Cisco Secure Endpoint Reviews

Cisco AMP is an anti-malware and antivirus product. It provides endpoint protection. We use it as our antivirus and anti-malware tool. We put it on all our computers. Our employees have it on their laptops because they leave the network and we can't protect them everywhere. Microsoft Windows comes with a built-in tool but it's not quite as powerful. So we use Cisco AMP and Microsoft System Center Endpoint.

Cisco AMP is our primary solution, but we don't uninstall the free ones that come with Windows.

It runs a little agent on the computer and then you manage it from a website platform. There is an application installed on the computers and they all connect up to the management console, which is hosted in Cisco's cloud.

You can use it for single endpoints. We have 3,000 that we use and then there's the free version of it you can use for home.

The actionable alerts in the security console are very good and very useful. They alert us immediately when something happens so that we can take action faster, instead of having to wait until a user report's something or until we view the logs. It sends you alerts so that you can know about them as soon as they happen and remediate the problem. It's a very nice feature.

The solution also makes it possible to see a threat once and block it everywhere, across all endpoints and your entire security platform. You can identify a threat and then mark it as, "If you ever see this file, delete it." It uses something like crowdsourcing, where, if someone works for another company and has AMP and it detects a malicious file on that person's computer, it then updates so that my AMP knows about the virus at that person's company, and protects my company from their virus.

Cisco AMP simplifies endpoint protection detection and response workflows. I'm the only one who manages it now, so it frees up time for a lot of other people. Once it is deployed and set up, one person can manage and maintain it. That reduces the number of people you have to pay for those responsibilities. The console will show if an AMP agent has checked in and I can use all the search features it has. And it deletes all the viruses so I don't really have to do too much, once it has been installed.

It has also minimized security risks to our business that we were previously unaware of. It points out vulnerabilities in software that is already installed, such as in Microsoft Office. If you don't have the latest version of Office, AMP proactively lets you know that you could potentially be infected. We didn't have that before. It has a more comprehensive database that's made up of all the information it has collected from my company and all the other companies that use it. It takes all that information and protects your environment from anything it's ever seen.

When it comes to time to detection, Cisco AMP has taken it from one day to one hour. And our time to remediate has gone from hours to minutes. It does it itself, so we don't have to do anything. 

I can't think of a case where a computer was infected and AMP did not let us know or missed it. It has never happened to us that the product didn't detect something while another product did detect that problem. So far it has been 100 percent successful.

I'm working in a wholesale industry company. We are present in around 16 European countries and my company has around 5,000 employees. I have been using Cisco products since 2007, and in this company for around three years now.

I am using Cisco Secure Endpoint for around 6,000 endpoints, and I also use Cisco Secure Email, ESA product. It's a cloud-based solution from Cisco. I'm using Cisco Malware Analytics and Sandbox. I use Cisco SecureX to integrate all of these and monitor all these ecosystems from Cisco Secure.

Our use cases for using Cisco Secure products are to increase defenses, machine learning, to integrate all these solutions from the backend, do single dashboard threat hunting, do few clicks incident response, have visibility across the entire architecture, and more. We are happily using Cisco and have various different use cases.

We have backend integrations, front-end visibility, and then incidence response with a single click.

Cisco has definitely improved our organization a lot. In terms of business, our company feels safer. We actually switched from legacy signature-based solutions to threat intelligence-based and machine learning-based solutions, which is Cisco Secure. This has improved our security significantly, from 10% of signature-based technology security to 99.9% of the current one which we are running. We were happy.

The threat-based solution, the machine learning-based solution moving towards AI, the ecosystem visibility, and the single click of threat hunting and incident response, were the few major reasons to switch from legacy security to the latest one.

The implementation of Cisco Secure Endpoint has had a significant impact on reducing the operating expenditures of our organization. The savings amount to approximately half a million to a million euros every year. We don't need a lot of different solutions that collect all these threat logs, correlate them, and then automate them for incidents. We already have this with Cisco SecureX, more or less. Cisco is also saving on the FTE side, we need fewer resources to do threat hunting and incidence response.

We save approximately half a million to a million Euros every year with Cisco solutions. 

AMP was purchased for our organization in response to continued threats that we had from malware and malicious activity on our endpoints. We received AMP for Endpoint and also AMP for Networks as part of our Cisco Security ELA. The solution has made a huge impact on the visibility of what has actually been transpiring at the process level on our servers and workstation endpoints as well as being able to look in detail on those processes to see whose executed those processes and what the trajectory was for those processes.

AMP for Endpoints is Software as a Service. It's a subscription service. You do download a connector onto the endpoint. Then, there is the option to run it to an air gap mode where you connect to a local server that does back out to the AMP Cloud. However, that's not the deployment we have in our case, we have it connecting back directly to Cisco Cloud Security.

