Apex One Competitive Battlecard

BATTLECARD

TREND MICRO™ APEX ONE™ BATTLE CARD

Comparison matrix (vendors compared: Trend Micro, Symantec, McAfee, Sophos, Crowdstrike, Carbon Black, Cylance, Microsoft)

Categories rated for each vendor:
• Pre-execution
• Virtual Patching
• Application Control (Whitelist)
• Runtime
• Endpoint Detection and Response (EDR)
• Managed Detection and Response (MDR)
• Data Loss Prevention (DLP)
• Single Agent
• Software as a Service (SaaS)/On-premises Parity

Rating legend:
• Best in class
• Feature exists, good enough
• Feature exists, bare minimum
• Feature/offering does not exist

[The per-vendor ratings are icons in the original matrix and did not survive text extraction; the vendor sections below carry the same assessments in prose.]

CONFIDENTIAL – NOT FOR GENERAL DISTRIBUTION This document is intended to provide general guidance to and for the exclusive use of Trend Micro field sales, marketing personnel, and authorized partners. The contents represent the best
information available to Trend Micro at the time of publication and is provided “AS IS”, without warranty of any kind as to its accuracy, currency, or completeness, expressed or implied. The contents may not be applicable in all situations, may not reflect
the most current situation, and are subject to change without notice and at the sole discretion of Trend Micro. It is not intended and should not be construed to constitute legal advice and should not be relied upon as such. Neither Trend Micro nor any
party involved in creating, producing, preparing, or delivering the contents shall be liable for any consequences, losses, or damages, including direct, indirect, special, consequential, loss of business profits, or special damages, whatsoever arising out
of access to, use of or inability to use, or reliance upon the contents of this document, or any errors or omissions in the content. Do not disseminate, publish, disclose, or transmit this document, in whole or part, without the prior written permission of
an authorized representative of Trend Micro.

APEX ONE™ VS. TRADITIONAL VENDORS

Apex One™ can take on traditional vendors:
Apex One™ is a strong contender against traditional vendors, with its powerful blend of modern pre-execution and runtime threat detection techniques. Relative to other established endpoint security vendors, Apex One™ shines with its breadth of threat detection functionality, SaaS and on-premises parity, MDR service option, and high-quality support.

Differentiation:
Apex One™ stands out from the traditional vendors with its unique virtual patching advantages, built-in data protection, and SaaS and on-premises options. Trend Micro complements its EDR capabilities with a powerful MDR service, which is not directly available from all competitors in this group.

Sales motion:
We can displace established vendors by offering the best of both worlds: modern threat detection and EDR on par with “next gen” solutions, as well as stability and long-term financial viability.

Traditional vendors background:
We often encounter traditional vendors in new customer opportunities. Customers of vendors in this category frequently end up looking for alternatives because they have been experiencing frequent malware outbreaks, painful support experiences, and product complexity. Trend Micro’s technical support is well-regarded and a key differentiator for customers upset with their current vendor.

SYMANTEC

Pre-execution: Similar to Trend Micro, Symantec uses advanced machine learning (AML), along with a number of other pre-execution techniques (although they don’t do as well on independent tests).

Virtual patching: Protects against exploits with intrusion prevention system (IPS) on Microsoft® Windows® and macOS®, with memory exploit mitigation for up to 20 popular applications, such as browsers, Java®, Adobe®, Microsoft® Office 365®, QuickTime®, and more. These days, application exploits are generally impossible to catch via IPS, as most application traffic is encrypted and not visible to an IPS. Trend Micro’s virtual patching protects against operating system (OS)-specific exploits, and has more timely rules.

Application control: Application and device control is available for Windows, but requires a lot of manual configuration and effort to implement. System lockdown (whitelisting) is also available, but also requires a lot of manual and time-consuming configuration.

Runtime: SONAR provides runtime protection using heuristics and behaviors such as system changes, but does not add a machine learning layer like Trend Micro does (beyond behavioral rules).

