
Sophos Confidential—Internal and Partners only

Intercept X and the competition

January 2018

Hello and welcome to this short sales training module on Intercept X versus the competition.

Comparisons are based on Sophos’ research and
interpretation of publicly available information.
Information may not be complete and is subject to
change, is provided “as is” and without warranties
of any kind, and is the opinion of Sophos.


The information contained in these slides is based on Sophos’ own research and
interpretation of publicly available information.

Information may not be complete and is subject to change as products get updated,
so it is provided “as is” and without warranties of any kind; the information within
this presentation is the opinion of Sophos.

The competitive proposition for Intercept X

Breadth: Layered protection; Defense in depth; The Power of the Plus
Depth: Best of breed; Rich functionality; Unique technology
Usability: Ease of deployment; Cloud management; Low false positives


There are three things which together really set Sophos Intercept X apart from our
competitors, both for Intercept X as a standalone product and especially when
Intercept X is used alongside Sophos’ own Endpoint product.
These are:
1) Breadth, 2) Depth and 3) Usability
-------------------------------------------------------------------------------------------------------------------
Breadth is about the range of features and capabilities we have within the Intercept X
product. It is about our features to reduce the risk of attack, to stop threats before
they run and to stop threats post execution.
All of these protection features combined make up the breadth of features within
Intercept X.
-------------------------------------------------------------------------------------------------------------------
Depth is about the quality of the rich feature set. Some of the features in Intercept
are best of breed and make us unique in the market place, and they ultimately allow us
to provide a better level of protection than our competitors with lower false positive
rates.
---------------------------------------------------------------------------------------------------------------
And lastly Usability: usability in terms of keeping things simple, offering simple
cloud management and automating incident response without a lot of manual and
time-consuming investigation for the customer.

Some competitors can claim to have 1 or 2 of these elements, but none of them have
all three.

NEW FEATURES

Active Adversary Mitigations
• NEW Credential Theft Protection: protects Windows Credential Store
• NEW Process Protections: prevent Code Cave, APC and more
• NEW Registry Protections: Application Verifier
• ENHANCED Process Lockdown: browser behaviour and HTA app lockdown

Deep Learning Malicious File Detection
• NEW Malicious Executable Detection: Deep Learning Model
• NEW Potentially Unwanted App Detection: determines PUA vs malware vs benignware
• NEW Curated Allow Lists: admin and Sophos defined white lists for outlier applications
• NEW Sophos Clean Safestore: Clean performs quarantine and directed remediation functions


With the new features included with this release of Intercept X, such as:
1. Active Adversary Mitigations
2. Enhanced Process Lockdown feature
3. Deep learning malicious file detection

we gain an even greater competitive edge in terms of the breadth and depth of our
feature set.

The new features are covered in detail in the “product overview” modules of this
course; the rest of this module will focus on the high level differentiators between us
and our competitors.

Machine learning closes a competitive gap

Vendors with machine learning:
• Cylance ✓
• CrowdStrike ✓
• SentinelOne ✓
• Symantec ✓
• Trend Micro ✓
• Microsoft ✓
• Sophos ✓

Sidebar: Central Mgmt., Root Cause Analysis, Synchronized Security


A lot of our competitors, both the traditional security vendors and the next
generation security vendors, are saying that they have machine learning in their
products, and up until now that has been a gap in our product feature list.

But with this new release of Intercept we have now added machine learning to our
feature set to fill this gap and help us overcome this objection when being
compared to the competition.

But it isn’t just a “me too” feature, as you will see over the next few slides.

Deep learning is a competitive advantage

Sophos Deep Learning: comprehensive training data + smarter model = better detection
with fewer false positives

Vendor machine learning approaches:
• Cylance: Deep Learning
• CrowdStrike: Standard ML
• SentinelOne: Standard ML
• Symantec: Standard ML
• Trend Micro: Standard ML
• Microsoft: Standard ML
• Carbon Black: No ML
• Cisco: No ML

Newer vendors lack telemetry, which leads to more false positives.

Deep learning is the signature feature of this release of Intercept X.

