World leaders recognize: cyber security is top concern

Donald J. Trump, President of the United States
Florence Parly, French Defense Minister

"The cyber war has begun. France must be ready to fight. Cyberspace has become a place of confrontation."

"An existential threat: escalating cyber risks present an existential threat to economic stability and national security."
Recent attacks...
• Jul. 2019, Banking: 100 million accounts breached in the cloud
• Nov. 2019, Healthcare: hospital in "degraded" mode; 2000 beds were at risk
• Dec. 2019, Aviation: malicious cyber attack forces airline to cut flights
Five phenomena in cyber crime
• Cyber crime becomes organized
• Cloud security risks evolve
• Ransomware on the rise
• Mobile malware increase
• New attack vectors: 5G & IoT
Battle Card – SandBlast Network (Q1 2020)
[Internal Use] for Check Point employees

How to compete against...
• Infrastructure overhead: requires 2-4 additional appliances, for email, web and central management. Scanning inside SSL requires a further dedicated appliance.
• FireEye did not participate in the NSS Labs Breach Prevention test; in their own words, FireEye is a detection solution. Poor results in the NSS Labs BDS test and one of the highest weighted-TCO solutions.
• FireEye is mostly about detection of "unknown threats" while neglecting "known" threats.
• WildFire cannot block threats from entering and infecting internal network devices; if a threat is detected, it can only alert after the fact.
• WildFire's default PDF file size for emulation is only 3,072 KB; changing it might lead to stability issues when uploading files.
• It takes up to 48 hours for identified files to be shared with AV gateways around the world.
• WildFire cannot scan email attachments or links that lead to files inside the mail; there is no MTA deployment.
• 3 separate management consoles are needed (FW, NGFW, SWG).
• Unable to perform preemptive actions (threat extraction) to remove active content and prevent threats in documents.
• The solution does not prevent malware but notifies the administrator about the malicious files retroactively.
• Failed the NSS BPS 2019 test with a "Caution" rating and the highest TCO.
• No prevention capabilities: can only detect threats after the fact, with a SPAN port deployment.
• Zero visibility into incoming files over SSL: no SSL inspection, allowing files in encrypted communications to get into the organization.
• More than 2x the TCO of Check Point in NSS BPS 2019 testing, with lower security effectiveness; prone to evasions.

Advanced Threat Prevention Matrix: key capability by vendor
Vendors compared: Check Point, FireEye, Palo Alto, Cisco Sourcefire, Fortinet, Trend Micro, Symantec Bluecoat, Forcepoint, McAfee, Lastline, Proofpoint
Capabilities compared: real-time prevention of unknown malware; files supported; OS support; threat extraction (CDR); protocols; malicious mail prevention; deployment options; reporting & forensics; anti-evasion; endpoint solution; summary (Check Point: a complete threat prevention solution)

Matrix footnotes:
1) Prevention only with email solution
2) Only SPAN port
3) SSLi requires a separate appliance
4) Commercial hypervisor
5) No sandboxing on endpoint
6) Limited functionality, only in Legacy mode
7) Requires additional product/appliance
8) Can't scan SMBv3
Need more info about the matrix ratings? Check out the Heat Map (internal only)
Battle Card – SandBlast Agent (Q4 2019)

Feature comparison, security vendors: Check Point, Palo Alto Networks Traps, Cylance, Cisco FireAMP, SentinelOne, Trend Micro, Microsoft ATP
Features compared: sandbox; threat extraction; bot detection / prevention (C&C); ransomware prevention; data restoration ("roll back"); zero phishing; incident analysis (automated incident analysis, simple IoC search, in-depth search on attack tree, reveal full attack model & damage); TCO (annual price per user, 100 users); summary (additional security: FW, HIPS, APCL, URLF, ME, FDE; vendor provides MTD solution; full endpoint solution)

Annual price per user (100 users): Check Point $3,500; Palo Alto Networks Traps $9,000; Cylance $5,850; Cisco FireAMP $6,600; SentinelOne $6,500; Trend Micro $3,200; Microsoft ATP $14,400

Matrix footnotes:
1. Buy additional solution (Cortex) – scaling costs to keep logs
2. Email files only – with a separate O365 solution
3. Intune (MDM) + MTD from partners
Need more info about the matrix ratings? Check out the Heat Map (internal only)

