1 Competitive Analysis: McAfee vs. Check Point Endpoint Security Total Protection
June 2009

2 Agenda
- Product overview (McAfee Total Protection)
  - McAfee Total Protection for Endpoint
  - McAfee Total Protection for Data
- Learn about the various components of the McAfee solution
- Discuss key weaknesses and strengths
- Summary

3 McAfee Overview
Company stats:
- Founded in 1987; went public in 1992
- 5,563 employees (as of Dec. 31, 2008)
- Based in Santa Clara, California, with offices worldwide
- Revenue: $1.6B (2008)
- Market cap: $5.17B (March 2009)
Major acquisitions in endpoint security protection:
- Acquired SafeBoot Holding B.V. (disk and content encryption) for approximately $350 million in cash, November 2007
- Acquired privately held Onigma Ltd. (data-loss prevention product), October 2006

4 McAfee Total Protection for Endpoint Overview
Key components of McAfee Total Protection for Endpoint:
- ePolicy Orchestrator Server - centralized management, deployment, reporting and enforcement
- ePolicy Orchestrator Database - information store for policy configurations and for events reported by managed systems
- ePolicy Orchestrator Console - web-based GUI
- Master and Distributed Repositories - product updates and signatures
- Agent - main client component; communicates with the ePO server
- SuperAgent - additional software that proxies server calls
- Rogue System Detection Sensor - detects rogue or non-compliant systems by checking for the presence of the McAfee agent and a current virus definition (DAT) file
- Managed Endpoint Security Applications - antivirus, anti-spyware, host-based intrusion prevention, desktop firewall (network- and application-based), anti-spam and, optionally, Network Access Control (NAC)

5 McAfee ePO Architecture
[Diagram: ePolicy Orchestrator Architecture]

6 Client Deployment Options
- Agent deployed while creating or populating directories
- Deploying the agent from the ePO server
- Login scripts
- 3rd-party deployment tools: SMS, Tivoli, Novell ZENworks
- Manual install
- Include the agent in the system image
There is no option to include any policy setting or security application file in the McAfee Agent install package.

7 Web-based ePO console
- McAfee ePO is a web-based management console.
- Importing each security package and its framework extensions separately into the ePO server Master Repository is a time-consuming and cumbersome process.
- McAfee also offers a SaaS-based management console for SMBs that eliminates the need for an on-premises ePO server.

8 Antivirus Properties
- Standard signature-based anti-malware solutions are important, but they are rapidly losing effectiveness against the surging volume of new web-based threats and have very little value against targeted threats.
- Prevents malware, spyware and potentially unwanted programs.
- The antivirus and anti-spyware databases have been combined into a single anti-malware database.

9 McAfee HIPS
- HIPS is managed by an extension to an existing or newly installed ePO server for management, policy and content updates (signatures), and event logging/reporting
- Up to 100,000 endpoints per single HIPS deployment are supported
- Complicated and lengthy install process - the ePO Agent must be deployed to client computers before a HIPS client can be installed
- Basic protection - the initial (default) policy is only as good as the quality of the signatures (many features are off or in observation mode)
- Advanced protection - Adaptive mode fingerprints applications and networks automatically but offers no client-side protection, while Learning mode relies on user responses to new program or network behavior. These decisions are used to create new rules, so choose your users wisely
- Over 800 signatures available as of April 2009 - as these are evaluated client-side, expect client performance implications and additional network traffic for evaluation and reporting
- Adding or customizing existing signatures is not trivial
- False positives are common, particularly for "behavior-based" rules. When false positives occur with enforcing rules, expect impact on client behavior and user experience
- While the pre-defined and custom HIPS reports are extensive, they are still segregated by product. There is no easy way to get an overall view of an endpoint's security posture across products

10 Application Blocking Policy
Manages program execution and hooking control.
Observations (compare with CPES SA Application Control and Program Advisor):
- The initial application set is populated only with McAfee and core Microsoft executable knowledge; the rest will have to be populated or discovered with Learn/Adaptive mode
- The interface presents a single list; there is no capability to group applications
- Product version and MD5 fingerprint management capability

11 Network Traffic Control
Firewall Policy observations (compare to CPES SA Firewall and Zone Rules):
- There are no connection-specific policies: all location-based firewall rules (VPN/LAN etc.) are contained in one ruleset
- McAfee is not known as a firewall vendor
- McAfee's Connection Awareness feature is very similar to CPES SA Office Awareness
- Time-limited hotspot functionality is also supported
- Learn/Adaptive mode is available for unknown network behaviours, similar to our Observation Policy
Network Traffic Control:
- Stateful firewall providing static filtering/inspection using rule matching
- Network control features (internal/trusted/restricted etc.)

12 HIPS is complicated...
- To create a completely new HIPS policy, the admin would need to examine/modify/configure up to 12(!) policies per overall profile. Some of those contain extensive content (signatures/applications)
- Confusing amount of navigation and excessive clicking
- Multiple protection profiles involve even more rules/combinations
- Many features set to "off" or "observe" by default will need to be enabled for protection
- What about testing? You'll need to do a lot of it
- Even more policies will need to be considered for:
  - Multiple versions/patches/SPs/types/builds of OS
  - Varying endpoint configurations (laptop/desktop)
  - Servers
  - Admin and test environments

13 Overall HIPS "Gotchas"
- No connection-aware policies
  - We can only assign policies to machines using the System Tree
  - As this tree normally syncs with AD, the result is one overall HIPS policy per system that won't change unless the admin moves the machine within the tree
- No authentication-aware policies
  - We can only assign policies to machines, not users
  - All users on a particular system get the same policy
- Use of HIPS has the potential to generate large (even excessive) amounts of data, not all of it useful

14 Overall HIPS "Gotchas" (continued)
- No option for policy pre-loading/pre-protection
  - A freshly installed client must connect to the ePO server to receive its initial and subsequent HIPS policies/signatures
- Significant admin effort required to manage HIPS
  - Management and testing of applications, rules and signatures
  - Observation and handling of false positives
  - Not all organizations have the size or expertise needed to do this

15 Performance Results
Application | Without any security system | McAfee Endpoint Security client | Check Point Endpoint Security client | Results
--- | --- | --- | --- | ---
Office Word file (5 MB) open time in seconds | 2.5 | 4 | 3.8 | The MS Word 2007 file open time of the Check Point Endpoint system was better than that of the McAfee Endpoint system
Office 2007 PowerPoint file (5 MB) open time in seconds | 2.7 | 4.2 | 3 | The MS PowerPoint 2007 file open time of the Check Point system was much better than that of the McAfee Endpoint system
A lower number means better performance.

16 McAfee Total Protection for Endpoint comparison
Weaknesses:
- Application Blocking and Hooking policies are system-centric, not user-centric. There is no capability to group applications
- No support for a single deployment package - policies defined for endpoints in McAfee's ePO cannot be packaged along with the custom agent installation package
- No built-in component for a Remote Access Client (VPN)
- Weak program control (no real-time Program Advisor service)
- The management console is cluttered and can only be installed on Microsoft Windows Server - the Check Point Endpoint Server can be installed on Microsoft Windows Server, Red Hat Enterprise Linux and Check Point SecurePlatform
- McAfee Total Protection for Enterprise integrates with 3rd-party VPN gateways but does not provide a built-in VPN for remote access protection. Check Point Endpoint Security, on the other hand, provides both: integration with 3rd-party VPN gateways and a VPN for remote access protection

17 Weaknesses continued
- Report templates do not include reports of events by endpoint or by network segment
- No easy way to get an overall view of an endpoint's security posture across products
- HIPS is anything but "easy": multiple, complex policy settings that need constant attention, testing, tuning and reporting!
- False positives are common, particularly for "behavior-based" rules. When false positives occur with enforcing rules, expect impact on client behavior and user experience
- Use of HIPS has the potential to generate large (even excessive) amounts of data, not all of it useful
- Extensive configuration and testing to ensure patch mitigation with HIPS will consume significant admin resources - $$$!
- The server installation process is time- and resource-consuming
- Various security products depend on the McAfee VirusScan product
- Performance impact with Microsoft Office applications
Unlike Check Point's single server installer and client deployment utility, which can be used to configure and create a single installer package, the McAfee server installation is a time-consuming and cumbersome process of importing each security package and its framework extensions separately into the ePO server Master Repository. Policies defined for endpoints in McAfee's ePO cannot be packaged along with the custom agent installation package.

18 McAfee Total Protection for Endpoint comparison
Strengths (with Check Point counterpoints):
- Scalable architecture - scalability is further enhanced in Check Point's R72 version, which is expected to be released Q3 2009
- Support for and file server antivirus solution - Check Point offers network protection through a variety of UTM gateway devices. It is also working on a plan to include a file server antivirus solution in a future release
- Agent for multiple OS support in heterogeneous environments - Check Point (FDE) supports more platforms than the McAfee solution

19 McAfee Total Protection for Data Overview
Key components of McAfee Total Protection for Data:
- McAfee Endpoint Encryption - full disk encryption solution
- McAfee Media Encryption - persistent encryption on removable devices and network share folders
- McAfee Port Control - specify and control various classes of devices
- McAfee Data Loss Prevention - safeguards sensitive information
- McAfee Endpoint Encryption for Mobile - provides authentication and encryption services for PDA devices
SafeBoot product certifications:
- Common Criteria EAL4
- FIPS 140-2
- BITS certified
- CSIA certified

20 McAfee SafeBoot Architecture

21 McAfee Endpoint Encryption Management
Central administration:
- SBAdmin (proprietary Windows-based administrative interface)
- Object Directory
- SBServer
- Directory Connectors
- Configuring users
- Configuring machines
- Encryption key (content encryption)
- Configuring policies
Observations:
- Difficult to know which policy is applied to whom
- Very cluttered and confusing interface; leaves multiple "details" windows open

22 McAfee Endpoint Encryption
Key features:
- Client-server, using a TCP/IP connection
- Disable access if not synchronized
- Includes Endpoint Encryption Connector Manager for directory services
- Decryption can be initiated from the management console even if the initial encryption has not yet completed

23 McAfee Endpoint Encryption (Auto-boot)
- Auto-boot users: special user IDs containing the name "$autoboot$" with a password of "12345" can be used to auto-boot an Endpoint Encryption protected machine. WIL-like functionality, but difficult to manage since it is set as a user, not as a policy
- No support for Network Awareness
- No support for automatic user account acquisition
- No support for Wake on LAN as a policy
- Recovery using the recovery disk needs a daily-changing access code

24 Disk Performance Result after the Disk is Fully Encrypted
Disk test | Disk encrypted with Check Point FDE | Disk encrypted with McAfee FDE | Result (Check Point FDE compared to McAfee FDE)
--- | --- | --- | ---
Disk - Sequential Read (MB/s) | 33.0 | 29.1 | +13.6%
Disk - Sequential Write | 28.5 | 28.9 | -1.5%
Disk - Random Seek + RW | 2.07 | 2.41 | -13.9%
Disk Mark (composite average of the other results) | 230 | 218.6 | +5.2%
PassMark Rating | 46 | 43.7 |
After initial encryption, the overall disk performance test shows that the Check Point FDE system's PassMark rating is about 5.2% better than that of the McAfee SafeBoot Device Encryption system.

25 Full Disk Encryption for PC
Feature | McAfee | Check Point
--- | --- | ---
Automatic user account acquisition | X |
Wake on LAN support as a policy for remote system patch management | |
Support for Network Location Awareness | |
Auto-boot users (WIL) can be set as a policy | |
Support for online switchover of the database server | |
Recovery using the recovery disk does not need to contact the vendor for a daily-changing access code | |
FDE support for multiple platforms (Windows, Mac & Linux) | Only supports Windows OS | FDE support for Windows, Mac & Linux
Web and database technology use standard ports | |
Scalable solution based on standard technologies | Proprietary DB, poor scalability | MS SQL and MMC, high scalability

26 McAfee Media Encryption
- File/folder encryption
- Used to define whether files need to be automatically encrypted when stored on removable media or CD/DVD
- User-based access control (defined by keys)
- Network share encryption
- Offline access
Observations:
- McAfee Endpoint Encryption - no offline access is possible; media can only be used on the machine where it was encrypted
- No granular control for encrypting media (only a black list)
- Audit logs are only stored locally in the Windows Event Viewer

27 SafeBoot Port Control
- Port Control is basic and requires manual operations for customization
- Integrated management console
- Granular device management (adding a specific device class)
- No support for XP SP3 and Vista

28 McAfee Port Control Client
- The user is not alerted if a device is blocked; the GUI must be displayed to understand why the device was blocked
- Nothing is logged centrally; all logs are stored in the local Windows Event Viewer

29 Reminder - No Single Integrated Unified Client
- McAfee Endpoint client components are not unified
- You may end up with 3 to 4 different icons if using an equivalent of our Endpoint Total Security offer (including VPN):
  - McAfee Data Protection icon (SafeBoot icon)
  - McAfee NAC icon
  - McAfee AV and Network Protection icon

30 McAfee Client Uninstallation
- You can't uninstall McAfee clients using Add/Remove Programs; you need to run an executable with the -uninstall option:
  - For EEPC: sbsetup.exe
  - For EEFF: sbcesetup.exe
  - For EEPP: sbpcsetup.exe
- Any local administrator can execute the software uninstallation
- You can't decrypt and remove EEPC if you don't have a connection to the server
- If you want to remove EEPC using the SafeTech boot disk, you will need the daily authorization code from McAfee support

31 Media Encryption & Port Protection
Feature | McAfee | Check Point
--- | --- | ---
Easy-to-use, simple offline access to encrypted CD/DVD media on a non-corporate machine without media encryption software installed | X |
Central storage of audit logs and granular reporting on removable media devices | Local storage only | Central SQL database for audit log storage
Active audit alerts for encryption and port violations | |
Support for integrating with 3rd-party antivirus products for removable media scanning | |
Media virus scan required before granting user access | |
Re-authorization of media required if media is altered outside the protected environment | |
Scalable deployment | Proprietary DB, poor scalability | MS SQL and MMC, high scalability

32 McAfee Data Loss Prevention
- Safeguards sensitive information by deploying policies made up of tagging rules (location tags, application tags, content tags), reaction rules (block, monitor, notify, store evidence) and user and group assignments
- Consists of two major server components: the DLP server and the ePO server
- Policies are monitored and certain actions are blocked, as per the defined policy
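To make the policy structure on this slide concrete, the following Python model is an added example written for this page; it is not McAfee's or Check Point's code and does not use either product's API. It walks an endpoint event through the three layers the slide names: tagging rules (location, application, content) produce tags, reaction rules fire on tag combinations, and user/group assignments decide whose events a rule covers. Every tag definition, group, rule, pattern and sample event is constructed for the illustration.

```python
# Added example, not McAfee's or Check Point's code: a minimal endpoint DLP policy
# evaluator laid out as tagging rules -> reaction rules -> user/group assignments.
# All tag definitions, groups, rules and sample events below are constructed.
import re
from dataclasses import dataclass

# --- Tagging rules ----------------------------------------------------------
# Location tags: where the data is being written (destination path prefixes).
LOCATION_TAGS = {"removable_media": ("E:\\", "F:\\"), "network_share": ("\\\\",)}
# Application tags: which process is handling the data.
APPLICATION_TAGS = {"email_client": {"outlook.exe"}, "browser": {"iexplore.exe", "firefox.exe"}}
# Content tags: what the data looks like (deliberately simple constructed patterns).
CONTENT_TAGS = {
    "card_number": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
    "confidential_marker": re.compile(r"\bCONFIDENTIAL\b"),
}

@dataclass
class Event:
    user: str
    process: str
    destination: str
    content: str

@dataclass
class ReactionRule:
    requires: frozenset   # fires when every one of these tags is on the event
    actions: tuple        # any of: block, monitor, notify, store_evidence
    groups: frozenset     # user/group assignment: groups this rule applies to

# --- User/group assignments (constructed) ------------------------------------
GROUPS = {"finance": {"alice"}, "everyone": {"alice", "bob"}}

# --- Reaction rules (constructed policy) -------------------------------------
POLICY = [
    ReactionRule(frozenset({"card_number", "removable_media"}),
                 ("block", "notify", "store_evidence"), frozenset({"everyone"})),
    ReactionRule(frozenset({"confidential_marker", "email_client"}),
                 ("monitor",), frozenset({"finance"})),
]

def tag_event(ev: Event) -> set:
    """Apply all tagging rules and return the set of tags placed on the event."""
    tags = set()
    for tag, prefixes in LOCATION_TAGS.items():
        if ev.destination.startswith(prefixes):
            tags.add(tag)
    for tag, procs in APPLICATION_TAGS.items():
        if ev.process.lower() in procs:
            tags.add(tag)
    for tag, pattern in CONTENT_TAGS.items():
        if pattern.search(ev.content):
            tags.add(tag)
    return tags

def user_groups(user: str) -> set:
    """Resolve the groups a user belongs to (the group assignment side of a policy)."""
    return {g for g, members in GROUPS.items() if user in members}

def evaluate(ev: Event) -> dict:
    """Tag the event, then collect actions from every reaction rule whose tag set
    is satisfied and whose group assignment includes this user."""
    tags = tag_event(ev)
    groups = user_groups(ev.user)
    actions = set()
    for rule in POLICY:
        if rule.requires <= tags and rule.groups & groups:
            actions.update(rule.actions)
    return {"tags": tags, "actions": actions, "blocked": "block" in actions}

if __name__ == "__main__":
    samples = [  # constructed events
        Event("bob", "explorer.exe", "E:\\export.csv", "card 4111 1111 1111 1111"),
        Event("alice", "OUTLOOK.EXE", "C:\\Users\\alice\\draft.txt", "CONFIDENTIAL: Q2 numbers"),
        Event("bob", "outlook.exe", "C:\\tmp\\x.txt", "CONFIDENTIAL"),
    ]
    for ev in samples:
        print(ev.user, ev.process, ev.destination, "->", evaluate(ev))
```

The third sample shows the group assignment doing real work: the content and application tags match, but the rule is assigned to the finance group only, so bob's event gets no action. Reaction rules are additive, which is why `evaluate` returns the union of actions rather than the first match.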

33 McAfee Total Protection for Data comparison
Weaknesses:
- No support for automatic user account acquisition. "Do you really want to manually assign users to computers when deploying hard disk encryption?"
- Difficult to manage for remote system maintenance - no real Wake on LAN support as a policy. "Do you want your administrator to remember to remove the auto-boot user manually when the remote system patch management is over?"
- Recovery using the SafeTech recovery disk needs a daily-changing code (authorization code) and requires access to McAfee support. "Do you expect to call your vendor's support if you need to perform a hard drive recovery?" "Do you feel confident in an encryption solution which requires vendor authorization to get access to your encrypted data?"
- No support for Network Location Awareness
- No support for real-time monitoring of the installation process and population of client status in the management console
- Complex and non-standard management console interface. Difficult to know which policy is applied to whom. Old Windows-style interface

34 Weaknesses continued
- No endpoint unification with other McAfee Endpoint Security components. "Do you expect to have a real unified client?" Unlike Check Point's unified Endpoint Client, McAfee still uses the old SafeBoot icon
- When user name authentication fails, it directly indicates a wrong user name. Weak security
- No support for online switchover in replication of the database server
- The Active Directory connector is complex to use. Lots of scripting is required initially to populate the object directory
- No unique way to automatically encrypt media with offline capabilities. With EEPC (device encryption), media can only be accessed from one computer (where it was encrypted); no offline access. With File & Folder encryption, encryption is done on a file-by-file basis (as PME) but for offline access

35 Weaknesses continued
- No centralized event logging and alert mechanism on the server for media encryption and port protection. "Do you expect to use the Windows local Event Viewer on each computer to understand which external devices are used?"
- The auto-boot users feature is difficult to manage
- No removable media scanning
- No endpoint unification with other McAfee Endpoint Security components; still the old SafeBoot icon
- No integrated reporting across multiple products
- Central logging and reporting is not available for McAfee Media Encryption and Port Control
- DLP management and configuration is separate from the Endpoint Encryption server

36 McAfee Total Protection for Data comparison
Strengths (with Check Point counterpoints):
- McAfee Total Protection for Data includes a solution for Data Loss Prevention (DLP)
  - DLP is an immature technology. Check Point will announce a network-based DLP in 2009 with integrated management; endpoint DLP will follow later
  - McAfee has been promoting DLP for many years; we do not see Onigma installations, and they still felt the need to buy Reconnex
- Single integrated console for all encryption components
  - No unified management (the console for the DLP module is separate)
  - Check Point's single management console for Total Endpoint Security is work in progress and is expected to be released in 2H 2009
- The McAfee ePO (ePolicy Orchestrator) server can be used for deployment and reporting of McAfee data encryption products
  - Currently McAfee ePO is only able to deploy Endpoint Encryption for PC and Endpoint Encryption for Files & Folders, but not Port Control
  - Endpoint Encryption for PC logs can be accessed from the ePO server for reporting, but there is no central logging and reporting capability for McAfee Media Encryption and Port Control. Logs are stored only in the local Windows Event Viewer

37 Strengths continued
- Slightly faster initial encryption speed
  - This is at the expense of user experience. Endpoint system performance is poor when the user runs multiple applications during the initial disk encryption
- Support for multiple authentication tokens, including TPM chip, biometric and fingerprint reader
  - Check Point has far superior smart card support and has done some research work on biometric authentication. We still have not seen this take off in the market; it is more of an RFP question than something actually being used
- Support for network share folder encryption
  - This is being planned and is expected to be released in 2H 2009
- Support for disabling access if not synchronized within a pre-defined period (poison timer)
  - This functionality is targeted for the FDE client-side release included in the Single Management release
Positioning guidance:
- Don't try to compete on specific features
- Sell the FDE scalability and proven track record
- Sell ME as an additional component: their "ME" is extremely weak, so let's insert some doubt in the customer's mind: Do you plan to deploy a Media Encryption & Port Protection solution? When? Why not test this now?

38 Check Point vs. McAfee Competitive Landscape
Key features | Check Point | McAfee | Comments
--- | --- | --- | ---
Single agent and single deployment package | | | The McAfee Total Protection agent is a loose conglomeration of applications with light integration. There is no option to include any policy setting or security application file in the McAfee Agent package
Single installation process | | | The McAfee installation process is time-consuming and cumbersome. Each security package and its framework extensions must be imported separately into the ePO server
Desktop firewall | | | Network- and application-level firewall
Program/application control | | | McAfee program control is a minor sub-feature of their firewall with few configuration options or real-time services
Program Advisor | | | Check Point delivers vastly superior value for program control using the Program Advisor service, which consists of a knowledge base of over 2.2 million blacklisted applications, over the manually defined McAfee solution
Remote Access client (VPN) | | | McAfee does not include a secure Remote Access client (VPN) module
NAC | | | McAfee customers must purchase the Advanced version of the product to get this feature
Antivirus/anti-spyware | | | Based on award-winning ZoneAlarm, protecting millions of PCs worldwide
Full Disk Encryption | | | McAfee: Wake on LAN cannot be set as a policy, no support for network location awareness, no automatic user acquisition, no real-time monitoring of the installation process, no removable media scanning, no re-authorization of removable media if media is altered outside the protected environment, no central storage of audit logs and alert mechanism for port and media encryption. No support for cross-platform FDE with Windows/Mac/Linux
Media Encryption | | |
Port protection | | |
Juniper NS 5000 series and ISG platform

39 Competitive positioning
Security
- Check Point Endpoint Security suite: most complete endpoint security solution. Firewall - 16 years of industry leadership. Antivirus/anti-spyware - based on award-winning ZoneAlarm products. Data security - based on market-leading Pointsec technology. Advanced Remote Access - 13 years of VPN leadership
- McAfee Endpoint Security suite: no Remote Access client. Weak program control. No authentication-aware policies (HIPS). No support for Network Awareness (FDE). When user name authentication fails, it directly indicates a wrong user name (FDE)
Simplicity
- Check Point: streamlined distribution utility for rapid client deployment and a unified management server installer for fast installation and setup. Transparent to end users, requiring no user interaction to keep systems updated and secure
- McAfee: no easy way to get an overall view of an endpoint's security posture across products. No support for a single deployment package. No simple offline access to encrypted CD/DVD media on a non-corporate machine. The Active Directory connector is complex to use (FDE)
Manageability
- Check Point: Check Point Endpoint Security is managed from the Secure Access and Data Security management servers. Check Point's single management console for Total Endpoint Security is work in progress and is expected to be released in 2H 2009
- McAfee: McAfee Endpoint Security suites also require multiple separate management servers. Endpoint Encryption policy cannot be managed by ePO. DLP policy creation and management is done through a separate server
Unified Architecture
- Check Point: single integrated Endpoint Security client. Shared tools for endpoint and network
- McAfee: McAfee Endpoint client components are not unified. No single tray for endpoint components

40 Summary: Key Points Against McAfee
Check Point advantages:
- Best-of-breed, most comprehensive Total Endpoint Security suite, including Secure Remote Access Client (VPN), unique Program Advisor service and market-leading data security component
- First in the industry to offer a single deployment package for all the security modules, including a single agent and a single server installer, enabling much faster deployment and lower TCO
- Highly scalable architecture based on industry-standard technologies
- Single integrated Endpoint Security client
- Unified endpoint and network security: shared management server, centralized security logs, management and reporting with the Event Correlation and Reporting Software Blade
McAfee disadvantages:
- No built-in component for Remote Access Client (VPN)
- Weak program control. No support for a Program Advisor service
- No single deployment package. Each product file has to be individually imported, configured and deployed, resulting in a time- and resource-consuming installation process
- No unified endpoint client
- Antivirus-centric point solution with weak network security integration (NAC, VPN) with third-party gateways
- Complex and non-standard SafeBoot management console interface, resulting in poor scalability and higher TCO
- Weak data security: no support for Wake on LAN as a policy, removable media encryption for offline use has severe limitations, no central storage of audit logs and alert mechanism for port and content encryption, no FDE support on Mac & Linux platforms

