We changed our name from IT Central Station: Here's why
Get our free report covering CrowdStrike, Microsoft, SentinelOne, and other competitors of Blackberry Protect. Updated: January 2022.
563,327 professionals have used our research since 2012.

Read reviews of Blackberry Protect alternatives and competitors

Enterprise Security Architect at a recruiting/HR firm with 10,001+ employees
Real User
Top 10
Single pane of glass allows us to run a lean team while protecting tens of thousands of endpoints around the world
Pros and Cons
  • "SentinelOne also provides equal protection across Windows, Linux, and macOS. I have all of them and every flavor of them you could possibly imagine. They've done a great job because I still have a lot of legacy infrastructure to support. It can support legacy environments as well as newer environments, including all the latest OS's... There are cost savings not only on licensing but because I don't have to have different people managing different consoles."
  • "If it had a little bit more granularity in the roles and responsibilities matrix, that would help. There are users that have different components, but I'd be much happier if I could cherry-pick what functions I want to give to which users. That would be a huge benefit."

What is our primary use case?

We use it for endpoint protection. It's an active EDR endpoint protection tool. Think of it as an antivirus and endpoint protection solution with machine learning, like McAfee on steroids.

In our company it is deployed in 83 countries and on over 40,000 workstations and servers.

How has it helped my organization?

It provides incredible visibility in a single pane of glass. The dashboard gives me visibility over all the endpoints, which are broken down by country, and then broken down within each country by brand and machine type. It provides a very simple way for me to understand if

  • we're being targeted globally
  • my endpoints are actively being attacked
  • we have outstanding issues in any one region
  • we have malicious activity.

In addition, it logs to my SIEM tool, cloud-natively, which makes it a very effective weapon to help diagnose and remediate any potential bad actors in my environment.

The Behavioral AI feature for ransomware and anti-malware protection does an outstanding job of identifying abnormal behavior patterns in my environment. Once we allowed it to sit in learning mode for about 30 days, we switched all our endpoints into what is called Protect mode, instead of Detect mode. With Protect mode, we have different functions available to us, such as kill, quarantine, identify, and rollback. Using those features, we are really able to protect our endpoints much better. We take advantage of the fact that we have a machine, or an automated process, governing our endpoint protection. That reduces the total headcount needed to babysit my environment.

Furthermore, Behavioral AI recognizes novel and fileless attacks and responds in real-time. It improves my security, reduces my total cost of ownership and management, and provides enhanced protection for what is now a highly mobile population. Due to COVID-19, we have had to take most of our workforce, and that's over 40,000 people around the world, and give them access to work remotely through a series of different mechanisms. In doing so, we felt much more comfortable because we have this endpoint protection tool deployed. It provides us not only the visibility into what the tool is doing and how it's protecting us, but it allows us to look at what applications are installed, what IP range is coming on, and what network it's sourced from.

And with Ranger we're able to help identify additional networks. Using SentinelOne with Ranger, allowed us to take a look at some of our smaller offices in Asia Pacific where we didn't have exceptional visibility.

We also use the solution’s automatic remediation and rollback in Protect mode, without human intervention. I want to protect mode for both malicious and suspicious, and that is in Protect mode. Having turned that on, we saw no negative impact, across the board, which has been an outstanding feature for us. It does save time on having to go in and identify things, because we allowed it to run in learning mode for so long. It learned our business processes. It learned what's normal. It learned file types. It learned everything that we do enough that, when I did turn that feature on, there were no helpdesk calls, no madness ensued, no people complaining that files were being removed that they needed. It worked out very well for us. 

We also use the solution’s ActiveEDR technology. Its automatic monitoring of every OS process, at all times, improves our security operations greatly. There is a learning time involved. It has to learn what processes are normal. But the fact that it's actively engaged with every process—every file that moves across it, every DLL that's launched, whether or not it's automated or process-driven—everything is viewed, inspected, and categorized. And it allows us to have enhanced visibility that ties directly into the Deep Visibility. I can look at and help identify behavior patterns. 

For example, yesterday I wrote a series of queries for Deep Visibility that are based on MITRE ATT&CK parameters. Those give me reports, on a daily basis, of how effective this tool really is because I can use MITRE ATT&CK engine parameters to help define what's going on. Even if something is not considered malicious behavior by the tool itself, if I take that information and couple it with information I can pull from Tanium and information I pull from other tool sets, and aggregate that into my SIEM tool, my use case is provided. I get more positive and actionable intelligence on how my endpoints are behaving. If I have somebody out there who is doing testing of software, I can pick that out of a crowd in a second.

We have application control and containers available. Since we have AWS, Azure, and a myriad of cloud platforms, it's been hugely beneficial to us. Considering that we are endeavoring, as an organization, to move into cloud-based solutions, this has been a huge benefit.

Overall, SentinelOne has absolutely reduced incident response time. It's instantaneous. It has reduced it by at least 95 percent.

I use the tool to help me determine how well my other tools are working. For example, we have a role called a RISO, a regional information security officer. Those people are responsible for regions of the globe, whether it be Latin America, Asia Pacific, or AMEA. The RISOs now use the tool because it can help them identify other tools we have rolled out, like Zscaler. They can go into the SentinelOne console and query for Zscaler and look at all the machines in their environment and determine what the delta is. It allows people with different levels of knowledge and different roles in an organization to have visibility. It's been outstanding. That, in and of itself, makes it a better tool than its counterparts and it makes it usable for non-technical and non-security people.

We get the long-term strategic benefits of having enhanced visibility and the more short-term tactical benefits of knowing that our endpoints are protected, the visibility is there, and that no matter what lands on top of it, it's going to get taken care of.

What is most valuable?

The most valuable feature of the solution is its ability to learn, the fact that once you tune it correctly, it knows how to capture and defeat malicious activity on the endpoints. It's not set-it-and-forget-it, but it does give me a much more comfortable feeling that my endpoints are secure and protected from malicious behavior.