How to compete against...
• Very intrusive, causing severe compatibility issues with applications
• Forensics of malicious activity is limited and complicated: a raw memory snapshot at the time of infection
• Requires Cortex Data Lake for EDR, making it expensive, with separate UIs
• Cannot detect post-infection communication (C&C)
• Traps cannot upload files to emulation; it only sends the 'PE' part of the files, and must be connected to the organization's ESM server
• Cylance lacks file emulation and does not have multi-layer protection
• Cylance cannot restore the OS to its previous safe state
• Cylance has limited capabilities for detecting script-based malicious files
• CylanceProtect lacks advanced forensics. For information about the story line, CylanceOptics must be purchased, adding to total TCO (and a second agent on the host)
• Very limited pre-defined reporting – requires a SIEM
• The FireAMP client records only files, registry, process and media. This does not always allow tracking of the attack execution tree
• Requires multiple agents: AMP, AnyConnect and potentially others
• Requires an extra appliance for data storage
• Cannot automatically identify the entry point and damage
• Very weak anti-exploit engines, leaving hosts vulnerable
• Relies heavily on signature updates, with a lower ransomware detection rate offline
• Limited capabilities for macro- and script-based malicious files
• Ransomware restoration feature is prone to bypass because it relies heavily on the Windows Shadow Copy service
• Lacks a sandboxing solution; does not detect zero-days
• Trend Micro is unable to detect ROP, leaving the endpoint exposed
• No preemptive approach to protect against threats, whereas Check Point delivers zero-malware documents with threat extraction
• Must deploy a 'Deep Discovery' server in the organization for file emulation. The deployment is cumbersome and requires a high level of expertise
• Requires the deployment of an additional OfficeScan server for off-premise connection and protection, leading to higher TCO and additional labor hours
• Sandbox is limited to PE files only (.exe, .dll) plus macros in Office and PDF
• Cannot prevent ransomware or restore encrypted files automatically; requires manual "folder locking" to reduce the attack surface
• Phishing engines only in the O365 package
• Weak automated incident analysis – requires hours of incident response expertise investigations
Battle Card – SandBlast Agent (Q4 2019)

Feature comparison, security vendors: Check Point, Sophos Intercept X, FortiClient, CrowdStrike, Carbon Black, McAfee VirusScan, Symantec
Features compared: sandbox; threat extraction; bot detection / prevention (C&C); ransomware prevention; data restoration ("roll back"); zero phishing; incident analysis (automated incident analysis, simple IoC search, in-depth manual search, reveal full attack model & damage); TCO (annual price per user, 100 users); summary (additional security: FW, HIPS, APCL, URLF, ME, FDE; vendor provides mobile solution; full endpoint solution)

Annual price per user (100 users): Check Point $3,500; Sophos Intercept X $3,190; FortiClient $800; CrowdStrike $8,000; Carbon Black $6,700; McAfee VirusScan $2,800; Symantec $4,200

Matrix footnotes:
1. After the acquisition of Skycure – mobile security vendor
2. Zimperium OEM
3. Cannot restore post-encryption
Need more info about the matrix ratings? Check out the Heat Map (internal only)

How to compete against...
• Must export endpoints from Sophos 'Enterprise Console' to 'Central Endpoint Mgmt' to get its CryptoGuard capabilities. This adds deployment complexity and additional labor hours
• Sandbox is only part of their firewall / email solution – additional costs
• Unable to deliver files safely – lacks threat extraction
• Lacks dedicated ransomware detection techniques
• Must have a sandbox subscription on the organization's gateway to submit the file to emulation
• No data restoration option in case ransomware has encrypted a host
• Limited forensics capability for incident analysis, only management logs
• No data restoration capability. In case of a ransomware attack, all encrypted files will be lost and cannot be restored
• No threat extraction capability. Files are either passed or blocked, leading to a high false positive rate and uncleaned documents passing
• Mainly focused on endpoint protection and forensics – a security vendor that provides partial security and requires additional security vendors
• Can take up to 40 minutes to apply a policy
• Lacks a zero-phishing engine and host-based FW, URLF, App Ctrl or disk/media encryption
• Forensic analysis requires a high level of expertise from IT staff
• High TCO and labor hours for deployment – requires deployment of 2 separate clients, one for forensics and another for prevention
• Did not receive a 'Recommended' award in the latest NSS Labs "Advanced Endpoint Protection" test, due to high TCO
• Lacks intelligent backups / data restoration capability. Compromised hosts cannot be restored
• Does not have a threat extraction solution (CDR), nor anti-phishing
• Sandboxing emulation time can take more than 10 minutes – a separate solution increases TCO
• Requires an additional product for EDR and forensics visibility
• Lacks intelligent backups / data restoration capability. Compromised hosts cannot be restored
• Sandboxing solution is limited to 10 MB in the cloud, and requires an on-premise appliance for threat emulation of larger files
• High false positive rate, too many alerts on admins' & users' dashboards
• Requires Symantec WSS (WTR) for securing roaming users – an additional product in the cloud that requires routing traffic
Battle Card – Check Point CloudGuard Dome9 (Q4 2019)

