Battle Card - HARMONY Endpoint

Uploaded by pmashok1794
Battle Card – Check Point Harmony Endpoint

OVERVIEW

A complete market-leading endpoint security (EPP and EDR) solution to protect remote users from today’s complex threat landscape. It prevents the most imminent threats to the endpoint, such as ransomware, phishing, or drive-by malware, while quickly minimizing breach impact with autonomous detection and response.

Harmony Endpoint is part of the Check Point Harmony product suite, the industry’s first unified security solution for users, devices and access. Harmony consolidates six products to provide uncompromised security and simplicity for everyone.

Check Point Harmony Endpoint has been recognized for delivering the most comprehensive threat detection and visibility across detection categories in the 2021 MITRE Engenuity ATT&CK® Evaluations. Harmony Endpoint successfully detected 100% of unique techniques used during the test.

In 2022, 100% of Harmony Endpoint’s sub-step detections provided visibility and context, 98% of them at the highest technique detection level, providing additional data enrichment to help users thoroughly understand the attack.

THE CHECK POINT ADVANTAGE

• Advanced behavioral analysis and machine learning algorithms shut down malware before it inflicts damage
• High catch rates and low false positives ensure security efficacy and effective prevention
• 360° user protection against known and zero-day threats from all vectors across all devices
• Automated forensics data analysis offers detailed insights into threats
• Full attack containment and remediation to quickly restore any infected systems

MARKET LEADERSHIP

Harmony Endpoint falls within the endpoint security market. Endpoint security covers solutions that tightly integrate threat prevention, detection and response. It includes traditional endpoint protection capabilities and endpoint detection and response (EDR).

• The endpoint security market size in 2020 stood at $8.2bn with 14.4% CAGR (Worldwide Corporate Endpoint Security Market Shares, 2020, IDC). The market is expected to grow to $15.6bn by 2024 (Statista).

The competition in this market is comprised of mainly smaller point product vendors, as well as several traditional threat prevention vendors. Check Point is well-positioned with a complete solution.

Gartner MQ for EPP 2021:
• By the end of 2023, cloud-delivered EPP solutions will exceed 95% of deployments.
• By 2023, core EDR capabilities will be included in all EPP solutions rather than separate licenses.
• By 2025, 50% of organizations using EDR will use managed detection and response capabilities.

ELEVATOR PITCH – TOP 3 SELLING POINTS

Harmony Endpoint is a complete endpoint security solution built to protect the remote workforce from today’s complex threat landscape. Harmony Endpoint provides:
• Complete endpoint protection, including runtime protection against ransomware, phishing, bots, file-less attacks, or malware coming from web browsing or email attachments,
• Fastest recovery with 90% automation of attack detection, investigation, and remediation tasks, with auto-generated forensic reports and detailed visibility into the attack flow, correlated with the MITRE ATT&CK® Framework, and
• Best TCO - ensuring you get all the endpoint protection you need in a single, efficient and cost-effective solution.

SALES ENABLEMENT RESOURCES

Product Information:
• Product Page (public)
• Datasheet (public)
• Product Tour video (public)
• Threat Hunting Video (public)
• Interactive Brochure (public)
• Demo Request (public)

Partnerships:
• PartnerMAP sales tools
• Win The Competition (CheckMates)
• Sales Enablement (internal)
• Competitive Wiki (internal)

Need more info? Contact [email protected]

©2021 Check Point Software Technologies Ltd.
COMPARISON MATRIX – Harmony vs. Cylance, Cisco, Sentinel1, TrendMicro, Microsoft

Capabilities compared:
EPP: Sandbox; Anti-Malware / AV; Bot protection (C&C); Zero-day Phishing site; Malicious site protection; URL Filtering; Application Control; Machine learning (AI); Corporate Password Protection; Exploit protection; CDR; Data Restoration From ransomware (Roll Back)
EDR: Hunting capabilities; Containment & Remediation

                                        Harmony   Cylance   Cisco   Sentinel1   TrendMicro   Microsoft
MITRE Engenuity Evaluations EDR 2022    94.5%     52.2%     67.8%   99.0%       91.7%        89.9%
Annual Price-list per user (1-50)       $38       $72       $70     $65         $63          $62

Matrix footnotes: 1. Use reputation database; 2. Separated product; 3. Only view mode; 4. Based on Windows Shadow Copy; 5. Additional cost; 6. Detect, does not prevent; 7. Not a zero-day phishing

Competitive Benefits of Harmony Endpoint
❖ Unique abilities – 0-Day Phishing Protection, CDR, Corporate password protection, web filtering & FDE
❖ Preemptive approach – Threat Emulation & Extraction (CDR) prevents delivery of unknown malicious files to the end user
❖ Single platform and bundles with all protection layers, such as EDR & Sandbox, included
❖ For the 2nd year in a row Harmony EP has been recognized as a leader for providing high-quality threat detection in the MITRE Engenuity ATT&CK coverage
❖ Superior Threat Intelligence - ThreatCloud provides real-time intel from multiple security products

How to Compete Against...

Cylance
A. Cannot prevent Patient-0; lacks file emulation (Sandbox) and can only generate an alert post-infection
B. Relies heavily on machine learning, therefore does not provide multi-layer protection – Public Example
C. Cylance had poor detection results in MITRE although it used 3 solutions, including a network device with the endpoint (MITRE)
D. CylanceProtect lacks advanced forensics. For EDR capabilities the customer needs to purchase CylanceOptics; this raises the total TCO and requires deployment of an additional agent on the host.
E. Lacks ransomware data restoration capability, so encrypted files cannot be recovered
F. Cylance suffered an embarrassing universal bypass – LINK & LINK
G. Does not provide on-device behavioral analysis, so verdicts are based on weighted static analysis and the user remains clueless about the incident

Cisco
A. Limited visibility - Secure Endpoint (AMP) cannot automatically identify the point of entry and damage, providing a limited view of the attack chain (tree)
B. Has one of the worst detection rate products in the market, verified by 3rd party evaluation (MITRE)
C. Cisco’s forensics module is not a protected process, so a user with suitable permissions can disable it – LINK (p.119)

Sentinel1
A. Ransomware restoration feature is prone to be bypassed; it relies heavily on the “Windows Shadow Copy Service” (VSS).
B. The security team has limited time to restore an infected host before the next snapshot (every 4 hours); after that, rollback won’t be possible.
C. Threat hunting customization is cumbersome - the user requires knowledge of the syntax to use this tool.
D. Lacks a sandboxing and file scrubbing solution; unable to detect zero-day malicious content.
E. Fileless malware detection relies on built-in OS capabilities available in Windows 10 and above; legacy OS is not supported

TrendMicro
A. No preemptive approach to protect against threats, whereas Harmony delivers zero-malware documents with CDR
B. Sandbox solution (Deep Discovery Analyzer) is not included in the product; the customer will need to purchase it separately
C. On average, samples are processed within 30 minutes when using Sandbox as a Service.
D. No Corporate Password Protection on a non-corporate website.
E. Lacks a phishing protection engine; URL Filtering and FDE are not included.
F. Required 2 products to achieve MITRE results, APEX & XDR, because only the XDR provides incident information
G. 5 minutes or more of delay until the incident appeared on the dashboard (source)
H. Doesn’t support Linux OS deployment

Microsoft
A. Phishing Protection is based on previously known malicious sites; cannot prevent 0-day phishing sites & limited threat extraction (CDR) [Safe Documents]
B. Data restoration capability is based on Windows Shadow Copy, which can be deleted by sophisticated ransomware.
C. Microsoft Defender forensic analysis provides unnecessary information, leading to increased incident response times
D. Sandbox can take up to 14 minutes to get a verdict on an unknown malicious file (source). And the MS sandbox doesn’t prevent unknown malicious files; it just notifies 10 minutes later after a verdict is reached
E. On average, time to incident remediation is almost 10 minutes!
F. MS threat hunting involves manual creation of complex queries; Harmony offers simple, object-oriented query creation

[Internal Use] for Check Point employees
COMPARISON MATRIX – Harmony vs. Palo Alto (Cortex XDR Agent (Traps)), Sophos, Fortinet, Crowdstrike, McAfee

Capabilities compared:
EPP: Sandbox; Anti-Malware / AV; Bot protection (C&C); Zero-day Phishing site; Malicious site protection; URL Filtering; Application Control; Machine learning (AI); Corporate Password Protection; Exploit protection; CDR; Data Restoration From ransomware (Roll Back)
EDR: Hunting capabilities; Containment & Remediation

                                        Harmony   Palo Alto   Sophos   Fortinet   Crowdstrike   McAfee
MITRE Engenuity Evaluations EDR 2022    94.5%     98.1%       61.4%    77.9%      88.6%         77.0%
Annual Price-list per user (1-50)       $38       $70         $44      $87        $140          $76

Matrix footnotes: 1. Use reputation database; 2. Separated product; 3. Only view mode; 4. Based on Windows Shadow Copy; 5. Additional cost; 6. Detect, does not prevent; 7. Not a zero-day phishing

How to Compete Against...

Palo Alto (Cortex XDR Agent (Traps))
A. Cannot prevent post-infection communication (C&C)
B. Cortex XDR bypassed by modified Mortar loader technique – VIDEO and description
C. PAN didn’t take action after responsible disclosure of Cortex XDR Bypass vulnerabilities for 300 days – VIDEO & VIDEO
D. No automatic remediation – only provides remediation recommendations that must be manually performed; cannot recover encrypted files from a ransomware attack.
E. No preemptive approach to protect against threats; Harmony delivers zero-malware documents with threat extraction (CDR)
F. Protection against Phishing or URL Filtering requires a different product & agent such as Prisma Access (equivalent to Harmony Connect).