While I can understand from a theoretical standpoint how some organizations may not want a cloud connection, it increases the processing and detection because of ETHOS and SPERO detection. Throughout all the other Cisco security products, it is able to add this detection into the threat analytics through Threat Grid and Threat Response for other customers who have the same type of hash in their environment. There are the options: If you want to submit a file to be removed after submission and also for it to be submitted anonymously.

We tie AMP into our SIEM so we are receiving alerts through the SIEM. I also have AMP independently send me alerts. I have these alerts finely tuned so I'm getting the right severity level on events where I am being notified. If you choose to receive a notification on all events, potential malware, or potentially unwanted applications, you're going to have an overload of information. Therefore, AMP allows the ability to go through and fine tune the alerts, both in the console and remotely, so you get a proper level of notification to make actionable requests and executions.

In our organization, we have about 95 percent Windows operating systems. Then, we have about five percent Mac OS. Therefore, Cisco AMP covers a 100 percent of our endpoints. It's totally comprehensive.

I had a conversation with my CIO about a week ago. We are seeing more security incidents in our organization. However, we believe these events have always occurred, and that we are more aware of them now. For example, last Thursday we had an incident where a device tried to go and reach out to a malicious website. Because of the integration we have with Threat Response between Umbrella with WSA and AMP, we were able to stop that malicious activity. That's something we wouldn't been previously aware of: If we had an endpoint out there trying to reach out to a malicious site. Until it hit our perimeter security, we wouldn't have been aware of that. You don't always want to rely on your perimeter security for everything, as it won't catch everything all the time. Therefore, you want a multilayered approach, and having Cisco AMP and Cisco Threat Response helps us to accomplish that.

We have it installed on all our workstations and servers. Primarily, we started with it after we were hit with a ransomware attack about five years ago. We looked for something that would give us a bit more visibility as to what was going on the network, where the weak points were, etc. We had an antivirus solution (FireANT) back then, which obviously wasn't good enough on its own. So, we went looking for something that was going to be a little more granular in how it gave us visibility on the network.

We have the Cisco AMP for Endpoints Connector on our workstations, which is all done in the cloud. We have Windows Server, Windows 10 workstation environment, and on-premise servers at the moment with some cloud. I guess we would call ourselves a partly hybrid business, with some stuff in the cloud, and all our access points have Cisco AMP on them. This currently includes work-from-home devices, because we have a lot of people still working from home with the coronavirus thing going on, even home users have Cisco AMP as well.

Our operating systems, whether they be Linux, Windows, Mac, or Google Android, are well-protected.

We now have gained more visibility into what's going on. We had an incident four or five years ago where a member of our staff had a Tor Browser installed on his workstation in the office. I discovered it by chance while doing some work on his workstation. At that time, we had no way of knowing what was going on. Now, between our two Cisco products, we have the capability to see and block that sort of thing going on from the network side. From that point of view, it's straightaway. It has given us the security aspect of not having to deal with people putting Tor Browsers on their workstations to access stuff on the dark web. We have been able to lock that down straightaway, which is good, because that's obviously a big threat to any business. If you don't understand what's going on in and out of your office, whether physically or virtually, then you have no idea what's going on and where your risks are going to be. 

It gives us visibility with minimal intrusion. We don't have an on-premise sort of interaction with it, though. It's just a connector that sits on the workstations and servers, then interacts with the workstations or servers through to the cloud. It has very minimal impact on us in terms of performance. They have recently improved the updating of the program. It no longer requires a reboot after a connector update, which is always a handy thing. From that point of view, the impact is better on the business. I can roll out an update to all devices and not have to worry about having reboots, particularly for servers. Thus, the impact has gotten better on the business over time.

The solution makes it possible to see a threat once and block it everywhere across all endpoints and the entire security platform. It has the ability to block right down to the file and application level across all devices based on policies, such as, blacklisting and whitelisting of software and applications. This is good. Its strength is the ability to identify threats very quickly, then lock them and the network down and block the threats across the organization and all devices, which is what you want. You don't want to be spending time working out how to block something. You want to block something very quickly, letting that flow through to all the devices and avoiding the same scenario on different operating systems.

The solution simplifies endpoint protection, detection, and response workflows, such as security investigation, threat hunting, and incident response. We have policies and procedures in place now at the HR user level and also at the machine level to make sure that certain procedures are followed and those procedures are put in place. From that point of view, the Cisco gives us confidence. We don't have to worry too much about threats. This means we can focus a lot more on doing the work we are being paid to do rather than spending time trying to protect the business too much. The fact that we are very quickly able to see what's going on is good in terms of how much time it takes to work through any issues. 

We now have a standard rollout of devices with procedures in place. The shared nature where Cisco AMP gets installed on all our devices means we are benchmarking our risk at a level that we're comfortable with. We don't have to deal with managing that risk day-to-day, as the risk level is fairly low in terms of what we're expecting from day-to-day operations. From that point of view, this means we can focus more on the business at hand rather than worrying incessantly about threats to the business.

