Deep Instinct Review

Removes the need to strike a security-productivity balance, while finding numerous risks that competitors miss

What is our primary use case?

The primary use case is advanced endpoint protection in the context of prevention.

How has it helped my organization?

Take, for example, EMOTET. It is a really nasty piece of malware. I joke with my clients that it's like the evil party-planner. It gets a foothold and then it pulls in all its bad-guy buddies. EMOTET is exceptionally dangerous because it's multifaceted: botnet, cryptocurrency mining, and ransomware. Being able to prevent threats such as EMOTET, which was originally intended to attack the banking industry, is among the best successes we've had with DI. And it's just one of many. It's been so substantial that I don't even know how to quantify it.

To put it in context, when we review a security product, everything we do is weighed against three criteria: security, reliability, and a positive user experience. Within any cybersecurity solution is the need to strike the balance between security and productivity. When you take a product like Deep Instinct and remove the overhead while allowing the organization to function as though there were no security inhibitors - yet still provide that high level of security - to me that's a huge win because we’re not sacrificing productivity. We are allowing the organization to still function at a high level without the burdens of so many controls that choke the machine from unnecessary overhead.

In terms of CPU consumption, it is exceptionally low. We've been running the product for over a year internally, and we have zero issues. I am aware that in some environments, when first deployed, because it literally scans the entire machine, it can consume resources. But after the initial scan is complete, we don't even notice it's there. From a pure user-perspective, in comparison to some of the traditional "bloatware" that some of the legacy, traditional AV guys have become over time, it's a substantial difference on the positive side in the sense that you just don't notice it. I literally notice no impact on my day-to-day actions. It's somewhat amazing. The footprint is so light that you wonder, "Where's the 'gotcha' in this?" Light footprint and super effective? Okay, sign me up.

What is most valuable?

We provide managed security services to our clients and my belief is the best threat is the one that never happens or is mitigated before it's given an opportunity to establish a foothold. We were approached by a peer of ours about two-and-a-half years ago, right before we met Deep Instinct, and discussed partnering with them to resell our infrastructure solutions, and having us support and be the West Coast coverage for a competing endpoint solution. We didn't move forward with our peer, though it became clear, coming out of our discussions with them, that our infrastructure services that were our core competency were going to need to be complemented with an endpoint solution, because these folks were now a competitor.

We started looking at different options. This is around the time that a lot of players were starting to come up, such as Cylance, SentinelOne, and Carbon Black. We worked through the gauntlet of these products and others. Interestingly, within a month I was introduced to Deep Instinct which had just come out of stealth mode. It was a differentiator. Of all the products, what I saw that intrigued me most were the prevention capabilities, where instead of focusing on features like rollback, the whole premise and the context of the solution is to actually prevent these malicious attacks from happening to begin with.

As a service provider who is responsible for the wellbeing of our client base, that's a much more appealing approach than the ability to roll back, because in any rollback situation there is always an opportunity that it's not going to roll back exactly how you wanted it. So it aligned with our core business values. The ability to prevent threats is the most appealing aspect.

Deep Instinct absolutely, 100 percent helps with real-time prevention of unknown malware. That's the strength of the product. We've just surpassed 20,000 endpoints under our purview, and over 75,000,000,000 files scanned. We had an event this past summer where there were some environments that hadn't fully migrated over to Deep Instinct. Within those environments, the machines that were defended by Deep Instinct continued without issue, whereas user machines that were not defended by Deep Instinct had substantial issues that were not resolved until we actually were able to get Deep Instinct on them.

We have a running list of all the competitive products we run over the top of or concurrently with Deep Instinct. At one milestone, Deep Instinct had discovered over 5,000 existing threats that were present on existing workstations, across 32 different competitive products that were defending these workstations, though they provided zero visibility into the fact that the risks were present. This number was at the 7,500 endpoints defended milestone and has grown significantly as deployments have expanded. It is worth mentioning that included in that list are all the aforementioned competitors we had considered.

Deep Instinct provides classification of unknown malware without human involvement. Our analysts and engineers use that data as part of the validation and remediation process. The feature is tremendously insightful and tremendously helpful. As an operator, anything that shortens the path to clarity is a value.

Finally, one of the most important things that we haven't highlighted yet is that it has a very low false-positive ratio. That is important because it means we're maximizing our efficiency. Because the false-positives are so low, our need to carry excessive staffing is minimized by not requiring headcount to filter through the noise. In our assessments of other products, we learned some of the competing products literally have teams of hundreds of analysts breaking down threats that their tools are detecting due to excessively high false positives. Because of this, those solutions were not considered. We're able to support the entire 20,000-endpoint base with just a handful of engineers. The time savings are substantial, and the impact on morale is positive. We’re seeing false-positives at about 5 for every 10,000,000 files scanned. There's one company that comes to mind and I know they have more than a couple of hundred analysts filtering through what they're flagging. I actually don't know if Deep Instinct has any analysts because the detection rates are so high.

