
Harmony Unified Competitive Battle Card


©2021 Check Point Software Technologies Ltd. 1


Battle Card – Harmony Endpoint
OVERVIEW

Harmony Endpoint is the industry’s most comprehensive security for endpoint devices, protecting users wherever they go. Combining advanced behavioral analysis and machine learning engines, and powered by the largest threat intelligence hub in the world, Harmony Agent proactively prevents, detects, and remediates even the most evasive malware attacks.

THE CHECK POINT ADVANTAGE

Harmony Endpoint is the most comprehensive endpoint security solution:
• Only endpoint security solution that combines a wide array of threat prevention engines including traditional and advanced threat prevention, data protection, EDR, VPN and more
• Leverages many innovative technologies including deep behavioral analysis and machine learning to deliver the highest catch rates and lowest false positives
• Single unified agent enables security teams to reduce costs and streamline processes

MARKET LANDSCAPE

Harmony Endpoint falls within the endpoint security market. Endpoint security covers solutions that tightly integrate threat prevention, detection and response. It includes traditional endpoint protection capabilities, and endpoint detection and response (EDR).

According to The Insight Partners, the global EDR market is expected to grow from USD 786M in 2017 to USD 5.82B by 2025 at a CAGR of 28.8% between 2018 and 2025.

The competition in this market is comprised of mainly smaller point product vendors, as well as several traditional threat prevention vendors. Check Point is well-positioned with a complete solution.

Need more info? Contact Threat_Prevention_Sales@checkpoint.com


ELEVATOR PITCH – TOP 3 SELLING POINTS

Harmony Endpoint is the only endpoint security solution that:
• Prevents evasive zero-day attacks
• Automatically and completely remediates the entire cyber kill chain
• Automatically analyzes and investigates security incidents to provide actionable insight and understanding of security posture

SALES RESOURCES

• Internal Resources
• Partner Resources
• Public Resources

Product Information available includes:
• Customer Presentation
• Product Page
• Datasheet
• FAQ
• Videos
• And More

[Diagram: MAKING DETECTIONS ACTIONABLE. Labels: Automated Incident Analysis; PROTECTION AND CONTAINMENT; FORENSICS AND RESPONSE; Policy Changes; IOC Updates; Remediation; IMPROVE SECURITY POSTURE]
Battle Card – Harmony Endpoint
How to Compete Against... Security Vendors

Cortex XDR Agent (Traps)
• Forensics of malicious activity is limited – cannot reveal full attack chain
• Cannot detect post-infection communication (C&C)
• Cannot upload files to emulation, it only sends the ‘PE’ part of the file
• End-of-support for on-premise solution
• Logging is limited to 30 days (or very expensive if extended)
• Cannot perform file scrubbing (TE)
• Requires additional solution for protection against phishing or URL Filtering

• Cylance lacks file emulation and does not have multi-layer protection
• Cylance cannot restore the OS to its previous safe state
• Cylance has limited capabilities for detecting script-based malicious files
• CylanceProtect lacks advanced forensics. For info about story line, customer needs to purchase CylanceOptics, which adds to total TCO (also 2 agents on host)

• Very limited pre-defined reporting – requires SIEM
• AMP client records only files, registry, process, and media. This does not always allow for tracking of the attack execution tree
• Requires multiple agents, AMP, AnyConnect and potentially others.
• Requires an extra appliance for data storage
• Cannot automatically identify entry point and damage
• Very weak anti-exploit engines – leaving hosts vulnerable
• Relies heavily on signature updates and a lower ransomware detection rate offline
• Limited capabilities for Macro and Script based malicious files
• Ransomware restoration feature is prone to bypass because it relies heavily on “windows shadow copy service”
• Lacks a sandboxing and file scrubbing solution, does not detect zero-days

• TrendMicro unable to detect ROP, leaving endpoint exposed
• No preemptive approach to protect against threats, whereas Check Point delivers zero-malware documents with threat extraction
• Must deploy ‘Deep Discovery’ server in the organization for file emulation.
• Requires the deployment of an additional OfficeScan server for off-premise connection and protection, a total of 4-5 servers need to be deployed (DDA, CM, Smart Protect, EDR server) → Cumbersome deployment & high TCO

Microsoft
• Sandbox is limited to PE files only - .exe, .dll and macros in office + PDF
• Cannot prevent ransomware or restore encrypted files automatically, requires manual “folder locking” to reduce attack surface, and relies on weak Windows shadow copies mechanism
• Weak automated incident analysis – requires hours of incident response expertise investigations to understand the attack scope

Feature Comparison

Security Vendors (column order): Check Point | Palo Alto Networks - Traps | Cylance | Cisco-Amp | Sentinel One | Trend Micro | Microsoft ATP

[Heat Map (internal only): per-vendor ratings were graphical; footnote markers that appeared in a row follow it in parentheses.]

