The days of simple endpoint protection are over. Scanning and screening for malware has become a very complex process, and most traditional anti-malware tools only find a small fraction of potential infections.
Nowadays there are numerous advanced endpoint detection and response (EDR) tools, all claiming to find and block the most subtle attacks, even ones that don’t leave many fingerprints.
As we wrote last fall in our review of Carbon Black and Cylance, there are two basic approaches: hunting (looking for some odd behavior) and sifting and gathering particular trends or activities (which has its roots in traditional anti-virus).
The 10 products we tested in this review go beyond proactive monitoring and endpoint protection and look more closely at threats. They evaluate these threats in a larger ecosystem, combining the best aspects from network intrusion detection and examining the individual process level on each computer. That is a tall order, to be sure.
Evidence of how important this product category has become is Microsoft's latest entry, Windows Defender Advanced Threat Protection. Announced at the RSA show in March, it will be rolled out gradually to Windows 10 users (whether they want it or not, thanks to Windows Update). Essentially Microsoft is turning every endpoint into a sensor and sending its behavioral telemetry to a cloud-based detection service, the Intelligent Security Graph. No remediation feature has been announced to work with it yet.
Besides Microsoft, there are many products to choose from. We looked at Outlier Security, Cybereason, Sentinel One, Stormshield SES, ForeScout CounterAct, Promisec PEM, CounterTack Sentinel, CrowdStrike Falcon Host, Guidance Software Encase, and Comodo Advanced Endpoint Protection. (BufferZone, Deep Instinct, enSilo, Triumfant, ThreatStop and Ziften declined to participate.)
The best products combine both hunting and gathering approaches and also look at what happens across your network, tie into various security event feeds produced by both internal systems and external malware collectors, work both online and offline across a wide variety of endpoint operating systems and versions, and examine your endpoints in near real-time.
The good news is that as these EDR tools become more capable, the sensor or agent that is placed on the endpoint has remained small in size and low in terms of consumed system CPU resources. What is also impressive is that three of the products – ForeScout, Outlier Security and Promisec – are agentless.
As you might suspect, no one product does everything. You will have to make compromises, depending on what other security tools you already have installed and the skill levels of your staff. Because of this, we weren’t able to score each product numerically or award an overall winner.
Advanced endpoint protection products
| Vendor/Product Name | Delivery form factor for server | Endpoint agents available | Pricing |
| --- | --- | --- | --- |
| Comodo Advanced Endpoint Protection | Windows server or SaaS | Windows (XP SP3, Vista, Server, 7, 8, 10), Mac | $31-$54/user/year |
| CounterTack Sentinel | CentOS-based server | Windows (XP SP3, Server, 7 SP1, 10), Linux | $50-$125/endpoint/year |
| CrowdStrike Falcon Host | SaaS | Windows, Mac, Linux | $30/user/year |
| Cybereason | Linux server or SaaS | Windows (7, 8, 10), Mac, Linux | $75/endpoint/year |
| ForeScout CounterAct | Linux appliance and Windows management server | Windows, Mac, Linux (agents and agentless) | Starting at $5,000 |
| Guidance Software Encase Endpoint Security | Windows server | Windows, Mac, Linux | Starts at $44,000 |
| Outlier Security | Windows and SaaS | Agentless, Windows only | $40/endpoint/year |
| Promisec PEM | Windows server | Agentless | $25/user/year |
| Sentinel One Endpoint Protect Platform | Windows server or SaaS | Windows, Mac (10.9 or later), Linux | $45/user/year |
| Stormshield Endpoint Security | Windows server | Windows (XP SP3, Server, 7 SP1, 8.1, 10) | $15/user/year |
Here are the individual reviews:
Comodo Advanced Endpoint Protection (AEP) grew out of the company’s anti-malware line of products. It comes with the broadest collection of agents (including Windows, Mac and smartphones), with support for Linux desktops coming later this year. It is part of an overall software suite called Comodo One, but is still sold separately.
Its consumer focus shows: Comodo has the easiest and one of the fastest setups of any of the products we looked at: you can literally be up and running within 10 minutes. Its Web-based control console is simply laid out, with the sequence of steps you need to accomplish shown right on the front page, and the workflow steps listed on the main menu down the left-hand side of the screen. You can bulk setup your endpoints, or force an MSI package to them once the agent is installed.
That being said, we still needed some help to get our first full install to properly work on a Windows endpoint. However, this could be because the date/time service was not synchronized properly with an Internet time server on our VM. AEP sends out an email with several links embedded for installation on Windows or smartphones. Once your user clicks on the appropriate link, for the most part the installation happens quickly and without a lot of operator intervention.
AEP comes in two different forms: as an online service or as an application running on a Windows server. For the latter you will need a variety of components, including SQL Server and .Net Framework. Once that is up and running, you access its console via a Web browser. The features are the same whether on or off premises.
AEP’s heritage combines an “anti-virus-plus” product with a basic mobile device manager for the smartphone set. Most of its controls revolve around setting up a traditional malware prevention product, although there are many other features, including a host-based firewall, a set of policies that automatically submit any unknown executable or other suspicious file to its cloud-based sandbox for a verdict, and a series of host-based intrusion prevention rules. All of these controls are contained in a series of web-based policy menus that can be organized into different policy groups.
There are also two supplemental services: The first is Viruscope, which automatically analyzes running processes and records their activities. You turn this on with a few toggle switches. If it detects something that it hasn’t seen before – which could be malware – it flags it as unknown and then sends the file to the second service, called Valkyrie, which is Comodo’s online file analysis tool.
Valkyrie looks at suspicious files and rates them based on dozens of various behaviors and other analyses, both human and machine-based. The whole process takes less than a minute, but is designed to provide the least impact on end users in terms of flagging false positives. The basic analysis engine is included in the entry-level subscription.
For smartphones, AEP provides basic MDM services: it tells you which apps are installed on your phone (and you can de-select those that you don’t want your users running), the version of software and other general settings. You can remotely wipe your phone, reset its screen PIN, turn off the camera, and several dozen other settings. If you already have a MDM or other management profile downloaded on your phone, you will need to remove it before installing AEP’s profile. (It would be nice to get a warning from Comodo when this situation happens.)
Unlike some of the other products reviewed here, it doesn’t let you specify any particular security feeds or log files. There is an “Applications” tab that plays some of the same roles as application control in an intrusion detection/prevention product: you can whitelist or blacklist specific applications, exclude specific software publishers, and check whether any files have been uploaded to Comodo’s sandbox for further analysis.
Under the Settings/roles management tab, AEP has the largest collection of granular roles, allowing you to enable full device management or set up read-only access to security policies, among more than 30 other parameters.
On the profile list there are various templates: Windows, iOS and Android. Mac doesn’t have a full profile yet but should have one in the next version. Each policy has a series of sections, such as antivirus or file analysis, which in turn have their own specific parameters. As you construct your policy, each section shows up as a separate tab on a bar across the top, making it easier to find and modify a specific element. The Windows policies are more complete: the smartphone policies omit the firewall, host IPS and other sections that aren’t relevant to mobile devices.
AEP’s biggest weakness is that it has just a few canned reports: an earlier version had just a single inventory report; this has been augmented in the latest version. Reports can be downloaded either in Excel or PDF formats.
AEP isn’t just for malware hunting, it’s also a complete patch management tool. On our sample Windows 7 and 10 VMs, it found more than 370 and 35 patches respectively to bring up the original installation to current patch levels. You can very quickly group them by severity (critical, important or low) and install the ones that are most essential to your operations.
There are three pricing tiers: Basic, Premium and Platinum. The basic tier is free and intended for free trials. This will bring up a cloud-based management console and allow you to setup 100 users for 30 days. At the end of the trial, you pay anywhere from $31 to $54 per user per year and can opt for the use of a locally based server. The Platinum level includes Valkyrie and adds human screening to its automated procedures. There are volume and yearly discounts that can reduce these prices substantially.
CounterTack Sentinel v5.5
Sentinel performs real-time threat analysis of your endpoint collection. The added twist is that it integrates with various Big Data analytics tools, both its own and various third parties, and can be almost infinitely customized to work with security feeds.
Sentinel can manage both Linux and Windows endpoints and supports a wide range of them, going back to XP Service Pack 3 and including Windows Server versions. CounterTack is working on sensors for point-of-sale and embedded systems, along with Mac OS support, for later in the year.
We tested Sentinel on a series of VMs, both running the server and various Windows endpoints. The collection server will need a very hefty 64GB of RAM and two separate gigabit network cards. When you install the server on a CentOS machine, it sets up a Web-based dashboard and management console. The console is very cleanly designed with a series of menus for intelligence summary, searches, configuration and reports.
There is a separate dashboard to manage its Cloudera-based cluster, which is used to scale up for larger network collections. The cluster is used for analysis: information from a local collection server is de-duplicated and compressed and sent to the cloud automatically.
Sentinel’s executive dashboard shows a summary of what has been detected and the severity of the infection or errors it has found. Threats are grouped by OS type and have other customizable filters, and you can drill down to examine what set off its detector.
It has the ability to automatically correlate threats by such factors as business unit or patch level, so you can manage a collection of endpoints with similar circumstances. Like other products, you can view the entire malware execution chain, showing various processes and steps that an infection took to compromise your endpoint. It can also look at DNS queries and map them to particular running processes for easier identification.
Its search feature is powerful and can span many security events to get an entire picture of what happened. Searches can be saved in a “favorites” queue for quick reference. The search screen is probably where you will spend most of your time, as you uncover network events and try to remediate them. Remediation includes being able to quarantine various offending endpoints, terminate specific processes, deny network access to a particular endpoint, or set up whitelists to exclude any known and benign processes from further observation.
Almost everything about Sentinel is customizable. The bad news is that you will have to learn Cyber Observable eXpression (CybOX), an open XML schema for describing observables such as files, processes and Registry keys rather than a scripting language. It is used by a variety of vendors to automate the exchange of threat data and is managed by MITRE Corp., the not-for-profit US government contractor, so as you might imagine it has widespread support in that community.
For example, you can describe a series of security events in an email message that carries a file hash or a Windows Registry key that has been tampered with. These observables can then be shared across a variety of threat management systems. All of Sentinel’s detection profiles are written in this format, and several sample profiles are included by default. You can add your own unusual-behavior detections and your SIEM and feed integrations using these profiles.
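An added example of the observables described above (written for this page, not CounterTack's detection profiles, which the review does not reproduce): the Python below builds a CybOX 2.1 document holding a file hash and a tampered Registry Run value, then parses the indicators back out. The namespace URIs and element names follow the CybOX 2.1 schema as published by MITRE and are assumptions to check against the schema files; the file name, hash and Registry value are constructed.

```python
"""Build and read CybOX 2.1 observables for a file hash and a Registry key.

Added example, not CounterTack's detection profiles. Namespace URIs and
element names follow the CybOX 2.1 schema as published by MITRE; verify
them against the .xsd files before relying on them. Values are constructed.
"""
import xml.etree.ElementTree as ET

NS = {
    "cybox": "http://cybox.mitre.org/cybox-2",
    "cyboxCommon": "http://cybox.mitre.org/common-2",
    "cyboxVocabs": "http://cybox.mitre.org/default_vocabularies-2",
    "FileObj": "http://cybox.mitre.org/objects#FileObject-2",
    "WinRegistryKeyObj": "http://cybox.mitre.org/objects#WinRegistryKeyObject-2",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)


def q(prefix, local):
    """Clark-notation name for a namespaced element or attribute."""
    return "{%s}%s" % (NS[prefix], local)


def _new_observable(parent, obs_id, xsi_type):
    """Observable -> Object -> Properties skeleton shared by all object types."""
    obs = ET.SubElement(parent, q("cybox", "Observable"), {"id": obs_id})
    obj = ET.SubElement(obs, q("cybox", "Object"), {"id": obs_id + "-obj"})
    return ET.SubElement(obj, q("cybox", "Properties"), {q("xsi", "type"): xsi_type})


def add_file_hash(parent, obs_id, file_name, sha256):
    """FileObject carrying a single SHA256 hash."""
    props = _new_observable(parent, obs_id, "FileObj:FileObjectType")
    ET.SubElement(props, q("FileObj", "File_Name")).text = file_name
    h = ET.SubElement(ET.SubElement(props, q("FileObj", "Hashes")), q("cyboxCommon", "Hash"))
    ET.SubElement(h, q("cyboxCommon", "Type"),
                  {q("xsi", "type"): "cyboxVocabs:HashNameVocab-1.0"}).text = "SHA256"
    ET.SubElement(h, q("cyboxCommon", "Simple_Hash_Value")).text = sha256


def add_registry_value(parent, obs_id, hive, key, name, data):
    """WindowsRegistryKeyObject describing one value under a key."""
    props = _new_observable(parent, obs_id, "WinRegistryKeyObj:WindowsRegistryKeyObjectType")
    ET.SubElement(props, q("WinRegistryKeyObj", "Key")).text = key
    ET.SubElement(props, q("WinRegistryKeyObj", "Hive")).text = hive
    v = ET.SubElement(ET.SubElement(props, q("WinRegistryKeyObj", "Values")),
                      q("WinRegistryKeyObj", "Value"))
    ET.SubElement(v, q("WinRegistryKeyObj", "Name")).text = name
    ET.SubElement(v, q("WinRegistryKeyObj", "Data")).text = data


def build_sample_document():
    """Constructed sample: a dropper's hash plus the Run value it wrote."""
    root = ET.Element(q("cybox", "Observables"), {
        "cybox_major_version": "2", "cybox_minor_version": "1",
        # cyboxVocabs only appears inside an xsi:type value, so ElementTree
        # would not declare it on its own; declare it by hand.
        "xmlns:cyboxVocabs": NS["cyboxVocabs"],
    })
    add_file_hash(root, "example:Observable-1", "dropper.exe",
                  "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855")
    add_registry_value(root, "example:Observable-2", "HKEY_LOCAL_MACHINE",
                       r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
                       "Updater", r"C:\Users\Public\dropper.exe")
    return ET.tostring(root, encoding="unicode")


def extract_indicators(xml_text):
    """Collect (hash_type, value) and (hive, key, name, data) tuples from a document."""
    root = ET.fromstring(xml_text)
    found = {"hashes": [], "registry": []}
    for h in root.iter(q("cyboxCommon", "Hash")):
        t, v = h.find(q("cyboxCommon", "Type")), h.find(q("cyboxCommon", "Simple_Hash_Value"))
        if t is not None and v is not None:
            found["hashes"].append((t.text, v.text.lower()))
    for props in root.iter(q("cybox", "Properties")):
        key = props.find(q("WinRegistryKeyObj", "Key"))
        if key is None:
            continue
        hive = props.findtext(q("WinRegistryKeyObj", "Hive"))
        for val in props.iter(q("WinRegistryKeyObj", "Value")):
            found["registry"].append((hive, key.text,
                                      val.findtext(q("WinRegistryKeyObj", "Name")),
                                      val.findtext(q("WinRegistryKeyObj", "Data"))))
    return found


if __name__ == "__main__":
    doc = build_sample_document()
    print(doc)
    print(extract_indicators(doc))
```

The parser works on Clark-notation names, so it reads documents regardless of which prefixes the producer chose; the producer side is the part to validate against the official schemas before feeding it to a product that expects strict CybOX.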
There are two different sensors: the basic one is less than 2MB; a more advanced one is smaller, more comprehensive and stealthier. Neither shows up in the installed Programs list in the Windows Control Panel, and neither has any user-accessible controls or desktop icons.
The basic one supports a wider range of operating systems because it uses the Windows API rather than Sentinel’s own API set. Both communicate with the collection server over TLS on port 443 by default. The server can be installed on a physical machine or deployed from an OVA file on a VMware ESX hypervisor.
Sentinel has a number of integrations available. It has an option to automatically query VirusTotal with hashes collected from your endpoints and report the number of antivirus engines that consider the associated file malicious. You can also export its data to various SIEM tools for further analysis, and its analytics can integrate with Blue Coat’s security analysis tools. Finally, you can export various on-screen reports to CSV files.
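An added example of the VirusTotal hash check described above (written for this page, not CounterTack's integration code): it hashes collected files, builds the lookup request, and converts report objects into verdicts with a detection-count threshold. It targets the VirusTotal v2 file/report API that was current when this review was written; the endpoint URL, the `apikey` and `resource` parameters and the `response_code`, `positives` and `total` fields are as I recall the v2 documentation and should be checked against VirusTotal's current docs. The file contents and the response are constructed, and the live lookup function is included but never called, so the block runs offline.

```python
"""Hash files and turn VirusTotal file-report responses into verdicts.

Added example, not CounterTack's integration code. It targets the
VirusTotal v2 file/report API current in 2016; the endpoint URL, the
apikey/resource parameters and the response_code/positives/total fields
are as I recall the v2 documentation, so check them against the current
docs. The file contents and the response below are constructed.
"""
import hashlib
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

VT_FILE_REPORT = "https://www.virustotal.com/vtapi/v2/file/report"

# Constructed "files" collected from an endpoint; not real binaries.
SAMPLE_FILES = {
    "C:/Users/Public/dropper.exe": b"MZ\x90\x00 constructed dropper body",
    "C:/Users/alice/notes.txt": b"meeting at 10\n",
}


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hashes_for(files):
    """Path -> SHA-256 for every collected file."""
    return {path: sha256_of(data) for path, data in files.items()}


def build_report_request(api_key, hashes):
    """URL for one v2 file/report call; v2 accepted several resources joined by commas."""
    return VT_FILE_REPORT + "?" + urlencode({"apikey": api_key, "resource": ",".join(hashes)})


def query_virustotal(api_key, hashes):
    """Live lookup (needs network and an API key). Not called by this example."""
    with urlopen(Request(build_report_request(api_key, hashes))) as resp:
        return json.load(resp)


def summarize_reports(reports, threshold=5):
    """Return (sha256, positives, total, verdict) per report.

    A single engine flagging a file is frequently a false positive, so
    'malicious' requires at least `threshold` engines; anything between 1
    and threshold-1 is 'suspicious', worth an analyst's look rather than an
    automatic block.
    """
    if isinstance(reports, dict):        # v2 returns a dict for one resource, a list for several
        reports = [reports]
    rows = []
    for r in reports:
        if r.get("response_code") != 1:  # only 1 means a finished report exists
            rows.append((r.get("resource"), None, None, "unknown"))
            continue
        positives, total = int(r["positives"]), int(r["total"])
        if positives == 0:
            verdict = "clean"
        elif positives >= threshold:
            verdict = "malicious"
        else:
            verdict = "suspicious"
        rows.append((r["sha256"], positives, total, verdict))
    return rows


DROPPER_SHA256 = sha256_of(SAMPLE_FILES["C:/Users/Public/dropper.exe"])
NOTES_SHA256 = sha256_of(SAMPLE_FILES["C:/Users/alice/notes.txt"])

# Constructed v2-style response for the two hashes above.
SAMPLE_RESPONSE = [
    {"response_code": 1, "resource": DROPPER_SHA256, "sha256": DROPPER_SHA256,
     "positives": 43, "total": 57, "scan_date": "2016-03-01 12:00:00"},
    {"response_code": 0, "resource": NOTES_SHA256,
     "verbose_msg": "The requested resource is not among the finished, queued or pending scans"},
]

if __name__ == "__main__":
    print(build_report_request("<api-key>", list(hashes_for(SAMPLE_FILES).values())))
    for row in summarize_reports(SAMPLE_RESPONSE):
        print(row)
```

Two practical points the verdict logic encodes: an "unknown" hash is not evidence of cleanliness (a freshly compiled dropper will never have been seen), and the threshold belongs in configuration, since the number of engines that react to a given family varies widely from one scan date to the next.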
Pricing for Sentinel is relatively simple: there is a starter pack for up to 250 endpoints. Beyond that, pricing is $50 per year for a regular endpoint and $100 to $125 per year for a server. There are quantity discounts and special terms for managed service providers who want to deploy the product.
CrowdStrike’s Falcon Host combines several functions into a very attractive package, both from the perspective of the user and IT administrator. It is one of the easiest products to install: you start off with a web-based console to operate a cloud instance of its server. From there you download agents or sensors for a variety of Windows, Mac and Linux endpoints. The Windows sensors come in 32- and 64-bit MSI files: once these are installed they automatically connect with the server instance. There is no interface on the desktop, and nothing shows up other than an entry in the installed programs screen in Control Panel. You don’t even have to reboot your computer to start using the software’s protective features.
Falcon’s core technology is behavior-based. Instead of scanning your endpoint for an infection, it first classifies whether it has seen a given behavior before and what that behavior is doing to your machine. CrowdStrike updates its rules in real time from the cloud. When a matching behavior is found, it is immediately blocked. Unlike some of the other products, you don’t adjust the threat thresholds that trigger blocking: CrowdStrike does this in its cloud-based management tool.
The company claims some large installations of 80,000 endpoints that were installed in less than a few hours. This seems accurate, and we were up and running within minutes with our first couple of endpoints.
The main console has a very clean design: main menu strip is on the left side and sub-menus are spread across the top of the screen. The main menus are broken into three dashboards, a news feed about product updates and release notes, a consolidated security events feed called actors, a summary of what has been detected across your endpoint collection, a screening tool that can be used to evaluate any hash or file using drag and drop, an investigation console and a series of configuration settings. This seems very logical and keeps switching back and forth among screens to a minimum.
The settings screens are shown in the Response sub-menu and have a series of on/off switches to enable various features, such as blocking particular exploit categories, sensing Cryptowall or other ransomware or Windows login bypasses. They have beefed up the ransomware detection in subsequent updates too and have a demo video of this up on YouTube. There is an accompanying FAQ that explains what each switch accomplishes.
The three dashboards include an executive summary of what is going on, a summary of what has been detected across your network, and what has been resolved either by the product or by manual intervention. All have a nice series of graphs and charts that are actionable: if you find a particular threat, you can click on it and drill down to get more information about what Falcon found and what it did with it. In many cases, if it finds something objectionable, it will take care of it quickly and automatically.
The detection screen is where you will spend most of your time. It’s where you can see who has been infected, decide what to do to remove any infection or analyze the exploit with additional tools. There is a more detailed event search screen to track down similar events. A connection to Splunk’s process chain diagram is built-in, which shows you how the exploit moved through your endpoint. There are also search screens where you can cut and paste a hash value of your exploit and drill down further.
While we were conducting our review, CrowdStrike added a new feature called network containment to Falcon. This is similar to its competitors, where you can essentially turn off a PC’s network connectivity, allowing communications with the Falcon host to block any suspected activity and perform any necessary remediation. It can whitelist particular IP addresses and work with several incident response systems.
The investigate screen has search fields for user and computer names and a time range. When you locate your particular endpoint you can view an entire history of what has happened with that particular endpoint, where it has connected across the Internet, what zip and other compressed files have been downloaded, if any removable media has been attached and other information. Entries are all hot-linked so you can drill down further and see what has caused the behavior to be flagged by Falcon.
One small limitation is that users can only be added from the same network domain.
Falcon has a lot of depth and that is both a good and bad thing. If you have an active network with a lot of potential infections, you might be overwhelmed with its various responses and summary screens. But it also takes care of the most common infections automatically, without any operator intervention. CrowdStrike also provides a free host data collection tool called Crowd Response. This can gather system information, describe running processes and work with YARA rules for incident responders and can output reports to HTML for further analysis.
CrowdStrike has a separate connector that is installed on-premises and hands over information about exploits to various SIEM tools. It currently works with IBM QRadar, HP ArcSight, RSA Security Analytics, McAfee (formerly NitroSecurity), Trustwave and LogRhythm products. CrowdStrike also works with various other security partners, including ThreatConnect, Tripwire, Zscaler, ThreatQuotient, ThreatStream, Infoblox, RiskVision, Check Point and Centripetal Networks. These integrations are built on a well-documented API.
Falcon will cost $30 per endpoint per year, with quantity discounts available.
Cybereason comes either as a SaaS-based service or as a series of Linux servers packaged as a VMware ESX-based OVA file. It has agents that support Windows, Linux and Mac endpoints that are downloaded directly from the Web-based management console. It is designed for real-time malware hunting and has a nice series of visualizations to understand what is invading your network.
The console has a small pop-out menu on the left side that will direct you to a dashboard of discovered attacks, a “malops inbox” which is used by analysts to fix the problems, an investigation tab where you can examine in more detail what is going on with your endpoint, and a system tab where you can look for particular endpoints, see summary statistics, assign users and download agents and more than a dozen server logs. Compared to other products, this console is pretty lean and clean.
The top-level “discovery board,” which is what the company calls its dashboard, will show you a summary of infected endpoints, when the activities first hit your network, and classifies them by specific activity: pure infections, privilege escalation, file scanning, lateral movement, connections to command and control servers, and any data theft. While these classifications are nice to see, you need to click on the specific infections to go to a more detailed analysis screen.
Here you can drill down into most entries to explore what is going on: for example, view all the network interfaces of an infected PC, examine running processes, and see why the endpoint was tagged as infected. There is a nice graphical representation of the infection chain, similar to other products that show the progress of the malware.
There are four sections of this display: an overview, a deeper dive into the infected processes, and details about the users and the machines linked to a particular exploit. For each endpoint you can observe disk, CPU and memory usage as small graphs to help flag odd behavior. Rather than having its own reporting module, Cybereason lets you export some of this information as CSV files, which you will need to process further to understand what happened.
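The execution-chain views described here, and earlier in the CounterTack and CrowdStrike reviews (including CounterTack's mapping of DNS queries to the process that issued them), all reduce to a parent-child walk over process-creation telemetry. The following Python is an added example written for this page, not any vendor's code. The events are constructed in the style of Sysmon or EDR process-creation records (pid, ppid, image, command line) and DNS-query records; the "Office application spawning a shell" rule is one illustrative heuristic, not a product's actual detection logic.

```python
"""Rebuild a malware execution chain from process-creation telemetry and map
DNS queries back to the chain that issued them.

Added example, not any vendor's code. Events are constructed in the style of
Sysmon / EDR process-creation and DNS-query records; the Office-spawns-shell
rule is one illustrative heuristic.
"""
from collections import defaultdict

PROCESS_EVENTS = [  # constructed
    {"ts": 1, "pid": 2488, "ppid": 0, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"ts": 2, "pid": 3120, "ppid": 2488,
     "image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "cmdline": 'WINWORD.EXE "C:\\Users\\alice\\Downloads\\invoice.docm"'},
    {"ts": 3, "pid": 3344, "ppid": 3120, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c powershell -w hidden -File C:\\Users\\Public\\stage.ps1"},
    {"ts": 4, "pid": 3388, "ppid": 3344,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -File C:\\Users\\Public\\stage.ps1"},
    {"ts": 5, "pid": 3500, "ppid": 2488,
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "cmdline": "firefox.exe"},
]
DNS_EVENTS = [  # constructed
    {"ts": 6, "pid": 3388, "query": "update-cdn.example.net"},
    {"ts": 7, "pid": 3500, "query": "www.example.org"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}


def basename(image_path):
    """Lower-cased file name of an image path, tolerating either slash style."""
    return image_path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def build_tree(events):
    """Index events by pid and record each parent's children."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e["pid"])
    return by_pid, children


def ancestry(by_pid, pid):
    """Events from the root ancestor down to pid; stops at unknown or cyclic parents."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


def descendants(children, pid):
    """Every pid spawned, directly or indirectly, by pid."""
    out, stack = [], list(children.get(pid, []))
    while stack:
        p = stack.pop()
        out.append(p)
        stack.extend(children.get(p, []))
    return sorted(out)


def flag_office_to_shell(by_pid):
    """pids of shell/script hosts with an Office application anywhere up their chain."""
    flagged = []
    for pid, e in by_pid.items():
        if basename(e["image"]) in SHELLS:
            parents = ancestry(by_pid, pid)[:-1]
            if any(basename(p["image"]) in OFFICE_APPS for p in parents):
                flagged.append(pid)
    return sorted(flagged)


def dns_by_process(by_pid, dns_events):
    """Map each queried name to the process chain(s) that asked for it, root first."""
    result = defaultdict(list)
    for d in dns_events:
        chain = " -> ".join(basename(e["image"]) for e in ancestry(by_pid, d["pid"]))
        result[d["query"]].append(chain or "pid %d (no process record)" % d["pid"])
    return dict(result)


def render_chain(by_pid, pid):
    """Indented text view of the chain, like the process-tree panels in these consoles."""
    return "\n".join("  " * depth + "%d %s  %s" % (e["pid"], basename(e["image"]), e["cmdline"])
                     for depth, e in enumerate(ancestry(by_pid, pid)))


if __name__ == "__main__":
    by_pid, children = build_tree(PROCESS_EVENTS)
    for pid in flag_office_to_shell(by_pid):
        print("FLAGGED pid %d\n%s\n" % (pid, render_chain(by_pid, pid)))
    print(dns_by_process(by_pid, DNS_EVENTS))
```

Two details matter in practice: the walk stops at a parent that was never recorded (the sensor started late, or the parent exited before telemetry began), and pids are reused, so a real implementation keys on a (pid, creation time) pair or the sensor's own process GUID rather than the bare pid used here.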
Once you find some exploit, you just have to click on a small “remediate” button on the lower right corner of the screen: this is done for each infection. It is easy to first miss this button. You can select all the running processes that are misbehaving, or just select one in particular.
To help with evaluations, Cybereason has developed a sandbox that contains some pre-set malware along with instructions on how to use its product to identify these infections. That can be very helpful in getting started, as the management console is so sparse and without any help or other documentation.
Like other products, it lets you disconnect an endpoint via a newly added feature called Attack Blocker. And you can add your own threat intelligence feeds, delivered over TAXII, to help with identifying infections. One drawback: once a PC is disconnected from the network or its probe is disabled, you can’t manage it either.
Some other issues: Cybereason requires a large monitor (1920x1200 is best) to view its console; it would be nicer if the software had a responsive design that fit smaller screens. And the listing on the System/Probes screen that shows healthy PCs doesn’t really mean they are infection-free, only that their agents are up and running and can communicate with the management server. That is somewhat confusing. These drawbacks show that Cybereason is still adding features and abilities that most of the competition already has. While its console is nicely designed, it still needs some work.
Cybereason’s agents are visible in the Windows Control Panel Programs listing, but that is all that an end user can see. Agents can be remotely updated from the management console, and an administrator can disable data collection or restart the agent too. Users can be added in one of several roles such as analyst, sysadmin, or executive: that level of granularity is superior to most of the other products we’ve tested.
Pricing starts at $75 per endpoint per year, with substantial quantity discounts available. This puts it at the top of the price range of the products we reviewed.
ForeScout’s CounterAct grew out of its early experience in the Network Access Control (NAC) market and still strongly reflects that history, although you can use the product without ever turning on any of its NAC features and just focus on the endpoint controls. Unlike most of the products in this review, you can operate CounterAct without installing agents, although agents are available for Windows, Mac and Linux endpoints. Because it doesn’t rely exclusively on agents, it is good for monitoring headless IoT and other embedded devices. It is now used in several very large installations, including one managing more than a million endpoints.
CounterAct comes in two pieces. First is either a dedicated rack-mounted appliance or as a physical server or VM that can run on ESX or Hyper-V. This is running its own version of Linux. If you have a single server, you will need to run a separate management console that can be installed on any computer running Windows or Linux. If you have multiple servers, you will need the Enterprise Manager, which also comes as a dedicated physical appliance or a VM and which we didn’t test. A single Enterprise Manager can support up to 200 servers. Getting all to work together is somewhat involved.
The management console is where you apply updates – and there are more than a dozen software modules that needed updating on our box. This took several hours to download and install. Once this is done, you create specific protection features and other administrative tasks. Then you need to start setting up your protection policies, which are written in XML and can be downloaded from the ForeScout support site to get started before you customize them for your own purposes. These policies are the heart of the product, and where the meat of its activities takes place. Policies can be mapped to particular network segments, or types of endpoints (such as embedded devices or guest smartphones).
CounterAct works best when authenticating users through Active Directory or another LDAP service. Being a NAC product, it also wants to connect to a network SPAN port and manage your switches so it can keep track of what is running on which switch port for further network protection. But even if you don’t set these features up, there is still a lot that you can control and manage on your network.
If you already have a solid idea of what your network compliance rules are or have a high confidence that you have a properly documented network, this is a great product that can encode these rules directly into its protective features. If your network has grown or changed since you last attempted a compliance audit, then this product will force you into cleaning up your act and that could be very painful.
Once you have your policies, you can start examining your network. If your PCs aren’t compliant, you can remediate each PC, run a script to force an update to install a piece of software, send a notification email, and dozens of other actions. All of this is available via a series of choices with a right mouse click.
This product is a user interface nightmare, mainly because of the numerous controls and methods that you need to access its various pieces. There are actually two separate menu displays. First are icons across the top labeled NAC, Inventory, Threats, Policy, and the main dashboard display. Second are the series of text-based menus (such as File, Reports and Tools), some of which duplicate the icon-based menus. Then there is the appliance, which has a Web-based interface: this is where you access some of the various reports – others are in the previous menu.
Agents (which ForeScout calls its secure connectors) can be installed from the web interface of the appliance as permanent applications or as dissolvable, meaning they don’t survive a reboot. What makes this product impressive is the level of control that you have even if you use agentless operations. As evidence of this, the documentation runs to more than 750 pages.
ForeScout has designed this product more for enforcing network policies and orchestrating with other network security tools. There are more than a dozen integrations with Palo Alto Networks, Bromium, FireEye and numerous others, along with a long list of anti-virus vendors and network switch makers, all documented on ForeScout’s site. Sadly, each of these integrations is configured in a different part of the product, which adds to its configuration complexity, and some of them carry additional fees.
ForeScout CounterACT appliances are available in a range of sizes starting from $4,995 to $182,000.
Guidance Software’s Encase has been around in the forensics business for more than a decade, and has a product that is both mature (for functionality) and still needs work (for its usability). It is a crazy quilt collection of both Web-based and Windows dashboards and controls, software routines and seemingly endless menus-within-menus.
With millions of instrumented endpoints, including some very large installations, it is a worthy contender. However, installing this product on a Windows Server is more a professional services situation: you have a series of different servers, including a license for Tableau for its analytics, and bits and pieces of Microsoft infrastructure including IIS and SQL Server and .Net framework. It will take days if not longer to get your arms around the product, and get everything tuned up and functioning. Overall, the goal of Encase is to provide context to your security events and understand what is going on with your endpoints.
On the upside, Encase has a full complement of endpoint agents for Windows, Mac, and Linux machines. These endpoints are mostly passive elements and only called up to provide details very infrequently. If you are looking for a real-time security monitor, this isn’t the tool for you. Encase assumes that an infection spreads gradually and can be contained with careful analysis, rather than set off a fire drill and near-immediate response. It isn’t designed to be watching every millisecond over your endpoints, or even daily. What it does well is be able to reach deep inside your collection of endpoints to understand what has been changed as a result of a bad actor or a piece of malware.
The Guidance folks have put together assessment tools that mimic the underlying OS so closely that you can see exactly what kind of “residue” is left behind by a piece of malware: what Windows Registry items have changed, what is now in your browser or file cache, what has been added to the file system, and so forth. As one support engineer told me, “We don’t trust the underlying OS to tell us anything that we can’t verify on our own.” Unlike some other tools that try to run malware in a sandbox, they run malware in their own OS simulators, with the hope that they can catch what is going on by using their various instruments and analyses.
In addition to the endpoint behavior collection, Encase also culls security alerts and log files from a large group of appliances and applications, including FireEye, SourceFire, Radar, ArcSight, BlueCoat, Palo Alto Networks, Splunk and McAfee – just to name a few. But what is missing from this is a way to interact with a series of threat feeds that other products offer. That isn’t their strength either.
The Encase product is actually an amalgam of three previous products that do very different things and have been bolted together:
- Alert triage, where you can discover and prioritize handling of security events and make sure you are tackling the biggest issues first.
- Incident response, where you can bring the full collection of tools to prevent an infection from spreading or continuing to confound your network.
- Threat detection and remediation, where you can visualize what is happening to your network. This is still a work in progress.
These three products have a series of menus and tasks that bring up separate tabbed dialogs in the Encase Windows client. In addition to this are a series of Web-based reports. That is a lot of information to absorb, which is one reason why you will be spending a lot of time in training initially to understand the scope of the product.
We mentioned the analytics portion of the product. The ideal use case is to run these weekly on a large network and start working through the changes that are flagged. The Tableau business intelligence analysis schema means customers can integrate their own tools around it and write their own analysis routines to complement what Guidance has already done.
One irony of Guidance Encase is that, because few of its competitors offer the trifecta of Mac/Windows/Linux coverage, you notice that it doesn’t have agents for non-desktop operating systems such as iOS, Android and embedded devices. Those are in the works but not yet available.
To begin your investigation, you first take a snapshot of your network and start making simple queries of your domain. This polls the endpoint agents and delivers about 10 KB of information per agent. You can then look at the processes running on each endpoint and gather hashes for anomalies.
This is a tool that can be used both by an incident responder and to monitor security operations. It supports both feeds from VirusTotal and the open-source YARA rules for matching malware patterns, one example of the discovery tools available, and YARA rules can also be imported en masse. This is where the UI issues we mentioned earlier are a real hindrance. If you are going to get good at using Encase, you are going to have to spend a lot of time inside its various interfaces and understand its peculiar workflows.
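The snapshot-then-hash workflow described above is easy to model. The following is an added example written for this review, not Encase code or Guidance’s format: it takes a constructed snapshot of running processes per endpoint, hashes each process image, checks the hashes against a constructed indicator set (standing in for a VirusTotal or similar feed lookup), and separately flags images that run on only one or two hosts, which is the "gather hashes for anomalies" step when no feed knows the file yet. Endpoint names, image bytes and the indicator hash are all made up.

```python
import hashlib
from collections import defaultdict

# Constructed sample snapshot (not real endpoint data): for each endpoint, the
# running processes and the bytes of the executable image backing each one.
# Four hosts share the same explorer/svchost builds; ws-04 also runs an extra binary.
SNAPSHOT = {
    "ws-01": {"explorer.exe": b"MZ explorer build 7601", "svchost.exe": b"MZ svchost build 7601"},
    "ws-02": {"explorer.exe": b"MZ explorer build 7601", "svchost.exe": b"MZ svchost build 7601"},
    "ws-03": {"explorer.exe": b"MZ explorer build 7601", "svchost.exe": b"MZ svchost build 7601"},
    "ws-04": {"explorer.exe": b"MZ explorer build 7601", "svchost.exe": b"MZ svchost build 7601",
              "update.exe": b"MZ unsigned updater"},
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_snapshot(snapshot):
    """Return {endpoint: {process_name: sha256}}. A real agent hashes the image on disk."""
    return {ep: {name: sha256(image) for name, image in procs.items()}
            for ep, procs in snapshot.items()}


def match_known_bad(hashed, ioc_hashes):
    """Processes whose image hash appears in a threat feed (the VirusTotal lookup step)."""
    return [(ep, name, h) for ep, procs in hashed.items()
            for name, h in procs.items() if h in ioc_hashes]


def rare_hashes(hashed, max_hosts=1):
    """Image hashes present on at most max_hosts endpoints: anomalies worth triage
    even when no feed knows them. Returns (first process name, hash, hosts)."""
    hosts = defaultdict(set)
    first_seen = {}
    for ep, procs in hashed.items():
        for name, h in procs.items():
            hosts[h].add(ep)
            first_seen.setdefault(h, name)
    return sorted((first_seen[h], h, sorted(eps)) for h, eps in hosts.items()
                  if len(eps) <= max_hosts)


if __name__ == "__main__":
    hashed = hash_snapshot(SNAPSHOT)
    # Constructed indicator: pretend a feed already flags the stray updater.
    iocs = {sha256(b"MZ unsigned updater")}
    print("known bad:", match_known_bad(hashed, iocs))
    print("rare:", rare_hashes(hashed))
```

Prevalence is the useful half here: a feed match is a confirmed hit, but an image that exists on one machine out of a hundred is what an investigator pulls up next, which is why the function reports the hosts it was seen on rather than only the hash.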
Once you figure out what is wrong with your endpoint, there are numerous remediation options available, including being able to back out of a particular endstate, wipe various Registry keys or kill particular processes. Encase also has tons of pre-set incident response reports that are very detailed, yet hard to parse.
We tested Encase on a sample network of about 100 machines that Guidance had mostly set up for us in advance. We examined its analysis and reports, which covered a variety of typical infections and exploits.
The product has a very complex pricing scheme, but it starts at $44,000, including some professional services installation and consulting. There is also a wide array of training resources, both classroom and online, available from Guidance. Most of these will cost several thousand dollars per student.
Outlier Security has an interesting twist on EDR: they combine the best of both the SaaS and on-premises worlds. The company has some very large installations, including a customer with more than 50,000 protected nodes. It can be brought up and running within a few minutes.
You first connect to its SaaS portal with your Web browser: before doing so you will need to install both Microsoft Silverlight and .Net framework. Then you download its “Data Vault.” This resides on a local Windows computer that is used to launch scans across your network using Windows networking services. The vault is provisioned by the SaaS portal and can be on any Windows machine running .Net. The vendor recommends each vault contain information on no more than 10,000 endpoints for performance reasons.
Once you have a Data Vault installed, you next set up different “channels” that are used to delineate your various endpoint scans. These channels define your network IP address range, what you wish to scan for and automated schedules. You can set up different channels for particular classes of devices, such as all PCs in a specific department, endpoints that handle sensitive data, and so forth. The scans take some time to complete, particularly on larger and more complex networks.
There are eight targets that are part of a scan, including processes, registry elements, network elements, users, and other items. Once these are specified, the software will begin looking for malware. It scores each item according to built-in weighting algorithms and presents them in a series of on-screen reports. You will want to spend some time understanding its filtering abilities, because it presents a lot of information to sift through.
Outlier starts out with a dashboard that is more a launch pad for particular actions, such as showing alerts, a summary of endpoint conditions, what malware has been discovered, and actions involving lateral movement or data loss. Once you get into one of these activities there are two sets of menu controls: First is a high-level series across the top of the screen that divides the actions among the main dashboard, results, investigations and administrative tasks. Then there is an interesting circular menu for other more specific actions: to run reports, to remediate the endpoint, and to filter information. When you run the remediation task, it asks you which files and Registry entries you wish to remove from your endpoint. These all will require endpoints to be rebooted, a somewhat cumbersome process but understandable given that there isn’t any agent software.
Outlier is impressive, given that it is agentless, but only available for Windows computers. Because you perform its scans on a regular basis, it is best used for longer-term detection rather than real-time analysis. They have recently beefed up their series of APIs and Python SDK that allow you to scan an endpoint on demand through either Splunk or AlienVault.
Pricing is $40 per endpoint per year, with quantity discounts available.
Promisec has a slightly different approach: The product consists of its endpoint manager (PEM) server running a series of modules, along with the Sentries. This means there is no agent or sensor software installed directly on endpoints. Instead, it uses Windows-based (Server 2008 or above) Sentries on each network segment that you wish to monitor.
This means it can be more comprehensive in its analysis, since you don’t have to wait for the vendor to support a particular OS version or embedded device. The endpoints can be running any version of Windows, Linux or Mac OS. They are monitored over SSH (port 22) and with NMAP.
When you first bring up PEM, there are up to five modules: compliance, management, automation, power manager and inventory. Each has its own Windows-based console (there are no Web versions, unfortunately). The inventory console will show you the current status of your endpoint collection, what kind of hardware and software applications the detection server found, and a nice listing of what is new since you last took stock. You can search by computer name, IP address, OS, and a dozen other parameters, and save these queries for easy access later.
The compliance console will show software that isn’t up to spec, and particular processes that look suspicious. You can right-click on a particular entry and run additional forensics on it, whitelist the entry to avoid it showing up again, take over control of a particular endpoint and install software on it, send a message to that machine, perform an NMAP port scan, or view what else is running on that particular machine.
Further automated remediation actions can be launched from that console, such as installing software, running scripts, or updating anti-virus protection. Finally, the power management console can set up a coherent power savings policy across all your endpoints and calculate the overall energy savings. Given that there isn’t any agent installed on the endpoint, that is a pretty impressive list of actions.
Each console has its own series of pre-set reports: the compliance manager for example, comes with more than 60 pre-set reports, such as endpoints missing patches and not running host-based firewalls, among numerous other things. There is also a link to download a PDF of the entire user guide.
Clicking on the top-level management tab will bring up the active duty roster. This will show you general status of PEM, and where you can set up audit trails, schedule overall network inspections, show which sentries are operating and how you can deploy new sentries on additional network segments. You can set up a series of duty rosters that cover different portions of your network if you have different staff people assigned that way.
PEM has three roles: administrators, who have full access to set up policies and make changes; users, who can view system status, policies and reports; and viewers, who can only see the reports.
At the heart of PEM is its security policies, which cover a lot of ground. They include both applications that should and shouldn’t be present on endpoints, and what should happen if PEM finds anything amiss. These unauthorized items include peer-to-peer software, remote control applications, hacking tools, particular files or network management tools. Each of these items has extensive lists of programs that you can toggle on or off the list of prohibited apps. There is a lot of power in this part of the product, and while it could get tedious, it shows the depth of PEM.
For example, you can specify which Service Pack level is considered acceptable for each version of Windows to pass your compliance policy. There are numerous other options here, including the ability for PEM to detect if an anti-virus program is installed but stopped from running: PEM can attempt to restart the service and set it up to automatically be started in future reboots.
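The policy logic in the two paragraphs above (acceptable Service Pack level per Windows version, prohibited application categories, and an anti-virus service that is installed but not running and should be restarted and set to auto-start) can be expressed as a small evaluator. The following is an added example for this review, not Promisec’s code, policy format or PEM’s remediation engine: the policy structure, the endpoint record, the service name "avservice" and the application names are all constructed. It returns the findings and the remediation actions a tool like PEM would then carry out against the endpoint.

```python
from dataclasses import dataclass

# Constructed compliance policy (not PEM's format). Service pack numbers are
# minimums per Windows version; prohibited apps are grouped by category as in
# the review; required services say what to do when one is found stopped.
POLICY = {
    "min_service_pack": {"Windows XP": 3, "Windows 7": 1, "Windows 8.1": 0},
    "prohibited": {
        "peer-to-peer": {"utorrent.exe", "bittorrent.exe"},
        "remote-control": {"teamviewer.exe", "vnc.exe"},
    },
    "required_services": {"avservice": {"restart": True, "set_auto_start": True}},
}


@dataclass
class Endpoint:
    """One scanned endpoint; the fields are what an agentless inventory scan would return."""
    name: str
    os: str
    service_pack: int
    processes: set          # running image names
    services: dict          # name -> {"installed": bool, "running": bool, "start": "auto"|"manual"|"disabled"}


def evaluate(ep, policy):
    """Return (findings, actions): human-readable policy violations and the
    remediation steps to queue for this endpoint."""
    findings, actions = [], []

    min_sp = policy["min_service_pack"].get(ep.os)
    if min_sp is None:
        findings.append(f"{ep.name}: {ep.os} is not covered by the compliance policy")
    elif ep.service_pack < min_sp:
        findings.append(f"{ep.name}: {ep.os} SP{ep.service_pack} is below required SP{min_sp}")

    for category, names in policy["prohibited"].items():
        for proc in sorted(ep.processes & names):
            findings.append(f"{ep.name}: prohibited {category} software running: {proc}")
            actions.append(("kill_process", proc))

    for svc, rules in policy["required_services"].items():
        state = ep.services.get(svc)
        if not state or not state["installed"]:
            findings.append(f"{ep.name}: required service {svc} is not installed")
            continue
        if not state["running"]:
            findings.append(f"{ep.name}: {svc} is installed but not running")
            if rules["restart"]:
                actions.append(("start_service", svc))
        if state["start"] != "auto" and rules["set_auto_start"]:
            actions.append(("set_start_type", svc, "auto"))

    return findings, actions


if __name__ == "__main__":
    # Constructed endpoint: unpatched Windows 7, a P2P client, and a stopped AV service.
    ep = Endpoint("ws-07", "Windows 7", 0, {"utorrent.exe", "explorer.exe"},
                  {"avservice": {"installed": True, "running": False, "start": "manual"}})
    for line in evaluate(ep, POLICY)[0]:
        print(line)
    print(evaluate(ep, POLICY)[1])
```

Keeping findings and actions separate matters in practice: the findings are what the compliance report shows, while the actions are what an operator approves before the tool touches the machine, and a stopped service that is also set to manual start produces two actions, since restarting it alone would not survive the next reboot.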
In addition to all of these features, there is also a lot of extensibility built into the product, where you can add your own actions to be carried out if something doesn’t fit into its existing categories, such as doing a DNS lookup on a network segment to see if some piece of malware has tampered with it. The only trouble is that this isn’t really proactive: generally you don’t know what you don’t know until you have been hacked in some odd way.
We tested PEM on a Windows 2012 Server. You have to open Port 445 for it to communicate with your endpoints.
SentinelOne’s Endpoint Protection Platform comes in either SaaS or on-premises versions; we tested the SaaS product. There is a web-based management console, like so many of the other products in this review. It also has a clean collection of tools with primary menus listed down the left side and sub-menus across the top.
The main menu categories include a summary dashboard that shows a live news feed from the company’s blog along with a world map showing where threats originate. There are other menus for network activity, a series of analysis routines, and black and whitelist of events. Like other products in this review, it offers near real-time event information.
The dashboard is very simple, but if you were running SentinelOne on a large network you could easily be overwhelmed with events. For example, a single, mostly clean endpoint could generate dozens of behaviors within a few days. Unlike its competitors’ dashboards, not many elements are actionable or clickable directly.
When SentinelOne finds a piece of malware, it will tell you where it was first seen on your network, and the reputation of the attack vector from dozens of security services. If you want to add feeds, you will have to hire the company to add them as customization, although the company plans on exposing its API to this feature in the second half of the year.
In addition, it connects to ReversingLabs and other feeds where you can view the hash and other metadata of the exploit. And like other products in this review, it offers a graphical “story line” of the attack where you can see which infected processes it used to find its way into your endpoints. Threat information can be downloaded in one of several common formats, including CEF, STIX, and OpenIOC. Additional reports can be downloaded as either JSON or CSV files on the Analyze menu page.
At the top right part of each screen is a simple traffic light icon that changes color when the tool finds an active threat (red) or has mitigated it (yellow). Chances are if you are running an active network it might always be showing a yellow signal.
Its settings sheet has a simple collection of on/off switches to enable cloud-based machine intelligence and to turn on its “learning mode” to establish a series of baseline operations. There are other automated actions in the settings screen, such as sending alerts, killing a process, disconnecting a PC from the network, manually remediating a PC to delete files, rolling back to the versions of files that existed before malware such as ransomware executed, or quarantining something.
Its network containment feature has two toggle settings: one is auto-immune, where agents can share new intelligence to proactively block threats, and a second switch blocks all connectivity except from the server’s control panel. When you disconnect or contain a PC via these actions, you can still manage it from the console, which is similar to competitors’ products.
SentinelOne installed quickly but has some installation limitations. Its agent requires a dual-core CPU and at least 2GB of RAM to operate. For Windows endpoints a reboot is required and the software does show up as a running app in the Control Panel. It supports Windows 7 through 10, including the R2 Windows Server 2008 and 2012 versions.
If you are running the original Windows 7 OS, you need to install an additional patch first. It also supports Macs and CentOS and Red Hat Linux endpoints. Its Linux-based server is available in both SaaS and on-premises versions, along with several virtual machine packages for Microsoft Hyper-V, VMware and Citrix Xen. That is a nice comprehensive collection of endpoints and VM environments.
Another issue is that there are only two roles for its management users: a full system admin or a help desk role – the latter can’t modify configuration settings, perform system updates or add or remove users. The company will add the ability to customize roles later in the year. Also added to the product after our review is a planned update to include group policy elements. An agent can only belong to a single group but policies can be applied to multiple groups.
SentinelOne’s desktop agent has a system tray icon that, when maximized, will show you what threats it has detected and what processes it is monitoring. This is more verbose than most of the agents of its competitors.
Pricing starts at $45 per endpoint per year, and drops depending on the volume. This price includes all the functionality and various modules of the product.
Stormshield Endpoint Security (SES) is deeply involved in the Microsoft universe: you’ll need a Windows Server (2008 R2 or 2012 R2), IIS and SQL Server, .Net Framework, and several other bits of Microsoft software to get it to work. You will also need to open a series of ports in the 16000 range to communicate with the server. Documentation (including a 400-page administration guide) and software updates are available from a cloud-based portal.
A separate Windows program is used to produce agents for your endpoints. The agents are downloaded directly from the server via a simple Web link. There are three options: Professional, Secure, and Server-Side edition that offer a mixture of security policies, adding local disk and file encryption for the Secure edition and adding Windows Servers (2003-2012) protection for the latter edition. Once these are installed, you can see their status in the system tray and open up logs to determine if there are any issues or infections. You can set a specific parameter in the security policies to prevent agents from being terminated or uninstalled unless allowed by the site administrator, a nice feature.
Note that this Web link is the only thing you can access remotely from the server’s console; everything else happens inside the Windows-based management program. It would be nice if Stormshield opened its product up to a more comprehensive Web access.
When you first launch its management console, there are several window panes on the left, including an environment manager and various management and monitoring tools. The former includes agent and server configuration information, security certs, and setup for various encryption, anti-virus, file protection and other policies. These are the heart of what SES offers, and these protection policies can get very complex to set up properly.
There are three kinds of protection mechanisms: rule-based policies, automatic protection of various system and network activities, and behavioral profile-based policies that monitor running applications and block any odd behaviors. Any policy created by an administrator takes precedence over any automation routines. Think of this as an advanced firewall rule set where the rules are processed in the order that they are specified, only on a grander scale and you’ll get the picture.
Each policy category has dozens of parameters and several tabbed screens to fill out. For example, the antivirus policy has sections for what files to scan and how often, what email settings, and whether to enable real-time protection. There are also policies to handle network protection, such as limiting Wi-Fi connections to a particular authentication and encryption level, looking for firewalls and IDS, allowing or blocking particular removable media, and lots more detail.
From the above description, you can see that SES is somewhat of a mixture of a traditional malware endpoint protection tool and a network-based intrusion prevention tool. SES handles both with its protection policies to provide comprehensive mechanisms to keep attacks from invading your infrastructure, including some additional anti-ransomware features that were added after our review.
The behavioral profiles cover how SES watches over your network to see which apps open particular ports or load specific DLLs or read Registry keys. A good example of this is how you would set up SES to prevent ransomware from entering your endpoint by looking at what is running in each endpoint’s memory and what those programs are doing. The idea is to set up SES in a special “learning mode” where it memorizes what is actually going on across your network when it is operating properly. After it learns this information, SES will then report when something deviates from these routines. You can set up weighting factors to trigger alerts when something more significant happens. The administrator can set up the learning period start and stop dates in the management console.
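The learning-mode idea above (record which ports, DLLs and Registry keys each application touches while the network is healthy, then weight any later deviation and alert when the weighted score is high enough) generalizes beyond SES; SentinelOne’s learning mode and Outlier’s weighted scoring, described earlier in this review, follow the same shape. The following is an added example written for this review, not Stormshield’s code or its policy format: the event tuples, the application names, the weights per behavior kind and the alert threshold are all constructed. Learning events are recorded as a per-application baseline, and monitoring events that fall outside it accumulate a score per application.

```python
from collections import defaultdict

# Constructed weights: how much one unseen behavior of each kind adds to an
# application's score. A new listening/outbound port is treated as more
# significant than a new DLL, which in turn outweighs a new Registry key.
WEIGHTS = {"port": 3, "dll": 2, "registry": 1}
ALERT_THRESHOLD = 4

# Constructed learning-period events: (application, behavior kind, value).
LEARNING_EVENTS = [
    ("outlook.exe", "port", 443),
    ("outlook.exe", "dll", "mapi32.dll"),
    ("winword.exe", "dll", "mso.dll"),
    ("winword.exe", "registry", r"HKCU\Software\Microsoft\Office"),
]

# Constructed monitoring-period events: Word opens a new port and loads a new
# DLL; Outlook touches one new Registry key.
MONITORING_EVENTS = [
    ("outlook.exe", "port", 443),
    ("winword.exe", "dll", "mso.dll"),
    ("winword.exe", "port", 4444),
    ("winword.exe", "dll", "crypt32.dll"),
    ("outlook.exe", "registry", r"HKCU\Software\Microsoft\Office\Outlook\Profiles"),
]


def learn_baseline(events):
    """Learning mode: remember every value seen for each (application, kind)."""
    baseline = defaultdict(set)
    for app, kind, value in events:
        baseline[(app, kind)].add(value)
    return baseline


def score_deviations(baseline, events, weights=WEIGHTS):
    """Monitoring mode: every behavior absent from the baseline adds its kind's
    weight to the application's score. An application never seen during
    learning therefore scores on everything it does."""
    scores = defaultdict(int)
    deviations = []
    for app, kind, value in events:
        if value not in baseline.get((app, kind), set()):
            scores[app] += weights[kind]
            deviations.append((app, kind, value))
    return dict(scores), deviations


def alerts(scores, threshold=ALERT_THRESHOLD):
    """Applications whose weighted deviation score reached the alert threshold."""
    return sorted(app for app, score in scores.items() if score >= threshold)


if __name__ == "__main__":
    baseline = learn_baseline(LEARNING_EVENTS)
    scores, deviations = score_deviations(baseline, MONITORING_EVENTS)
    for dev in deviations:
        print("deviation:", dev)
    print("scores:", scores)
    print("alerts:", alerts(scores))
```

The weights are the part an administrator tunes: with the constructed values, Word’s new port plus new DLL reaches the threshold while Outlook’s single new Registry key does not, which is the “report the deviation, alert only on the significant one” behavior the paragraph describes. The length and timing of the learning period decide how many benign deviations show up afterwards, so a baseline captured during an unusual week will be noisy.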
There was some tricky synchronization with the agents when we first installed them, but that wasn’t an issue as we used the product subsequently. As you choose your particular policy, the details and options are shown in the right-hand window on the management console. There are also status and error messages that scroll across a separate window at the bottom of the console screen.
SES comes with numerous default security policies, including those that are specific to each Windows OS version. Speaking of which, SES supports all Windows versions back to XP with SP3, and added Windows 10 in late April. There are also a series of policies that can prevent executable files from being created, keyloggers from being deployed, memory overflows and privilege escalation. These latter situations are simple on/off switches.
Before you set up your policy, you first have to check it out of the SES repository to make any changes or additions, then check it back in. This avoids multiple administrators working concurrently, but it is also somewhat cumbersome initially to get used to this workflow.
One other drawback: SES doesn’t support adding security RSS feeds like some of its competitors, although they are planning on including this at some future point.
As we mentioned earlier, SES offers the ability to encrypt removable devices; this feature is accessed from the endpoint agent menu with a simple right-click. There is also the ability to provide temporary Web access, so a user can authenticate to a public Wi-Fi hotspot, such as at a hotel, before bringing up a VPN connection.
Pricing starts at $15 per user per year for the basic modules and Professional Edition of agents. This is one of the lowest priced products in this review but the true cost of the product will be in learning how to deploy it and configure its numerous features.
How we tested endpoint security products
We brought up the products on a network running both physical and virtual Windows machines (of various vintages stretching from XP to Windows 10), Macs and various smartphones and tablets.
We looked at how they track down malware and other exploits that we downloaded from VirusTotal.com. We also examined how the products responded and how they recorded what happened across our network infrastructure as an infection spreads. If possible, we also looked at how a product would playback the infection to examine it further.
We also determined if the product could isolate an infected PC or PCs, or stop a particular process or executable program, or otherwise quickly remediate the machines and return them to a clean state. We also determined if a product could incorporate external security feeds, and work both online and offline. Finally, with each product, we connected our endpoints to their management servers and examined reports and manipulated the configurations and settings to see how easy it was to use from a network administrator’s point of view.
Secdo offers another approach
Secdo is an Israeli startup that tries to reduce incident response time and neutralize threats in near-real time. It has a very interesting process view where you can segregate what it sees into hardware, network, file and user activities so you can further analyze the potential threats and reduce the number of false positives.
Like many of the other products reviewed here, you have a very graphical display of the attack chain of events, and which endpoint PCs it has infected. We liked the clean screens that were very graphical and easy to review. By clicking on the data, you can get further explanations of what is happening and links to the particular attack methods. Secdo is just getting started with a few customers and is worthy of a closer look.
Strom is the founding editor-in-chief of Network Computing magazine and has written thousands of magazine articles and two books on various IT and networking topics. His blog can be found at strominator.com and you can follow him on Twitter @dstrom. He lives in St. Louis.