SentinelOne also provides equal protection across Windows, Linux, and macOS. I have all of them and every flavor of them you could possibly imagine. They've done a great job because I still have a lot of legacy infrastructure to support. It can support legacy environments as well as newer environments, including all the latest OS's. The latest Mac OS X that's coming out is already supported and in test for our organization. The complete coverage of every OS that we have in our environment has been a huge benefit because I don't have to have different tools to support them. There are cost savings not only on licensing but because I don't have to have different people managing different consoles. For me, having single pane of glass visibility is incredibly important because we run a very lean team here. We are a skeleton crew governing all 83 countries. In doing so, it provides us the ability to do a lot more with a lot less.

I use the Deep Visibility feature every single day. It is outstanding because I just create hunting cases and then I can load them. I can figure out what queries I want to run and I can go digging. And with the queries that I have built for the MITRE ATT&CKs, it makes it very simple to identify something. And now that I have reporting set up based on those queries, I get emails every day.

Using Deep Visibility I have identified a threat and figured out information about it. I've also used Deep Visibility to be proactive versus reactive as far as my alerting goes. I know that SentinelOne will protect my endpoints, but there's also a case where there isn't specific malicious behavior but the patterns look malicious. And that's really what I'm writing these queries for in Deep Visibility.

Here's an example. You can do a lateral movement in an organization. You can RDP to one server and RDP to another server, depending on how your software defined perimeter is configured. Unless you do something malicious, SentinelOne will look at it, but it won't necessarily stop it, because there is no malicious activity. But I can write a query in Deep Visibility to show me things. Let's say somebody breached my secure remote access solution. With the Deep Visibility queries that are being run, I can see that that one machine may have RDPed to a server and RDPed to another server and been jumping around because they may have gotten compromised credentials. That can be reported on. It might not have been malicious behavior, but it's an activity that the reporting from Deep Visibility allows me to pursue and then do a deeper dive into it.

What needs improvement?

If they would stop changing the dashboard so much I'd be a happy man. 

Also, if it had a little bit more granularity in the roles and responsibilities matrix, that would help. There are users that have different components, but I'd be much happier if I could cherry-pick what functions I want to give to which users. That would be a huge benefit.

The nice thing about SentinelOne is that I get to directly engage with their leadership at any time I want. That allows me to provide feedback such as, "I would like this function," and they've built a lot of functions for me as a result of my requests. I don't really have much in the way of complaints because if I want something, I generally tend to get it.

For how long have I used the solution?

I have been using SentinelOne for about 14 months now.

What do I think about the stability of the solution?

It's incredibly stable. We really haven't had any significant issues. There have been a couple of things here and there where certain versions of the product weren't disabling Windows Defender effectively. I think that was predicated on a GPO that we identified that had been accidentally linked and that kept turning Defender back on again. The issues were very trivial things.

How are customer service and technical support?

I talk to my TAM once a week, minimum. I think I have the best customer support in the business.

I had an issue that I raised a couple of weeks ago and within minutes I had an army of engineers working on it. By the end of the week, I had senior management calling me asking me what else I want, what else I need, and how else they could help me. 

They go all-in. I have never had to wonder or concern myself with whether I will be getting adequate support? Will the support be on time? Will the support be effective and accurate? Not once, not ever.

I have such a close relationship with the team, not only the team that sold it to me but the team that supports me. We call each other on a first-name basis and we talk about how we're doing. It's that kind professional relationship. That's how good it is.

Which solution did I use previously and why did I switch?

Before, we had a mix of dozens of different solutions across the enterprise. We didn't have any one, ubiquitous solution. We had a mix of McAfee and Panda and Kaspersky. You name it, we owned a copy of it, and that didn't provide a unified field of view. It also didn't provide the best protection that money can buy and, in my opinion as a professional in this industry for 25 years, this is the best protection money can buy.

How was the initial setup?

The initial setup of SentinelOne was very simple. I packaged the executables into MSIs, including the token ID, I created a package in Tanium, and I dropped it on all the workstations. I was able to deploy it to over 40,000 endpoints in 35 days.

When you govern as much real estate as I do, meaning the number of endpoints and the number of different business units that those endpoints comprise, there had to be a deployment strategy for it. I broke it down into countries, and in each of those countries I broke into brands and I broke it into asset types, whether they be servers or workstations, whether they're mobile or localized. It's not difficult to push out there, as long as you create exclusions. I used my legacy tools in parallel with this for a month and still never faced any issues.

For any organization, if you have any kind of deployment mechanism in place, you could put your entire workforce on this and it wouldn't matter how many endpoints. If they're online and available and you have a deployment solution, you could do it in a month, easily, if not less. I could've done it much faster, but I needed to do a pilot country first. I did all the testing and validations and then, once we went into production mode, it was very fast.

What's my experience with pricing, setup cost, and licensing?

I got a really good deal so I'm very happy with the pricing.

Which other solutions did I evaluate?

I looked at everything. I looked at CrowdStrike, Cylance, Carbon Black, and I had McAfee as the largest of the incumbents. I tested them all and I validated them all and I pushed every malware virus—everything in my collection—at them. I built a series of VMs to test and validate the platform. I tested against multiple operating systems. I tested against downloads, I tested against uploads. I tested visibility. I did this entire series of tests and listed out 34 or 35 different criteria. And at the end of the day, SentinelOne came out on top.

One of the huge benefits of SentinelOne is the Full Remote Shell. That has been an incredibly useful tool for me.

Cylance came in second. It has very similar functionalities, very similar builds, but not a full remote shell. It had the single pane of glass dashboard, but the visibility I get out of SentinelOne, as well as the protection and the capability to run the Full Remote Shell pushed it over the top.

