Cisco DNA Center Network Operations Center Dashboard

Background

One common request from customers is a Network Operations Center dashboard view for Cisco DNA Center.  They would like this to be open-authentication (no need for credentials) and automatically refresh.  Critical data from Cisco DNA Center, such as network device and user health can be displayed and updated for the operations team on a large screen.

Using common tools like Influx (time series), telegraf (agent) and Grafana (visualization) (TIG) it is trivial to build a small dashboard and expose it via HTTP.  Many customers are already using these tools for other dashboards.

Telegraf-Influx-Grafana stack

The only real work I need to do is write a small python script to plug into telegraf to collect network and user health data from Cisco DNA Center and convert it to a simple JSON format.

For this script I am going to use the newly released Cisco DNA Center python SDK.

Getting started

The first step is to download the code from github and create a python virtual environment. The virtualenv is recommended, but optional.

git clone https://github.com/CiscoDevNet/DNAC-NOC.git

python3 -mvenv env3

source env3/bin/activate

Next install the python requirements (the dnacentersdk). It is a good idea to update pip first, as older versions may have issues installing the SDK.

pip install -U pip

pip install -r DNAC-NOC/requirements.txt

Now test the script to ensure it is working. By default the script will try to connect to the DevNet always on sandbox.  The data collected includes device health and counts as well as user (wired and wireless) health and counts.   There is more data that you can collect by modifying the script.

$ ./DNAC-NOC/dnac_assurance.py 

{"Core.count": null, "totalcount": 14, "WIRELESS-client.count": 80, "WLC.count": null, 

"WIRED-client.count": 2, "AP.count": null, "WIRED-client.value": 100, "Access.count": null, 

"totalscore": 100, "WIRELESS-client.value": 25, "AP.score": 100, "Router.score": 100, 

"ALL-client.value": 27, "Router.count": null, 

"Access.score": 100, "Core.score": 100, "WLC.score": 100, "ALL-client.count": 82}

Script Detail

There are two APIs used to get this data seen in the code below.

“get_overall_network_health” returns the health (and count) of the network devices. They are broken into categories (WLC, router,AP, access etc).  It requires a timestamp, but that can be left empty (returning the latest).

“get_overall_client_health” returns the health (and count) of clients.  In this case I need to provide a timestamp.  That is the current time (in epoch) converted to milli-epoch (i.e. multiply by 1000).

network_health= dnac.networks.get_overall_network_health(timestamp='')

timestamp = int(time.time() * 1000)

client_health= dnac.clients.get_overall_client_health(timestamp='{}'.format(timestamp))

Telegraf configuration

I am assuming you have telegraf setup and integrated into influxdb.  As there are many blogs outlining how to install these components, I will skip over these basic steps.

The custom python script above will be run every minute and update a time series database in influxdb.  The custom.conf file contains information on how to run the script.  You need to edit this file to change the path for the python virtual environment and the script.

Once you copy the script, restart telegraf so the custom script will be executed.  The script is called every minute as the client health score gets updated every minute.

sudo cp DNAC-NOC/telegraf.d/custom.conf /etc/telegraf/telegraf.d/

sudo systemctl restart telegraf

You will now see data being populated in influxdb.

$ influx

Connected to http://localhost:8086 version 1.7.8

InfluxDB shell version: 1.7.8

> use telegraf

Using database telegraf

> show field keys from "exec_dnac"

name: exec_dnac

fieldKey	fieldType
ALL-client.count	float
ALL-client.value	float
AP.score	float
Access.score	float
Distribution.score	float
Router.score	float
WIRED-client.count	float
WIRED-client.value	float
WIRELESS-client.count	float
WIRELESS-client.value	float
WLC.score	float
totalcount	float
totalscore	float

Grafana configuration

The final step is to import a json definition of the DNAC dashboard into gafana.

