Cisco Secure Endpoint Reviews

We needed an endpoint security product and this was the one that we chose. We also use Cisco Umbrella, which fits in neatly with the endpoint as endpoints are moving, more and more, out of the office now. Traditionally, it's slightly harder to manage that, so we use Cisco AMP and Umbrella on those endpoints to secure them.

It's almost entirely on-premise. Although there are some small cloud installations where we use it.

The fact that the solution offers cloud-delivered endpoint protection makes it simpler to use. Historically, Cisco's appliances have been relatively expensive and that has been a block to Cisco getting into the SME space, which is our particular focus. Having it cloud-based, where there's no cost, as such, to get the deployment running, has made it easier to sell to small businesses. We've got AMP installations with as few as two users. In the past, with Cisco, we would never have been able to deliver into that size of business without some sort of cloud for delivering it.

It also has a neat web interface that allows us to access it simply and therefore more people are able to manage it, rather than it being a specialist product. We're able to give it to more junior people on the helpdesk and they're able to determine quite quickly and simply what the state of the environment is and, if needed, escalate it to more senior people if they believe there's an issue. That's worked well for us.

We had quite a large client that had a partial AMP installation only covering key assets, and they were hit by ransomware. It was only Cisco AMP that showed where the problems were. The rest of the antivirus that they had across the estate was completely ineffective. AMP was intact and it gave the engineers the vital information they required to remediate the problem. With all attacks what we're interested in is knowing what was "patient zero," where the problem came in, and where it's spread. That can be a challenge sometimes when you've got multiple devices in a network and you're looking across a large number of PCs to work out who was compromised first and, therefore, what the course of action is.

It has decreased our time to remediate. In the scenario of the client that was hit by ransomware, effectively, none of the endpoints were compromised. We were able to detect what the issue was via the AMP client, which discovered and alerted us to what the actual problem was. We then had to do a cleanup process on the remaining. It certainly showed its value to us and the client in that particular incident. It is hard to say how much time it saved us, because in that particular incident they only had a limited deployment. It actually took six man-days to solve the problem, but it didn't affect any of the AMP clients. It arguably could have taken even longer, had they not had AMP deployed on at least some of the assets. It's very simple: If they had had AMP on all of them, they would have probably avoided the problem in the first place. And they certainly wouldn't have needed six days to actually resolve the issue.

Cisco Threat Response accelerates Cisco Umbrella security operation functions. The abilities of Talos are definitely one of the reasons we bought into this as a product. It enables us to react more quickly. We're relying on Cisco providing that updated information in a timely fashion, and that obviously has a knock-on effect on our ability to support our clients if they've been compromised. That ability to push information automatically into Talos and their environment and then prove it's a problem or otherwise, and then update the system automatically, saves us an enormous amount of time. It gives us a lot of confidence in what we do, because Cisco is able to update things and do that part of the function for us, rather than our relying on in-house skills to try to determine what is good and what is bad.

We use it internally, in our business, to secure us, as we are an MSP, which means we are at particular risk. Obviously, we have a duty of care for our clients to ensure that we take the utmost responsibility and steps to secure our businesses and, in turn, secure our clients' businesses. The Cisco suite of security solutions definitely gives us a great deal of comfort that we are doing that. Relying on Cisco for those updates certainly takes a load off my mind, knowing that we've got the backing of Talos across the suite of products. We feel, with all the steps we have taken, that there are very few gaps in our security.

The solution has also made our team more effective by being able to focus on high-value initiatives. We have it integrated into our helpdesk system where it alerts us of things that are of particular concern. That minimizes the amount of time that we're looking at non-threatening situations. A lot of these systems can throw up an awful lot of information and you can end up spending an awful lot of time looking at things that aren't an issue — false positives. If we're able to target things more accurately, it helps us focus that high-cost engineering resource more accurately. It does save time and money.

Cisco AMP has definitely decreased our time to detection, relative to where we were with previous products. Before this type of next-gen solution, we were relying on things like antivirus, which is pretty poor and didn't produce much in the way of protection, certainly around ransomware and other things. We were relying heavily on perimeter protection, like firewalls. That was, of course, completely ineffective when people took their laptops home. The risk was great and we saw more people bringing problems back into the business. The AMP and Umbrella combination has made life a lot more secure and enables us to deliver consistent policy, which is the other important thing. When people are in our building, we've got a reasonably consistent policy because we have greater control. But the minute a person leaves the building and connects via a phone or at an internet cafe, we lose most of the traditional protection we had. The endpoint becomes everything.

The decrease in time to detection has been significant. It's very hard to put a percentage to it because, before it, we were often blissfully unaware that devices had a problem at all. It's given us visibility and we are much more effective. I'm guessing in terms of what it saves time-wise, because it's given us visibility that we otherwise didn't have, but I would say 80 percent, if I had to put a figure on it.

It has a number of valuable features. One of them is its ability to look across the estate. If somebody has been compromised, the question always is: How has it affected other devices in the network? Cisco AMP gives you a very neat view of that.

It has worked well where there have been compromises of clients and the software has automatically sent a sample to Cisco. Cisco has very quickly turned that around and an update has been issued and therefore, within an hour, all the devices are protected against it. We've been quite impressed with that.

We're a Cisco-centric organization. We use things like Cisco FirePOWER, the Next Gen features, as well as Umbrella portal and AMP. We've got a SIEM solution and we see all the events. It gives us a very good overall view of what's going on, very quickly.

We get all the alerts fed in centrally and it enables the security team to act upon them quickly. The alerts seem to be high-quality. We don't get an awful lot of false positives. With the dashboards it's clear, and you can understand quickly where the issues are, with instant responses.

The tools provided by the solution to help you investigate and mitigate threats are very helpful too. I'm the person who manages the engineers, so I don't use it on a day-to-day basis. I use it to get an overall view of, and a feeling for, where our various clients are in terms of issues: How secure they are, whether the engineers have been acting upon threats, etc. But our engineers like the product very much. The ability to detonate a particular problem in a sandbox environment and understand what the effects are, is helpful. We're trying, for example, to determine, when people send information in, if an attachment is legitimate or not. You just have to open it. If you can do that in a secure sandbox environment, that's an invaluable feature. What you would do otherwise would be very risky and tedious.

All our engineers have been very impressed with the features that it delivers and the fact that it has been low impact on the endpoints. It hasn't caused us any problems with performance. Generally, it's a very well-liked product amongst the engineering team.

Some of the dashboards don't always populate with data. Most of them do, but some of them don't. 

Another issue for me, that would be the greatest value of all, would be to make the security into a single pane of glass. Whilst these products are largely integrated from a Talos perspective, they're not integrated from a portal perspective. For example, we have to look at an Umbrella portal and a separate AMP portal. We also have to look at a separate portal for the firewalls. If I could wave a magic wand and have one thing, I would put all the Cisco products into one, simple management portal. If I were Cisco, that would be my greatest focus of all because it would be of such great value if I could give one pane of glass to an engineer and he could look across all the Cisco products. 

The other thing I would say to Cisco is they need to move more to a consumption model like Office 365, because I want to be able to sell it and deploy it by just adding things on to a particular client.