Carbon Black was nice, but I had to run two different dashboards, one cloud and one local. I couldn't get single pane of glass visibility from that.

When I tested SentinelOne against all the engines, they all pretty much found everything. Mimikatz was the deciding factor. A couple of the solutions flagged it but didn't remediate it. SentinelOne just rolled everything back as it started to discover it. It actually pulled the installer out, so that was nice. 

A lot of new technologies that are out there are very similar. They are pulling from public threat feeds and other learning engines. But if you compare and contrast all the features available, SentinelOne is just going to edge everybody else out. And they're constantly evolving the product to make it more efficient and to have a smaller footprint too. When they came out with Ranger, we were still doing some network discoveries around our environment to try to figure out exactly what was still out there. That came to be a very useful tool.

It really just shines. If you compare it to everybody else there are a lot that come close, but nobody else can really quite get to the top. SentinelOne really gives you the best overall picture.

What other advice do I have?

Do your homework. I would encourage everybody, if you have the capabilities, to do what I did and test it against everything out there. If you don't have those capabilities and you want to save yourself a lot of time, just go straight to SentinelOne. I cannot imagine any organization regretting that decision. With the news stories you read about, such as hospitals under attack from malware and crypto viruses—with all the bad actors that exist, especially since the pandemic took over—if you want to protect your environment and sleep soundly at night, and if you're in the security industry, I highly encourage you to deploy SentinelOne and just watch what it's capable of.

I don't use the Storyline technology that much simply because I'm really turning this into a more automated process for my organization. An example of where we may use Storyline is when we download an encrypted malicious file. Let's say that email was sent to 500 people. If it gets through our email gateway, which is unlikely, I can not only identify those users quickly, but I can also use the Storyline to determine where it came from, how it got there, and what it was doing along the way. And while it killed it, it will tell me what processes were there. It helps us create and identify things like the hash, which we then summarily blacklist. Overall, Storyline is better for identifying what had happened along the way, but after the fact. For me, the fact that it has actually taken care of it without me having to go hunt it down all the time is the real benefit.

The only thing we don't take advantage of is their management service. We do have a TAM, but we don't have Vigilance.

For top-down administration, there's only about six of us who work with the solution. For country level administration, we have one or two in every country in those 83 countries.

We run a myriad of different front office and back office environments. SentinelOne had to learn different environments in different countries. It had to understand the business processes that are surrounding those. We did a substantial amount of tuning along the way, during the deployment. And then, of course, there are agent updates and there are considerations when you get a new EA version and are creating test groups. But, as an organization, we have reduced our total cost of ownership for our EPP platform, we have improved our visibility a hundred-fold, and we have maintained our data integrity. It really is the one end-all and be-all solution that we needed.

It's a home run. I've been doing this a long time and I've done this in over 48 countries around the world. Given what we do with this product and the visibility it has given us and the protection it has given us, I feel very comfortable with my security right now.

Which deployment model are you using for this solution?

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Mark Bonnamy
Technical Director at Ridgewall Ltd
Top 5
Targets issues more accurately, helping us to focus high-cost engineering resources more accurately
Pros and Cons
  • "If somebody has been compromised, the question always is: How has it affected other devices in the network? Cisco AMP gives you a very neat view of that."
  • "The ability to detonate a particular problem in a sandbox environment and understand what the effects are, is helpful. We're trying, for example, to determine, when people send information in, if an attachment is legitimate or not. You just have to open it. If you can do that in a secure sandbox environment, that's an invaluable feature. What you would do otherwise would be very risky and tedious."
  • "...the greatest value of all, would be to make the security into a single pane of glass. Whilst these products are largely integrated from a Talos perspective, they're not integrated from a portal perspective. For example, we have to look at an Umbrella portal and a separate AMP portal. We also have to look at a separate portal for the firewalls. If I could wave a magic wand and have one thing, I would put all the Cisco products into one, simple management portal."

What is our primary use case?

We needed an endpoint security product and this was the one that we chose. We also use Cisco Umbrella, which fits in neatly with the endpoint as endpoints are moving, more and more, out of the office now. Traditionally, it's slightly harder to manage that, so we use Cisco AMP and Umbrella on those endpoints to secure them.

It's almost entirely on-premise. Although there are some small cloud installations where we use it.

How has it helped my organization?

The fact that the solution offers cloud-delivered endpoint protection makes it simpler to use. Historically, Cisco's appliances have been relatively expensive and that has been a block to Cisco getting into the SME space, which is our particular focus. Having it cloud-based, where there's no cost, as such, to get the deployment running, has made it easier to sell to small businesses. We've got AMP installations with as few as two users. In the past, with Cisco, we would never have been able to deliver into that size of business without some sort of cloud for delivering it.

It also has a neat web interface that allows us to access it simply and therefore more people are able to manage it, rather than it being a specialist product. We're able to give it to more junior people on the helpdesk and they're able to determine quite quickly and simply what the state of the environment is and, if needed, escalate it to more senior people if they believe there's an issue. That's worked well for us.

We had quite a large client that had a partial AMP installation only covering key assets, and they were hit by ransomware. It was only Cisco AMP that showed where the problems were. The rest of the antivirus that they had across the estate was completely ineffective. AMP was intact and it gave the engineers the vital information they required to remediate the problem. With all attacks what we're interested in is knowing what was "patient zero," where the problem came in, and where it's spread. That can be a challenge sometimes when you've got multiple devices in a network and you're looking across a large number of PCs to work out who was compromised first and, therefore, what the course of action is.