First browse to gafana homepage (typically port 3000).  The select “+” -> create -> import

Import Dashboard

Next select “upload .json file”

Upload .json File

The select “grafana/dashboard.json” from the files you downloaded from GitHub.

select dashboard.json from the “grafana” directory

Then select Import.

import dashboard spec

Very soon you should see the dashboard being populated.

First data

Continue reading

New Threat Grid App for IBM QRadar SIEM

Two years ago, Cisco and IBM Security announced a strategic alliance to address the growing threat of cybercrime. This collaboration builds on each organization’s strengths and complementary offerings to provide integrated solutions, managed services and shared threat intelligence to drive more effective security for our joint customers. We continue to develop new applications for IBM’s QRadar security analytics platform and the Cisco Threat Grid app for QRadar with DSM was just released.

Cisco’s Threat Grid App integrates with IBM’s QRadar SIEM, enabling analysts to quickly identify, understand and respond to system threats rapidly through the QRadar dashboard. Downloadable via the IBM Security App Exchange, this powerful app combines advanced sandboxing, malware analysis and threat intelligence in one unified solution.

Threat Grid + QRadar enables analysts to quickly determine the behavior of possible malicious files, which have been submitted to Threat Grid, and rapidly drill down from QRadar into the Threat Grid unified malware analysis and threat intelligence platform, for deeper insight. This integration expedites the threat investigation process, with a dashboard view into the highest priority threats, delivered directly through QRadar versus having to pivot on disparate tools and interfaces.

Detailed results from the sandbox analysis of Threat Grid can be aggregated by QRadar to determine whether the potential threats within the organization are malicious or benign. Malware samples are then assigned a Threat Score, and displayed by hash value and the user which submitted the sample.

This information displayed on the Threat Grid dashboard can be used to quickly resolve threats detected by QRadar. This results in improved efficiency and optimization for security analysts, by quickly identifying the top priorities for threat investigation.

With the QRadar DSM capabilities, you can see the analysis results over time.

Also, under Log Activity, for suspicious IP addresses, you can use the right-click to see instant contextual threat intelligence from Threat Grid.

Threat Grid also integrates with IBM Resilient Incident Response Platform (IRP) for automated response and X-Force Exchange for even greater threat intelligence enrichment. For example, analysts in the IRP can look up Indicators of Compromise (IoC) with Cisco Threat Grid’s threat intelligence, or detonate suspected malware with its sandbox technology. This empowers security teams to gain valuable incident data in the moment of response.

These technology integrations between Cisco Security and IBM Security enables a more extensive security architecture for greater speed and efficiency in identifying, investigating, and remediating threats. Together, we deliver the intelligence, automation and analytics required to provide data and insights that today’s security practitioners require.

Continue reading

Business Benefits of Segmentation with Software-Defined Access

The goal of moving applications to the cloud and integrating with SaaS platforms is to satisfy the growing demand for connectivity to data resources and applications at any time, from anywhere. However, achieving that goal with high levels of Quality of Experience (QoE) for applications depends on the enterprise wide area networks. Managing QoE connectivity among campus, branch, and cloud resources naturally increases network complexity. That translates into an increase in workload for IT teams to keep up with changing prioritization of traffic, network access rules, and data security policies.

But just because a network is complex doesn’t mean it has to be complicated. A Software-Defined Architecture (SDA) is the antidote for complicated. Separating data, control, and management planes makes networks both more flexible and manageable by automating many formerly manual tasks. A significant portion of those tasks are handled by Cisco Software-Defined Access (SD-Access) working at the controller plane level, reducing complexity and improving scalability and mobility of devices and the workforce.

Empowering IT with an Architecture for Access

When people, devices, and applications are located anywhere, automating the onboarding and provisioning of them with the correct access and security policies is paramount to maintaining control and security. SD-Access applies access and security policies generated by network intents. Translating intents into actions is the foundation of Intent-Based Networking, where higher-level business intents create network access and security policies that are automatically applied to devices and people to determine access rights and security privileges.

