Previously, there were options to uninstall the agent without a password if you had admin access, and this could be improved. It may require a password for uninstalling clients, which would be helpful (if it doesn't already).
It cannot currently block URLs over websites. From an improvement perspective, I want the tools to have the ability to block URLs over websites from a threat prevention point of view so that everything stays protected. The product needs to offer better integration capabilities.
Consulting & Support Region Senior Executive at Redington (India) Ltd
Real User
Top 10
2023-12-01T09:23:00Z
Dec 1, 2023
We must install an agent on every laptop. We do not know how to do it for the network. We shouldn’t have to install agents individually if it's a corporate network. The product does not provide options like tunnel creation or virtual appliances. If there are 2000 users and only one network administrator, installing the agent on every laptop will be time-consuming.
Cyber Security Specialist at a tech services company with 11-50 employees
Reseller
Top 5
2023-09-07T09:52:00Z
Sep 7, 2023
Due to the complexity of the technology that is used and its advanced threat detection capabilities, it is possible to encounter many delays in operation. It can impact the business itself, so I would suggest an improvement in that area.
The initial implementation of Cisco Secure Endpoint can be a pain and is an area in the solution that needs improvement. After the initial implementation phase, a person gets support from Cisco, making it a solid tool. The solution needs to improve in the area of the specific details of the threats it provides to its users.
System Administrator at bluegr Hotels & Resorts
Real User
Top 5
2023-08-30T13:35:00Z
Aug 30, 2023
The pricing policy could be more competitive, similar to Cisco's offerings. Cisco recently introduced the SecureX platform, where all the different platforms are consolidated. This means you need a single account to access all the platforms, simplifying the process. However, it can still be a bit frustrating because the access isn't straightforward. There are different links for logging in, and depending on which link you use, you might encounter issues with admin rights, even if you are an admin. It seems there are some access problems during the transition and migration process, which has affected my system as well. For instance, we had the Cisco Mail gateway, and I used to have specific links to report and configure guardian and spam checks for emails. Now, all of these have also been moved to the SecureX platform, which doesn't always function smoothly when logging in. Sometimes, I still have to log in using my old links. It's a bit inconvenient, but that's how it is.
Integration and dashboard are areas with certain shortcomings in Cisco Secure Endpoint. I would like Cisco Secure Endpoint to have a better dashboard and integration with different software solutions in future releases.
On the firewall level, they were lagging a little bit behind, but they are running up again. I have full trust in the new 3000 series of firewalls where we would also be able to look more into the traffic that we're monitoring and get more security layers in our services. That would definitely be a big step.
CISO at a computer software company with 201-500 employees
Real User
Top 20
2023-04-09T08:50:00Z
Apr 9, 2023
We would like to see the protection from the start of the endpoint till the end. Nowadays, we see that working from home is quite important, so there's a need to protect the whole layer, not only the network of the customer. There is a change towards starting from the process on the endpoint and then protecting that towards the application and the data on the back end. You need to protect that whole layer, which means that you have to have something on your endpoints that can protect. Today, at the Cisco Live event, I heard that there will be an AnyConnect solution from Cisco that will help us in delivering the kinds of security solutions that customers currently want. In some cases, we use AnyConnect, but because SaaS is coming up, many of the solutions or many endpoints are using a browser to make the connection to any place, anytime, and anywhere, so you want to have a secure connection at the start. It should be on every endpoint. I've heard Cisco is developing that right now to have all endpoints, not only laptops, desktops, and tablets, but also mobile devices, connected and secure towards the application and the data at the end. We are using AnyConnect as a VPN solution, but not as a whole set, which is currently being developed by Cisco. They can combine the platforms and the management tools so that they are a little bit simpler and easy to use. The integration of the Cisco products for security could be better in the sense that not everything is integrated, and they aren't working together. In addition, not all products are multi-tenant, so you can't separate different customer environments from each other, which makes it a little bit hard for a managed service provider to deliver services to the customers. The quality of the product should be on top. For instance, when they are being introduced, some firewalls have some bugs, and they are known bugs. So, going to the latest version of the firewall is not always the smartest thing to do. There could be an improvement to help us go to the most modern version.
Security Manager at a wholesaler/distributor with 10,001+ employees
Real User
Top 20
2023-04-02T12:20:00Z
Apr 2, 2023
Cisco is good in terms of threat intelligence plus machine learning-based solutions, but we feel Cisco is lagging behind in using artificial intelligence in its systems. Today, Cisco is more than enough to protect us from the threats, or the evolving threats, using threat hunt, threat intelligence, and machine learning. We feel that in a couple of years, Cisco will lag behind if Cisco does not improve in artificial intelligence. All these tools I am mentioning from Cisco need to be improved with AI so that it can reduce man-hours so that fewer resources need to monitor and respond. But AI is self-learning, taking self-defense, reducing the response time a lot, and also detecting not only threats and machine learning-based but abnormality-based. It's a little different than behavior-based protection, which currently Cisco has. AI models should keep learning and then attacking internet response immediately on top of that. We feel that Cisco needs to work a lot on the AI side, rather than sitting on threat intelligence teams, or machine learning. It is enough for today, but it will not be enough tomorrow.
