Showing results for 
Search instead for 
Did you mean: 

Advantage to using AMP for Endpoints + AMP for Network (FirePower) + Umbrella?

Right now we use Umbrella for endpoint security and FirePower with AMP for network security. I think this is a good solution since we get the advantage of DNS level protection on all computers, even if they are outside of our network. But we also can use FirePower with AMP to protect against malicious files traversing our network. 


It was recommended to us that we buy AMP for Endpoints to better secure our environment. My question to the community is, is this overkill? We already have AMP for Network with FirePower, so would AMP for Endpoints add any more protection? 


I understand that AMP for Endpoints will protect devices that are outside of our network (away from FirePower), but that is what we have Umbrella to protect us for. I also understand that AMP for Endpoints will scan files and devices inside of our network and before it traverses the FirePower, but doesn't the malware need to go across our network at some point, thus having FirePower/Umbrella block it?


Does anyone have all three of these products in their environment and can speak to how they work together? Any recommendations from the community if it is worth adding AMP for Endpoints?


Re: Advantage to using AMP for Endpoints + AMP for Network (FirePower) + Umbrella?

No, it's not overkill to have Amp for Endpoints as well, there are other ways for malware to get to machines that Umbrella won't catch. Umbrella doesn't look at content for most traffic, it looks at DNS... so if you allow webmail, and someone gets sent malware, Umbrella won't stop the attachment download. Umbrella won't stop my workstation running a worm from hitting the machines on my subnet... Firepower may catch that, but you'll still have 100 machines to clean up...
Also AMP will show you what exactly happened on a machine when something does get through, and there are interesting things coming (e.g. endpoint isolation, Orbital).
I have all of them. They all report data to/can be queried from Cisco Threat Response (CTR), Firepower incidents can be sent to CTR so its sort of SEIM like... There's an integration between AMP and FMC, so you can use FMC as a starting point for incidents if you want... They're still shaking out ways to tie all of these pieces together...