Cisco App Firstsec Competitive

Cloud-Native and
Competitive Landscape
App-first Security
© 2020 Cisco and/or its affiliates. All rights reserved. This document is Cisco Confidential. For Channel Partner and Internal use only. Not for public distribution.
Cisco cloud-native and application-first security
solution
Stealthwatch DUO
Tetration AppDynamics
Cloud Beyond
Closer Continuously Adaptive

to the application automates security for the application
© 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Cisco application-first security solution
Partners
Cisco Services
CSPM: Threat
Zero Trust: APM: Application
CWPP: Application visibility and detection
Enable secure performance
segmentation and for private
workforce access t monitoring to
risk management networks and o stay complaint reduce risk
public cloud
Solutions
Stealthwatch DUO
Tetration AppDynamics
Cloud Beyond
© 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Acronyms
CWPP – Cloud Workload Protection Platform
"The future of most enterprise data centers is a hybrid, multicloud architecture. Require CWPP
offerings to protect physical machines, VMs, containers and serverless workloads — all from a
single console and managed from a single set of APIs, regardless of location."
Market Guide for Cloud Workload Protection Platforms, Neil MacDonald, Tom Croll 2020
CSPM – Cloud Security Posture Module

Gartner recommends CSPM tools as building blocks for cloud security:
“Almost all successful attacks on cloud services are the result of customer misconfiguration,
mismanagement and errors. Leaders in security and risk management must invest in cloud
security posture management processes and tools to identify and remedy these risks proactively
and reactively.”
Gartner also states that by 2025, 99% of cloud security incidents will be the responsibility of the customer.
© 2020 Cisco and/or its affiliates. All rights reserved. This document is Cisco Confidential. For Channel Partner and Internal use only. Not for public distribution. 4
Acronyms
IDaaS – Identity as a service
Gartner describes the difference between IAM Managed Service and IDaaS as follows: “IAM managed
services are distinct from identity as a service (IDaaS): managed services provide only
management and operation of customer-owned IAM software and infrastructure, while IDaaS
bundles the software and operation into a commoditized service that is provided on a subscription
basis.”
APM – Application performance monitoring

According to Gartner, “Adoption of APM for monitoring microservices in production went up, from
61% to 78% as compared to the prior year. In addition, 49% of respondents deployed their APM-
monitored environments in the cloud. This was up from 36% the prior year.”
Competitive Landscape (App-First Security)
CWPP/ Zero Trust (IDaaS/Access)
Micro-segmentation
CSPM APM
*Based on Analyst classification

Cloud Workload Protection Platform
(CWPP) Competitors
Guardicore Workload Security
Differentiators Weaknesses
• Ability to block processes with their own firewall
• Blacklist model (keeps only the known "bad" out)
• Nice and simple GUI, ability to modify policies in the

• Does not scale for large deployments like Tetration (can
APP view. No ACL like view provide for environments with 1M+endpoints)
• Hardware resources needed for on-prem is small

• Can't keep flows for long period of time
• nano segmentation at the Process level

• Need to modify kernel in order to block process, causing
operational issues with the OS team
• process-based segmentation for dynamic
port application
• Lack of integration with ACI, F5, Citrix, AnyConnect, ISE,
etc
Why Cisco?
• Tetration v Guardicore: Segmentation
• Tetration does not have nano segmentation at the Process level
• Guardicore does not enforce policy using native host • We rely on process information to define
firewall segmentation policy, but do not rely on process to enforce
• Native firewalls are extensively tested by the OS policies. Policy discovery is key in our case.
vendor and used in production by numerous existing
applications. Performance characteristics and
• Tetration does not have process-based segmentation for
functionality are well understood and easily verifiable dynamic port application
• We do not rely on known process identity for dynamic ports.
• Tetration does not require loading vendor code into Kernel We derive port ranges through machine learning from ADM
• Tetration agent runs in user space, significantly which is as effective and a more general solution
reducing risk of kernel panics and system instability.
Loading binary Kernel modules can introduce security
risks, and may cause support issues with upstream
Why We Win
Linux distributions. Agent qualification time may be
increased, suffer compatibility issues or stronger 1. Tetration is better for large scale environments
pushback from app owners 2. Tetration is a allow list model, only lets in the known "good"
3. Keeping flows for a long time ensure policies are great
4. Automatic policy creation compared with more manual process
5. Customer installed base and local support from partners
Illumio Workload Security
• Limited Automation in segmentation- Cannot automate