Software Engineer at Thessaloniki Port Authority SA
Real User
Top 10
2023-02-21T14:23:00Z
Feb 21, 2023
In terms of features, I don't have any areas for improvement. It has a good interface. Its reporting is also good, and the updates are very frequent. Its price is okay for us, but it can always be better. There's always room for improvement when it comes to pricing.
Level 2 tech at a tech services company with 11-50 employees
Real User
2022-08-10T06:09:00Z
Aug 10, 2022
We were using a third-party help desk. One of the ways that they were fixing problems was to delete the client and then add the client back if there was an issue where the client had stopped communicating. Any improvement in the client communicating back to the server would be good, particularly for machines that are offline for a couple of weeks. A lot of our guys were working on a rotation where the machine might be offline for that long. They were also terrible about rebooting their machines, so those network connections didn't necessarily get refreshed. So, anything that could improve that communication would be good. Also, an easier way to do deduplication of machines, or be alerted to the fact that there's more than one instance of a machine, would be useful. If you could say, "Okay, we've got these two machines. This one says it's not reporting and this one says it's been reporting. Obviously, somebody did a reinstall," it would help. That way you could get a more accurate device count, so you're not having an inflated number. Not that Cisco was going to come down on you and say, "Oh, you're using too many licenses," right away. But to have a much more accurate license usage count by being able to better dedupe the records would be good. I also sent over a couple of other ideas to our technical rep. A lot of that had to do with the reporting options. It would be really nice to be able to do a lot more in the reporting. You can't really drill down into the reports that are there. The reporting and the need for the documentation to be updated and current would be my two biggest areas of complaint. Also, there was one section when I was playing with the automation where it was asking for the endpoint type rather than the machine name. If I could have just put in the machine name, that would have been great. So there are some opportunities, when it comes to searching, to have more options. If I wanted to search, for example, by a Mac address because, for some reason, I thought there was a duplication and I didn't have the machine name, how could I pull it up with the Mac address? When you're getting to that level, you're really starting to get into the ticky tacky. I would definitely put the reporting and documentation way ahead of that.
When we first installed the solution, we faced significant issues, as the server needs to be rebooted when the agent upgrades. This isn't easy in a production environment, and we relayed our concerns about this problem to Cisco. The Linux agent is a simple offline classic agent, and it doesn't support Secure Boot, which is important to have on a Linux machine. The Linux agent has conflicts with other solutions, including the Exploit Prevention system found in Windows servers. We didn't find a fix during troubleshooting, and Cisco couldn't offer one either. Eventually, we had to shut down the Exploit Prevention system. We didn't like that as we always want a solution that can fit smoothly into the setup without causing problems, especially where security is concerned. The tool also caused CPU spikes on our production machine, and we were seriously considering moving to another product. However, Cisco has improved its product, and version 7.1 ended the need to reboot machines for updates. It's also more stable than before, though I still think they have a lot of work to make this a genuinely stable product. Cisco Secure Endpoint is a developing solution, but they need to do more. It doesn't match up to the offerings from CrowdStrike, FireEye, and perhaps Carbon Black.
Director of I.T. Services at a non-tech company with 201-500 employees
Real User
2022-07-06T10:03:00Z
Jul 6, 2022
This product has issues with the number of false positives that it reports. Especially when updates are released for Chrome, many detections report a virus when it really wasn't. Another problem that I notice is that Outlook 2016 creates cache files of attachments, and when this product detects them as malware, it can't delete them. I assume this is because Outlook still has the file open. This means that I get notices about the issue but I can't do anything about it until later, after Outlook has closed them. This may not be Cisco's fault as much as it is Microsoft's fault.
They could simplify the solution and make it a little bit easier to understand how things are happening or if something serious has happened. They could improve the main dashboard to more clearly show me the things that I want to see. When I open the dashboard right now, I see a million things and they are not always the things that I need. I would also like it to update itself so that I don't need to click to make that happen. Of course, having to click is not a hard thing to do, but I would like to see things done automatically as much as possible.
System Administrator at a manufacturing company with 201-500 employees
Real User
2021-08-17T21:42:00Z
Aug 17, 2021
While I've attended a lot of their training webinars, they were mostly high-level. They just say that these are the feature, and this is how you access them, but I would like to see more scenario-based information. They should provide us examples of how to resolve something when we see something happening. They should give us an example of the flow on how to resolve it. In Orbital, there are tons of prebuilt queries, but there is not a lot of information in lay terms. There isn't enough information to help us with what we're looking for and why we are looking for it with this query. There are probably a dozen queries in there that really focus on what I need to focus on, but they are not always easy to find the first time through.
Actually, we don't need others features or improvements of this product. It is a complex product and offers us exactly what we need - security and trust. We chose Cisco because we wanted security and trust. That is what we needed from Cisco, and what our customers expected from us. We are using many Cisco products, and, with every new product, every new feature, the trust in Cisco security is growing. We think that Cisco covers all of the security aspects on the market. They continue to innovate in the right way.