How to compete against...

Palo Alto Networks Prisma Public Cloud (formerly RedLock)
A. Prisma PC subscription is based on 100 assets; however, this also includes micro-instances, load-sharing nodes, databases, containers and others. Dome9's 100-asset limit only includes the bigger instances
B. Prisma Public Cloud's visualization capability is basic – based only on traffic logs
C. Prisma PC does not alert on a breach of security policy in real time. It takes up to an hour to show assets and up to 3 hours to show alerts about them; Dome9 takes 5 and 60 minutes respectively
D. Prisma PC is inefficient. It starts from 10,000 API calls per day per account. This drastically increases the TCO
E. Prisma PC is less secure. It requires write permissions for your account. Dome9 allows remediation without write permissions using CloudBots
F. Prisma PC offers limited forensic capabilities – logs are aggregated, not kept intact
G. Prisma PC has fewer compliance rules out-of-the-box; CloudGuard Dome9 provides 4x the rules out-of-the-box. Creating new rules in Prisma is much more complicated

AWS native tools
A. Native tools do not support multi-cloud environments and can only show the vendor's own cloud data
B. Compliance reports only support the CIS standard and do not support continuous compliance or exclusions
C. Security Hub only has basic correlation or stacking rules for creating insights out of findings. Dome9 has a much more robust ruleset
D. Config has only 70 rules, and creating new rules requires creating Lambda functions from scratch
E. GuardDuty can be used as a source by Log.ic. Without Dome9 and Log.ic, it is a feed of alerts that doesn't give the administrator the context needed to make quick decisions

Azure native tools
A. Dome9 offers superior visualizations for cloud environments that Azure Sentinel lacks
B. Azure Security Center supports only 4 compliance standards, only on Azure. Dome9 supports 9 standards for Azure and an additional 11 for AWS
C. Azure Security Center relies on log-collecting agents installed on all instances. Dome9 doesn't require any additional deployment
D. Dome9 offers continuous compliance and remediation that Azure Sentinel lacks
E. Dome9 provides much more robust reporting capabilities

Google Cloud native tools
A. Google Cloud native tools do not provide any continuous compliance solution
B. Native tools do not support multi-cloud environments and can only show the vendor's own cloud data
C. GCP native tools do not have any auto-remediation capabilities
D. Dome9 offers superior visualizations for the cloud environment

Feature comparison (network vendors): compliance standards support; compliance in real time; auto-remediation; cloud environment API integrations; cloud environment visualizations; asset type coverage (EC2, ELB, Lambda etc.); forensic capabilities; multi-cloud support; UEBA; compliance rules (out-of-the-box and ease of creation); active protection; summary (Check Point: complete cloud visibility and security)

Matrix footnotes:
1. Partial/Limited
2. As close to real time as possible
3. Less in AWS, Azure. More in GCP
4. Own cloud only
5. AWS only, no anomaly detection
6. IAM Safety (JIT), Tamper Protection
7. Just-in-time only
Battle Card – CGS – Email Protection Positioning (Q1 2020)

Feature comparison, security vendors: CGS, PAN Prisma SaaS, Microsoft ATP, Proofpoint, Mimecast, Netskope
Features compared: deployment; email threat prevention; threat extraction; zero-day protection; phishing protection; shadow IT; account protection; Gmail protection; G Suite protection; SharePoint & OneDrive; total # of supported cloud apps; summary (CGS: a complete O365 and cloud applications protection solution)