As well as adding the deep learning feature to our product, we wanted to go above
and beyond to ensure it is best of breed, to give us that depth and quality in our
product set that some of our competitors lack.
-------------------------------------------------------------------------------------------------------------
A lot of the traditional security vendors and new next generation vendors in the
security market do have standard machine learning as part of their products too, but
these generate a lot of false positives, ultimately resulting in more time spent by the
customer on investigation.
------------------------------------------------------------------------------------------------------------------
We use a smarter model for our machine learning, drawing on the security intelligence
from SophosLabs as well as telemetry from our 250 million protected endpoints. This
provides us with data about the files being used, their source and their prevalence,
and therefore comprehensive training data for our machine learning, to make sure it
is better at detecting malware with fewer false positives.
-----------------------------------------------------------------------------------------------------------
Our research on this is based on what the competitors are saying about themselves.
Most are using machine learning as part of their cloud reputation sandboxing, not as
part of their endpoint client. One of the few competitors who offer deep learning as
part of their endpoint client is Cylance; however, Cylance does not have the same
broad spectrum of user data for security intelligence as we do.
--------------------------------------------------------------------------------------------------------------
More traditional vendors such as Symantec or Microsoft do have access to good
telemetry, but they do not have the advanced capabilities of our deep learning, built
by our in-house data science team.

EDR-like protection…
• Malicious process migration (remote reflective DLL injection)
• Process privilege escalation
• Credential theft
• Code cave utilization
• Asynchronous Procedure Call (APC) abuse
• Inappropriate use of PowerShell from browser
• Inappropriate behavior of HTML applications (HTAs)


Another new feature is our EDR-like protection.

Traditionally the EDR market was built around detection of Advanced Persistent
Threats, which typically evaded the detection techniques used by traditional anti-virus
security solutions. So EDR solutions were created to detect suspicious activity on an
endpoint device, but they typically involved a lot of manual administrator configuration
and investigation of flagged suspect files and processes.

However, Intercept has the features to detect APT activity such as process privilege
escalation and credential theft, just in a different way to typical EDR and with less
manual user interaction.

…without EDR-like complexity

EDR: Manual configuration required | Intercept X: Strong protection using default policy
EDR: Detection oriented | Intercept X: Prevention oriented
EDR: Manual cleanup | Intercept X: Automatic cleanup
EDR: Designed for SOCs and incident responders | Intercept X: Designed for IT and endpoint security teams


EDR, when it first came out, was aimed at SOCs, incident response teams or security
analysts and provided forensics to hunt across your estate for suspicious activity.
This works for some larger organisations who have an in-house security ops team and
the time and resources to investigate.

But for those customers who do not have their own SOC or incident response team
this is too much; they do not want, or have time for, manual investigation of
incidents, nor to manually clean up or investigate security incidents that are
flagged. Those customers just want something that works: they have gotten used to
the automated way that anti-virus cleans up detected malware and want something
similar for EDR.

The screenshot on the slide is taken from Cisco AMP for Endpoints and shows a security
incident which would take manual interpretation of the data presented and manual
investigation and clean up. The EDR reporting for Carbon Black and CrowdStrike’s
Falcon is equally complicated and time consuming, with manual configuration of
the security policies.

In comparison Intercept X provides protection out of the box with the default security
policies and automated clean up of incidents, which has been designed to be simple
to use for IT and security teams without the need for an in-house SOC.

Positioning against traditional EP vendors

Depth

Intercept X exploit mitigations:
• Enforce DEP
• Mandatory ASLR
• Bottom-up ASLR
• Null Page (Null Dereference Protection)
• Heap Spray Allocation
• Dynamic Heap Spray
• Stack Pivot
• Stack Exec (MemProt)
• Stack-based ROP Mitigations (Caller)
• Branch-based ROP Mitigations
• SEHOP
• Import Address Table Filtering (IAF)
• Load Library
• Reflective DLL Injection
• Shellcode
• VBScript God Mode
• WoW64
• Syscall protection
• Hollow Process
• DLL Hijacking
• Squiblydoo Applocker Bypass
Leverage Intel CPUs for enhanced ROP protection

SEP exploit mitigations:
• Enforce DEP
• Mandatory ASLR
• EnhASLR
• Null Page (Null Dereference Protection)
• Heap Spray Allocation
• Stack Pivot
• StackNX
• ROPCall
• ROPHeap
• SEHOP
• DllLoad
• Java Security Manager
SEP has no behavior-based ransomware or MBR
SEP lacks deep learning

Usability

Synchronized Security

The competitive information for Intercept X has been broken down into two main
categories across the next two slides: how it compares against traditional vendors
and how it compares against next generation security vendors.

We start with traditional vendors on this slide, using Symantec (SEP) as an example,
but the same principles apply when comparing to any of the other traditional AV
companies. They have been around a long time and have built up a large, comprehensive
feature set which is comparable to other traditional anti-virus products and also next
generation security products; however, unless a customer does their own due diligence
or testing, they may not see beyond the checkbox feature comparisons or marketing
material.
So you have to get them to see the detail beyond the datasheets and marketing
material, and ask them to focus on the depth and quality of those features that are of
interest to them.

