2019-06-26T05:26:00Z
it_user434868 - PeerSpot reviewer
Senior Director of Delivery at a tech services company with 51-200 employees
  • 0
  • 3

What needs improvement with Cisco AMP for Endpoints?

Please share with the community what you think needs improvement with Cisco AMP for Endpoints.

What are its weaknesses? What would you like to see changed in a future version?

24
PeerSpot user
24 Answers
Mark Broughton - PeerSpot reviewer
Level 2 tech at a tech services company with 11-50 employees
Real User
Top 20
2022-08-10T06:09:00Z
Aug 10, 2022

We were using a third-party help desk. One of the ways that they were fixing problems was to delete the client and then add the client back if there was an issue where the client had stopped communicating. Any improvement in the client communicating back to the server would be good, particularly for machines that are offline for a couple of weeks. A lot of our guys were working on a rotation where the machine might be offline for that long. They were also terrible about rebooting their machines, so those network connections didn't necessarily get refreshed. So, anything that could improve that communication would be good. Also, an easier way to do deduplication of machines, or be alerted to the fact that there's more than one instance of a machine, would be useful. If you could say, "Okay, we've got these two machines. This one says it's not reporting and this one says it's been reporting. Obviously, somebody did a reinstall," it would help. That way you could get a more accurate device count, so you're not having an inflated number. Not that Cisco was going to come down on you and say, "Oh, you're using too many licenses," right away. But to have a much more accurate license usage count by being able to better dedupe the records would be good. I also sent over a couple of other ideas to our technical rep. A lot of that had to do with the reporting options. It would be really nice to be able to do a lot more in the reporting. You can't really drill down into the reports that are there. The reporting and the need for the documentation to be updated and current would be my two biggest areas of complaint. Also, there was one section when I was playing with the automation where it was asking for the endpoint type rather than the machine name. If I could have just put in the machine name, that would have been great. So there are some opportunities, when it comes to searching, to have more options. If I wanted to search, for example, by a Mac address because, for some reason, I thought there was a duplication and I didn't have the machine name, how could I pull it up with the Mac address? When you're getting to that level, you're really starting to get into the ticky tacky. I would definitely put the reporting and documentation way ahead of that.

Search for a product comparison
Nicola F. - PeerSpot reviewer
Infrastructure Engineer at TeamSystem
Real User
Top 10
2022-07-26T13:10:00Z
Jul 26, 2022

When we first installed the solution, we faced significant issues, as the server needs to be rebooted when the agent upgrades. This isn't easy in a production environment, and we relayed our concerns about this problem to Cisco. The Linux agent is a simple offline classic agent, and it doesn't support Secure Boot, which is important to have on a Linux machine. The Linux agent has conflicts with other solutions, including the Exploit Prevention system found in Windows servers. We didn't find a fix during troubleshooting, and Cisco couldn't offer one either. Eventually, we had to shut down the Exploit Prevention system. We didn't like that as we always want a solution that can fit smoothly into the setup without causing problems, especially where security is concerned. The tool also caused CPU spikes on our production machine, and we were seriously considering moving to another product. However, Cisco has improved its product, and version 7.1 ended the need to reboot machines for updates. It's also more stable than before, though I still think they have a lot of work to make this a genuinely stable product. Cisco Secure Endpoint is a developing solution, but they need to do more. It doesn't match up to the offerings from CrowdStrike, FireEye, and perhaps Carbon Black.

RM
Director of I.T. Services at a non-tech company with 201-500 employees
Real User
Top 20
2022-07-06T10:03:00Z
Jul 6, 2022

This product has issues with the number of false positives that it reports. Especially when updates are released for Chrome, many detections report a virus when it really wasn't. Another problem that I notice is that Outlook 2016 creates cache files of attachments, and when this product detects them as malware, it can't delete them. I assume this is because Outlook still has the file open. This means that I get notices about the issue but I can't do anything about it until later, after Outlook has closed them. This may not be Cisco's fault as much as it is Microsoft's fault.