It was our primary endpoint protection. 

The ability to respond rapidly, whether it was doing isolation or threat hunting, helped improve our security. Even when there were a few false positives, it was a good exercise for us to run through and determine what exactly was going on. It was definitely an improvement from what we were using before, which was Trend Micro. That tighter integration definitely helped.

In the time that I was there, we didn't really have any sufficiently major occurrence that did not turn out to be a false positive. But there was useful stuff coming up on the dashboard, where it showed the vulnerable applications. Being aware that those were in our environment, and what threat level they presented on that one to 10 scale, was helpful. It enabled us to say, "Hey, look, Firefox version 71 is still in our environment, and it's a 10. We need to contact that user and get them to upgrade, or remove it if they're using something else." That definitely allowed us to enhance our security posture.

That prioritization of threats, particularly on those vulnerable applications, meant we were able to take action using Microsoft Endpoint Manager. We could deploy applications with supersedence to get that old product off of the machines or upgraded. It definitely improved our situation.

Being able to do pretty immediate research through a simple right-click and threat-detect was very quick and invaluable in making a rapid assessment of what I might be looking at. And with the tighter integration with the Umbrella and Firepower products, when I got in touch with our infrastructure team, they were able to see what I was seeing and more. That was very eye-opening: Wow, look how much information we can get and how quickly we can get that information. We could start evaluating what our status was and what actions we needed to take.

Overall, the impact on our security was that the endpoints were that much safer than they were before, by eliminating those vulnerable applications. And in the event that there was something that appeared to be significant, we had the ability to isolate that device.

Also, Cisco Secure Endpoint, as far as I know, consolidated endpoint, cloud, and remote access agents into a single agent. When we bought the product, it was actually Cisco AMP, and then they went to Cisco Secure Endpoint and everything was managed through the cloud. With that change in the agent, I presume that was all moved to a more cloud-oriented situation.

I would say it improved our time to detection, but that's one of those things that is hard to document. I didn't spend a whole lot of time working with the Trend Micro product, but it seemed to me like it was probably an improvement of at least 30 minutes, which in today's world is forever.

We're using it in a handful of ways. We initially bought it to provide endpoint protection against malware and the like on our laptops that were mobile and off our network the entire time. We eventually moved it onto all of our desktops, and we have now integrated with Umbrella, so we have a full protection suite for all of our clients across our enterprise. 

The most valuable thing about the solution is a feature that's not in the actual product set itself. It's peace of mind. We take a look at security holistically, multilayered. We start from the edge and perimeter and work all the way down to the client. I feel we've deployed best-of-breed in each of the slices of the security layer. For the endpoint, Cisco gives us good clarity about what our endpoints are actually doing. So when we get bad actors into the network, we get quick visibility into which devices are compromised.

We've really subscribed to the whole security stack from Cisco. AMP feeds into that whole Threat Grid for us. We're able to see hashes, and the like, all the way down to the client and we get that visibility because of AMP. As AMP reports back into the Threat Grid, we can see the hashes running on the actual endpoint, and whether they are malicious, and what those things have done. If malware has infected a certain laptop, we get all the forensic evidence around that laptop and, if it's jumped, where that bad stuff has jumped to and what it's done. All that visibility is possible because of AMP.

Even as a standalone product, you get peace of mind having AMP running on something. So if you open up an attachment and it's doing things that it's not supposed to, because your endpoint gets security updates it is protected. Whether it's connected to the network or not, whether it's connected to the internet or not, it is protected. It does its job very well.

The fact that the solution offers cloud-delivered endpoint protection simplifies our security operations. We don't have to worry about updates or signature updates. It takes care of itself in the background, so it frees my guys up to do more meaningful work.

The quality of alerts that actually percolate up for us to take action on are on point. There aren't a lot of false positives so my security team is able to spend its time more effectively. They're not on a wild goose chase. They're chasing actionable things to take care of.

In addition, the security stack that we have in place allows us to see a threat once and block it everywhere, across all endpoints and our entire security platform. If one piece of bad malware gets through, the entire network will self-heal. It makes us more efficient. Standardizing on one pane of glass is the dream that you're after. So even though Cisco doesn't have just one management console for its entire security suite, the pieces plug in properly. With help from Cisco and their security experts, having this deployed the right way lightens the load on my team. We become much more effective. I don't have a team of 15 security experts running around our network, facing down bad guys and preventing them from ever touching our core pieces of data or IP assets they would be after. AMP and the rest of the security stack from Cisco give me peace of mind that the network is taking care of itself and that the endpoints are protected. As long as we are not careless with the pieces that we control, we can rest reasonably well at night knowing that Cisco is doing the heavy lifting that keeps the bad guys at bay.

