Ironport Email Security, AMP Add on, is it worth the extra cost?

NPT_2 · ‎12-14-2015

I am looking at Cisco's IronPort Email Security Solution in the Cloud which seems to be a very good product. However, I am debating whether the extra features in the Advanced Malware Protection is worth the extra cost or if the base solution will be sufficient to protect our email from spam, malware, and viruses?

If you are running the IronPort Email Solution (either standalone or in the Cloud) are you also running AMP and is it worth it?

Jim

Paul Cardelli · ‎12-17-2015

I have installed it in two environments. AMP does add an extra layer of security to a commonly used area to deliver advanced and zero day exploits to your users.

AMP for ESA is focused on common file manipulations in emails. Anything suspicious will be sent back for further analysis. If it can't make a decision immediately it will still deliver the message.

For any messages that it delivered and found that it was malicious after the fact (99% of these were already marked as spam anyways), it will list it in the Update Verdict Dashboard. You can then search and see where all these messages when.

An added feature is the ability to search all files that have been delivered by SHA256 hash. Which is very good for those times when you want to know if a malicious file has entered your environment.

Problem with relying on just a definition based AV such as McAfee or Sophos, is that they don't catch everything. Usually in the area of 5% of active viruses. AMP helps fill the gap, and even tells you what was missed. I recommend both Sophos and AMP on Ironport for this reason. Think of AMP as the last line of malware defense before delivery.

And yes, I have several viruses with AMP over the past year, that would have been missed by other AVs