It has decreased our time to remediate. In the scenario of the client that was hit by ransomware, effectively, none of the endpoints were compromised. We were able to detect what the issue was via the AMP client, which discovered and alerted us to what the actual problem was. We then had to do a cleanup process on the remaining. It certainly showed its value to us and the client in that particular incident. It is hard to say how much time it saved us, because in that particular incident they only had a limited deployment. It actually took six man-days to solve the problem, but it didn't affect any of the AMP clients. It arguably could have taken even longer, had they not had AMP deployed on at least some of the assets. It's very simple: If they had had AMP on all of them, they would have probably avoided the problem in the first place. And they certainly wouldn't have needed six days to actually resolve the issue.

Cisco Threat Response accelerates Cisco Umbrella security operation functions. The abilities of Talos are definitely one of the reasons we bought into this as a product. It enables us to react more quickly. We're relying on Cisco providing that updated information in a timely fashion, and that obviously has a knock-on effect on our ability to support our clients if they've been compromised. That ability to push information automatically into Talos and their environment and then prove it's a problem or otherwise, and then update the system automatically, saves us an enormous amount of time. It gives us a lot of confidence in what we do, because Cisco is able to update things and do that part of the function for us, rather than our relying on in-house skills to try to determine what is good and what is bad.

We use it internally, in our business, to secure us, as we are an MSP, which means we are at particular risk. Obviously, we have a duty of care for our clients to ensure that we take the utmost responsibility and steps to secure our businesses and, in turn, secure our clients' businesses. The Cisco suite of security solutions definitely gives us a great deal of comfort that we are doing that. Relying on Cisco for those updates certainly takes a load off my mind, knowing that we've got the backing of Talos across the suite of products. We feel, with all the steps we have taken, that there are very few gaps in our security.

The solution has also made our team more effective by being able to focus on high-value initiatives. We have it integrated into our helpdesk system where it alerts us of things that are of particular concern. That minimizes the amount of time that we're looking at non-threatening situations. A lot of these systems can throw up an awful lot of information and you can end up spending an awful lot of time looking at things that aren't an issue — false positives. If we're able to target things more accurately, it helps us focus that high-cost engineering resource more accurately. It does save time and money.

Cisco AMP has definitely decreased our time to detection, relative to where we were with previous products. Before this type of next-gen solution, we were relying on things like antivirus, which is pretty poor and didn't produce much in the way of protection, certainly around ransomware and other things. We were relying heavily on perimeter protection, like firewalls. That was, of course, completely ineffective when people took their laptops home. The risk was great and we saw more people bringing problems back into the business. The AMP and Umbrella combination has made life a lot more secure and enables us to deliver consistent policy, which is the other important thing. When people are in our building, we've got a reasonably consistent policy because we have greater control. But the minute a person leaves the building and connects via a phone or at an internet cafe, we lose most of the traditional protection we had. The endpoint becomes everything.

The decrease in time to detection has been significant. It's very hard to put a percentage to it because, before it, we were often blissfully unaware that devices had a problem at all. It's given us visibility and we are much more effective. I'm guessing in terms of what it saves time-wise, because it's given us visibility that we otherwise didn't have, but I would say 80 percent, if I had to put a figure on it.

What is most valuable?

It has a number of valuable features. One of them is its ability to look across the estate. If somebody has been compromised, the question always is: How has it affected other devices in the network? Cisco AMP gives you a very neat view of that.

It has worked well where there have been compromises of clients and the software has automatically sent a sample to Cisco. Cisco has very quickly turned that around and an update has been issued and therefore, within an hour, all the devices are protected against it. We've been quite impressed with that.

We're a Cisco-centric organization. We use things like Cisco FirePOWER, the Next Gen features, as well as Umbrella portal and AMP. We've got a SIEM solution and we see all the events. It gives us a very good overall view of what's going on, very quickly.

We get all the alerts fed in centrally and it enables the security team to act upon them quickly. The alerts seem to be high-quality. We don't get an awful lot of false positives. With the dashboards it's clear, and you can understand quickly where the issues are, with instant responses.

The tools provided by the solution to help you investigate and mitigate threats are very helpful too. I'm the person who manages the engineers, so I don't use it on a day-to-day basis. I use it to get an overall view of, and a feeling for, where our various clients are in terms of issues: How secure they are, whether the engineers have been acting upon threats, etc. But our engineers like the product very much. The ability to detonate a particular problem in a sandbox environment and understand what the effects are, is helpful. We're trying, for example, to determine, when people send information in, if an attachment is legitimate or not. You just have to open it. If you can do that in a secure sandbox environment, that's an invaluable feature. What you would do otherwise would be very risky and tedious.

All our engineers have been very impressed with the features that it delivers and the fact that it has been low impact on the endpoints. It hasn't caused us any problems with performance. Generally, it's a very well-liked product amongst the engineering team.

What needs improvement?

Some of the dashboards don't always populate with data. Most of them do, but some of them don't. 

Another issue for me, that would be the greatest value of all, would be to make the security into a single pane of glass. Whilst these products are largely integrated from a Talos perspective, they're not integrated from a portal perspective. For example, we have to look at an Umbrella portal and a separate AMP portal. We also have to look at a separate portal for the firewalls. If I could wave a magic wand and have one thing, I would put all the Cisco products into one, simple management portal. If I were Cisco, that would be my greatest focus of all because it would be of such great value if I could give one pane of glass to an engineer and he could look across all the Cisco products. 

The other thing I would say to Cisco is they need to move more to a consumption model like Office 365, because I want to be able to sell it and deploy it by just adding things on to a particular client.

For example, you set a client up on the AMP portal, which I'm looking at as I speak. I have X number of clients. If I need to sell or deploy Umbrella, I've got to go through a completely different process and enter exactly the same sort of thing. I've got to create the client somewhere else, I've got to put the information somewhere else, and I've got to run the deployment from somewhere else. Whereas with the Office 365 model, I'm able to upgrade packages and add features and functionality all from the one place. That is an incredibly powerful selling tool.