• Sandbox (1, 1, *, 1)
• Threat Extraction (2)
• Bot Detection / Prevention (C&C)
• Ransomware Prevention
• Data Restoration (“Roll Back”) (*, *)
• Zero Phishing
• URL Filtering

Endpoint detection and response (EDR)
• Forensic investigation value
• Containment & Remediation
• Hunting capabilities

TCO
• Annual price/user (100 users): $3,500 | $9,000 | $5,850 | $6,600 | $6,500 | $3,200 | $14,400

Summary
• Additional Security (FW, HIPS, APLC, URLF, ME, FDE)
• Vendor Provides Mobile Solution (3, 4)
• Full Endpoint Solution

1. Portable Executable Headers only
2. Only for email files, with additional licensing
3. Android protection only
4. Bitlocker for encryption only
Battle Card – Harmony Endpoint
How to Compete Against... Security Vendors

Sophos
• Must export endpoints from Sophos “Enterprise Console” to “Central Endpoint Mgmt” to have its CryptoGuard capabilities. This adds to deployment complexity and additional labor hours
• Sandbox is only part of their Firewall / Email solution – additional costs
• Unable to deliver files safely – lacks threat extraction

• Lacks dedicated ransomware detection techniques
• Must have Sandbox subscription on the organization’s gateway to submit the file to emulation
• No data restoration option in case ransomware encrypts a host
• Requires Ensilo solution (new acquisition, more TCO) for Forensics features
• Data restoration capability is based on Windows Shadow Copy, which can be deleted by sophisticated ransomware.
• No threat extraction capability. Files are either passed or blocked, leading to a high false positive rate and uncleaned docs passing.
• Mainly focused on End-Point Protection and Forensics – a security vendor that provides partial security and requires additional security vendors.
• Lacks zero phishing engine and URLF, APP Ctrl or disk/media encryption
• Requires hours of manual threat hunting instead of automated analysis
• Forensic analysis requires a high level of expertise from IT staff
• High TCO and labor hours for deployment – requires deployment of 2 separate clients, one for forensics and another for prevention
• Did not receive a “Recommend” award on 2019 NSS Labs “Advanced Endpoint Protection”, due to high TCO
• Does not have a Threat extraction solution (CDR), nor Anti-phishing
• Sandboxing emulation time can take more than 10 minutes – separate solution → increased TCO
• Requires additional product for EDR and forensics visibility
• Requires additional solution for Sandboxing
• By default it has no remediation; it is disabled to improve performance
• Does not include Anti-phishing or Anti-bot engines
• Switching policies in McAfee requires uninstallation of the agent and installing a new one
• Lacks intelligent backups / data restoration capability. Compromised hosts cannot be restored
• Sandboxing solution is limited to 10 MB in the cloud, and requires on premise appliance for threat emulation of larger files
• High false positive rate, too many alerts on Admins’ & Users’ dashboard
• Requires Symantec WSS (WTR) for securing roaming users – additional product in the cloud that requires routing traffic

Feature Comparison

Security Vendors (column order): Check Point | Sophos Intercept X | FortiClient/EDR | Crowd Strike | Carbon Black | McAfee TP | Symantec

[Heat Map (internal only): per-vendor ratings were graphical; footnote markers that appeared in a row follow it in parentheses.]

• Sandbox (*)
• Threat Extraction
• Bot Detection / Prevention (C&C)
• Ransomware Prevention
• Data Restoration (“Roll Back”) (3)
• Zero Phishing
• URL Filtering

Endpoint detection and response (EDR)
• Forensic investigation value (4)
• Containment & Remediation
• Hunting capabilities

TCO
• Annual price/user (100 users): $3,500 | $3,190 | $800 | $18,000 | $6,700 | $2,800 | $4,200

Summary
• Additional Security (FW, HIPS, APLC, URLF, ME, FDE) (*)
• Vendor Provides Mobile Solution (2, 1)
• Full Endpoint solution

1. Skycure – Symantec - Broadcom
2. Zimperium OEM
3. Cannot restore post-encryption
4. With Ensilo (much higher TCO)
5. FortiEDR Product
* Refer to competitor bullets
Battle Card – Harmony Endpoint
TARGET AUDIENCE AND QUESTIONS TO ASK

DIRECTOR of SECURITY; CIO or CISO; IT / INFOSEC MANAGERS

• How do you enable employees to work remotely and protect the organization against bot infection and zero-day threats?
• How do you protect against unknown malware or zero-day attacks on the endpoints of employees working remotely?
• How often do you have to remediate malware infections introduced by remote employees?
• How quickly can your incident response team contain infections introduced by a device used by an employee working remotely?
• How do you identify and contain infections introduced by remote employee devices?
• How do you identify machines infected with unknown malware caused by user download of files from USB/storage devices?
• What challenges exist that limit the organizational ability to rapidly return to normal business after a security event?
• How long does it take for your IRT to identify threats and understand attacks, damage scope & entry point?
• How do you identify an infection? What tools do you have to determine the root cause and the scope of the damage?
• How do you and your IRT determine how to respond to an attack or infection?
• What visibility do you have into security events that occur on endpoint devices across your enterprise?
• How long does it take to analyze and respond to incidents? What tools are available for forensics analysis?

OBJECTION HANDLING

We already have full AV deployment on the network and all of the endpoints
AV products can only protect from known attacks (based on signatures). Determined attackers can easily modify known malware to evade detection by AV. Our solution is not intended to replace existing antivirus solutions, it augments them.