SD-Access simplifies network management, especially for segmentation and secure access policies, but also for operational consistency, increasing productivity, and a seamless experience. In this post, we will examine the business and security benefits of automating segmentation and access control.

Automation Simplifies Network Segmentation Management

To simplify the complexity of campus-branch-cloud connectivity, SD-Access shifts the workload from IT staff performing routine tasks of onboarding every individual device and managing network configurations, to building intelligence into the network itself. The network learns to manage itself by, for example, automatically onboarding specific device types with pre-ordained security and access policies that follow people and devices across the wired and wireless fabrics, from ground to cloud.

Automating access and segmentation is also critical for the successful integration and security of the Internet of Things (IoT) and the myriad types of devices that are being deployed throughout buildings, campuses, branches, and cloud edge. As sensors, cameras, and edge-processing applications proliferate, they need to be securely added to network segments with tight control over who and what can access them, and with which services they can communicate.

Video cameras, for example, should only communicate with a video server, not an application or web server. Placing cameras and their peer servers in one segment, isolated from other enterprise network assets, is a simple way to secure video devices. As additional cameras are connected, the network recognizes the device type and automatically adds them to the correct segment. Sudden changes in attempts to communicate with resources outside the segment can indicate a takeover attempt by malware, resulting in the network isolating the device  and thwarting the malware’s attempt to move laterally through the network.

The business benefits of automating onboarding of devices are plentiful: from eliminating the need to send technicians to remote locations to securely configure devices, denying access to unknown devices to prevent infections from spreading, and enabling IT to move from routine tasks to working on innovative projects.

Cisco SD-Access gives IT time back by reducing the effort it takes to manage and secure the network and improve the overall end-user experience.

Enforce Consistent Policies Across the Enterprise

Consistency is key to ensuring people, devices, and data resources all interact according to network policies. For enterprises with many regional locations, it’s common to have instances of Cisco DNA Center for each region to provide location-specific contextual insights for faster issue resolution and capacity planning. That could complicate the consistent application of policies. Fortunately, the regional Cisco DNA Centers can leverage a master instance of Cisco Identity Services Engine (ISE) so that SD-Access can apply access and segmentation policies across each region. With this capability, SD-Access ensures that security and access policies defined by corporate IT are implemented consistently across global networks, while enabling regional control over specific aspects of workforce and device rules.

Segmentation Eases Regulatory Compliance

With all the new privacy regulations coming online across the globe, being able to demonstrate compliance with these rules is paramount to avoiding legal battles and court fines resulting from data breaches. Employing SD-Access to define segmentation to keep private information strictly separated from other business data helps organizations prove they are in compliance.

Compliance with Payment Card Industry (PCI) regulations for protecting payment card information is an example of the business benefits of segmentation that SD-Access can manage. To comply with PCI standards, payment data must be kept separate from any other IT system and limit access to specific people and processes with no external internet connections—thus contained in a “PCI Island”. SD-Access creates microsegments that effectively isolate every device and application that “touches” payment data, effectively creating virtual PCI Islands where they are needed in a global network.

Building this level of segmentation would be difficult with a manual, case-by-case approach. Assigning people and compute resources to a PCI Island security group tag (SGT) simplifies segmentation, helping to maintain compliance, saving time and minimizing rigorous PCI testing. Securing payment and personal information this way also reduces the risk of exposing sensitive data in breaches.

SD-Access Directly Benefits Business Processes Across Industries

Every industry is moving applications and data to the cloud, some faster than others, but all driven by competitive pressures, operational changes, and regulatory demands.

◈ Healthcare organizations are methodically moving sensitive patient data to cloud platforms where it can be accessed by healthcare providers distributed across regions, while ensuring that access is strictly controlled and monitored for compliance.

◈ Pharmaceutical enterprises, which use acquisitions as a growth strategy, use SD-Access to simplify their network operations and the process of integrating IT operations by first segmenting resources during the acquisition process, and then uniting them by changing access policies across the board as the acquisition culminates.

