ATA Battle Card-CiscoAMP Mar2015

7/17/2019 ATA Battle Card-CiscoAMP Mar2015

http://slidepdf.com/reader/full/ata-battle-card-ciscoamp-mar2015 1/6

HP ESP Sales Enablement: ATA Competitive Battle Card

HP TippingPoint Advanced Threat Appliance Family (ATA) vs. Cisco AMP

Competitor Overview

Cisco acquired Sourcefire in 2013 to boost Cisco’s cyber security offerings and speed development of its security strategy for defending, discovering and remediating advanced threats. Sourcefire was a lucrative acquisition target considering its product line (NGIPS, NGFW) and leader position in the 2013 Gartner IPS MQ. Furthermore, Sourcefire has a large and often loyal community of users that is familiar with the underlying SNORT Intrusion Detection System (IDS) language upon which Cisco’s commercial IDS product is based. Cisco leverages this familiarity to help extend their reach into organizations with complementary solutions, including their AMP product line. Cisco AMP (formerly Sourcefire FireAMP) is available for endpoints, networks, and private clouds, and scored very well in the 2014 NSS Labs Breach Detection Systems (BDS) tests.

Note: Cisco appears to be in the process of deprecating the Sourcefire brand, and is rolling the technology into the larger Cisco name. They are removing all sourcefire.com sites, and are removing the “Sourcefire” and “Fire” brandings from their products. More information can be found here: http://www.sourcefire.com/solutions/advanced-malware-protection.

Competitive Comparisons

Competition for the HP TippingPoint ATA is the Cisco AMP Network Advanced Threat Appliances; Cisco does not offer a Mail-based ATA product.

Product | HP TP ATA - Network 250 | Cisco AMP7150 | HP TP ATA - Network 500 | HP TP ATA - Network 1000 | Cisco AMP8150 | HP TP ATA - Network 4000
Capacity | 250 Mbps | 500 Mbps | 500 Mbps | 1 Gbps | 2 Gbps | 4 Gbps
Data Ports | 4 x 1 Gb 4 x 1Gb 8 SFP 4 x 1Gb 8 SFP 4 x 1Gb 3 x 4-port RJ45 netmods 4 x 1Gb; 2 x 10Gb
Sandboxes | 1 | Unknown | 2 | 4 | Unknown | 20
Ports/Protocols | Unlimited/over 80 | Limited/8 | Unlimited/over 80 | Unlimited/over 80 | Limited/8 | Unlimited/over 80
Asymmetric Support | Yes | Yes | Yes | Yes | Yes | Yes
Form Factor | 1 Rack Unit | 1 Rack Unit | 1 Rack Unit | 1 Rack Unit | 1 Rack Unit | 2 Rack Unit

Cisco Strengths

1. Excellent test results in the 2014 NSS Labs Breach Detection Systems (BDS) Security Value Map™, although this was bolstered in large part by the use of the Endpoint AMP.

2. Deep integration with other Cisco technology, including FirePOWER and FireSIGHT

3. FirePOWER hardware platform and FireSIGHT management console score well in client shortlists and independent tests respectively. Cisco is highly visible on Gartner client IPS shortlists, especially in the government market, in part due to their headquarters location in Maryland.

4. AMP technology available for multiple platforms, including endpoints, networks, and private clouds

Blocks to use against Cisco

What They Will Claim: Deep Discovery uses legacy signature-based technology

Our Response: Deep Discovery does use signature-based technologies to rapidly identify any known malware and advanced threats. However, this is one of multiple engines, algorithms, behavior monitoring, and other detection technologies used to identify all aspects of the targeted attack lifecycle.

Flip the conversation and highlight that Cisco only monitors 7-8 protocols as compared to the HP TippingPoint ATA monitoring over 80 protocols to provide a broader range of protection against multi-vector attacks.

What They Will Claim: Cisco AMP is deeply integrated into the Cisco Sourcefire solution set

Our Response: While that is true, do customers really want to sacrifice security with false positives in their IPS, which directly affects their overall network performance?

SNORT has long had problems with false positives, and the true aim of FireSIGHT technology is to minimize false positives by reducing the total number of signatures applied.

HP TippingPoint’s vulnerability-based filters, backed by the DVLabs security intelligence team, are simply better written with minimal false positives to protect against entire vulnerabilities, not just known exploits. This is an important distinction because if only exploit signatures are used, any future mutations of an exploit will not trigger that signature. In addition, through the HP Security Research Zero Day Initiative (ZDI), HP TippingPoint can provide filters to protect against application vulnerabilities before the application/OS vendor has provided a software patch.

Moreover, FireSIGHT knowledge takes a customer as long as “4 months” to tweak compared to setting up a ThreatDV reputation feed to HP TippingPoint at the time of installation.