The other area for improvement is to make billing simpler. The billing process for us is hard where we've got those two users. We've got to create a separate bill for those clients and we have to create a separate report to Cisco to say that we're billing those clients. Anything they could do to make that billing process more seamless would be of great value. If they could almost automate it, so that it is something that links in with accounts packages to make the billing process neater, it would help promote the sale of it and make it more profitable to sell. If someone deploys AMP For Endpoints on a client, at the moment that process is very disjointed. We've got to do a check once a month to see how many deployments there are relative to last month and, if we had to add one, we not only have to bill an extra one but we also have to buy an extra one from Cisco. And all that is manual.

For how long have I used the solution?

I have been using Cisco AMP for Endpoints for three years, maybe more.

What do I think about the stability of the solution?

The stability is very good. We've had no issues with performance or things crashing. That aspect has all been very positive. When doing as much as these products are doing, it can create quite an overhead and take a toll on the performance of PCs, but we have had none of that kind of experience.

We are predominantly a Microsoft environment. I'm aware that it supports Mac, but I don't think we have any installations across Mac environments at the moment. From a Windows standpoint, it works very well. It hasn't caused instability. It hasn't affected performance in a negative way. All those things are really positive, given what it's actually doing.

What do I think about the scalability of the solution?

Without any question it's scalable. We've got it on as few as two, and as many as 250 or so clients. We don't have any questions about scalability.

How are customer service and technical support?

I've not personally used any support around this solution. I don't think we have needed to from an implementation perspective. It's all gone smoothly.

Which solution did I use previously and why did I switch?

We used Sophos in the past. We're replacing it, so when the renewals come up we replace Sophos with AMP, wherever possible.

How was the initial setup?

The initial setup is quite simple. We needed a method of delivery and that's the hardest part. But the deployment and the actual tuning of it are relatively minimal, so that has been a good experience. We didn't have to mess about with performance tuning, whereas with other products we have to do quite a lot for excluding this, that, and the other directory, to make sure the performance is reasonable.

If it's a small environment, it's quick to set up because we've got closer management. But in bigger environments, we bump into the challenge — and this is not an AMP issue or an installation issue — of people who are away, or people who haven't restarted their machines. Those sorts of little things tend to be the things that are a little bit more of a pain to get the final installation done. But the rollout of AMP, per se, is quite straightforward. The setup time of AMP isn't an issue and it is quite acceptable. These types of problems would exist with whichever product was chosen.

In terms of an implementation strategy for this product, our security team is very comfortable with rolling it out. The sales process is that we define the client's needs, the number of devices that they intend to secure, and that goes to the security team to coordinate and roll out. That's a reasonably templated process now for us.

In our company, the security team is comprised of four people, and they are the people who primarily look after and manage the products. We also have a deployment team, another three or four people, who are the people that would ultimately push the client out to the various devices that need it.

What was our ROI?

Certainly, from a protection standpoint, we have seen ROI. It's doing what we want it to do and it's protecting us and the clients who have it installed. Neither they nor we have been compromised and that's the greatest testament of all.

What's my experience with pricing, setup cost, and licensing?

We use the MSP model, so we're able to pay as we go. We report usage based on the actual usage, which is very handy. The old model of Cisco doing it was dated and archaic, and that goes for most of their products. The previous way they did it, which was that you bought something upfront for a certain period, was terrible because of the actual process of updating it. It wouldn't scale down and it was very hard to scale up. When you added users to the system, it wasn't easy to then add licenses to that particular agreement. It was really difficult, in fact; difficult to the point where we stopped selling it in that model, because it was just too problematic.

For example, if we had a user with 10 devices and they bought some more devices, so it went to, say, 15, getting an extra five licenses within their agreement was immensely hard. To me, the only way forward is the MSP model.

Which other solutions did I evaluate?

We looked at a number of different solutions: Carbon Black, Cylance, Sophos Intercept X and we liked the Cisco AMP solution over those products because it fit in neatly with the rest of the Cisco portfolio. We believe that the management of the various security products fit better with one manufacturer, rather than picking various manufacturers to try and manage a security solution.

The integration of Cisco Threat Response with Cisco Umbrella is getting a lot better. What we like, across the board, is that the solutions are backed by Talos, and Talos is the largest, independent, security-research and threat-hunting organization in the world. We like the fact that the protection is spread across the Cisco environment. That's where this set of products wins when compared to other vendors. It's not that other vendors, like Carbon Black and Cylance, aren't delivering good products. They're just not doing the whole suite. They're not providing the firewall, they're not providing the CASB solution like CloudLock. I'm not sure if they're doing DNS filtering yet; a lot of vendors are catching up on that. But effectively, when you get a known issue, Cisco have the ability to roll it out across a suite of products and therefore you get protection very quickly. So if you discover a problem in Cisco Umbrella, they can update that threat, where need be, in AMP. That's quite a unique selling point for Cisco.

What other advice do I have?

It's very simple to deploy, doesn't cause much in the way of management overhead, and does what it suggests. I would have no hesitation in recommending it. We obviously do, as we're selling it and have been using it for a number of years.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner.
Mark Krishnan
Associate Director - Infrastructure Engineering at AFT
Real User
Top 20
Great protection, excellent customer service, and an easy to understand UI
Pros and Cons
  • "The UI is simple and self-explanatory. Everything is easy to understand."
  • "Basically, they don't cover legacy OS or applications. That's the only issue we're concerned about"

What is our primary use case?

We primarily use the solution as advanced threat protection. It is used to protect all endpoints, servers, etc. 

What is most valuable?

They're very good at what they do. As far as the product is, in its current state, I don't have any complaints at all right now. They do a quarterly review with us, just so they can let us know how many viruses or how much malware they've stopped, etc. Those features are quite good. They also go through the portal step-by-step to describe whatever they improved or tightened up. They will explain everything clearly and in a way that a customer can understand.