We are already doing sandboxing on the network
Harmony Agent complements sandboxing by also protecting remote users browsing or reading email while outside the perimeter. It also provides forensics with actionable incident analysis for a deeper understanding of the full attack cycle.

We already have an IR agent from Tanium or Carbon Black
Harmony Agent provides the additional critical ability to protect from zero-day threats. Automated incident analysis generates a detailed view of attack flow automatically, rather than as a time-consuming and highly manual operation.

TOP POSITIONING TIPS FROM THE FIELD

1. Highlight that we have the best prevention capabilities with Check Point’s industry-leading CPU-level sandbox, unique Threat Extraction, and Anti-Bot capabilities – as well as powerful forensic analysis. Most solutions do one or the other, not both.
2. Emphasize the importance of automatically analyzing the business impact, entry point and flow of the attack. Other solutions require manual analysis which is time-consuming, forcing organizations to decide which events require further analysis.
3. Include the IR and SoC teams in the conversation. They are economic buyers who provide an additional path to sales, and will see significant value especially with forensics.
4. For existing customers elaborate on their ability to capitalize on their investment with Check Point and extend Harmony to endpoints with minimal effort, while gaining advanced forensic capabilities.
5. Harmony Agent is the only endpoint security solution that automatically and completely remediates the entire cyber kill chain to shorten response time

SUMMARY – ENSURING THE WIN

Check Point Harmony Agent extends our industry-leading zero-day protection to endpoint devices to stop advanced threats. By continuously monitoring activity on the endpoint, and automating analysis when threats are detected, Check Point Harmony Agent forensics enables organizations to dramatically reduce the time required to understand, triage, and respond to attacks, minimizing potential damages and related costs.
[Confidential] for designated groups and individuals
Battle Card – Harmony Mobile
Overview

SandBlast Mobile is the market leading Mobile Threat Defense (MTD) solution, providing enterprises with a comprehensive security solution that protects devices against advanced mobile cyberattacks and secures corporate data and access to internal resources, while ensuring employees’ privacy and productivity.

Most comprehensive solution: The only solution that provides advanced mobile threat prevention across:

Infected Apps
Detects and prevents the download of malicious apps, zero-day malware

Network Attacks
Detects Man-in-the-Middle attacks, poisoned Wi-Fi networks, phishing attacks on any platform, malicious URLs, and blocks C&C communications (Anti-Bot), Prevents DNS service attacks

OS Exploits
Detects OS vulnerabilities, misconfigurations, advanced rooting and jailbreaking

Elevator Pitch – Top 4 selling points

• Only solution to do a full suite of preventive network security (Zero-Phishing, Safe Browsing, Anti-Bot, Conditional Access, URL Filtering, Download prevention of malicious apps and files) on-device.
• Industry’s highest threat catch rate
• Industry’s largest team of elite researchers and security analysts proactively investigating customers’ live mobile cyberattacks
• Exceptional user experience; immediate detection and removal of threats without degrading device performance

Top positioning tips from the field

TIP 1: Only solution to do a full suite of preventive network security on device. Extends Check Point’s 25 years of network security experience
TIP 2: Performed better than all leading competitors in Miercom Industry Assessment for Mobile Threat Defense (September 2019), detecting and blocking 100% of all tested threats
TIP 3: Check Point researchers discovered more zero-day malware and mobile OS vulnerabilities than any other vendor from 2015-2018 (Android Security 2016 Year in Review)
TIP 4: Leverages real-time data from Check Point ThreatCloud, the industry’s largest threat intelligence engine with inputs from network, cloud, endpoint, and mobile products through 150,000 security gateways

Sales Enablement Resources

Success Stories
NHS England
Mutua Universal
Mississippi Secretary of State
Telefonica

Relevant Videos
Introducing SandBlast Mobile
SandBlast Mobile Architecture

Product Page
SandBlast Mobile product page
Check Point Internal

3rd Party Report Reference:
Miercom 2019 Report

Target Market / Buyer

Target Market
• Sweet spot: Regulated industries, such as Financial Services, Healthcare, State & Local Government and businesses with BYOD programs.

Decision Makers:
• Strategic – CIO or CISO
• Primary – Head of Mobility, Head of Security, Head of IT, Head of End-User Computing
• Secondary – Director of Security, Director of IT
Battle Card – Harmony Mobile
How to Compete Against... MTD vendors

• Inferior Catch rate - The solution has weak dynamic analysis capabilities which leaves the organization exposed to Zero-Day malicious apps risks
• Lookout solution only alerts and does not prevent app installation, making it a risk assessment platform; not a security solution
• iOS app limitation – For iOS application protection, an organization must have a MDM or deploy the private API that is not available on the store. The app store app doesn’t install a profile on the device
• Policy enforcement delays – Policies can take up to 24 hours to apply

• Limited detection methods – the solution uses behavioral analysis only to detect malicious activity on the device, leaving it exposed to more sophisticated attack vectors
• Does not support “Safe Browsing”, URL Filtering and Anti-Bot in case connection has been established to C2C
• Very weak risk assessment for analyzed apps, and very basic app filtering capabilities - making it problematic to investigate malicious apps