For example, you set a client up on the AMP portal, which I'm looking at as I speak. I have X number of clients. If I need to sell or deploy Umbrella, I've got to go through a completely different process and enter exactly the same sort of thing. I've got to create the client somewhere else, I've got to put the information somewhere else, and I've got to run the deployment from somewhere else. Whereas with the Office 365 model, I'm able to upgrade packages and add features and functionality all from the one place. That is an incredibly powerful selling tool.

The other area for improvement is to make billing simpler. The billing process for us is hard where we've got those two users. We've got to create a separate bill for those clients and we have to create a separate report to Cisco to say that we're billing those clients. Anything they could do to make that billing process more seamless would be of great value. If they could almost automate it, so that it is something that links in with accounts packages to make the billing process neater, it would help promote the sale of it and make it more profitable to sell. If someone deploys AMP For Endpoints on a client, at the moment that process is very disjointed. We've got to do a check once a month to see how many deployments there are relative to last month and, if we had to add one, we not only have to bill an extra one but we also have to buy an extra one from Cisco. And all that is manual.

I have been using Cisco AMP for Endpoints for three years, maybe more.

The stability is very good. We've had no issues with performance or things crashing. That aspect has all been very positive. When doing as much as these products are doing, it can create quite an overhead and take a toll on the performance of PCs, but we have had none of that kind of experience.

We are predominantly a Microsoft environment. I'm aware that it supports Mac, but I don't think we have any installations across Mac environments at the moment. From a Windows standpoint, it works very well. It hasn't caused instability. It hasn't affected performance in a negative way. All those things are really positive, given what it's actually doing.

Without any question it's scalable. We've got it on as few as two, and as many as 250 or so clients. We don't have any questions about scalability.

I've not personally used any support around this solution. I don't think we have needed to from an implementation perspective. It's all gone smoothly.

We used Sophos in the past. We're replacing it, so when the renewals come up we replace Sophos with AMP, wherever possible.

The initial setup is quite simple. We needed a method of delivery and that's the hardest part. But the deployment and the actual tuning of it are relatively minimal, so that has been a good experience. We didn't have to mess about with performance tuning, whereas with other products we have to do quite a lot for excluding this, that, and the other directory, to make sure the performance is reasonable.

If it's a small environment, it's quick to set up because we've got closer management. But in bigger environments, we bump into the challenge — and this is not an AMP issue or an installation issue — of people who are away, or people who haven't restarted their machines. Those sorts of little things tend to be the things that are a little bit more of a pain to get the final installation done. But the rollout of AMP, per se, is quite straightforward. The setup time of AMP isn't an issue and it is quite acceptable. These types of problems would exist with whichever product was chosen.

In terms of an implementation strategy for this product, our security team is very comfortable with rolling it out. The sales process is that we define the client's needs, the number of devices that they intend to secure, and that goes to the security team to coordinate and roll out. That's a reasonably templated process now for us.

In our company, the security team is comprised of four people, and they are the people who primarily look after and manage the products. We also have a deployment team, another three or four people, who are the people that would ultimately push the client out to the various devices that need it.

Certainly, from a protection standpoint, we have seen ROI. It's doing what we want it to do and it's protecting us and the clients who have it installed. Neither they nor we have been compromised and that's the greatest testament of all.

We use the MSP model, so we're able to pay as we go. We report usage based on the actual usage, which is very handy. The old model of Cisco doing it was dated and archaic, and that goes for most of their products. The previous way they did it, which was that you bought something upfront for a certain period, was terrible because of the actual process of updating it. It wouldn't scale down and it was very hard to scale up. When you added users to the system, it wasn't easy to then add licenses to that particular agreement. It was really difficult, in fact; difficult to the point where we stopped selling it in that model, because it was just too problematic.

For example, if we had a user with 10 devices and they bought some more devices, so it went to, say, 15, getting an extra five licenses within their agreement was immensely hard. To me, the only way forward is the MSP model.

We looked at a number of different solutions: Carbon Black, Cylance, Sophos Intercept X and we liked the Cisco AMP solution over those products because it fit in neatly with the rest of the Cisco portfolio. We believe that the management of the various security products fit better with one manufacturer, rather than picking various manufacturers to try and manage a security solution.

The integration of Cisco Threat Response with Cisco Umbrella is getting a lot better. What we like, across the board, is that the solutions are backed by Talos, and Talos is the largest, independent, security-research and threat-hunting organization in the world. We like the fact that the protection is spread across the Cisco environment. That's where this set of products wins when compared to other vendors. It's not that other vendors, like Carbon Black and Cylance, aren't delivering good products. They're just not doing the whole suite. They're not providing the firewall, they're not providing the CASB solution like CloudLock. I'm not sure if they're doing DNS filtering yet; a lot of vendors are catching up on that. But effectively, when you get a known issue, Cisco have the ability to roll it out across a suite of products and therefore you get protection very quickly. So if you discover a problem in Cisco Umbrella, they can update that threat, where need be, in AMP. That's quite a unique selling point for Cisco.

It's very simple to deploy, doesn't cause much in the way of management overhead, and does what it suggests. I would have no hesitation in recommending it. We obviously do, as we're selling it and have been using it for a number of years.

We have it installed on all our workstations and servers. Primarily, we started with it after we were hit with a ransomware attack about five years ago. We looked for something that would give us a bit more visibility as to what was going on the network, where the weak points were, etc. We had an antivirus solution (FireANT) back then, which obviously wasn't good enough on its own. So, we went looking for something that was going to be a little more granular in how it gave us visibility on the network.

We have the Cisco AMP for Endpoints Connector on our workstations, which is all done in the cloud. We have Windows Server, Windows 10 workstation environment, and on-premise servers at the moment with some cloud. I guess we would call ourselves a partly hybrid business, with some stuff in the cloud, and all our access points have Cisco AMP on them. This currently includes work-from-home devices, because we have a lot of people still working from home with the coronavirus thing going on, even home users have Cisco AMP as well.

Our operating systems, whether they be Linux, Windows, Mac, or Google Android, are well-protected.

We now have gained more visibility into what's going on. We had an incident four or five years ago where a member of our staff had a Tor Browser installed on his workstation in the office. I discovered it by chance while doing some work on his workstation. At that time, we had no way of knowing what was going on. Now, between our two Cisco products, we have the capability to see and block that sort of thing going on from the network side. From that point of view, it's straightaway. It has given us the security aspect of not having to deal with people putting Tor Browsers on their workstations to access stuff on the dark web. We have been able to lock that down straightaway, which is good, because that's obviously a big threat to any business. If you don't understand what's going on in and out of your office, whether physically or virtually, then you have no idea what's going on and where your risks are going to be. 

It gives us visibility with minimal intrusion. We don't have an on-premise sort of interaction with it, though. It's just a connector that sits on the workstations and servers, then interacts with the workstations or servers through to the cloud. It has very minimal impact on us in terms of performance. They have recently improved the updating of the program. It no longer requires a reboot after a connector update, which is always a handy thing. From that point of view, the impact is better on the business. I can roll out an update to all devices and not have to worry about having reboots, particularly for servers. Thus, the impact has gotten better on the business over time.