They do also ask for feedback, which is nice. They'll ask things like "The last time we changed this, how was your experience?" or "Did you get a lot of false positives?" or "Did you get any complaints?" etc. That's pretty good. Not many companies do that.

The UI is simple and self-explanatory. Everything is easy to understand.

So far, in the past three years, they've been absolutely great. They've been more proactive than the solution we had previously was. They even introduced new products in their line and they came back and told us that they could add that product to our current solution. At first, we added them, then we decided we had sufficient resources in house to manage it ourselves and removed it. They were great about the change. 

They've caught quite a lot of viruses and malware that have been sent through improper links, which is very reassuring. 

They report any network isolation that has been done on certain endpoints if they detect a malicious file or malware on the device that couldn't be cleaned by automation. They isolate it or us. The end-user can contact the service desk and say, "Hey, I'm not able to surf the internet. I can't do anything, so can you help me?" or we're able to look at the endpoint and see "oh, your PC is infected, that's why you aren't allowed on." It's protecting us well.

Even though the users are somewhere else, even when they're not at headquarters, we are able to remediate everything before we put them on the network again. Those network isolations are great when we detect high threat malicious items. Those are valuable tools that we appreciate.

What needs improvement?

If an operating system is stopped by support by the original vendor like Microsoft, or maybe Apple, within a few weeks, CrowdStrike will also decide they no longer support it, and they kind of move on. I understand their model. However, if we still have the OS, it's hard to keep it protected. So, for example, if Microsoft decides to stop supporting or patching a solution, Crowdstrike too will stop supporting it and making updates. It's still a useable product, it's just not getting updates or patches and therefore may be vulnerable. 

The result is that we can't guarantee we're going to be able to protect that hardware or operating system. We either have to upgrade to a newer platform, which sometimes is not possible because you have a legacy application. Whatever that constraint is, sometimes we're not able to move things. We still have to rely on other products to support that. That's the only quandary I have with them. 

Basically, they don't cover legacy OS or applications. That's the only issue we're concerned about.

When a file is infected or it detects a ransomware file network, when it does remediate, it should self-heal as Sophos does. That's a good feature to have, but I don't know enough pros and cons about that to kind of recommend that because if it is a false positive, that may be a problem. If it detected a valid file and if for some reason it decides, "Oh, this looks like an infection," and maybe it's not actually infected, and if it goes in and remediates it by replacing it with an older file, that may be a problem. However, I don't know, because I've never used that feature or heard anybody say that's a problem.

For how long have I used the solution?

I've been using the solution for about three years now.

What do I think about the stability of the solution?

I have two engineers that regularly watch everything. We all get alerts. We'll see if something gets isolated, or a user will tell us. We isolate the issues and work on them so nothing gets through the endpoints into the system. Within 30 minutes to an hour, an issue can be cleared.

It's therefore very stable. We're able to catch everything before it can get it. It's reliable for sure.

They're so pro-active there's very little intervention that we have to do on our end.

What do I think about the scalability of the solution?

The solution is easily scalable. A company shouldn't have any issues with that aspect of the solution.

How are customer service and technical support?

Technical support is great. We've never had to contact them at all. Instead, they've always been proactive and reached out to us.

Their quarterly review manager will contact us every three months. They schedule it months ahead and we actually jump on a Zoom or WebEx meeting. They actually go through the improvements, how much detections they go through, all of our features, anything new that has been added, anything they're seeing out in the world in terms of threats, and where we need to tighten up the roles.

They would improve the sensitivity level or they will decrease the sensitivity level for some false positives. For example, they might say "Hey, we detect these, but they're not really a threat because this is just a Word document that's produced in an older format. It's not something that's malicious." Then they would decrease the sensitivity in certain areas, to eliminate the issue going forward. They always ask permission before tweaking anything. They will come to us and say, "this is what we're considering doing it and why we want to do it. Is that okay?" We usually agree to that and then they go ahead and do it.

It's just a phenomenal company. If they ever stopped the way they handle their customer service, then I would probably move on to a different company. So far they've been pretty good. For the last three years, they contacted us always and told us about every aspect of the solution. I don't think I missed a quarterly meeting so far with them due to the fact that it's all been so valuable.

Which solution did I use previously and why did I switch?

Originally, we had Webroot. We used to get, every so often, a slew of viruses that would get through the cracks. I don't know if Webroot's definition didn't get updated in a timely manner or if they were just delayed in something, however, whatever it was, we used to get that intrusion quite a bit. Then we would patch it and we would have to remediate everything. It wasn't ideal. 

We were looking for a product that would be more proactive than a reactive solution, and after doing a bunch of research, we decided on CrowdStrike. 

How was the initial setup?

The solution's initial setup was very simple. The only thing we had an issue with is our network operation. Is a separate organization that manages it. We have a network operation that we used for 24 hour monitoring. They don't support CrowdStrike and they were not experts in it. They stood us we would have to manage it ourselves. In the beginning, we were kind of worried about it. However, after that initial stage, the simplicity of how to install it, configure it was like a breeze.

We manage the entire solution in house. For maintenance, we have me and two engineers, plus a second level of support. There are around five people altogether.

What's my experience with pricing, setup cost, and licensing?

I'm not sure of the exact cost of the solution. That's a detail our finance department handles.

Which other solutions did I evaluate?

We did research on Cylance. We looked at Norton as well. We went through a bunch of products and we decided CrowdStrike was probably the most advanced threat protection at that time, which was three years ago. 

One of the products we were looking at is Sophos. The reason we were looking at Sophos is we were purchasing a backup and disaster recovery tool. In that tool, they had a built-in Sophos pack; they integrated Sophos in to protect the backup and replication and recovery. That way, if a backup had infections, for some reason, and they weren't picked up, and it got into our backup product, then Sophos could kick in and pick it up. It has automated remediation, meaning it reverses back the infection before infection if that makes sense.