Illumio is a big marketing company and their claims on policy generation due to limited and predefined
the product all amplify their strengths below: tagging/risk analysis methods, requiring
manual intervention to create/enforce policies.
• Big advocate to throw away Firewall and only use
workload security • Cannot Scale readily or you lose
forensics– Illumio makes customers
• Policy Risk Analysis - Illumio says they can sacrifice visibility/context of their environment to get
understand risks to create policies, which enables to scale. Illumio recommends reduction in visibility when
move quicker. Claim to "Scale with DevSecOps" policy is enforced--Low Detail provides record of Blocked
traffic only, no detail provides ANY record of ANY traffic
• Policy work center - "global policy map" lets flows
customers quickly glance at overall policies for their
enterprise without much training • Deployment limitation: No viable production SaaS
offering , cannot serve customer needs in this area. On-
Prem is heavily dependent on manual intervention.
Why Cisco?
Marketing Overview
SaaS and On-Prem
• Illumio calls itself an Adaptive Security Platform -
Tetration security for application and workload by segmentation
• SaaS: Fully automatic and transparent • Illumio plays on the smaller end while Tetration is able to scale
to operationalize segmentation for large numbers of workloads.
• On-premise: Redundant appliance configured as a hot-
standby. Configure once automatic replication. Current • Illumio cannot meet the needs for larger businesses
RTO 4 hours. Enhancing to 15 minutes in future releases
with automatic failover of agents. Why we win
Illumio 1. Automation – Micro-segmentation is hard; we
automatically recommend white-list policies to enforce across
• SaaS: No viable production SaaS offering at scale. all workloads by mapping application dependencies with
automated tagging.
• On-premise: Highly manual.
2. Scale, visibility– Have more options to scale as you'd like
SaaS
3. Visibility & Control – Security posture data of dynamic

environment (hybrid) and end user context data at any given
time, historically #1 challenge to overcome
VMware NSX-T
• It takes the capabilities of 2 of their products
(NSX and AppDefense) to compete with Tetration
• NSX-T is making progress towards multi-environment
but it’s still early days. Customers need to be ready got
Cloud Native Services
• AppDefense: Social assurance for Threat requires a
large number of customers to make sense. We have
been doing this through Talos for a long time. (They
won't have as much social assurance data as Cisco has)
• First company to really market micro-segmentation • AppDefense will only work in a VMW environment – no
with NSX, customers view them as a leader in the cloud, no bare metal
space often
• They offer a solution which is easy to implement in a
virtualized environment, doesn’t require network
changes
Why Cisco?
1. Tetration is better for large scale environments

2. AppDefense has limited deployment which means their social
assurance model is hardly a draw compared to Tetration's customer
data
3. AppDefense will only work in a VMW environment – no cloud, no bare
metal
Top Differentiators & Weaknesses
• PAN acquired a slew of interesting companies like • Prisma Cloud is not integrated with the rest of the PAN
Twistlock which was already a leader in cloud security solution. There is an external integration option
workload protection to build out Prisma Cloud. with Cortex XDR for analytics but there is no correlation
Easy to deploy and manage with events from other PAN products. It would be similar
to any other integration like a Splunk.
• Prisma cloud offers cloud-native protection for a
wide range of workloads including serverless • The on-prem compute edition is a standalone edition and
(covered by PureSec) and applications. does not correlate or integrate with the Prisma Cloud
edition and does not share the policies either.
• Prisma cloud also offers compliance (via Redlock)
integrated and as part of the basic sku. The • The logging of Prisma Cloud is separate from the rest of
compliance framework is very well put together the solution and so is suitable for cloud native customers
mapping each policy to a standard based but not large enterprises who have multi cloud hybrid
compliance rule. deployments.
• There is a compute edition available for on-prem • Pricing is expensive
workloads.
Why Cisco?
Why We Win
1. Tetration is better integrated with the rest of the Cisco security solution compared to Prisma Cloud which does
not integrated with the rest of the PAN portfolio. For example, SecureX orchestration could be used to enforce
policy across events correlated from Tetration, Stealthwatch cloud and Cisco NGFW (FTD) delivered through a
singular efficient workflow whereas Prisma Cloud has nothing to this effect. The same applies to visibility of
events ingested from across the breadth of the security portfolio.
2. Multi cloud and hybrid cloud deployments cannot be secured by Prisma Cloud vs Tetration which provides a
unified view of on-prem and cloud workloads and unified policy framework for all workloads irrespective of
where they reside.
3. When it comes to applications, Cisco Tetration offers App discovery, Application dependency mapping (ADM)
and app centric policy definition unlike Prisma Cloud which merely maps processes for analytics. The ADM
and app discovery also results in faster deploy and time to buy metrics for customers.
4. With Tetration, microsegmentation is a breeze and easily configurable. Tetration also uniquely positions itself
as a central component of the Cisco Zero Trust solution. Prisma cloud on the contrary would eventually cater
to the microsegmentation use case with its Aporeto acquisition but today, Aporeto is not part of Prisma Cloud
and it is not supported.
CSPM (Cloud Security Posture
Module) Competitors
CSPM delivered features
Compliance Policy Asset Inventory Threat Detection Correlation
PALO ALTO NETWORKS Prisma Cloud
Cisco Security Stealthwatch Cloud
AWS Security Hub
1. Prisma Cloud Compliance (RedLock) is designed as
a compliance tool, so threat detection and alerting is
very limited.
2. RL Alerts are focused on violation of pre-defined

