10 cutting-edge tools that take endpoint security to a new level
The 10 products tested in this review go beyond proactive monitoring and endpoint protection and look more closely at threats
By David Strom
The days of simple endpoint protection are over. Scanning and screening for malware has become a very complex process, and most traditional anti-malware tools only find a small fraction of potential infections.
Nowadays there are numerous advanced endpoint detection and response (EDR) tools, all claiming to find and block the most subtle attacks, even ones that don't leave many fingerprints.
As we wrote last fall, there are two basic approaches: hunting (looking for some odd behavior) and sifting and gathering particular trends or activities (which has its roots in traditional anti-virus).
The 10 products we tested in this review go beyond proactive monitoring and endpoint protection and look more closely at threats. They evaluate these threats in a larger ecosystem, combining the best aspects from network intrusion detection and examining the individual process level on each computer. That is a tall order, to be sure.
Evidence of how important this product category has become is Microsoft's latest entry, called Windows Defender Advanced Threat Protection. Announced at the RSA show in March, it will be slowly rolled out to all Windows 10 users (whether they want it or not, thanks to Windows Update). Basically what Microsoft is doing is turning every endpoint into a sensor and sending this information to its cloud-based detection service called Security Graph. No remediation feature has been announced to work with this yet.
+ MORE IN THIS PACKAGE: 7 trends in advanced endpoint protection | How to buy endpoint security products | Top 10 advanced endpoint protection tools +
Besides Microsoft, there are many products to choose from. We looked at Outlier Security, Cybereason, Sentinel One, Stormshield SES, ForeScout CounterAct, Promisec PEM, CounterTack Sentinel, CrowdStrike Falcon Host, Guidance Software Encase, and Comodo Advanced Endpoint Protection. (BufferZone, Deep Instinct, enSilo, Triumfant, ThreatStop and Ziften declined to participate.)
The best products combine both hunting and gathering approaches and also look at what happens across your network, tie into various security event feeds produced by both internal systems and external malware collectors, work both online and offline across a wide variety of endpoint operating systems and versions, and examine your endpoints in near real-time.
The good news is that as these EDR tools become more capable, the sensor or agent that is placed on the endpoint has remained small in size and low in terms of consumed system CPU resources. What is also impressive is that three of the products -- ForeScout, Outlier Security and Promisec -- are agentless.
As you might suspect, no one product does everything. You will have to make compromises, depending on what other security tools you already have installed and the skill levels of your staff. Because of this, we weren't able to score each product numerically or award an overall winner.
Advanced endpoint protection products
| Vendor/Product Name | Delivery form factor for server | Endpoint agents available | Pricing |
|---|---|---|---|
| Comodo Advanced Endpoint Protection | Windows server or SaaS | Windows (XPSP3, Vista, Server, 7, 8, 10), Mac | $31-$54/user/year |
| iOS, Android | |||
| CounterTack Sentinel | CentOS-based server | Windows (XPSP3, Server, 7SP1, 10), Linux | $50-$125 |
| /endpoint/year | |||
| CrowdStrike Falcon Host | SaaS | Windows, Mac, Linux | $30/user/year |
| Cybereason | Linux server or SaaS | Windows (7, 8,10), Mac, Linux | $75/endpoint/year |
| ForeScout CounterAct | Linux Appliance and Windows management server | Windows, Mac, Linux (agents and agentless) | Starting at $5,000 |
| Guidance Software Encase Endpoint Security | Windows server | Windows, Mac, Linux | Starts at $44,000 |
| Outlier Security | Windows and SaaS | Agentless but Windows only | $40/endpoint/year |
| Promisec PEM | Windows server | Agentless | $60/user/year |
| Sentinel One Endpoint Protect Platform | Windows server or SaaS | Windows, Mac (>10.9), Linux | $45/user/year |
| Stormshield Endpoint Security | Windows server | Windows (XPSP3, Servers, 7SP1, 8.1, 10) | $15/user/year |
Here are the individual reviews:
Comodo Advanced Endpoint Protection v 5.1
Comodo Advanced Endpoint Protection (AEP) grew out of the company's anti-malware line of products. It comes with the broadest collection of agents (including Windows, Mac and smartphones), with support for Linux desktops coming later this year. It is part of an overall software suite called Comodo One, but is still sold separately.
