Cisco Secure Endpoint Reviews

AMP for Endpoints has Endpoint Connectors, which are agents on the endpoints, providing security against malware and intrusion detection. It also provides intrusion prevention. We install the Connector on all the endpoints before they're deployed and also on our virtual desktop images. They provide constant monitoring and alerting on any events or potential threats to let us know when there is something going on that we can further investigate.

AMP intersects with a bunch of other Cisco tools, such as Threat Grid, Threat Response, and Talos Intelligence to identify threats, then automatically quarantine or remove them. It also gives you the ability to isolate endpoints to prevent further spread of any sort of malware, like a virus that might infect other machines.

The visibility and insight this solution gives you into threats is pretty granular. It has constant monitoring. You can get onto the device trajectory to look at a threat, but you can also see what happened prior to the threat. You can see what happened after the threat. You can see what other applications were incorporated into the execution of the threat. For example, you have the event, but you see that the event was launched by Google Chrome, which was launched by something else. Then, after the event, something else was launched by whatever the threat was. Therefore, it gives you great detail, a timeline, and continuity of events leading up to whatever the incident is, and then, after. This helps you understand and nail down what the threat is and how to fix it.

The solution’s actionable alerts in the security console are granular. They take you right to whatever the incident was so you can start investigating it. One thing that I have noticed lately, as we have spun up more tools associated with our Enterprise Agreement, is that AMP interfaces with all of them, then takes on some automated actions. One of the things that AMP allows you to do if there's an incident, it gives you an alert. This is because a threat was detected. You can click on the threat that's detected, then it takes you right to it in the timeline. Finally, you can pull/fetch the file and submit it for analysis. However, it will also do that automatically.

Cisco is standing up so much stuff right now. This solution interfaces with Talos Intelligence, Threat Grid, Threat Response, and SecureX. All of these things are integrating together and a lot of stuff is now starting to happen automatically, e.g., if a threat is detected, it is automatically interfacing with Talos Intelligence to figure out what that threat is and the hash value of whatever file that is. If it thinks it's suspicious, it automatically submits it to Threat Grid, which detonates the file in the sandbox, but also in the cloud, and returns a report saying whether the file, or whatever it is, is an actual threat/incident. Then, it remediates and quarantines it, and you find out about it later. It's doing a lot of stuff in the background as the integration with other tools increases.

Cisco Threat Response accelerates security operation functions. It gives you great visibility into your network. You start with a hash value, and you can search for that hash value within your environment by just dropping it into Threat Response. Then, it'll show you how that file has interacted with other files, systems, and devices. It gives you immediate visibility with a chart that shows you where that file has gone and where it's been. If you're looking to contain outbreaks, it's all there.

Cisco AMP simplifies endpoint protection detection and response workflows, such as security instigation. It really shortens the window to respond to an incident. You can do something in five minutes that probably would have taken several days in a big, diverse, ambiguous environment, where you have a lot of people working remotely. It would be tough to run down all this stuff. It is saving not only time, but manpower. Another person plus myself can now fix a problem. Whereas before, I would have to crawl through four or five different people before I got the right guy to get to the right place to do the thing that I needed him to do.

I like all the features. They're continually adding features to the product as well. One of the most recent features that they added is Orbital Advanced Search, which gives you great visibility into each individual endpoint. If you need to go look and see what's going on, it gives you that ability very easily.

I've only used Orbital Advanced Search on individual endpoints. Unless what I'm looking for is of great urgency, then I don't want to run very complex queries because they can take a lot of time and use a lot of resources for the endpoint. I'm still getting used to it so I don't know its full capabilities, such as, what it can do without interrupting the use of the endpoint. However, if the endpoint is compromised, it doesn't really matter. If I'm just investigating an incident, I don't want to lock the box up if a user is still trying to use it while I'm trying to figure out what's going on.

The Orbital Advanced Search is a great tool that gives you visibility. Otherwise, you would have to track down the device physically and possibility even do a forensic image of it to figure out what happened, or take it out of the environment just to investigate it. Having the ability to use Orbital to get the information off of a device to determine whether it's legitimately compromised, or if something weird is just going on, shortens the timeline of your response because you have immediate availability and visibility into the device that might be compromised.