EDR: Requires advanced threat protection (ATP) for on-premises endpoint appliances. EDR functions integrate to the Symantec® Endpoint Protection agent.

MDR: Symantec recently launched a Managed Cloud Defense Service, offering similar services as MDR (security monitoring, threat correlation, remote incident investigation, containment, and threat hunting).

Data protection: Symantec is the leader in DLP functionality. However, the solution is expensive and not integrated with their endpoint security product, requiring a separate management console and agent.

Single agent: Symantec offers a robust single agent for their endpoint protection platform (EPP) and EDR, which is perceived well by customers.

SaaS/on-premises parity: Symantec has a cloud control panel that can be synced to an on-premises server, but not to a standalone SaaS console. Customers end up with both consoles in this scenario, and the cloud console and on-premises console don’t have 100% feature parity like Apex One™ does.

MCAFEE

Many customers remain on legacy versions of McAfee (8.8) due to migration issues caused by McAfee. These customers may be more willing to switch vendors and should be sought out.

Pre-execution: Uses machine learning for pre-execution static analysis of files—similar to Trend Micro’s approach.

Virtual patching: McAfee® Host Intrusion Prevention for Desktop Advanced vulnerability shielding protects against exploits that target new vulnerabilities. This feature is reported by customers as being very difficult to manage and configure.

Application control: Application control has a whitelist mode (default deny) and can be managed by McAfee® ePolicy Orchestrator® (McAfee ePO), which works on Windows and Linux® workloads. The feedback is that this product is powerful, but cumbersome to configure and manage.

Runtime: Uses machine learning for post-execution behavioral analysis, similar to Trend Micro.

EDR: On-premises solution requires the combination of McAfee® Endpoint Security (ENS) plus McAfee® Active Response (MAR) and McAfee® Threat Intelligence Exchange (TIE).

MDR: Managed service provider (MSP) partners (third-party) offer MDR service for McAfee’s EDR solution, while Trend Micro owns and operates its MDR service.

Data protection: DLP is manageable through McAfee ePO. It works on Windows and Mac and integrates with email and web gateway appliances via simple mail transfer protocol (SMTP) and internet content adaptation protocol (ICAP).

Single agent: McAfee’s current architecture requires multiple agents (McAfee ePO, endpoint security, etc.) running on a machine, which consumes a significant amount of central processing unit (CPU) and memory.

SaaS/on-premises parity: Cloud McAfee ePO has similar functionality but some limitations: no lightweight directory access protocol (LDAP) support, limited to 10k clients, and limited product support (endpoint security mainly). Customers can deploy McAfee ePO in AWS and retain all the functionality of McAfee ePO in a cloud environment, but the customer bears the cost and maintenance burden. Additionally, migrating to cloud McAfee ePO requires a database migration, McAfee ePO disaster recovery, and re-deployment of agents.

SOPHOS

Pre-execution: Sophos® Intercept X®, Intercept X Advanced, and Intercept X Advanced with EDR leverage machine learning focused on Windows portable executable (PE) files for pre-execution detection. However, the Sophos® Endpoint Protection product does not have machine learning capabilities; instead it relies on legacy detection capabilities to provide protection.

Virtual patching: Pre-execution and runtime host intrusion prevention systems (HIPS) are available in Sophos® Central Endpoint®, Intercept X Advanced, and Intercept X Advanced with EDR to protect against attempted exploits. Trend Micro has a rule set that is timelier due to the strength of its research.

Application control: Sophos has basic application control that allows for the blocking of pre-determined applications by category or application name (blacklisting), but does not have an option to block all applications except those allowed (whitelisting). Sophos does not allow administrators to add their own applications like Trend Micro does.

Runtime: Various techniques are employed by Intercept X to provide runtime detection, including behavior monitoring (HIPS), real-time strategy (RTS), advanced anti-ransomware, Sophos® Cryptoguard®, Sophos® Wipeguard®, and others. Sophos has not been as effective in key tests such as NSS Labs’ AEP or AV-test.