Sophos has a self-healing technology built into it, which is an AI technology that they invented. We were looking at that because we thought that may be a better product. We were doing some homework on that and trying to figure out more about it. We're still in the process of purchasing a backup and recovery tool, so we're still doing our homework.

What other advice do I have?

We're just customers. We don't have a business relationship with the company.

I'm not sure which version of the solution we're using. The last time I checked, it was version 5.6. It is up-to-date, however. I get a report every so often saying, we've updated the sensors, or current version, etc. It's an auto-update and it does that. Whenever it's missing something or it couldn't reach an endpoint, the company will send me a report of that, saying these endpoints are not updated because we couldn't detect it on the network any longer.

The only advice I would say to others considering the solution is, if they have an unsupported operating system or legacy application, to look closely at CrowdStrike to see if the solution actually makes sense for them. This is due to the fact that they're not going to be able to support it. If they have thousands of servers and 20% of them are legacy applications, they may not want to think about CrowdStrike because the solution doesn't support legacy products. Other than that, I fully recommend CrowdStrike. The advanced threat protection they have has always been great.

I'd rate the solution a solid nine out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
IT Infrastructure Manager at a financial services firm with 51-200 employees
Real User
Top 5
Protect your business against a wide variety of threats
Pros and Cons
  • "It's quite easy to install agents."
  • "With McAfee, if there is a zero-day vulnerability, you have to download the patch for it from the McAfee website, then apply it to your endpoint."

What is our primary use case?

We currently have around 50 servers. We aren't really a big company but we have 50 servers which we manage. We use McAfee for the web filtering portion of it. For example, if a user is doing a search on Google, there's a risk-rating web content filter built into McAfee. This alerts us if there are any threats present. 

We have licensed McAfee ENS on a per-server basis. As of now, from memory, I think we have 56 endpoints running McAfee — 56 servers in total.

What is most valuable?

From the McAfee side, I really like the ePolicy Orchestrator software that allows us to manage all of our endpoints. You can create the deployment policies and whenever there is a new update — a new version of the ENS Agent, or threat protection — we could test it out in the evaluation branch, and even test it on some of our servers.

It's quite easy to manage. Quite intuitive. I would say the dashboard of ePolicy Orchestrator software is quite intuitive and quite easy to understand and manage. 

For how long have I used the solution?

I have been using this solution for 15 to 20 years.

What do I think about the stability of the solution?

We have had some issues from the performance side of things, especially when we were deploying new types of software. Sometimes the consumption of resources from McAfee was a bit high. Afterward, these problems were resolved gradually in future versions of McAfee. From what I've read from the release notes, in regard to the handling of memory, McAfee has been doing a better job, which wasn't really the case in the early years. 

What do I think about the scalability of the solution?

It's easily scalable. If I need to deploy the Agent over 800 endpoints, I just have to script it and run a group policy to deploy it to all of our computers on the network — it's quite easy. 

How are customer service and technical support?

For day-to-day management and ongoing queries, if ever I didn't have the solution to queries, I would just raise the case to the case management section of the McAfee website. Then the McAfee support team would help me out.

I was definitely satisfied with the support team. I really can't complain. They always sent me the correct knowledge-based article and they provided really insightful information to help me find a resolution to the issue. 

Which solution did I use previously and why did I switch?

At the previous company that I worked for, we used Symantec Endpoint Protection. Now, we are working with CylancePROTECT and OPTICS.

The main reason that we moved from McAfee to Cylance is that McAfee is still a signature-based product. We moved to Cylance, a signatureless-based product, where everything is updated. What I was doing, from an ENS product point stance, I had set reminders to myself and my team to update the Agent and look into the software repository to see if there were any updates every month.

Indeed, every month we had software updates and fixing restrictions. It wasn't good but I now have less of a hard time looking into this from a Cylance perspective as the Cylance library doesn't push one-minute software updates per year. I would say at most, two or three software updates a year, which is very, very small from a software update perspective in comparison to McAfee.

They're both good products. I'm not saying McAfee is a bad product. It's a very, very good product. It's mainly for these reasons that we moved to Cylance.

The ePolicy Orchestrator console is good, but from my side, I would say Cylance has a better artificial intelligence module — the OPTICS module which I would say is the way to go. I haven't really seen the trend in terms of what other companies other than McAfee or Symantec are doing, but Cylance is doing a really good job with this artificial intelligence module. It's great when it comes to notifying the team when it detects something malicious.

With McAfee, if there is a zero-day vulnerability, you have to download the patch for it from the McAfee website, then apply it to your endpoint. With Cylance, it's not like that. Each agent does it by itself — it's like a self-healing application. This is something that signature-based antivirus solutions like McAfee and Symantec didn't have until now, unfortunately. That's why we moved towards Cylance.

How was the initial setup?

It's quite easy to install agents. Deployment and product updates are quite easy, as well. It goes without saying that it comes with some, I would say, low-level training and upscaling but these are easily retrievable from the knowledge base of McAfee.

We manually downloaded their AMCore versions to keep all our endpoints up to date. This way, whenever we troubleshoot the root cause of an issue, we still keep our endpoints as updated as possible and keep our environment safe.

When we installed the Agent — let's say I am building a new VM and new server. When you run the frame package, it's really intense. I would say it takes roughly two minutes to install, then afterward, to install the ENS modules, like the threat protection and web filtering packages, you've got to go through the ePolicy Orchestrator management console. I would say, all in all, it takes roughly 10 minutes.

To get it up to date, to download everything, all the packages, the software updates, and all of the AMCore DAT files as well as the virus definitions, it's quite easy. It doesn't take much time at all.  

What about the implementation team?

For deployment, I worked with one external consultant.

