Partners only
January 2018
Hello and welcome to this short sales training module on Intercept X versus the competition.
Comparisons are based on Sophos’ research and interpretation of publicly available information. Information may not be complete and is subject to change, is provided “as is” and without warranties of any kind, and is the opinion of Sophos.
The information contained in these slides is based on Sophos’ own research and interpretation of publicly available information. Information may not be complete and is subject to change as products get updated, so it is provided “as is” and without warranties of any kind; the information within this presentation is the opinion of Sophos.
The competitive proposition for Intercept X
There are three things which together really set Sophos Intercept X apart from our competitors, both for Intercept X as a standalone product and especially when Intercept X is used alongside Sophos’ own Endpoint product.
These are:
1. Breadth
2. Depth
3. Usability
-------------------------------------------------------------------------------------------------------------------
Breadth is about the range of features and capabilities within the Intercept X product: features that reduce the risk of attack, stop threats before they run, and stop threats post execution.
All of these protection features combined make up the breadth of features within Intercept X.
-------------------------------------------------------------------------------------------------------------------
Depth is about the quality of that rich feature set. Some of the features in Intercept X are best of breed and unique in the marketplace, and they ultimately allow us to provide a better level of protection than our competitors with lower false positive rates.
---------------------------------------------------------------------------------------------------------------
And lastly usability: keeping things simple, offering simple cloud management, and automating incident response so the customer does not face a lot of manual, time-consuming investigation.
Some competitors can claim to have one or two of these elements, but none of them have all three.
NEW FEATURES
Active Adversary Mitigations: NEW Credential Theft Protection (protects Windows Credential Store)
Deep Learning Malicious File Detection: NEW Malicious Executable Detection (Deep Learning Model)
The new features included in this release of Intercept X, such as:
1. Active Adversary Mitigations
2. Enhanced Process Lockdown feature
3. Deep learning malicious file detection
give us an even greater competitive edge in terms of the breadth and depth of our feature set.
The new features are covered in detail in the “product overview” modules of this course; the rest of this module will focus on the high-level differentiators between us and our competitors.
Machine learning closes a competitive gap
Vendors with machine learning: Cylance ✓, CrowdStrike ✓, SentinelOne ✓, Symantec ✓, Trend Micro ✓, Microsoft ✓, Sophos ✓
(Other columns in the slide table: Central Mgmt., Root Cause Analysis, Synchronized Security)
A lot of our competitors, both the traditional security vendors and the next generation security vendors, say that they have machine learning in their products, and up until now that has been a gap in our product feature list.
But with this new release of Intercept X we have now added machine learning to our feature set to fill this gap and help us overcome this objection when being compared to the competition.
But it isn’t just a “me too” feature, as you will see over the next few slides.
Deep learning is a competitive advantage
EDR-like protection…
• Malicious process migration (remote reflective DLL injection)
• Process privilege escalation
• Credential theft
• Code cave utilization
• Application Procedure Call (APC) abuse
• Inappropriate use of PowerShell from browser
• Inappropriate behavior of HTML applications (HTAs)
However, Intercept X has the detection features to detect APTs, for example process privilege escalation and credential theft, just in a different way to typical EDR and with less manual user interaction.
…without EDR-like complexity
EDR                                       | Intercept X
Manual configuration required             | Strong protection using default policy
Detection oriented                        | Prevention oriented
Manual cleanup                            | Automatic cleanup
Designed for SOCs and incident responders | Designed for IT and endpoint security teams
EDR, when it first came out, was aimed at SOCs, incident response teams or security analysts, and provided forensics to hunt across your estate for suspicious activity. This works for some larger organisations who have an in-house security ops team and the time and resources to investigate.
But for those customers who do not have their own SOC or incident response team this is too much: they do not want, or have time for, manual investigation of incidents, nor to manually clean up or investigate security incidents that are flagged. Those customers just want something that works; they have gotten used to the automated way that anti-virus cleans up detected malware and want something similar for EDR.
The screenshot on the slide is taken from Cisco AMP for Endpoints and shows a security incident which would take manual interpretation of the data presented, manual investigation and manual clean up. The EDR reporting for Carbon Black and CrowdStrike’s Falcon is equally complicated and time consuming, with manual configuration of the security policies.
In comparison, Intercept X provides protection out of the box with the default security policies and automated clean up of incidents, designed to be simple to use for IT and security teams without the need for an in-house SOC.