EDR: Intercept X Advanced with EDR was recently announced, with expected availability in November 2018.

MDR: None, so many customers will face challenges operating Sophos EDR themselves.

Data protection: DLP available with pre-built or custom rules, similar to the capabilities of Trend Micro.

Single agent: Sophos Intercept X Advanced with EDR is a single agent for endpoint protection and EDR. EDR functionality is not available in Intercept X, Intercept X Advanced, or Endpoint Protection.

SaaS/on-premises parity: To get the full features of EPP and EDR, it is recommended to use the SaaS version of Intercept X Advanced with EDR. The on-premises product, Central Endpoint, and the SaaS product are not equal in terms of features. Central Endpoint lacks many of the more modern protection techniques, such as machine learning, EDR, and ransomware protection.

APEX ONE™ VS. “NEXT-GEN” VENDORS

Apex One™ can take on “Next-Gen”:
Apex One™ is a strong contender against “next-gen” vendors, with its powerful blend of modern pre-execution and runtime threat detection techniques.

Differentiation:
Apex One™ stands out from the “next-gen” vendors with its unique virtual patching advantages, built-in data protection, and SaaS and on-premises options. Trend Micro complements its EDR capabilities with a powerful MDR service, which is not available from all competitors in this group.

Next-gen background:
Vendors in this category have typically started with a single capability (EDR for Crowdstrike and Carbon Black, pre-execution machine learning for Cylance) and expanded (a little or a lot) from there.

Sales motion:
In enterprises, security response and security operations center (SOC) teams are frequently interested in finding a powerful EDR tool; Crowdstrike and Carbon Black often get to the table this way. Since Apex One™ covers a range of threat detection and EDR capabilities, it’s important to be in contact with the relevant (and potentially multiple) teams influencing the purchase.

What do they say about us?
The vendors in this category love to say that their detection abilities surpass the likes of Trend Micro, and that our solutions rely on outdated signature-based detection of known threats. These claims are simply untrue. We haven’t relied on signatures in over 15 years, and our threat detection abilities are world-class, as proven by independent testing.

They’re expensive:
Next-gen solutions are typically considerably more expensive than established vendors, yet are delivering similar value.

CROWDSTRIKE

Pre-execution: Crowdstrike Falcon Prevent™ provides pre-execution machine learning, but only covers executable files. Trend Micro looks at all files, including documents that may contain malicious scripts.

Virtual patching: CrowdStrike® Falcon Spotlight™ only offers vulnerability assessment and not filtering or patching, which means they rely on runtime behavioral techniques to block exploits. Trend Micro offers virtual patching to protect earlier and more effectively by blocking on arrival.

Application control: Provides a rudimentary way to manually whitelist or blacklist individual applications and hashes, but does offer enterprise application control functionality.

Runtime: No machine learning. Like Trend Micro has done for 10 years, Crowdstrike uses indicators of attack (IOA) behavioral blocking at runtime. This is done to determine whether the activity is legitimate or suspicious and detect malicious script, which can be effective against fileless malware. Crowdstrike isn’t participating in advanced tests, such as NSS Labs’ AEP test, so effectiveness is hard to assess.

EDR: Crowdstrike has one of the most fully featured EDR offerings on the market, covering all operating systems, with a focus on enterprise and large enterprise. These tools are favored by large SOC security teams, but can be complex for those with smaller and less technically savvy teams. If you purchase the solution at the default price, the data is only retained for seven days, which limits the ability to investigate attacks. Trend Micro retains data for 30 days in its SaaS EDR, and data retention time is unlimited on-premises.

MDR: Crowdstrike offers its Falcon Overwatch™ platform to leverage the sale of its complex EDR into less-staffed or less skilled organizations. Overwatch primarily provides services for endpoints only, although there is an integration with Lastline® to extend Crowdstrike’s MDR visibility to the network.