What They Will Claim: Cisco AMP protects more because it combines network and endpoint protection together

Our Response: HP TippingPoint ATA does not require an endpoint agent to perform remediation; instead, HP TippingPoint uses integration with SMS to automatically take action against infected endpoints using the network IPS, including quarantining, rate limiting, or completely blocking access for infected systems.

The endpoint agent is an additional cost and management console. This could be a major hassle in larger environments where there is a network team and an endpoint team as the Cisco agent will force these two groups to work together and require the endpoint team to test the agent ensuring it doesn’t cause problems with the corporate image. Additionally, this may require extensive testing and validation for the corporate gold image every time a new version of the endpoint agent is released.

Furthermore, more and more organizations are adopting BYOD, making it very difficult to ensure all devices have the endpoint agent installed. If the solution is truly reliant on the endpoint agent for complete protection, this can lead to holes in security.

Cisco Weaknesses

1. Weak non-sandbox detections for activity like C&C and attacker communication.

2. Cisco AMP’s sandboxing has limited customization, meaning customers may not be able to configure it to their exact specifications. Attackers can use generic evasion techniques to avoid detection, including checks for operating system, license file, language, and more.

3. Customers need both AMP for Networks and AMP for Endpoints to see highly effective detection and blocking.

4. Lack of integration with SIEM solutions. HP TippingPoint solutions integrate with HP ArcSight, allowing customers to do more with their investments in a faster, more automated way.

5. Lackluster Security Research - Question how well it protects against targeted attacks leveraging zero-day and variant vulnerabilities and exploits.

Traps to set against Cisco

Ask the Customer:

How do you detect targeted attacks and advanced threats with appliances that do not monitor all network ports?

How do you detect targeted attacks and advanced threats on unsupported protocols?

How do you detect lateral movement and evolving attacks with appliances that are located on the perimeter?

Our Response: Make sure you are protecting your network from all phases of the attack lifecycle. The HP TippingPoint ATA – Network is network agnostic and scans all ports across over 80 protocols to provide a broader range of protection against a multi-vector attack.

Ask the Customer: How do you counter new and emerging threats with inferior Security Research?

Our Response: Don’t sacrifice your security just because they are a recognized name. In 2013, HP TippingPoint won the Company of the Year Award for Vulnerability Research from Frost and Sullivan (fourth year in a row) with a market leading 25% of the market share in vulnerabilities reported. This translates to HP TippingPoint having the most effective vulnerability research and filters. This enables customers to effectively block exploits and attacks to improve their security posture up to six months before other vendors.

Ask the Customer: How concerned are you about security effectiveness and false positives?

Our Response: In the Breach Detection Systems (BDS) NSS Labs report, the Trend Micro software that is included in the HP TippingPoint ATA topped the list in security effectiveness with a score of 99.1%. This is impressive but what is more impressive is the fact that they achieved this high score with 0% false positives. Additionally, it is worth noting that this test only covered three protocols – HP TippingPoint ATA-Network supports more than 80, meaning your effectiveness will not be compromised when attackers use less common protocols in their attacks.

2014 NSS Labs Breach Detection Systems (BDS) Security Value Map™

Note: for internal use only; do not leave this behind with a customer. New test results are due mid-2015.

What are HP TippingPoint ATA - Network Appliance Strengths?

360° detection means your network security will be better, broader, and more accurate

Detects malware, C&C, lateral movement, and attacker activity.

Zero-day and known threats for all internal and external traffic across any network port on over 80 protocols and applications and any IP based device that is generating network traffic.

Detect the malware targeted at your organization with custom sandboxing

Identifies custom malware targeting your organization (for example, your Windows license, language, applications, etc.)

Thwarts evasions based on configuration checks (generic license, English language, known FE/other specs, etc.)

Security Effectiveness

A network security solution is only as effective as the research organization that stands behind it. The combination of the HP TippingPoint DVLabs security intelligence team and the HP Security Research Zero Day Initiative (ZDI) forms the basis of the best security research team in the world. Between 2007 and 2013 HP was acknowledged for its vulnerability research leadership for Adobe and Microsoft.

A complete solution

Only HP offers an enterprise-class advanced threat solution that integrates with HP TippingPoint Next Generation network security solutions and HP ArcSight, providing complete detection, logging, correlation, and remediation for security events as they occur.

Additional Resources

TippingPoint Sales Portal

ESP Sales 

ESP Competition

ATA Blog: Network Security: No need to drop, cover and hold on  

Competitive Bottomline: Cisco Buys Sourcefire

Competitive Bottomline: Cisco to Acquire ThreatGRID

Frost & Sullivan: Analysis of the Global Public Vulnerability Research Market in 2013

Contacts

Mike Plavin, Technical Product Marketing Manager

TJ Alldridge, Product Marketing Manager