Network security engineer at a tech services company with 1,001-5,000 employees
Real User
2021-05-14T17:19:12Z
May 14, 2021
The GUI needs improvement, it's not good. There are false positives in emails. At times, the emails are blocked and detected as malware when they are not. They should work on some of the signatures because of the emails that have been blocked and detected as malware that can never be opened.
Like any other security tool, there's always rooms for improvement. Some of the ways the product can be improved are: - Vendor needs to understand a one-size-fits-all approach will not work with addressing TAC cases and service requests. For "once in a blue moon" cases, most approach still sound like the engineers are acting off of a runbook. In this case the recommended solutions will not totally align with the scenario - Since customers do not have the ability to allow or decline console updates, there have been a number of instances where the console GUI appear buggy and functionalities do not work correctly after an upgrade. This can be improved by informing customers prior to the upgrades. Other additional features that should be improved in next releases include: - The dashboard is great for quick visibility prior to deeper dive, however, making the dashboard more customization will improve interaction, grant the ability to filter out irrelevant outputs and encourage personalized drill-downs based on daily requirements - Integration with enterprise monitoring applications and ticketing systems that differentiates noise, forwards events, generates tickets and have them automatically assigned to application owning group.
Some of the dashboards don't always populate with data. Most of them do, but some of them don't. Another issue for me, that would be the greatest value of all, would be to make the security into a single pane of glass. Whilst these products are largely integrated from a Talos perspective, they're not integrated from a portal perspective. For example, we have to look at an Umbrella portal and a separate AMP portal. We also have to look at a separate portal for the firewalls. If I could wave a magic wand and have one thing, I would put all the Cisco products into one, simple management portal. If I were Cisco, that would be my greatest focus of all because it would be of such great value if I could give one pane of glass to an engineer and he could look across all the Cisco products. The other thing I would say to Cisco is they need to move more to a consumption model like Office 365, because I want to be able to sell it and deploy it by just adding things on to a particular client. For example, you set a client up on the AMP portal, which I'm looking at as I speak. I have X number of clients. If I need to sell or deploy Umbrella, I've got to go through a completely different process and enter exactly the same sort of thing. I've got to create the client somewhere else, I've got to put the information somewhere else, and I've got to run the deployment from somewhere else. Whereas with the Office 365 model, I'm able to upgrade packages and add features and functionality all from the one place. That is an incredibly powerful selling tool. The other area for improvement is to make billing simpler. The billing process for us is hard where we've got those two users. We've got to create a separate bill for those clients and we have to create a separate report to Cisco to say that we're billing those clients. Anything they could do to make that billing process more seamless would be of great value. If they could almost automate it, so that it is something that links in with accounts packages to make the billing process neater, it would help promote the sale of it and make it more profitable to sell. If someone deploys AMP For Endpoints on a client, at the moment that process is very disjointed. We've got to do a check once a month to see how many deployments there are relative to last month and, if we had to add one, we not only have to bill an extra one but we also have to buy an extra one from Cisco. And all that is manual.
The biggest area where I liked seeing improvement is in the interface and its interaction with the customer and portal. Since these things are quite technical, it's important that you can find your way around the console quickly without having to remember where things are. I think the interface has improved quite a lot in the last couple of years, which is good, but also the integrations are starting to be incorporated a lot more too. We can see more value in the product as time goes on. It's a different product to what it was when we first got it in terms of visibility and also its user interface. You need a certain level of technical experience because the console is not the easiest thing to look at. It's very in-depth and there's a lot going on. It does a lot of stuff. I often compare that to our antivirus console, which is pretty self-explanatory, but it is not really doing a lot in terms of its visibility. It will do similar remediation work, but AMP has the visibility. You can see where it's going and what processes are running. Everything that it's tracking can be overwhelming to some people so you need a level of IT and technical experience to understand what it's doing and your way around the console. It's a very high-level product in that respect. Therefore, it might scare a few people off if they're not up to that level. However, if you have someone who can handle it, then it's fine. There are some features with the integrations that I'm not using because I haven't gotten my head around how they integrate and how best to integrate them into what we're doing. It is just a matter of giving me some time to sit down with a Cisco rep and working through it to understand exactly what these things are doing, then implementing them. I am not one to pay for something that we're not going to use. However, from what I can see, everything that comes with the product is worth doing. Obviously, the threats out there now in the internet world are only getting more complex. Therefore, it makes sense that we keep up with all the technology and software that comes with it.
Sr Network Engineer at a real estate/law firm with 1-10 employees
Real User
2020-07-08T09:01:00Z
Jul 8, 2020
The endpoint agent on a machine doesn't provide much data. And the thing I hate the most, which they have not fixed, is when it creates duplicate entries within a console. If you have a computer and you upgrade from Windows 7 to Windows 10, or you upgrade your agent from version 6 to 7, it creates a new instance in there instead of updating the information. Instead of paying a license for one computer, I have to license two computers until I manually go in, search for all the duplicate entries, and clean them out myself. There are features that are supposed to work that don't that reduce the duplicates.