Initially, when I came to the company, I didn't really have a background or any experience managing McAfee. I came from more of a Symantec background but I gained some knowledge from one of our external consultants who really had a deep understanding of McAfee products and their deployment. We had some training sessions and then I could manage the McAfee forum on my own. After a week's worth of training, I could manage McAfee on my own.

What's my experience with pricing, setup cost, and licensing?

We had McAfee on a year renewal. We purchased it initially and then we renewed it on a yearly basis. I think the only reason we are renewing the license is for support reasons. 

What other advice do I have?

I would definitely recommend this solution to others. McAfee is a good product. I worked with Symantec, but personally, I think McAfee is better.

However, in my opinion, now having worked with CylancePROTECT and OPTICS, I think  CylancePROTECT and OPTICS are on another level. Still, we have been working with McAfee for nearly 10 years and I feel it's a very good product. 

Overall, on a scale from one to ten, I would give McAfee a rating of eight.

Which deployment model are you using for this solution?

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Randy Lahti
Founding Partner, Security Architect at ISS
Top 20
Well organized documentation, overall superior functionality, and helpful visualizations
Pros and Cons
  • "Some of the valuable features I have found are the online documentation of the solution is well organized and thorough. I like the simplicity of bypass and the visualization of the active components."
  • "This solution could have greater granular control on how certain applications work."

What is our primary use case?

Some of my client's use cases are typical endpoint protection, telemetry, and threat hunting. We are using all three of the most popular services that point back to the cloud central console.

What is most valuable?

Some of the valuable features I have found are the online documentation of the solution is well organized and thorough. I like the simplicity of bypass and the visualization of the active components. If I want to know which file is being utilized and what sub-files it is calling, the visualization given is very helpful.

I would like to see them continue to run some of the AI-type comparisons. I know everyone is really secretive about what they do and what they have engineered, but I think Cylance was a good market disruptor years ago with their approach. Now we see SentinelOne and everyone is approaching that piece of the puzzle similarly now. I just would like to see more of a comparison. We have done our own technical comparison but it is fairly expensive. All solutions have pros and cons, if more third-party organizations or teams could evaluate how each product works in pros and cons many people would benefit.

What needs improvement?

This solution could have greater granular control on how certain applications work. You are able to do the operation of allowing or disallow, or you can block unusual usage of an application, but they do not define it well. 

The PowerShell is being called in any way that the threat actor might use it versus an administrator. You are in a way taking this solutions' best guess at it or their understanding of it. They do not clearly tell you in technical terms how they make that determination. They should be more forthright about it, or if they can not tell us, they should just give us the control to make those selections. We are choosing it because at least we have that control where we do not have that same amount of control with other solutions like Cylance. However, they are still not telling us precisely what constitutes suspicious behavior, what actions, or what calls. It is a check box to say, lock if we have inappropriate use, or block if we have suspicious behavior. It would be helpful to tell us what that actually meant.

In the future, I would like to see more granular control of PowerShell and more administrative tools.

For how long have I used the solution?

I have been using the solution for approximately six months.

What do I think about the stability of the solution?

The stability of the solution has been good. I like the fact that their call home is a single port, 443, a well-known port with a backup port, 54443. Their architecture, that way is easy for network admin to understand and open up and passing firewalls. In contrast with ATP, ATP has a lot of port requirements, It is much more complex and easy to misunderstand ATP communications until you really dig hard to see how does it work. This solution is much simpler that way. Additionally, performance-wise, user agents seem to hover around 1%-2%, it is fairly efficient and lightweight.

What do I think about the scalability of the solution?

The scalability of the solution has been good. We implemented a couple of large POCs. We have some clients and colleagues that are running it at scale, with more than 5,000 endpoints with great success. We are pleased overall. Most of our clients are mid-cap or small enterprises.

How are customer service and technical support?

I have found the solution support has been strong. 

I would rate the support of Carbon Black CB Defense a seven out of ten.

Companies need to work on the timeliness of support. Getting directed to a strong enough, experienced enough technical person sooner is important. That just is not the way support is currently built. Usually, they start at tier one and move up. I am sure there are a lot of customers that call in support with simpler questions that you do not want to tie up a tier-three person's time. However, I do not think my request for support to improve is not unique to this solution. 

We have a very knowledgeable technical team. When we call for support we are wanting to interact with tier two or tier three right away. It is frustrating to have to work through the tiers to get where we want to go.

Which solution did I use previously and why did I switch?

We previously used Cylance and we are coming off of a direct comparison of the two. In the current version of this solution, they have a stronger AI version or component. The overall general quality of the breadth of the solution is better. To receive the same functionality in Cylance, we needed to add the CylanceOPTICS product and we have not had great success with it.

What I do not like about Cylance is it is very binary. You either allow AST to be a 56-bit hash or you do not. I think there is room for more granular control, which we now receive by using this solution.

Overall this solution is better than Cylance.

How was the initial setup?

The initial setup has been straightforward. I think their user interfaces in mature and understandable, they did a good job in it. I would not say any end-point solution is simple, but I think it is more intuitive than many of them.

What other advice do I have?

My advice to others is to take advantage of the POC and work with your POC rigorously. I think we have good responses on the POC as they get closer and closer to wanting to close. We were able to get stronger and stronger and more timely support. It is a good program and they are very fair about it. In any EDR, I would test them heavily and do not rely on marketing.

When applying an overall rating to this solution I do not think there are any tens in the marketplace. We very pleased and we evaluate this every year or two. In our POC, we had 200 samples including ones that were available but not as popular and we received a 100% efficacy. We were very pleased with the results.

I rate Carbon Black CB Defense an eight out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller
Flag as inappropriate
Get our free report covering CrowdStrike, Microsoft, SentinelOne, and other competitors of Blackberry Protect. Updated: January 2022.
563,327 professionals have used our research since 2012.