Transforming Endpoint Security

November 1, 2016 - 12 Comments

It’s been said before, but this bears repeating. On average, it takes organizations 100 days[1] or more to detect a breach after it occurs. On average. This means attackers often have more than three months to examine an organization’s data and then steal what they want. Clearly, this is not effective.

These attacks ultimately target the endpoint – and organizations need to close this window of opportunity for attackers. But how?

Prevention-only technologies remain a mainstay of endpoint security, despite being inadequate at defending against more sophisticated attacks that can evade them.

To pick up the slack, the security industry has showered organizations with shiny new technologies for endpoint security. Should they keep the anti-virus they’ve always had? Add a new agent for visibility? And another for better investigation and response? It sounds complex because it is complex.

We need a simpler, more effective way to prevent threats from getting in, deep visibility into what is happening on endpoints to detect threats, and the ability to quickly get rid of any threats that could have found their way in. We need to work with and share intelligence across a broader security architecture. We need reduced time to detection.

At Cisco, it’s our mission to help customers achieve truly effective security with more integrated threat defenses. We are aggressively innovating across our portfolio, strengthening our architectural approach from the network to the cloud and now out to the endpoint.

In February we announced our new Firepower NGFW for continued network security momentum. And we have sparked an industry transition to cloud security with Umbrella Roaming, Cisco Defense Orchestrator and the acquisition of CloudLock this summer.

Today, I’m excited to share important updates to the third pillar of our portfolio – the endpoint.

Cisco AMP for Endpoints delivers modern, next generation endpoint security in one powerful package. Simply. Effectively. With automation and integration with existing technologies. AMP delivers three key elements that endpoint security solutions must deliver today – prevention, detection, and response. AMP prevents attacks and blocks known and unknown malware at point of entry. However, should something get in, AMP provides continuous monitoring and threat detection to quickly spot malicious behavior, and response capabilities to eliminate threats before damage can be done. This provides a first and last line of defense for endpoints, and it gives customers the level of visibility, context, and control they need to stop advanced attacks.

Effective Security to Prevent Attacks

We start with preventing known and unknown attacks. Why are we successful at this? While we won’t hit on every detail here, we stop attacks at point of entry through a combination of various malware detection methods, including machine learning and fuzzy fingerprinting, our built-in Threat Grid sandbox, and leading Talos threat intelligence. It all comes together as an effective way to prevent attacks.

Deep Visibility for Detection

Monitoring, endpoint visibility, threat hunting. No matter what you call it, you need to know what is happening on endpoints, because, as we know, advanced attacks can evade even sophisticated defenses. AMP for Endpoints delivers the deep visibility and continuous monitoring of endpoint activity needed to quickly detect threats, investigate an indication of compromise, and trigger automated response before damage can be done. This means the best time-to-detection capabilities for the endpoint, and the best security value for organizations looking to reduce agent bloat.

Automated Remediation

But we don’t just detect advanced threats in a matter of minutes – once discovered, we automatically stop and remove threats from every computer in the enterprise.

The powerful integration of prevention along with detection and response calls on innovation the endpoint space has not seen. What about file-less or memory-only malware that injects code into a running process? AMP for Endpoints stops it. How about understanding which laptops and devices are vulnerable to attack? We give you a list of vulnerable computers and software so you know what is most likely to be compromised – and what to fix fast. What about endpoints that could be compromised but don’t have an AMP for Endpoints agent? We use machine learning analytics of web proxy traffic to detect compromised systems without an agent.

An Integrated Architecture

We don’t stop there. Something else that is unique about AMP for Endpoints is that it’s part of a greater integrated security infrastructure. The AMP ecosystem allows organizations to see more threats in more places, not just on the endpoint, so if you see a threat once, you can block it everywhere—automatically, with no human involvement. And it seamlessly integrates with other platforms like the next-generation firewall or secure network access technology becoming vastly more powerful as they are used together. This amounts to a force multiplier effect for IT security teams.

Recent breach detection testing from NSS Labs shows we detected 100 percent of tested threats. And our time to detection was second to none: we blocked 92% of attacks in less than 3 minutes, the fastest of any vendor tested. This test highlights how AMP for Endpoints works as part of an integrated architecture (network + endpoint) to both prevent and also quickly detect and remediate when attackers evade preventative security tools.

And we are not just integrated with products — Cisco Security Services help you quickly and accurately deploy your AMP for Endpoints solution so you can quickly gain the benefits of AMP technology in your network. Our Deployment Service helps you deploy, configure, test, and tune the implementation for up to 25,000 endpoints or custom deployments.

The Way Forward

What does this amount to? The fastest time-to-detection. We said at the beginning that it takes organizations 100 days or more to detect a breach after it occurs. Cisco prevents nearly all malware from getting in, but more importantly, detects the most advanced threats quickly – usually in around 13 hours or less, and in many cases, minutes – compared with the 100-day average, so attackers don’t have time to operate and organizations stay safer.

AMP for Endpoints will transform endpoint security for your organization. To learn more about Cisco AMP for Endpoints, check out our webcast, watch the video below, visit our webpage, or talk to your Cisco account representative.

[1] Cisco 2016 Midyear Cybersecurity Report



  1. Hey, thanks Tom. Is there any discount or rebate price for the security bundle?

  2. Is there any special subscription licence for AMP?

    • Hi Shital, are you asking if a subscription license is needed for AMP for Endpoints?

      If so, yes. AMP for Endpoints is a subscription-based product, and pricing is based on the number of endpoints being protected.

  3. Great, Tom. AMP is a perfect solution for threats.

  4. Cisco AMP for Endpoints is simply the best!

  5. As an endpoint security mechanism, this technology will not only allow for more flexibility as Cybersecurity Managers, when it comes to overall management within an organization, but will allow more time to focus on other areas, such as plans, policies, and procedures. When it comes to layered security you have to like what AMP provides to the IT world. I am looking forward to reading and learning more about this solution.

  6. AMP is simply the best choice!

  7. Good solution. Does it also act as our antivirus, or, having this, do we need to do away with our in-house endpoint solution?

    • Great question. What AMP for Endpoints provides is the flexibility to do either scenario. We have customers that are using AMP for Endpoints to replace their traditional prevention-only AV, plus they get all the detect and respond capabilities with AMP for Endpoints. However, if you want to continue using your AV but add AMP for Endpoints to gain the detect and respond capabilities, that is also a scenario customers choose. In this scenario, it’s as simple as including the existing AV in the AMP for Endpoints exclusion list and the two can operate side by side. And since AMP for Endpoints uses a lightweight connector architecture, the dual mode will have negligible performance impact beyond the existing AV.

  8. Thank you, Tom, for a great article. As a customer success manager just beginning my journey with AMP, this gave me a lot of great insight into the power of AMP!

  9. Nice article, easy to understand.

  10. Great, Tom!