Security Officer at a healthcare company with 51-200 employees
Real User
2020-07-08T09:01:00Z
Jul 8, 2020
The solution’s endpoint protection, in terms of the operating systems and devices that it protects, is pretty comprehensive. The one challenge that I see is the use of multiple endpoint protection platforms. For instance, we have AMP, but we also have Microsoft Windows Defender, System Center Endpoint Protection, and Microsoft Malware Protection Engine deployed. So, we have a bunch of different things that do the same thing. What winds up happening is, e.g., if I get an alert for a potential incident or malware and want to pull the file, I'll go to fetch the file to analyze it. But, one of these other programs has already gotten it, so the file has already been quarantined by another endpoint protection system. AMP doesn't realize that and the file fetch fails, then you're left wondering what's going on. It's a rapidly evolving product. Every time they turn on a new feature, you're going to have glitches. Recently, they put out a bad version of a Connector, but they put out a new version of a Connector every other week it seems, so they pulled that back and put out a new version.
Systems Architect at a consultancy with 5,001-10,000 employees
Real User
2020-06-10T08:01:00Z
Jun 10, 2020
The room for improvement would be on event notifications. I have mine tuned fairly well. I do feel that if you subscribe to all the event notification types out-of-the-box, or don't really go through and take the time to filter out events, the notifications can become overwhelming with information. Sometimes, when you're overwhelmed with information, you just say, "I'm not going to look at anything because I'm receiving so much." I recommend the vendor come up with a white paper on the best practices for event notifications. As far as reducing the attack surface, Orbital really doesn't decrease that surface.
Technical Team Lead Network & Security at Missing Piece BV
Real User
2020-06-09T07:46:00Z
Jun 9, 2020
We have had some problems with updates not playing nice with our environment. This is important, because if there is a new version, we need to test it thoroughly before it goes into production. We cannot just say, "There's a new version. It's not going to give us any problems." With the complexity of the solution using multiple engines for multiple tasks, it can sometimes cause performance issues on our endpoints. Therefore, we need to test it before we deploy. That takes one to three days before we can be certain that the new version plays nice with our environment.
If it could physically go out and slap the end-user to keep him or her from doing the bad thing initially, that would be great. But seriously, maybe there is room for improvement in some of the automated remediation. We have other tools in place that AMP feeds into that allow for that to happen, so I look at it as one seamless solution. But if you're buying AMP all by itself, I don't know if it can remove malicious software after the fact or if it requires the other tools that we use to do some of that.
System Architect at COMPASS IT Solutions & Services Pvt.Ltd.
Real User
2020-01-29T08:35:00Z
Jan 29, 2020
I would recommend that the solution offer more availability in terms of the product portfolio and integration with third-party products. AMP works very well within the Cisco ecosystem. If it could work along with the third party ecosystem as well, if that integration or even more APIs came into play, I think we could utilize this product a little bit better. One thing which I would like to see in terms of a major improvement would be AMP supporting the IoT infrastructure, which has been coming up in networks recently. It should also support more factory managed devices, like systems running Linux. Better support is what I'm looking for. The common endpoints are already covered and we work very well with them. That would be the case if support is extended to new devices as well. I think that would bring real value to the table. AMP has recently released email security and web security. If there was something like a common dashboard, similar to that of CrowdStrike, it would be useful. AMP needs to come up with a common dashboard for all of the solutions. That single pane of information would allow us to view everything. Instead of installing a plugin, what we need AMP to do is run installs in the background. Then the user doesn't know that AMP is running on the system. That would be a fantastic use case or the recommendation which I would like to make, in they're looking for products and features to develop. Something like that would allow me to have a high-end deployment in place for AMP which would be ideal.
I think there should be better support and I would also like to see an easier implementation of the solution. The support should be cheaper and more available during the implementation stage. It would be great if they could have support teams that involve an AMP team because there's a specific team for AMP.
I would like more seamless integration, because I have a security solution based on Cisco and I'm looking at integration for the old solution. It would be much easier for the security administrator to monitor integration.
Solution Architect / Presales Engineer at a comms service provider with 1,001-5,000 employees
Real User
2019-09-24T05:43:00Z
Sep 24, 2019
It should be doing backups. Every stage that this malware is going forward, it should snapshot the situation. Then I could go back to the first stage before it got infected. It doesn't have this option, and I know that other manufacturers have it, like Check Point, for example. In the next release, I would for it to have back up abilities. I would like the ability to go back to a point in time to when my PC was uninfected and to the moment of when the infection happened.
When we're talking about anti-malware protection, AMP is a very good solution, but again, the CSO level reports are not generated. There is a dashboard, there is a report, but again, those reports have to be taken to the CSO, because when it comes to security, we always want to have high-level reports. So if we had a system that generated reports from the AMP itself, that would be great for us. Also, the solution needs more in-depth analytics. Right now they have implemented AMP, so, monitoring is happening, but you need to see what exactly is happening, the updates and then the mode of attacks that have happened and have been prevented. An in-depth report could be generated, and it should be on a CSO level. That's the value should be added to AMP solution.