• High False Positive in network detection – Symantec’s client will alert on EVERY captive portal network as malicious network. Admin will have to manually configure a ‘trusted network’ to reduce the false positive alerts, adding to security admin labor hours
• Lacks Anti-Bot protection to protect data leakage to C2C
• Symantec’s future is uncertain after being acquired by Broadcom and later sold in pieces to Accenture
• Requires Symantec WSS for Conditional Access and Safe Browsing – additional costs

• Focused on data consumption optimization rather than security – Check Point is a 100% security company
• Privacy invasion – all mobile traffic is being inspected. Almost all enterprises do not allow such abuse of privacy
• Lacks on-device anti bot protection
• Weak iOS Prevention – cannot block malicious iOS profiles / side loaded apps

• Partial protection – Palo Alto Wildfire can analyze only Android applications. It has limited ability to protect against iOS based attacks and exploits
• Doesn’t scan the device risk score and can’t protect against device vulnerabilities
• For URLF and safe browsing capabilities, admins must have additional solution – Global Protect, with a different client, console and policy management

Feature Comparison

MTD vendors (column order): Check Point | Lookout | Zimperium | Symantec Skycure | Wandera | PAN Cortex

[Heat map: per-vendor ratings were graphical; footnote markers that appeared in a row follow it in parentheses.]

• Detect unknown malicious apps (1, 1)
• Detect malicious networks (MitM) (2)
• Phishing Protection (7)
• Safe Browsing (4, 7)
• Anti Bot (7)
• Conditional Access (4, 4, 8)
• URL Filtering (7)
• Client UX (3, 3, 3, 3)
• Reporting (-)
• Threat Intelligence

PRICE
• 1 Device / 1Y: $48 | $63.6 | $72 | $56 | $48 | $70

Summary
• A complete MTD Solution

1) Behavioral Analysis only
2) High False Positive rate
3) On Demand Scan Request
4) VPN activation - routing traffic from the device
5) Data collection and research team
6) On Android only
7) Must have Global Protect, traffic is routed
8) Only with MS Intune
Battle Card – Harmony Mobile
How to Compete Against... MTD vendors

• Does not support deployment inside Android Enterprise Work Profile
• Requires iOS supervised devices
• Must use additional solution (Sophos Mobile)
• Does not detect iOS side-loaded apps
• Does not have any engines to analyze iOS apps (see potential risks)
• Lacks Anti-bot, cannot prevent C&C communication
• Does not support URL filtering
• Cannot block installation of a malicious app – alert only
• Lacks URL Filtering and Anti-Bot in case connection has been established to C2C
• Very small company with limited intelligence sources
• Does not detect zero-day malicious apps
• Not available on Google Play or App store
• Does not detect zero-day phishing
• Lacks Anti-Bot protection to protect data leakage to C2C
• Does not support corporate resource conditional access – company assets are not protected if device is compromised
• Does not protect against malicious networks (MiTM attacks)
• Requires internal browser for Safe browsing
• Does not protect against social attacks or phishing
• Requires a special browser for secure browsing
• Does not support corporate resource conditional access – company assets are not protected if device is compromised
• Cannot block unwanted site categories (URLF)
• Partial protection – It has limited ability to protect against iOS based attacks and exploits
• Relies heavily on VPN tunneling and cloud gateway
• Does not protect against malicious networks
• Focus on protecting the device only and not the user therefore it's missing Anti-Phishing with Zero-Phishing and Safe Browsing
• Cannot block unwanted site categories (URLF)
• Lacks Anti-Bot protection to protect data leakage to C2C

Feature Comparison

MTD vendors (column order): Check Point | Better Mobile | Sophos | Cylance | Pradeo | Cisco AMP | McAfee

[Heat map: per-vendor ratings were graphical; footnote markers that appeared in a row follow it in parentheses.]

• Detect unknown malicious apps
• Detect malicious networks (MitM)
• Phishing Protection (3)
• Safe Browsing (1, 3)
• Anti Bot (3)
• Conditional Access (6, 6, 8)
• URL Filtering (7, 3)
• Client UX (2, 2, 4, 4, -)
• Reporting (-)
• Threat Intelligence (5)

PRICE
• 1 Device / 1Y: $48 | $74 | N/A | N/A | N/A | $66 | $60

Summary
• A complete MTD Solution

1) Only with a custom browser
2) On Demand Scan Request
3) VPN activation - routing traffic from the device
4) Device status only
5) Data collection and research team
6) With MS Intune only
7) Small number of categories
8) DLP only
Battle Card – Harmony Mobile
Customer Script / Questions to Ask

According to Gartner, in 2018 mobile attacks almost doubled compared to the previous year, with a surge in unique users. It is also being delivered in a more efficient manner. This puts corporate data at risk for organizations all around the world.
• Do you have visibility into the security of your employees’ mobile devices?
• Do you know whether any of the apps on your employees’ devices are malicious? And if their devices are infected?
• Can your UEM (MDM) block sophisticated threats? (The answer will be universally “No.”)

Objection Handling

I already have an UEM solution
UEMs (new term for MDM/EMM solutions) enable mobile access and provide static policy controls, but do not protect against advanced mobile threats such as malicious apps, phishing, APTs, spyware, and Man-in-the-Middle attacks. SandBlast Mobile detects and blocks threats before they do any damage.

