Compare Industry Next-Generation Firewalls (NGFWs)

Data valid as of October 2018.

Cisco

Palo Alto Networks

Fortinet

Check Point Software Technologies

Security Features

Continuous analysis and retrospective detection
  Cisco: Cisco Firepower employs continuous analysis, beyond the event horizon (point-in-time) and can retrospectively detect, alert, track, analyze, and remediate advanced malware that may at first appear clean or that evades initial defenses and is later identified as malicious.
  Palo Alto Networks, Fortinet, Check Point Software Technologies: Limited. Point-in-time only. (Point-in-time analysis indicates that a verdict is made on the disposition of a file at the moment it is first seen. If a file morphs or begins acting maliciously later, there are no controls in place to keep track of what happened or where the malware ended up.)
Network file trajectory
  Cisco: Continuous. Cisco maps how hosts transfer files, including malware files, across your network. It can see if a file transfer was blocked or the file was quarantined. This provides a means to scope, provide outbreak controls, and identify patient zero.
  Palo Alto Networks, Fortinet, Check Point Software Technologies: Trajectory dependent on continuous analysis.
Impact assessment
  Cisco: Cisco Firepower correlates all intrusion events to an impact of the attack, telling the operator what needs immediate attention. The assessment relies on information from passive device discovery, including OS, client and server applications, vulnerabilities, file processing, and connection events, etc.
  Palo Alto Networks, Fortinet, Check Point Software Technologies: Limited. Impact is measured only against threat severity. No host profile information to determine if host is actually vulnerable to threat.
Security automation and adaptive threat management
  Cisco: Cisco automatically adapts defenses to dynamic changes in the network, in files, or with hosts. The automation covers key defense elements such as NGIPS rule tuning and network firewall policy.
  Palo Alto Networks, Fortinet: Limited. All policies require administrator interaction. Policies are limited to basic tuning. False positives are manually identified and mitigated.
  Check Point Software Technologies: Limited. Policies require administrator interaction.
Behavioral indicators of compromise (IoCs)
  Cisco: Cisco Firepower considers file behavior and the reputation of sites, and correlates network and endpoint activity using >1000 behavioral indicators. It provides billions of malware artifacts for unmatched scale and coverage from global threats.
  Palo Alto Networks: Limited. Standard, nonbehavioral IoCs are available in separate product.
  Fortinet, Check Point Software Technologies: Limited. IoCs are based upon threat severity, not behavior.
User, network, and endpoint awareness
  Cisco: Cisco Firepower provides full contextual threat analysis and protection, with awareness into users, user history on every machine, mobile devices, client-side applications, operating systems, virtual machine-to-machine communications, vulnerabilities, threats, and URLs.
  Palo Alto Networks: Limited. User awareness only.
  Fortinet, Check Point Software Technologies: Limited. User awareness only unless separate endpoint software is used.
NGIPS
  Cisco: Next-gen. Next-generation IPS with real-time contextual awareness and network mapping.
  Palo Alto Networks, Fortinet, Check Point Software Technologies: Signature-based.
Integrated advanced threat protection
  Cisco: Built-in, dynamic sandboxing capabilities (AMP-ThreatGrid), detects evasive and sandbox-aware malware, actionable event correlations, >1000 behavioral IoCs, billions of malware artifacts, and easy-to-understand threat scores.
  Palo Alto Networks, Fortinet, Check Point Software Technologies: Limited. Sandbox available as cloud subscription or on-premises appliance.
Malware remediation
  Cisco: Intelligent automation from Cisco AMP for Networks allows you to quickly understand, scope, and contain an active attack even after it happens.
  Palo Alto Networks, Fortinet, Check Point Software Technologies: Limited. No root cause or trajectory results in an unknown threat scope. Remediation is a manual process during post-breach incident response.

