud feature. It doesn't matter where the device is in regards to whether it's inside or outside of your network environment, especially right now when everybody's remote and taken their laptops home. You don't have to be VPNed into the environment for AMP to work. AMP will work anywhere in the world, as long as it has an internet connection. You get protection and reporting with it. No matter where the device is, AMP has still got coverage on it and is protecting it. You still have the ability to manage and remediate things. The cloud feature is the magic bullet. This is what makes the solution a valuable tool as far as I'm concerned.

What needs improvement?

The solution’s endpoint protection, in terms of the operating systems and devices that it protects, is pretty comprehensive. The one challenge that I see is the use of multiple endpoint protection platforms. For instance, we have AMP, but we also have Microsoft Windows Defender, System Center Endpoint Protection, and Microsoft Malware Protection Engine deployed. So, we have a bunch of different things that do the same thing. What winds up happening is, e.g., if I get an alert for a potential incident or malware and want to pull the file, I'll go to fetch the file to analyze it. But, one of these other programs has already gotten it, so the file has already been quarantined by another endpoint protection system. AMP doesn't realize that and the file fetch fails, then you're left wondering what's going on. 

It's a rapidly evolving product. Every time they turn on a new feature, you're going to have glitches. Recently, they put out a bad version of a Connector, but they put out a new version of a Connector every other week it seems, so they pulled that back and put out a new version.

For how long have I used the solution?

About a year.

What do I think about the stability of the solution?

It is very stable. I haven't noticed it being unstable. It is what it is and does what it does.

On a regular basis, we have four or five network security engineers working on its deployment and maintenance.

What do I think about the scalability of the solution?

It is easily scalable. It's a simple deployment. You can push it out through any sort of desktop management system that you have.

Because we're a hospital, some things (like an imaging device) will not be using the solution as it may stop the imaging software from working. As far as endpoints for regular people who are not doctors using nuclear medicine imaging computers, it is pretty much on all those devices, including all of our virtual desktops. We have about 5,000 endpoints.

How are customer service and technical support?

Their technical support is excellent. I often wind up working with the same people who are responsive, knowledgeable, and available to do live troubleshooting and analysis. They also do a great job of teaching you things that you otherwise wouldn't know about the tool.

Which solution did I use previously and why did I switch?

We still do use System Center Endpoint Protection (SCEP). I am in the security group, and there's an infrastructure group who deploys the desktop. As part of their deployment, not only do they include AMP, they also include the Microsoft tools of various types.

Mostly, AMP affords us utility and visibility. Whereas, we had very little control and visibility into other tools because they weren't ours. We didn't have such great access. For endpoints, it's really been great for us as far as having that level of visibility and ability to control what's going on. To not only have the responsibility for security, but the ability to provide security has been the big deal for us.

When we only had the SCEP solution, we would get alerts but that would be it. We wouldn't have access to the tool to get more information from it. This left us sort of trying to troubleshoot the device in a vacuum without understanding what was going on.

How was the initial setup?

The initial setup was straightforward, easy, and quick. When we first started testing and deploying it, we were installing it on individual machines ourselves. It's just a matter of downloading the Connector or having the URL to the Connector that you just run on the machine. All you need is local admin rights and it takes about five minutes. That's it. 

In our testing environment, deployment was probably a month or two, because we were just testing. Once we felt comfortable with it and started deploying it, we gave it to our desktop engineers because it's an integral part of the image that gets installed on every machine. Therefore, for our entire environment, it probably took a total of four months, since three months were for testing.

Initially, we deployed it to individual desktops for testing. Then, we incorporated it into the standard image deployed on all desktops, laptops, or endpoints.

What was our ROI?

We have absolutely seen ROI. The way that it is starting to integrate and work with all the other Cisco products, as far as the ease of use, visibility, and being able to respond to incidents. We can know if something bad is potentially happening instantaneously and prevent it from happening. We can go to a device and isolate it before it infects other devices. In our environment, that's millions of dollars saved in a matter of seconds.

The solution has made our team more effective and productive.

The solution has decreased our time to detection because we are getting alerts letting us know that something needs to be looked at. Now that it's integrating with all these other tools, it's automatically submitting files for analysis to determine whether they are dangerous. Up until about two months ago, I would get a bunch of alerts about certain files. For example, I used to get alerts about a machine having a file, then I'd have to fetch the file and submit it for analysis. That stuff is happening automatically now. So, I went from about 100 or so odd alerts a week to around five because everything is now happening on its own.

What's my experience with pricing, setup cost, and licensing?

We have an Enterprise Agreement with Cisco for a bunch of tools. This is one of them.

The Enterprise Agreement is like an all-you-can-eat buffet of Cisco products. In that vein, it was very affordable.

Which other solutions did I evaluate?

We looked at a bunch of different things. We looked at Carbon Black along with two or three other of our tools that we didn't really have any control over. 

Cisco AMP came as part of the Enterprise Agreement with Cisco, so it was included. This made it much easier to spin up and use.

What other advice do I have?

You need to look at your exclusions. You need to understand everything you have in your environment that needs to be able to operate. Because one thing AMP does, if it doesn't know what a file is, it will go get that file and isolate/quarantine it. That file might be part of another software platform that's needed to function for whatever it is you do. Chances are you won't have any visibility into whatever that platform is until it stops working, because AMP has quarantined one of the central files for it. Knowing what you have in your environment, what the exclusions are, and how to create and apply those exclusions for those other systems is a key piece.

I think that AMP is really effective in isolating and stopping things that it doesn't know. This is probably good because you don't know if a threat is really a threat until you get a chance to look at it. AMP gets out in front of that. This can cause problems if you don't know that you need to have an exclusion, but you're better safe than sorry.

We are using Cisco Email Security, Cisco Firepower, Cisco Talos, Cisco Threat Grid, and SecureX. We have not stood Stealthwatch up yet. We are refreshing our ISE instance. The integrations across the board have really been a multiplier for each tool individually, and certainly through AMP. It's really launched AMP into another level as far as automation is concerned. The integration of all these tools is seamless and very effective.

I would rate it an eight (out of 10). It is all still a work in progress; it is all still a new thing. Not only is the tool itself a new thing, but how the tool integrates with all the other tools. It's in development.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
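The two workflows this reviewer describes, the device trajectory (what ran before a detection and what it spawned afterwards) and pivoting on a file hash to see every endpoint it has touched, can be modelled on plain process telemetry. The block below is an added example and is not Cisco's code, nor the reviewer's; it reconstructs a parent chain and descendant list for one flagged process and hunts a hash across hosts. The event records, host names, process names and shortened hashes are constructed for illustration, and the example assumes a (host, pid) pair is unique within the window, which real telemetry does not guarantee once pids are reused.

```python
"""Reconstruct a device trajectory and hunt a file hash across hosts.

Added example, not Cisco's code. All events and hashes below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    ts: int        # event time, increasing per host (constructed)
    host: str      # endpoint name (constructed)
    pid: int       # process id
    ppid: int      # parent process id
    name: str      # image name
    sha256: str    # hash of the image, shortened for the example (constructed)


# Constructed telemetry: on ws-01 a browser launches an unknown helper that
# spawns a shell chain; the same helper hash also ran on ws-02.
EVENTS: List[ProcEvent] = [
    ProcEvent(1, "ws-01", 100, 1, "explorer.exe", "aaaa"),
    ProcEvent(2, "ws-01", 200, 100, "chrome.exe", "bbbb"),
    ProcEvent(3, "ws-01", 300, 200, "setup_helper.exe", "f00d"),
    ProcEvent(4, "ws-01", 400, 300, "cmd.exe", "cccc"),
    ProcEvent(5, "ws-01", 500, 400, "powershell.exe", "dddd"),
    ProcEvent(1, "ws-02", 100, 1, "explorer.exe", "aaaa"),
    ProcEvent(6, "ws-02", 310, 100, "setup_helper.exe", "f00d"),
    ProcEvent(1, "ws-03", 100, 1, "explorer.exe", "aaaa"),
]

Key = Tuple[str, int]  # (host, pid); assumption: no pid reuse in the window


def _index(events: List[ProcEvent]) -> Tuple[Dict[Key, ProcEvent], Dict[Key, List[ProcEvent]]]:
    """Build (host, pid) -> event and (host, ppid) -> children lookups."""
    by_key: Dict[Key, ProcEvent] = {}
    children: Dict[Key, List[ProcEvent]] = {}
    for ev in sorted(events, key=lambda e: (e.host, e.ts)):
        by_key[(ev.host, ev.pid)] = ev
        children.setdefault((ev.host, ev.ppid), []).append(ev)
    return by_key, children


def ancestors(events: List[ProcEvent], host: str, pid: int) -> List[str]:
    """Parent chain above (host, pid), oldest first.

    Stops when the parent is not in the telemetry (e.g. ppid 1) or when a
    key repeats, so a corrupted ppid cannot loop forever.
    """
    by_key, _ = _index(events)
    chain: List[str] = []
    seen = set()
    cur = by_key.get((host, pid))
    while cur is not None and (host, cur.ppid) in by_key and (host, cur.ppid) not in seen:
        seen.add((host, cur.ppid))
        cur = by_key[(host, cur.ppid)]
        chain.append(cur.name)
    return list(reversed(chain))


def descendants(events: List[ProcEvent], host: str, pid: int) -> List[str]:
    """Everything spawned, transitively, by (host, pid), in time order."""
    _, children = _index(events)
    out: List[ProcEvent] = []
    stack = [(host, pid)]
    seen = set()
    while stack:
        key = stack.pop()
        if key in seen:
            continue
        seen.add(key)
        for child in children.get(key, []):
            out.append(child)
            stack.append((child.host, child.pid))
    return [e.name for e in sorted(out, key=lambda e: e.ts)]


def trajectory(events: List[ProcEvent], host: str, pid: int) -> Dict[str, object]:
    """Trajectory view of one detection: what ran before it, the event, what followed."""
    by_key, _ = _index(events)
    ev = by_key[(host, pid)]
    return {
        "before": ancestors(events, host, pid),
        "event": ev.name,
        "after": descendants(events, host, pid),
    }


def hunt_hash(events: List[ProcEvent], sha256: str) -> List[Tuple[str, int, str]]:
    """Every (host, pid, name) where the given hash executed: the pivot used
    when a hash is dropped into a search to gauge how far a file has spread."""
    hits = {(e.host, e.pid, e.name) for e in events if e.sha256 == sha256}
    return sorted(hits)


if __name__ == "__main__":
    print(trajectory(EVENTS, "ws-01", 300))
    print(hunt_hash(EVENTS, "f00d"))
```

Running it shows the flagged helper on ws-01 was launched by chrome.exe under explorer.exe and went on to spawn cmd.exe and powershell.exe, while the hash hunt returns both ws-01 and ws-02, which is the list of endpoints to isolate before the file spreads further.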
IT Security Services Owner at Atea AS
Consultant
Its most valuable features are its scalability and advanced threat protection for customers
Pros and Cons
  • "Its most valuable features are its scalability and advanced threat protection for customers."
  • "We would like to have an API integration with a SIEM solution, because as far as I know, it currently hasn't yet been released."

What is our primary use case?

We are trying to provide managed security services. This solution would be part of those managed security services.

How has it helped my organization?

We are in the proof of concept phase and will see how it works.

I hope it will help decrease mean time to detect and respond, because it provides scalability, and we could make an efficient, effective service providing it for customers.

What is most valuable?

  • Scalability.
  • Ability to integrate with SIEM.
  • Advanced threat protection for customers.

What needs improvement?

We would like to have an API integration with a SIEM solution, because as far as I know, it currently hasn't yet been released. We are looking forward to it because it's important for us to integrate the product with a SIEM solution in order to provide our customers a good, robust solution.

It needs major improvement with its ease of integration.

For how long have I used the solution?

Trial/evaluations only.

What do I think about the stability of the solution?

So far, so good.

What do I think about the scalability of the solution?

The scalability is good.

How are customer service and technical support?

We have not had any technical cases.

Which solution did I use previously and why did I switch?

We are providing our customers multiple solutions depending on their needs. So, it's more about what our customer needs. We could go with Cisco or maybe we could go with another vendor (we will see). Right now, we are quite satisfied with Cisco.

How was the initial setup?

For what we have already set up, the process has been straightforward.

What was our ROI?

We are estimating 5 to 10 percent staff productivity increases.

What's my experience with pricing, setup cost, and licensing?

Our partner in Norway does the price negotiation.

Which other solutions did I evaluate?

We are looking for cost-effective, efficient solutions for our customers, and Cisco happens to be one of the vendors who fits into that scope.

Microsoft is another vendor who offers a similar licensing model for this type of solution. There is also McAfee and Trend Micro. It depends on the customer's requirements.

What other advice do I have?

We have some mature security services, like anti-malware. We are looking to broaden our service portfolio and are on the first steps to climb further. 

You should always assess your customers' needs. Once you get that information, you just look for respective vendors. 

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.
Buyer's Guide
Download our free Cisco Secure Endpoint Report and get advice and tips from experienced pros sharing their opinions.
Updated: April 2024