I already have a secure container; it provides all the security I need
Secure containers are designed to prevent unauthorized access or data leakage, but do not protect against all mobile threats. Moreover, they lack visibility on the security posture of the entire device.

I have iOS and believe I am secure
iOS devices are intrinsically more secure than Android. However, iOS devices are not invulnerable, and don’t need to be jailbroken to be breached through attacks like phishing, drive-by malware, and side-loaded apps. Check Point can demonstrate this with a live demo.

I don’t think mobile security is a problem for us
With mobile threats increasing in quantity and sophistication, we see a high infection rate with our customers. In fact, each one of our customers has had at least one malware attack during the past year, with the average being 54. Do you feel confident you have the full visibility into the security posture of your entire mobile deployment?

Summary – Ensuring the win

SandBlast Mobile provides the highest level of mobile security for the enterprise.
• Only solution that detects and remediates OS exploits, infected apps, in-network, phishing, drive-by malware
• Provides full mobile threat visibility and intelligence
• Offers simple deployment and exceptional user experience, fully respecting user privacy and device performance

Selling to Different Positions

CISO, CIO, Head of Security, Head of IT

Cybersecurity concerns:
• Cybersecurity is a prerequisite and key enabler of digital transformation initiatives
• Compliance and business risks (related to cybersecurity)
• Operational efficiencies in IT
• Brand reputation
• Customers and market trust

Mobile security concerns
• Mobile is a new, but very real attack vector; no visibility into mobile threats
• May not be convinced threats are real yet
• Looking to understand how to protect what they don’t control (BYOD)
• Want to be able to provide strong security without impacting user experience or device performance

Our value to them:
• SandBlast Mobile extends controls used in the network and endpoint to mobile devices
• SandBlast Mobile provides highest level of security for mobile
• SandBlast Mobile provides immediate remediation of threats
• SandBlast Mobile provides full visibility into mobile cyber threats
• SandBlast Mobile enables businesses to deploy BYOD without compromising security
• SandBlast Mobile simplifies deployment by integrating with all leading UEM solutions

Heads of Mobility / End-User Computing

Mobile cybersecurity concerns:
• Operational efficiencies in IT
• Policy control and compliance
• Want to be able to provide strong security without impacting user experience or device performance
• Need buy-in and budget from security team

Our value to them:
• SandBlast Mobile adds additional security layer to existing UEM platforms
• SandBlast Mobile allows for easy deployment through any UEM
• SandBlast Mobile provides immediate remediation of threats
• SandBlast Mobile provides full visibility into threats to an organization’s entire mobile deployment
• SandBlast Mobile enables organizations to deploy BYOD without compromising security
Battle Card – Check Point Harmony Connect Internet Access

OVERVIEW

Connecting branch offices directly to the cloud significantly increases security risks to any organization with remote sites. SD-WAN vendors optimize branch connectivity. Now their local Internet breakouts can be protected against sophisticated cyber attacks.

Check Point Harmony Connect delivers enterprise grade security to branches as a cloud service, with top-rated threat prevention, quick and easy deployment, and unified management saving up to 40% in OpEx.

THE CHECK POINT ADVANTAGE

• Check Point CPU-level detection catches even the most sophisticated attacks – including unknown zero day threats and those using evasion techniques.
• Best catch rate of both known and unknown malware, fastest time to verdict (up to 4 min), and fastest update of Threat Intelligence feeds.
• Unlike other sandboxing solutions that are often deployed in detection mode to avoid delays, SandBlast provides practical prevention capabilities.
• Integrated architecture leverages existing branch infrastructure, reducing capital costs and implementation time, and providing a single, consistent view into events & alerts.
• Simplified central management and APIs mean branch offices can have enterprise grade security within minutes.

MARKET LEADERSHIP

NSS Labs is a recognized leader in independent security research and testing. NSS Labs’ 2019 Breach Prevention Systems tests named Check Point a top-scoring “Recommended” vendor.
• 98.4% overall security effectiveness
• 100% block rate
• 100% exploit resistance
• 100% malware prevention, email and web
• 0% false positives

Check Point is 20x a Leader in Gartner Enterprise Firewall Magic Quadrant: focused on security, we believe we are recognized as a leader for;
• Advanced threat prevention
• Strong partner ecosystem
• Completeness of security vision
• Central management leadership

Need more info? Contact Threat_Prevention_Sales@checkpoint.com


ELEVATOR PITCH – TOP 3 SELLING POINTS

• NSS Top-Rated Threat Prevention with 100% Cyber Attack Catch Rate.
• Five Minutes to Protect your SD-WAN from the Cloud or On-premises.
• Unified security architecture reduces OpEx costs up to 40% and CapEx by 20%.