Matrix footnotes:
1) Must deploy a GW for shadow IT
2) Limited to geolocation only
3) No real-time prevention
4) Manual API configuration
5) MTA – MX record change
6) Needs additional solution
7) Must deploy an agent for inbound emails
8) Supports limited file types

How to compete against...
• Prisma SaaS scans and analyzes PDF, EXE and DOC files only
• Unable to perform preemptive actions (threat extraction) to remove active content and prevent threats in documents
• Inferior detection for files and malicious phishing emails. The solution doesn't detect ROP attacks
• Emulation engines don't provide in-depth file report analysis
• Protection of SaaS applications requires the Cloud App Security solution, managing policies on a separate console, which is cumbersome and adds to overall labor costs
• Complex policy controls and limited information on incidents from multiple management views
• Unable to perform preemptive actions (threat extraction) to remove active content and prevent threats in documents
• Uses an MTA for primary email protection, a complex deployment with MX record changes; a single point of failure for email
• Must have a separate solution for shadow IT and SaaS application protection
• Requires buying an additional solution for account protection, which relies on an API connector beside the MTA solution
• To improve sandbox capabilities, recently acquired Solebit; a long-term integration is expected
• Can't protect any SaaS applications
• Doesn't have account takeover protection
• Must deploy an agent or a proxy in addition to API integration in order to gain shadow IT visibility and controls
• Must deploy an agent solution for inbound email inspection
• Supports limited file types for static and dynamic analysis
• Lacks an account takeover protection solution
• Costly; must purchase expensive Professional Services days for every bundled solution
Battle Card – Check Point CloudGuard IaaS Public Cloud (Q4 2019)

How to compete against...

AWS (6x consoles): AWS Security Hub, AWS WAF, Amazon GuardDuty (threat detection), Amazon Macie (DLP), Amazon Inspector (compliance), AWS Artifact (compliance)
A. GuardDuty analyzes logs to detect threats and infected hosts after the fact – it cannot block threats
B. After a host is infected, GuardDuty cannot isolate the host or stop the spread of the malware
C. Flow Logs are network-oriented, making troubleshooting more difficult
D. Security is based on access lists; no stateful inspection
E. AWS WAF, like all WAFs, only inspects inbound traffic meant for web servers
F. AWS WAF only inspects web-oriented protocols/files; other protocols/files are not inspected
G. AWS Security Hub ingests logs from 3rd-party vendors, like Check Point, and concentrates the information in one place – it doesn't provide security per se, only visibility
H. AWS uses 6 different products with separate managements, while Check Point manages all competitive features from one console

Azure (4x consoles): Azure Firewall, Azure Advanced Threat Protection, Azure Application Gateway, Azure Security Center
A. Azure Firewall does not include any sort of threat prevention, leaving your network exposed to many basic and easy-to-prevent threats
B. Azure Firewall doesn't offer signature-based application control, and has very basic URL filtering
C. Azure Firewall cannot restrict access based on AD user and/or time of day
D. Azure Firewall does not track/audit rule changes, nor does it provide an easy way to roll back to a previous policy
E. Azure Firewall has limitations when dealing with ICMP and does not support a hub-and-spoke deployment with spokes in multiple regions
F. Azure Security Center relies on third-party reports, and suggests you deploy an NGFW solution
G. Azure Application Gateway is a WAF and, like all WAFs, only inspects inbound traffic meant for web servers
H. Azure Application Gateway only inspects web-oriented protocols/files; other protocols/files are not inspected

Google Cloud (2x consoles, no WAF): Cloud Security Command Center, Stackdriver (logging)
A. SCC cannot block threats, only detect them after the breach has already occurred
B. Google Cloud SCC's main feature is scanning for vulnerabilities, not threats or attacks
C. Logging is managed in a separate console (Stackdriver) and requires additional payment

Feature comparison (network vendors): hybrid-cloud & multi-cloud; security logging; threat prevention + sandbox; DLP; unified security management; access rules based on user-ID / time; compliance; SSL inspection; WAF; summary (Check Point: complete cloud security)

Matrix footnotes:
1. Only applies to the vendor's own cloud
2. Additional payment
3. Logs are network-oriented
4. Protects stored data only
5. Separate management consoles
6. Static instructions only
7. Limited standard support
8. Only inbound inspection
9. ACL-based
Battle Card – Check Point CloudGuard IaaS Public Cloud (Q4 2019)

How to compete against...