We would like to have an API integration with a SIEM solution, because as far as I know, it currently hasn't yet been released. We are looking forward to it because it's important for us to integrate the product with a SIEM solution in order to provide our customers a good, robust solution. It needs major improvement with its ease of integration.
I would like them to add whatever makes filtering more advanced in scanning and blocking for malware in emails. It would just improve the product further. I think they are working on this, the continuous improvement aspect.
Cisco Secure Endpoint is a comprehensive endpoint security solution that natively includes open and extensible extended detection and response (XDR) and advanced endpoint detection and response (EDR) capabilities. Secure Endpoint offers relentless breach protection that enables you to be confident, be bold, and be fearless with one of the industry’s most trusted endpoint security solutions. It protects your hybrid workforce, helps you stay resilient, and secures what’s next with simple,...
Previously, there were options to uninstall the agent without a password if you had admin access, and this could be improved. It may require a password for uninstalling clients, which would be helpful (if it doesn't already).
Cisco Secure Endpoint is an expensive solution.
The solution can be cheaper.
It cannot currently block URLs over websites. From an improvement perspective, I want the tools to have the ability to block URLs over websites from a threat prevention point of view so that everything stays protected. The product needs to offer better integration capabilities.
We must install an agent on every laptop. We do not know how to do it for the network. We shouldn’t have to install agents individually if it's a corporate network. The product does not provide options like tunnel creation or virtual appliances. If there are 2000 users and only one network administrator, installing the agent on every laptop will be time-consuming.
Due to the complexity of the technology that is used and its advanced threat detection capabilities, it is possible to encounter many delays in operation. It can impact the business itself, so I would suggest an improvement in that area.
The initial implementation of Cisco Secure Endpoint can be a pain and is an area in the solution that needs improvement. After the initial implementation phase, a person gets support from Cisco, making it a solid tool. The solution needs to improve in the area of the specific details of the threats it provides to its users.
The pricing policy could be more competitive, similar to Cisco's offerings. Cisco recently introduced the SecureX platform, where all the different platforms are consolidated. This means you need a single account to access all the platforms, simplifying the process. However, it can still be a bit frustrating because the access isn't straightforward. There are different links for logging in, and depending on which link you use, you might encounter issues with admin rights, even if you are an admin. It seems there are some access problems during the transition and migration process, which has affected my system as well. For instance, we had the Cisco Mail gateway, and I used to have specific links to report and configure guardian and spam checks for emails. Now, all of these have also been moved to the SecureX platform, which doesn't always function smoothly when logging in. Sometimes, I still have to log in using my old links. It's a bit inconvenient, but that's how it is.
Integration and dashboard are areas with certain shortcomings in Cisco Secure Endpoint. I would like Cisco Secure Endpoint to have a better dashboard and integration with different software solutions in future releases.
It's pretty good as it is, but its cost could be improved.
On the firewall level, they were lagging a little bit behind, but they are running up again. I have full trust in the new 3000 series of firewalls where we would also be able to look more into the traffic that we're monitoring and get more security layers in our services. That would definitely be a big step.
We would like to see the protection from the start of the endpoint till the end. Nowadays, we see that working from home is quite important, so there's a need to protect the whole layer, not only the network of the customer. There is a change towards starting from the process on the endpoint and then protecting that towards the application and the data on the back end. You need to protect that whole layer, which means that you have to have something on your endpoints that can protect. Today, at the Cisco Live event, I heard that there will be an AnyConnect solution from Cisco that will help us in delivering the kinds of security solutions that customers currently want. In some cases, we use AnyConnect, but because SaaS is coming up, many of the solutions or many endpoints are using a browser to make the connection to any place, anytime, and anywhere, so you want to have a secure connection at the start. It should be on every endpoint. I've heard Cisco is developing that right now to have all endpoints, not only laptops, desktops, and tablets, but also mobile devices, connected and secure towards the application and the data at the end. We are using AnyConnect as a VPN solution, but not as a whole set, which is currently being developed by Cisco. They can combine the platforms and the management tools so that they are a little bit simpler and easy to use. The integration of the Cisco products for security could be better in the sense that not everything is integrated, and they aren't working together. In addition, not all products are multi-tenant, so you can't separate different customer environments from each other, which makes it a little bit hard for a managed service provider to deliver services to the customers. The quality of the product should be on top. For instance, when they are being introduced, some firewalls have some bugs, and they are known bugs. So, going to the latest version of the firewall is not always the smartest thing to do. There could be an improvement to help us go to the most modern version.
