
HP ESP Sales Enablement: ATA Competitive Battle Card

HP TippingPoint Advanced Threat Appliance Family (ATA) vs. Cisco AMP
Competitor Overview
Cisco acquired Sourcefire in 2013 to boost Cisco's cyber security offerings and speed development of its security strategy for defending, discovering and remediating advanced threats. Sourcefire was a lucrative acquisition target considering its product line (NGIPS, NGFW) and leader position in the 2013 Gartner IPS MQ. Furthermore, Sourcefire has a large and often loyal community of users that is familiar with the underlying SNORT Intrusion Detection System (IDS) language upon which Cisco's commercial IDS product is based. Cisco leverages this familiarity to help extend its reach into organizations with complementary solutions, including its AMP product line. Cisco AMP (formerly Sourcefire FireAMP) is available for endpoints, networks, and private clouds, and scored very well in the 2014 NSS Labs Breach Detection Systems (BDS) tests.

Note: Cisco appears to be in the process of deprecating the Sourcefire brand, and is rolling the technology into the larger Cisco name. They are removing all sourcefire.com sites, and are removing the Sourcefire and Fire brandings from their products. More information can be found here: http://www.sourcefire.com/solutions/advanced-malware-protection.

Competitive Comparisons
Competition for the HP TippingPoint ATA is the Cisco AMP Network Advanced Threat Appliances; Cisco does not
offer a Mail-based ATA product.
| | HP TP ATA Network 250 | Cisco AMP7150 | HP TP ATA Network 500 | HP TP ATA Network 1000 | Cisco AMP8150 | HP TP ATA Network 4000 |
|---|---|---|---|---|---|---|
| Capacity | 250 Mbps | 500 Mbps | 500 Mbps | 1 Gbps | 2 Gbps | 4 Gbps |
| Ports/Protocols | Unlimited/over 80 | Limited/8 | Unlimited/over 80 | Unlimited/over 80 | Limited/8 | Unlimited/over 80 |
| Asymmetric Support | Yes | Yes | Yes | Yes | Yes | Yes |
| Form Factor | 1 Rack Unit | 1 Rack Unit | 1 Rack Unit | 1 Rack Unit | 1 Rack Unit | 2 Rack Unit |

Data Ports (values in the order listed): 4 x 1 Gb, 4 x 1Gb, 4 x 1Gb, 4 x 1Gb, 4 x 1Gb; 2 x 10Gb, 8 SFP, 8 SFP, 3 x 4-port RJ45 netmods

Sandboxes (values in the order listed): Unknown, Unknown, 20

Cisco Strengths
1. Excellent test results in the 2014 NSS Labs Breach Detection Systems (BDS) Security Value Map, although this was bolstered in large part by the use of the Endpoint AMP.
2. Deep integration with other Cisco technology, including FirePOWER and FireSIGHT.
3. The FirePOWER hardware platform and FireSIGHT management console score well in client shortlists and independent tests respectively. Cisco is highly visible on Gartner client IPS shortlists, especially in the government market, in part due to their headquarters location in Maryland.
4. AMP technology is available for multiple platforms, including endpoints, networks, and private clouds.

Blocks to use against Cisco


What They Will Claim: Deep Discovery uses legacy signature-based technology.

Our Response: Deep Discovery does use signature-based technologies to rapidly identify any known malware and advanced threats. However, this is one of multiple engines, algorithms, behavior monitoring, and other detection technologies used to identify all aspects of the targeted attack lifecycle.

Flip the conversation and highlight that Cisco only monitors 7-8 protocols as compared to the HP TippingPoint ATA monitoring over 80 protocols to provide a broader range of protection against multi-vector attacks.

What They Will Claim: Cisco AMP is deeply integrated into the Cisco Sourcefire solution set.

Our Response: While that is true, do customers really want to sacrifice security with false positives in their IPS, which directly affects their overall network performance?

SNORT has long had problems with false positives, and the true aim of FireSIGHT technology is to minimize false positives by reducing the total number of signatures applied.

HP TippingPoint's vulnerability-based filters, backed by the DVLabs security intelligence team, are simply better written with minimal false positives to protect against entire vulnerabilities, not just known exploits. This is an important distinction because if only exploit signatures are used, any future mutations of an exploit will not trigger that signature. In addition, through the HP Security Research Zero Day Initiative (ZDI), HP TippingPoint can provide filters to protect against application vulnerabilities before the application/OS vendor has provided a software patch.

Moreover, FireSIGHT knowledge takes a customer as long as 4 months to tweak compared to setting up a ThreatDV reputation feed to HP TippingPoint at the time of installation.

What They Will Claim: Cisco AMP protects more because it combines network and endpoint protection together.