Orbital helps reduce attack surface and investigate real-time data on our endpoints. For example, a device alerted in AMP for having a potential browser hijacker. At the same time, the user was also opening a help desk ticket because they were unable to access some online resources necessary for them to be able to work. I was then able to get on the device using Orbital (out of AMP) to locate the device and figure out what was going on, and it was a legitimate infection of a virus: It was a browser hijacker. All that happened in the span of five minutes, and I was able to get one of my guys out there to remove the device from our environment, reimage and replace it with another device.

I was able to figure out what was going on with that device in the span of five to 10 minutes. Then, I was able to have a guy onsite within the next three hours to get the device out of our environment. Previously, that would have taken days to figure out what was going on with the device, remote into the device, and find out where the device was physically, then get somebody to go to where the device was physically and pull the device out of the environment. That used to be a much longer process, and the longer that you have a threat risk in your environment, the riskier it becomes.

One of the best features of AMP is its cloud feature. It doesn't matter where the device is in regards to whether it's inside or outside of your network environment, especially right now when everybody's remote and taken their laptops home. You don't have to be VPNed into the environment for AMP to work. AMP will work anywhere in the world, as long as it has an internet connection. You get protection and reporting with it. No matter where the device is, AMP has still got coverage on it and is protecting it. You still have the ability to manage and remediate things. The cloud feature is the magic bullet. This is what makes the solution a valuable tool as far as I'm concerned.

The solution’s endpoint protection, in terms of the operating systems and devices that it protects, is pretty comprehensive. The one challenge that I see is the use of multiple endpoint protection platforms. For instance, we have AMP, but we also have Microsoft Windows Defender, System Center Endpoint Protection, and Microsoft Malware Protection Engine deployed. So, we have a bunch of different things that do the same thing. What winds up happening is, e.g., if I get an alert for a potential incident or malware and want to pull the file, I'll go to fetch the file to analyze it. But, one of these other programs has already gotten it, so the file has already been quarantined by another endpoint protection system. AMP doesn't realize that and the file fetch fails, then you're left wondering what's going on. 

It's a rapidly evolving product. Every time they turn on a new feature, you're going to have glitches. Recently, they put out a bad version of a Connector, but they put out a new version of a Connector every other week it seems, so they pulled that back and put out a new version.

About a year.

It is very stable. I haven't noticed it being unstable. It is what it is and does what it does.

On a regular basis, we have four or five network security engineers working on its deployment and maintenance.

It is easily scalable. It's a simple deployment. You can push it out through any sort of desktop management system that you have.

Because we're a hospital, some things (like an imaging device) will not be using the solution as it may stop the imaging software from working. As far as endpoints for regular people who are not doctors using nuclear medicine imaging computers, it is pretty much on all those devices, including all of our virtual desktops. We have about 5,000 endpoints.

Their technical support is excellent. I often wind up working with the same people who are responsive, knowledgeable, and available to do live troubleshooting and analysis. They also do a great job of teaching you things that you otherwise wouldn't know about the tool.

We still do use System Center Endpoint Protection (SCEP). I am in the security group, and there's an infrastructure group who deploys the desktop. As part of their deployment, not only do they include AMP, they also include the Microsoft tools of various types.

Mostly, AMP affords us utility and visibility. Whereas, we had very little control and visibility into other tools because they weren't ours. we didn't have such great access. For endpoints, it's really been great for us as far as having that level of visibility and ability to control what's going on. To not only have the responsibility for security, but the ability to provide security has been the big deal for us. We didn't have such great access. 

When we only had the SCEP solution, we would get alerts but that would be it. We wouldn't have access to the tool to get more information from it. This left us sort of trying to troubleshoot the device in a vacuum without understanding what was going on.

The initial setup was straightforward, easy, and quick. When we first started testing and deploying it, we were installing it on individual machines ourselves. It's just a matter of downloading the Connector or having the URL to the Connector that you just run on the machine. All you need is local admin rights and it takes about five minutes. That's it. 

In our testing environment, deployment was probably a month or two, because we were just testing. Once we felt comfortable with it and started deploying it, we gave it to our desktop engineers because it's an integral part of the image that gets installed on every machine. Therefore, for our entire environment, it probably took a total of four months, since three months were for testing.

Initially, we deployed it to individual desktops for testing. Then, we incorporated it into the standard image deployed on all desktops, laptops, or endpoints.