Cisco is good in terms of threat intelligence plus machine learning-based solutions, but we feel Cisco is lagging behind in using artificial intelligence in its systems. Today, Cisco is more than enough to protect us from the threats, or the evolving threats, using threat hunt, threat intelligence, and machine learning. We feel that in a couple of years, Cisco will lag behind if Cisco does not improve in artificial intelligence. All these tools I am mentioning from Cisco need to be improved with AI so that it can reduce man-hours so that fewer resources need to monitor and respond. But AI is self-learning, taking self-defense, reducing the response time a lot, and also detecting not only threats and machine learning-based but abnormality-based. It's a little different than behavior-based protection, which currently Cisco has. AI models should keep learning and then attacking internet response immediately on top of that. We feel that Cisco needs to work a lot on the AI side, rather than sitting on threat intelligence teams, or machine learning. It is enough for today, but it will not be enough tomorrow.
In terms of features, I don't have any areas for improvement. It has a good interface. Its reporting is also good, and the updates are very frequent. Its price is okay for us, but it can always be better. There's always room for improvement when it comes to pricing.
Logging could be better in terms of sending more logs to Cisco Firepower or Cisco ASA. That's an area where it could be made better.
We were using a third-party help desk. One of the ways that they were fixing problems was to delete the client and then add the client back if there was an issue where the client had stopped communicating. Any improvement in the client communicating back to the server would be good, particularly for machines that are offline for a couple of weeks. A lot of our guys were working on a rotation where the machine might be offline for that long. They were also terrible about rebooting their machines, so those network connections didn't necessarily get refreshed. So, anything that could improve that communication would be good. Also, an easier way to do deduplication of machines, or be alerted to the fact that there's more than one instance of a machine, would be useful. If you could say, "Okay, we've got these two machines. This one says it's not reporting and this one says it's been reporting. Obviously, somebody did a reinstall," it would help. That way you could get a more accurate device count, so you're not having an inflated number. Not that Cisco was going to come down on you and say, "Oh, you're using too many licenses," right away. But to have a much more accurate license usage count by being able to better dedupe the records would be good. I also sent over a couple of other ideas to our technical rep. A lot of that had to do with the reporting options. It would be really nice to be able to do a lot more in the reporting. You can't really drill down into the reports that are there. The reporting and the need for the documentation to be updated and current would be my two biggest areas of complaint. Also, there was one section when I was playing with the automation where it was asking for the endpoint type rather than the machine name. If I could have just put in the machine name, that would have been great. So there are some opportunities, when it comes to searching, to have more options. If I wanted to search, for example, by a Mac address because, for some reason, I thought there was a duplication and I didn't have the machine name, how could I pull it up with the Mac address? When you're getting to that level, you're really starting to get into the ticky tacky. I would definitely put the reporting and documentation way ahead of that.
When we first installed the solution, we faced significant issues, as the server needs to be rebooted when the agent upgrades. This isn't easy in a production environment, and we relayed our concerns about this problem to Cisco. The Linux agent is a simple offline classic agent, and it doesn't support Secure Boot, which is important to have on a Linux machine. The Linux agent has conflicts with other solutions, including the Exploit Prevention system found in Windows servers. We didn't find a fix during troubleshooting, and Cisco couldn't offer one either. Eventually, we had to shut down the Exploit Prevention system. We didn't like that as we always want a solution that can fit smoothly into the setup without causing problems, especially where security is concerned. The tool also caused CPU spikes on our production machine, and we were seriously considering moving to another product. However, Cisco has improved its product, and version 7.1 ended the need to reboot machines for updates. It's also more stable than before, though I still think they have a lot of work to make this a genuinely stable product. Cisco Secure Endpoint is a developing solution, but they need to do more. It doesn't match up to the offerings from CrowdStrike, FireEye, and perhaps Carbon Black.
This product has issues with the number of false positives that it reports. Especially when updates are released for Chrome, many detections report a virus when it really wasn't. Another problem that I notice is that Outlook 2016 creates cache files of attachments, and when this product detects them as malware, it can't delete them. I assume this is because Outlook still has the file open. This means that I get notices about the issue but I can't do anything about it until later, after Outlook has closed them. This may not be Cisco's fault as much as it is Microsoft's fault.
It could be improved in connection with artificial intelligence and IoT.
They could simplify the solution and make it a little bit easier to understand how things are happening or if something serious has happened. They could improve the main dashboard to more clearly show me the things that I want to see. When I open the dashboard right now, I see a million things and they are not always the things that I need. I would also like it to update itself so that I don't need to click to make that happen. Of course, having to click is not a hard thing to do, but I would like to see things done automatically as much as possible.
While I've attended a lot of their training webinars, they were mostly high-level. They just say that these are the feature, and this is how you access them, but I would like to see more scenario-based information. They should provide us examples of how to resolve something when we see something happening. They should give us an example of the flow on how to resolve it. In Orbital, there are tons of prebuilt queries, but there is not a lot of information in lay terms. There isn't enough information to help us with what we're looking for and why we are looking for it with this query. There are probably a dozen queries in there that really focus on what I need to focus on, but they are not always easy to find the first time through.