compliance policy, not behavioral threat detection.
1. Feature rich with asset monitoring across all 3. Focus remains on (mis)configuration, not on actual
cloud workloads including containers, breach detection
serverless, PCF etc.
4. While the term “AI” is tossed around a lot, RedLock
2. Rich compliance policy framework with support has a hard time explaining how they are actually
for all major compliance standards able to detect threats using AI and behavioral
analytics
3. Integrated offering with Cloud Workload
Protection capabilities (containers and 5. Very limited context around alerts and detections;
serverless) investigations are limited to surface information
4. Rich reporting with integrated alerts 6. No on-prem capability for compliance.
Why Cisco?
Why We Win
1. Stealthwatch Cloud is better integrated with the rest of the Cisco security solution compared to Prisma Cloud
which does not integrated with the rest of the PAN portfolio. In particular, SWC logs and Cisco Security
analytics and logging (SAL) logs reside in the same data lake and the outcome from this unified data set
provides far better and informed analytics as compared to siloed cloud native only offering.
2. Stealthwatch cloud is a Network Performance monitoring and Analytics tool which has superior threat
detection and alerting capabilities when compared to Redlock (Prisma Cloud CSPM) built only on certifications
and compliance. When integrated with a compliance offering and CWPP (Tetration), the Security benefits
brought to the customer far outweigh the threat intelligence that Prisma Cloud could offer.
3. Multi cloud and hybrid cloud deployments cannot be secured by Prisma Cloud vs Tetration which provides a
unified view of on-prem and cloud workloads and unified policy framework for all workloads irrespective of
where they reside.
1. Only offered for AWS assets. Does not scale multi

cloud.
1. Cloud-native and high attach-rate with AWS
being the cloud service provider 2. No correlation across physical and cloud data
centers.
2. GuardDuty does address some of the gap in
DNS visibility, because DNS traffic is not 3. No segmentation at the AWS guard duty level. Need
included in VPC flow logs. Customers will still to rely on VPC rules.
not be able to directly see DNS traffic but now
at least can get an alert if AWS determines a 4. No Lambda support
DNS call is suspicious.
5. No native advance threat integrations for analytics.
3. Easy sell-in and simple onboarding for AWS Relies on 3rd party + additional $$ unlike
customers CTR/SecureX integrations with SWC.
Why Cisco?
Why We Win
1. The AWS offering is not a true CSPM but multiple features delivered via individual services and the customer
needs to pay for each service usage. The parts of this would be AWS Guard Duty + AWS Config + AWS KMS
+ AWS Security Hub.
2. Usage based metrics and accounting are cumbersome.
3. No advanced threat detection unlike Cisco.
4. Limited to the AWS Cloud DC/tenant. Does not cater to multi cloud use case.
5. No AWS native workload protection offering for unified visibility and seamless security analytics.
Zero Trust Competitors
Cisco DUO vs Microsoft
Cisco Microsoft
1. Duo MFA - included in all editions

1. Azure MFA - included with Azure AD
2. Adaptive Access policies - included in Duo Access
2. Conditional Access - included in Azure P1/P2
and EMS bundles 3. Duo Network Gateway (DNG) - included in
Duo Beyond
3. Application Proxy - included with Azure AD
4. included in Duo Access/Beyond
4. Intune - included in EMS bundles
Cisco Competitive offer to MSFT EMS E5
Duo+ Cisco Email Security + AMP + Umbrella + Webex in an EA
DUO vs Okta Summary
OKTA is an IDaaS (Identity as a service) offering. Shown below are few differentiators of DUO vs an IDaaS offering
IDaaS vs. Duo