We have absolutely seen ROI. The way that it is starting to integrate and work with all the other Cisco products, as far as the ease of use, visibility, and being able to respond to incidents. We can know if something bad is potentially happening instantaneously and prevent it from happening. We can go to a device and isolate it before it infects other devices. In our environment, that's millions of dollars saved in a matter of seconds.

The solution has made our team more effective and productive.

The solution has decreased our time to detection because we are getting alerts letting us know that something needs to be looked at. Now that it's integrating with all these other tools, it's automatically submitting files for analysis to determine whether they are dangerous. Up until about two months ago, I would get a bunch of alerts about certain files. For example, I used to get alerts about a machine having a file, then I'd have to fetch the file and submit it for analysis. That stuff is happening automatically now. So, I went from about 100 or so odd alerts a week to around five because everything is now happening on its own.

We have an Enterprise Agreement with Cisco for a bunch of tools. This is one of them.

The Enterprise Agreement is like an all-you-can-eat buffet of Cisco products. In that vein, it was very affordable.

We looked at a bunch of different things. We looked at Carbon Black along with two or three other of our tools that we didn't really have any control over. 

Cisco AMP came as part of the Enterprise Agreement with Cisco, so it was included. This made it much easier to spin up and use.

You need to look at your exclusions. You need to understand everything you have in your environment that needs to be able to operate. Because one thing AMP does, if doesn't know what a file is, it will go get that file and isolate/quarantine it. That file might be part of another software platform that's needed to function for whatever it is you do. Chances are you won't have any visibility into whatever that platform is until it stops working, because AMP has quarantined one of the central files for it. Knowing what you have in your environment, what the exclusions are, and how to create and apply those exclusions for those other systems is a key piece.

I think that AMP is really effective in isolating and stopping things that it doesn't know. This is probably good because you don't know if a threat is really a threat until you get a chance to look at it. AMP gets out in front of that. This can cause problems if you don't know that you need to have an exclusion, but you're better safe than sorry.

We are using Cisco Email Security, Cisco Firepower, Cisco Talos, Cisco Threat Grid, and SecureX. We have not stood Stealthwatch up yet. We are refreshing our ISE instance. The integrations across the board have really been a multiplier for each tool individually, and certainly through AMP. It's really launched AMP into another level far as automation is concerned. The integration of all these tools is seamless and very effective.

I would rate it an eight (out of 10). It is all still a work in progress; it is all still a new thing. Not only is the tool itself a new thing, but how the tool integrates with all the other tools. It's in development.

We were looking for a security product, which would not only block known viruses, but give more visibility and control over anti-malware. We offer Desktop as a Service (DAAS) for small and medium businesses, so we have hundreds of laptops, desktops, and virtual machines. Because users click on everything, you need to have a solution in place which will detect if something happens and log it, if there's anything malicious, then it will be blocked and reported.

The main reason for going with Cisco AMP is its integration with other Cisco solutions. It can integrate our firewalling, DNS protection, and email security appliance, so if there's a malicious file, and I see it on one of those devices. I can say, "Hey, I want to have this blocked," and it will immediately stop it being emailed in or out our environment. It also can no longer be downloaded from the Internet. Thus, with one click, we have multiple points protected.

AMP is a bit of a time machine for our environment. We can see any action being executed, connection being made, or file being written, whether it's malicious or not. Everything is been logged. I can basically go back in time and see, "This user opened this website," or, "This process created this file." If at any point in time, we do get something where, "There has been malicious activity there," we can completely follow it back:

• How did it get there? 
• Did it change other files? 
• Did it leave a scheduled task somewhere? 
• Did it connect to other machines? 
• Did it drop software on another place even before it was know to be malicious? 

All activity has been logged. If something turns out to be malicious, or if it's a user doing something they shouldn't be doing without using any malicious software but just using system tools, you can still see every command being run from the console.

The management console is cloud-based and the deployment goes to the endpoints, which are either in our data center or on the laptops and desktops that users have in their offices.

We worked a lot from home over the past few months. This was our only product that did not need to be changed in configuration when all the laptops did not come into the office for a few weeks. As long as there's an Internet connection, it will get the updates. Anything happening locally will upload to your cloud so you have full mobility on it. You have no need to update your console. You log in one day, and there's a note saying, "We added these new features. Click here for more." It has taken a lot of the hassle out so you don't have to worry about the connectivity or updates. You can just worry about stopping the malware you're investigating and incidents in your environments.

