The days of simple endpoint protection are over. Scanning and screening for malware has become a very complex process, and most traditional anti-malware tools only find a small fraction of potential infections.
Nowadays there are numerous advanced endpoint detection and response (EDR) tools, all claiming to find and block the most subtle attacks, even ones that don’t leave many fingerprints.
As we wrote last fall in our review of Carbon Black and Cylance, there are two basic approaches: hunting (looking for some odd behavior) and sifting and gathering particular trends or activities (which has its roots in traditional anti-virus).
The 10 products we tested in this review go beyond proactive monitoring and endpoint protection and look more closely at threats. They evaluate these threats in a larger ecosystem, combining the best aspects from network intrusion detection and examining the individual process level on each computer. That is a tall order, to be sure.
Evidence of how important this product category has become is Microsoft’s latest entry, called Windows Defender Advanced Threat Protection. Announced at the RSA show in March, it will be slowly rolled out to all Windows 10 users (whether they want it or not, thanks to Windows Update). Basically what Microsoft is doing is turning every endpoint into a sensor and sending this information to its cloud-based detection service called Security Graph. No remediation feature has been announced to work with this yet.
Besides Microsoft, there are many products to choose from. We looked at Outlier Security, Cybereason, Sentinel One, Stormshield SES, ForeScout CounterAct, Promisec PEM, CounterTack Sentinel, CrowdStrike Falcon Host, Guidance Software Encase, and Comodo Advanced Endpoint Protection. (BufferZone, Deep Instinct, enSilo, Triumfant, ThreatStop and Ziften declined to participate.)
The best products combine both hunting and gathering approaches and also look at what happens across your network, tie into various security event feeds produced by both internal systems and external malware collectors, work both online and offline across a wide variety of endpoint operating systems and versions, and examine your endpoints in near real-time.
The good news is that as these EDR tools become more capable, the sensor or agent that is placed on the endpoint has remained small in size and low in terms of consumed system CPU resources. What is also impressive is that three of the products – ForeScout, Outlier Security and Promisec – are agentless.