VM-Series
A. PAN requires more than 3x the administrator "agony" managing cloud instances – Cloud Agony Meter
B. Dynamic Address Groups are limited to just 10 sources in AWS and require a separate monitoring host to be deployed in Azure
C. Dynamic Address Groups learned on one cloud cannot be used to enforce access on another cloud or on premise
D. A 4-core instance is required for a 2-core license, paying extra for unused cores
E. No cloud instance names in logs, events and reports – only by IP (which is dynamic and hard to resolve in the cloud)
F. Limited deployment use cases via templates. Requires manual import of templates and bootstrap files

FortiGate-VM
A. Fortinet requires more than 3x the administrator "agony" managing cloud instances – Cloud Agony Meter
B. Limited dynamic enforcement – requires manual creation of objects to be used in policy, and object names are not displayed in logs
C. Requires multiple gateways and managements for complete cloud protection (FortiGate, FortiWeb & FortiMail)

Deep Security
A. Lack of consolidated cloud security, with missing core features in Deep Security (no app control, DLP, email/web security & VPN)
B. Lack of unified corporate policy for physical/on-premise (perimeter, branch office gateways) and virtual/cloud networks
C. Lack of real-time prevention of zero-day malware, with no sandbox solution for public cloud
D. Cumbersome deployment with the Deep Security agent – the agent must be installed on all cloud instances (different agent per OS)
E. Lack of scalability – agent installation affects deployment times, costs and cloud instance performance
F. Lack of cloud access and VPN control – relies on native cloud security controls (L3-L4 access lists) with no VPN-to-cloud support

CloudGen
A. Lack of unified management; requires the use of Barracuda Control Center & Barracuda Cloud Management for different cloud products
B. Limited central management, with different policies, configurations and logs for each cloud gateway
C. Lack of dynamic enforcement, with no option to import and use/view public cloud instances in policy or logs
D. Lack of support for hybrid cloud deployment, with no security solution for VMware NSX, Cisco ACI or other SDN platforms

Feature comparison (network vendors): unified security management; instance names in policy and logs; threat prevention + sandbox; compliance & DLP; VPN to cloud; auto scaling; deployment templates and initialization scripts; scalable licensing (pay per core); cloud asset management; user account security; summary (Check Point: complete cloud security)

Matrix footnotes:
1) Per-cloud policy on each VM-Series GW
2) Only in local VM-Series GW policy (not in logs)
3) FW rules/logs are by IP
4) With CloudGuard Dome9
5) No sandbox / APCL
6) Basic DLP
7) Partial
8) With Prisma (RedLock)
9) Separate managements
10) With FortiCASB-Cloud
Battle Card – SandBlast Mobile (Q4 2019)

Key feature comparison, MTD vendors: Check Point, Lookout, Zimperium, Symantec, Wandera, Better Mobile
Features compared: detect unknown malicious apps; detect malicious networks (MitM); phishing protection; safe browsing; anti-bot; conditional access; URL filtering; client UX; reporting; intelligence; summary (Check Point: a complete MTD solution)

Matrix footnotes:
1) Behavioral analysis only
2) High false positive rate
3) On-demand scan request
4) VPN activation – routing traffic from the device
5) Data collection and research team
6) On Android only
7) Must have GlobalProtect; traffic is routed
8) Requires IAM provider
9) No zero-phishing