Actually, we don't need others features or improvements of this product. It is a complex product and offers us exactly what we need - security and trust. We chose Cisco because we wanted security and trust. That is what we needed from Cisco, and what our customers expected from us. We are using many Cisco products, and, with every new product, every new feature, the trust in Cisco security is growing. We think that Cisco covers all of the security aspects on the market. They continue to innovate in the right way.
The GUI needs improvement, it's not good. There are false positives in emails. At times, the emails are blocked and detected as malware when they are not. They should work on some of the signatures because of the emails that have been blocked and detected as malware that can never be opened.
Like any other security tool, there's always rooms for improvement. Some of the ways the product can be improved are: - Vendor needs to understand a one-size-fits-all approach will not work with addressing TAC cases and service requests. For "once in a blue moon" cases, most approach still sound like the engineers are acting off of a runbook. In this case the recommended solutions will not totally align with the scenario - Since customers do not have the ability to allow or decline console updates, there have been a number of instances where the console GUI appear buggy and functionalities do not work correctly after an upgrade. This can be improved by informing customers prior to the upgrades. Other additional features that should be improved in next releases include: - The dashboard is great for quick visibility prior to deeper dive, however, making the dashboard more customization will improve interaction, grant the ability to filter out irrelevant outputs and encourage personalized drill-downs based on daily requirements - Integration with enterprise monitoring applications and ticketing systems that differentiates noise, forwards events, generates tickets and have them automatically assigned to application owning group.
I would like to see integration with Cisco Analytics.
Some of the dashboards don't always populate with data. Most of them do, but some of them don't. Another issue for me, that would be the greatest value of all, would be to make the security into a single pane of glass. Whilst these products are largely integrated from a Talos perspective, they're not integrated from a portal perspective. For example, we have to look at an Umbrella portal and a separate AMP portal. We also have to look at a separate portal for the firewalls. If I could wave a magic wand and have one thing, I would put all the Cisco products into one, simple management portal. If I were Cisco, that would be my greatest focus of all because it would be of such great value if I could give one pane of glass to an engineer and he could look across all the Cisco products. The other thing I would say to Cisco is they need to move more to a consumption model like Office 365, because I want to be able to sell it and deploy it by just adding things on to a particular client. For example, you set a client up on the AMP portal, which I'm looking at as I speak. I have X number of clients. If I need to sell or deploy Umbrella, I've got to go through a completely different process and enter exactly the same sort of thing. I've got to create the client somewhere else, I've got to put the information somewhere else, and I've got to run the deployment from somewhere else. Whereas with the Office 365 model, I'm able to upgrade packages and add features and functionality all from the one place. That is an incredibly powerful selling tool. The other area for improvement is to make billing simpler. The billing process for us is hard where we've got those two users. We've got to create a separate bill for those clients and we have to create a separate report to Cisco to say that we're billing those clients. Anything they could do to make that billing process more seamless would be of great value. If they could almost automate it, so that it is something that links in with accounts packages to make the billing process neater, it would help promote the sale of it and make it more profitable to sell. If someone deploys AMP For Endpoints on a client, at the moment that process is very disjointed. We've got to do a check once a month to see how many deployments there are relative to last month and, if we had to add one, we not only have to bill an extra one but we also have to buy an extra one from Cisco. And all that is manual.
The biggest area where I liked seeing improvement is in the interface and its interaction with the customer and portal. Since these things are quite technical, it's important that you can find your way around the console quickly without having to remember where things are. I think the interface has improved quite a lot in the last couple of years, which is good, but also the integrations are starting to be incorporated a lot more too. We can see more value in the product as time goes on. It's a different product to what it was when we first got it in terms of visibility and also its user interface. You need a certain level of technical experience because the console is not the easiest thing to look at. It's very in-depth and there's a lot going on. It does a lot of stuff. I often compare that to our antivirus console, which is pretty self-explanatory, but it is not really doing a lot in terms of its visibility. It will do similar remediation work, but AMP has the visibility. You can see where it's going and what processes are running. Everything that it's tracking can be overwhelming to some people so you need a level of IT and technical experience to understand what it's doing and your way around the console. It's a very high-level product in that respect. Therefore, it might scare a few people off if they're not up to that level. However, if you have someone who can handle it, then it's fine. There are some features with the integrations that I'm not using because I haven't gotten my head around how they integrate and how best to integrate them into what we're doing. It is just a matter of giving me some time to sit down with a Cisco rep and working through it to understand exactly what these things are doing, then implementing them. I am not one to pay for something that we're not going to use. However, from what I can see, everything that comes with the product is worth doing. Obviously, the threats out there now in the internet world are only getting more complex. Therefore, it makes sense that we keep up with all the technology and software that comes with it.
The endpoint agent on a machine doesn't provide much data. And the thing I hate the most, which they have not fixed, is when it creates duplicate entries within a console. If you have a computer and you upgrade from Windows 7 to Windows 10, or you upgrade your agent from version 6 to 7, it creates a new instance in there instead of updating the information. Instead of paying a license for one computer, I have to license two computers until I manually go in, search for all the duplicate entries, and clean them out myself. There are features that are supposed to work that don't that reduce the duplicates.
