Endpoint security is still dominated by traditional anti-virus solutions, with Gartner ranking Symantec, Sophos, Trend Micro and Kaspersky as leaders in the field. But new next-generation endpoint security solutions are generating buzz as either replacements or supplements to existing security investments. These new solutions promise to stop zero-day attacks and ransomware, two big security threats that often slip by traditional anti-virus solutions.
The endpoint security solutions featured here use a variety of emerging approaches and technologies. In general, though, next-generation endpoint security relies on one of two methods to stop new attacks. Many use some form of advanced analytics — whether from a pre-determined analysis of malware or by learning your network — that monitors endpoint behavior and stops unusual events. Others leverage virtual sandboxes, whitelists or containers to ensure insecure endpoint activity remains cut off from the network.
To help cut through the hype, we’ve focused on how each endpoint security solution works and what’s unique about the company. We’ve also identified whether the solution tries to replace or complement existing security tools. You’ll find information on which endpoint OSes each supports and whether the tool can provide security analytics.
How it works: Bufferzone creates a virtual container around any applications you deem insecure. This can include browsers, email, Skype, FTP and removable storage devices. Essentially, it segregates the corporate network into two zones: trusted and untrusted domains. The tool creates a virtual sandbox around the entire application environment, including related files, registries and network access that your administrator deems insecure. This allows the solution to contain malware, protecting not only your network but the rest of the end user’s computer.
What’s unique: Bufferzone does not attempt to detect or block malware but instead focuses on containing all “untrusted” sources. Any infections are automatically confined to the container. The upside is it doesn’t require maintenance of a blacklist or whitelist and, unlike traditional endpoint detection solutions, it doesn’t need to learn to detect new, suspicious behaviors. “It simply isolates threats like ransomware and zero-days so that they cannot do any harm,” the company notes.
Replace or complement: Bufferzone integrates with existing SIEM solutions and Big Data analytics tools to identify targeted attacks.
Supports: Windows devices
Analytics: Bufferzone provides data to enterprise solutions that analyze endpoint data, such as Splunk and McAfee.
Big brag: Bufferzone is effective in blocking ransomware and preventing it from encrypting files on the endpoint or spreading to other computers on the network. It is fully integrated with McAfee ePO and with Landesk LDMS.
Bonus points for:
• Transparency to end users and their applications
• Scanning removable storage
• A free home edition is available for download
How it works: Barkly relies on proprietary behavioral analytics to detect techniques and behaviors common to all malware. An agent called Rapidvisor is installed locally on your endpoints and managed via a cloud-based portal. The agent watches in real-time across multiple levels of the system, including user space, operating system functions and CPU instructions. When Barkly detects something malicious, it stops the process and blocks the attack, notifying the end user and administrators.
What’s unique: Barkly says it is the only solution to stop advanced attacks by applying sophisticated behavioral analytics on the endpoint. It monitors processes across all levels of the system and instantly blocks malicious behaviors on the endpoint, even without an internet connection. This enables Barkly to stop new and never-before-seen attacks that traditional solutions miss.
Replace or complement: Barkly is designed to work with traditional solutions, offering another layer of protection.
Supports: Barkly supports Windows 7 on 64-bit machines. Support for more operating systems, including Windows 10 and Windows 8.1, is coming soon.
Analytics: Barkly leverages real-time behavior analytics to identify malware while avoiding false positives.
Big brag: When CryptoWall 4.0 was released in November 2015, its signature changed, leaving millions of devices unprotected until anti-virus vendors could release an update. Barkly recognized this behavior and stopped CryptoWall 4.0 with no updates needed.
Bonus points for:
• A free, 60-day Early Access program is available, but spots are limited. Register here: https://www.barkly.com/early-access
• Rapidvisor updates automatically on every connected endpoint each time a new version of Barkly is released.
How it works: Carbon Black Endpoint Security Platform is another system that combines advanced analytics and behavior recognition to stop attacks. The platform incorporates three components: an advanced analytics, data science and behavior recognition core; a lightweight endpoint sensor that records all critical activity on the endpoint, flagging malicious activity for your security team; and an element that can thwart attacks by locking down critical systems using multiple levels of application control. Each of these elements is powered by Carbon Black’s Collective Defense Cloud, which aggregates security data from more than 7 million endpoints to strengthen the entire customer base.
What’s unique: Carbon Black’s platform approach combines next-generation endpoint security with security policy controls, including the ability to whitelist applications. It also records all endpoint activity, and supports search so your team can gather security forensics and respond to attacks.
Replace or supplement: Carbon Black is a replacement for traditional anti-virus and other endpoint security solutions, but can integrate with existing SIEMs.
Supports: Windows, Mac and Linux
Analytics: Carbon Black has built-in analytics. It also integrates with existing SIEM, network security and threat intelligence solutions so you can perform user-behavioral analytics and other forms of analysis.
Big brag: Carbon Black was named “Best Endpoint Protection” in the SANS Institute’s Best of 2014 Awards.
Bonus points for:
• Offers an evaluation period before purchase
• Support for whitelisting applications
How it works: CrowdStrike’s Falcon platform is a SaaS solution that’s built on top of a massive graph database. This allows CrowdStrike to couple machine learning with behavior-based detection and prevention to detect attacks on endpoints. It delivers both detection and response in a single endpoint agent.
What’s unique: CrowdStrike is a fully cloud-based solution. And it analyzes massive numbers of security incidents — more than 15 billion events a day, according to the company.
Replace or supplement: CrowdStrike replaces traditional anti-virus solutions.
Supports: Apple, Windows and Linux endpoints
Analytics: CrowdStrike analyzes security events, then delivers findings immediately so customers can stop an attack while it is actually happening.