How to compete against...
• Inferior catch rate – the solution has weak dynamic analysis capabilities, which leaves the organization exposed to zero-day malicious app risks
• Lacks comprehensive on-device network protection – can't protect corporate resources in case of attacks. Lacks URL filtering
• iOS app limitation – for iOS application protection, an organization must have an MDM or deploy the private API that is not available in the store. The App Store app doesn't install a profile on the device
• Policy enforcement delays – policies can take up to 24 hours to apply
• Limited detection methods – the solution uses behavioral analysis only to detect malicious activity on the device, leaving it exposed to more sophisticated attack vectors
• Limited log visibility – the solution provides limited information about application installs in the organization
• Lacks on-device network protection for "safe browsing", URL filtering and anti-bot in case a connection has been established with C&C
• Inferior catch rate – Symantec cannot protect against advanced threats; the solution runs signatures and behavioral analysis on apps
• High false positive rate in network detection – Symantec's client alerts on EVERY captive portal network as a malicious network. The admin has to manually configure a 'trusted network' to reduce the false positive alerts, adding security admin labor hours
• Lacks anti-bot protection to protect against data leakage to C&C
• Lacks URL filtering to block access to malicious or unsanctioned URLs
• Very complicated dashboard – specific configurations are hard to locate
• Focused on data consumption optimization rather than security – Check Point is a 100% security company
• Privacy invasion – all mobile traffic is inspected. Almost all enterprises do not allow such abuse of privacy
• SSL traffic – Wandera cannot inspect HTTPS traffic
• Weak iOS prevention – cannot block malicious iOS profiles/side-loaded apps
• The solution lacks on-device network protection – cannot detect C&C communication and does not support safe browsing or URL filtering
• Relies on machine learning only for app analysis – lacks the threat intelligence Check Point collects from the millions of sensors in different products
• Does not support zero-day phishing – relies on reputation only
Battle Card – Check Point Security Management (Q4 2019)
[Confidential] for designated groups and individuals

How to compete against...

Palo Alto Networks
A. Lack of a unified console, with 2 different platforms to manage the entire security operation (Panorama, Traps)
B. A PAN admin will require 3x more time to create a security rule vs. Check Point (read the AGONY METER)
C. Partial threat visibility with no event analysis and actionable security – requires a 3rd-party SIEM at extra cost
D. Lack of policy segmentation (layers, sub-policy) for admin delegation
E. Multi-admin concurrency is impractical – no automatic refresh after changes made by other admins; a potential security risk

Fortinet
A. Lack of a unified console – requires 3 different platforms to manage the entire security operation (FortiManager, FortiAnalyzer and FortiGate-VMX Manager)
B. Limited forensics, with 5 different log views and multiple, complex log searches. Decreases network and threat visibility
C. No policy verification when applying a local FortiGate policy. The admin will not be notified of policy misconfigurations
D. Lack of policy segmentation (layers, sub-policy) for admin delegation
E. Multi-admin concurrency is impractical – no automatic refresh after changes made by other admins; a potential security risk

Cisco
A. Lack of a unified console, with 4 different platforms to manage the entire security operation (FirePOWER management, Cloud Security, Email Security and Cisco AMP for Endpoints). No support for multi-tenancy for full separation of management duties
B. Partial threat visibility with no event analysis or actionable security – requires a 3rd-party SIEM at extra cost
C. Limited forensics, with 5 different log views over multiple consoles (ASDM/CSM and FMC). Decreases network and threat visibility
D. Lack of policy segmentation (policy layers) for admin delegation
E. Lack of multi-admin concurrency and support for policy sessions in a workflow for simultaneous and safe collaboration

Feature comparison (capabilities): consolidated and unified management; unified policy of networks, applications and data; policy segmentation (policy layers); multi-tenancy (with domain load sharing); policy apps (hit count, integrated logs, rule history); rule expiration; best practices (compliance); Security Incident Event Management (SIEM); concurrent administrators & session workflow

Operational efficiency (columns in the order Check Point, Palo Alto Networks, Fortinet, Cisco):
Number of log views: Check Point 1; Palo Alto Networks 4; Fortinet 5; Cisco 5 (in 2 consoles)
Time to configure an NGFW rule: Check Point 1:45 min / 45 clicks; Palo Alto Networks 4:03 min / 71 clicks (x2); Fortinet 5:03 min / 148 clicks (x3); Cisco 8:05 min / 141 clicks (x5)
Time to create a full-mesh VPN between 5 gateways: Check Point 0:19 min / 12 clicks; Palo Alto Networks 15:00 min / 350 clicks; Fortinet 10:35 min / 240 clicks; Cisco 1:45 min / 48 clicks

Matrix footnotes:
1. No separate customer DB
2. No domain load sharing
3. No real-time compliance