What is our primary use case?
Being the primary AV/IDS within the enterprise, we have the solution deployed across multiple platforms including workstations, servers and Operating Systems.
The solutions conveniently integrates with other existing on-prem and cloud application will relatively minimum to stand up, using APIs and security best practices.
Most out-of-the-box features are either being utilized or pipelined to be deployed going forward, including MAP, ETHOS, SPERO, Exploit Prevention, SecureX, and Tetra which serves as an offline definition repository for workstation who are unable to pull definition updates using the default Cisco AMP cloud route.
How has it helped my organization?
It has been effective as the primary AV tool.
The visibility, dashboard and the navigations gives pretty decent insights into threats, IOCs and endpoint events to help with proactive monitoring. Deployment and connector upgrades are straightforward with available technical documentation for most scenarios.
AMP simplifies endpoint protection, detection, and response workflows, like security investigation, threat hunting, and incident response. By using the solution, we've been able to divert attention towards of the tasks, saving us significant time and effort. It has also served as a one stop shop for endpoint anomaly detection and proactive protection, thwarting the need to gathering inputs from various applications and having to compile that data into one relevant result. It has obviously minimized security risks to the entire business, most importantly, endpoints, servers and other crown-jewel assets.
What is most valuable?
Recently, we have engaged the vendor regarding optimization, bug detections and extended features. Identity persistence, a feature request that was recently granted for instance gives virtual and physical devices deployed using gold image the ability specify an Identity Synchronization option. This persistence feature can apply by MAC address across business, by MAC address across policy or by host name across business.
Speaking of scalability, integrating with other Cisco products, secure email, network, SIEM, API, open source and a number of selected proprietary applications have been encouraging.
Of all valuable features, these are worth mentioning:
- CI/CD pipelining and feature prioritization by actioning on user requests/ identified bugs, releasing connector upgrades, and deploying console upgrades for better usability
- Subscription functionality where console administrators able to Subscribe to receive immediate alerts(digest) on specific or group of monitored workstations
- Identity and access management capability within the console that allow administrators the ability to drill down user visibility on a Role based access control, limiting access to policies, groups, exclusions, and other controls
In terms of operating system compatibility, the coverage is almost in its entirety. Integration and deployment to Windows workstations, Windows servers, Mac, Linux and mobile is seamless
Being a unified AV engine, AMP conveniently delivers both Intrusion detection systems (IDS) and Intrusion Prevention Systems (IPS) capabilities with a specialty in cloud-delivered protection, next-generation antivirus, endpoint protection platform (EPP), and advanced endpoint detection and response (EDR)
What needs improvement?
Like any other security tool, there's always rooms for improvement. Some of the ways the product can be improved are:
- Vendor needs to understand a one-size-fits-all approach will not work with addressing TAC cases and service requests. For "once in a blue moon" cases, most approach still sound like the engineers are acting off of a runbook. In this case the recommended solutions will not totally align with the scenario
- Since customers do not have the ability to allow or decline console updates, there have been a number of instances where the console GUI appear buggy and functionalities do not work correctly after an upgrade. This can be improved by informing customers prior to the upgrades.
Other additional features that should be improved in next releases include:
- The dashboard is great for quick visibility prior to deeper dive, however, making the dashboard more customization will improve interaction, grant the ability to filter out irrelevant outputs and encourage personalized drill-downs based on daily requirements
- Integration with enterprise monitoring applications and ticketing systems that differentiates noise, forwards events, generates tickets and have them automatically assigned to application owning group.
For how long have I used the solution?
I have been using Cisco AMP for Endpoints for about three years, this is inclusive of my prior assignments before being the SME for the application within the firm.
What do I think about the stability of the solution?
Stability is below average. There have been several issues with frequency of release, feature release and wait time for overhanging time-bombs.
From a customer stand-point, these released are aimed at fixing known bugs from last release and introducing new features either in beta or live versions. However, this means that an enterprise running 50K+ endpoints need to go through the rigors of setting up test/dev/qa/pilot then production for iteration, so as to limit the blast radius.
This can be tasking if as the frequency increases.
What do I think about the scalability of the solution?
Long story short, Cisco AMP is scalable. Having used the product as a 'demanding' customer, I can attest to the availability of proper technical documentation and seamless integration with existing application, infrastructure and appliances
How are customer service and technical support?
- Vendor needs to understand a one-size-fits-all approach will not work with addressing TAC cases and service requests. For "once in a blue moon" cases, most approach still sound like the engineers are acting off of a runbook. In this case the recommended solutions will not totally align with the scenario. Also escalations can be more flexible, for instance, certain case priorities (P2, P1) require phoning in, which can be fuel to an already burning bush.
How was the initial setup?
From my understanding, initial setup was tasking with various gray areas. For a new customer trying to set up AMP, there is room for improvement.
The initial deployment happened prior to me joining the organization, based on my interactions with the application deployment team, the effort took months.
Customers can get better during product's initial setup if vendor provides documentation that suggest important objectives like naming convention, default config and collection of product's best practices
What about the implementation team?
What was our ROI?
AMP is worth the money. In recent years, we have spent less time/money and require lesser human resources for task completion. On the higher level, this has saved the firm the need to hire more security engineers to manage the application, reducing overhead cost.
A discrepancy with the number of assets per license should be reviewed to apply based on preference or number of endpoints versus ranges.
Compared to other competitors, there's a significant price difference, although different applications tend to focus more on different cybersecurity functionality
What other advice do I have?
It's been really interesting working with the application, going from 5.X.X connector versions up until 7.X.X. As previously highlighted, there are numerous ways to improve the products. Working with the engineers in previous cases, there is the zeal to improve and an attitude that embraces change
Which version of this solution are you currently using?