Any alert that we get is an actionable alert. Immediately, there is information that we can just click through, see the point in time, what happened, what caused it, and what automatic actions were taken. We can then choose to take any manual actions, if we want, or start our investigation. We're no longer looking at digging into information or wading through hundreds of incidents. There's a list which says where the status is assigned, e.g., under investigation or investigation finished. That is all in the console. It has taken away a lot of the administration, which we would normally be doing, and integrated it into the console for us.

With Cisco AMP, or any Cisco security products, you get Cisco Threat Response. Threat Response takes the intelligence from all your different solutions, then combines it with sources, like VirusTotal, and includes general information that Cisco has available on those threats. E.g., if I see a file somewhere, I can with one click go from my AMP console to Cisco Threat Response, and there it will be enriched, saying, "We have already seen this piece of software two months ago in Japan. This is what we thought of it. We did an automatic analysis on it. These are the indicators on this piece of software being either malicious or benign." With Threat Response, it is very easy to go from what's happening on my environment to what's happening in the world.

If there's spam coming from a machine, I can with one click determine, "Has there been any other intrusive events originating from this machine? Has it been sending me just spam or has it also been scanning me, making connections to other machines, or login attempts?" With Threat Response, we get the view from all sides, both inside and outside our network.

Orbital helps us with investigation, especially if there's been an incident on one machine, and I want to know, "Are there other machines in my environment with the same type of modifications." It's just a click away. I don't have to leave the Orbital or AMP to do the incident investigation. Thus, I don't have to pivot to another solution to check the event logs or files on the endpoints, and not having to leave the tool is very efficient. You have the same casebook in which you can keep notes of your investigation, then you can share the notes with your colleagues. 

The solution simplifies endpoint protection, detection, and response workflows, such as security investigation, threat hunting, and incident response. This positively affects our operational efficiency. We don't have to guess anymore if we have everything or need to use different tools. I can query the machines directly from Orbital. It's a complete tool set. You don't need anything else besides the tools you get with Cisco AMP. There are things now possible which we could not do before, and they're easier than before as well.

I find the the integration to be valuable. Cisco Email Security, Threat Response, and firewall are all completely integrated with this solution. It's very easy to connect your firewall or Email Security appliance with AMP to get visibility within Threat Response. On Cisco's end, we have had no trouble integrating. You go to the menu, and say, "I want to integrate this kind of device." Then, it basically shows you which buttons to click to integrate. It has been very easy.

The ability to create groups and policies precisely to your liking is also valuable. You can choose which engines you want to use for specific groups and what type of protection you want for what machines. It's not a single, one-size-fits-all. You can precisely match it to your requirements. E.g., if I have a file server and a laptop, then I want a different type of protection for those machines.

The console is really great. It's web-based. You can give everybody access. It has some great dashboards, which immediately show you what's going on in your environment, what's being blocked, and what needs to be investigated. It also makes collaboration very easy. If I start an investigation, I can open a virtual casebook that will be also stored on the console. I can invite other users to collaborate with me on the same investigation without having to send them notes or have another communication channel open to check things. E.g., I open the casebook and add interesting events to it, then other users are being updated immediately. They can also add to the same casebook, as it is very easy to collaborate from within the console on incident response.

Orbital is a good feature. It's based on SQL query. You can say, "I want to see failed login attempts," to see if there is anything out of the ordinary, then select a random or specific number of endpoints. It can run queries against the machine without you needing to make sessions. You can check if:

• There have been any alterations in the host files.
• Any new applications were installed.
• There have been any events taking place in the event log, without having to leave the AMP environment.

We have had some problems with updates not playing nice with our environment. This is important, because if there is a new version, we need to test it thoroughly before it goes into production. We cannot just say, "There's a new version. It's not going to give us any problems." With the complexity of the solution using multiple engines for multiple tasks, it can sometimes cause performance issues on our endpoints. Therefore, we need to test it before we deploy. That takes one to three days before we can be certain that the new version plays nice with our environment.

At least a year.

The stability is very good. We have had no issues with the console. It has always been available. The connector also runs well.

I have to ensure that the connector is installed on every device, whether it be an iPhone, Android, Linux, or Windows. I don't have to worry about the console, the amount of data, or the back-end, as that is all being handled by the cloud. Therefore, I can scale as much as I want, as long as I have enough licenses.