The solution makes it possible to see a threat once and block it everywhere across all endpoints and the entire security platform. It has the ability to block right down to the file and application level across all devices based on policies, such as, blacklisting and whitelisting of software and applications. This is good. Its strength is the ability to identify threats very quickly, then lock them and the network down and block the threats across the organization and all devices, which is what you want. You don't want to be spending time working out how to block something. You want to block something very quickly, letting that flow through to all the devices and avoiding the same scenario on different operating systems.

The solution simplifies endpoint protection, detection, and response workflows, such as security investigation, threat hunting, and incident response. We have policies and procedures in place now at the HR user level and also at the machine level to make sure that certain procedures are followed and those procedures are put in place. From that point of view, the Cisco gives us confidence. We don't have to worry too much about threats. This means we can focus a lot more on doing the work we are being paid to do rather than spending time trying to protect the business too much. The fact that we are very quickly able to see what's going on is good in terms of how much time it takes to work through any issues. 

We now have a standard rollout of devices with procedures in place. The shared nature where Cisco AMP gets installed on all our devices means we are benchmarking our risk at a level that we're comfortable with. We don't have to deal with managing that risk day-to-day, as the risk level is fairly low in terms of what we're expecting from day-to-day operations. From that point of view, this means we can focus more on the business at hand rather than worrying incessantly about threats to the business.

You can see what's going on. It detects a lot of stuff, which is benign, but still detects it as a potential threat or IoC. It has a lot more visibility than traditional antivirus, anti-malware programs. From that point, I feel comfortable that we are seeing everything that is going on. There is a lot of stuff that you don't need to do too much with as it may be a case of some poorly written software executing a potential flag as something of concern. However, at the end of the day, it's nothing to worry about. Therefore, I feel fairly comfortable that we're getting full visibility as best we can on what's going on, and it is better to know what's going on (than not).

Our webpage/portal records all instances of programs accessed on the computer, everything accessed on the internet, all the system processes, and any programs that are running. It then scans them for potential issues. If we installed some software that has a potential issue, we will flag that and have a look to decide whether we want to allow that through or whether to block it.

It shows a lot of stuff going on in the workstations, and to a lesser extent, the servers. Cisco AMP allows us to see within a process what the potential threat may be, for example, on a workstation. That threat may be benign or may be more serious. But, it gives us the opportunity to see those threats, evaluate them, and rate them how we see fit, then do something with them, if necessary. It is now less of an inconvenience on the business from a rebooting aspect.

The console is there running in the background all the time. I can just tap on the console at any point to see what's going on. I usually do this a couple times a day. It allows visibility at any point in time because it's doing this in real-time. There is very little lag. If there are any issues, I get a notification. Then, we can then jump in straightaway, have a look, and assess it. 

The tools provided by the solution to investigate and mitigate threats are very comprehensive. Sometimes, they're almost too comprehensive. You can get caught up delving very deep into things that you potentially don't need to. The integrations set it above your traditional antivirus, console-type applications in relation to visibility. It's very high-level in terms of how it works and what it can do.

Cisco AMP offers user access and device protection in a single endpoint security solution. In combination with Cisco Umbrella, it is looking at attacks from a different point or source. It's good enough with these two products to do the job. We don't see a need another particular third-party security software. 

The biggest area where I liked seeing improvement is in the interface and its interaction with the customer and portal. Since these things are quite technical, it's important that you can find your way around the console quickly without having to remember where things are. I think the interface has improved quite a lot in the last couple of years, which is good, but also the integrations are starting to be incorporated a lot more too. We can see more value in the product as time goes on. It's a different product to what it was when we first got it in terms of visibility and also its user interface.

You need a certain level of technical experience because the console is not the easiest thing to look at. It's very in-depth and there's a lot going on. It does a lot of stuff. I often compare that to our antivirus console, which is pretty self-explanatory, but it is not really doing a lot in terms of its visibility. It will do similar remediation work, but AMP has the visibility. You can see where it's going and what processes are running. Everything that it's tracking can be overwhelming to some people so you need a level of IT and technical experience to understand what it's doing and your way around the console. It's a very high-level product in that respect. Therefore, it might scare a few people off if they're not up to that level. However, if you have someone who can handle it, then it's fine.

There are some features with the integrations that I'm not using because I haven't gotten my head around how they integrate and how best to integrate them into what we're doing. It is just a matter of giving me some time to sit down with a Cisco rep and working through it to understand exactly what these things are doing, then implementing them. I am not one to pay for something that we're not going to use. However, from what I can see, everything that comes with the product is worth doing. Obviously, the threats out there now in the internet world are only getting more complex. Therefore, it makes sense that we keep up with all the technology and software that comes with it.

About four years.

I have had a couple of instances in the time that we have had the solution: 

• It got too smart for itself and detected an Adobe Reader update as malicious, blocking all PDFs. They remediated that fairly quickly. 
• There was an issue with a connector merging at the start of the coronavirus when we were going into lockdown and sending people to work from home. This caused some issues, but they found that very quickly and were able to remediate it. We were able to roll the connector back. 

These issues do pop up from time to time. With any software, there can be upgrades and issues that cause problems. 

Overall, the stability of the program and software have been very good.

The product has improved considerably over the last 12 to 18 months. They have done a lot of updates to the console and connector. The connector interaction with the workstation has been minimized. The visibility inside the console has improved. 

Typically, we have about 120 devices, but we have an extra 60 work-from-home devices at the moment. The scalability is good because we were able to go from 120 devices to 180 very quickly. Therefore, we are able to push devices out very quickly, as needed. There are no issues from my point of view.

We have used the solution as much as we can because we have it on every device that we are using. From that point of view, we have maxed out our utilization because we are using it on every device. On every new device that gets bought in, the first thing that gets put on it is the Cisco products before they touch the Internet and the network, just as a precaution.

Our rep in Sydney is a certified Cisco supplier and provider. The company is Outcomex. The rep was involved in the setup of the whole thing. We are still using the company for our Cisco products, which is good. 

Outcomex is very good. They have looked after any issues we've had with AMP and Umbrella along the way. There might have been some configuration issues that we've had. We have had a few instances where we have needed a bit of external support, and they have been able to give me support very quickly with a fast turnaround.

There have been a few changes to the software, such as the threat intelligence, Threat Grid and a couple of other packages/integrations. I must admit that I haven't had a lot of time in the last couple of months to really delve into them. It's something I was going to go and talk to my Cisco rep over in Sydney to get more of an idea of how they work and how we can integrate them. I see a lot of tools coming out now, along with a lot of integration tools working with the products, which look very good. I just haven't quite got my head around the implementation and how to get the best outcome out of those tools.

There was a case when our provider said, "You best talk to Cisco directly on that." I think that was only once, but the support was very good. That support request was attended to very quickly.