“We cut time on managing security by 80% and 90% of our IT security is now automated.” –Phoenix International

SALES ENABLEMENT RESOURCES

Success Stories
• Phoenix International
• Smart & Final

Product Information
• Webcast Replay (internal, partners)
• Product Page (public, PartnerMAP)
• Datasheet (public)
• FAQ (partner)
• Test Plan (internal)
• Free Trial (public)

Videos
• Cloud-delivered Branch Security
• How to Transform Branch Security
• CPU-Level Threat Protection

SD-WAN Partners
• Silver Peak
• VMware

Third Party Analysis
• 2019 NSS Labs BPS Group Test
• NSS Labs 20x Recommended since 2011
• Gartner 2019 Network Firewall MQ
Q1 2021 [Confidential] for designated groups and individuals

Battle Card – Check Point Harmony Connect Internet Access


How to Compete Against... Network Vendors

A. Requires additional purchase – two additional products: Panorama for visibility and management, and Cortex data lake for logs. Check Point provides a simplified web-based management with built-in logging and monitoring
B. Detection, not prevention – WildFire (Sandbox) cannot block threats from entering the network and infecting end point devices and also can’t prevent zero days. It can only alert after the fact
C. Panorama UI is complicated – Onboarding a new branch/new tunnel requires significant time and expertise (see The Agony Meter)
D. Charges by site allocated bandwidth – with a minimum of 200 Mbps pool. This is inefficient since customers will have to allocate more than the average usage

A. Not a cybersecurity-focused company – they do not inspect encrypted traffic in the base bundle while over 85% of internet traffic is encrypted
B. Unproven – Zscaler products have never participated or been tested by any third parties testing like NSS Labs.
C. Lack of coverage – Only protects HTTP and FTP protocols and only over their dedicated ports, meaning any site using a custom port will not be inspected
D. Basic sandbox is extremely limited – Zscaler only offers competitive sandboxing abilities as a paid add-on (more info). In addition, unknown malicious files are allowed by default and can only alert after the fact

A. Lacking security – Cisco Umbrella is good as a first line of defense against security threats, most of their bundles are just not enough and can’t provide the necessary security for a company on its own
B. Complex Management – Cisco Umbrella is not easy or granular for management as they claim, managing individual users requires the implementation of additional virtual appliance on customer site.
C. Basic Firewall capabilities – engines like AV and Malware protection are not applied on non-web traffic
D. Limited Integration – Umbrella doesn’t support integration with any 3rd party SD-WAN device or gateway
E. All vendors except Cisco believe in integration with customer existing networking equipment while Cisco has in house solution which requires replacing

A. Not “Gateway as a Service” – solution is based on physical Fortigate appliances with SD-WAN capabilities
B. Complex Deployment – large deployment with multiple branch offices make their solution hard to manage

Feature Comparison

Vendors (column order): Connect | Prisma | Zscaler | Umbrella

[Heat map: per-vendor ratings were graphical; footnote markers that appeared in a row follow it in parentheses.]

• Security Features (NGTP) (A)
• Security Effectiveness (1)
• Sandbox and CDR Solution (TE/TEX) (2, D)
• NSS Certified
• Management and Logs (3, 4)
• Ease of Deployment (C)
• Performance per tunnel (Mbps): 870 | 500 | 250 | 150
• Protocol Coverage (C)
• Traffic Forwarding Methods [5] (6, 7, 7)
• On Premises Virtual Gateway (VNF)
• Integration with SD-WAN (8, A)
• API / Automation Capabilities (9)
• Price for NGTP: $51/User | $140/Mbps | $96/User | N/A

Summary
• Complete Cloud Security Solution

1. Measured by # of NGTP signatures, size of security research team, incident response and cloud feeds
2. CDR will be added in H2 2021
3. Additional capabilities when managed through SmartConsole
4. Added cost for Panorama and Cortex
5. IPsec, GRE, Client, BGP, DNS, legacy PAC file
6. Harmony connect for Users will be available in Q3
7. PAC file/Proxy chaining method is deprecated by Microsoft (security weakness)
8. Integration with additional SD-WAN partners will be added during Q3
9. Requires extra subscription
Battle Card – Check Point Harmony Connect Internet Access

TARGET AUDIENCE AND QUESTIONS TO ASK

Audience: DIRECTOR of SECURITY; CIO or CISO; IT / INFOSEC MANAGERS

• Is your branch office security at the same level as your corporate security?
• How are your branch offices secured today?
• How often do your users click on links or open attachments, resulting in a need for you to remediate a malware infection?
• How prepared is your organization for malware, APTs and zero-day threats?
• How long does your staff spend updating equipment or security at remote locations?
• Are you concerned about ransomware or targeted phishing attacks?
• Do you have application and threat visibility across your organization?
• Are you adequately staffed to support and manage security for branch office users?
• How does your current sandbox solution handle advanced evasion techniques and encrypted HTTP traffic?

OBJECTION HANDLING

Objection: I am in charge of network equipment only. I don’t deal with security.
Response: Do you centrally manage that equipment using SD-WAN? Are you interested in a maintenance free option for securing your branch offices?

Objection: We already have full AV deployment on the network and all of the end points. Why do we need more?
Response: AV and IPS products can only protect from known attacks (based on signatures). Determined attackers can easily develop custom zero-day attacks that will not be detected. This is why many companies are turning to sandboxing/emulation solutions.