Its consumer focus shows: Comodo has the easiest and one of the fastest setups of any of the products we looked at: you can literally be up and running within 10 minutes. Its web-based control console is simply laid out, with the sequence of steps you need to accomplish shown right on the front page, and the workflow steps listed on the main menu down the left-hand side of the screen. You can bulk setup your endpoints, or force an MSI package to them once the agent is installed.
That being said, we still needed some help to get our first full install to properly work on a Windows endpoint. However, this could be because the date/time service was not synchronized properly with an Internet time server on our VM. AEP sends out an email with several links embedded for installation on Windows or smartphones. Once your user clicks on the appropriate link, for the most part the installation happens quickly and without a lot of operator intervention.
AEP comes in two different forms: as an online service or as an application running on a Windows server. For the latter you will need a variety of components, including SQL Server and .Net Framework. Once that is up and running, you access its console via a web browser. The features are the same whether on or off premises.
AEP's heritage combines an "anti-virus-plus" product with that of a basic mobile device manager for the smartphone set. Most of its controls revolve around setting up a traditional malware prevention product, although there are lots of other features, including a host-based firewall, a set of policies to automatically move any unknown executable or other suspicious file into its cloud-based sandbox to prove its provenance, and a series of host-based intrusion prevention rules. All of these controls are contained in a series of web-based policy menus that can be organized into different policy groups.
There are also two supplemental services: The first is Viruscope, which automatically analyzes running processes and records their activities. You turn this on with a few toggle switches. If it detects something that it hasn't seen before -- which could be malware -- it flags it as unknown and then sends the file to the second service, called Valkyrie, which is Comodo's online file analysis tool.
Valkyrie looks at suspicious files and rates them based on dozens of various behaviors and other analyses, both human and machine-based. The whole process takes less than a minute, but is designed to provide the least impact on end users in terms of flagging false positives. The basic analysis engine is included in the entry-level subscription.
For smartphones, AEP provides basic MDM services: it tells you which apps are installed on your phone (and you can de-select those that you don't want your users running), the version of software and other general settings. You can remotely wipe your phone, reset its screen PIN, turn off the camera, and several dozen other settings. If you already have a MDM or other management profile downloaded on your phone, you will need to remove it before installing AEP's profile. (It would be nice to get a warning from Comodo when this situation happens.)
Unlike some of the other products reviewed here, it doesn't allow you to specify any particular security feeds or log files. There is an "Applications" tab that does have some of the same roles as an IDP: you can white/blacklist specific applications, exclude specific software publishers and examine if any files have been uploaded to Comodo's sandbox for further analysis.
Under the Settings/roles management tab, AEP has the largest collection of granular roles, allowing you to enable full device management or set up read-only access to security policies, among more than 30 other parameters.
On the profile list there are various templates: Windows, iOS and Android. Mac doesn't have a full profile yet but should have in the next version. Each policy has a series of sections, such as antivirus or file analysis, which in turn have their own specific parameters. As you construct your policy, each section shows up as a separate tab on a bar across the top, making it easier to find and modify a specific element.The Windows policies are more complete: the smartphone policies omit the firewall, Host IPS and other sections that aren't relevant to mobile devices.
AEP's biggest weakness is that it has just a few canned reports: an earlier version had just a single inventory report; this has been augmented in the latest version. Reports can be downloaded either in Excel or PDF formats.
AEP isn't just for malware hunting, it's also a complete patch management tool. On our sample Windows 7 and 10 VMs, it found more than 370 and 35 patches respectively to bring up the original installation to current patch levels. You can very quickly group them by severity (critical, important or low) and install the ones that are most essential to your operations.
There are three pricing tiers: Basic, Premium and Platinum. The basic tier is free and intended for free trials. This will bring up a cloud-based management console and allow you to setup 100 users for 30 days. At the end of the trial, you pay anywhere from $31 to $54 per user per year and can opt for the use of a locally based server. The Platinum level includes Valkyrie and adds human screening to its automated procedures. There are volume and yearly discounts that can reduce these prices substantially.
CounterTacktack Sentinel v5.5
Sentinel performs real-time threat analysis of your endpoint collection. The added twist is that it integrates with various Big Data analytics tools, both its own and various third parties, and can be almost infinitely customized to work with security feeds.
+ ALSO: The Endpoint Security Continuum +
Sentinel can manage both Linux and Windows endpoints and supports a wide range of them, going back to XP Service Pack 3 and including Windows Server versions. They are working on sensors for point-of-sale and embedded systems, along with Mac OS support later in the year.