Fortunately, our ransomware attack was way back in the very early days when no one really knew anything about it. However, I had done a bit of reading on it and knew the first thing to do when you see one of those things is to disconnect the machine from the network that is causing the issue. I knew which one it was straightaway, so I managed to disconnect it from the network. Then, the proliferation stopped straightaway. We were able to get stuff from the backup fairly quickly because we have good backup regimes in place, but it was purely by chance that I came across the ransomware as a threat. Although I didn't understand to what extent it went, we were able to mitigate it.

The ransomware attack took probably a good two days of my time fixing and getting things back to normal. It impacted some people in the business world because of where the ransomware got into the network. That was the wake up call, to say, "Hang on. We need something that's going to flag these issues and give us visibility." Our antivirus software was completely benign to it at that time. It had no idea and didn't pick anything up. That's what made us go looking for something. We came up with FireAMP (Cisco AMP). We decided to trial it for a few months and got an idea of exactly what was going on in the network. We did an audit on the network (to start with) and realized that we had some issues. While all stuff was mostly benign and just sitting around the place, it gave us the ability to quickly see what was going on. That was when we decided to go down the path of getting something that would give us that visibility.

The firewalls did their job to some extent. Since then, we have changed our Internet providers and now have a managed firewall. This takes a bit of pressure off me, but we've left AMP in place since we assume that the firewall will let through various things. So, we take the position that we use both Cisco products to protect us from anything that gets through. It is not a matter of just relaxing a bit because we have a managed firewall in place with a lot more security than we probably had five years ago. We still take the view that we need to protect inside the network, assuming something gets through the door, because there are always ways around these things. That's how these things start: They get ahead of a security software before the security software can catch up.

The initial setup was pretty straightforward. 

We pushed the deployment out in a day. Once we had the connector configured and policies configured to how we saw best at the time, it was a fairly straightforward rollout. Because it was pushed out through the portal in the cloud, all the devices were rolled out pretty quickly.

The connector updates are very easily done now, and that's improving. Previously, the connector had an issue, where almost every time it needed to be updated, it required a machine reboot. This was always a bit of an inconvenience and a bug. Because with a lot of software now, you don't need to do that and shouldn't need to be rebooting all the time.

The connector updates happen every six to eight weeks. Now, it's just a matter of me saying, "Push out the update," and off it goes. There is minimal time involved, as it's just a matter of me pushing it out. However, I don't push them out automatically. I always hold back a little bit on updates, like Windows updates, because quite often updates come with more problems than they solve. I usually wait a week or so before implementing them.

We did a two-week audit of it to assess what threats we had. That was done with our Cisco rep. He put a device in that sniffed out all the traffic on the network and produced a report to show where our weaknesses were and what we had on the network sitting there benignly. That gave us a benchmark to configure the product in its initial stage before implementing. The rollout was quite easy.

The deployment was done with a Cisco rep and me.

Because I was able to get on top of our ransomware attack fairly quickly, I was able to restore stuff from backups. Disruption is time, and we are a time-based business. We have done the numbers. If we had 100 technical people at X amount of dollars per hour charge-out rate, then that gives us an hourly cost as a very rudimentary way of working out hourly cost. Therefore, if we're down for half a day, or even a day, then we can very quickly work out how many dollars we will lose every time we get taken down by an this type of attack.

We haven't paid any ransoms because we didn't need to and we wouldn't do that. However, the other side of that is the downtime, assessing the damage, fixing it up, and then all the subsequent tidying up that goes on afterward, which can go on for a while. It would probably be a couple of days of lost productivity, which is not a huge amount in terms of time, but dollar-wise for a small to medium-businesses, it can be quite substantial in a month.

We haven't had to spend time dealing with too many threats. That time is minimized in terms of how much we need to spend.

The solution has decreased our time to remediate. We do a lot of stuff automatically, but we can manually go in and apply remediation straightaway on devices at a device and policy level. We can apply this throughout the business, which is what we want. If we see a threat at some particular level, we can make a decision to go in straightaway and tackle that threat through manual intervention because you can't blindly put your faith into something and expect it to do everything for you. You have to manage it and be proactive at all times. However, the amount of time spent doing the manual intervention is minimized.

The pricing and licensing are reasonable. The cost of AMP for Endpoints is inline with all the other software that has a monthly endpoint cost. It might be a little bit higher than other antivirus type products, but we're only talking about a dollar a month per user. I don't see that cost as being an issue if it's going to give us the confidence and security that we're looking for. We have had a lot of success and happiness with what we're using, so there's no point in changing.

There is also the Cisco annual subscription plus my management time in terms of what I do with the Cisco product. I spend a minimal amount of time on it though, just rolling out updates as they need them and monitoring the console a couple of times a day to ensure nothing is out of control. Cost-wise, we are quite happy with it.

We did look at another solution. At the time, there wasn't a lot of software for small to medium-businesses.

I was looking for something with a business name reputation behind it that would give us a good level of security. That's why we went with the Cisco solution. We initially went with Cisco based on its name in the industry, and we have been very happy with it.

Cisco AMP comes with an in-built antivirus, but we have another antivirus that we use. Though AMP works whether you use their antivirus or not, it doesn't matter, we thought, "If we use a separate branded antivirus, they may have some extra sort of pickups that the AMP antivirus may not," to spread the risk a little. We have some other systems in place internally in terms of how we protect file installations and macros running on the network. Therefore, we do add extra layers of security that we feel that we need. However, we are confident that this will pick up most of this stuff along the way.

At the start, we realized how much we didn't know what was going on in the network and where all the endpoint weaknesses were. That opened eyes up straight away to the risk that was involved. Then, we did the numbers, and said, "For us, risk is downtime, and time is dollars." We just did the sums very quickly and worked out what it would cost us if we didn't have any idea what was going on in the network and got hit by something that we should have been aware of. Because if the software is out there and gives you this type of visibility, you should be using it. 

We do use it with another Cisco product, Cisco Umbrella, which is a DNS-level content-filtering, web-filtering software. That has had an impact on the business world in terms of restricting a lot of stuff which may have come in for some web pages or websites that may not have been secured. We have seen a reduced impact on the business because we're using the two Cisco products together.

I would give Cisco AMP a nine (out of 10). It is as good as anything out there. I can't see any reason why we would look elsewhere for a product. It does the job it's meant to do and is improving all the time. We have been very happy with it.

We are delivering Cisco solutions and security services to more than 100 customers. We use AMP, which I believe is currently called Cisco Secure Endpoint. We use Umbrella, we use SecureX, we use Meraki, and we, of course, use firewalls. So, it's a very broad range of Cisco products. 

Cisco Secure solutions have improved our company in the sense that we are now moving towards being a managed service provider, which is doing what Cisco is telling about combining your network, your hosting, and your security together in one company so that you can deliver IT services in a carefree way for your customers. So, Cisco is helping us in creating that goal of carefree use of IT.

I'm very glad that for most customers, we have onboarded Cisco Secure Endpoint because it helps us a lot in solving and detecting ransomware. It's being done automatically, so you don't have to worry. It's removing that. Therefore, it is called an EDR solution. It takes care of detection and response, and it's being done automatically. In the case some handling is needed, we have a connection from Cisco Secure Endpoint towards SecureX and ServiceNow. So, we are bringing that very simply to our support engineers. If any handling is needed there, they automatically get a ticket, and they can act.