Our Response: HP TippingPoint ATA does not require an endpoint agent to perform remediation; instead, HP TippingPoint uses integration with SMS to automatically take action against infected endpoints using the network IPS, including quarantining, rate limiting, or completely blocking access for infected systems.

The endpoint agent is an additional cost and management console. This could be a major hassle in larger environments where there is a network team and an endpoint team, as the Cisco agent will force these two groups to work together and require the endpoint team to test the agent, ensuring it doesn't cause problems with the corporate image. Additionally, this may require extensive testing and validation for the corporate gold image every time a new version of the endpoint agent is released.

Furthermore, more and more organizations are adopting BYOD, making it very difficult to ensure all devices have the endpoint agent installed. If the solution is truly reliant on the endpoint agent for complete protection, this can lead to holes in security.

Cisco Weaknesses
1. Weak non-sandbox detections for activity like C&C and attacker communication.
2. Cisco AMP's sandboxing has limited customization, meaning customers may not be able to configure it to their exact specifications. Attackers can use generic evasion techniques to avoid detection, including checks for operating system, license file, language, and more.
3. Customers need both AMP for Networks and AMP for Endpoints to see highly effective detection and blocking.
4. Lack of integration with SIEM solutions. HP TippingPoint solutions integrate with HP ArcSight, allowing customers to do more with their investments in a faster, more automated way.
5. Lackluster Security Research - Question how well it protects against targeted attacks leveraging zero-day and variant vulnerabilities and exploits.

Traps to set against Cisco


Ask the Customer: How do you detect targeted attacks and advanced threats with appliances that do not monitor all network ports?

Our Response: Make sure you are protecting your network from all phases of the attack lifecycle. The HP TippingPoint ATA Network is network agnostic and scans all ports across over 80 protocols to provide a broader range of protection against a multi-vector attack.

Ask the Customer: How do you detect targeted attacks and advanced threats on unsupported protocols?

Ask the Customer: How do you detect lateral movement and evolving attacks with appliances that are located on the perimeter?

Ask the Customer: How do you counter new and emerging threats with inferior Security Research?

Our Response: Don't sacrifice your security just because they are a recognized name. In 2013, HP TippingPoint won the Company of the Year Award for Vulnerability Research from Frost and Sullivan (fourth year in a row) with a market leading 25% of the market share in vulnerabilities reported. This translates to HP TippingPoint having the most effective vulnerability research and filters. This enables customers to effectively block exploits and attacks to improve their security posture up to six months before other vendors.

Ask the Customer: How concerned are you about security effectiveness and false positives?

Our Response: In the Breach Detection Systems (BDS) NSS Labs report, the Trend Micro software that is included in the HP TippingPoint ATA topped the list in security effectiveness with a score of 99.1%. This is impressive, but what is more impressive is the fact that they achieved this high score with 0% false positives. Additionally, it is worth noting that this test only covered three protocols; HP TippingPoint ATA-Network supports more than 80, meaning your effectiveness will not be compromised when attackers use less common protocols in their attacks.

2014 NSS Labs Breach Detection Systems (BDS) Security Value Map
Note: for internal use only; do not leave this behind with a customer. New test results are due mid-2015.

What are HP TippingPoint ATA - Network Appliance Strengths?


360 detection means your network security will be better, broader, and more accurate
- Detects malware, C&C, lateral movement, and attacker activity.
- Zero-day and known threats for all internal and external traffic across any network port on over 80 protocols and applications and any IP based device that is generating network traffic.

Detect the malware targeted at your organization with custom sandboxing
- Identifies custom malware targeting your organization (for example, your Windows license, language, applications, etc.)
- Thwarts evasions based on configuration checks (generic license, English language, known FE/other specs, etc.)

Security Effectiveness
- A network security solution is only as effective as the research organization that stands behind it. The combination of the HP TippingPoint DVLabs security intelligence team and the HP Security Research Zero Day Initiative (ZDI) forms the basis of the best security research team in the world. Between 2007 and 2013 HP was acknowledged for its vulnerability research leadership for Adobe and Microsoft.

A complete solution
- Only HP offers an enterprise-class advanced threat solution that integrates with HP TippingPoint Next Generation network security solutions and HP ArcSight, providing complete detection, logging, correlation, and remediation for security events as they occur.

Additional Resources
TippingPoint Sales Portal
ESP Sales
ESP Competition
ATA Blog: Network Security: No need to drop, cover and hold on
Competitive Bottomline: Cisco Buys Sourcefire
Competitive Bottomline: Cisco to Acquire ThreatGRID
Frost & Sullivan: Analysis of the Global Public Vulnerability Research Market in 2013

Contacts
Mike Plavin, Technical Product Marketing Manager
TJ Alldridge, Product Marketing Manager
