dcsimg

FireEye vs Symantec: Top EDR Solutions Compared

SHARE
Share it on Twitter  
Share it on Facebook  
Share it on Google+
Share it on Linked in  
Email  

Endpoint detection and response (EDR) solutions from FireEye and Symantec made eSecurity Planet's list of top EDR solutions, and each product has distinct benefits to offer enterprise customers. What follows is a look at some key features of each solution, along with an examination of each product's strengths and weaknesses.

The Bottom Line

Both solutions get high marks from both users and industry analysts. FireEye's offering benefits from threat intelligence provided by Mandiant and from its new MalwareGuard detection and prevention engine, while Symantec's Targeted Attack Analytics technology leverages machine learning to offer similar capabilities. Recent testing by Forrester gave FireEye's offering a slightly higher rating in general than Symantec's. FireEye came out on top in detection capabilities, while Symantec beat FireEye in response capabilities. Both products present some management challenges and thus might be a better fit for more sophisticated security teams.

FireEye EDR Highlights

Overview: FireEye Endpoint Security leverages a single agent with three detection engines (signature-based and behavioral-based engines as well as intelligence-based indicators of compromise) to minimize configuration and maximize detection and blocking, offering fully integrated malware protection with anti-virus defenses, machine learning, behavior analysis, indicators of compromise, and endpoint visibility.

Recent developments: Recent releases have included a signature-based prevention engine to filter out known malware, viruses and worms, along with the advanced machine learning-based MalwareGuard detection and prevention engine. The latter is a result of a two-year research project from FireEye data scientists, leveraging testing in real-world incident responses. The machine learning model is trained with data gathered from over 15 million endpoint agents, attack analyses based on more than a million hours spent responding to attacks, over 200,000 consulting hours each year, and adversarial intelligence collected from a global network of analysts. That collection of data trains MalwareGuard to make malware classifications without human involvement, reducing the amount of time required to move from alert to fix.

Other recent additions including Policy Manager, supporting varying levels of access to help administrators balance the needs of security and performance; Alert Workflow Update, providing the necessary context for organizations to respond rapidly to alerts that matter; and Cloud Identity and Access Management, enabling a higher level of authentication for cloud-based deployments.

Analysts' take: Gartner notes that FireEye benefits from threat intelligence from Mandiant's breach investigation team and iSIGHT Threat Intelligence service, as well as from FireEye products' shared threat indicators. FireEye also offers a global managed detection and response service, FireEye as a Service, to help clients that are short on resources. Still, the research firm says a few clients report that the solution produces high false positive rates when first implemented, and that most of the EDR data is stored on the endpoint, making it challenging for incident responders to perform a full root cause analysis involving compromised endpoints that are offline.

Symantec EDR Highlights

Overview: Symantec EDR leverages precision machine learning and global threat intelligence to minimize false positives and help security teams maximize productivity. The solution helps incident responders quickly search, identify and contain all affected endpoints while investigating threats using on-premises and cloud-based sandboxing. Behavioral analysis at the endpoint and AI-based analytics in the cloud are leveraged to detect advanced attacks.

Recent developments: Symantec recently announced support for Targeted Attack Analytics (TAA), collecting and correlating Symantec Endpoint Protection telemetry in a massive cloud data lake and then leveraging AI algorithms to detect suspicious activity and emerging threats. As TAA finds attack groups and suspicious attack patterns, real-time incidents are created and streamed down to the EDR console, providing customers with a detailed incident that includes attacker profile, impacted systems and remediation guidance.

The company also added support for MITRE ATT&CK tactics and techniques and MITRE Cyber Analytics, providing visibility into how attacks progress and helping investigators see and respond to tactics used to target endpoints. Investigators can search and filter events and incidents by MITRE ATT&CK tactic and technique to quickly map events to the ATT&CK matrix.

Symantec EDR also now implements over a dozen detections from the MITRE Cyber Analytics Repository (CAR) as automated investigation playbooks. Supported MITRE CAR analytics playbooks include autorun differences, suspicious run locations, DLL injection load library, PowerShell execution and SMB events monitoring.

Analysts' take: Gartner says Symantec is the most successful of the traditional EPP vendors in the EDR space and continues to be the leading vendor mentioned by other vendors as their main competition. Still, the research firm says Symantec is perceived as more complex and resource-intensive to manage than other vendors, and the company's managed security services are expensive when compared to other options from newer vendors that focus on a narrower set of services or features.

See user reviews of FireEye Endpoint Security vs. Symantec EDR

NGFW Product Ratings

Here are eSecurity Planet's ratings of each solution's key features.

Performance

FireEye – Very Good

Symantec – Good

Customers of both vendors report solid performance, with minimal impact on endpoints. The most recent Forrester Wave report on EDR solutions gave FireEye a rating of 3.08 out of five and gave Symantec 2.72 out of five. The rating is based on a range of criteria including configurability, agent effectiveness, forensic capabilities, deployment options and response actions.

Detection and Response

FireEye – Good

Symantec – Good

In recent testing, Forrester rated FireEye's detection capabilities at 3.0 out of five, with Symantec following behind at 2.0 out of five. The tables were turned regarding response capabilities, however, with Symantec rated at 4.2 out of five and FireEye behind at 3.4 out of five.

Value

FireEye – Good

Symantec – Good

Customers of both companies report satisfaction with pricing and value for the money. Symantec offers managed services, but those services are more expensive than those from other providers.

Implementation and Management

FireEye – Good

Symantec – Good

Users of both solutions report relatively easy deployment experiences. Both solutions require skilled technical staff to manage, though managed detection and response services are available.

Support

FireEye – Very Good

Symantec – Fair

FireEye users report positive experiences with customer support. While some reviewers say the same of Symantec, Gartner says Symantec customers report inconsistent support experiences.

Cloud Features

FireEye – Good

Symantec – Good

Both companies offer cloud-based solutions, though neither is focused primarily on cloud functionality.

FireEye vs Symantec EDR

Deployment

FireEye Endpoint Security supports cloud, on-premises and hybrid deployments. Agents are available for Windows, Mac and Linux.

Symantec EDR offers cloud, on-premises and hybrid deployment models, and supports Windows, Mac and Linux systems.

Pricing Structure

FireEye Endpoint Security is purchased through a subscription model based on the level of protection and investigation tools available – the Essential Edition starts at $39 per endpoint, and the more advanced Power Edition starts at $58.50 per endpoint, with volume discounts available for both. Free trials are available.

Symantec EDR is priced per user per year, with volume discounting. Trials are available. CDW's website provides some pricing information.

Other EDR product comparisons

 

Submit a Comment

Loading Comments...