◈ Government branches, consisting of dozens of agencies, use SD-Access to streamline, unite, and secure wired and wireless network operations among the distributed workforce in offices, branches, and in the field.

◈ Manufacturing facilities, which have a complex mix of IoT devices, mobile computing, and data center resources, use SD-Access to segment traffic to provide the appropriate SLAs for latency for time-critical manufacturing processes, keep malware from spreading should one device be infected, and provide secure workforce access to the appropriate applications.

◈ Financial institutions with highly distributed sites use SD-Access—along with SD-WAN—to securely connect branch and headquarter networks while ensuring that sensitive data is accessible only to employees with the appropriate access privileges.

While each industry has its own path for designing and building a software-defined architecture based on SD-Access, ISE, and Cisco DNA Center, most achieve breakeven results in about 14 months, an ROI of 300%, and cost savings of over 52%. In addition, business benefits often shared by Cisco customers are a 67% reduction in network provisioning costs, 48% reduction in the cost of a security breach, 80% reduction in cost to resolving networking issues, and 94% reduction in the cost to optimize policies.

It’s time for your organization to examine how to benefit from software-defined segmentation based on SD-Access.

Continue reading

Automating Your Network Operations: Focus on Outcomes

When I started this blog series, I had intended to present a cohesive approach to automating your network operations, eventually leading to DevOps. The intent was to take you beyond simply automating ad-hoc tasks using contrived examples to a more systematic way of automating your network operations (hence the title). Unfortunately, I completely failed because I presented it in an ad-hoc way. So in this blog, I am going to go back to the beginning: What are we trying to achieve?

Before I do that, I want to introduce a new blogger, Jason King. Jason and I have a very similar background in operations and development. We’ve both spent a large part of our careers on the front lines designing, building, and operating large systems and networks and hope to leverage that experience in our blogs, repos, and other works. With his help, hopefully we can get the series moving more smoothly.

Automated Humans vs. Automated Business

Do we just want a human to be able to perform a single operation faster? If so, then we might not actually achieve that. Why is this? Automation is geared at deploying single or multiple changes across a large number of devices. However, many changes do not fall into this category.

Engineering vs. CRUD

There are basically two types of changes that are made to a network in steady state operations:

◈ Architectural/Engineering: These are changes to the architecture of the network (e.g. Routing, QoS, Multicast) that generally affect the entire network. It is also the architecture for how new services are deployed (e.g. tenants, remote sites, etc.)

◈ Create, Read, Update, Delete (CRUD): These are changes that deal with delivery of network services to a particular customer or application (e.g. putting a port in a VLAN, adding an ACE to an ACL, or adding a load balancing rule).

The rigor of DevOps is absolutely the way to make major architectural changes to a network because of the network-wide effect that these changes have and the relatively small number of changes that occur.

CRUD is often different, however. While making a single change (e.g. SNMP Community Strings) on thousands of devices is an operation for which the overhead of DevOps is justified, that same overhead may significantly slow down operations involving a single change on a single device (e.g. changing a port VLAN).

The DevOps overhead is not necessarily a bad thing, even for small changes. There are significant advantages in enforcing configuration management, revision control, code review, and testing on every change. It does not, however, always make network operations faster or easier. This increased friction can make it unpalatable to many network teams and hinder adoption.

Constraints-based IT

There is also the Theory of Constraints with states that “any improvements made anywhere besides the bottleneck are an illusion.” (Eliyahu M. Goldratt, 2014)

This means that if you are automating processes that are not slowing down your business, you are not having an effect on your business. The entire effort is potentially a waste of time and money. That is why automation should begin with a thoughtful process that identifies the most important outputs of your infrastructure and what the current bottlenecks are in producing those outputs.

In general, automation is going to provide your business two main improvements:

When your enterprise produces customer value faster (e.g. onboarding new customer and/or offering new services), the business generally brings in more revenue. Adding a faster time to remediation (e.g. less maintenance and quicker trouble resolution) reduces operating costs and increases customer satisfaction. When done right, it is a powerful combination proves the best outcomes for any automation project.