Positioning against traditional EP vendors
Depth Usability
Intercept X exploit mitigations:
• Enforce DEP
• Mandatory ASLR
• Bottom-up ASLR
• Null Page (Null Dereference Protection)
• Heap Spray Allocation
• Dynamic Heap Spray
• Stack Pivot
• Stack Exec (MemProt)
• Stack-based ROP Mitigations (Caller)
• Branch-based ROP Mitigations
• SEHOP
• Import Address Table Filtering (IAF)
• Load Library
• Reflective DLL Injection
• Shellcode
• VBScript God Mode
• WoW64
• Syscall protection
• Hollow Process
• DLL Hijacking
• Squiblydoo Applocker Bypass
SEP exploit mitigations:
• Enforce DEP
• Mandatory ASLR
• EnhASLR
• Null Page (Null Dereference Protection)
• Heap Spray Allocation
• Stack Pivot
• StackNX
• ROPCall
• ROPHeap
• SEHOP
• DllLoad
• Java Security Manager
Slide callouts: SEP has no behavior-based ransomware or MBR; Synchronized Security; Leverage Intel CPUs for enhanced ROP protection; SEP lacks deep learning.
The competitive information for Intercept X has been broken down into two main categories across the next two slides: how it compares against traditional vendors and how it compares against next generation security vendors.
Starting with traditional vendors on this slide, using Symantec (SEP) as an example. The same principles apply when comparing to any of the other traditional AV companies: they have been around a long time and have built up a large, comprehensive feature set which is comparable to other traditional anti-virus products and also to next generation security products. However, unless a customer does their own due diligence or testing, they may not see beyond the checkbox feature comparisons or marketing material.
So you have to get them to see the detail beyond the datasheets and marketing material and ask them to focus on the depth and quality of those features that are of interest to them.
For example, when you compare the exploits that Symantec Endpoint Protection protects against with what Intercept X protects against, you will see that Symantec only protects against half of the exploits that Intercept X does. Intercept X is a best of breed product and Symantec isn’t.
Symantec also say they have ransomware protection, which they do, and they can check that feature box. But they do not have the rollback feature or the behaviour-based ransomware detection that Intercept X has in CryptoGuard, nor the ability to detect and roll back tampering of the Master Boot Record like WipeGuard in Intercept X. So even though they can check the box and say they have anti-ransomware features, they do not go as deep as Intercept X does.
Symantec also have machine learning, but they are using the traditional approach rather than the newer, better deep learning approach.
And in terms of usability: Sophos is known as the simple solution and we make it easy for our customers by offering cloud management. Symantec only has on-premise management for larger customers; their cloud managed solution is aimed at smaller customers. Their application control is manual and complex to set up, as you can see from the screenshot on the slide.
Plus, Synchronized Security is the cherry on the cake. Not only does our product have a greater breadth and depth, offering you best of breed technologies, but we also offer simplified management to save you time, and we also have Synchronized Security, which allows our firewall, SafeGuard Encryption and the endpoint to share security intelligence to automate and speed up incident response, which no other vendor can offer.
Positioning against newer EP vendors
Breadth Usability
Now compared against the newer next generation vendors on the market, who have mostly grown up from being niche players with one or two key features from which they built up their product set. This means that most of these vendors fall down in terms of the breadth of their feature set and their product portfolio in general: they cannot cover the full risk spectrum and offer protection against each type of attack or threat vector.
The table on the slide compares Sophos EA and IX together against Carbon Black’s CB Defense, which is their all-rounder mid-market and SMB-focused product that includes EP and EDR.
As you can see from the table, Carbon Black is missing a lot of features when compared with Sophos EA and IX.
Its main focus is behaviour detection, and it does have good EDR features including root cause analysis.
However, it does not give you machine learning, let alone deep learning.
Plus, it doesn’t protect against some of the basics of endpoint protection, such as protection from malicious websites with web protection, or any automated rollback or clean up of malware incidents.
Plus, in terms of usability, as Carbon Black was built from an EDR platform it requires a lot of manual configuration of incident response actions, manual investigation of suspicious activity, and manual cleanup of detected threats. It is more complex to configure and manage than Intercept X.
We also have Synchronized Security, which is not something the newer vendors can offer, as they do not have their own network security products or the same breadth of portfolio as Sophos.
Summary: New features add breadth, depth, usability
So in summary: if you look at all of the new features in Intercept X, we have added to the breadth of our feature set by adding many new features, but more importantly we have focused on the quality of those features and added depth in several areas, including deep learning, active adversary mitigations, and also protecting against exposure to threats in the first place using our endpoint features such as application control, web control and device control.
This has been a high-level summary of Intercept X versus the competition.
For more detailed information, all of the competitive battlecards can be found on Sophos Hub for internal users and on the partner portal under the quick links section. These are for internal use only or partner use only. However, if you need a quick comparison for customers, the feature comparison table from the first page can be shared with customers. Please note that ONLY this section of the battlecards can be shared with customers.
Please complete the following knowledge check questions regarding Intercept X and how to handle objections from your customers about the competition.
TRAINING FEEDBACK