SAN FRANCISCO — There are a lot of different endpoint protection technologies an enterprise can choose from. NSS Labs has tested 20 of them, and in an interview at the RSA Conference 2018, CTO Jason Brvenik explained what organizations should look for.
First off, a few definitions. Advanced Endpoint Protection (AEP) is different from Endpoint Detection and Response (EDR), according to Brvenik.
“Advanced endpoint protection really includes host resident software that can interdict and also provide some level of visibility into the endpoint,” Brvenik told eSecurity Planet. “AEP requires visibility and some forensic capabilities, while EDR is mostly forensics with a post-response capability.”
Brvenik added that forensics are fundamentally answering the questions: what happened, when, how and from what. He noted that threat hunting is a use of forensics.
NSS Labs tested the following AEP products:
- Bitdefender GravityZone Elite v18.104.22.1685
- Carbon Black Cb Defense v22.214.171.124
- Cisco AMP for Endpoints v6.0.5
- Comodo Advanced Endpoint Protection v3.18.0
- Cylance CylancePROTECT + OPTICS v2.0.1450
- Endgame Endpoint Security v2.5
- enSilo Endpoint Security Platform v2.7
- ESET Endpoint Protection Standard v6.5.522.0
- FireEye Endpoint Security v4
- Fortinet FortiClient v5.6.2
- G DATA Endpoint Protection Business v126.96.36.199
- Kaspersky Lab Kaspersky Endpoint Security v10
- Malwarebytes Endpoint Protection v188.8.131.52
- McAfee Endpoint Security v10.5
- Palo Alto Networks Traps v4.1
- Panda Security Panda Adaptive Defense 360 v2.4.1
- SentinelOne Endpoint Protection Platform (EPP) v184.108.40.20648
- Sophos Endpoint Protection 10.7.6 VE3.70.2
- Symantec Endpoint Protection and Advanced Threat Protection (ATP) Platform v14.0.3876.1100
- Trend Micro Smart Protection for Endpoints v12.0.1864
At least seven of those vendors wasted no time in trumpeting their “recommended” rating from NSS Labs: Endgame, Palo Alto, Fortinet, Cylance (with a 99.1% effectiveness rating), SentinelOne, Trend Micro, and enSilo.
How to buy an AEP product
One surprise across the 20 vendors NSS Labs tested was that some are very good at protection but have no visibility features.
“Your shortlisting should start with what you believe to be your core requirements,” Brvenik said.
Those requirements will include whether the organization just needs prevention or if it also requires visibility. Depending on the amount of visibility needed, there might be a need to move to an EDR solution.
“Do you just want something that stops bad things from happening, or do you want something that will allow you to find other compromises that might exist?” Brvenik asked.
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.