It has helped a lot in saving time because when you have an automated flow of tickets, a ticket is immediately handled by the support people. They can immediately act in ServiceNow and see what they have to do if something is detected where a manual action is still needed. There are, however, not many cases because AMP already handles a lot of responses automatically. 

We are saving a lot of money on our operational costs because people don't have to enter tickets anymore in the system. Secondly, a lot of response is being done automatically by AMP. That helps us a lot as well in saving costs because, in the past, somebody had to do it manually.

The most valuable feature at this moment is that Cisco AMP or Cisco Secure Endpoint solution is delivering a lot of things, and I always say to a lot of customers that if we didn't have Cisco AMP, we probably would have had ransomware somewhere. So, it's protecting us very well from a lot of hackers, malware, and especially ransomware.

We would like to see the protection from the start of the endpoint till the end. Nowadays, we see that working from home is quite important, so there's a need to protect the whole layer, not only the network of the customer. There is a change towards starting from the process on the endpoint and then protecting that towards the application and the data on the back end. You need to protect that whole layer, which means that you have to have something on your endpoints that can protect. Today, at the Cisco Live event, I heard that there will be an AnyConnect solution from Cisco that will help us in delivering the kinds of security solutions that customers currently want. In some cases, we use AnyConnect, but because SaaS is coming up, many of the solutions or many endpoints are using a browser to make the connection to any place, anytime, and anywhere, so you want to have a secure connection at the start. It should be on every endpoint. I've heard Cisco is developing that right now to have all endpoints, not only laptops, desktops, and tablets, but also mobile devices, connected and secure towards the application and the data at the end. We are using AnyConnect as a VPN solution, but not as a whole set, which is currently being developed by Cisco.

They can combine the platforms and the management tools so that they are a little bit simpler and easy to use.

The integration of the Cisco products for security could be better in the sense that not everything is integrated, and they aren't working together. In addition, not all products are multi-tenant, so you can't separate different customer environments from each other, which makes it a little bit hard for a managed service provider to deliver services to the customers.

The quality of the product should be on top. For instance, when they are being introduced, some firewalls have some bugs, and they are known bugs. So, going to the latest version of the firewall is not always the smartest thing to do. There could be an improvement to help us go to the most modern version.

Cisco's support for their solutions is very good, but it always depends on people. We have a good account manager or service manager from Cisco, and he is helping us a lot in getting the right people from Cisco to talk to, etc. So, it's good. It's a very good arrangement. 

I'd rate them between eight and nine. I don't think that the support organization has to change, but if the tools that you have to use and the management consoles you have to use are simpler, then the support can also be much simpler, and the support department from Cisco can easily support the partners as well.

Positive

I was involved in the implementation of Cisco AMP. When we did a changeover from the traditional antivirus to AMP, I was highly involved. It was an interesting journey, and in the end, we achieved what we wanted to achieve.

It was easy in a certain way, but if you are a managed service provider, you also need to have multi-tenancy. The multi-tenancy support is within Cisco AMP. If you want to implement it, it's not always easy because you cannot do some of the things, such as specifying the policies you want to use, from the top level. You have to do them separately in every tenant, but I've heard that they are going to change it.

We have indeed seen a return on investment for the Cisco Secure solution we have implemented. We've seen the benefits in terms of earning money, but also in terms of extending our services and turnover in many cases.

The pricing and licensing of the security solutions of Cisco are very good in comparison with the competitors, but sometimes, it's difficult to see all the discounts and other kinds of things. So, you have to be careful, but the pricing is good.

I was a part of the evaluation process to go from a traditional antivirus package to a new solution called endpoint detection and response. Of course, there are only two big players, Cisco and Microsoft, in that area. We had to discuss what to do and how to deal with it. Of course, many customers have Microsoft in their workplace, but we are offering Cisco at least for the endpoint service where we have the hosting center. If they want, we can deploy AMP on the endpoints as well. However, there's something to say about the fact that you have two different kinds of EDRs. On your end-user devices, you have Defender, and on your server, you have Cisco, which makes it even more strong.

Traditionally, Cisco comes from the infrastructure. The difference between Cisco and Microsoft security solutions is that Cisco is coming from the infrastructure part, and Microsoft is coming from the data part. What you see is that Microsoft developed its solution from information, from data, and Cisco is coming from the infrastructure. It is deeper in IT. The solutions are deeper, and therefore, they sometimes might be stronger if you are only looking at the top of what's in IT. That makes it a little bit different. So, it's not about who's better or who's stronger. In some cases, they are an addition to each other.

Cisco Secure was the right solution for us. Of course, that was also because of the cost. Because we were already working together with Cisco, we chose Cisco for our hosting center and for all of our services. If the customer wants to have it on their endpoints and user devices, they could use our Cisco solution as well. If they want to have Defender, we support that as well on the endpoints of the user. 

To those evaluating Cisco Secure solution, I'd advise understanding the roadmap and the architecture of Cisco very well and seeing how it can add things. I have to mention Microsoft solutions because there is an added value on top of the Microsoft solutions, and that's what you have to look for. 

Cisco Secure solutions are currently at the level of a seven out of ten, and that's based on the fact that some management consoles are not working together, and in some of the new products, there are still, for instance, some known bugs. That's an issue that could be improved, and they are working on that.

We saw this product with a partner. We installed it and configured it properly along with our antivirus solution. We monitor it almost every day to see what's going on. Up till now, we are very happy with the performance.

We check every day if there are any indicators of compromise, if there are any workstations that need particular attention, or if there are any peculiar or strange events.

The main benefit is that we have visibility on the network. With the combination of Cisco Secure Endpoint and our antivirus, we feel a little bit more secure. We have better monitoring of and overview of what's going on in the network.

It's reliable. It's doing most of the jobs for us, so we don't have to worry. We check it for just 15 minutes per day to be sure that everything is fine.

It doesn't save time, but we feel more confident that everything is okay on the network. It improves our security posture.

It's quite simple, and the advantage I see is that I get the trajectory of what happened inside the network, how a file has been transmitted to the workstation, and which files have got corrupted.

It's able to detect and help remediate threats. So far, my experience is very good. I trust this product. It's quite simple, fast, and reliable. The dashboard and reporting are also quite good.

In terms of features, I don't have any areas for improvement. It has a good interface. Its reporting is also good, and the updates are very frequent. Its price is okay for us, but it can always be better. There's always room for improvement when it comes to pricing.

We have been using this solution for more than a year and a half.

It's reliable. We haven't had any problems so far.

It's easy to scale.

It has been excellent so far. We don't have any problems. I'd rate them a nine out of ten.

Positive

It's the first time we are using this kind of product. We didn't use any other product previously. 

It was quite easy for us. It probably took us three days.

We have a lot of partners, but Netbull is our partner in Greece for Cisco Secure Endpoint.

Its price is fair for us.

We didn't evaluate other products. We had seen this product before. We discussed it with our partners, and we just went for it. Our main thought was to go with a product and brand that we can trust. All our core network is Cisco, so this was the product that came straight into our head.

