Products and Services

Cisco AMP Deployment Options

February 19, 2019

Cisco AMP or Advanced Malware Protection, is Cisco’s answer to the Next Generation of detection, visibility, control, and protection against advanced threats for today’s internet connected world. AMP gives you real-time blocking of malware and advanced sandboxing, that is backed up by world class global threat intelligence, to provide rapid detection, containment and removal of advanced malware.Cisco AMP comes as a subscription-based security service, that is integrated into a broad range of Cisco Security products and is available with a variety of deployment options. These options look to enforce Cisco’s model for ‘AMP Everywhere’. Three main areas cover these deployment options:

  • Protect your Network with ‘AMP for Networks
  • Protect your Endpoints with ‘AMP for Endpoints
  • Protect your Web and Email traffic with ‘AMP for Web and Email security

AMP for Networks

Let’s start with Cisco AMP for Networks. Originally designed for operation with the Cisco Firepower network security appliances, AMP for Networks delivers real-time security enforcement at the network layer, to detect, track, analyse and remove threats.With AMP for Networks, analysis of files doesn’t end when the files enter the network, continuous analysis, and tracking of files (through File Trajectory), occur as they move around the network.By using the Talos groups global threat intelligence, network defences are strengthened by informing the security devices to block malware, through the use of known bad file signatures.Suspicious files can be captured and sent for further analysis using the Threat Grid advanced sandboxing integration. This executes and analyses the file in a safe and secure environment so there is no risk of potential malware spreading.AMP for Networks is currently available on the Cisco platforms listed below:

  • Cisco NGIPS (Next Gen Intrusion Prevention)
  • Cisco NGFW (Next Gen Firewall)
  • Cisco ISR Branch routers
  • Meraki MX Security Appliances

AMP for Endpoints

AMP for Endpoints gives advanced visibility into the file activity and behaviour on your computer endpoints, using continuous static and dynamic analysis to detect and remove malware.AMP for Endpoints prevents attacks by using, the latest global threat intelligence to strengthen endpoint defences, built-in anti-virus (AV) engines to detect and block attacks based on known malware signatures, and proactive protection capabilities that shutdown attacks and minimize vulnerabilities.Built-in sandboxing technology (Threat Grid integration) can be used to analyse unknown files for malicious behaviour.Our previous post What is Cisco AMP for Endpoints? goes into this option in more detail.AMP for Endpoints currently protect devices such as:

  • PCs and Laptops
  • Servers
  • Microsoft Windows
  • Apple Mac OS
  • Linux
  • Android mobile devices

Cisco AMP for Endpoints is also available for Apple iOS mobile devices, but in partnership with Apple, Cisco have agreed to rename AMP to Cisco Clarity. Cisco Clarity is deployed to iOS devices via the Cisco Security Connector. The Cisco Security Connector incorporates a bundle of features, which include both Cisco Clarity (AMP for Endpoints) and Cisco Umbrella.

AMP for Web and Email security

The third option extends the AMP features discussed above to Web and Email security products.In recent years, web traffic and even more so, email traffic have become the primary transport methods for the launching of the cyber-attacks we see today.With Web traffic, AMP provides comprehensive protection against web-based threats and file downloads. Malicious files can be present anywhere on the internet, even on legitimate good websites, so AMP inspects all downloaded files to give you the confidence to determine whether they are safe or not.For Email traffic, AMP analyses your company emails for the presence of threats; this includes exploits hidden in email attachments, as well as protection against ransomware, phishing, and advanced email attacks.Like the other options AMP continuously watches and records the activity of files that pass through the web and email gateways, and it does this regardless of whether the file is good or bad. If a good file turns bad, AMP sends a retrospective alert, so the malicious file can be contained and removed.Cisco brings AMP based Security to the following:

  • Cisco Email Security Cloud
  • Cisco Email Security Appliance
  • Cisco Web Security Appliance
  • Cisco Umbrella – Secure Internet Gateway

Open Integration and automation is key

Although each of these options on their own deliver excellent next generation malware protection, the brilliance comes from the open integration and automation that exists between each of the products running AMP. All options and products above use AMP to work together and ensure that your organisation is secure.Retrospective security is another key component of AMP, which via the use of continuous monitoring, not only informs us if an unknown or good file turns bad but understands the full extent and root cause of the infection, allowing all instances of the file to be blocked or removed.Verdicts on the status of a file can change dynamically in AMP, this status is referred to as ‘a files disposition’. The files disposition in the AMP Cloud can change based on analysis performed by the Talos research teams or via Threat Grid analysis.For example, let’s say AMP sees a file appear on the network which has an unknown disposition, if that files disposition changes to bad, the AMP cloud will be updated, which in turn pushes the status to all the AMP enabled products. AMP will know where that file has been seen before, therefore can go back and contain the threat automatically. All future detection's of this file will be blocked.


The options discussed above realise Cisco’s holistic approach of AMP Everywhere. With AMP positioned in more places throughout the network, we get increased visibility to malicious activity and multiple points where this activity can be controlled.

Through the delivery of AMP, you can achieve the following business outcomes:• Accelerate Security response• Make the unknown, known• See malware once and block it everywhereHopefully you can start to see that through this approach you can have a suite of security products that not only provide next generation levels of protection, but also have excellent levels of cross platform integration, delivering significant improvements to your overall security, through automation and retrospection.Ironshare are a small, niche security consultancy focused on delivery of fast and efficient solutions to businesses. Our experienced team aim to provide a fully managed service that takes the strain away from your employees and allows you to focus on your core business.At the time of writing Ironshare focuses on providing services relating to AMP for Endpoints, as along with Umbrella we feel that these cloud services fit with our mindset of simple security and provide the biggest immediate benefit to our customers. Email security is on the roadmap for inclusion as our portfolio increases, so watch this space for more information.Ironshare – Security, SimplifiedIf you have any questions or would like to get in touch – please Contact Us here .


Stuart Hare is a Technologist with a passion for helping people in all aspects of IT & Cyber Security. Stuart is the Founder of Ironshare, an Information and Cyber Security company providing consultancy and managed services.

Samuel is a Security Analyst with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.

Joshua is working as a Managed Service Lead with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.


Ironshare is a provider of Information and Cyber Security services.

we went with; wizard pi