When organizations begin their search for an advanced, next-generation endpoint security solution to protect PCs, Macs, servers, and mobile devices, they have a lot of different vendors to choose from and a lot of questions. Can it prevent attacks? What kind of malware can it protect against? What if malware gets in, can it still help me? How do I deploy it? Is management of the tool easy? Will it protect my endpoints on and off the corporate network?
Whether I’m attending a cybersecurity conference, a customer forum, or just in my day-to-day interactions with security practitioners, I get asked these questions. I think any endpoint security solution should provide all of the following “must-haves”:
1. Cloud or on-premises deployment options, across multiple operating systems
Cloud deployment of a next-gen endpoint security solution ensures flexibility, easier management, scalability, and real-time threat intelligence delivery. But sometimes organizations require an on-premises deployment to satisfy stringent privacy requirements dictated by their industry, like in government or finance. Your next-gen endpoint security solution should offer both deployment options.
Furthermore, every endpoint in the enterprise should be protected, whether it’s a Windows PC, Mac, Linux system running on a server, or a mobile device. No endpoint is immune to an advanced cyberattack. Ensure that the technology provides coverage for all of the different types of endpoints used throughout the organization.
2. Prevention Capabilities
Prevention is your first line of defense. Preventing cyberattacks and blocking malware at point-of-entry in real time is essential. To ensure the best possible prevention, make sure your next-gen endpoint security solution provides the following:
- Global Threat Intelligence – a team of threat hunters detecting the newest threats and uncovering zero-days to keep you protected 24/7
- AV Detection – let your next-gen endpoint security solution do all the AV heavy lifting and consolidate protection onto one lightweight agent
- Proactive Protection – identify and patch vulnerabilities, and analyze and stop suspicious low-prevalence executables fast
3. Integrated Sandboxing Capabilities
Sandboxing is essential for static and dynamic analysis of unknown files. Don’t settle for a third-party sandboxing product that must work alongside your endpoint security solution. Sandboxing should be built into, and fully integrated with, your next-gen endpoint security solution. Submitting suspicious files to the sandbox should be easy and seamless, and not require multiple management systems.
4. Continuous Monitoring and Recording
No prevention method will ever be 100% effective. Advanced malware can get into your endpoints, and if you have no visibility into what files are doing on your endpoints, you’ll be blind to the presence of a potential compromise.
Therefore, your endpoint security solution must watch everything on all of your endpoints (on and off the corporate network) at all times so you can spot malicious intrusions and stop them quickly. It must provide continuous monitoring of all files on every endpoint, regardless of file disposition, and record the activity of those files so you can access their recorded history and quickly scope a compromise from start to finish. This continuous monitoring will provide the ability to spot malicious behavior when it happens and give you visibility into where malware came from, where it’s been, what it’s doing, and how to stop it – before damage can be done.
5. Rapid Time to Detection
The industry average time to detect a breach after it occurs is 100 days. That’s insane. It’s plenty of time for malware to infiltrate your organization and exfiltrate confidential information. Your endpoint security solution should be able to speed up your time to detection and spot threats in hours or minutes, not days, weeks or months.
6. Agentless Detection
Sometimes an organization cannot install an endpoint agent on every single endpoint throughout the enterprise, or it wants visibility into devices that do not have an operating system that can support an endpoint agent. Also, some malware is file-less and might not be visible to an endpoint agent. Therefore, your endpoint security solution should provide agentless detection. Make sure it can uncover file-less or memory-only malware, catch malware before it compromises the OS level, and get visibility into devices where no agent is installed.
7. Easy, streamlined management interface for efficient decision-making
Organizations face a myriad of attacks each day, often more than they can triage efficiently or effectively. Many security teams are simply buried in security alerts each day. They need security solutions that are easy to use and help them make fast and informed decisions.
Look for a next-gen endpoint security solution with an easy-to-use management interface that even a tier 1 analyst can use. Make sure that the interface allows you to quickly assess the health and state of your security deployment at both a macro and micro level. Make sure that the workflow to address a malware intrusion is seamless, intuitive and flexible, allowing you to triage, manage, and respond to possible breaches fast and effectively.
8. Simple, Automated Response
Responding to a cyberattack can be difficult and time-consuming. After a breach, many security teams might not have the tools to rapidly respond and remediate. Some reach out to costly third parties to do the work for them.
Your next-gen endpoint security solution should enable you to respond and remediate threats quickly and comprehensively, without the need to engage with an outside vendor. Make sure the solution can accelerate investigations and reduce management complexity by searching across all endpoints for IoCs and malware artifacts; easily connect the dots on a malware compromise, from start to finish, across all endpoints and the network; and systemically respond to and remediate malware across PCs, Macs, Linux, and mobile devices – automatically or with just a few clicks.
9. Not just a siloed point product but rather part of a larger integrated security architecture
Many vendors offer endpoint security products that are just that – point products. These products are not integrated with other security tools, and when deployed, simply add to the mixed bag of security products from multiple vendors used throughout the enterprise. Many organizations use upwards of 60 different security tools. That’s a nightmare. Each product has its own management system and displays information in different ways. This requires more people to operate and makes it harder to decipher threat information, connect the dots to understand the full scope of an attack, and respond quickly. Juggling all of these siloed tools will slow you down.
Instead, you should deploy an integrated threat defense, whereby every security tool in your arsenal can work together to fight threats systemically. Make sure that your next-gen endpoint security solution can be deployed as part of an integrated system of security technologies that can work together to close security gaps and detect threats faster across your entire security ecosystem – from endpoint to network, email, and web. Threat information and event data should be shared and correlated across all security tools, and communicated to the security team in common formats.
We know that you have choices out there when it comes to endpoint security tools. Make sure your endpoint security solution has these 9 “must-have” capabilities to ensure the best protection for your organization. And make sure Cisco AMP for Endpoints is on your short list, as it provides all of these capabilities. In a recent study, IDC looked at 11 different endpoint security tools and named Cisco AMP for Endpoints a leader in the industry. We took a deeper look at a few of the top contenders in that report and compared them with Cisco AMP for Endpoints in this comparative table.