We currently cover 500 endpoints with Cisco AMP and are looking to scale that up to 3000 this year.

Working on the console: We have seven users. 

Working on machines protected by AMP: We have about 5,000 users.

There have been a few incidents where we used their technical support, which has been very good. The highest level of certification is Cisco Certified Engineer, and these are the first people whom I talk to as I log an incident with Cisco AMP. They are certified at that level. Therefore, I'm talking to somebody who has intimate knowledge about the products. They react quickly and know what they're talking about. They say, "Can we schedule a remote session? I can work with you on the problem." Then, it's always been either the same day or the next day that they say, "I have a solution," or "I'm going to continue to work with you towards that solution."

We previously used Microsoft System Center Endpoint Protection. We switched away from it for two reasons:

1. System Center Endpoint Protection is a classic antivirus product, which will block no malware and only work on Windows. There is nothing advanced about it. It does not have login or the cloud console. It will only give you alerts if the machine is connected to the domain. It was a legacy product looking at the malware and the threat landscape. There was no ransomware protection. There was no sandboxing any threats if there was an unknown file. Now, it will be sent over to Cisco Threat Grids and go right on the VM, then there will be a verdict passed saying, "Good file, bad file, suspicious file." Previous solution didn't have that. 
2. Our company was very happy with the price of Cisco AMP. It was about a third of what we were paying for System Center Endpoint Protection.

We had ransomware before we had Cisco AMP. Basically, the user calls you to say, "Hey, there are some files I cannot access well." You log into the machine and look at the processes, then you see there is a process encrypting all the files. You kill the process, get the files (which have been touched), and then start to restore. However, how can I be certain that the process which was started by the user did not leave a scheduled task saying, "In five hours, we have to start another thing," or did it upload any user data to a different machine? How can I know if was there was data loss involved in this incident?

With our previous solution, you had no way to be sure that you were not missing something, if there were not any files left, passwords/data stolen, connections made to different machines, booby traps or scheduled tasks left, etc. With Cisco AMP, if it manages to execute, I can say, "How did we get this file?" With one click, I can block it from being downloaded from the Internet and being emailed in/out of our environment. I can also see if there were any files created or connections being made. Then, I can be 100 percent sure if there was a data exfiltration, anything left behind, or if we missed anything. AMP is very thorough.

With our previous solution, if it was known malware, we would get an alert. If it was an unknown malware or ransomware, our users were our detectors. Then, it might take hours before they could say, "Hey, something's not working for me." Cisco AMP will get you that same alert within minutes of an incident occurring.

Before we had the Orbital tool and Threat Response, we were just feeling around in the dark if we were doing an investigation. We were never sure, "Did we get everything?" We did positively identify malicious malware, but, "Did we miss anything? Has anything else happened? Is this also happening on different machines?" There were these questions we were not able to get 100 percent satisfying answers on. With Cisco AMP, Threat Response, and Orbital, we are 100 percent certain that we got every trace of malicious software. We're also certain that no other machines have been compromised or will be compromised in the same way.

The initial setup is straightforward. Because the console is cloud-based, you get an email saying, "An account for you has been created. Click here to login." Then, there is the console. There are some basic groups there, and you say, "I want to have these settings." You download an installer, which already has the policy you defined included, and run it. It installs the connector on the endpoint, then the endpoint starts talking with your console. That's all you have to do. 

You log into a website, configure your settings, get an executable that you deploy to your endpoints, and that's it. Any policy or connector updates can trigger from the console, because if you can use a web browser, you can deploy Cisco AMP and update it.

I had the first machines deployed within an hour. After, we started a fine-tuning process, which includes policies, exclusions, and rights. Total deployment was probably two or three weeks before it was part of our default image, where every new machine was being imaged with a connector included.

Time to response is a lot faster. With every incident, at least six to 10 man-hours are saved because the damage has been reduced significantly. Additionally, if I have to work on file restore for six hours, for those six hours, my IT users cannot work on that application. This does not even take into account lost productivity of hundreds of users waiting to get access to the data again who also have to wait for six to 10 hours.

The visibility has increased a lot because all the heavy work is being done in the cloud. Therefore, we see a lower CPU and memory footprint on the endpoints. All the connectors on the endpoints send your information to the cloud where it is being analyzed, then it just gets the information back. There is not a lot of heavy stuff going on with the endpoint compared with the previous solution where you had a lot of work being done on the endpoint. Thus, you're taking away CPU cycles and memory from the applications you wanted to run there.

