Endpoint Detection and Response (EDR) is a cybersecurity technology that addresses the need for continuous monitoring and response to advanced threats. It is a subset of endpoint security technology and a critical piece of an optimal security posture. EDR differs from other endpoint protection platforms (EPP) such as antivirus (AV) and anti-malware in that its primary focus isn't to automatically stop threats in the pre-execution phase on an endpoint. Rather, EDR is focused on providing the right endpoint visibility with the right insights to help security analysts discover, investigate and respond to very advanced threats and broader attack campaigns stretching across multiple endpoints. Many EDR tools, however, combine EDR and EPP.
The EDR market is booming, and with good reason. Security breaches are more prevalent than ever, and most enter networks via endpoints. All it takes is one gullible user and the bad guys can sneak inside.
EDR revenues more than doubled in 2016, reaching $500 million, according to Gartner. Four vendors account for more than half of that total – Tanium, FireEye, CrowdStrike and Carbon Black. But there are others worthy of inclusion. This guide also examines Guidance, Symantec, Cybereason, RSA, Cisco, and CounterTack. But that list is destined to become shorter.
"We expect to see considerable consolidation in the endpoint security market going forward," said Avivah Litan, an analyst at Gartner. "Endpoint security products need to elevate the information and alerts they provide to the user and data level and further automate their response and remediation capabilities."
Despite that consolidation, Gartner's forecast is for almost 50% annual growth for EDR at least through 2020. That puts it way out in front of most areas of IT, where the overall growth rate is only 7%. Another factor in EDR's explosive growth is the fact that only 40 million EDR endpoints are currently installed, compared to the estimated 711 million desktop, laptop and other devices that can utilize the software.
The features that most EDR solutions have include:
- The ability to detect and prevent hidden exploit processes that are more complex than a simple signature or pattern and evade traditional AV
- Threat intelligence
- Visibility throughout endpoints, including applications, processes and communications, to detect malicious activities and simplify security incident response
- Automation of alerts, as well as defensive responses such as turning off specific processes when an attack is detected
- Forensic capabilities, because once an attacker is inside, you need the ability to take a deep dive into their activities so you can understand their movements and minimize the impact of the breach
- Data collection to build a repository used for analytics
Here, then, are 10 top EDR solutions worth considering. Gartner named these vendors the top ten providers in terms of market share in its report "Competitive Landscape: Endpoint Detection and Response Tools." That document also laid out the various required features for EDR solutions that are considered here.
We summarize the EDR solutions below and link to a deeper analysis of each product, and at the bottom of this article is a chart comparing EDR product features.
FireEye serves organizations with anywhere from 250 to 350,000 endpoints, and is also beginning to penetrate smaller companies with a network security endpoint product called CloudHX. The company has more than 1,000 experts responding to incidents and researching attacks, and its network scanning appliances have boosted throughput to more than 1,000 Mbps.
Carbon Black boasts a CIA and NSA cybersecurity pedigree and supports 150,000 endpoints per cluster with unlimited scalability. It can be deployed as software or in the cloud, with a one-year subscription starting at $30 per endpoint.
EnCase boasts a majority of the Fortune 500 as customers. The EDR solution can scale to hundreds of thousands of nodes and has also been used to secure ATMs, POS systems and manufacturing devices.
Cybereason was launched by Israeli cyber intelligence professionals and is aimed at companies of any size with little IT security expertise. It has no limit on the number of endpoints supported and can process 8 million questions a second.
Symantec stops nearly all advanced threats, and the company's EDR add-on adds incident investigation and response. It can scale to hundreds of thousands of nodes and is supported by the world's largest threat intelligence network.
NetWitness offers more than 300 behavioral indicators that users can customize. The EDR solution uses behavior analytics, machine learning and threat intelligence to detect and prioritize threats.
Cisco AMP boasts rapid detection capabilities and a 100% score from NSS Labs for malware and exploit detection. Its 14 integrated detection techniques can block 20 billion threats a day.
Tanium EDR boasts more than $400 million in funding from top-tier venture capital firms and more than doubled its sales last year. Its architecture can scale to millions of endpoints without requiring additional infrastructure. Twelve of the top 15 banks are customers.
Falcon Insight is a cloud-based platform that collects and analyzes more than 30 billion endpoint events per day from millions of sensors deployed across 176 countries. It performs analysis of more than 70 adversaries, their tactics, techniques, procedures and campaigns.
CounterTack uses a strategic partnership with SAP's HANA in-memory analytics platform to perform billions of scans per second. CounterTack applies a combination of behavioral analysis, machine learning and reputational techniques to counter threats.
See these pages to compare two EDR products against each other:
- CrowdStrike vs. Symantec
- FireEye vs. Symantec
- FireEye vs. Carbon Black
- CrowdStrike vs. Carbon Black
- Carbon Black vs. McAfee
Top EDR Solutions
|FireEye||From 250 to 300,000 endpoints; cloud for SMBs||1,000+ researchers; 1,000 Mbps throughput||Automated threat detection and prevention for known and unknown threats||Cloud or appliance||Starts at $30 per endpoint, plus intelligence feeds and appliance costs|
|Carbon Black||All markets and sizes, but strongest in high-risk industries||Up to 150,000 endpoints per cluster, with unlimited clusters||Defense Cloud analytics engine identifies malicious activity||Software or cloud||Starts at $30 per endpoint per year|
|Guidance Software||Large organizations||Can scale to hundreds of thousands of nodes||Automated alert response, validation, triage and incident response||Software||Starts at $57,995 for up to 2,000 nodes on a perpetual license|
|Cybereason||Organizations of any size or vertical with little security talent||Can render 8 million questions per second with unlimited scalability||Machine learning and analytics||Cloud or on-premises||Starts at $50 per endpoint before volume discounting|
|Symantec Endpoint Protection with EDR||Boasts 25% of all deployments worldwide and 350,000 customers||Scales to hundreds of thousands of endpoints||AI and world's largest threat intelligence network||Physical or virtual appliance||Starts at $40 per seat per year|
|RSA NetWitness Endpoint||Strongest in finance, healthcare, government, energy, telcos||More than 300 behavioral indicators can be customized||Behavioral-based analytics engine and machine learning||Agents deployed across multiple form factors; management console on-premises||Pricing on a per-endpoint basis|
|Cisco AMP for Endpoints||Strong in high-risk verticals||Top score from NSS Labs; 20 billion threats blocked per day||Adaptive intelligence, automated detection and response||Cloud, private cloud, or on-premises appliance||Pricing is based on length of subscription and number of endpoints|
|Tanium||Large organizations||Millions of endpoints and 15-second visibility across all endpoints||Automation workflows data collection and corrective actions||Appliance, virtual machine, or standalone server||Company doesn't disclose pricing|
|CrowdStrike||Large organizations||More than 30 billion events per day from millions of sensors across 176 countries||APIs and feeds for integration with SIEM, IDS, and Threat Intelligence platforms||Cloud||Subscription-based pricing|
|CounterTack||From SMBs to enterprises||Can complete billions of scans per second||Via a strategic partnership with SAP||Platform or cloud||$14,000 per perpetual seat; $7,500 annual subscription seat|