Felipe Guimaraes - PeerSpot reviewer
Sales Director at Samsung
Real User
Top 10
2022-06-15T20:41:00Z
Jun 15, 2022

It could be improved in connection with artificial intelligence and IoT.

Gassan Shalabi - PeerSpot reviewer
Manager at UCloud
Real User
Top 10
2022-05-30T15:43:00Z
May 30, 2022

They could simplify the solution and make it a little bit easier to understand how things are happening or if something serious has happened. They could improve the main dashboard to more clearly show me the things that I want to see. When I open the dashboard right now, I see a million things and they are not always the things that I need. I would also like it to update itself so that I don't need to click to make that happen. Of course, having to click is not a hard thing to do, but I would like to see things done automatically as much as possible.

ED
System Administrator at a manufacturing company with 201-500 employees
Real User
Top 20
2021-08-17T21:42:00Z
Aug 17, 2021

While I've attended a lot of their training webinars, they were mostly high-level. They just say that these are the feature, and this is how you access them, but I would like to see more scenario-based information. They should provide us examples of how to resolve something when we see something happening. They should give us an example of the flow on how to resolve it. In Orbital, there are tons of prebuilt queries, but there is not a lot of information in lay terms. There isn't enough information to help us with what we're looking for and why we are looking for it with this query. There are probably a dozen queries in there that really focus on what I need to focus on, but they are not always easy to find the first time through.

Learn what your peers think about Cisco Secure Endpoint. Get advice and tips from experienced pros sharing their opinions. Updated: December 2022.
655,994 professionals have used our research since 2012.
Marian Melniciuc - PeerSpot reviewer
Senior IT System Administrator at ScanPlus GmbH
Real User
Top 5
2021-07-16T12:06:00Z
Jul 16, 2021

Actually, we don't need others features or improvements of this product. It is a complex product and offers us exactly what we need - security and trust. We chose Cisco because we wanted security and trust. That is what we needed from Cisco, and what our customers expected from us. We are using many Cisco products, and, with every new product, every new feature, the trust in Cisco security is growing. We think that Cisco covers all of the security aspects on the market. They continue to innovate in the right way.

Pardeep Sharma - PeerSpot reviewer
Network security engineer at a tech services company with 1,001-5,000 employees
Real User
Top 5
2021-05-14T17:19:12Z
May 14, 2021

The GUI needs improvement, it's not good. There are false positives in emails. At times, the emails are blocked and detected as malware when they are not. They should work on some of the signatures because of the emails that have been blocked and detected as malware that can never be opened.

User1#2% - PeerSpot reviewer
Application Manager at Financial Corp
Real User
Top 10
2020-10-20T04:19:00Z
Oct 20, 2020

Like any other security tool, there's always rooms for improvement. Some of the ways the product can be improved are: - Vendor needs to understand a one-size-fits-all approach will not work with addressing TAC cases and service requests. For "once in a blue moon" cases, most approach still sound like the engineers are acting off of a runbook. In this case the recommended solutions will not totally align with the scenario - Since customers do not have the ability to allow or decline console updates, there have been a number of instances where the console GUI appear buggy and functionalities do not work correctly after an upgrade. This can be improved by informing customers prior to the upgrades. Other additional features that should be improved in next releases include: - The dashboard is great for quick visibility prior to deeper dive, however, making the dashboard more customization will improve interaction, grant the ability to filter out irrelevant outputs and encourage personalized drill-downs based on daily requirements - Integration with enterprise monitoring applications and ticketing systems that differentiates noise, forwards events, generates tickets and have them automatically assigned to application owning group.

MD.SIHAB TALUKDAR - PeerSpot reviewer
System Engineer at asa
Real User
Top 5Leaderboard
2020-10-13T07:21:00Z
Oct 13, 2020

I would like to see integration with Cisco Analytics.