Our technicians are doing more meaningful tasks. They can just do their threat hunting and incident response without having to find tools that can do the things already built into AMP and Threat Response.

There are a couple of different consumption models: Pay up front, or if you have an enterprise agreement, you can do a monthly thing. Check your licensing possibilities and see what's best for your organization.

Note: You can upgrade or increase the number licenses by just placing a new order.

We did do a product selection, but we did only the proof of value with Cisco AMP. We looked at Trend Micro and a VMware product on paper. However, looking at our integration possibilities, since we were already using Email Security and firewalling from Cisco, there was no other product that offered the same level of integration.

Read the manual. There is a lot of information in there. 

Cisco gives threat hunting workshops globally, which are free. They take about half a day and show you how to use this product for threat hunting. Because we're looking at protection and antivirus, we're looking at a reactive response if there is a nasty file to be blocked. With Cisco AMP, you get the possibility to proactively go hunting for threats and find them before they become a problem. With this workshop, it will really shows you the different tools with real life examples, how to effectively test, and make the most of your investment in Cisco.

The solution’s endpoint protection is very comprehensive in terms of the operating systems and devices it protects, e.g., servers, Windows and Linux, smart devices, tablets, or home PCs. As long as it has an Internet connection, I can deploy an endpoint connector. I can get all the input into Microsoft for that endpoint as well. We haven't had any operating systems or devices in which we could not get visibility with AMP.

Other solutions are just the basic, "There was something wrong." They will give you the location, but will not give you the context, from which user, nor show you how the file got onto the system. With Cisco AMP, I just open a dashboard and it will show me (without doing anything), "We had 60 malware incidents via Chrome. We had five malware incidents via Outlook. We had two malware incidents from USB sticks." Immediately, we have an overview of how we're doing today, also showing where the nasty things are coming from. I don't know if there is anything that I'm not seeing.

With Threat Response, there should be some new integrations announced later this month.

I would rate this solution as a 10 (out of 10). 

I'm hoping that this is protecting me from all the harmful issues that are happening, because we know exactly what kind of world we are living in on the internet.

I rely on this system. I am hoping that everything is fine with the system and that it will catch any harmful file or virus or trojan. If any of those things happen on my network, it will hold it or stop them.

It has helped to simplify cybersecurity in my company. I see that there are files that have been blocked. I don't go deep into the reports that I get from the system, but I believe that it's doing its job. I haven't had any serious problems.

I'm only using the AMP (advanced malware protection) which is protecting my file system from all the malicious things that might happen. It should protect all kinds of things that might happen on the servers, things that I cannot see.

They could simplify the solution and make it a little bit easier to understand how things are happening or if something serious has happened. They could improve the main dashboard to more clearly show me the things that I want to see. When I open the dashboard right now, I see a million things and they are not always the things that I need.

I would also like it to update itself so that I don't need to click to make that happen. Of course, having to click is not a hard thing to do, but I would like to see things done automatically as much as possible.

I have been using Cisco Secure Endpoint for a long time. I used it in the last company I worked for and, when I opened my own company, I also started using it. I have been using it for around five years at least.

It's very stable.

I have it installed on about 40 clients. To increase the number of endpoints I just need to download the connector and install it.

I have had some difficulties, but I received support from Cisco and, in the end, it was okay. I cannot complain.

It took me some time to understand how to send in a request. It would be very easy if there were a chat on their site or if it could be done via WhatsApp. But I had to look for an email address, where to send and what were the details that they asked from me at the beginning. It wasn't obvious how to reach out to support.

Positive

I did not have a previous solution.

The deployment was straightforward. It's easy to understand the steps. I created a profile, downloaded the agent, and installed it on the clients that I wanted it on. The dashboard is in the cloud, hosted by Cisco.

It is good that you don't have to take care of the system all the time. Once it's installed and stable, you don't need to make adjustments.

I used SecureIT and it was perfect. He's very professional and he knows the system. He gave me an introduction to the system and explained the things that I needed to know.

It's keeping things quiet, so that's a very good return.

Cisco Secure Endpoint is not too expensive and it's not cheap. It's quite fair.