We need to redirect conversations about identity to security!
Other requirements that should be considered when evaluating an MFA solution:
• Time to deploy or coverage
• End user productivity
• Security efficacy
• Reduce TCO (soft costs)
• Transparent pricing
• Agnostic solution
• Support for existing infrastructure
Duo's Differentiated Value
•Duo not only verifies users, but establishes trust in devices
•Duo provides visibility into all access points without complex add-ons or extensions
•Duo supports BYOD as well as integrates with MDM, and EMM platforms
•Duo's integrations with the rest of the Cisco Security portfolio provides end to end security for organizations
•Duo layers on top of existing infrastructures and is agnostic
Questions to Ask to Redirect to Duo:
•Is security of your applications one of your top concerns?
•What do you use as you existing identity platform?
•Are you concerned about protecting your users against credential theft?
•Do you have a method to protect access to applications from BYOD?
EXTERNAL RESOURCE you can share:
Comparing Duo to IDaas Vendors
Duo Feature Differentiators
•90%+ adoption rate
Duo MFA •Easy to use and administer
•Agnostic integrations with 3rd party enterprise IAM and security

Adaptive Access policies tools.
•Duo provides Device Access Policies
•Support for on-premises websites, web applications, and SSH

Duo Network Gateway (DNG) servers
Device Trust features •Agentless deployment

•Device Insights •Support for BYOD
•Trusted Endpoints •Agnostic 3rd party integrations with MDM/EMM
•Duo Device Health
APM (Application Performance Monitoring)
Competitors
New Relic APM
• Analytics: New Relic has limited analytics capabilities
and requires code changes to utilize it in a business
context.
• APM: New Relic doesn’t provide auto-instrumentation of
custom code, which limits the customer’s ability to have
• Price: NR can be less expensive and is willing to direct code-level visibility without significant developer
sacrifice margin for Enterprise business. Ensure that effort through initial monitoring into ongoing maintenance.
you focus the conversation around value and
product capability to differentiate us. Across the • Browser RUM: New Relic randomly samples and has no
board, we show a higher ROI. intelligent baselining, leaving your ability to identify
issues to random chance.
• Ease of Installation: New Relic seems easier to
install. Limited configuration capabilities get • Mobile RUM: New Relic has no screenshots and only
customers up and running quickly - but at the price partial data capture.
of not being able to adapt and customize the
technology to specific business needs. To dodge • Synthetics: New Relic does not have low-bandwidth
this conversation, position licenses on SaaS and simulation, where most problems occur.
ensure that your SE has done a dry-run of the
installation prior to running the POV. • Security: No at-rest data encryption (unless using their
AWS government solution), and lacking the ability to
scope RBAC by application under one account.
Why Cisco?
Business: Risky Business Technical: We competitively outperform against New Relic (NR) feature-
by-feature in the following areas:
• New Relic spent two years targeting large
enterprise, with limited success, while their • Analytics: New Relic has limited analytics capabilities and requires code
Account rolls actually fell in FY2019. The changes to utilize it in a business context.
average recurring revenue per account
stood at $36,500 (Q3 2020). • APM: New Relic doesn’t provide auto-instrumentation of custom code,
which limits the customer’s ability to have direct code-level visibility
• In the first 9 months since the introduction without significant developer effort through initial monitoring into ongoing
of their “Platform for the Next Decade”, maintenance.
New Relic One, New Relic’s stock dropped
well over 40%. • Browser RUM: New Relic randomly samples and has no intelligent
baselining, leaving your ability to identify issues to random chance.
• New Relic is carrying significant and
growing, long-term debt. This level of • Mobile RUM: New Relic has no screenshots and only partial data
indebtedness may require them to prioritize capture.
debt maintenance over further investment
• Synthetics: New Relic does not have low-bandwidth simulation, where
in their product.
most problems occur.
• Companies like Datadog and Instana are
• Security: No at-rest data encryption (unless using their AWS government
actively targeting New Relic’s historic
solution), and lacking the ability to scope RBAC by application under
sweet spot, the SMB market.
one account.
Datadog APM
• Lack of transaction scoring reduces the support team’s
ability to spot issues in specific transactions and
measure their impact. There is no ability to customize
transaction names or how transactions are detected
without code changes.
• Actionable insights are not provided to drive the
business or alert on critical business metrics (ex:
flagging a mispriced item on an e-commerce site or
contextualizing a spike in sales which has depleted
inventory) and no ability show business metrics in
release comparisons.
• Cost: Datadog has a simpler licensing model and • To instrument custom code (or unsupported
has a significantly cheaper upfront cost. frameworks), developers MUST add API calls to their
code and redeploy their applications. The bigger and
• Infrastructure: Because of their infrastructure-centric more complex the application, the more work developers