Mark Bonnamy - PeerSpot reviewer
Technical Director at Ridgewall Ltd
Reseller
2020-07-12T11:48:00Z
Jul 12, 2020

Some of the dashboards don't always populate with data. Most of them do, but some of them don't. Another issue for me, that would be the greatest value of all, would be to make the security into a single pane of glass. Whilst these products are largely integrated from a Talos perspective, they're not integrated from a portal perspective. For example, we have to look at an Umbrella portal and a separate AMP portal. We also have to look at a separate portal for the firewalls. If I could wave a magic wand and have one thing, I would put all the Cisco products into one, simple management portal. If I were Cisco, that would be my greatest focus of all because it would be of such great value if I could give one pane of glass to an engineer and he could look across all the Cisco products. The other thing I would say to Cisco is they need to move more to a consumption model like Office 365, because I want to be able to sell it and deploy it by just adding things on to a particular client. For example, you set a client up on the AMP portal, which I'm looking at as I speak. I have X number of clients. If I need to sell or deploy Umbrella, I've got to go through a completely different process and enter exactly the same sort of thing. I've got to create the client somewhere else, I've got to put the information somewhere else, and I've got to run the deployment from somewhere else. Whereas with the Office 365 model, I'm able to upgrade packages and add features and functionality all from the one place. That is an incredibly powerful selling tool. The other area for improvement is to make billing simpler. The billing process for us is hard where we've got those two users. We've got to create a separate bill for those clients and we have to create a separate report to Cisco to say that we're billing those clients. Anything they could do to make that billing process more seamless would be of great value. If they could almost automate it, so that it is something that links in with accounts packages to make the billing process neater, it would help promote the sale of it and make it more profitable to sell. If someone deploys AMP For Endpoints on a client, at the moment that process is very disjointed. We've got to do a check once a month to see how many deployments there are relative to last month and, if we had to add one, we not only have to bill an extra one but we also have to buy an extra one from Cisco. And all that is manual.

Tim Crosweller - PeerSpot reviewer
IT Manager at van der Meer Consulting
Real User
2020-07-09T06:27:00Z
Jul 9, 2020

The biggest area where I liked seeing improvement is in the interface and its interaction with the customer and portal. Since these things are quite technical, it's important that you can find your way around the console quickly without having to remember where things are. I think the interface has improved quite a lot in the last couple of years, which is good, but also the integrations are starting to be incorporated a lot more too. We can see more value in the product as time goes on. It's a different product to what it was when we first got it in terms of visibility and also its user interface. You need a certain level of technical experience because the console is not the easiest thing to look at. It's very in-depth and there's a lot going on. It does a lot of stuff. I often compare that to our antivirus console, which is pretty self-explanatory, but it is not really doing a lot in terms of its visibility. It will do similar remediation work, but AMP has the visibility. You can see where it's going and what processes are running. Everything that it's tracking can be overwhelming to some people so you need a level of IT and technical experience to understand what it's doing and your way around the console. It's a very high-level product in that respect. Therefore, it might scare a few people off if they're not up to that level. However, if you have someone who can handle it, then it's fine. There are some features with the integrations that I'm not using because I haven't gotten my head around how they integrate and how best to integrate them into what we're doing. It is just a matter of giving me some time to sit down with a Cisco rep and working through it to understand exactly what these things are doing, then implementing them. I am not one to pay for something that we're not going to use. However, from what I can see, everything that comes with the product is worth doing. Obviously, the threats out there now in the internet world are only getting more complex. Therefore, it makes sense that we keep up with all the technology and software that comes with it.

HB
Security Officer at a healthcare company with 51-200 employees
Real User
2020-07-08T09:01:00Z
Jul 8, 2020

The solution’s endpoint protection, in terms of the operating systems and devices that it protects, is pretty comprehensive. The one challenge that I see is the use of multiple endpoint protection platforms. For instance, we have AMP, but we also have Microsoft Windows Defender, System Center Endpoint Protection, and Microsoft Malware Protection Engine deployed. So, we have a bunch of different things that do the same thing. What winds up happening is, e.g., if I get an alert for a potential incident or malware and want to pull the file, I'll go to fetch the file to analyze it. But, one of these other programs has already gotten it, so the file has already been quarantined by another endpoint protection system. AMP doesn't realize that and the file fetch fails, then you're left wondering what's going on. It's a rapidly evolving product. Every time they turn on a new feature, you're going to have glitches. Recently, they put out a bad version of a Connector, but they put out a new version of a Connector every other week it seems, so they pulled that back and put out a new version.

