
Cisco AMP Just Got Better – Enhancements for Continuous Breach Detection, Response, and Remediation

April 8, 2015 - 3 Comments

Breaches happen.

It makes us cringe to say it, but it’s the obvious truth. A week doesn’t go by that we don’t hear about the latest breach in the news. All of us in the IT security industry would love to say, “our technology can prevent all breaches.” But it’s a pipedream. Being able to prevent 100 percent of breaches or detect all threats trying to infiltrate the network is simply not reality.

Of course, we prevent what we can. And we can get pretty close. In fact, Cisco Advanced Malware Protection (AMP) was shown to block 99 percent of incoming malware in a comparative test on Breach Detection Systems done by NSS Labs. Ninety-nine percent is pretty darn good, and in fact, Cisco AMP emerged a leader in that test. But still, it only takes one percent to cause a breach.

When malware gets through your front-line defenses, you need continuous threat protection in place that can quickly detect it, contain it, and remediate it before damage can be done. Cisco AMP provides the visibility and control to do exactly that. Even after files are initially inspected, AMP’s continuous analysis engines constantly monitor activity on endpoints, mobile devices, and in the network to spot any signs of malicious behavior, and provide continuous detection of threats in your environment. As a result, you have protection before, during, and after an attack.

Today I am excited to announce that Cisco AMP just got even better. We are announcing new features and new innovations that enhance Cisco AMP’s protection capabilities and continuous threat protection in the following areas:

Continuous Detection and Retrospective Security

  • AMP still provides continuous analysis of files after an attack so that you can see the complete ancestry of an attack, scope a compromise, and continuously detect and uncover evasive threats. You get deep visibility to see threats in your environment and the control to quickly stop them.
  • Endpoint Indications of Compromise (IoCs) in AMP for Endpoints now lets users submit their own IoCs using the OpenIOC standard to catch targeted attacks.
  • The Low Prevalence feature in AMP for Endpoints uncovers stealthy, targeted threats that were only seen by a small number of users and automatically sends them for sandbox analysis.

Threat Intelligence and Dynamic Malware Analysis

  • The recent integration of Threat Grid capabilities into AMP gives you context-rich threat intelligence feeds, over 350 unique behavioral indicators that analyze the actions of a file, easy to understand threat scores and analytics, and billions of malware artifacts at your disposal to improve your ability to detect and prevent future attacks. These capabilities and more are also available as a standalone threat intelligence and dynamic malware analysis solution via AMP Threat Grid.
  • The new Vulnerabilities feature in AMP for Endpoints identifies vulnerable software being targeted by malware, and the potential exploit, providing you with a prioritized list of hosts to patch.

Deployment Flexibility and Choice

  • Deploy the solution how and where you want it: on the endpoint, mobile devices, in the network on a Cisco FirePOWER Next-Generation IPS security appliance, on a Cisco ASA firewall, and on web and email gateways. You can also deploy AMP Threat Grid as a standalone threat intelligence and dynamic malware analysis solution.
  • No need to manage multiple security platforms or deploy multiple appliances. Cisco AMP is fully integrated with Cisco security products for ease of deployment, ease of use, and ease of operation.

To learn more about these innovations, visit our Cisco Security Launch page to watch videos, product demos, customer testimonials, and more.



  1. Hi John,
    Thanks for the information.
    What is the performance impact of having the AMP agent running on laptops, desktops, mobiles… compared to an AV, for example?

    Also I assume that the AMP is sort of “all-in-one”. What I mean is that if you have the AMP agent you don’t need things such as host IPS etc running on the endpoint device.


    • Hi Murilo,

      The endpoint connector for AMP for Endpoints is a lightweight 20 MB application, and no user will even notice it’s there. Furthermore, unlike a traditional client that does heavy scans and analysis on the device itself (using up cycles and impacting users), AMP does all the heavy lifting in the cloud.

      With regard to deployment of AMP for Endpoints vs. AMP for Networks (AMP on a FirePOWER NGIPS), it really just depends on the level of visibility and control you want to achieve, and this varies based on the specific needs of each organization, their current security architecture, etc. Many deploy AMP for Networks alone or AMP for Endpoints alone; each is a powerful tool on its own and gives the organization the level of visibility and protection they need. Of course, the endpoint deployment gives you visibility into application/executable information on endpoints, which some organizations really value. Many also deploy AMP for Endpoints and AMP for Networks together, which gives the ultimate in visibility and control because the products communicate and share information with each other to correlate events at the endpoint and network level to help you detect and remediate threats even faster.

      For more information on AMP for Endpoints, I would recommend watching this overview video here: and for a demonstration of AMP for Endpoints and also how it integrates with AMP Threat Grid and AMP for Networks, check this out: