©2016 Check Point Software Technologies Ltd. All rights reserved. [Restricted] ONLY for designated groups and
individuals
Q3, 2016 | 1
ITEM 1: THIRD-PARTY FINDINGS
CISCO CLAIM
CHECK POINT FACTS, UNDERSTANDING & DETAILS:
• Efficacy: Cisco quotes the NSS-BDS 2016 results, where it indeed scored 100% and Check Point scored 99.4% (both great results). What is not mentioned is that Cisco used 2 products to achieve that score (Firepower and AMP endpoint), where Check Point used 1.
• Comparing apples-to-apples NGFW solutions, which is the scope of THEIR COMPARISON: in the latest NSS NGFW test, Check Point scored 99.8% security efficacy, where Cisco missed 2900% more exploits than Check Point (see more here).
• Time to Detection: it is not clear why they represent it like this; in fact, Check Point's average response was ~50% faster than Cisco's (see more here).
WHAT
• CISCO PUBLISHED A COMPETITIVE COMPARISON OF ITS NGFW SOLUTION VS. OTHER VENDORS (PAN, FORTINET, CHECK POINT): http://www.cisco.com/c/m/en_us/products/security/firewalls/competitive-comparison.html
• THE COMPARISON CONTAINS SOME INACCURACIES ABOUT CHECK POINT
• THE BELOW CONTAINS FUD – FACTS, UNDERSTANDING AND DETAILS ABOUT THE CISCO COMPARISON IN REGARDS TO CHECK POINT
CHECK POINT RESPONSE TO CISCO NGFW COMPETITIVE
Competitive Cheat Sheet
ITEM 2: SECURITY FEATURES
CISCO CLAIM
CHECK POINT FACTS, UNDERSTANDING & DETAILS
Cisco claims are inaccurate:
1. Continuous analysis and retrospective detection – supported (in Early Availability)
2. Network file trajectory – supported (SandBlast Agent)
3. Impact assessment – supported (SmartEvent, SandBlast)
4. Security automation – supported (R80)
5. Behavioral IOC – supported (Anti-bot)
6. User, network, endpoint awareness – supported (across all products)
7. NGIPS – supported, with the highest security effectiveness in the industry (according to NSS Labs)
8. Integrated ATP – supported (SandBlast suite)
9. Malware remediation – supported (SandBlast Agent)
ITEM 3: OPERATIONAL CAPABILITIES
CISCO CLAIM
CHECK POINT FACTS, UNDERSTANDING & DETAILS
Cisco claims are inaccurate (except the claim that our management is excellent):
1. Scanning architecture: Check Point supports parallel processing (more info here 1:19)
2. Software-based segmentation: supported (actually with Cisco TrustSec & ACI, but also NSX, Azure, AWS, OpenStack and more)
3. Automatic threat containment: supported (actually with the same Cisco ISE, but also with cooperative enforcement)
4. Operations and management: we agree it is indeed excellent
5. Different APIs: supported (REST API, SandBlast API, similar to their proprietary ones)
ITEM 4: ICS/SCADA
CISCO CLAIM
CHECK POINT FACTS, UNDERSTANDING & DETAILS
Cisco claims are inaccurate (except the first and last statement):
1. Base feature set: Check Point includes all relevant protections for SCADA
2. SCADA rules: “rules” here means the number of signatures and AVC; Check Point supports over 1,000 “rules” (more than 800 SCADA detectors, more than 300 IPS signatures)
For a more accurate comparison, read the “zero tolerance” report (here). Below is a recap.
ITEM 6: THREAT INTELLIGENCE
CISCO CLAIM
CHECK POINT FACTS, UNDERSTANDING & DETAILS
Cisco claims are inaccurate:
Check Point ThreatCloud holds over 30M IOCs (files, hashes, domains, URLs), with more than half a million unique samples per day
ITEM 7: SERVICE PROVIDER
CISCO CLAIM
CHECK POINT FACTS, UNDERSTANDING & DETAILS
Cisco claims are mostly accurate, though they show Cisco's weakness:
Cisco uses third-party stitching (mostly as a concept, except for Radware), where Check Point can provide a best-of-breed in-house solution
THE CHECK POINT ADVANTAGE
Unbeatable security & best management efficiency with predictable performance in the real world
Strongest Protection with Multi-Layer Security
• Industry-leading security: award-winning Next Generation Firewall
- Leader in Gartner's 2016 Magic Quadrant of Enterprise Network Firewall (NGFW), since 1997
- Recommended rating in NSS Labs 2016 Breach Detection System test (BDS)
- Recommended in NSS Labs 2016 Next-Gen Firewall test (NGFW)
Best management and visibility
• Easily control over 7,270 apps, 264,256 internet widgets and 200M websites by user, group, or OU
• Protect clear and encrypted traffic against data breaches with strong DLP
• Provide simple and secure corporate access from all mobile and fixed endpoints
Most efficient security consolidation while keeping predictable real-world performance
• Predictable real-world performance with Security Power (SPU)
• Lowest management labor time according to NSS
• Industry’s only true unified management and reporting solution covering all aspects of security
CISCO FACTS
Security: with its integrated Sourcefire solution, Cisco provides a partial security solution
• Cisco ASA equipment is affected by a severe vulnerability (read more: http://goo.gl/B6IVKR)
• Vulnerable to a full inspection bypass, allowing an attacker to bypass malware detection mechanisms (https://goo.gl/VwCELc)
• Cisco Botnet filter lacks core components to detect network behavioral anomalies
• Cisco has limited visibility of risk, with 68 P2P/file sharing types vs. Check Point's 342+
• The APP Gap: Cisco has limited application awareness, with ~4,366 apps vs. Check Point's over 7,270
• Cisco management has multiple vulnerabilities (CSRF: http://goo.gl/I9ukZP) and (Cross-Site Scripting: http://goo.gl/cRXw0n)
• Cisco's new unified image, Firepower Threat Defense (FTD), has many limitations and missing features such as High Availability, remote access VPN, multiple context, QoS, PBR, etc.
• Cisco has 3 separate images (ASA, FirePOWER and FTD) for different appliance lines, with different management, which adds to deployment complexity and increases admin labor time
Management: with its Sourcefire integrations, the Cisco solution requires two separate management interfaces
• Cisco needs 3 separate management consoles to properly manage Threat Prevention, Content Security, and 3rd-party event analysis (Splunk, LogRhythm) (vs. 1 from Check Point). In some cases Cisco CSM (core FW) is also needed
• Cisco needs an added Security Administrator headcount compared to Check Point due to its cumbersome management interface (according to 3rd-party analysts)
• Cisco lacks an Event Analysis solution; no correlation of security events leads to lack of visibility and added management time
• Troubleshooting with Cisco FirePOWER management requires an admin to look at seven different categories for threat prevention and Next-Gen logs
• Cisco central management lacks some basic multi-domain tasks such as Global IPS, Global services, Global VPN
Performance: Cisco's very high price/performance makes it a less attractive solution
• Cisco is limited in regards to VPN setup rate, with 95% fewer tunnels compared to Check Point
• Cisco's fastest appliance performs only 225Gbps of firewall throughput (Check Point’s is 400Gbps)
• Cisco shows very high cost/performance (3 times more than Check Point)
• Cisco FirePOWER SSP 20, 40, 60 with FirePOWER services and the 4000 series show very low performance throughputs compared to Check Point parallel appliances
FOR MORE FACTS SEE THE “WINNING AGAINST” SLIDE DECK IN THE COMPETITIVE WIKI OR PARTNERMAP