Neal Gravatt - PeerSpot reviewer
Sr Network Engineer at a real estate/law firm with 1-10 employees
Real User
2020-07-08T09:01:00Z
Jul 8, 2020

The endpoint agent on a machine doesn't provide much data. And the thing I hate the most, which they have not fixed, is when it creates duplicate entries within a console. If you have a computer and you upgrade from Windows 7 to Windows 10, or you upgrade your agent from version 6 to 7, it creates a new instance in there instead of updating the information. Instead of paying a license for one computer, I have to license two computers until I manually go in, search for all the duplicate entries, and clean them out myself. There are features that are supposed to work that don't that reduce the duplicates.

Cole Two-Bears - PeerSpot reviewer
Systems Architect at a consultancy with 5,001-10,000 employees
Real User
2020-06-10T08:01:00Z
Jun 10, 2020

The room for improvement would be on event notifications. I have mine tuned fairly well. I do feel that if you subscribe to all the event notification types out-of-the-box, or don't really go through and take the time to filter out events, the notifications can become overwhelming with information. Sometimes, when you're overwhelmed with information, you just say, "I'm not going to look at anything because I'm receiving so much." I recommend the vendor come up with a white paper on the best practices for event notifications. As far as reducing the attack surface, Orbital really doesn't decrease that surface.

Wouter Hindriks - PeerSpot reviewer
Technical Team Lead Network & Security at Missing Piece BV
Real User
Top 5
2020-06-09T07:46:00Z
Jun 9, 2020

We have had some problems with updates not playing nice with our environment. This is important, because if there is a new version, we need to test it thoroughly before it goes into production. We cannot just say, "There's a new version. It's not going to give us any problems." With the complexity of the solution using multiple engines for multiple tasks, it can sometimes cause performance issues on our endpoints. Therefore, we need to test it before we deploy. That takes one to three days before we can be certain that the new version plays nice with our environment.

DanTurner - PeerSpot reviewer
CIO at Per Mar Security Services
Real User
2020-06-03T06:54:00Z
Jun 3, 2020

If it could physically go out and slap the end-user to keep him or her from doing the bad thing initially, that would be great. But seriously, maybe there is room for improvement in some of the automated remediation. We have other tools in place that AMP feeds into that allow for that to happen, so I look at it as one seamless solution. But if you're buying AMP all by itself, I don't know if it can remove malicious software after the fact or if it requires the other tools that we use to do some of that.

SunnyNair - PeerSpot reviewer
System Architect at COMPASS IT Solutions & Services Pvt.Ltd.
Real User
2020-01-29T08:35:00Z
Jan 29, 2020

I would recommend that the solution offer more availability in terms of the product portfolio and integration with third-party products. AMP works very well within the Cisco ecosystem. If it could work along with the third party ecosystem as well, if that integration or even more APIs came into play, I think we could utilize this product a little bit better. One thing which I would like to see in terms of a major improvement would be AMP supporting the IoT infrastructure, which has been coming up in networks recently. It should also support more factory managed devices, like systems running Linux. Better support is what I'm looking for. The common endpoints are already covered and we work very well with them. That would be the case if support is extended to new devices as well. I think that would bring real value to the table. AMP has recently released email security and web security. If there was something like a common dashboard, similar to that of CrowdStrike, it would be useful. AMP needs to come up with a common dashboard for all of the solutions. That single pane of information would allow us to view everything. Instead of installing a plugin, what we need AMP to do is run installs in the background. Then the user doesn't know that AMP is running on the system. That would be a fantastic use case or the recommendation which I would like to make, in they're looking for products and features to develop. Something like that would allow me to have a high-end deployment in place for AMP which would be ideal.