Data protection: No DLP, but does provide basic USB device control. It’s possible to configure access to different types of USB devices, but not possible to restrict access based on the type of data.

Single agent: Crowdstrike uses a single agent for EPP and EDR. However, the single agent does not provide the breadth of functionality that Trend Micro provides, because the product lacks some features like DLP, application control, and virtual patching.

SaaS/on-premises parity: SaaS only, no on-premises option. Trend Micro has SaaS or on-premises available, with 100% feature parity.

CARBON BLACK

Pre-execution: Cb Defense® does not do any pre-execution analysis; it relies on behavioral analysis called Streaming Prevention in order to identify threats at runtime.

Virtual patching: No virtual patching, HIPS, or vulnerability protection. Trend Micro has virtual patching to protect earlier and more effectively by blocking on arrival. Carbon Black relies on runtime detection, which is riskier.

Application control: Powerful application control (Cb Protection®, formerly Bit9). Generally considered best in class, with a bit more functionality than Trend Micro.

Runtime: Cb Defense combines signatures, reputation, and Streaming Prevention, which is a behavioral analysis technique to detect and prevent threats at runtime.

EDR: Cb Response® is a feature-rich EDR. It’s good in larger organizations that have more resources due to application programming interfaces (APIs) integration. Cb Response can feed many global threat intelligence resources. Carbon Black has a few higher-end features for large SOC teams, including third-party threat feeds, slightly more telemetry (packet capture and memory dumps), and slightly more MITRE ATT&CK framework coverage. The majority of customers will be more than satisfied by Apex One™ EDR.

MDR: MDR is only delivered by third-party partners and not directly from Carbon Black; Trend Micro operates its own MDR service and built its own MDR platform.

Data protection: No DLP, but does provide basic USB device control. It’s possible to configure access to different types of USB devices, but not possible to restrict access based on the type of data.

Single agent: Carbon Black uses a single agent and single console to deliver functionality from multiple licensed components.

SaaS/on-premises parity: Cb Defense is provided on SaaS, and Cb Response is provided on-premises (although this isn’t featured prominently in their marketing). Trend Micro has SaaS or on-premises available, with 100% feature parity.

CYLANCE

Pre-execution: Cylance relies heavily on pre-execution machine learning and a little on script analysis for exploit protection. Cylance started with a heavy focus on pre-execution machine learning, and it’s still their main focus. While their agent is small and efficient, using machine learning for everything is more resource intensive than using other, more efficient techniques to detect known bad threats.

Virtual patching: No virtual patching, HIPS, or vulnerability protection. Trend Micro offers virtual patching to protect earlier and more effectively by blocking on arrival. Cylance depends on runtime exploit detection, which is riskier.

Application control: Application control is very rudimentary and only allows endpoints to be “locked” at a point in time, with whatever applications exist (an ongoing management challenge). No granular control of applications, whereas Trend Micro has a very comprehensive application control capability.

Runtime: Fairly limited versus Trend Micro. Uses memory exploit protection and script analysis to analyze at runtime and provide protection. No IOA behavioral detection capability, machine learning, or other runtime techniques.

EDR: CylanceOPTICS®—not comprehensive enough (basic rules). Viewed as weak by industry analysts. As a result, Cylance packages EDR with their endpoint product at a competitive price to offset the shortcomings of CylanceOPTICS.

MDR: Cylance THREATZERO® is a managed prevention and response service offered by Cylance’s Consulting group. Proficio is also offering MDR services that use Cylance

Data protection: No DLP, but does provide basic USB device control. It’s possible to configure full access or block different types of USB devices, but not possible to restrict access based on the type of data.

Single agent: Cylance is a single agent, although Cylance lacks many protection capabilities. This means additional products and agents may be required to match the same level of protection provided by Apex One™.

SaaS/on-premises parity: SaaS is the main deployment model for very large enterprises. An extremely expensive appliance solution that also requires manual updates is available for air-gapped and industrial control systems (ICS)/supervisory control and data acquisition (SCADA) use cases, but this is not intended for customers interested in SaaS and on-premises parity.