I'd rate Cisco Secure Endpoint a nine out of ten. It's excellent.

We're using it in a handful of ways. We initially bought it to provide endpoint protection against malware and the like on our laptops that were mobile and off our network the entire time. We eventually moved it onto all of our desktops, and we have now integrated with Umbrella, so we have a full protection suite for all of our clients across our enterprise. 

The most valuable thing about the solution is a feature that's not in the actual product set itself. It's peace of mind. We take a look at security holistically, multilayered. We start from the edge and perimeter and work all the way down to the client. I feel we've deployed best-of-breed in each of the slices of the security layer. For the endpoint, Cisco gives us good clarity about what our endpoints are actually doing. So when we get bad actors into the network, we get quick visibility into which devices are compromised.

We've really subscribed to the whole security stack from Cisco. AMP feeds into that whole Threat Grid for us. We're able to see hashes, and the like, all the way down to the client and we get that visibility because of AMP. As AMP reports back into the Threat Grid, we can see the hashes running on the actual endpoint, and whether they are malicious, and what those things have done. If malware has infected a certain laptop, we get all the forensic evidence around that laptop and, if it's jumped, where that bad stuff has jumped to and what it's done. All that visibility is possible because of AMP.

Even as a standalone product, you get peace of mind having AMP running on something. So if you open up an attachment and it's doing things that it's not supposed to, because your endpoint gets security updates it is protected. Whether it's connected to the network or not, whether it's connected to the internet or not, it is protected. It does its job very well.

The fact that the solution offers cloud-delivered endpoint protection simplifies our security operations. We don't have to worry about updates or signature updates. It takes care of itself in the background, so it frees my guys up to do more meaningful work.

The quality of alerts that actually percolate up for us to take action on are on point. There aren't a lot of false positives so my security team is able to spend its time more effectively. They're not on a wild goose chase. They're chasing actionable things to take care of.

In addition, the security stack that we have in place allows us to see a threat once and block it everywhere, across all endpoints and our entire security platform. If one piece of bad malware gets through, the entire network will self-heal. It makes us more efficient. Standardizing on one pane of glass is the dream that you're after. So even though Cisco doesn't have just one management console for its entire security suite, the pieces plug in properly. With help from Cisco and their security experts, having this deployed the right way lightens the load on my team. We become much more effective. I don't have a team of 15 security experts running around our network, facing down bad guys and preventing them from ever touching our core pieces of data or IP assets they would be after. AMP and the rest of the security stack from Cisco give me peace of mind that the network is taking care of itself and that the endpoints are protected. As long as we are not careless with the pieces that we control, we can rest reasonably well at night knowing that Cisco is doing the heavy lifting that keeps the bad guys at bay.

AMP has decreased our time to detection and to remediate, without a doubt. It's gone down by 100 percent. We're able to detect, real-time, bad or malicious software and mitigate it, not quite in real-time but pretty darn close. If you go back to when we first deployed it, there was no time measurement, so I'm comfortable saying it has sped things up considerably. Now, we're only chasing real threats.

It doesn't impact the devices. It is an agent-based solution, and we see no performance knock on cell phones. That was a big thing for us, especially in the mobile world. We don't see battery degradation like you do with other solutions which really drain the battery, as they're constantly doing things. That can shorten the useful life of a device. We're really happy about that. That's why we decided to go full-steam-ahead on that. And of course, on laptops and desktop, there's no performance hit whatsoever. We have Windows, Android, and iOS, and deployment of the agent is very easy, and is done with no user interaction.

The other thing that we really like, from the agent standpoint, is that our end-users are not capable of turning the tool off. That was very critical for us.

The integration of the Cisco Threat Response feature with products such as Cisco Email Security, Cisco FirePOWER, Stealthwatch, Talos, Threat Grid, Umbrella, and third-party solutions means it plugs right in. We use that entire stack, with the exception of email protection. Talos is out there as the guiding force, applying visibility from around the globe, and the insights that it gains, and then feeds back into all the security platforms. Threat Grid lets us see and track hashes with the forensics that we get. It is just out-of-bounds crazy what we're able to do in a very short period of time. That's all dependent on the stack working together. That's where Umbrella and AMP come into play, and having those agents out there running on endpoints and feeding it all the way back up the stack and giving us visibility into all our north-south traffic through the network. That is important.

We use FirePOWER on our firewalls to try to prevent bad guys from getting in. The thing we're really impressed with there is that even if questionable hashes that get through, we're able to say, "Oh, something bad got through," and we're able to track it back and remove it from the network after it's proven to be malicious. We see that on a constant basis. That's a very useful tool. The ability to extract that malicious software automatically is a cross-function of AMP, ISE, and FirePOWER. Using that entire stack, we're able to automate that entire process, with my guys not having to do anything. It just happens.

If it could physically go out and slap the end-user to keep him or her from doing the bad thing initially, that would be great.

But seriously, maybe there is room for improvement in some of the automated remediation. We have other tools in place that AMP feeds into that allow for that to happen, so I look at it as one seamless solution. But if you're buying AMP all by itself, I don't know if it can remove malicious software after the fact or if it requires the other tools that we use to do some of that.

We've been using Cisco AMP for Endpoints for well over five years. Aside from firewalls, it was our first security software product from Cisco that resides on the desktop. It goes on laptops, desktops, the whole shootin' match. Recently we started to deploy it on mobile devices and we're excited about that.

It's rock-solid. I don't think there's more to say there. It's just a rock-solid solution.

We have about 800 endpoints that we protect with it and that number is growing, because around the end of 2019 we started playing around with deploying AMP onto cell phones, both Android and iOS. We kicked that tire for a few months and during [COVID] quarantine, we finally figured out how to make it all successful. We've now started rolling that out and we have close to the same number of smartphones out there as other endpoints. We're rapidly deploying it out to all of our Apple and Samsung devices.

We're a baby user, even at 800 endpoints. We get great value out of 800 endpoints. I've talked to peers of mine who run much larger IT organizations who have it scaled out to tens of thousands of endpoints, with the same ease. It scales very well.

Their tech support, overall, is best-in-class. If you ever have a question, TAC gets the answer for you and helps you work through the solutions. 

One thing that we are working on is trying to integrate AMP with AnyConnect. We have our image or our "build." We install AMP, and then we install Umbrella, and then we install AnyConnect. Now Umbrella and AnyConnect have integrated together, and AMP is coming. We've been working with customer support to build all of it into AnyConnect in one deployment model. They've been fantastic to work with.

I don't think it's quite ready for release, yet. We're on the beta side of things. They asked us to kick the tires to get some feedback from a medium sized enterprise on ease and scale. They're trying to make it as simple as possible so that you can just punch in a little bit of configuration info and away it goes.

We've been an AMP customer for a very long time. We've always had antivirus on the desktops; that's what everybody needed to do. Then, I went to a security conference and Cisco was talking about AMP and about how ineffective antivirus really was and that you needed something more. This was when they were bringing AMP to market. I seized on it immediately and said, "That is well-priced, well-positioned, and exactly the gap that we need to fill."

