Endpoint security products from CrowdStrike and Symantec both made eSecurity Planet's list of top endpoint detection and response (EDR) solutions – and while each product has a lot to offer enterprise customers, there are key differences between them. What follows is an analysis of each solution's key features, as well as some strengths and weaknesses.
The Bottom Line
Both solutions are rated highly by users as well as industry analysts. CrowdStrike's cloud architecture makes deployment unusually quick and easy, though the fact that it's far less effective offline makes it unsuitable for air-gapped networks. Symantec offers both an on-premises solution and a cloud-based one, providing a wider range of options for customers – but it's generally seen as being more complex to manage than its competitors.
CrowdStrike EDR Highlights
Overview: CrowdStrike Falcon Insight leverages signatureless AI and indicator-of-attack (IOA) based threat prevention to protect users from all types of cyberattacks. Falcon offers contextualized threat intelligence with details on each threat, and a five-second search tool enables teams to discover and investigate current and historic threat activity going back one second, one day or one year. The solution's cloud-based architecture is designed to provide speedy response without putting any stress on customers' endpoints.
Recent developments: Improvements over the past 12 months include:
- A Device Control feature for visibility and management of USB devices
- A Vulnerability Assessment feature, identifying vulnerabilities and missing updates on endpoints by automatically tracking and analyzing patches on each system
- Mapping of detection to a framework based on MITRE ATT&CK to accelerate understanding, triage and response
- Real-time response actions
- Docker support, allowing the installation of the Falcon agent on hosts running the Docker container platform so the host can be secured while customers use Docker
- Expanded integration of the Falcon OverWatch managed detection and response service
Analysts' take: Gartner says the combination of Falcon OverWatch with Falcon Insight EDR is particularly compelling for organizations with small or no SOC teams. The Falcon Insight EDR agent provides parity across Windows, Mac OS and Linux systems, and clients report simple and easy deployments, in part due to the solution's cloud architecture. Still, the research firm says Falcon's EDR functionality requires skilled technical staff to use, and its protection is greatly enhanced when connected to the cloud-based Falcon platform and correspondingly weaker offline, making it unsuitable for air-gapped (secure, isolated) networks.
Symantec EDR Highlights
Overview: Symantec EDR uses behavioral analysis at the endpoint and AI-based analytics in the cloud to detect advanced attacks. The solution provides a comprehensive set of detection, investigation and remediation capabilities for all levels of investigators, including automated investigation playbooks and user behavior analytics. Incident responders can quickly search, identify and contain impacted endpoints while investigating threats using a choice of on-premises and cloud-based sandboxing.
Recent developments: Improvements over the last 12 months include:
- Support for Targeted Attack Analytics (TAA), leveraging AI algorithms to detect suspicious activity and emerging threats in Symantec Endpoint Protection data collected and correlated in a massive data lake
- Support for MITRE ATT&CK tactics and techniques and MITRE Cyber Analytics, enabling investigators to search and filter events and incidents by ATT&CK tactic and map them onto the ATT&CK matrix
- Added more than a dozen detections from the MITRE Cyber Analytics Repository (CAR) as automated investigation playbooks
Analysts' take: Gartner says Symantec is the first vendor to offer malware protection, EDR, system hardening and deception capabilities in a single agent, and its broad deployment across a very large population of both consumer and business endpoints gives it a very wide view into the threat landscape across many verticals. Still, the research firm says Symantec is perceived as more complex and resource-intensive to manage than its competitors, and its managed security services are more expensive than those from newer providers.
EDR Product Ratings
Here are eSecurity Planet's ratings of each solution's key features.
Performance: Customers of both vendors report solid performance, with minimal impact on endpoints. The most recent Forrester Wave report on EDR solutions gave CrowdStrike the highest rating of all EDR vendors tested – 4.56 out of five – and gave Symantec a rating of 2.72 out of five. The rating is based on a range of criteria, including configurability, agent effectiveness, forensic capabilities, deployment options and response actions.
Detection and response: In recent testing, Forrester rated CrowdStrike's detection capabilities at 4.8 out of 5, and its response capabilities at 4.6 out of 5. Symantec's detection capabilities were rated at 2.0 out of 5, and its response capabilities at 4.2 out of 5. Symantec customers report improved threat detection and containment with the addition of machine learning and other advanced anti-malware features, Gartner noted.
Value: While CrowdStrike is more expensive than many other solutions, cloud data storage and managed detection and response are included. Symantec offers managed services, but those services are more expensive than those from other providers.
Implementation and management: CrowdStrike's cloud architecture makes deployment particularly easy, something users repeatedly cite in reviews. Symantec offers both cloud-based and on-premises options, making it better suited for hybrid environments. Both solutions require skilled technical staff to manage, although managed detection and response services are available.
Support: Gartner says Symantec customers report inconsistent support experiences, even when large organizations are provided with dedicated support personnel. Still, some reviewers said the same of CrowdStrike's tech support.
Cloud features: Both companies offer cloud-based solutions, although CrowdStrike's offering is purely cloud-based, giving Symantec the edge in hybrid environments.
Gartner Peer Insights users give CrowdStrike Falcon an average rating of 4.6 out of 5, with Symantec EDR following at an average of 4.0 stars out of 5. IT Central Station users give CrowdStrike 4.0 stars out of 5, and Symantec 4.1 out of 5.
CrowdStrike reviewers repeatedly cited the product’s ease of deployment, calling it "quick and easy to set up" and reporting that "the sensor is really lightweight and has not been noticeable when running on even resource-constrained computers." Other reviewers wrote that "the routine administration of this solution is manageable," and that CrowdStrike has "a unique proposition with their cloud-based approach as well as the research team."
Symantec reviewers said that "implementation was easy." They cited "quick whitelisting and blacklisting and informative reporting" as key benefits, adding that the solution "has provided visibility insights that we were not receiving from other products." Another reviewer said the product "fits very well with our current processes and procedures," calling it "a great product to protect your environment."
The CrowdStrike Falcon platform is fully cloud-based, allowing it to be deployed within hours, and supports Windows, Mac and Linux systems.
Symantec EDR offers cloud, on-premises and hybrid deployment models, and supports Windows, Mac and Linux systems.
CrowdStrike Falcon Insight is available for an annual subscription fee per endpoint, with a free trial available. AWS provides some pricing info.
Symantec EDR is priced per user per year, with volume discounting. Trials are available. CDW offers some pricing info.