Threat Intelligence Talos

Unique malware samples per day
  Cisco: 1.5 million
  Palo Alto Networks, Fortinet, Check Point Software Technologies: 10s of thousands
Threats blocked per day
  Cisco: 19.7 billion. Excludes email.
  Palo Alto Networks, Fortinet, Check Point Software Technologies: Not reported
Email messages scanned per day
  Cisco: 600 billion. Of the 600B scanned, more than 85% are spam.
  Palo Alto Networks: Not reported
  Fortinet: 6 million
  Check Point Software Technologies: Not reported
Web requests monitored per day
  Cisco: 16 billion. Web requests monitored by WSA/CWS per day. For perspective, Google processes 3.5 billion searches per day.
  Palo Alto Networks: Not reported
  Fortinet: 35 million
  Check Point Software Technologies: Not reported
Automated intelligence feeds
  Security intelligence feeds are updated every 2 hours, adjustable to 5-minute intervals.

Operational Capabilities

Scanning architecture
  Cisco: Single pass
  Palo Alto Networks: Single pass
  Fortinet: ASIC
  Check Point Software Technologies: Multipass
Software-defined segmentation
  Cisco TrustSec and ACI provision security services separated from workload and deployment (physical, virtual, cloud). Security group tags (SGTs) segment software in the network.
Automatic threat containment
  Cisco Rapid Threat Containment automates quarantine actions by the Cisco Identity Services Engine.
Operations and management
  Cisco: Excellent. Combined security and network operations. One console or HA pair of consoles provides all updates, patching, reporting, and threat information.
  Palo Alto Networks: Limited. Single UI for NGFW management. Additional UIs for malware, endpoint, or any other platform features.
  Fortinet: Limited. Single UI for NGFW management. Additional product and UI for logging and events. Additional product and UI for sandboxing.
  Check Point Software Technologies: Excellent. Single manager of managers for each individual function of NGFW, ATP, etc.
Deployment models
  Cisco, Palo Alto Networks, Fortinet, Check Point Software Technologies: Typical. Appliance, virtual instance (VMware), and public cloud (AWS and Azure)
eStreamer API
  Cisco Firepower can stream event data and host-profile information to client applications, SIEM and SOC platforms, enhancing your actionable intelligence.
Remediation API
  Cisco Firepower can work in conjunction with third-party products. It can change an asset’s VLAN or access controls, or even open a ticket with the help desk.
Host API
  Other systems such as inventory, vulnerability & asset management, and Nmap can feed data into the Cisco Firepower platform.

Critical Infrastructure (ICS/SCADA)

Hardened and ruggedized versions available
  Must run VM version of NGFW on a separate server; includes loading and managing a supported hypervisor.
Base feature set
  Cisco: NGFW, AMP, NGIPS, threat intelligence. NGFW includes application visibility, URL filtering, IPS, antivirus, user identity. Firepower also includes all key security enhancements mentioned above, such as NGIPS, Advanced Malware Protection (AMP), retrospection, impact analysis, etc.
  Palo Alto Networks, Fortinet, Check Point Software Technologies: NGFW only
SCADA rules
  Cisco: ~250. ~250 rules based on Snort. Talos provides rules geared toward ICS industry. Third-party rules can be imported. Customers can build rules.
  Palo Alto Networks: ~100
  Fortinet: ~300
  Check Point Software Technologies: ~180
Modbus, DNP, CIP pre-processors
  Cisco: Modbus, DNP3, and BACnet. SCADA protocols are available through the Firepower system.
  Palo Alto Networks: Modbus, DNP3, OPC, ICCP, IEC 61850
  Fortinet, Check Point Software Technologies: Modbus, DNP3, BACNet, MMS, OPC, Profinet, ICCP, IEC.60870.5.104, IEC.61850

Service Provider

Carrier-class certification
  NEBS Level 3
  NEBS Level 3
Carrier-class features
  GTP v2, CG-NAT, Diameter, SCTP, SIP-signaling firewall
  GTP v2, CG-NAT, Diameter, SCTP, SIP-signaling firewall
  GTP v2, CG-NAT, Diameter, SCTP, SIP-signaling firewall
Third-party services stitching
  Third-party and native containers can be seamlessly stitched together to run with Firepower Threat Defense.
True DDoS
  Cisco: Radware DefensePro vDOS container is integrated directly into the NGFW system (Cisco Firepower 9300).
  Limited. Requires separate product.
  Limited. Requires separate product.