It definitely helps us minimize security risks. We were probably aware of those risks, but may have just been limited in the tool sets available to us. AMP came to market when there weren't a lot of tool sets out there. Before AMP, we made our best efforts in educating and the like, in the hope that nobody would click on bad things. But then we were able to plug AMP into the environment and know that we had a piece of software so that if somebody did click on something bad, we had tools in place to prevent it from doing anything totally out of bounds, and business-shattering.

Malwarebytes was probably about the closest that we had to a solution that was comparable to AMP, but they are definitely not direct competitors. That was a tool that we used on a one-off basis if we thought a computer was infected with malware. Once we deployed AMP, we no longer had a need for that tool.

The initial setup was straightforward. I've been at Per Mar Security for over 20 years and there are a handful of solutions that just work the way they're supposed to, out-of-the-box. AMP's startup guide was on point. I'm the one that deployed it, and I still do some of the technical stuff, day in, day out. I was able to go through their Quick Start Guide and we were able to deploy it out to over 800 endpoints in a matter of two weeks, and that was mostly due to how we roll software out. We probably could have deployed it all in one day if we really wanted to. But we have 30 offices, so we just went office-by-office. It was easy-peasy.

We've seen ROI, absolutely, in more efficient use of my team's time.

The visibility that we have into the endpoint and the forensics that we're able to collect give us value for the price. This is not an overly expensive solution, considering all the things that are provided. You get great performance and value for the cost.

This is a mature product for Cisco. They've been in this space for a while. There are a lot of competitors out there and, since we deployed AMP, we've had some of the competitors to AMP take runs at us and say, "Hey, look at our little widget. We think we're better. We catch more things at a higher hit rate." Every once in a while we'll get bored we'll take a look at one of these tools. We'll say, "Hey, pretty cool tool." And then we see the pricing and, after they perform CPR on you and resuscitate you and you get back to living, you're like, "Holy cow, that is way overpriced compared to what I'm paying for AMP." AMP is very well-priced. 

When I look at different solutions, I always go back and compare them to AMP. I'll tell the others, "Hey, here's what we're paying for AMP, per user. You guys can't be any more than that, because here's everything we get from AMP. You guys are only doing one thing or two things, and AMP's doing all these other things for us."

AMP's pricing is the gold standard that I compare all other pricing to, from antivirus to other security tools. That's how well-priced I think AMP is.

Take a holistic view of your security stack. If you can only focus in on the endpoints, I understand, but if you take a longer view on where you want your cyber security posture to be over the course of time and over the course of budget, this is a great building block. I took a step back half a decade ago, evaluated where we were and where we needed to be, and I started taking baby steps. We started with AMP; we quickly added Umbrella. And that was a great little solution to endpoint protection. We knew where our people were going on the internet. We could block them from bad sites. We had the power of Talos protecting us.

Over the course of time, and as budget constraints allowed, we were able to add on more layers. I would rate our cyber security posture as very mature. You're always growing, you're always evolving, as the threat landscape does, but I think that we have the fundamentals in place to be able to adjust rapidly to an evolving threat landscape. 

That didn't happen overnight. We didn't just open up the checkbook and write a $10 million check to say, "Hey, we have cybersecurity." We took a very methodical approach over the course of time, trying to plug in the right pieces as they fit and as our business grew and matured. Our fundamental building block was AMP. We started there and then built out from it. Just recently, this past fall, we finished up building security into the core of the data center. We built from the endpoint up to the perimeter and then into the data center. Now, we have good visibility into our north-south traffic, where AMP plays and, with the recent project that we just finished up, we now have great visibility into east-west traffic out of the data center. AMP plays into that, too.

At the end of the day, AMP will feed both data feeds and give you good visibility into all your traffic, whether it's leaving your network, coming into your network, or going across your network.

We're very confident about the security alerts that pop up on Threat Grid. And we use another tool that's not Cisco-related, another SIEM tool, that will alert us for different things. We cross-correlate the two platforms — it's like a check-and-balance, if you will. It makes sure Cisco's doing everything it's supposed to, and that this other tool is doing everything it's supposed to do.

I use the solution in my company to protect our Windows and Mac devices.

The most valuable features of the solution are its ease of use, simple management of dashboards, and constant updates.

It cannot currently block URLs over websites. From an improvement perspective, I want the tools to have the ability to block URLs over websites from a threat prevention point of view so that everything stays protected.

The product needs to offer better integration capabilities.

I have been using Cisco Secure Endpoint for two and a half years.

It is a totally stable solution. Stability-wise, I rate the solution a ten out of ten.

Scalability-wise, I rate the solution a ten out of ten.

Around 20 to 30 people use the product in my company.

The product is used extensively in my company.

The plan to increase the solution usage depends on the company's decision.

The product's initial setup phase was very simple.

The solution is deployed on the cloud model.

In terms of the time needed for the deployment process, my company requires one or two hours to upgrade the tool on our twenty machines.

One or two people who are engineers are required to deploy and maintain the solution.

The return on investment is fine. My company only looks at how the product can offer security.

You must make monthly payments towards the licensing charges attached to the product. There are no extra charges apart from the standard licensing fees associated with the product.

In the past, I have used ESET and Symantec in my company. The protection offered by Cisco is much better than that offered by ESET and Symantec.

I never used the tool's threat-hunting capability to see its impact on our company's security posture.

I have integrated Cisco Secure Endpoint with other security tools from Cisco, and I see that it has been great.

I recommend the product to those who plan to use it.

The product is reliable and stable. It also provides up-to-date security based on ongoing trends.

The benefits from the use of the product revolves around the fact that it helps our company to be secured, especially in a scenario where constant attacks happen on other companies.

If I consider the current trends in the cybersecurity world, I can say that the product offers main features that provide functionalities of an anti-virus solution.

I rate the overall tool a nine out of ten.

We have a complete Cisco environment; we use Cisco Firepower, Cisco ACI, and many of their other products. We have many of their top solutions from the network to the data center server.

The solution improved the effectiveness of our security. Before Cisco Secure Endpoint, we used Trend Micro Deep Security for our virtualized environment, but it didn't allow us to track all the malicious events. We can follow them with Cisco, which is a positive change for us. 

Cisco Secure Endpoint enables us to stop a threat before it spreads across our system. This is a massive improvement for us, as we couldn't follow threats and respond to them as rapidly when we used other solutions. 

I appreciate the File Trajectory feature, as it's excellent for an analyst or mobile analyst. I can track everything that happens on our server from my PC or device. Integration with SecureX is a welcome feature because it connects Cisco's integrated security portfolio with our complete infrastructure. Sandboxing is helpful, and integration with the Cisco environment is excellent as we use many of their products, and that's very valuable for us.

The Cisco Secure Endpoint dashboard gives a clear view of everything occurring across the environment, making it straightforward to track and solve threats. This direct approach to threats simplifies cyber security, a capability we didn't have from other solutions; it's instrumental. The dashboard is clean and user-friendly. 

