The days of simple endpoint protection based on traditional anti-malware tools are over. There are now advanced endpoint detection and response (EDR) tools that go beyond proactive monitoring and endpoint protection. They evaluate threats in a larger ecosystem, combining the best aspects from network intrusion detection and examining the individual process level on each computer. That is a tall order, and the 10 products tested are all very capable. However, no one product does everything. You will have to make compromises, depending on what other security tools you already have installed and the skill levels of your staff. Here are capsule reviews of 10 advanced endpoint protection products (see the full review):
Comodo Advanced Endpoint Protection v 5.1
Price: From $31 to $54 per user per year
Description: Anti-malware + mobile device management + patch management
Comodo Advanced Endpoint Protection (AEP) grew out of the company’s anti-malware line. It comes with the broadest collection of agents and has the easiest and one of the fastest setups of any product we looked at. Its Web-based control console is simply laid out. It also includes a host-based firewall, a cloud-based sandbox, and host-based intrusion prevention rules. There are also two supplemental services: Viruscope automatically analyzes running processes and records their activities, and Valkyrie looks at suspicious files and rates them based on dozens of behaviors and other analyses, both human and machine-based. AEP’s biggest weakness is that it has just a few canned reports.
CounterTack Sentinel v5.5
Price: Regular endpoint: $50 per year; server: $100-$125 per year
Description: Real-time threat analysis + Big Data analytics
Sentinel performs real-time threat analysis of your endpoint collection. The added twist is that it integrates with various Big Data analytics tools, both its own and those of various third parties, and can be almost infinitely customized to work with security feeds. Sentinel can manage both Linux and Windows endpoints. The management console is very cleanly designed, with a series of menus for intelligence summary, searches, configuration and reports. Sentinel’s executive dashboard shows a summary of what has been detected and the severity. Its search feature is powerful and can span many security events to get an entire picture of what happened. Almost everything about Sentinel is customizable. The bad news is that you will have to learn the Cyber Observable eXpression (CybOX) XML open-source scripting language.
CrowdStrike Falcon Host
Price: $30 per endpoint per year
Description: Automated blocking of executables
CrowdStrike’s Falcon Host combines several different functions in a very attractive package. It is one of the easiest products to install. Instead of concentrating on scanning your endpoint for an infection, Falcon Host tries to determine if it has seen this hash before. When it finds a matching hash, the executable is immediately blocked automatically. The main console has a very clean design, with various dashboards, a consolidated security events feed, a summary of what has been detected across your endpoint collection, a screening tool that can be used to evaluate any hash or file, an investigation console and a series of configuration settings. The detection screen is where you will spend most of your time. It’s where you can see who has been infected, decide what to do to remove any infection or analyze the exploit with additional tools.
Cybereason
Price: Starts at $75 per endpoint per year
Description: Real-time malware hunting
Cybereason has agents that support Windows, Linux and Mac endpoints; they are downloaded directly from the Web-based management console. It is designed for real-time malware hunting and has a nice series of visualizations to help you understand what is invading your network. The console is lean and clean. Once you find an exploit, you click a small “remediate” button in the lower right corner of the screen; this is done for each infection. Cybereason requires a high-resolution monitor (1920x1200 is best) to view its console; it would be nicer if the software had a responsive design to fit smaller screens. Agents can be remotely updated from the management console, and an administrator can disable data collection or restart the agent.
ForeScout CounterAct
Agents: Not required
Price: Appliances from $4,995 to $182,000
Description: NAC + policy enforcement + orchestration with other security tools
ForeScout’s CounterAct grew out of the Network Access Control (NAC) market and still strongly reflects that history, although you can use the product without turning on its NAC features. You can operate CounterAct without installing agents, although they are available for Windows, Mac and Linux endpoints. Because it doesn’t rely exclusively on agents, it is good for monitoring headless IoT and other embedded devices. CounterAct comes in two pieces: a Linux-based appliance (physical server or VM), plus a Windows-based management server. Getting the two to work together is somewhat involved. This product is a user interface nightmare. But if you have your network compliance rules nailed down, this is a great product that can encode those rules directly into its protective features.
Guidance Software Encase Endpoint Security v5.12
Price: Starts at $44,000, including some professional services installation and consulting
Description: Behavior-based analytics + threat detection and remediation
Guidance Software’s Encase is mature in functionality but still needs work on usability. It is a crazy quilt of Web-based and Windows dashboards and controls, software routines and seemingly endless menus-within-menus. It will take days, if not longer, to get your arms around the product. Overall, the goal is to provide context to your security events and to understand what is going on with your endpoints. If you are looking for a real-time security monitor, this isn’t the tool for you. What it does well is reach deep inside your collection of endpoints to understand what has been changed as a result of a bad actor or malware. Encase also culls security alerts and log files from a large group of appliances and applications.
Outlier Security v2.12
Price: $40 per endpoint per year
Description: Windows-focused endpoint scanning and analysis
Outlier Security combines the best of both the SaaS and on-premises worlds. You connect to its SaaS portal with your Web browser; before doing so you will need to install both Microsoft Silverlight and the .Net Framework. Then you download its “Data Vault,” which lives on a local Windows computer that is used to launch scans across your network. Outlier is impressive, given that it is agentless, but it is only available for Windows computers. Because you perform its scans on a regular schedule, it is best used for longer-term detection rather than real-time analysis.
Promisec PEM v4.1.2
Price: Starts at $25 per user per year
Description: Policy-based compliance, network segment scans
Promisec’s solution is an endpoint manager (PEM) server running a series of modules. There is no agent or sensor software installed directly on endpoints. Instead, it uses Windows-based Sentries on each network segment that you wish to monitor. This means it can be more comprehensive in its analysis, since you don’t have to wait for support for a particular OS version or embedded device. The endpoints can be running any Windows, Linux or Mac OS. There are up to five different modules: compliance, management, automation, power manager and inventory.
There is lots of extensibility built into the product. The only trouble is that it isn’t really proactive: generally you don’t know what you don’t know until you have been hacked in some odd way.
SentinelOne Endpoint Protection Platform v1.6.1
Price: Starts at $45 per endpoint per year
Description: Real-time event information + deep analysis
SentinelOne’s Endpoint Protection Platform offers near real-time event information. When SentinelOne finds a piece of malware, it will tell you where it was first seen on your network, and the reputation of the attack vector according to dozens of security services. In addition, it connects to VirusTotal, where you can view the hash and other metadata of the exploit. SentinelOne installed quickly but has some limitations. Its agent requires a dual-core CPU and at least 2GB of RAM. For Windows endpoints a reboot is required, and the software does show up as a running app in the Control Panel. There are only two roles for management users: a full system admin or a help desk role – the latter can’t modify configuration settings, perform system updates, or add or remove users.
Matrix Partners’ Stormshield Endpoint Security v7.204
Price: Starts at $15 per user per year
Description: Traditional anti-malware + network-based IPS
Stormshield Endpoint Security (SES) is deeply involved in the Microsoft universe: you’ll need Windows Server, IIS, SQL Server, the .Net Framework, etc. A separate Windows program is used to produce endpoint agents. There are three kinds of protection mechanisms: rule-based policies, automatic protection of system and network activities, and behavioral profile-based policies that monitor running apps and block odd behavior. Any policy created by an administrator takes precedence over the automation routines. SES is a mixture of traditional anti-malware endpoint protection and network-based intrusion prevention. It offers the ability to encrypt removable devices. It can also provide temporary Web access, so a user can authenticate to a public Wi-Fi hotspot, such as at a hotel, before bringing up their VPN connection.