
HARMONY ENDPOINT VS.

MICROSOFT DEFENDER FOR ENDPOINT


ELEVATOR PITCH
Emphasize 4 points:
• Harmony Endpoint provides the best protection for both known and unknown attacks whether online or offline.
• Harmony Endpoint provides a unified policy view and a single management console for both EPP & EDR
• Harmony Endpoint protects endpoints at every point of the cyber kill chain with MITRE ATT&CK mapping.
• Harmony Endpoint deploys faster than Defender and is more user-friendly.

THE CHECK POINT HARMONY ENDPOINT ADVANTAGE


Superior Security and Forensics for advanced threats
Unprecedented real-time prevention against unknown malware, zero-day, and targeted attacks
• Harmony Endpoint extends Check Point's advanced threat prevention (Threat Emulation sandbox) to the endpoint.
• Provides a preemptive approach to advanced threats and delivers sanitized documents (Threat Extraction / CDR) while the original is still being analyzed.
• The combination of cloud-based and local engines gives a much higher catch rate when the endpoint is offline:
o A local behavioral engine identifies malicious and suspicious behaviors without a cloud round trip.
o Both static and dynamic machine-learning components are used to thwart even the most evasive malware.
Better Management and visibility
• Unified policy - in Harmony Endpoint the administrator creates one policy in one location, simple and understandable,
compared to Defender's 9 different policies, each configured in a different place.
• Automated Incident Analysis provides a comprehensive view of the attack flow, root cause, business impact and entry point to
enable accelerated remediation. Microsoft Defender adds unnecessary information to its reports that consumes analyst time.
• High catch rates and low false positives ensure security efficacy and effective prevention.
• Harmony Endpoint is a leader in 3rd-party analyses: MITRE 2022, NSS AEP 2020, Forrester Wave, AV-TEST, AVLab.

MICROSOFT DEFENDER FOR ENDPOINT FACTS


Security: Defender is a good enough solution to stop known attacks, but it struggles with advanced attacks
• MS Defender misses more unknown malware when not connected to the cloud: https://tinyurl.com/msdefender-faceoff
o Misses 3x more malicious files when offline.
o Web download protection with Firefox (3rd most popular browser worldwide) is practically useless – 0% prevention.
• IoC – it can take up to 2 hours for an endpoint to receive newly added indicators.
• Sandbox – (see diagram on the next page) Defender for Endpoint cannot protect patient zero from unknown ransomware or
malicious files: the first host is always infected, and the sandbox verdict arrives about 14 minutes later, which is too late.
• CDR (Content Disarm & Reconstruction) – Harmony Endpoint delivers a clean copy of a document instantly, raising the level of
security without affecting business continuity. Microsoft Defender has no equivalent capability.
• MS Defender file restoration – Microsoft's restoration relies on Windows Volume Shadow Copies, which sophisticated ransomware
routinely disables and deletes before encrypting (e.g. vssadmin delete shadows /all /quiet). Microsoft's approach to this issue is:
o Option 1: enable "controlled folder access" – it blocks unauthorized applications from changing protected folders, but a blocked
attempt is only recorded locally in the Defender operational event log (Event ID 1123, or 1124 in audit mode); it is not raised
to the administrator as an alert.
o Option 2: back up user files to OneDrive and restore from there, but this method has several issues:
o It requires an active Office 365 account, which increases TCO.
o It needs an enterprise policy agreement to upload corporate files to the cloud.
o It needs a constant connection to the cloud to keep the backup current.
o Users can accidentally upload malware or already-encrypted files to OneDrive and overwrite the good copies.
o OneDrive does not restore system files that have been corrupted.
o The file restoration process is manual.

Harmony Endpoint Anti-Ransomware is based on evasion-proof proprietary file protection and protects backup in a unique vault
inaccessible to any user or application.
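The weakness this section and footnote 2 of the pricing table both point at is that shadow-copy-based restoration only works if the shadow copies survive. The following added example (not part of this cheat sheet, and not Harmony Endpoint or Defender code) shows the detection logic a behavioral engine needs for that step: it scans process-creation records for the well-known commands ransomware uses to destroy local recovery data and flags hosts where several distinct techniques appear together. The log lines and their field layout are constructed for the example.

```python
"""
Detection of backup/shadow-copy tampering in process-creation logs.

Added illustration for this cheat sheet. The log format below (ts/host/user/
image/cmd key-value lines) is a constructed, Sysmon-like layout assumed for
the example; real telemetry will need its own parser but the same matching.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Command lines ransomware families commonly run before encryption so that
# System Restore / shadow-copy based recovery fails. Matched case-insensitively
# against the full command line.
SHADOW_TAMPER_PATTERNS = {
    "vssadmin_delete_shadows":   r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b",
    "vssadmin_resize_storage":   r"\bvssadmin(?:\.exe)?\b.*\bresize\s+shadowstorage\b.*/maxsize=",
    "wmic_shadowcopy_delete":    r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b",
    "wbadmin_delete_catalog":    r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+catalog\b",
    "bcdedit_disable_recovery":  r"\bbcdedit(?:\.exe)?\b.*\b(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b",
    "powershell_wmi_shadowcopy": r"win32_shadowcopy\b.*\bdelete\(\)",
}
_COMPILED = {name: re.compile(p, re.IGNORECASE) for name, p in SHADOW_TAMPER_PATTERNS.items()}

# One record per line; the cmd value is quoted so spaces inside it survive.
LOG_LINE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+'
    r'image=(?P<image>\S+)\s+cmd="(?P<cmd>[^"]*)"$'
)


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    user: str
    technique: str
    cmd: str


def parse_line(line):
    """Return the record fields as a dict, or None if the line is malformed."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def classify(cmd):
    """All tamper techniques a single command line matches (usually 0 or 1)."""
    return [name for name, rx in _COMPILED.items() if rx.search(cmd)]


def detect(lines):
    """Scan log lines and return one Finding per (line, technique) hit."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed telemetry rather than fail the scan
        for technique in classify(rec["cmd"]):
            findings.append(Finding(rec["ts"], rec["host"], rec["user"], technique, rec["cmd"]))
    return findings


def hosts_with_tamper_chain(findings, min_techniques=2):
    """Hosts where at least min_techniques distinct tamper techniques were seen.
    A single 'vssadmin list shadows' is noise; delete + bcdedit together is a
    ransomware pre-encryption chain and should be escalated."""
    by_host = defaultdict(set)
    for f in findings:
        by_host[f.host].add(f.technique)
    return sorted(h for h, t in by_host.items() if len(t) >= min_techniques)


# Constructed sample telemetry: one ransomware chain on WS-0142, one isolated
# PowerShell deletion on WS-0077, and benign admin activity elsewhere.
SAMPLE_LOG = [
    r'2023-05-02T10:14:03Z host=WS-0142 user=CORP\jdoe image=C:\Windows\System32\vssadmin.exe cmd="vssadmin.exe delete shadows /all /quiet"',
    r'2023-05-02T10:14:04Z host=WS-0142 user=CORP\jdoe image=C:\Windows\System32\wbem\WMIC.exe cmd="wmic shadowcopy delete"',
    r'2023-05-02T10:14:05Z host=WS-0142 user=CORP\jdoe image=C:\Windows\System32\bcdedit.exe cmd="bcdedit /set {default} recoveryenabled no"',
    r'2023-05-02T10:20:11Z host=SRV-BKP01 user=CORP\backupsvc image=C:\Windows\System32\vssadmin.exe cmd="vssadmin list shadows"',
    r'2023-05-02T10:21:40Z host=WS-0077 user=CORP\asmith image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd="powershell -c Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}"',
    r'2023-05-02T10:22:00Z host=WS-0077 user=CORP\asmith image=C:\Windows\System32\wbem\WMIC.exe cmd="wmic os get caption"',
]

if __name__ == "__main__":
    hits = detect(SAMPLE_LOG)
    for f in hits:
        print(f"{f.ts} {f.host} {f.user} {f.technique}: {f.cmd}")
    print("escalate (tamper chain):", hosts_with_tamper_chain(hits))
```

The point of the chain check is the one the cheat sheet makes about patient zero: by the time a cloud verdict on the dropper arrives, the shadow copies are already gone, so the local engine has to act on the tampering commands themselves, not on a file reputation.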

• Defender URL filtering is not user-friendly: browsers present a generic block page, whereas Harmony Endpoint's UserCheck
block page states the reason for the block, engaging end users and improving security awareness.

• Phishing - Defender's "Network Protection" engine uses the Microsoft Threat Insights database to assign a reputation score;
protection consists of blocking known malicious domains and low-reputation addresses.
o Event data collected in Threat Insights is mapped to a reputation score; Defender then holds the connection and checks it
against the score already recorded in that database, so a site with no prior reputation is not caught.

©2023 Check Point Software Technologies Ltd. All rights reserved. Q2, 2023 | 1 [Internal Use] for Check Point employees
Competitive Cheat Sheet

• MS Defender does not surface its own CPU utilization; during an active investigation it jumps to over 21%, about 3x that of Harmony Endpoint.
• Microsoft has always been one of the most vulnerable vendors, should we trust them with security?
o Many cases have been seen in the wild where hackers were able to bypass Windows Defender http://tiny.cc/c0l0vz
o Defender had a serious security flaw for over 12 years & patched in 2021 https://tinyurl.com/3p8bx6a8
o Defender recently created widespread panic with a host of Cobalt Strike false positives https://tinyurl.com/29uh7hmf
• MS Defender behavioral analysis is severely limited (important in stopping unknown variants and zero-days)

Management & Visibility: Defender has limited forensics and requires complex config for full effectiveness.
• Defender requires configuring 9 different policies, separated into different tabs. This is a complex configuration that can lead
to collisions between policies, and there is no unified view of all policies, which increases complexity and is error-prone.
• Onboarding takes up to an hour; until it completes, the device does not appear in the Devices list.
• Dashboard does not display critical alerts, a drill down is required to see the incidents.
• MS Defender forensics of malicious activity requires high level of training.
• MS Defender does not include MITRE ATT&CK mapping to highlight the tactics and techniques used during each attack;
Harmony Endpoint includes this in every Forensic report.
• MS Defender average time to incident remediation is almost 10 minutes, compared to seconds for Harmony.
• MS Defender Threat Hunting requires manually writing complex queries, and the results carry so much noise that it is difficult
for the analyst to spot an ongoing attack. Harmony offers simple, object-oriented queries.
• With Microsoft, to deploy clients, you need to utilize two different dashboards; for security operations, an EDR dashboard
is needed – this adds to the complexity, whereas with Harmony it’s all unified into a single console.

Features & Pricing

KEY CAPABILITY BY VENDOR

Columns: Harmony EP Basic | Harmony EP Advanced | Harmony EP Complete | MS Defender for Endpoint P1 (E3) | MS Defender for Endpoint P2

Capability                                  Note in the MS Defender columns
Host Firewall
Anti-Malware / Antivirus
Anti-Ransomware
Behavioral Guard
Anti-Bot
Anti-Exploit
Application Control
Zero-day Phishing                           Site only for known malicious
Corporate Password Protection               Credential Guard
URL Filtering
Malicious site protection
Ransomware encrypted files restoration      See note 2
Sandbox                                     Cannot provide protection against zero-day
Sanitizes files
Encryption (FDE)
Threat Hunting
MITRE mapping
EDR Ability
Remote Access VPN

Price, 1 User / year: Harmony EP Basic $21 | Harmony EP Advanced $38 | Harmony EP Complete $58 | MS Defender for Endpoint P1 (E3): not competing against this bundle | MS Defender for Endpoint P2: $62.4

1 - No centralized configuration, administration, monitoring, analytics, and reporting
2 - Based on System Restore (Shadow Copy), which is subject to destruction by ransomware


THE FOLLOWING IMAGES ARE SANDBOX INFRASTRUCTURE AND PLANS FOR MICROSOFT DEFENDER

The diagram shows that the first host is always infected: steps 1 to 9 take about 14 minutes, a very long window
before the next victim is protected.

BONUS: CATCH RATE DEMO


Defender VS Ransom 2021 - https://www.youtube.com/watch?v=VXtTgP8JkSk
Defender VS Malware - https://www.youtube.com/watch?v=iWL9cHgYfRw&list=RDCMUCKGe7fZ_S788Jaspxg-_5Sg&index=8