The solution helps prioritize threats as it presents them as low or high-priority, which informs our approach to dealing with them. We can focus on the more severe threats first and protect the integrity of our system. This avoids the problem of having 40 or 50 alerts and not knowing where to start; threat prioritization gives us a starting point. 

CSE reduced our time to detection, mainly due to the excellent dashboard that gives a clear view of threats developing in real-time. One member of staff monitoring the console can block threats almost immediately and set and customize notification preferences. Once the product is correctly configured, we can stop any threats almost as soon as they arise. This requires some time at first, as the agent deployment isn't easy, so starting in the audit mode for the initial configuration is good. 

When we first installed the solution, we faced significant issues, as the server needs to be rebooted when the agent upgrades. This isn't easy in a production environment, and we relayed our concerns about this problem to Cisco.

The Linux agent is a simple offline classic agent, and it doesn't support Secure Boot, which is important to have on a Linux machine. The Linux agent has conflicts with other solutions, including the Exploit Prevention system found in Windows servers. We didn't find a fix during troubleshooting, and Cisco couldn't offer one either. Eventually, we had to shut down the Exploit Prevention system. We didn't like that as we always want a solution that can fit smoothly into the setup without causing problems, especially where security is concerned. The tool also caused CPU spikes on our production machine, and we were seriously considering moving to another product.

However, Cisco has improved its product, and version 7.1 ended the need to reboot machines for updates. It's also more stable than before, though I still think they have a lot of work to make this a genuinely stable product. Cisco Secure Endpoint is a developing solution, but they need to do more. It doesn't match up to the offerings from CrowdStrike, FireEye, and perhaps Carbon Black.

We have been using the solution for two and a half years. 

For stability, I would rate the product an eight out of ten as there has been significant improvement. If this were a year or two ago, the rating would be five or six. Now it's stable.

I want the ability to deploy the solution without using third-party tools. I'm not too fond of that, so I would rate the solution a seven out of ten for scalability.

Cisco support is excellent, we need to open a support case, and they are very helpful and responsive. Initially, when we had issues during deployment, we opened too many cases, but that was part of our learning process.

Positive

We tried Microsoft ATP and previously used Trend Micro Apex One. We used Trend Micro Deep Security in our VMware environment, which is a hypervisor-level anti-malware. Still, we removed it because it blocked our VM migrations, which significantly impacted our production ecosystem. We had to use DRS to migrate our VMs, and when they don't migrate, that results in an overloaded hypervisor server using all the CPU and RAM. That has a knock-on effect on the other systems and applications, degrading their functions, which is not what we want from an anti-malware solution. Thus, we moved to Cisco Secure Endpoint; we already had a strong connection with Cisco because we use many of their products. It is an affordable offering compared to the competitors, such as Windows Defender ATP.

The initial deployment was more complex because the agent behavior was unstable. There is the potential for the agent to block legitimate files on a production server, so we deployed and spent significant time configuring in audit mode. In our case, the production environment is used by developers, so there can be executables that aren't signed in the environment. I'd say deploying in audit mode first to make these configurations and exemptions specific to requirements is essential before activating the agent and leaving it to work.

We initially deployed the solution manually for testing, and then we used Microsoft SCCM to mass deploy to over 3000 digital machines.

Our deployment is 90% on-premise and 10% in the Azure cloud, and we're looking to move more into the cloud. We have a different internal environment for internal use, the on-premise part, and it's a big environment with over 3000 machines. We don't have a dedicated customer space, which we plan to resolve.

Our deployment was slow initially because we weren't sure about the solution. Our line manager was seriously considering removing it in favor of Microsoft ATP. The reboot to update issue was a significant concern, making us question the tool's viability. Automation like SCCM makes the deployment very fast, but it can take anywhere from two weeks to two months to configure the exclusions, notification settings, and dashboard. Learning the solution, using file analysis, the tracking grid, and all the features and tools takes time. CSE isn't an immediate solution.

A Cisco partner helped us with the system integration, and two members from Cisco's security team followed the deployment to help us get it started. 

I don't have the details, but I would say the solution gives us an ROI.

The solution is highly affordable; I believe we pay $2 or $3 per endpoint. It's significantly cheaper than the competitors on the market. 

I would rate this solution an eight out of ten as we are in a Cisco environment. Without that, it would be a seven out of ten.  

Our biggest challenge was the initial deployment, which required using SCCM or other automated tools like Ansible, Puppet, or Chef. We spent a long time in the audit phase, as the configurations we made didn't integrate well into our environment, causing stability issues.

We started using SecureX, but we're at the beginning of understanding and fully implementing its capabilities; we need to learn more. We like the integration of Cisco Secure Endpoint with other Cisco products like Firepower NGFW, ISE, and more. We use a proxy as we have another company acting as our SOC; they receive threat alerts and relay them to us.

I'm satisfied with the solution, and I recommend it to those with other Cisco products. I wouldn't suggest it to those who don't have them.

Cisco Secure Endpoint requires some knowledge of security and malware. An understanding of heuristics, exploits, and living-off-the-land attacks is essential. I would advise any organization to acquire this knowledge if it doesn't exist in their staff pool before implementing and deploying the solution in a production environment. The solution taught me to take things one step at a time.

I implemented the solution in my company to use its managed endpoint protection in my company's use cases. Most of the users of Cisco Secure Endpoint in my company are unaware that they use the product. Our company only uses it to isolate possible malware on the endpoints. Our company uses the solution in collaboration with other software protection tools we have so that it helps us to look into cases where possible malware or attacks can happen.

The most valuable feature of the solution is its technical support. In most cases, it's very difficult or complicated to incorporate Cisco Secure Endpoint in the IT environment, and most of the messages that appear are not very clear. It is a reliable tool. After the setup phase, I realized that it is a reliable tool.

The initial implementation of Cisco Secure Endpoint can be a pain and is an area in the solution that needs improvement. After the initial implementation phase, a person gets support from Cisco, making it a solid tool.

The solution needs to improve in the area of the specific details of the threats it provides to its users.

I have been using Cisco Secure Endpoint for three years.

After the presence and use of the solution in our company for three years, I rate the solution's stability a nine out of ten.

Since we haven't had any expansion in our company's infrastructure, I won't be able to comment on the solution's scalability feature.

All of the employees in the back-end processes of our company are users of the solution since the product is implemented on all the PCs and servers. From an IT perspective, only two people use the solution in the company. One person looks after the maintenance of the solution, while the other person looks at the messaging part of the solution.

My company has chosen an outsourced option to get technical support of the solution since we don't get any technical support internally. 

The initial setup of Cisco Secure Endpoint is complex.

Speaking about the deployment process, during the initial phase of using Cisco Secure Endpoint, we were getting a lot of false positives in our company, making it pretty hard for us initially since we had to cut endpoints until we could stabilize the solution.

My company does make annual payments towards the licensing costs of the solution. Cisco Secure Endpoint is a little bit expensive. The pricing for licenses is pretty expensive for the moment, but it is a good solution.

My company wants to stop using Cisco Secure Endpoint and opt for another solution.

I recommend the solution to those planning to use it.

I rate the overall solution an eight or nine out of ten.