I looked into SentinelOne two months ago. The question is, is the system protecting me enough or not? Sometimes I ask myself, should I put more security on the servers? Doing so is going to make the system work more slowly. I checked SentinelOne because some of my colleagues who have Cisco AMP had an attack that Cisco AMP did not see.

The fact that I've been using it for five years already means that I believe I can trust it. Others can also trust it.

We are system integrators and we use this product for DNS security, which is integrated with the DNS service.

Cisco AMP is the broadest, most integrated security platform that connects the breadth of Cisco's integrated security portfolio and the customer's infrastructure for a consistent experience. It unifies visibility, enables automation, and strengthens your security across network, endpoints, cloud, and applications--all without replacing your current security infrastructure or layering on new technology.

The entirety of our network infrastructure is Cisco and the most valuable feature is the integration.

I would like to see integration with Cisco Analytics.

We have been using the total Cisco solutions including AMP for Endpoints, Umbrella, and Firepower for three years.

This is a stable product.

This solution is scalable.

I have contacted them in the past to raise a case and they were able to resolve it.

We use the traditional antivirus, its don't able to protects real time protection don't have firewall integration.

The initial setup involves integration with other products such as Talos. The deployment took us about one day.

Cisco Talos Intelligence Group is one of the largest commercial threat intelligence teams in the world.These teams are supported by unrivaled telemetry and sophisticated systems to create accurate, rapid and actionable threat intelligence for Cisco customers, products and services.

I began with implementing Cisco AMP for Endpoints and then integrated Umbrella and the other products after that.

I would rate this solution a nine out of ten.

The primary use case is for endpoint protection. For the larger deployments, we use it for our policy enforcement as well. We use AMP on the endpoints for writing automated policies in order to protect the user when they join the network, for example. 

The solution's integration capabilities are excellent. It's one of the best features.

Most of my ecosystems are Cisco-based, so AMP is an easy deployment for me and an easy sale as well. There is a lot of technical documentation which is readily available. There's a lot of Cisco-based education which is really helpful in terms of various unique situations that we run into.

I would recommend that the solution offer more availability in terms of the product portfolio and integration with third-party products. 

AMP works very well within the Cisco ecosystem. If it could work along with the third party ecosystem as well, if that integration or even more APIs came into play, I think we could utilize this product a little bit better.

One thing which I would like to see in terms of a major improvement would be AMP supporting the IoT infrastructure, which has been coming up in networks recently. It should also support more factory managed devices, like systems running Linux. Better support is what I'm looking for.

The common endpoints are already covered and we work very well with them. That would be the case if support is extended to new devices as well. I think that would bring real value to the table.

AMP has recently released email security and web security. If there was something like a common dashboard, similar to that of CrowdStrike, it would be useful.

AMP needs to come up with a common dashboard for all of the solutions. That single pane of information would allow us to view everything. 

Instead of installing a plugin, what we need AMP to do is run installs in the background. Then the user doesn't know that AMP is running on the system. That would be a fantastic use case or the recommendation which I would like to make, in they're looking for products and features to develop. Something like that would allow me to have a high-end deployment in place for AMP which would be ideal.

I've been using the solution for two or three years now. I have been using AMP since it was acquired as an independent company. That means I have almost five years of experience in AMP and AMP-based products.

Scalability wise, AMP is a sure shot recommendation. I would recommend it for an endpoint protection solution compared to any other product out there in the market. It's number one.

I work with small and medium-sized organizations as primary clients which I have targeted AMP on. The small users or the smaller segment within our clients are from 10 users to 500 users. And when I'm talking about medium deployment, I'm referring to users ranging from 500 to 5000 users.

The technical support has always been fantastic.

It has never been a disappointing experience to be very frank. Cisco TAC has been very helpful. I worked in the presales team as well, so there is Partner Plus which has always been favored in terms of providing us with solution-based documents as well as presentations to take to our customers.

In a couple of ways, I think we are doing a very good job in terms of the resources which are being provided as well as the support that has been designed around this product.

The initial setup is very straightforward.

I normally work with Cisco systems, as well as most of the routing and switching companies out there, like Juniper, among others.

We're partners with Cisco. I handle consultation with all Cisco products, which includes all of the safe architecture, security logging, and switching. I'm basically working with the system architecture within Compass. I am a unified, tech grade umbrella for the entire product portfolio.