This is why we must focus on automating business processes and not just humans. In fact, the best way to automate a business is to remove the human from the process, at least from that value chain between the customer’s request and the delivery of that request.

“If it does not have an API, it does not exist”

– Mitchell Hashimoto

Automating Business Processes: API-Driven Automation

When we consider how to automate business processes, we must focus on reducing the time between the time a customer requests a new service and the time they receive that service. Humans, generally, are not the best way to reduce this time, which is where APIs come in. APIs allow each step of the process to be automated.

For example, when a user wants to add a firewall exception for a new server, they can go to a self service portal to make that request. That request can then go through the review process to make sure that it is aligned with business policies (hopefully automatically) and appropriately approved. Once it is approved, the ITSM pokes the automation framework through an API to begin the delivery of the service. The advantages of this approach is that:

1. It takes the network team out of the CRUD

2. It allows the network team to define and put checks around how changes to the network are performed

Hold the phone!

We are going to let a customer request a complex service with potentially harmful repercussions without having a human in the loop??? Well … yes. But even if you do need a human in the loop, you don’t need an entire team of them in the loop. And in either case, that is why DevOps is important. DevOps is not just automation, it is the development, testing, deployment, and validation of the artifacts that provide the service. If you properly develop and test these artifacts, you can be reasonably assured that the process does not go pear shaped. If you do the proper validation of deployed services, you can “fail fast” back to a previous version of the artifacts.

DevOps is the safety harness for automation, but that does not mean that you cannot start automating without it. In fact, very few organizations are able to implement a righteous DevOps pipeline in one go. The DevOps journey should be viewed as a stepwise approach to delivering business value. In this blog, we have provided some criteria for how to determine what to automate in order to achieve maximum value. You should not automate just to automate. Start with automation that addresses your critical business needs that fall into the categories outlined above, but always keep an eye on the end goal of building toward DevOps processes and, ultimately, business transformation.

What’s next?

Well, instead of writing blogs over the past 6 months, we’ve been working with a team of people to create a CI/CD pipeline for SD-WAN. Not a set of examples of what you could do, but a fully functional, operationally righteous framework that we and our customers use in their operations. To get there, we wrote Ansible modules for Viptela, VIRL, NFVIS, and PyATS that automate every step of the process. We’ll cover this in our next blog, followed by an in-depth treatment of each component and how to consume it individually on your stepwise path to DevOps.

Continue reading

How to Prepare for 200-105 exam on CCNA Routing and Switching?

Exam Name: Interconnecting Cisco Networking Devices Part 2

Exam Code/Number: 200-105 ICND2

Exam Overview: 

Cisco CCNA 200-105 Routing and Switching (ICND2) exam tests a candidate's knowledge and skills related to LAN switching technologies, IPv4 and IPv6 routing technologies, WAN technologies, infrastructure services, and infrastructure maintenance.

Practice Exam: Cisco Certified Network Associate Routing and Switching Practice Test

Sample Questions: Cisco 200-105 Sample Questions

Continue reading

Mobile Operators and 5G: Evolving into Digital Service Providers

5G is a revolutionary technology that’s expected to enable Industrial Digitization. It envisions a digital network that enables society to become mobile and connected, while driving value creation in sustainable business models. 5G implementation will have an impact in social and business developments some of them would be as:

◈ High-capacity or high-performance outdoor and indoor broadband access in high density spaces
◈ Increased user mobility
◈ Proliferation of Internet of Things (IoT) devices
◈ Extreme real-time communication
◈ Ultra-reliable and lifeline communications

With 5G technology powering the next wave of business ecosystems and capabilities, a new and diverse revenue mix will be created for mobile operators who can turn their mobile networks into platforms for deeper interaction with content and services. This transformation to digital service providers will facilitate the creation of new disruptive business models coupled with lean operational efficiency. While this evolution has the potential to drive revenue streams for service providers into enterprises and vertical solutions, it is a significant business and technology transformation that must be visualized in an end-to-end fashion. The technology transformation is underpinned by the Network as a Service (NaaS) model, which creates a slice in the network to carry various types of traffic and service SLAs over a single network.

