
It’s been said before, but this bears repeating. On average, it takes organizations 100 days[1] or more to detect a breach after it occurs. On average. This means attackers often have more than three months to examine an organization’s data and then steal what they want. Clearly, this is not effective.

These attacks ultimately target the endpoint – and organizations need to close this window of opportunity for attackers. But how?

Prevention-only technologies remain a mainstay of endpoint security, despite being inadequate at defending against more sophisticated attacks that can evade them.

To pick up the slack, the security industry has showered organizations with shiny new technologies for endpoint security. Should they keep the anti-virus they’ve always had? Add a new agent for visibility? And another for better investigation and response? It sounds complex because it is complex.

We need a simpler, more effective way to prevent threats from getting in, deep visibility into what is happening on endpoints to detect threats, and the ability to quickly get rid of any threats that could have found their way in. We need to work with and share intelligence across a broader security architecture. We need reduced time to detection.

At Cisco, it’s our mission to help customers achieve truly effective security with more integrated threat defenses. We are aggressively innovating across our portfolio, strengthening our architectural approach from the network to the cloud and now out to the endpoint.

In February we announced our new Firepower NGFW for continued network security momentum. And we have sparked an industry transition to cloud security with Umbrella Roaming, Cisco Defense Orchestrator and the acquisition of CloudLock this summer.

Today, I’m excited to share important updates to the third pillar of our portfolio – the endpoint.

Cisco AMP for Endpoints delivers modern, next generation endpoint security in one powerful package. Simply. Effectively. With automation and integration with existing technologies. AMP delivers three key elements that endpoint security solutions must deliver today – prevention, detection, and response. AMP prevents attacks and blocks known and unknown malware at point of entry. However, should something get in, AMP provides continuous monitoring and threat detection to quickly spot malicious behavior, and response capabilities to eliminate threats before damage can be done. This provides a first and last line of defense for endpoints, and it gives customers the level of visibility, context, and control they need to stop advanced attacks.

Effective Security to Prevent Attacks

We start with preventing known and unknown attacks. Why are we successful at this? While we won’t hit on every detail here, we stop attacks at point of entry through a combination of various malware detection methods, including machine learning and fuzzy fingerprinting, our built-in Threat Grid sandbox, and leading Talos threat intelligence. It all comes together as an effective way to prevent attacks.

Deep Visibility for Detection

Monitoring, endpoint visibility, threat hunting. No matter what you call it, you need to know what is happening on endpoints, because as we know, advanced attacks can evade even sophisticated defenses. AMP for Endpoints delivers the deep visibility and continuous monitoring of endpoint activity needed to quickly detect threats, investigate an indication of compromise, and trigger automated response before damage can be done. This means the best time-to-detection capabilities for the endpoint, and the best security value for organizations looking to reduce agent bloat.

Automated Remediation

But we don’t just detect advanced threats in a matter of minutes – once discovered, we automatically stop and remove threats from every computer in the enterprise.

The powerful integration of prevention along with detection and response calls on innovation the endpoint space has not seen before. What about file-less or memory-only malware that injects code into a running process? AMP for Endpoints stops it. How about understanding which laptops and devices are vulnerable to attack? We give you a list of vulnerable computers and software so you know what is most likely to be compromised – and what to fix fast. What about endpoints that could be compromised but don’t have an AMP for Endpoints agent? We use machine learning analytics of web proxy traffic to detect compromised systems without an agent.

An Integrated Architecture

We don’t stop there. Something else that is unique about AMP for Endpoints is that it’s part of a greater integrated security infrastructure. The AMP ecosystem allows organizations to see more threats in more places, not just on the endpoint, so if you see a threat once, you can block it everywhere—automatically, with no human involvement. And it seamlessly integrates with other platforms like the next-generation firewall or secure network access technology, becoming vastly more powerful as they are used together. This amounts to a force multiplier effect for IT security teams.

Recent breach detection testing from NSS Labs shows we detected 100 percent of tested threats. And our time to detection was second to none: we blocked 92% of attacks in less than 3 minutes, the fastest of any vendor tested. This test highlights how AMP for Endpoints works as part of an integrated architecture (network + endpoint) to prevent attacks and to quickly detect and remediate when attackers evade preventative security tools.

And we are not just integrated with products — Cisco Security Services help you quickly and accurately deploy your AMP for Endpoints solution so you can gain the benefits of AMP technology in your network sooner. Our Deployment Service helps you deploy, configure, test, and tune the implementation for up to 25,000 endpoints or custom deployments.

The Way Forward

What does this amount to? The fastest time-to-detection. We said at the beginning that it takes organizations 100 days or more to detect a breach after it occurs. Cisco prevents nearly all malware from getting in, but more importantly, detects the most advanced threats quickly – usually in around 13 hours or less, and in many cases, minutes – compared with the 100-day average, so attackers don’t have time to operate and organizations stay safer.

AMP for Endpoints will transform endpoint security for your organization. To learn more about Cisco AMP for Endpoints, check out our webcast, watch the video below, visit our webpage, or talk to your Cisco account representative.

[1] Cisco 2016 Midyear Cybersecurity Report

Authors

Tom Stitt

Product Marketing Director

Advanced Malware Protection