APEX ONE™ VS. MICROSOFT®

Apex One™ can take on Microsoft:
Apex One™ is a strong contender against Microsoft, with its powerful blend of modern pre-execution and runtime threat detection techniques. Relative to Microsoft, Apex One™ shines with its breadth of threat detection functionality, SaaS and on-premises parity, MDR service option, strong centralized management, competitive pricing, and high-quality support. Many of the advanced protection capabilities Microsoft offers are only available as part of the E5 offering, which is significantly more expensive than the more limited E3 offering, and needs to be factored into any pricing comparisons. Additionally, Microsoft still lacks a true central management console, meaning administrators have to patch together Group Policy Objects (GPOs), Microsoft® Intune®, and Microsoft System Center consoles to effectively manage security controls.

Differentiation:
Apex One™ stands out from Microsoft with its unique virtual patching advantages, centralized management, built-in data protection, and SaaS and on-premises options. Trend Micro complements its EDR capabilities with a powerful MDR service, not available from Microsoft.

Sales motion: We can displace Microsoft by offering the best of both worlds: modern threat detection and EDR on par with “next gen” solutions, as well as stability and long-term financial viability. Microsoft doesn’t offer any gateway email protection such as Trend Micro™ Hosted Email Security™ or Trend Micro™ InterScan™ Messaging Security. It lacks the effectiveness Trend Micro™ Cloud App Security for Office 365® delivers, and any protection for Microsoft® SharePoint®, Microsoft® Lync®, or the gateway. Smart Protection Suites with Apex One™ provide all of this functionality and more, at a competitive price point relative to Microsoft.

Microsoft background: Microsoft provides an array of protection capabilities integrated into the operating system. However, currently, the full breadth of its capabilities is only available to customers running a homogenous Windows 10 environment that have standardized on certain components such as the Microsoft® Edge® browser. Support for some Windows 7 and 8.1 components (EDR) of Windows Defender® Advanced Threat Protection (ATP) is in public preview currently, but not generally available. In order to support these older operating systems, however, additional agents are required, and not every feature of Windows Defender ATP is available on older operating systems. For instance, Windows Defender® Application Control (WDAC), Windows Defender® Application Guard (WDAG), Windows Information Protection® (WIP), and Windows Defender® Exploit Guard (WDEG) are not available on Windows 7 and 8.1.

MICROSOFT

Pre-execution: Provided by Microsoft Threat Intelligence and Advanced Analytics. Hasn’t demonstrated a track record of effectiveness in independent testing, although it has been improving recently.

Virtual patching: WDEG (only available on Windows 10) provides generic protection capabilities to prevent exploits, but does not protect against specific threats like Apex One™ does with its virtual patching capabilities. Microsoft does provide visibility of patching status, but does not provide protection specifically against exploits, outside of deploying specific patches. Apex One™ provides virtual patching, which gives users more rapid protection during outbreaks, ahead of regular Windows patching.

Application control: WDAC (only available on Windows 10) provides a whitelist enforcement functionality, but the management is painful. Has extensive system requirements, including Intune or GPOs to manage effectively.

Runtime: Provided by Windows Defender®, with no track record of effectiveness as the technology is relatively new.

EDR: Requires E5 license to enable Windows Defender ATP, which is the component that provides EDR. Currently, only available on Windows 10 and Windows Server, although support for older versions of Windows (7 and 8) is in public preview. EDR for macOS requires licensing and use of a third-party partner product, e.g., SentinelOne.

MDR: Customers with a premier support agreement have on-demand access to highly specialized security support engineers and on-site incident response teams, but unlike Trend Micro’s MDR, this is not proactive. MSP partners (third-party) provide MDR services for Microsoft products and services (Microsoft Office 365, Microsoft® Azure®, etc.).

Data protection: No DLP. WIP (only available on Windows 10) provides information rights management (IRM) based on the location of data and not on the type of data or the transmission of that data.