The Business Proposition for 5G

The new network infrastructure will address exponential bandwidth demands, massive logic scale, and the rise in low-latency requirements from new applications and services in an efficient, automated, and programmable manner using a flexible and agile network fabric.

Operators can grow Enterprise revenue streams through use cases like Fixed Wireless Access (FWA) and create varied business models as 5G enables IoT, machine-to-machine communication at scale, and low latency services, also known as ultra-reliable low-latency communication (URLLC).

The adoption of technology advancements in the radio domain also offers the potential for operators to accelerate the implementation and monetization of massive multiple-input and multiple-output (MIMO) technology. MIMO allows the dynamic transmission of data as highly focused beams to send and receive multiple data signals simultaneously over the same radio channel, with multiple users using the same time and frequency resources through millimeter wavelengths and small cells.

Bringing possibilities to life using Network as a Service (NaaS)

For operators to provide the use cases detailed above, the network must be used as a Service. There will be a need for a flexible, dynamic network configuration based on user-specific service requirements, as opposed to a one-size-fits-all architecture. To achieve the Network as a Service approach, network slicing – a critical service feature, is introduced in 5G technology. This feature, coupled with a slice orchestration engine, working in tandem and across various domains, as well as software-defined networking (SDN) controllers, allow operators to offer the NaaS solution to their enterprise customers.

Network slicing allows multiple logical networks to be run as virtually independent business operations on a common physical infrastructure. Network slicing provides a network with user-specific functionality without losing the economies of scale of a common infrastructure. Network slicing will be an end-to-end solution approach, traversing across the different layers of the packet network from access to core. For implementation, Network slicing will require platforms to be much more programmable, intelligent, and flexible in order to cope with heterogenous environments and requirements.

The new services enabled by 5G will require that separate slices can be provisioned for different services based on the operator’s requirements, as well as those of the enterprise customer. Network slicing can be a combination of hard and soft slicing; hard slicing comprises the creation of separate planes or topologies with dedicated links, while soft slicing is a logical isolation and traffic classification using VPN and quality of service (QoS).

In the 5G era, a single network infrastructure can meet diversified service requirements. A 5G E2E network architecture is envisaged to have the following attributes: Provides logically independent hard and soft network slicing on a single network fabric to meet diversified service requirements and provides Telco Cloud consisting of DC SDN fabric and virtualization stack, providing a platform to host 5G infrastructure services as well as business services. Radio disaggregation and virtualization will reconstruct radio access networks (RAN) to provide massive connections of multiple standards and implement the on-demand deployment of RAN functions required by 5G. This also simplifies the core network architecture to implement the on-demand configuration of network functions through control and user plane separation, on-demand distributed functions and workloads, and unified orchestration and management.

The key tenets of 5G network transformation

Traditionally, mobile operators have had network architectures that are complex, rigid, monolithic resulting in high operating costs. To be operationally efficient, agile and to deliver NaaS, Service Providers will have to transform to Network Cloud architectures for 5G. The key tenets of this transformation are as follows:

◈ Transport simplification 

     ◈ To reduce the number of devices from access to core, states and protocols on the IP transport layer with stringent timing considerations

◈ Network functions virtualization (NFV) 

     ◈ Benefits include virtualization, disaggregation, agility and the ability to drive Capex savings leveraging non-modified opensource technologies

◈ Distributed Edge Cloud 

     ◈ Hosting services at the network edge translates to bandwidth savings and a better user experience while reducing touchpoints for network operations and management if deployed correctly

◈ SDN and Orchestration 

      ◈ To build an automated network service and analytics framework visualized to a network management for reduced time to market and improve operational efficiency

Bringing it all together: Cisco 5G

Network as a Service is a key framework for operators to monetize 5G. Cisco’s approach is to build a programmable, packet-based network architecture with orchestration and closed-loop automation. This takes place across various domains of the 5G network like Transport networks, Central and Distributed Edge data centers to host cloud-native network functions in an agile manner. This approach empowers operators to transform holistically from the one-size-fits-all approach to a dynamic network slice architecture to capitalize on the opportunity 5G will bring.