Big brag: “Virtually limitless” scalability, thanks to the cloud architecture. A leading financial institution deployed 77,000 endpoint sensors globally within two hours – a task that would typically take a traditional security vendor 18 months to complete, the company notes.
Bonus points for:
• Offers a free proof-of-value trial
• Deployed in more than 170 countries
• No updates required, since it’s deployed via the cloud
How it works: Secdo’s OS Mirroring technology proactively records all OS-level events. It also incorporates a causality engine, which uses advanced analytics to find connections between other security system alerts and endpoint events. This allows the tool to determine whether an event is suspicious behavior or a false positive. The thread-level endpoint monitoring coupled with causality analytics allows analysts to visualize the attack chain, so your security team can understand the context of any unusual activities.
What’s unique: Secdo’s solution includes an anti-ransomware deception tool that forces ransomware to reveal itself early. Once ransomware is exposed, Secdo’s proprietary technology, IceBlock, automatically freezes the ransomware before files are encrypted, thus preventing further damage. It then pinpoints the root cause for the attack, as well as the entire attack chain, including the presence of ransomware on an organization’s endpoints. Once the root cause is identified, the security team is alerted, allowing analysts to perform a forensic analysis on any of the endpoints and servers in an organization.
Replace or supplement: Secdo is an enhancement to traditional security solutions.
Supports: Windows, Mac, Linux and virtual machines
Analytics: The solution supplies detailed endpoint and server data to other systems so your security team has the full context of an attack.
Big brag: Named a Gartner Cool Vendor in 2016.
Bonus points for:
• Free 30-day trial for each of the company’s solution modules
• Leverages existing SIEMs and threat intelligence investments
• Has been tested on over 50 ransomware families and over 300 variants, including common types of ransomware such as CryptoWall, TeslaCrypt and CryptoLocker
How it works: Morphisec takes what is typically a hacker tool — a polymorphic engine for encrypting or scrambling code — and turns the technology into a security shield for an application. It calls this Moving Target Defense technology; essentially it conceals vulnerabilities and web browsers by making memory space unpredictable to attackers. This stops attacks from running, according to the company, and is managed with a Dynamic Link Library (DLL) agent that sits on endpoints. This means it doesn’t require signature updates or learning algorithms.
What’s unique: Its use of a polymorphic engine as a security tool. Morphisec says it has also proven popular with companies that make heavy use of VDI, Citrix and XenApp.
Replace or supplement: Morphisec augments endpoint security, offering protection against advanced attacks such as zero-day attacks, ransomware, APTs and unpatched vulnerabilities.
Supports: Windows-based endpoints and servers, both virtual and physical
Analytics: Protector Morphisec Dashboard supports role-based views so users can view attacks, view and filter attack information, and obtain insights for conducting forensic analysis. The company is also developing a real-time crowdsourced investigation and threat intelligence product to help identify and stop attacks faster.
Big brag: Morphisec was named a 2016 Gartner Cool Vendor in Security for Technology and Service Providers.
Bonus points for:
• Currently offers a free trial
• Offers proof of concepts
• Protects against file-less attacks, which inject malicious code into legitimate operating system services like Windows PowerShell
• Installs without requiring a reboot
How it works: SentinelOne learns normal registry behavior and then monitors for specific deviant behaviors, such as attempting to maintain persistence, modify the registry or inject code into processes. This allows it to protect against all major attack vectors, including file-less malware and insider attacks. It does this using a lightweight agent that sits on the endpoint. SentinelOne also eliminates threats upon detection with fully automated, integrated mitigation and remediation capabilities and real-time forensics.
What’s unique: SentinelOne’s Dynamic Behavior Tracking engine uses machine learning and sophisticated pattern-matching algorithms to detect threats on the endpoint itself.
Replace or supplement: SentinelOne Endpoint Protection and Critical Server Protection platforms are complete and certified replacements for anti-virus, the company states.
Supports: Windows, iOS, OS X, Android and Linux endpoints
Analytics: SentinelOne offers integration with popular SIEM solutions, with support for standard data export formats.
Big brag: A global cosmetics company deployed SentinelOne Endpoint Protection (EPP) across 3,000 endpoints, replacing a legacy AV product. It caught every subsequent ransomware threat and saved the company 72 man-hours per week spent on desktop support, re-imaging infected laptops. The customer now plans to deploy SentinelOne’s Critical Server Protection Platform across 5,000 servers.
Bonus points for:
• Includes a rollback capability that can restore any files modified or deleted by ransomware or other attacks
• Detects insider attacks
• Already certified by third-party AV testing organization AV-TEST
How it works: TrustPipe compares its approach to DNA markers. After analyzing terabytes of data on malicious attacks and harmless traffic, the company identified a template of about 1,000 markers for malware. It distilled these markers into a lightweight client that sits on the endpoint and maps every digital conversation against those markers. If a marker set is a match, the attack is stopped while the code is still being transmitted — and before the attack can launch. It also looks for unique indicators that show when a machine has been compromised and automatically stops the endpoint from transmitting that the attack worked, seals off the compromised instance of the services and creates a new marker set so the endpoint won’t fall to that attack again.
What’s unique: TrustPipe relies completely on the endpoint agent without additional software. Because it uses common attack markers, it can go months without requiring an update. TrustPipe also goes to market through partners, rather than selling as a standalone solution.
Replace or supplement: It is marketed as a supplement to existing solutions because it does not collect forensics or identify attacks.
Supports: Linux, Macs and Windows OSes, including XP
Big brag: TrustPipe was one of 33 cybersecurity companies, out of more than 450 secretly nominated candidates, to present at the Office of the Secretary of Defense’s Rapid Reaction Technology Office (RRTO) DoD-Cyber Solutions Meeting in July.
Bonus points for:
• Low maintenance approach