MohamedEladawy - PeerSpot reviewer
Service Security Lead at Salam Technology
Real User
Top 5
2020-01-12T12:03:00Z
Jan 12, 2020

I think there should be better support and I would also like to see an easier implementation of the solution. The support should be cheaper and more available during the implementation stage. It would be great if they could have support teams that involve an AMP team because there's a specific team for AMP.

AD
CEO at Oriental Weavers
Real User
2019-11-18T07:22:00Z
Nov 18, 2019

I would like more seamless integration, because I have a security solution based on Cisco and I'm looking at integration for the old solution. It would be much easier for the security administrator to monitor integration.

Mohammad Siraj - PeerSpot reviewer
Deputy GM at Oregon Systems
Real User
2019-09-27T04:38:00Z
Sep 27, 2019

The reporting and analytics areas of the solution need to be improved.

ZS
Solution Architect / Presales Engineer at a comms service provider with 1,001-5,000 employees
Real User
2019-09-24T05:43:00Z
Sep 24, 2019

It should be doing backups. Every stage that this malware is going forward, it should snapshot the situation. Then I could go back to the first stage before it got infected. It doesn't have this option, and I know that other manufacturers have it, like Check Point, for example. In the next release, I would for it to have back up abilities. I would like the ability to go back to a point in time to when my PC was uninfected and to the moment of when the infection happened.

SV
CISO & COO at a tech services company with 1-10 employees
Real User
Top 10
2019-07-02T06:57:00Z
Jul 2, 2019

In the next version of this solution, I would like to see the addition of local authentication.

Mohammad Siraj - PeerSpot reviewer
Deputy GM at Oregon Systems
Real User
2019-06-26T05:26:00Z
Jun 26, 2019

When we're talking about anti-malware protection, AMP is a very good solution, but again, the CSO level reports are not generated. There is a dashboard, there is a report, but again, those reports have to be taken to the CSO, because when it comes to security, we always want to have high-level reports. So if we had a system that generated reports from the AMP itself, that would be great for us. Also, the solution needs more in-depth analytics. Right now they have implemented AMP, so, monitoring is happening, but you need to see what exactly is happening, the updates and then the mode of attacks that have happened and have been prevented. An in-depth report could be generated, and it should be on a CSO level. That's the value should be added to AMP solution.

Related Questions
it_user434868 - PeerSpot reviewer
Senior Director of Delivery at a tech services company with 51-200 employees
Aug 10, 2022
How do you or your organization use this solution? Please share with us so that your peers can learn from your experiences. Thank you!
2 out of 22 answers
SV
CISO & COO at a tech services company with 1-10 employees
Jul 2, 2019
We use this solution as part of our organization security.
ZS
Solution Architect / Presales Engineer at a comms service provider with 1,001-5,000 employees
Sep 24, 2019
I use the public cloud deployment model. I have installed the license, the software, on my VM and it is being managed by Cisco Cloud. My primary use case for this solution is to test it against malicious links and for encryption and decryption.
Miriam Tover - PeerSpot reviewer
Service Delivery Manager at PeerSpot (formerly IT Central Station)
Aug 10, 2022
Hi Everyone, What do you like most about Cisco AMP for Endpoints? Thanks for sharing your thoughts with the community!
2 out of 25 answers
Mohammad Siraj - PeerSpot reviewer
Deputy GM at Oregon Systems
Jun 26, 2019
For the initial first level of support, we provide it from our side. If there's escalation required, we use Cisco tech for the AMP. And again, they are perfect. I mean, one of the best, compared to any other vendors.
SV
CISO & COO at a tech services company with 1-10 employees
Jul 2, 2019
The most valuable features of this solution are the IPS and the integration with ISE.
Download Free Report
Download our free Cisco Secure Endpoint Report and get advice and tips from experienced pros sharing their opinions. Updated: December 2022.
DOWNLOAD NOW
655,994 professionals have used our research since 2012.