approach, Datadog has a strong alignment to are required to put into their Datadog deployment.
Infrastructure and Tools Teams responsible for high-
level monitoring of the systems.
Why Cisco?
Business: Technical:
• Lack of enterprise focus. Well under 10% of 1. Identify Risks: AppD can track, measure, and score 100% of
Datadog’s customers have greater than $100k transactions end to end. DD: Lack of transaction scoring reduces
ARR. Datadog doesn’t have the same the support team’s ability to spot issues in specific transactions and
experience delivering at scale in the enterprise measure their impact. There is no ability to customize transaction
space. names or how transactions are detected without code changes.
• DIY solution. Nearly non-existent professional 2. BiQ is a competitive differentiator, Datadog has no true
services organization, meaning it won’t be equivalent.
easy to execute on advanced use cases, or
derive full value from the solution.
3. AppDynamics securely monitors, at scale, end to end.
• Split focus. The vast majority of Datadog’s Datadog falls short. Datadog is an infrastructure-centric tool that
revenue is derived from its Infrastructure takes a lot of manual effort to get minimal APM value. To
Monitoring and Log Management product instrument custom code (or unsupported frameworks), developers
lines. MUST add API calls to their code and redeploy their applications.
The bigger and more complex the application, the more work
• An unprofitable enterprise. Datadog developers are required to put into their Datadog deployment to
continues to operate at a loss. get the basics you would have out of the box with AppDynamics.
Dynatrace APM
• Troubleshooting: Dynatrace only baselines 3 metrics for
alerting using a maximum of 7 days of data: every other
metric (e.g., disk space, memory usage, CPU usage)
requires setting and tuning a static threshold resulting in
more time tuning, less time troubleshooting.
• Dynatrace provides pieces of the BiQ solution, but lacks
critical features like Business Journeys or Experience
Journey Maps, limiting their ability to understand the
complete end to end journey of critical business processes.
• Scale: DT attempts to capture “all the data all the time,” but
when a system is most under stress, visibility is decreased
for both good and bad transactions alike to manage
Cost: DT has a simpler licensing model and can be
overhead.
less expensive upfront for some customers.
• Dynatrace does not provide any detailed memory analysis
Usability: Dynatrace is easier and faster to install,
tooling within their solution, so identifying and
especially in a POV.
understanding memory leaks requires additional tooling that
would not integrate with the APM solution.
Why Cisco?
Business: Potential Investment Risk Technical:
• As of this writing, Dynatrace has 1. Identify Risks: AppD identifies risks sooner before they turn into
approximately $550M USD of debt that issues that impact the business. With Dynatrace Baselines 3
has a considerable number of metrics for alerting (response time, error, and load) over one week,
restrictions associated with it, including causing customers to be reactive to potential IT issues (e.g.,
limits (in the words of Dynatrace’s SEC memory leaks) and unable to address them until they have already
filings) on “[Dynatrace’s ability to], impacted users.
make investments, including
acquisitions” and “make capital 2. BiQ is a competitive differentiator, DT has no full
expenditures.” equivalent. Provides pieces of the BiQ solution, but lacks critical
features like Business Journeys or Experience Journey Maps,
• This significant indebtedness and the limiting their ability to understand the complete end to end journey
accompanying covenants can restrict of critical business processes.
Dynatrace’s ability to enhance their
product. This could, in the event of an 3. AppDynamics securely monitors, at scale, end to end.
economic downturn, pose a severe risk Dynatrace falls short. DT attempts to capture “all the data all the
to the viability of the business. time, ” but when a system is most under stress, visibility is
decreased for both good and bad transactions alike to manage
overhead.
P

Cisco App Firstsec Competitive

Uploaded by

Copyright:

Available Formats

Cisco App Firstsec Competitive

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Cisco App Firstsec Competitive

Uploaded by

Copyright:

Available Formats

Cloud-Native and

Closer Continuously Adaptive

CSPM – Cloud Security Posture Module

APM – Application performance monitoring

*Based on Analyst classification

• Nice and simple GUI, ability to modify policies in the

• Hardware resources needed for on-prem is small

• nano segmentation at the Process level

• Limited Automation in segmentation- Cannot automate

3. Visibility & Control – Security posture data of dynamic

1. Tetration is better for large scale environments

Compliance Policy Asset Inventory Threat Detection Correlation

PALO ALTO NETWORKS Prisma Cloud

Cisco Security Stealthwatch Cloud

AWS Security Hub

2. RL Alerts are focused on violation of pre-defined

4. Rich reporting with integrated alerts 6. No on-prem capability for compliance.

1. Only offered for AWS assets. Does not scale multi

1. Duo MFA - included in all editions

IDaaS vs. Duo

•Agnostic integrations with 3rd party enterprise IAM and security

•Support for on-premises websites, web applications, and SSH

Device Trust features •Agentless deployment

You might also like