Objection: We have a lot of branches and don’t have the time or budget right now to update them all.
Response: Harmony Connect Internet Access connects to any equipment that supports setting up GRE or IPsec tunnels. We also integrate with SD-WAN vendors to automate site setup, all from a central location.

Objection: Traffic from our branch offices is secured by backhauling traffic through our corporate firewalls. We’re secure.
Response: Check Point can give you the same level of security for your branch offices that you have today and significantly improve application performance to cloud applications from your branch offices. Want to see how?


SUMMARY – ENSURING THE WIN

For enterprises at risk of targeted attacks such as spear phishing and APTs, Check Point Zero-Day Threat Emulation, with its unique CPU-level detection, provides an additional layer of security from even the most sophisticated hackers. Unlike traditional sandboxing solutions that are subject to evasion techniques, Check Point catches more malware, with minimal impact on delivery times to remote branch offices with Harmony Connect.

Promote the Security Checkup (internal, partners) to demonstrate our value proposition.

TOP POSITIONING TIPS FROM THE FIELD

1. Highlight the proven (NSS) best catch rate and evasion resistant detection capabilities, especially with the CPU-level engine.
2. Stress the importance of practical prevention Check Point offers vs. detection only with the other players.
3. For customers with SD-WAN or GRE or IPsec capable branch office equipment, elaborate on their ability to capitalize on their investment and add security with minimal effort.
4. Push for a PoC for customers who are cost or risk-aware. Offer a free trial at portal.checkpoint.com/register/cloudguardnsaas.
Q1 2021 [Confidential] for designated groups and individuals

Battle Card – Check Point Harmony Connect Remote Access

OVERVIEW

Check Point’s Zero-trust Network Access (ZTNA) platform helps IT and security teams to simplify, secure and scale network access across multi-cloud and on-premises infrastructures. Our agentless solution allows teams to manage access to web applications, servers and databases in a single unified location, with full visibility on all user activity.

Harmony Connect Remote Access is an easily deployed SaaS solution that enables customers to quickly take control of their remote access strategy.

THE CHECK POINT ADVANTAGE

• Check Point ZTNA provides users with an agentless, SaaS-like user experience. There is no endpoint agent to install, appliances to deploy, or maintenance to perform. Simply set up a Docker container to create a connection to our cloud proxy.
• Layer-7 access only, eliminating Network-layer access risks, with least-privilege granular policies. Authentication and Authorization are set before the user logs in. Application connectors conceal the datacenter applications creating datacenter blackening.
• Full audit trail of user activity, including full web requests audit and RDP recorded sessions. All audit logs are tied to users’ accounts and devices, and can be exported to your SIEM for additional contextual data. Control access to sessions and block suspicious commands in real time.

MARKET LEADERSHIP

NSS Labs is a recognized leader in independent security research and testing. NSS Labs’ 2019 Breach Prevention Systems tests named Check Point a top-scoring “Recommended” vendor.
• 98.4% overall security effectiveness
• 100% block rate
• 100% exploit resistance
• 100% malware prevention, email and web
• 0% false positives

Check Point is a world-class cyber security leader, known for:
• Advanced threat prevention
• Strong partner ecosystem
• Completeness of security vision
• Central management leadership
• Deployed in production across tens of thousands of corporations

Check Point Remote Access will be enhanced with advanced threat prevention in Q1 2021.

Need more info? Contact Sase-Remote-Access@checkpoint.com


ELEVATOR PITCH – TOP 3 SELLING POINTS

• Zero Trust Network Access with least-privilege granularity for user access to Remote applications
• Five minutes cloud-based, clientless and agentless deployment
• Clientless approach for BYOD and contractors access

“Controlling remote access and visibility to production and development applications is complex Check Point solution is something that no other platform has been able to give before!” CISO of Gett

SALES ENABLEMENT RESOURCES

Product Information
• Product Video (public)
• Webinar Replay (public)
• Product Page: Remote Access (public)
• Product Page: Odo (public)
• Datasheet (public)
• FAQ (public)
• Demo Request (public)
• SASE Wiki (internal)

Partnerships
• Zero Trust Network Access with Check Point and Okta

ZTNA Guides
• Network vs. Application level access
• How to implement ZTNA
• ZTNA Best Practices
• Check Point ZTNA as first step to SASE

Use Cases
• ZTNA for third-party access
• Secure remote access for engineers
• ZTNA in Covid-19 era

Battle Card – Check Point Harmony Connect Remote Access

How to Compete Against...