AMP has decreased our time to detection and to remediate, without a doubt. It's gone down by 100 percent. We're able to detect, real-time, bad or malicious software and mitigate it, not quite in real-time but pretty darn close. If you go back to when we first deployed it, there was no time measurement, so I'm comfortable saying it has sped things up considerably. Now, we're only chasing real threats.

We were looking for a security product, which would not only block known viruses, but give more visibility and control over anti-malware. We offer Desktop as a Service (DAAS) for small and medium businesses, so we have hundreds of laptops, desktops, and virtual machines. Because users click on everything, you need to have a solution in place which will detect if something happens and log it, if there's anything malicious, then it will be blocked and reported.

The main reason for going with Cisco AMP is its integration with other Cisco solutions. It can integrate our firewalling, DNS protection, and email security appliance, so if there's a malicious file, and I see it on one of those devices. I can say, "Hey, I want to have this blocked," and it will immediately stop it being emailed in or out our environment. It also can no longer be downloaded from the Internet. Thus, with one click, we have multiple points protected.

AMP is a bit of a time machine for our environment. We can see any action being executed, connection being made, or file being written, whether it's malicious or not. Everything is been logged. I can basically go back in time and see, "This user opened this website," or, "This process created this file." If at any point in time, we do get something where, "There has been malicious activity there," we can completely follow it back:

• How did it get there? 
• Did it change other files? 
• Did it leave a scheduled task somewhere? 
• Did it connect to other machines? 
• Did it drop software on another place even before it was know to be malicious? 

All activity has been logged. If something turns out to be malicious, or if it's a user doing something they shouldn't be doing without using any malicious software but just using system tools, you can still see every command being run from the console.

The management console is cloud-based and the deployment goes to the endpoints, which are either in our data center or on the laptops and desktops that users have in their offices.

We worked a lot from home over the past few months. This was our only product that did not need to be changed in configuration when all the laptops did not come into the office for a few weeks. As long as there's an Internet connection, it will get the updates. Anything happening locally will upload to your cloud so you have full mobility on it. You have no need to update your console. You log in one day, and there's a note saying, "We added these new features. Click here for more." It has taken a lot of the hassle out so you don't have to worry about the connectivity or updates. You can just worry about stopping the malware you're investigating and incidents in your environments.

Any alert that we get is an actionable alert. Immediately, there is information that we can just click through, see the point in time, what happened, what caused it, and what automatic actions were taken. We can then choose to take any manual actions, if we want, or start our investigation. We're no longer looking at digging into information or wading through hundreds of incidents. There's a list which says where the status is assigned, e.g., under investigation or investigation finished. That is all in the console. It has taken away a lot of the administration, which we would normally be doing, and integrated it into the console for us.

With Cisco AMP, or any Cisco security products, you get Cisco Threat Response. Threat Response takes the intelligence from all your different solutions, then combines it with sources, like VirusTotal, and includes general information that Cisco has available on those threats. E.g., if I see a file somewhere, I can with one click go from my AMP console to Cisco Threat Response, and there it will be enriched, saying, "We have already seen this piece of software two months ago in Japan. This is what we thought of it. We did an automatic analysis on it. These are the indicators on this piece of software being either malicious or benign." With Threat Response, it is very easy to go from what's happening on my environment to what's happening in the world.

If there's spam coming from a machine, I can with one click determine, "Has there been any other intrusive events originating from this machine? Has it been sending me just spam or has it also been scanning me, making connections to other machines, or login attempts?" With Threat Response, we get the view from all sides, both inside and outside our network.

Orbital helps us with investigation, especially if there's been an incident on one machine, and I want to know, "Are there other machines in my environment with the same type of modifications." It's just a click away. I don't have to leave the Orbital or AMP to do the incident investigation. Thus, I don't have to pivot to another solution to check the event logs or files on the endpoints, and not having to leave the tool is very efficient. You have the same casebook in which you can keep notes of your investigation, then you can share the notes with your colleagues. 

The solution simplifies endpoint protection, detection, and response workflows, such as security investigation, threat hunting, and incident response. This positively affects our operational efficiency. We don't have to guess anymore if we have everything or need to use different tools. I can query the machines directly from Orbital. It's a complete tool set. You don't need anything else besides the tools you get with Cisco AMP. There are things now possible which we could not do before, and they're easier than before as well.

We deployed Cisco Secure Endpoint for our customers two to three years back. The use case was to secure their endpoints and servers by deploying the EDR.

Cisco Secure Endpoint is very good in machine learning, which allows it to secure offline contents even if not connected to the internet. We haven't encountered a single breach after it's deployed. It controls USB devices and has a separate antivirus solution called Tetra, providing security even for real-time, day-zero attacks through its strong Talos threat intelligence platform.