What needs improvement?

The Achilles heel in our industry is reporting. I would love to see an exceptional, outstanding level of reporting. I know that's like asking for a unicorn to leap out of the sky with any of these products. But reporting is always the thing that is challenging. Fortunately, because as operators we get information through the dashboard, it hasn't been an issue yet. But for us, to really differentiate and really squeeze the full value out of this with our clients, the reporting is critical. Why is that? When everything works, clients begin to wonder: "Everything's fine. Why do we need you?" That's where the reporting capabilities would allow us to really demonstrate: "Hey, here's what's actually going on, Mr. Customer."

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

Deep Instinct has proven to be a stable and reliable solution. We have had minimal issues with it. We're pushing it to our entire client base and rolling our endpoint protection solution on Deep Instinct.

Our implementation strategy - and we always advise our clients to do this with any product - is to take a subset of the environment and do a limited install on a handful of machines. The purpose is to uncover any existing or potential issues with line-of-business apps or any non-standard elements in the environment. The aspect which most people fail to consider is that when you add a more sophisticated cybersecurity-purposed tool, the more advanced capabilities will expose any existing shortcomings in the environment. Consequently, if you have not architected your environment correctly, these tools tend to expose those shortcomings. Most often, clients want to point a finger at the tool. The reality is that the tool is doing its job and there's some aspect of the network that it just brought to light.

I travel the country speaking at cybersecurity events, and will always remember a specific gentleman because I really had empathy for him. He asked a question out of frustration regarding a competing product, and what do you do when installing “Solution-X” and it blue-screens the entire environment. My first thought was, "Why are you installing into an entire environment without testing?"

Whether it's a premium, next-generation firewall at the edge or a premium solution on the endpoint, if there's an issue with the machine or something in the stack, it's going to have an effect. Why? Because delivering advanced-security services requires the margins for error to be minimal. They have to be. That's how you close gaps. So that pre-testing by installing in a subset, that proof of concept, is how you get clarity and certainty that you can deploy environment-wide without issues.

What do I think about the scalability of the solution?

The Brain is Cloud-Based, and scalability is infinite. We've surpassed 20,000 endpoints and are growing rapidly.

How is customer service and technical support?

Our partners are regional, managed service providers and they source the tool through us. We provide support, design, care and feeding, or we provide training and an escalation point. Recognizing the diversity of environments, our offerings are flexible to work in ways that best support our Partners' business.

How was the initial setup?

The initial setup is pretty straightforward, at least on PC. Mac OS has a few curveballs to work around, which Apple has built in to protect the environment. But once it's in - I've had it on my MacBook Air for eight months without issue - it just works.

Deployment takes less than 15 minutes. For the install, the initial scan can take ten hours or more depending on how much data there is to be scanned. But it's typically complete within a day.

For deployment, it takes one of our team members a few minutes on the endpoint, or we have also deployed via multiple RMM tools. For the actual day-to-day maintenance and monitoring, and all the security benefits that we stack on top of it, our team is well north of one. When stuff kicks up that merits investigation, to validate whether it's an issue or requires further action and escalation, if needed, to the Deep Instinct team, that's what those staff members are doing. They're also making sure that the environment across those 20,000 endpoints - we are approaching 250 to 300 clients - is running clean and healthy on a day-to-day basis. But in general, the tool is effective and efficient.

What was our ROI?

The ROI is that your people are able to remain productive. You're not paying ransomware, your systems are healthy and operational, and you're not putting out fires. You're being productive.

What's my experience with pricing, setup cost, and licensing?

I think the pricing is a huge value. In comparison to the other products out there, it's exceptionally competitively priced. When you consider the lower administrative overhead that it facilitates, it's an absolute value.

What other advice do I have?

Our partners are regional, managed service providers and they source the tool through us. We provide support and design and care and feeding, or we provide training and an escalation point. We've actually got a lot of flexibility in our offerings to them so that the tool works in a way that best supports their business.

The experience of running over the top of competing products and having such a high detection rate of risk that was present on those machines, and the ability to replicate that whenever we go into a new environment - we traditionally will uncover things that the incumbent had not identified.

I've been around this industry for 20 years and there are just certain things that, when you see them, you know they're going to be a game-changer. It was very clear to me that this product, if we could work with the company to get the functionality out of it that we needed, would be a game-changer.

I don't give anything a ten, so I'd give it a solid nine. The only thing keeping this from being a ten is "wow-me" reporting. If the rating was purely on the product and prevention, it would be an absolute ten.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Reseller.