Sophos
A. Must export endpoints from Sophos “Enterprise Console” to “Central Endpoint Mgmt” to have its CryptoGuard capabilities. This adds to deployment complexity and additional labor hours
B. Sandbox is only part of their Firewall / Email solution – additional costs
C. No preemptive approach to protect against threats; Harmony delivers zero-malware documents with threat extraction (CDR)
D. Has no ransomware rollback ability
E. Sophos Tamper Protection can be disabled, which allows a non-admin user to uninstall the agent – watch HERE
F. Has one of the worst detection rate products in the market for the last two years, verified by MITRE

Fortinet
A. Needs a Sandbox subscription for file emulation for 0-day detection; it is not included with the solution.
B. Requires an additional endpoint for a VPN connection
C. Will push for FortiEDR in high budget deals; for low budget SMB will sell FortiClient (has no EDR)
D. A privilege escalation vulnerability in FortiClient for Windows can allow an attacker to gain SYSTEM privileges - LINK
E. Did not prove itself as a good EDR product in the last 2 years in the MITRE testing & never submitted Linux protection

Crowdstrike
A. Data restoration capability is based on Windows Shadow Copy, which can be deleted by sophisticated ransomware.
B. No threat extraction capability. Files are either passed or blocked, leading to a high false positive rate and infected documents reaching the host and compromising it.
C. Cannot prevent Patient-0; has a low catch-rate and Falcon can only generate an alert post-infection.
D. Lacks URLF, Application Control and Disk/Media encryption
E. Lacks phishing protection and is unable to detect post-infection CnC connections (no Anti-bot engines)
F. MITRE – 2021 had horrible results; in 2022 used 3 different products & unrecommended configuration (lab environment)
G. High false positive rate http://tiny.cc/crwd_falsepositive
H. Has a 75% default discount

McAfee
A. No preemptive approach to protect against threats, whereas Harmony delivers zero-malware documents with threat extraction (CDR)
B. Zero-day protection (sandbox) is not included as a part of the solution; required to be purchased separately (increased TCO)
C. For full visibility and EDR tools, an additional XDR subscription is required
D. In the legacy version, by default it has no Remediation; it is disabled to improve performance
E. Lacks phishing protection and Corporate Password Protection
F. Mvision relies on sharing the load with Microsoft Defender, making maintenance, updates and CVEs double the amount because now there are 2 security agents. Without Defender in the background, protection drops dramatically
COMPARISON MATRIX – Harmony vs. Symantec, Carbon Black, Bitdefender

Capabilities compared:
EPP: Sandbox; Anti-Malware / AV; Bot protection (C&C); Zero-day Phishing site; Malicious site protection; URL Filtering; Application Control; Machine learning (AI); Corporate Password Protection; Exploit protection; CDR; Data Restoration From ransomware (Roll Back)
EDR: Hunting capabilities; Containment & Remediation

                                        Harmony   Symantec   Carbon Black   Bitdefender
MITRE Engenuity Evaluations EDR 2022    94.5%     79.8%      52.2%          97.2%
Annual Price-list per user (1-50)       $38       $142       $136           $69

Matrix footnotes: 1. Use reputation database; 2. Separated product; 3. Only view mode; 4. Based on Windows Shadow Copy; 5. Additional cost; 6. Detect, does not prevent; 7. Not a zero-day phishing

How to Compete Against...

Symantec
A. Lacks intelligent backups / data restoration capability. Compromised hosts cannot be restored
B. Sandboxing solution is limited to 10 MB in the cloud, and requires an on-premise appliance for threat emulation of larger files
C. High false positive rate; many false alerts have been flagged to the support team, so a dedicated procedure has been created
D. Requires Symantec WSS (WTR) (additional product) to secure users from web-based malicious content, abilities such as URL-filtering and anti-phishing (see here).
E. Since the security department was purchased by Broadcom, clients and partners complain that Symantec customer support and technical support have stopped providing assistance, and trouble tickets can stay open for a long time unanswered.
F. Only SES Complete offers an EDR solution – to see all offerings and features click here
G. Has a 50% default discount

Carbon Black
A. Forensic analysis requires a high level of expertise from IT staff; missing human-readable explanation like in Harmony
B. High TCO when adding on auditing and remediation capabilities
C. Provides absolutely no data restoration capabilities for files encrypted by ransomware
D. No file sandboxing capabilities – requires 3rd party integration
E. For the second year scored poorly overall (<60%) on the MITRE ATT&CK test, 2021 & 2022 – see here
F. The MITRE Engenuity report exposed that Carbon Black lacks visibility into C&C attempts – Example from MITRE
G. Critical bug in Carbon Black could enable an attacker with network access to the server to get admin without authenticating

Bitdefender
A. Cannot fully remediate ransomware attacks when the host is fully encrypted
B. Bitdefender EDR capability lacks advanced threat hunting, automated threat feed integration and custom blocking rules
C. The application control capability is only available with the on-premises platform
D. The Sandbox capability is only available with the on-premises deployment
E. Only a subscription for GravityZone Elite can compete against Harmony Advanced

For The Full HEAT MAP

Q2 2022 Internal only
