Technical Engineer at a healthcare company with 5,001-10,000 employees
Works well and helps with compliance, but logging could be better
Pros and Cons
- "The VPN is most valuable. It's the best thing in the market today. We can use two-factor authentication with another platform, and we can authenticate with two-factor."
- "Logging could be better in terms of sending more logs to Cisco Firepower or Cisco ASA. That's an area where it could be made better."
What is our primary use case?
We are using it for remote users, and that's our main reason for using it. We have a lot of colleagues who work outside the organization, and they need to connect to the local, on-prem resources for file sharing and other things that we have in our data center. That's it.
How has it helped my organization?
It helped to free up our IT staff's time. We don't need to manually check everything in the compliance area. Everything is automated, so we don't need to check all the time. I don't know how much time it has saved, but it helped us a lot.
What is most valuable?
The VPN is most valuable. It's the best thing in the market today. We can use two-factor authentication with another platform, and we can authenticate with two-factor.
What needs improvement?
Logging could be better in terms of sending more logs to Cisco Firepower or Cisco ASA. That's an area where it could be made better.
Buyer's Guide
Cisco Secure Endpoint
August 2025

Learn what your peers think about Cisco Secure Endpoint. Get advice and tips from experienced pros sharing their opinions. Updated: August 2025.
865,576 professionals have used our research since 2012.
For how long have I used the solution?
We've been using this solution for five or six years.
What do I think about the stability of the solution?
We do not have any challenges, and we are fine with it. We are using it only for external endpoints, and we are very comfortable with it.
What do I think about the scalability of the solution?
We don't see any difficulty there.
How are customer service and support?
It's very nice. You get feedback very easily. I'd rate them an eight out of ten.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We were using another solution before. We switched because we have Cisco everywhere, and the best way is to go for Cisco for everything. That's our strategic plan.
How was the initial setup?
Its initial setup is straightforward, but I have been working with Cisco products for about 10 years. I have knowledge of how to use it, and it's very easy for us to implement.
The process of migration was easy. We have our own tools to migrate from the old one. In our environment, everything is on-prem, and we also have redundancy for the central equipment.
What about the implementation team?
We implement it ourselves. The number of people required depends on how big the organization is. We are not so big. We are a middle-sized organization, and for our use case, three or four people were involved in the planning and implementation.
What was our ROI?
We have not seen an ROI.
What's my experience with pricing, setup cost, and licensing?
We had faced some license issues, but it has been improved. At the beginning of the implementation, we faced a lot of licensing issues, but now, we have EA licensing, which gives us an opportunity to grow.
What other advice do I have?
If you have a Cisco environment inside, it's best to have a Cisco solution for the outside. You don't need to use multiple vendors because it can be difficult for them to communicate with each other. Sometimes, there can be difficulties when you have different vendors.
Overall, I'd rate it a seven out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.

Sales Director at Samsung
Helps protect data on user devices
Pros and Cons
- "The most valuable feature is its threat protection and data privacy, including its cyber attack and data protection, as we need to cover and protect data on user devices."
- "It could be improved in connection with artificial intelligence and IoT."
What is our primary use case?
It is used especially to connect with MDM, covering security and monitoring services.
It protects user devices, especially for field services.
Customers need some infrastructure on the cloud, e.g., Amazon and Google. We also need some testing and stage environments to perform tests.
How has it helped my organization?
We need to follow many countries' laws about data privacy. This is a requirement that is key for users. Cybersecurity resiliency has been important for us because we need to protect against loss.
What is most valuable?
The most valuable feature is its threat protection and data privacy, including its cyber attack and data protection, as we need to cover and protect data on user devices.
What needs improvement?
It could be improved in connection with artificial intelligence and IoT.
For how long have I used the solution?
I have been using this solution for three years.
What do I think about the stability of the solution?
The stability is good.
It doesn't require much maintenance, just in a few cases.
What do I think about the scalability of the solution?
It is good.
How are customer service and support?
The technical support is fair. I would rate them as nine out of 10.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We previously used IBM. We switched because customers made decisions to work natively with the Cisco features, especially on infrastructure and security environments.
How was the initial setup?
In many cases, we can deploy it in a week. In other cases, we have to connect and test with more complex architectures. However, this is not related to the security endpoint services. The testing around another product is important, so it can take two to four months.
We use the agile method for our implementation strategy.
What about the implementation team?
We worked with IBM, Amazon, Google, Microsoft, and a few partners.
It takes three to 10 people to do the deployment, including pre-sales and technical guys, testing guys, and some software architecture.
What was our ROI?
We get more value out of our portfolio. We have pretty much seen ROI. When the endpoint service is well connected to devices, it covers many important key features.
What's my experience with pricing, setup cost, and licensing?
The price is very fair to the customer.
Which other solutions did I evaluate?
We need to be open as an integrator to figure out other situations and features, especially from Microsoft and IBM. Everything is related to the customer's architecture, which is why we have to be open-minded.
What other advice do I have?
I really recommend testing and connecting it with different devices, especially mobile, tablets, notebooks, and servers. Then, the potential customer can understand the value of naturally integrating all these devices together.
When it comes to data security, it is important to protect the data.
I would rate the solution as nine out of 10.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer.
Manager at UCloud
Catches and blocks harmful files, viruses, and trojans
Pros and Cons
- "I'm only using the AMP (advanced malware protection) which is protecting my file system from all the malicious things that might happen. It should protect all kinds of things that might happen on the servers, things that I cannot see."
- "They could improve the main dashboard to more clearly show me the things that I want to see. When I open the dashboard right now, I see a million things and they are not always the things that I need."
What is our primary use case?
I'm hoping that this is protecting me from all the harmful issues that are happening, because we know exactly what kind of world we are living in on the internet.
How has it helped my organization?
I rely on this system. I am hoping that everything is fine with the system and that it will catch any harmful file or virus or trojan. If any of those things happen on my network, it will hold it or stop them.
It has helped to simplify cybersecurity in my company. I see that there are files that have been blocked. I don't go deep into the reports that I get from the system, but I believe that it's doing its job. I haven't had any serious problems.
What is most valuable?
I'm only using the AMP (advanced malware protection) which is protecting my file system from all the malicious things that might happen. It should protect all kinds of things that might happen on the servers, things that I cannot see.
What needs improvement?
They could simplify the solution and make it a little bit easier to understand how things are happening or if something serious has happened. They could improve the main dashboard to more clearly show me the things that I want to see. When I open the dashboard right now, I see a million things and they are not always the things that I need.
I would also like it to update itself so that I don't need to click to make that happen. Of course, having to click is not a hard thing to do, but I would like to see things done automatically as much as possible.
For how long have I used the solution?
I have been using Cisco Secure Endpoint for a long time. I used it in the last company I worked for and, when I opened my own company, I also started using it. I have been using it for around five years at least.
What do I think about the stability of the solution?
It's very stable.
What do I think about the scalability of the solution?
I have it installed on about 40 clients. To increase the number of endpoints I just need to download the connector and install it.
How are customer service and support?
I have had some difficulties, but I received support from Cisco and, in the end, it was okay. I cannot complain.
It took me some time to understand how to send in a request. It would be very easy if there were a chat on their site or if it could be done via WhatsApp. But I had to look for an email address, where to send and what were the details that they asked from me at the beginning. It wasn't obvious how to reach out to support.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I did not have a previous solution.
How was the initial setup?
The deployment was straightforward. It's easy to understand the steps. I created a profile, downloaded the agent, and installed it on the clients that I wanted it on. The dashboard is in the cloud, hosted by Cisco.
It is good that you don't have to take care of the system all the time. Once it's installed and stable, you don't need to make adjustments.
What about the implementation team?
I used SecureIT and it was perfect. He's very professional and he knows the system. He gave me an introduction to the system and explained the things that I needed to know.
What was our ROI?
It's keeping things quiet, so that's a very good return.
What's my experience with pricing, setup cost, and licensing?
Cisco Secure Endpoint is not too expensive and it's not cheap. It's quite fair.
Which other solutions did I evaluate?
I looked into SentinelOne two months ago. The question is, is the system protecting me enough or not? Sometimes I ask myself, should I put more security on the servers? Doing so is going to make the system work more slowly. I checked SentinelOne because some of my colleagues who have Cisco AMP had an attack that Cisco AMP did not see.
What other advice do I have?
The fact that I've been using it for five years already means that I believe I can trust it. Others can also trust it.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Sr Network Engineer at a real estate/law firm with 1-10 employees
Makes it possible to see a threat once and block it across all endpoints and your entire security platform
Pros and Cons
- "Another of my favorite features is called the Device Trajectory, where it shows everything that's going on, on a computer. It shows the point in time when a virus is downloaded, so you can see if the user was surfing the internet or had a program open. It shows every running process and file access on the computer and saves it like a snapshot when it detects something malicious. It also has a File Trajectory, so you can even see if that file has been found on any of your other computers that have AMP."
- "The thing I hate the most, which they have not fixed, is when it creates duplicate entries within a console. If you have a computer and you upgrade from Windows 7 to Windows 10, or you upgrade your agent from version 6 to 7, it creates a new instance in there instead of updating the information. Instead of paying a license for one computer, I have to license two computers until I manually go in, search for all the duplicate entries, and clean them out myself."
What is our primary use case?
Cisco AMP is an anti-malware and antivirus product. It provides endpoint protection. We use it as our antivirus and anti-malware tool. We put it on all our computers. Our employees have it on their laptops because they leave the network and we can't protect them everywhere. Microsoft Windows comes with a built-in tool but it's not quite as powerful. So we use Cisco AMP and Microsoft System Center Endpoint.
Cisco AMP is our primary solution, but we don't uninstall the free ones that come with Windows.
It runs a little agent on the computer and then you manage it from a website platform. There is an application installed on the computers and they all connect up to the management console, which is hosted in Cisco's cloud.
You can use it for single endpoints. We have 3,000 that we use and then there's the free version of it you can use for home.
How has it helped my organization?
The actionable alerts in the security console are very good and very useful. They alert us immediately when something happens so that we can take action faster, instead of having to wait until a user reports something or until we view the logs. It sends you alerts so that you can know about them as soon as they happen and remediate the problem. It's a very nice feature.
The solution also makes it possible to see a threat once and block it everywhere, across all endpoints and your entire security platform. You can identify a threat and then mark it as, "If you ever see this file, delete it." It uses something like crowdsourcing, where, if someone works for another company and has AMP and it detects a malicious file on that person's computer, it then updates so that my AMP knows about the virus at that person's company, and protects my company from their virus.
Cisco AMP simplifies endpoint protection detection and response workflows. I'm the only one who manages it now, so it frees up time for a lot of other people. Once it is deployed and set up, one person can manage and maintain it. That reduces the number of people you have to pay for those responsibilities. The console will show if an AMP agent has checked in and I can use all the search features it has. And it deletes all the viruses so I don't really have to do too much, once it has been installed.
It has also minimized security risks to our business that we were previously unaware of. It points out vulnerabilities in software that is already installed, such as in Microsoft Office. If you don't have the latest version of Office, AMP proactively lets you know that you could potentially be infected. We didn't have that before. It has a more comprehensive database that's made up of all the information it has collected from my company and all the other companies that use it. It takes all that information and protects your environment from anything it's ever seen.
When it comes to time to detection, Cisco AMP has taken it from one day to one hour. And our time to remediate has gone from hours to minutes. It does it itself, so we don't have to do anything.
I can't think of a case where a computer was infected and AMP did not let us know or missed it. It has never happened to us that the product didn't detect something while another product did detect that problem. So far it has been 100 percent successful.
What is most valuable?
I like the central management console where I can see everything that's going on, on all the computers.
Another of my favorite features is called the Device Trajectory, where it shows everything that's going on, on a computer. It shows the point in time when a virus is downloaded, so you can see if the user was surfing the internet or had a program open. It shows every running process and file access on the computer and saves it like a snapshot when it detects something malicious. It also has a File Trajectory, so you can even see if that file has been found on any of your other computers that have AMP.
One of the things that is most impressive is its ability to give so much insight. That's another of its best features. With the File Trajectory, it shows everything the computer's doing and it can help determine how the virus got onto the computer.
You set it and forget it. Once you install it and configure it, it runs the reports, putting everything on the central web console.
You're able to subscribe to alerts, so I get an email every time it deletes a virus off of someone's computer. I also get an email if it has a problem, such as if it was unable to delete the entire virus. It will say "Quarantine unsuccessful."
It allows as many people as you want to go in and view it. And you set people as administrators or as people that can just view the information.
AMP also has several tools you use to link to websites that contain more information about things. They're useful as well. They give you the ability to look at different companies' information; for example, VirusTotal. You can also connect it to other modules and tools that you have, and it can do things such as quarantine where it will take a computer off the network for you automatically. Those tools are helpful. It provides a concept they call "distance and depth," where you get more than one company's opinion on things.
We just started using its Orbital Advanced Search feature. It's relatively new, so we haven't used it a whole lot, but for the little bit that we have used it, it has been a really neat tool. I've only run it on a couple of endpoints so far, but it works pretty well. It just gives you that extra insight to help better understand how the rest of your environment could be affected. Obviously, you're dealing with a computer that has a virus already and this gives you an ability to assess what else could have happened with that virus. It helps provide more information.
The Orbital Advanced Search feature also helps to reduce the attack surface and to investigate real-time data on our endpoints. Some of the queries will show you which software packages you have that are vulnerable, like a version of an Office program or an Adobe Reader that has a vulnerability in it. Once you know that information, you can proactively patch the computer or apply updates to it so that it does not become infected. It alerts you to an infection, and then you can say, "Oh, these other computers could be infected by that too." Orbital detects those computers. It reduces the amount of time we spend on that kind of situation by about 20 percent.
In terms of the comprehensiveness of the solution, it does Windows great. It works on Macintosh very well. It also does iPhone and Android. It's pretty comprehensive since it covers the majority of operating systems.
It also integrates very well with other Cisco products. It has an API interface so you can integrate it with just about any Cisco product. It does have some out-of-the-box stuff and definitely integrates great with all the other Cisco tools. But we use something called Rapid7, it's a vulnerability scanner, and it's able to integrate with it very well to help report data. It works well with some third-party products, but I'm not sure how many.
What needs improvement?
The endpoint agent on a machine doesn't provide much data.
And the thing I hate the most, which they have not fixed, is when it creates duplicate entries within a console. If you have a computer and you upgrade from Windows 7 to Windows 10, or you upgrade your agent from version 6 to 7, it creates a new instance in there instead of updating the information. Instead of paying a license for one computer, I have to license two computers until I manually go in, search for all the duplicate entries, and clean them out myself. There are features that are supposed to reduce the duplicates, but they don't work.
For how long have I used the solution?
I've been using Cisco AMP for Endpoints for five years. I started with the company as they were in the process of determining if they wanted to use it and they decided they wanted it. I have been managing it ever since. We're upgrading everybody to 7.1.5. They were on version 6.2 for a year. Before that, it was 5.1.
What do I think about the stability of the solution?
It's stable. We only had one or two instances, over five years and 3,000 computers, where the agent has stopped working and we had to reinstall it. That's a pretty high percentage of availability, like 99.9 percent of the time there have been no problems.
How are customer service and support?
Their technical support is the best. I've never had technical support better than Cisco's in my 15 years working with different companies. Nothing is better than Cisco TAC. The response time is always within an hour or less.
If you don't get a response in that time, you can have the case put back in the queue. You can easily escalate it. When you open a case, it tells you the engineer who is assigned to it and then gives you a manager's contact information so you don't have to say, "Let me speak to your manager." You already have that information.
There are tons of support people working 24 hours a day, seven days a week.
Also, there are so many users — Cisco customers — that even searching the information online through their support Knowledge Base is good and easy to do, if you don't feel like talking to somebody. You can find a lot of information online whereas one of Cisco's competitors, Palo Alto, has a tool called Traps. It would be a lot harder to find information about that.
Which solution did I use previously and why did I switch?
We replaced a Norton product with AMP. Now, we run the default Windows tools that come with it, along with Cisco AMP. The Windows solutions are free but we wanted to buy a more robust one with better ability to search and do forensics. There are similar solutions to Cisco, but it has definitely been an improvement over previous stuff that we've used.
We have a lot of other Cisco products that it integrates with, and that was one of the reasons we chose Cisco AMP. We did a demo and it was good and it answered the questions we had. We wanted to be secure, so we needed to find an antivirus tool that works. It makes it easier for us to monitor all of the computers for viruses.
How was the initial setup?
I helped set up and deploy it. It was pretty straightforward. You go to the web console, tell it to create a package, download it and then install it, and you're done.
With 3,000 computers, we rolled it out at about 1,000 at a time and it took about three months. We could have done it in a week. We just did it very slowly because any changes you make, you're supposed to do a test community of computers. We did the IT people first because they're smart at troubleshooting things.
There's another tool from Microsoft called SCCM, a deployment tool, and as we upgrade the client it takes two days to push it out to the thousands of computers because some people don't turn on their computers for a day or two. Everybody is going to do their deployment differently.
What was our ROI?
We have seen return on our investment with this tool. The amount of stuff that it detects and blocks has been very valuable.
What's my experience with pricing, setup cost, and licensing?
The pricing is very good and the licensing is somewhat of an honor system. We have a license for 3,000 users and if we get up to 3,100 users, it doesn't stop working, but on the next renewal date you're supposed to go in there and add that extra 100 licenses. It's really good that they let you grow and expand and then pay for it. Sometimes, with other products, you overuse a license and they just don't work.
Once you pay a license for a client, that's it. Everything else we talked about, the integrations and those kinds of things, is free. There's only one level of licensing too. Some products are set up so that if you pay this much you get these features and if you pay that much you get those features. Here, everything comes with one price.
Which other solutions did I evaluate?
The main competitor was Palo Alto with Network Traps. The difference was that Traps would detect viruses but it would not delete them or clean them, whereas AMP did, right out-of-the-box. AMP also worked with multiple operating systems, as I mentioned and the Traps solution did not offer that at the time I looked at it.
What other advice do I have?
They keep adding more features to it and there are features you can enable and turn off. One of the best, newer features addresses the fact that it did not work unless you had an internet connection. They put an antivirus engine on there that works when it does not have an internet connection. That was a big deal. It has a lot of capabilities. They keep developing more for it, which makes it a better product.
Be sure to password-protect it so that users can't disable it. It has a feature to add a password to it which prevents the user from uninstalling or even stopping it. Also, enable that offline antivirus engine called Tetra. You want to be sure to enable that so that it works when it doesn't have an internet connection.
Using the product, what I've learned is that you need to keep the client up to date. One of the hardest things is that people have computers that come and go. Someone might have a laptop that breaks and the company will give them a new one. You've got to manually find that broken laptop and delete it. You want to make sure you go in there frequently to ensure that the information is accurate and up to date. If you wait too long, there are hundreds and hundreds of computers you have to search through and work on. That's way too much.
We did Threat Response and we did a demo of Threat Grid and did not move forward with it. We had it integrated with ISE and Umbrella. Threat Response provides a little bit more information but, honestly, it wasn't that useful. It seemed like it was a repeat of what we could already find through the other tools we had. Threat Response isn't the best add-on to it, but it's free. It provides more information but the response wasn't that good, those times that I used it. Threat Response didn't impress me. It does do more, but it's not that useful.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
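The duplicate console entries this reviewer describes (one host listed twice after an OS or connector upgrade, each copy consuming a licence seat) can be found from a connector inventory export before anyone has to search the console by hand. The following is an added example, not Cisco's code and not the reviewer's; it assumes a hypothetical CSV export with hostname, connector GUID, connector version, OS and last-seen columns, constructed inline here. Entries for the same hostname that were both seen within the last day are reported separately as ambiguous, since two live connectors on one name may be two real machines rather than a stale duplicate.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export. The column layout is an assumption for this example,
# not a real Cisco console export format.
SAMPLE_EXPORT = """hostname,connector_guid,connector_version,os,last_seen
LAPTOP-01,aaaa-0001,6.2.0,Windows 7,2020-01-15T09:12:00
LAPTOP-01,aaaa-0002,7.1.5,Windows 10,2020-03-02T14:30:00
WKS-17,bbbb-0001,7.1.5,Windows 10,2020-03-01T08:00:00
WKS-17,bbbb-0002,7.1.5,Windows 10,2020-03-01T09:00:00
MAC-04,cccc-0001,1.12.0,macOS,2020-02-20T10:05:00
MAC-04,cccc-0002,1.14.0,macOS,2020-02-28T11:45:00
MAC-04,cccc-0003,1.14.0,macOS,2020-03-03T16:20:00
"""


def parse_export(text):
    """Read the CSV export into dicts and turn the last_seen column into datetimes."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["last_seen"] = datetime.fromisoformat(row["last_seen"])
    return rows


def find_duplicates(rows, ambiguity_window=timedelta(days=1)):
    """Group connector entries by hostname (case-insensitive).

    For every hostname with more than one connector GUID, keep the most recently
    seen entry. Older entries are reported as stale candidates for removal, unless
    they checked in within `ambiguity_window` of the keeper, in which case both
    connectors may still be alive and the pair is reported as ambiguous instead.
    Returns {hostname: (keep_guid, [stale_guids], [ambiguous_guids])}.
    """
    by_host = defaultdict(list)
    for row in rows:
        by_host[row["hostname"].lower()].append(row)

    result = {}
    for host, entries in by_host.items():
        if len(entries) < 2:
            continue
        entries.sort(key=lambda r: r["last_seen"], reverse=True)
        keep = entries[0]
        stale, ambiguous = [], []
        for other in entries[1:]:
            gap = keep["last_seen"] - other["last_seen"]
            (ambiguous if gap < ambiguity_window else stale).append(other["connector_guid"])
        result[host] = (keep["connector_guid"], stale, ambiguous)
    return result


def extra_entries(rows):
    """Console entries beyond one per unique hostname, i.e. seats potentially double-counted."""
    return len(rows) - len({r["hostname"].lower() for r in rows})


if __name__ == "__main__":
    inventory = parse_export(SAMPLE_EXPORT)
    for host, (keep, stale, ambiguous) in find_duplicates(inventory).items():
        print(f"{host}: keep {keep}; stale {stale}; ambiguous {ambiguous}")
    print("entries beyond one per host:", extra_entries(inventory))
```

Run it against a real export after swapping in the column names of your own console; review the stale list before deleting anything, and treat the ambiguous list as a naming problem to investigate rather than a cleanup task.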
Systems Architect at a consultancy with 5,001-10,000 employees
Continues to decrease the man-hours needed to perform tasks, such as threat hunting and incident response
Pros and Cons
- "Integration is a key selling factor for Cisco security products. We have a Cisco Enterprise Agreement with access to Cisco Email Security, Cisco Firepower, Cisco Stealthwatch, Cisco Talos, Cisco Threat Grid, Cisco Umbrella, and also third-party solutions. This is key to our security and maximizing operations. Because we do have the Email Security appliance and it is integrated with Threat Response, we have everything tied together. Additionally, we are using the Cisco SecureX platform, as we were a beta test for that new solution. With SecureX, we are able to pull all those applications into one pane for visibility and maintenance. This greatly maximizes our security operations."
- "The room for improvement would be on event notifications. I have mine tuned fairly well. I do feel that if you subscribe to all the event notification types out-of-the-box, or don't really go through and take the time to filter out events, the notifications can become overwhelming with information. Sometimes, when you're overwhelmed with information, you just say, "I'm not going to look at anything because I'm receiving so much." I recommend the vendor come up with a white paper on the best practices for event notifications."
What is our primary use case?
AMP was purchased for our organization in response to continued threats that we had from malware and malicious activity on our endpoints. We received AMP for Endpoint and also AMP for Networks as part of our Cisco Security ELA. The solution has made a huge impact on the visibility of what has actually been transpiring at the process level on our servers and workstation endpoints, as well as being able to look in detail at those processes to see who executed them and what their trajectory was.
AMP for Endpoints is Software as a Service. It's a subscription service. You do download a connector onto the endpoint. Then, there is the option to run it in an air gap mode where you connect to a local server that does back out to the AMP Cloud. However, that's not the deployment we have; in our case, we have it connecting back directly to Cisco Cloud Security.
How has it helped my organization?
While I can understand from a theoretical standpoint how some organizations may not want a cloud connection, it increases the processing and detection because of ETHOS and SPERO detection. Throughout all the other Cisco security products, it is able to add this detection into the threat analytics through Threat Grid and Threat Response for other customers who have the same type of hash in their environment. There are options for whether you want a submitted file to be removed after submission and for it to be submitted anonymously.
We tie AMP into our SIEM so we are receiving alerts through the SIEM. I also have AMP independently send me alerts. I have these alerts finely tuned so I'm getting the right severity level on events where I am being notified. If you choose to receive a notification on all events, potential malware, or potentially unwanted applications, you're going to have an overload of information. Therefore, AMP allows the ability to go through and fine tune the alerts, both in the console and remotely, so you get a proper level of notification to make actionable requests and executions.
In our organization, we have about 95 percent Windows operating systems. Then, we have about five percent Mac OS. Therefore, Cisco AMP covers 100 percent of our endpoints. It's totally comprehensive.
I had a conversation with my CIO about a week ago. We are seeing more security incidents in our organization. However, we believe these events have always occurred, and that we are more aware of them now. For example, last Thursday we had an incident where a device tried to go and reach out to a malicious website. Because of the integration we have with Threat Response between Umbrella with WSA and AMP, we were able to stop that malicious activity. That's something we wouldn't previously have been aware of: an endpoint out there trying to reach out to a malicious site. Until it hit our perimeter security, we wouldn't have been aware of that. You don't always want to rely on your perimeter security for everything, as it won't catch everything all the time. Therefore, you want a multilayered approach, and having Cisco AMP and Cisco Threat Response helps us to accomplish that.
What is most valuable?
There are several valuable features that AMP offers:
- Application blacklist
- Threat Response
- Cognitive Threat Analytics
- Threat Grid
- Orbital
- Endpoint Isolation
We regularly use all these features on a daily basis. E.g., if we have an alert stating exploit prevention was detected on an endpoint, we will look to see what the hash for that executable/application was, then we can add it to a simple blacklist. Then, every other device in the organization running AMP for Endpoints can prevent it from running. This is really useful in the event that you have some type of malware incident or event where something is trying to propagate. You can squash it then and there.
There is also the ability, if you have one device that is running something that's really malicious, to put that device in isolation mode to prevent any further spread or damage.
I have used Orbital for searching and taking a bit of a deeper dive. It provides detail on assets, users logged in, the IP address, and architecture. It also helps with going through posture assessment, threat hunting, and forensics.
What needs improvement?
The room for improvement would be on event notifications. I have mine tuned fairly well. I do feel that if you subscribe to all the event notification types out-of-the-box, or don't really go through and take the time to filter out events, the notifications can become overwhelming with information. Sometimes, when you're overwhelmed with information, you just say, "I'm not going to look at anything because I'm receiving so much." I recommend the vendor come up with a white paper on the best practices for event notifications.
As far as reducing the attack surface, Orbital really doesn't decrease that surface.
For how long have I used the solution?
I have been using Cisco AMP for about 18 months.
What do I think about the stability of the solution?
With most applications, whether it's AV or some type of IDS/IPS running on an endpoint, you will have some type of performance hit or degradation of the endpoint's performance. Out of all the devices that we've put AMP on, which is around 1,000 devices at this point, we have only had one device that had a problem with performance using AMP. So, we were able to go through and tune the policy from the AMP console for that one endpoint. The overall view of AMP's performance is very good.
What do I think about the scalability of the solution?
You have the same deployment process and methodology for 10 to 10,000. Therefore, it scales very well.
How are customer service and technical support?
I have never had to use tech support for this solution.
Which solution did I use previously and why did I switch?
Threat Response is integrated with AMP and all the other Cisco security products. That has really helped to decrease the troubleshooting time. Back in the legacy days of AV and Endpoint Protection, the typical workflow would be, "Okay, I have a machine over here that has been infected. I have to figure out all the files which touched it." It was almost impossible to go back retroactively and see everything it touched and where it all went.
You had to witness the malware in the wild (in real-time) to figure out what it was doing. With Threat Response, you are able to see its executables and trajectory across your network, then where it tried to reach the outside world. All of this helps to bring our threat response down from days or hours to just a few minutes.
Prior to Cisco AMP, we used Sophos Intercept X, which we still do use, and we also used Carbon Black.
How was the initial setup?
The initial setup was extremely straightforward. I performed the initial install, and I have maintained it ever since.
The deployment took about 30 minutes.
The deployment plan was to get the console and policies configured. Once the policies were configured, we started with the servers first because the servers were easier for us to get our hands on and ensure that the connector was installed. Secondarily, we went out to the workstation level endpoints and installed there.
What about the implementation team?
There is Cisco documentation on best practices for your specific endpoints. My recommendation would be to get with your Cisco support team or account manager and obtain the most recent iteration of that document to ensure that your deployment goes as smoothly as possible. While the deployment will go smoothly, the main thing this document ensures is that you have the correct policies configured per endpoint type. E.g., you have a different type of policy for a workstation versus a server.
What was our ROI?
We have seen ROI, but it's hard to calculate that return on investment in terms of actual dollars because it's more man-hours. Time spent on other projects is possible because of the optimization and performance that we have by utilizing AMP.
AMP for Endpoints simplifies endpoint protection, detection, and response workflows. It continues to decrease the man-hours needed to perform tasks, such as threat hunting and incident response.
It has decreased time to detection by 95 percent. A lot of the time, prior to having AMP, even with our traditional AV protection, we weren't aware of any type of malicious activity until it had an impact on the organization.
We had a 97 percent reduction in time to remediation, because it's almost instantaneous. In the 18 months that we've had AMP, there has not been malicious activity on an endpoint that we weren't able to resolve immediately.
In our organization, Orbital definitely does save time. Anything that we can do in our organization to save time is crucial, as we have a small IT staff. Therefore, we really need to find force multipliers.
For each incident which occurs, whether it's an exploit prevention or malware detected, Orbital is saving us five to eight hours per incident. In one week, it could save eight hours, and then another week, it could save 32 hours. It just depends on the malicious activity for any given week.
What's my experience with pricing, setup cost, and licensing?
Whenever you are doing the licensing process, I would highly advise looking at what other Cisco solutions you have in your organization, then evaluating whether an Enterprise Agreement is the best way to go. In our case, it was the best way to go. Since we had so many other Cisco products, we were able to tie those in. We were actually able to get several Cisco security solutions for less than if we had bought three or four Cisco security solutions independently or ad hoc.
In our case, it is a straightforward annual payment through our Enterprise Agreement.
Which other solutions did I evaluate?
We evaluated Carbon Black before going with Cisco AMP. The reasoning behind going with AMP over Carbon Black was we already had other Cisco security products in our organization. Therefore, AMP was a native integration versus something like Carbon Black where you're looking at a third-party integration. Also, Carbon Black was a bit more cumbersome when it came to performing a lot of the tasks that AMP performs. Carbon Black was first to market with things like endpoint isolation. However, after speaking with our Cisco account reps, we did realize that, "Okay, Endpoint Isolation is coming to AMP. It's just not there yet." That did come to fruition, so there wasn't an advantage to using Carbon Black over AMP. Plus, there were several advantages to using AMP over Carbon Black. That's what led to our decision.
What other advice do I have?
Integration is a key selling factor for Cisco security products. We have a Cisco Enterprise Agreement with access to Cisco Email Security, Cisco Firepower, Cisco Stealthwatch, Cisco Talos, Cisco Threat Grid, Cisco Umbrella, and also third-party solutions. This is key to our security and maximizing operations. Because we do have the Email Security appliance and it is integrated with Threat Response, we have everything tied together. Additionally, we are using the Cisco SecureX platform, as we were a beta test for that new solution. With SecureX, we are able to pull all those applications into one pane for visibility and maintenance. This greatly maximizes our security operations.
Orbital just went from beta to production recently, so I haven't had the opportunity to go through and do a complex search on anything yet.
Biggest lesson learnt: How impactful proper tool utilization in an organization can be to the overall efficiency.
I would rate the solution a 10 (out of 10).
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
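The review above describes two workflows: taking the hash from an exploit-prevention alert and blocking it, and using Orbital to pull asset, logged-in user, IP address and architecture detail while threat hunting. Orbital runs osquery on the endpoint, so a hunt of that kind can be expressed as osquery SQL. The queries below are an added illustration, not the reviewer's or Cisco's own queries; the SHA-256 value is a placeholder for the hash taken from the alert, and the Windows Temp path is an assumed example location.

```sql
-- Added example (not the reviewer's or Cisco's own query). Orbital is built on
-- osquery, so these are standard osquery tables; the SHA-256 below is a
-- placeholder for the hash taken from an exploit-prevention alert.

-- 1. Host context: asset, architecture, who is logged in, and non-loopback addresses.
SELECT hostname, cpu_type, cpu_brand, physical_memory
FROM system_info;

SELECT user, host, tty, type, datetime(time, 'unixepoch') AS logged_in_since
FROM logged_in_users;

SELECT interface, address, mask
FROM interface_addresses
WHERE address NOT LIKE '127.%' AND address NOT LIKE 'fe80%';

-- 2. Hunt: is the flagged executable currently running on this host?
--    The hash table needs a path constraint, which the JOIN on p.path supplies.
SELECT p.pid, p.name, p.path, p.cmdline, p.parent, h.sha256
FROM processes AS p
JOIN hash AS h ON h.path = p.path
WHERE h.sha256 = '0000000000000000000000000000000000000000000000000000000000000000';  -- placeholder

-- 3. Hunt: is it on disk even if not running? The file table requires a path or
--    directory constraint; a LIKE with % wildcards covers every user's Temp folder
--    (assumed drop location, adjust to the alert's file path).
SELECT f.path, f.size, datetime(f.mtime, 'unixepoch') AS modified, h.sha256
FROM file AS f
JOIN hash AS h ON h.path = f.path
WHERE f.path LIKE 'C:\Users\%\AppData\Local\Temp\%'
  AND h.sha256 = '0000000000000000000000000000000000000000000000000000000000000000';  -- placeholder
```

Run these against a single endpoint first to confirm the join returns rows, then fan the hunt out fleet-wide; a hit from query 2 is the signal to isolate the host, and a hit from query 3 alone tells you the file was dropped but has not executed yet, which is the cheaper case to clean up.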
Senior IT System Administrator at ScanPlus GmbH
Great secure threat hunting and threat response with continuous product improvements happening
Pros and Cons
- "The Threat Grid with the ability to observe the sandboxing, analyze, and perform investigations of different malicious files has been great."
- "We don't have issues. We think that Cisco covers all of the security aspects on the market. They continue to innovate in the right way."
What is our primary use case?
AMP 4 Endpoints protects our workstations (ca. 300), our VDI environment (ca. 250), and our servers (ca. 50).
The old product was from Trend Micro and was just a simple antivirus solution. It was OK, but it was just an antivirus. We needed something more than just an antivirus that is used by every end-user. We were looking for a tool we can trust, and something that can schedule some things, implement scripts, analyze malware, perform advanced scans, etc. Our company, as an ISP for many customers, has to be protected from vulnerabilities.
How has it helped my organization?
First of all, we performed a PoV (Proof of Value) together with our Cisco partners, and we tested the efficacy and complexity of this product for a few months.
After evaluating the cost and security that AMP 4 Endpoints could offer, we decided to replace the old solution with AMP 4 Endpoints. The implementation was performed, with support from Cisco partners, in a few hours. In the following days, AMP 4 Endpoints found many things that the old antivirus solution had missed. That was a huge advantage for us.
What is most valuable?
Since we booked the Premier License, the most valuable features, in my opinion, are:
- Secure Threat Hunting, to have a specialized team to support us in analyzing complex attacks. That could help us to learn about new techniques.
- Threat Grid, with the ability to observe the sandboxing, analyze, and perform investigations of different malicious files. Nobody wants to run a dangerous file in their network, and for that Threat Grid is important for us.
- Threat Response, which offers help on logs, IPs, domains, etc. to perform investigations into our own and the global infrastructure. Sometimes we want to see if a malicious file was run in our network; Threat Response takes on that search and saves us a lot of time.
What needs improvement?
Actually, we don't need other features or improvements in this product. It is a complex product and offers us exactly what we need - security and trust.
We chose Cisco because we wanted security and trust. That is what we needed from Cisco, and what our customers expected from us.
We are using many Cisco products, and, with every new product, every new feature, the trust in Cisco security is growing.
We think that Cisco covers all of the security aspects on the market. They continue to innovate in the right way.
For how long have I used the solution?
We have been using AMP 4 Endpoints in the test environment since November 2020 and have had it in the production environment since March 2021.
Which solution did I use previously and why did I switch?
We used Trend Micro and when we tested AMP 4 Endpoints we saw its value immediately.
What's my experience with pricing, setup cost, and licensing?
I'd advise users to book the Premier license to have access to all the features that AMP 4 Endpoints has on offer.
Which other solutions did I evaluate?
There was no other option; we wanted the Cisco solution immediately.
What other advice do I have?
Everything is working fine.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
System Engineer at a financial services firm with 1,001-5,000 employees
A stable component of our network infrastructure security
Pros and Cons
- "The entirety of our network infrastructure is Cisco and the most valuable feature is the integration."
- "I would like to see integration with Cisco Analytics."
What is our primary use case?
We are system integrators and we use this product for DNS security, which is integrated with the DNS service.
How has it helped my organization?
Cisco AMP is the broadest, most integrated security platform that connects the breadth of Cisco's integrated security portfolio and the customer's infrastructure for a consistent experience. It unifies visibility, enables automation, and strengthens your security across network, endpoints, cloud, and applications, all without replacing your current security infrastructure or layering on new technology.
What is most valuable?
The entirety of our network infrastructure is Cisco and the most valuable feature is the integration.
What needs improvement?
I would like to see integration with Cisco Analytics.
For how long have I used the solution?
We have been using the total Cisco solutions including AMP for Endpoints, Umbrella, and Firepower for three years.
What do I think about the stability of the solution?
This is a stable product.
What do I think about the scalability of the solution?
This solution is scalable.
How are customer service and technical support?
I have contacted them in the past to raise a case and they were able to resolve it.
Which solution did I use previously and why did I switch?
We used traditional antivirus, which was not able to provide real-time protection and did not have firewall integration.
How was the initial setup?
The initial setup involves integration with other products such as Talos. The deployment took us about one day.
Which other solutions did I evaluate?
Cisco Talos Intelligence Group is one of the largest commercial threat intelligence teams in the world. These teams are supported by unrivaled telemetry and sophisticated systems to create accurate, rapid and actionable threat intelligence for Cisco customers, products and services.
What other advice do I have?
I began with implementing Cisco AMP for Endpoints and then integrated Umbrella and the other products after that.
I would rate this solution a nine out of ten.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
IT Manager at van der Meer Consulting
We have gained more visibility into what's going on because it detects a lot of threats
Pros and Cons
- "The solution makes it possible to see a threat once and block it everywhere across all endpoints and the entire security platform. It has the ability to block right down to the file and application level across all devices based on policies, such as, blacklisting and whitelisting of software and applications. This is good. Its strength is the ability to identify threats very quickly, then lock them and the network down and block the threats across the organization and all devices, which is what you want. You don't want to be spending time working out how to block something. You want to block something very quickly, letting that flow through to all the devices and avoiding the same scenario on different operating systems."
- "The connector updates are very easily done now, and that's improving. Previously, the connector had an issue, where almost every time it needed to be updated, it required a machine reboot. This was always a bit of an inconvenience and a bug. Because with a lot of software now, you don't need to do that and shouldn't need to be rebooting all the time."
What is our primary use case?
We have it installed on all our workstations and servers. Primarily, we started with it after we were hit with a ransomware attack about five years ago. We looked for something that would give us a bit more visibility as to what was going on the network, where the weak points were, etc. We had an antivirus solution (FireANT) back then, which obviously wasn't good enough on its own. So, we went looking for something that was going to be a little more granular in how it gave us visibility on the network.
We have the Cisco AMP for Endpoints Connector on our workstations, which is all done in the cloud. We have Windows Server, Windows 10 workstation environment, and on-premise servers at the moment with some cloud. I guess we would call ourselves a partly hybrid business, with some stuff in the cloud, and all our access points have Cisco AMP on them. This currently includes work-from-home devices, because we have a lot of people still working from home with the coronavirus thing going on, even home users have Cisco AMP as well.
Our operating systems, whether they be Linux, Windows, Mac, or Google Android, are well-protected.
How has it helped my organization?
We now have gained more visibility into what's going on. We had an incident four or five years ago where a member of our staff had a Tor Browser installed on his workstation in the office. I discovered it by chance while doing some work on his workstation. At that time, we had no way of knowing what was going on. Now, between our two Cisco products, we have the capability to see and block that sort of thing going on from the network side. From that point of view, it's straightaway. It has given us the security aspect of not having to deal with people putting Tor Browsers on their workstations to access stuff on the dark web. We have been able to lock that down straightaway, which is good, because that's obviously a big threat to any business. If you don't understand what's going on in and out of your office, whether physically or virtually, then you have no idea what's going on and where your risks are going to be.
It gives us visibility with minimal intrusion. We don't have an on-premise sort of interaction with it, though. It's just a connector that sits on the workstations and servers, then interacts with the workstations or servers through to the cloud. It has very minimal impact on us in terms of performance. They have recently improved the updating of the program. It no longer requires a reboot after a connector update, which is always a handy thing. From that point of view, the impact is better on the business. I can roll out an update to all devices and not have to worry about having reboots, particularly for servers. Thus, the impact has gotten better on the business over time.
The solution makes it possible to see a threat once and block it everywhere across all endpoints and the entire security platform. It has the ability to block right down to the file and application level across all devices based on policies, such as, blacklisting and whitelisting of software and applications. This is good. Its strength is the ability to identify threats very quickly, then lock them and the network down and block the threats across the organization and all devices, which is what you want. You don't want to be spending time working out how to block something. You want to block something very quickly, letting that flow through to all the devices and avoiding the same scenario on different operating systems.
The solution simplifies endpoint protection, detection, and response workflows, such as security investigation, threat hunting, and incident response. We have policies and procedures in place now at the HR user level and also at the machine level to make sure that certain procedures are followed and those procedures are put in place. From that point of view, the Cisco gives us confidence. We don't have to worry too much about threats. This means we can focus a lot more on doing the work we are being paid to do rather than spending time trying to protect the business too much. The fact that we are very quickly able to see what's going on is good in terms of how much time it takes to work through any issues.
We now have a standard rollout of devices with procedures in place. The shared nature where Cisco AMP gets installed on all our devices means we are benchmarking our risk at a level that we're comfortable with. We don't have to deal with managing that risk day-to-day, as the risk level is fairly low in terms of what we're expecting from day-to-day operations. From that point of view, this means we can focus more on the business at hand rather than worrying incessantly about threats to the business.
What is most valuable?
You can see what's going on. It detects a lot of stuff, which is benign, but still detects it as a potential threat or IoC. It has a lot more visibility than traditional antivirus, anti-malware programs. From that point, I feel comfortable that we are seeing everything that is going on. There is a lot of stuff that you don't need to do too much with as it may be a case of some poorly written software executing a potential flag as something of concern. However, at the end of the day, it's nothing to worry about. Therefore, I feel fairly comfortable that we're getting full visibility as best we can on what's going on, and it is better to know what's going on (than not).
Our webpage/portal records all instances of programs accessed on the computer, everything accessed on the internet, all the system processes, and any programs that are running. It then scans them for potential issues. If we installed some software that has a potential issue, we will flag that and have a look to decide whether we want to allow that through or whether to block it.
It shows a lot of stuff going on in the workstations, and to a lesser extent, the servers. Cisco AMP allows us to see within a process what the potential threat may be, for example, on a workstation. That threat may be benign or may be more serious. But, it gives us the opportunity to see those threats, evaluate them, and rate them how we see fit, then do something with them, if necessary. It is now less of an inconvenience on the business from a rebooting aspect.
The console is there running in the background all the time. I can just tap on the console at any point to see what's going on. I usually do this a couple times a day. It allows visibility at any point in time because it's doing this in real-time. There is very little lag. If there are any issues, I get a notification. Then, we can then jump in straightaway, have a look, and assess it.
The tools provided by the solution to investigate and mitigate threats are very comprehensive. Sometimes, they're almost too comprehensive. You can get caught up delving very deep into things that you potentially don't need to. The integrations set it above your traditional antivirus, console-type applications in relation to visibility. It's very high-level in terms of how it works and what it can do.
Cisco AMP offers user access and device protection in a single endpoint security solution. In combination with Cisco Umbrella, it is looking at attacks from a different point or source. It's good enough with these two products to do the job. We don't see a need for another third-party security product.
What needs improvement?
The biggest area where I liked seeing improvement is in the interface and its interaction with the customer and portal. Since these things are quite technical, it's important that you can find your way around the console quickly without having to remember where things are. I think the interface has improved quite a lot in the last couple of years, which is good, but also the integrations are starting to be incorporated a lot more too. We can see more value in the product as time goes on. It's a different product to what it was when we first got it in terms of visibility and also its user interface.
You need a certain level of technical experience because the console is not the easiest thing to look at. It's very in-depth and there's a lot going on. It does a lot of stuff. I often compare that to our antivirus console, which is pretty self-explanatory, but it is not really doing a lot in terms of its visibility. It will do similar remediation work, but AMP has the visibility. You can see where it's going and what processes are running. Everything that it's tracking can be overwhelming to some people so you need a level of IT and technical experience to understand what it's doing and your way around the console. It's a very high-level product in that respect. Therefore, it might scare a few people off if they're not up to that level. However, if you have someone who can handle it, then it's fine.
There are some features with the integrations that I'm not using because I haven't gotten my head around how they integrate and how best to integrate them into what we're doing. It is just a matter of giving me some time to sit down with a Cisco rep and working through it to understand exactly what these things are doing, then implementing them. I am not one to pay for something that we're not going to use. However, from what I can see, everything that comes with the product is worth doing. Obviously, the threats out there now in the internet world are only getting more complex. Therefore, it makes sense that we keep up with all the technology and software that comes with it.
For how long have I used the solution?
About four years.
What do I think about the stability of the solution?
I have had a couple of instances in the time that we have had the solution:
- It got too smart for itself and detected an Adobe Reader update as malicious, blocking all PDFs. They remediated that fairly quickly.
- There was an issue with a connector merging at the start of the coronavirus when we were going into lockdown and sending people to work from home. This caused some issues, but they found that very quickly and were able to remediate it. We were able to roll the connector back.
These issues do pop up from time to time. With any software, there can be upgrades and issues that cause problems.
Overall, the stability of the program and software have been very good.
The product has improved considerably over the last 12 to 18 months. They have done a lot of updates to the console and connector. The connector interaction with the workstation has been minimized. The visibility inside the console has improved.
What do I think about the scalability of the solution?
Typically, we have about 120 devices, but we have an extra 60 work-from-home devices at the moment. The scalability is good because we were able to go from 120 devices to 180 very quickly. Therefore, we are able to push devices out very quickly, as needed. There are no issues from my point of view.
We have used the solution as much as we can because we have it on every device that we are using. From that point of view, we have maxed out our utilization because we are using it on every device. On every new device that gets brought in, the first thing that gets put on it is the Cisco products, before it touches the Internet and the network, just as a precaution.
How are customer service and technical support?
Our rep in Sydney is a certified Cisco supplier and provider. The company is Outcomex. The rep was involved in the setup of the whole thing. We are still using the company for our Cisco products, which is good.
Outcomex is very good. They have looked after any issues we've had with AMP and Umbrella along the way. There might have been some configuration issues that we've had. We have had a few instances where we have needed a bit of external support, and they have been able to give me support very quickly with a fast turnaround.
There have been a few changes to the software, such as the threat intelligence, Threat Grid and a couple of other packages/integrations. I must admit that I haven't had a lot of time in the last couple of months to really delve into them. It's something I was going to go and talk to my Cisco rep over in Sydney to get more of an idea of how they work and how we can integrate them. I see a lot of tools coming out now, along with a lot of integration tools working with the products, which look very good. I just haven't quite got my head around the implementation and how to get the best outcome out of those tools.
There was a case when our provider said, "You best talk to Cisco directly on that." I think that was only once, but the support was very good. That support request was attended to very quickly.
Which solution did I use previously and why did I switch?
Fortunately, our ransomware attack was way back in the very early days when no one really knew anything about it. However, I had done a bit of reading on it and knew the first thing to do when you see one of those things is to disconnect the machine from the network that is causing the issue. I knew which one it was straightaway, so I managed to disconnect it from the network. Then, the proliferation stopped straightaway. We were able to get stuff from the backup fairly quickly because we have good backup regimes in place, but it was purely by chance that I came across the ransomware as a threat. Although I didn't understand to what extent it went, we were able to mitigate it.
The ransomware attack took probably a good two days of my time fixing and getting things back to normal. It impacted some people in the business world because of where the ransomware got into the network. That was the wake up call, to say, "Hang on. We need something that's going to flag these issues and give us visibility." Our antivirus software was completely benign to it at that time. It had no idea and didn't pick anything up. That's what made us go looking for something. We came up with FireAMP (Cisco AMP). We decided to trial it for a few months and got an idea of exactly what was going on in the network. We did an audit on the network (to start with) and realized that we had some issues. While all stuff was mostly benign and just sitting around the place, it gave us the ability to quickly see what was going on. That was when we decided to go down the path of getting something that would give us that visibility.
The firewalls did their job to some extent. Since then, we have changed our Internet providers and now have a managed firewall. This takes a bit of pressure off me, but we've left AMP in place since we assume that the firewall will let through various things. So, we take the position that we use both Cisco products to protect us from anything that gets through. It is not a matter of just relaxing a bit because we have a managed firewall in place with a lot more security than we probably had five years ago. We still take the view that we need to protect inside the network, assuming something gets through the door, because there are always ways around these things. That's how these things start: They get ahead of a security software before the security software can catch up.
How was the initial setup?
The initial setup was pretty straightforward.
We pushed the deployment out in a day. Once we had the connector configured and policies configured to how we saw best at the time, it was a fairly straightforward rollout. Because it was pushed out through the portal in the cloud, all the devices were rolled out pretty quickly.
The connector updates are very easily done now, and that's improving. Previously, the connector had an issue, where almost every time it needed to be updated, it required a machine reboot. This was always a bit of an inconvenience and a bug. Because with a lot of software now, you don't need to do that and shouldn't need to be rebooting all the time.
The connector updates happen every six to eight weeks. Now, it's just a matter of me saying, "Push out the update," and off it goes. There is minimal time involved, as it's just a matter of me pushing it out. However, I don't push them out automatically. I always hold back a little bit on updates, like Windows updates, because quite often updates come with more problems than they solve. I usually wait a week or so before implementing them.
What about the implementation team?
We did a two-week audit of it to assess what threats we had. That was done with our Cisco rep. He put a device in that sniffed out all the traffic on the network and produced a report to show where our weaknesses were and what we had on the network sitting there benignly. That gave us a benchmark to configure the product in its initial stage before implementing. The rollout was quite easy.
The deployment was done with a Cisco rep and me.
What was our ROI?
Because I was able to get on top of our ransomware attack fairly quickly, I was able to restore stuff from backups. Disruption is time, and we are a time-based business. We have done the numbers. If we had 100 technical people at X amount of dollars per hour charge-out rate, then that gives us an hourly cost, as a very rudimentary way of working out hourly cost. Therefore, if we're down for half a day, or even a day, then we can very quickly work out how many dollars we will lose every time we get taken down by this type of attack.
We haven't paid any ransoms because we didn't need to, and we wouldn't do that. However, the other side of that is the downtime, assessing the damage, fixing it up, and then all the subsequent tidying up that goes on afterward, which can go on for a while. It would probably be a couple of days of lost productivity, which is not a huge amount in terms of time, but dollar-wise for a small to medium-sized business, it can be quite substantial in a month.
We haven't had to spend time dealing with too many threats. That time is minimized in terms of how much we need to spend.
The solution has decreased our time to remediate. We do a lot of stuff automatically, but we can manually go in and apply remediation straightaway on devices at a device and policy level. We can apply this throughout the business, which is what we want. If we see a threat at some particular level, we can make a decision to go in straightaway and tackle that threat through manual intervention because you can't blindly put your faith into something and expect it to do everything for you. You have to manage it and be proactive at all times. However, the amount of time spent doing the manual intervention is minimized.
What's my experience with pricing, setup cost, and licensing?
The pricing and licensing are reasonable. The cost of AMP for Endpoints is in line with all the other software that has a monthly endpoint cost. It might be a little bit higher than other antivirus-type products, but we're only talking about a dollar a month per user. I don't see that cost as being an issue if it's going to give us the confidence and security that we're looking for. We have had a lot of success and happiness with what we're using, so there's no point in changing.
There is also the Cisco annual subscription plus my management time in terms of what I do with the Cisco product. I spend a minimal amount of time on it though, just rolling out updates as they need them and monitoring the console a couple of times a day to ensure nothing is out of control. Cost-wise, we are quite happy with it.
Which other solutions did I evaluate?
We did look at another solution. At the time, there wasn't a lot of software for small to medium-sized businesses.
I was looking for something with a business name reputation behind it that would give us a good level of security. That's why we went with the Cisco solution. We initially went with Cisco based on its name in the industry, and we have been very happy with it.
Cisco AMP comes with an in-built antivirus, but we have another antivirus that we use. Though AMP works whether you use their antivirus or not, we thought, "If we use a separate branded antivirus, they may have some extra sort of pickups that the AMP antivirus may not," to spread the risk a little. We have some other systems in place internally in terms of how we protect file installations and macros running on the network. Therefore, we do add extra layers of security that we feel we need. However, we are confident that this will pick up most of this stuff along the way.
What other advice do I have?
At the start, we realized how much we didn't know about what was going on in the network and where all the endpoint weaknesses were. That opened our eyes straight away to the risk that was involved. Then, we did the numbers and said, "For us, risk is downtime, and time is dollars." We just did the sums very quickly and worked out what it would cost us if we didn't have any idea what was going on in the network and got hit by something that we should have been aware of. Because if the software is out there and gives you this type of visibility, you should be using it.
We do use it with another Cisco product, Cisco Umbrella, which is a DNS-level content-filtering, web-filtering software. That has had an impact on the business world in terms of restricting a lot of stuff which may have come in for some web pages or websites that may not have been secured. We have seen a reduced impact on the business because we're using the two Cisco products together.
I would give Cisco AMP a nine (out of 10). It is as good as anything out there. I can't see any reason why we would look elsewhere for a product. It does the job it's meant to do and is improving all the time. We have been very happy with it.
Which deployment model are you using for this solution?
Hybrid Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.