
Battlecard

Cisco Confidential

Cisco Secure Endpoint - Selling Against SentinelOne

Overview

SentinelOne offers the following security solutions:
1. Next-generation endpoint protection (EPP/EDR) and XDR
2. Network Visibility and Control
3. Container and Cloud Workload Protection
4. Services – Managed Detection and Response and DFIR, Managed Threat Hunting

Their Messaging

The EPP/EDR solution uses a single endpoint agent on Windows/macOS/Linux operating systems. SentinelOne endpoint protection uses built-in static and behavioral AI for known and unknown threats in real time. SentinelOne ActiveEDR offers threat hunting, detection and response capabilities. The S1 platform integrates with solutions like Splunk, Fortinet, Okta etc. SentinelOne offers coverage for malware (trojans, worms, backdoors), fileless in-memory malware, exploits in Office documents, Adobe files etc., browser exploits, scripts, credential scraping etc., as well as rollback protection for ransomware on Windows, backed by a ransomware warranty. Customers can choose from three bundles - Singularity Core/Control/Complete. Singularity Complete (the highest tier) is required for all EDR capabilities.

Cisco and SentinelOne One Liners

Cisco Secure Endpoint stops breaches using proven techniques for comprehensive protection against advanced threats.
Flexibility and choice: cloud, on-prem, in-line and gateway integration; offline deployment is supported with the Tetra and ClamAV engines.
SecureX enables a centralized view into malware behaviors and outbreaks across networks, endpoints, email and cloud, and enables rapid detection, remediation and response.
Secure Endpoint delivers point-in-time protection, retrospective security, file reputation and sandboxing, and continuous analysis.

SentinelOne Weaknesses and How to Tackle/Sell Around Them

Weakness: SentinelOne uses the Microsoft Volume Shadow Copy Service (VSS) on Windows to support its remediation/rollback feature. Multiple VSS snapshots can lead to storage issues on clients. Modern ransomware targets volume shadow copies first (deleting them before it encrypts), so often files cannot be retrieved. Consequently, the rollback feature is not very reliable.
How to tackle: Microsoft VSS can be enabled regardless of the endpoint security solution, since VSS is an OS-based (Microsoft) technology; see the implementation link. Cisco Secure Endpoint leverages several technologies to prevent, detect and remediate malicious code at the endpoint. The Malicious Activity Protection engine provides run-time detection and blocking of abnormal behaviors (e.g., behaviors associated with ransomware), which is why Cisco does not depend on a snapshot surviving the attack.

Weakness: SentinelOne does not offer integrated sandbox technology for zero-day threats, which can potentially slip through undetected to end hosts.
How to tackle: Cisco Secure Malware Analytics within Cisco Secure Endpoint provides an automated detonation engine that observes, deconstructs and analyzes samples using several methods. It is proven effective against sandbox-aware malware.

Weakness: SentinelOne lacks effective and mature threat intelligence, which is critical for detecting and blocking advanced threats as well as for threat hunting.
How to tackle: Cisco Talos offers industry-leading cyber threat intelligence, leveraging the broad data set from the Cisco Security portfolio (NGFW, IPS, email, endpoint, DNS and more), more than 185 intel partnerships, and proactive vulnerability discovery every day.

Weakness: SentinelOne acquired Scalyr to expand its XDR capabilities beyond the endpoint. Scalyr requires an extensive database (data from other security tools) that customers would need to pay for. SentinelOne is still building an XDR strategy.
How to tackle: Cisco SecureX enables accelerated threat investigations and incident management by aggregating and correlating global intel and local context in a single view. Automatic enrichment adds context from integrated Cisco Security products, helping the customer understand which systems were targeted and how. Orchestration allows automation of routine tasks with prebuilt workflows. Threat hunting beyond endpoints and deep drill-down capabilities help determine the scope of attacks and respond/remediate at speed.

Weakness: Vendors often proactively "optimize" their solutions for competitive evaluations and testing; more detections by any solution does not necessarily translate to a "better solution".
How to tackle: In the MITRE 2020 ATT&CK Evaluation, S1 had one of the highest detection counts, which could be troublesome for the analyst in the real world because the evaluation holds no one accountable for false positives (Cisco had zero FPs in the latest AV-Comparatives testing). Cisco Secure Endpoint's detections occurred early in the attack chain.

Weakness: Lacks real-time endpoint query capabilities. Host data is streamed to the cloud, which may not provide the most current information from the endpoint (delay of up to 5 minutes). Customers are charged for cloud data retention beyond the initial period.
How to tackle: Cisco Orbital (integrated with Cisco Secure Endpoint) offers 200+ pre-built and custom queries and enables running live and scheduled queries against all endpoints. Cisco Orbital queries endpoints in real time, thus providing the most current data for posture assessment, simplified threat hunting and accelerated investigations.

Comparison of Primary Features

Feature Description        Cisco Secure Endpoint    SentinelOne
Retrospective Detection    Automated                Manual
Threat Intelligence        Extensive                Limited
Data Enrichment            Extensive                Some
File Analysis              Included                 Requires Integrations

Key Tactics that Work for SentinelOne

Tactic: Appeals to customers running legacy AV solutions
Why it works: With its primary focus on endpoint security only, SentinelOne appeals to customers running legacy AV solutions that are looking to get advanced endpoint protection.

Tactic: Easy-to-use solution/UI experience
Why it works: SentinelOne's single agent, single management platform, easy-to-use story (Cisco Secure Endpoint offers a single agent and single management platform as well).

Tactic: Aggressive protection policies while conducting PoCs
Why it works: Customers see more artifacts that were previously invisible. However, this does not consider false positives.

Tactic: Ransomware protection
Why it works: Although ransomware protection is not exclusive to SentinelOne, it may come across as a major distinction (although with major caveats related to VSS).

Tactic: AI-based protection
Why it works: Buzzword used to distinguish themselves from the rest of the vendors. Most endpoint security vendors (including Cisco) use ML/AI for endpoint security.

© 2021 Cisco and/or its affiliates. All rights reserved.



SentinelOne Strengths and Strategies

Strength: While conducting PoCs, SentinelOne sets endpoint protection policies to aggressive to catch the maximum number of threats.
Details: Educate the customer about the false positives that are bound to show up with policies set to maximum in the real world. Use the latest AV-Comparatives report to highlight that Cisco has a higher catch rate with the industry's lowest false positives.

Strength: SentinelOne uses AI for endpoint and workload protection.
Details: The Cisco Secure Endpoint solution is equipped with multiple engines that provide the highest protection against threats: File Reputation, AV, Machine Learning, Exploit Prevention, Script Protection, Behavioral Protection, Malicious Activity Protection, cloud-based IOCs from Cisco Talos (the industry's leading threat intel organization), host-based IOCs, vulnerability detection, and low-prevalence executables.

Strength: Rollback for ransomware mitigation using VSS (Volume Shadow Copy Service).
Details: VSS-based rollback is highly inefficient and ineffective against real-world ransomware attacks, which routinely delete the shadow copies before encrypting anything, leaving nothing to roll back to. Cisco Secure Endpoint leverages several technologies to prevent, detect and remediate malicious code at the endpoint. The Malicious Activity Protection engine provides run-time detection and blocking of abnormal behaviors (e.g., behaviors associated with ransomware).

Strength: Lightweight agent, appealing user interface/navigation.
Details: Do not get into a UI/navigation comparison. Lead with SecureX and stick to the threat-centric, security-practitioner-focused story, and ensure that a SecOps stakeholder is present when presenting the Cisco Secure Endpoint solution. Leverage the differentiators: retrospective security (trajectory), multiple detection methods, Talos threat intelligence, Cisco Secure Malware Analytics, threat visualization, and threat hunting capabilities beyond the endpoint. All add prime value to the Cisco solution.

Strength: Deep Visibility for investigation and threat hunting.
Details: Cisco Orbital (integrated with Cisco Secure Endpoint) offers 200+ pre-built and custom queries and enables running live and scheduled queries against all endpoints. Cisco Orbital queries endpoints in real time, thus providing the most current data for posture assessment, simplified threat hunting and accelerated investigations.

Strength: Third-party testing.
Details: Leverage the following third-party reports when competing with SentinelOne:
• Cisco Secure Endpoint was promoted to Visionary in the 2020 Gartner Magic Quadrant for Endpoint Protection Platforms, on its way to becoming a Leader in the EPP MQ.
• Cisco is a Strong Performer in the Forrester Wave: Endpoint Security Software as a Service, Q2 2021 report.
• In the 2020 MITRE Engenuity ATT&CK Evaluation, Cisco had one of the highest protection rates of all vendors. This report must be taken in conjunction with the AV-Comparatives report, where Cisco was named a Strategic Leader.
• In the Radicati Endpoint Security Market Quadrant 2020, Cisco Secure Endpoint received the highest rating and was named an Endpoint Security Top Player.
• Cisco Secure Endpoint was named a Strategic Leader in the Endpoint Prevention and Response (EPR) 2020 Comparative Report. Secure Endpoint had one of the lowest costs per endpoint over a five-year period, with the highest-rated prevention and response capabilities.
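The VSS weakness above and the "Rollback for ransomware mitigation using VSS" row both rest on one fact: ransomware usually destroys the shadow copies before it encrypts, so a snapshot-based rollback has already been defeated by the time it is needed. Whichever endpoint product is in place, a SecOps team wants telemetry that fires on that destruction step. The following is an added example written for this page, not Cisco or SentinelOne code: a small set of detection rules for shadow-copy and recovery tampering (ATT&CK T1490) run over process-creation events. The event shape, rule names and sample log lines are all constructed for the example; the command lines the rules match (vssadmin delete shadows, vssadmin resize shadowstorage, wmic shadowcopy delete, Win32_ShadowCopy deletion from PowerShell, bcdedit recoveryenabled no, wbadmin delete catalog) are the ones commonly seen in ransomware.

```python
"""Detect shadow-copy / recovery tampering (ATT&CK T1490) in process events.

Hypothetical example, not vendor code. Events are a constructed shape similar
to Sysmon Event ID 1 / EDR process-creation telemetry.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    pid: int
    user: str
    parent_image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    host: str
    pid: int
    rule: str
    cmdline: str  # normalized command line that matched


# Rule names are invented for this example. Each regex runs against the
# normalized command line produced by normalize().
RULES = [
    ("vss_delete_shadows",
     re.compile(r"\bvssadmin\b.*\bdelete\b.*\bshadows\b")),
    ("vss_shrink_shadowstorage",
     re.compile(r"\bvssadmin\b.*\bresize\b.*\bshadowstorage\b.*/maxsize=")),
    ("wmic_delete_shadows",
     re.compile(r"\bwmic\b.*\bshadowcopy\b.*\bdelete\b")),
    ("powershell_delete_shadows",
     re.compile(r"win32_shadowcopy.*(remove-wmiobject|remove-ciminstance|\.delete\()")),
    ("bcdedit_disable_recovery",
     re.compile(r"\bbcdedit\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)")),
    ("wbadmin_delete_backups",
     re.compile(r"\bwbadmin\b.*\bdelete\b.*\b(catalog|systemstatebackup|backup)\b")),
]


def normalize(cmdline: str) -> str:
    """Lower-case, strip quotes and '.exe', collapse whitespace, so that
    '"C:\\Windows\\System32\\VSSADMIN.EXE"   Delete  Shadows' and
    'vssadmin delete shadows' hit the same rule."""
    s = cmdline.lower().replace('"', "").replace("'", "")
    s = re.sub(r"\.exe\b", "", s)
    return re.sub(r"\s+", " ", s).strip()


def classify(cmdline: str) -> Optional[str]:
    """Name of the first matching rule, or None when the line looks benign
    (e.g. 'vssadmin list shadows', which an admin or backup job runs)."""
    norm = normalize(cmdline)
    for name, pattern in RULES:
        if pattern.search(norm):
            return name
    return None


def scan(events: List[ProcessEvent]) -> List[Finding]:
    findings = []
    for e in events:
        rule = classify(e.cmdline)
        if rule is not None:
            findings.append(Finding(e.host, e.pid, rule, normalize(e.cmdline)))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, List[str]]:
    """Host -> sorted list of distinct rules that fired, for triage."""
    by_host: Dict[str, set] = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.rule)
    return {h: sorted(r) for h, r in by_host.items()}


# Constructed sample telemetry: two benign admin lines, then the sequence a
# ransomware loader typically runs before encrypting, on two hosts.
SAMPLE_EVENTS = [
    ProcessEvent("ws-0042", 4120, "CORP\\backupsvc", "services.exe",
                 "vssadmin.exe list shadows /for=C:"),
    ProcessEvent("ws-0042", 4131, "CORP\\backupsvc", "services.exe",
                 "vssadmin.exe list shadowstorage"),
    ProcessEvent("ws-0042", 5208, "CORP\\jdoe", "invoice_2021.pdf.exe",
                 '"C:\\Windows\\System32\\vssadmin.exe" Delete Shadows /All /Quiet'),
    ProcessEvent("ws-0042", 5213, "CORP\\jdoe", "invoice_2021.pdf.exe",
                 "wmic.exe shadowcopy delete"),
    ProcessEvent("ws-0042", 5220, "CORP\\jdoe", "cmd.exe",
                 "bcdedit /set {default} recoveryenabled No"),
    ProcessEvent("srv-fs01", 918, "CORP\\adm-mk", "powershell.exe",
                 'powershell -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"'),
    ProcessEvent("srv-fs01", 921, "CORP\\adm-mk", "cmd.exe",
                 "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"),
]


if __name__ == "__main__":
    for host, rules in summarize(scan(SAMPLE_EVENTS)).items():
        print(host, rules)
```

The benign list/inspect lines stay silent, while the five tampering commands are reported per host. In a real deployment the interesting signal is the combination: a non-admin user, an unusual parent image such as a document-named executable, and any of these rules within a short window. If any of them fires, a VSS-based rollback on that host is no longer something to count on, which is the practical reason a behavior-blocking engine has to act before this step rather than rely on a snapshot afterward.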

Call to Action

Ensure the Cisco Secure sales team is engaged, when necessary, to understand all aspects of Cisco Secure Endpoint.
Use the AMP Everywhere architecture by leveraging Cisco Secure Endpoint as a beachhead for upselling Cisco Secure Firewall and other opportunities.
If ELAs apply, ensure the customer is aware of all the licensing options for Secure Endpoint.

Links

Cisco Security
Cisco Secure Endpoint At-A-Glance
Cisco Security Product Page
Cisco SecureX
Cisco Secure Endpoint Overview
Cisco Talos

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S.
and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their
respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. 2504119 | 08/21