Vendors

Prisma
A. Requires additional purchase – two additional products: Panorama for visibility and management, and Cortex data lake for logs. Check Point provides a simplified web-based management with built-in logging and monitoring
B. Panorama UI is complicated – Onboarding a new branch/new tunnel requires significant time and expertise (see The Agony Meter). Prisma Access “Cloud managed” lacks essential features and is only available at the Americas region
C. Limited deployment – Prisma Access for Users license is limited to only three “Service Connections” to customer’s DC’s, which prevents resilience and fault tolerance and also limits access to applications in case of multiple DC’s
D. Prone to errors and failures – Deploying service connections (IPSEC tunnel) is cumbersome (Requires proper manual health monitoring plus routing and failover configuration)

Zscaler ZPA
A. Limited to web-based applications in the clientless solution
B. Complicated deployment – requires every application to have a unique DNS record that points to Zscaler servers
C. Separate Management – uses two different MGMT platforms for managing applications and users
D. Lacks Backward compatibility – Only TLS 1.2 web server applications are supported
E. Limited authentication methods – supports Only SAML as the authentication method
F. No SSO capabilities – will require a second login process to access each application
G. Manual steps required – App Connector requires significant manual configuration
H. Requires support involvement – when adding any branch IP addresses

Cisco DUO
A. Not a cloud solution - Cisco Duo is by far the most complex “SAAS” solution. Besides the main system it requires three additional server components within customer’s data centers. This is hard to maintain and configure
B. Limited usability - Cisco Duo supports only Web and SSH-based local applications publishing. Further, SSH requires additional software to be installed
C. No ongoing inspection - Cisco Duo is just an authentication broker. There is zero inspection of the exchanged traffic, allowing an infected valid user to compromise the network
D. Limited connectivity - Cisco Duo lacks a client for traditional VPN connectivity (achievable manually with Any Connect and Cisco GW on-premises)
E. Limited API - e.g. no option for application creation

[Comparison table: Harmony vs. Prisma, Zscaler ZPA and Cisco DUO, compared on Supported Applications (For Clientless users); Network Access Methods; Zero Trust Architecture (Pre-login, user checks); Zero Trust Architecture (Post-Login, Least Privileges control); Authentication; Single Sign On; Ease Of Deployment; Management & Logs; User Activity Monitoring; DevOps & Automation. Cells reference the lettered points above and the numbered notes below.]

Price (per user, per year): Harmony $60 (note 12); Prisma $96 (note 5); Zscaler ZPA $165; Cisco DUO $108
Summary: Complete SDP Solution

1. Requires a software to be installed on user’s computer
2. Agent, portal, direct URL, intra-branch communication
3. Harmony Connect Agent will be available in Q1 2021
4. Support local DB and SAML authentication
5. Not including log storage. New customers will need to purchase extra license for Panorama and Cortex
6. Provide session recording, image capture and http session track, helping in forensics
7. Pre login check capabilities will be added as part of Harmony Connect agent
8. Requires on-prem gateway and proxy for local authentication
9. Doesn’t support any type of SSO method
10. Support unique developers features such as AWS resource discovery
11. No API
12. SB Web included as part of the price for additional browsing protection

Battle Card – Check Point Harmony Connect Remote Access

TARGET AUDIENCE AND QUESTIONS TO ASK

Audience: CIO or CISO; DIRECTOR of SECURITY; IT / INFOSEC MANAGERS

• Is your remote access strategy agile enough to maintain business productivity in uncertain times?
• Have you had scalability or user experience challenges with your existing VPN?
• Is Zero Trust security being adopted in your organization?
• Are you migrating hosted applications to the public cloud? What are your plans for secure remote access?
• How are you ensuring secure developer access to the public cloud?
• Where does remote access fit into your Zero Trust plans?
• How is your organization enabling secure and seamless 3rd party network access?
• Is cloud or network transformation on your radar? How will you address remote access?
• What is your initial zero trust use case?
  - VPN replacement
  - Developer (cloud) access
  - 3rd party network access

OBJECTION HANDLING

Objection: How do we know your cloud based remote access is secure?
Response: Remote Access is a SOC 2 Type II certified SaaS service with support for GDPR data protection controls.

Objection: We have a lot of users on our existing VPN. How do I know your solution will scale?
Response: Remote Access is hosted on AWS with auto-scalability and resilient architecture. We can scale up/down infinitely based on user demand.

Objection: How will your solution handle our performance requirements? We have users and offices all over the world.
Response: Remote Access is hosted on multiple POPs (points of presence) to support a global workforce. Users would connect to their closest POP for fast, seamless and secure access to their applications.

Objection: Our organization has a few legacy “thick client” applications that aren’t going anywhere. How will your solution support us?
Response: Harmony for remote users will be available to support applications that require traditional VPN capabilities. This is delivered and managed via the Infinity portal and either can be deployed to meet requirements.

TOP POSITIONING TIPS FROM THE FIELD

1.) Discuss the advantages and low TCO of our SaaS-based, clientless ZTNA solution:
- Deploys in mins
- Low operational overhead
- Auto-scalability
2.) Highlight our vast protocol support including Web, RDP, SSH and DB
3.) Display Odo’s privileged access capabilities including credential vaulting and recorded sessions
4.) Bring up the ability to support multiple use cases including business workers, DevOps and 3rd parties (contractors, partners, suppliers)

Pro tip #101 - Focus on driving the sales cycle based on solving the business problem vs feature analysis.

SUMMARY – ENSURING THE WIN

Check Point’s Harmony Connect Remote Access is a great solution for enterprises that need to adapt to modern changes including the work from home shift, cloud transformation/migration, M&A integration or B2B 3rd party collaboration. We offer a SaaS based solution that is simple to deploy but also provides advanced Zero Trust Network Access to protect an organization’s internal assets. The shift from perimeter based VPN solutions is happening within most enterprises driven by the need for Zero Trust Network Access.