The solution’s endpoint protection, in terms of the operating systems and devices that it protects, is pretty comprehensive. The one challenge that I see is the use of multiple endpoint protection platforms. For instance, we have AMP, but we also have Microsoft Windows Defender, System Center Endpoint Protection, and Microsoft Malware Protection Engine deployed. So, we have a bunch of different things that do the same thing. What winds up happening is, e.g., if I get an alert for a potential incident or malware and want to pull the file, I'll go to fetch the file to analyze it. But, one of these other programs has already gotten it, so the file has already been quarantined by another endpoint protection system. AMP doesn't realize that and the file fetch fails, then you're left wondering what's going on. It's a rapidly evolving product. Every time they turn on a new feature, you're going to have glitches. Recently, they put out a bad version of a Connector, but they put out a new version of a Connector every other week it seems, so they pulled that back and put out a new version.
The room for improvement would be on event notifications. I have mine tuned fairly well. I do feel that if you subscribe to all the event notification types out-of-the-box, or don't really go through and take the time to filter out events, the notifications can become overwhelming with information. Sometimes, when you're overwhelmed with information, you just say, "I'm not going to look at anything because I'm receiving so much." I recommend the vendor come up with a white paper on the best practices for event notifications. As far as reducing the attack surface, Orbital really doesn't decrease that surface.
We have had some problems with updates not playing nice with our environment. This is important, because if there is a new version, we need to test it thoroughly before it goes into production. We cannot just say, "There's a new version. It's not going to give us any problems." With the complexity of the solution using multiple engines for multiple tasks, it can sometimes cause performance issues on our endpoints. Therefore, we need to test it before we deploy. That takes one to three days before we can be certain that the new version plays nice with our environment.
If it could physically go out and slap the end-user to keep him or her from doing the bad thing initially, that would be great. But seriously, maybe there is room for improvement in some of the automated remediation. We have other tools in place that AMP feeds into that allow for that to happen, so I look at it as one seamless solution. But if you're buying AMP all by itself, I don't know if it can remove malicious software after the fact or if it requires the other tools that we use to do some of that.
Nice to have URL management, password protection of the app, more details of the machine & user running the app.
I would recommend that the solution offer more availability in terms of the product portfolio and integration with third-party products. AMP works very well within the Cisco ecosystem. If it could work along with the third party ecosystem as well, if that integration or even more APIs came into play, I think we could utilize this product a little bit better. One thing which I would like to see in terms of a major improvement would be AMP supporting the IoT infrastructure, which has been coming up in networks recently. It should also support more factory managed devices, like systems running Linux. Better support is what I'm looking for. The common endpoints are already covered and we work very well with them. That would be the case if support is extended to new devices as well. I think that would bring real value to the table. AMP has recently released email security and web security. If there was something like a common dashboard, similar to that of CrowdStrike, it would be useful. AMP needs to come up with a common dashboard for all of the solutions. That single pane of information would allow us to view everything. Instead of installing a plugin, what we need AMP to do is run installs in the background. Then the user doesn't know that AMP is running on the system. That would be a fantastic use case or the recommendation which I would like to make, in they're looking for products and features to develop. Something like that would allow me to have a high-end deployment in place for AMP which would be ideal.
I think there should be better support and I would also like to see an easier implementation of the solution. The support should be cheaper and more available during the implementation stage. It would be great if they could have support teams that involve an AMP team because there's a specific team for AMP.
I would like more seamless integration, because I have a security solution based on Cisco and I'm looking at integration for the old solution. It would be much easier for the security administrator to monitor integration.
The reporting and analytics areas of the solution need to be improved.
It should be doing backups. Every stage that this malware is going forward, it should snapshot the situation. Then I could go back to the first stage before it got infected. It doesn't have this option, and I know that other manufacturers have it, like Check Point, for example. In the next release, I would for it to have back up abilities. I would like the ability to go back to a point in time to when my PC was uninfected and to the moment of when the infection happened.
In the next version of this solution, I would like to see the addition of local authentication.
When we're talking about anti-malware protection, AMP is a very good solution, but again, the CSO level reports are not generated. There is a dashboard, there is a report, but again, those reports have to be taken to the CSO, because when it comes to security, we always want to have high-level reports. So if we had a system that generated reports from the AMP itself, that would be great for us. Also, the solution needs more in-depth analytics. Right now they have implemented AMP, so, monitoring is happening, but you need to see what exactly is happening, the updates and then the mode of attacks that have happened and have been prevented. An in-depth report could be generated, and it should be on a CSO level. That's the value should be added to AMP solution.
We would like to have an API integration with a SIEM solution, because as far as I know, it currently hasn't yet been released. We are looking forward to it because it's important for us to integrate the product with a SIEM solution in order to provide our customers a good, robust solution. It needs major improvement with its ease of integration.
I would like them to add whatever makes filtering more advanced in scanning and blocking for malware in emails. It would just improve the product further. I think they are working on this, the continuous improvement aspect.