Continue reading

Cisco Advanced Malware Protection for Endpoints Awarded AV-Comparatives’ Approved Business Product Award

We are very pleased to share the news that our Advanced Malware Protection (AMP) for Endpoints won the Approved Business Security Award from AV-Comparatives. And we’re happy about this for a couple of reasons.

Most vendors’ marketing materials look great, your organization exists in the real world. So, having an independent third-party conduct months of testing against our technology, and us coming out a winner, helps to show the world what our customers already know: that the strength, flexibility, and ease of use of our endpoint security establishes our leadership. We have over a decade of experience in endpoint protection through Immunet (creators of AMP) and Sourcefire (creators of ClamAV).

AV-Comparatives’ Business Main-Test Series ran from March to June and consisted of two, in-depth tests:

The Malware Protection Test

This test ran in March and consisted of having 1,311 malware samples thrown at us during that time. A passing score required a 90% or higher detection rate and this time zero false positives. We did very well scoring a 99.8% with zero false positives.

The Real-World Protection Test

The idea here was to mimic what happens in, well, the real world. This test ran from March to June and was based upon 732 test cases. The focus here was on user behaviors such as clicking malicious links, opening malicious email attachments, etc.

An efficacy score of 90% or higher and a false positive count of 100 or less were the criteria to pass this test. And, we came in with 98.9% and ranked in the lowest false positive group.

In short, AMP for Endpoints achieved test results that demonstrated a balance of strong protection rates with very low false positives. AV-Comparatives also highlighted Cisco’s broad endpoint platform support and relative ease of deployment.

Beyond antivirus

Secondly, we view this report as further evidence that the security world has moved past the legacy world of antivirus. I’m not saying antivirus doesn’t have a role to play in endpoint security. Our own ClamAV is one of the several mechanisms that AMP for Endpoints uses. What I am saying is that the ‘antivirus as a sole means of endpoint protection’ ship has sailed – and sailed a long time ago.

The biggest problem with antivirus is that it’s not operationally efficient. That means a lower return on your investment and weaker protection of your business. Back in my IT days in the late 90s and early 2000s, antivirus was a big deal, but it was tough enough to administer when I was at a small, two-office operation let alone when I moved up a 50,000-user, global enterprise. And when the Love Letter worm hit us in 2003, that was a couple days and nights of manual remediation for our entire department, worldwide, because antivirus couldn’t remediate the problem or identify infected hosts.

Now fast forward to today’s world of fileless malware and multi-vector attacks that combine email, web, endpoints, etc. What’s antivirus going to do about those? The answer is pretty obvious.

What was surprising for me to learn recently was that the majority of organizations out there still rely on antivirus for their endpoint protection. I attribute this to deployment fatigue. Rolling out software is hard. I know. I’ve deployed my share of enterprise software. The good news about AMP for Endpoints is that we can be up and running quickly, as noted on page 28 of the AV-Comparatives report:

“Getting started with Cisco Advanced Malware Protection for Endpoints is very straightforward. The console requires no setup, and deploying the client software is quick and easy.”

The Big Picture

We believe it’s important to put our technology to the test and we feel the results speak to how our solution helps our customers protect their organizations. (I’ve included links to other real-world tests below.) We also believe that strong endpoint protection comes from being a part of an integrated security portfolio. One that dynamically shares the latest threat intelligence is the most effective way to defend against modern attacks. And we’ve designed our integrated security portfolio to do exactly that. But that’s another story for another day.

Continue reading