Single agent: Built-in approach, no need to deploy additional agents to gain functionality.

SaaS/on-premises parity: Microsoft doesn’t offer an on-premises version of Windows Defender ATP. Customers don’t have the same flexibility they have with Trend Micro when it comes to deploying on-premises or SaaS.
Questions to Ask Customers:

• Is the competition participating in independent third-party testing? There are very few truly independent third-party labs for testing endpoint security technology (AVTest.org, AV-Comparatives and NSS Labs are the only ones consistently referenced by industry analysts and other thought leaders). Other “third-party” tests are paid for by the vendor, therefore the vendor can dictate the terms of the testing and what specific features to look at versus the competitor(s). Some of the “next-gen” endpoint players are not participating in the independent testing at all, and enforce licensing restrictions blocking third-party test labs.

• If already with Trend Micro, are you using the latest endpoint product release with our modern threat detection features enabled? With older releases of Trend Micro™ OfficeScan™, or optional detection features disabled, protection will be less effective. Today’s threat environment requires a multi-layered defense, including modern pre-execution and runtime detection.

• Will you need to learn and use security products from multiple vendors, with multiple management consoles to get the security coverage you need? How will the management for those different products work? Will you have visibility across users’ devices and multiple platforms for rapid response? How will you manage cloud and on-premises security?

• How are you tackling patch management or zero-day protection against vulnerabilities? How are you ensuring that network-based vulnerabilities that exploit a specific application are protected? Will virtual patching provide faster time to protection than other approaches? (yes!) Without virtual patching, would you be dependent on real-time exploit detection on the endpoint? (typically, yes!)

• How are you detecting threats and malware that get inside your network? Does your endpoint product look for command and control traffic or detect lateral movement from one system to another? Does your endpoint integrate with internal network breach detection technology and investigation and forensic capabilities?

• How are you providing data protection for your organization? How are you protecting against users sharing confidential information with DLP (via all the channels today like email, cloud storage, instant message, USB, mobile devices, and web)? Are there compliance regulations to enforce?

• What is the competition’s customer service & support coverage model? Does the vendor have 24 x 7 coverage and local people in your region to provide the best account and technical support for your critical security infrastructure?

Remember to:

• Use the Gartner Endpoint Magic Quadrant and Forrester Wave for Endpoint Security Suites to demonstrate our extensive advanced protection capabilities. These reports are available on Sales Library and our partner portal.

• Ensure existing customers are aware of our latest product capabilities (including runtime detection, machine learning, EDR, MDR, and SaaS).

• Show the latest NSS Labs Advanced Endpoint Protection Report and AV-TEST (independent testing) that demonstrate that we are the best at stopping the very latest threats.

• Tell our Connected Threat Defense story—how they can use and connect breach detection, sandboxing, and email and web gateways with the endpoint, to automatically protect with real-time local signatures for zero-day threats.

The Apex One™ Advantage

Automated detection and response:
Apex One™ is built upon the XGen™ security techniques, a cross-generational blend of threat defense functionality that intelligently applies the right technology at the right time. The product includes the industry’s most timely virtual patching capabilities powered by Trend Micro’s Zero Day Initiative, along with a range of modern technologies to detect and block advanced attacks, including fileless threats.

Actionable insights:
Apex One™ introduces expanded EDR capabilities. It also connects to Trend Micro’s MDR service option that boosts in-house teams with threat hunting and alert monitoring.

All-in-one:
Apex One™ offers a breadth of industry-leading capabilities from a single user agent. Apex One™ offers powerful EDR with automated detection and response tools, simplifying deployment and eliminating silos.

©2018 by Trend Micro Incorporated, a global leader in cybersecurity solutions, helps to make the world safe for exchanging digital information. Our innovative solutions for consumers, businesses, and governments provide layered security for data centers, cloud environments, networks, and endpoints. For more information, visit www.trendmicro.com.
[BC02_Apex_One_181129US]