I'd advise, if users are running a Cisco environment, to definitely adopt AMP as an endpoint-based solution, which makes it a lot easier for them to manage your devices.

I'd also advise that AMP works very well if someone is running a non-Cisco set up (and they're looking at an endpoint solution that works independently). However, there's a little bit of complexity in terms of getting the actual business use case, because there's less documentation surrounding that kind of setup.

In terms of rating the solution overall, I'd rate it an eight out of ten. It has covered most of the feature sets we need. The reason I'm not giving it a full ten out of ten is because there is still room to improve the scope of integration. It doesn't support many of the IoT endpoints as well as the other components on the network, which are not yet compatible but under development. Once that happens, I'd probably give it a proper ten out of ten.

I like that this program is very light on the computer and very powerful. I also like the price.

I would like more seamless integration, because I have a security solution based on Cisco and I'm looking at integration for the old solution. It would be much easier for the security administrator to monitor integration.

I guess it's easy to scale, because I started a project with the requirements and when I needed to move forward to scale it up, it's been so easy. We currently have around 50 users. 

I am really satisfied with the technical support.

I also use Trend Micro. I use both programs, because they have different security layers. Both programs are very good.

The initial setup was straightforward as we used one of the Cisco partners. The deployment took a couple of days. 

On a scale from one to ten, I will rate this solution an eight. I do recommend it to others.

I use the public cloud deployment model. I have installed the license, the software, on my VM and it is being managed by Cisco Cloud.

My primary use case for this solution is to test it against malicious links and for encryption and decryption. 

The simplicity of use is its most valuable feature. You can very clearly see things. You have the ability to go back in time and get details, where the malware started, what happened and where it went from the minute it got in. It offers a good scope and a good ability to shut it down then go back and see what happened. 

It should be doing backups. Every stage that this malware is going forward, it should snapshot the situation. Then I could go back to the first stage before it got infected. It doesn't have this option, and I know that other manufacturers have it, like Check Point, for example. 

In the next release, I would for it to have back up abilities. I would like the ability to go back to a point in time to when my PC was uninfected and to the moment of when the infection happened.

The stability is good. 

I haven't needed to scale up yet but from what I see it's supposed to be easy. My organization sells this solution. We provide the service and management of the environment of our clients. 

It only requires one staff member for deployment and maintenance. 

I'm looking to expand the usage. I offer this solution to almost every endpoint SMB client. I'm looking to establish a faster solution and I meet with clients to discuss their network security. 

We haven't needed to contact their technical support because we've never had a problem that we couldn't resolve ourselves. 

We were previously using Check Point Sandblast Agent. We switched because it wasn't as stable as this one. We had some problems with it and we needed to contact their support and it wasn't so good. I would get tough questions from my clients so eventually I told them that we would look into other solutions.

We also work with Fortinet but I prefer AMP. 

The initial setup is a bit complex because you need to execute existing antiviruses or security software that you have on your device. 

The deployment took around fifteen to twenty minutes. 

I deployed it myself. I am the consultant who does the deployments. 

The costs of 50 licenses of AMP for three years is around $9,360. There are no additional costs. 

Just purchase the license, download it, install it to an active device, the main controller, and send it to everyone. My advice is that you need to delete your existing endpoint security solution because AMP actually contains everything that you need. Those two softwares can attack each other which can be a problem.

I would rate it a nine out of ten. 

We're using it for endpoint security for users and to make sure that no vulnerabilities exist.

Cisco Secure Endpoint has improved our security boundary. It makes our network more secure.

Cisco Secure Endpoint has decreased our time to remediate and time to detect, but I don't have the metrics.

Cisco Secure Endpoint has improved our cybersecurity resilience.

The product itself is pretty reliable. The security features that it has make it reliable.

It's pretty good as it is, but its cost could be improved.

We have been using Cisco Secure Endpoint for three to four years.

It's pretty reliable.

I haven't had to scale it at all, but I would hope it's scalable.

It's great. I never had any problems getting through or contacting tech support. I'd rate them an eight out of ten.

Positive

We used McAfee. We switched because we're more Cisco-reliant, and the product suits us better.

I wasn't involved in its setup.

I personally have not seen an ROI.

I would definitely weigh it with its competitors. The best bang for the buck in the technology is Cisco Secure Endpoint.

I would rate Cisco Secure Endpoint an eight out of ten.