For example, when you compare the exploits that Symantec Endpoint Protection protects
against with what Intercept X protects against, you will see that Symantec only
protects against half of the exploits that Intercept does. Intercept X is a best of
breed product and Symantec isn’t.

Symantec also say they have ransomware protection, which they do, and they can
check that feature box. But they do not have the roll back feature or the behaviour-
based ransomware detection feature that Intercept X has in CryptoGuard, nor do they
have the ability to detect and roll back tampering of the Master Boot Record like
WipeGuard in Intercept X. So even though they can check the box and say they have
anti-ransomware features, they do not go as deep as Intercept does.

Symantec also have machine learning, but they are using the traditional approach
rather than the newer, better deep learning approach.

And in terms of usability: Sophos is known as the simple solution and we make it
easy for our customers by offering cloud management. Symantec only has on-premise
management for larger customers; their cloud managed solution is aimed at smaller
customers. Their application control is manual and complex to set up, as you can see
from the screenshot on the slide as an example.

Plus Synchronised Security is the cherry on the cake. Not only does our product have
greater breadth and depth, offering you best of breed technologies, but we also
offer simplified management to save you time, and we also have Synchronised
Security, which allows our firewall, SafeGuard encryption and the endpoint to share
security intelligence to automate and speed up incident response, which no other
vendor can offer.

Positioning against newer EP vendors

Breadth

Feature                  Sophos CEA+CIX   Cb Defense
Device/app/web control   ✓
Signatures               ✓                ✓
Machine learning         ✓
Behavior detection       ✓                ✓
Web protection           ✓
Anti-exploit             ✓                ✓
Rollback                 ✓
Cleanup                  ✓
Root cause analysis      ✓                ✓

Usability

Cb Defense requires:
• Configuration of response actions
• Investigation of suspicious activity
• Manual cleanup of detected threats

Synchronized Security


Now compared against the newer next generation vendors on the market, who have
mostly grown up from being niche players with one or two key features from which
they built up their product set. This means that most of these vendors fall down in
terms of the breadth of their feature set and their product portfolio in general.

They cannot cover the full risk spectrum and offer protection against each type of
attack or threat vector.

The table on the slide compares Sophos EA and IX together against Carbon Black’s Cb
Defense, which is their all-rounder mid-market and SMB-focused product that includes
EP and EDR.

As you can see from the table, Carbon Black is missing a lot of features when
compared with Sophos EA and IX.
Its main focus is behaviour detection, and it does have good EDR features including
root cause analysis.

However, it does not give you machine learning, let alone deep learning.
Plus it doesn’t protect against some of the basics of endpoint protection, such as
protection from malicious websites with web protection, or any automated rollback
or clean up of malware incidents.

Plus, in terms of usability, as Carbon Black was built from an EDR platform it requires
a lot of manual configuration of incident response actions, manual investigation of
suspicious activity and manual cleanup of detected threats.
It is more complex to configure and manage than Intercept X.

We also have Sync Sec (Synchronized Security), which is not something that the newer
vendors can offer, as they do not have their own network security products or the
same breadth of portfolio as Sophos.

Summary: New features add breadth, depth, usability

Breadth: Machine learning; Active adversary
Depth: App lockdown enhancements; Deep learning
Usability: Not EDR; ML with few FPs


So in summary:

If you look at all of the new features in Intercept, we have added to the breadth of
our feature set by adding many new features, but more importantly we have focused on
the quality of those features and added depth in several areas, including deep
learning, active adversary mitigations, and also protecting against exposure to threats
in the first place using our endpoint features such as app control, web control and
device control.

Finally, by maintaining our position of offering SIMPLE solutions and continuing to
make all of our products easy to use and manage, and automating our response to
threats, we maintain our position as a highly usable product and company to work
with.

This has been a high level summary of Intercept versus the competition.

For more detailed information all of the competitive battlecards can be found on
Sophos hub for internal users and the partner portal under the quick links section.
These are for internal use only or partner use only. However if you need a quick
comparison for customers then the table of feature comparison from the first page
can be shared with customers. Please note ONLY this section of the battlecards can
be shared with customers.

Please complete the following knowledge check questions regarding Intercept X and
how to handle objections from your customers about the competition.

TRAINING FEEDBACK

Feedback is always welcome

Please email globaltraining@sophos.com

Feedback on our courses is always welcome; please email us at
globaltraining@sophos.com with your comments.



