What is our primary use case?
The solution should be able to provide next-generation security for endpoints and should be able to monitor, detect, mitigate, and block attacks, as well as provide complete visibility in terms of the chain of events so that forensics can be performed accordingly.
All of the security features should be provided on a single agent and it should be lightweight and should not have a performance impact on the endpoint.
It should provide the required/relevant logs on the console and also be able to forward them to the SIEM solution, so that use cases can be created accordingly.
The agent should be tamperproof, and the admin should not be able to shut down or stop services without the involvement of the security team concerned, or without using a password.
We should be able to integrate and share IOC with other security devices.
How has it helped my organization?
The Check Point SandBlast solution, also known as Harmony Endpoint, is able to detect, block, monitor, and respond to any malicious activity that happens on the endpoint. With a single agent deployed on the endpoint, it's able to provide complete EDPR functionality, with help of multiple security features and modules.
This agent can be pushed either from the Check Point management console or by using other patch management solutions such as SCCM.
It is able to provide a consolidated security posture for all Windows endpoints on a single dashboard and also provides threat hunter visibility for any security threat on the endpoint, and is able to mitigate it.
It provides the capability of reproducing any security threat and also provides an RCA/attack tree.
A file/hash can be swept across the network using the security console, which provides visibility on the endpoint according to its priority.
What is most valuable?
Harmony Endpoint provides complete EDPR functionality using multiple modules and features that are available with the solution. These include Compliance, Anti-Malware, Media Encryption, Port Protection, Firewall, Application Control, Full Disk Encryption, Remote Access VPN, Capsule DOC, URL Filtering, Anti-Bot, Anti-Ransomware, Behaviour Guard, Forensics, Threat Emulation, and Anti-Exploit. This group of features is able to protect the endpoint from any next-generation attack. Any of the modules can be enabled or disabled based on the organization's requirements.
Harmony Endpoint is able to detect, monitor, block, and mitigate attacks on the endpoint and it builds and maintains relevant logs for later inspection. The agent sends telemetry/metadata to the centralized console for forensic purposes.
Policies for endpoints can be created based on the username or endpoint.
Integration with the Threat intel platform is helpful for blocking any attack at an early stage.
The complete solution can be hosted on-premises or SaaS on the cloud.
Remote access VPN is provided as default in the base license.
A different Policy Server can be configured and hosted at each location so that the agent does not have to reach a central location to receive policy updates. Policy servers are created using an OVF file, which can be installed on any Virtual Platform such as VMware.
Communication between the Policy Server and the Management Console is secured using certificate/SIC communication.
The agent footprint is small on the endpoint.
It supports integration with other security solutions for sharing threat intel within an organization or over the cloud.
The anti-ransomware module is very strong; it's able to detect any ransomware attack at a very early stage.
Host-based firewall policy configuration is simple, which helps to access an endpoint if the machine is not in the organization's network.
What needs improvement?
The Threat Hunting module is not available for on-premises deployment.
The user has to connect using the VPN to take Policy Server updates when the solution is hosted on-premises. This adds overhead, as the user has to connect to the corporate network to get the policy.
In the case of a hybrid setup where the Policy and Management Server is on the cloud, the Sandbox appliance has to be on-premises.
Policy configuration and deployment are complex.
The application control and URL filtering features are not very strong.
Application Control databases are generated locally and it does not provide any visibility to the admin on which applications are installed on the endpoint.
The solution is supported only on Windows and Mac, and not on any other platform.
What do I think about the stability of the solution?
So far, the solution is stable.
What do I think about the scalability of the solution?
The solution is scalable; we can add multiple policy servers based on requirements, and they will be integrated with the central management server (Primary/Secondary).
In the case of the SaaS offering, it is managed by Check Point.
How are customer service and technical support?
Technical support is excellent.
Which solution did I use previously and why did I switch?
We used McAfee AV but it was not able to provide the next-generation capability that we were looking for.
How was the initial setup?
The solution required the Management Console and Policy Server for the initial setup, and this can be increased based on the requirements.
What about the implementation team?
We had assistance from the vendor during deployment and the service is excellent.
What's my experience with pricing, setup cost, and licensing?
There are three different licensing models including basic, advanced, and complete, and it needs to be selected according to the endpoint. For example, it matters whether it is only required for a Windows endpoint as opposed to providing support for BYOD/Mobile devices.
Which other solutions did I evaluate?
We evaluated Windows ATP and CrowdStrike.
What other advice do I have?
In case you want to set up the solution on-premises and you want to deploy multiple policy servers, it is complicated. You will need an OVF to be deployed at each location and sometimes, organizations don't have the compute or supporting platform for deployment.
Also, for connecting remote users there is a dependency on the VPN, hence it's again a challenge for users to connect to the policy server for updates.
Which deployment model are you using for this solution?