How to choose an endpoint protection suite

Studies show that CSO readers are most likely to know that endpoint protection is the modern iteration of the antivirus tools of previous generations. Okay, I made that first part up, but the second part is, of course, true. Antivirus, more appropriately known as antimalware, has matured significantly since the days of dedicated antivirus servers, daily signature updates, and manually managed policies.

Endpoint protection covers much more than antimalware. As attack methods and the technology behind them have become more diverse and sophisticated, so too must the security tools tasked with protecting what are often the most vulnerable devices on the corporate network: those your users access daily. Threat vectors for end-user devices include browser-based attacks, phishing attempts, malicious software, or spyware. Because of the diverse array of attack vectors a variety of protection methods must be leveraged to protect endpoint devices from compromise.

The term endpoint protection also speaks to the modern network architecture, which could include various device types spread across multiple corporate locations, potentially even connected to the corporate network through a virtual private network (VPN) or outside the bounds of corporate control entirely such as employee-owned devices.

Modern endpoint protection features

What features make up a modern endpoint protection suite? For starters you should prioritize a solution that fully embraces a modern hybrid cloud architecture. This could mean customer devices spread across disparate networks including those under corporate control, home networks, and public Wi-Fi connections.

To maintain security for these endpoints your endpoint protection suite needs to communicate with these devices on a semi-regular basis. This communication typically involves receiving log information about scan results and blocked threats, receiving software and policy updates (or even instructions to roll back these updates), and remotely initiating management tasks. More advanced endpoint management solutions may even leverage cloud-based machine learning to protect against zero-day attacks (more on this later).

While cloud-based solutions may make the most sense for many customers, don’t assume that they are the only option. Several vendors (particularly those that have been around a while) still offer on-premises solutions with many of the benefits found in a cloud-hosted suite.

The first and perhaps most important management task is the initial deployment and enrollment of endpoint devices. Most endpoint protection solutions generate an installer that automatically enrolls the device (at least for Windows and Mac). Some solutions allow you to customize this installation package, defining which components are installed and enabled. In most cases existing infrastructure such as mobile device management (MDM) solutions or policy-based administration tools can also be leveraged to facilitate mass deployments.

Integration with, or even the inclusion of, an endpoint detection and response (EDR) solution is something you should consider, particularly for large deployments. EDR enhances your endpoint protection correlating, alerting and automating mitigation steps when endpoint-based attacks are identified. This not only enhances the initial protection provided to your endpoints but helps limit the damage if an initial attack is partially successful (such as a phishing attempt).

The other big reason to look for EDR is for those situations where an attack is successful. EDR can help identify the successful attack, measure the breadth and impact to your network, and even identify the root cause. Some endpoint protection solutions even take things a step beyond EDR with options like managed detection and response (MDR), which is typically a service where the provider or a partner provides 24×7 monitoring, threat hunting, and analysis services, working closely with your organic security staff. Another option is extended detection and response (XDR), an evolutionary step more focused on automating aspects of the investigation process and empowering workflow-based remediation.

Basic endpoint protection features

Endpoint management frequently defends against multiple attack vectors including phishing attempts, browser-based attacks, email attachments, and worms. These attack vectors require different protection methods, which come in the form of modules such as antimalware, personal firewall, or even host-based intrusion detection system (HIDS). HIDS is particularly compelling on modern devices because it can monitor system state and critical components to prevent unauthorized system changes such as additions to startup applications or system services, registry changes, or even changes to the system directory. Combined with traditional preventive security services like antimalware and firewall, HIDS can provide a last line of defense for cases where your endpoint protection suite is initially defeated.

Securing endpoint devices involves more than just multiple components. There are always new malware variants and techniques designed to circumvent security, meaning that antimalware solutions must mature and become more sophisticated as well. For example, a polymorphic virus can change its signature dynamically, making it difficult to identify with traditional signature-based protection methods. Heuristic scanning has been around for some time and provides some protection from polymorphic malware, and behavior-based detection also lends a hand, but endpoint protection with machine learning capabilities empowered by big data provides enhanced protection over either of these methods.

Endpoint protection solutions

Most of the endpoint protection suites listed here have significant history in the computer security world. This is not a comprehensive list, however, and inclusion does not signify an endorsement nor exclusion a criticism.

Bitdefender Endpoint Security

I’ve always thought of Bitdefender as more of a solution for protecting home devices, but a few minutes browsing its product catalog shows that isn’t the case. Bitdefender Endpoint Security comes in three flavors, offering progressively sophisticated protection. Bitdefender’s GravityZone solution offers endpoint protection as well as tools for securing servers, Exchange mailboxes, and mobile devices, all from a single pane of glass.

Its GravityZone Control Center console can be installed on-premises and enables management of devices across your infrastructure. Bitdefender also offers add-ons that bring additional value, such as patch management, an EDR solution, and security optimized for virtual environments.

Kaspersky Endpoint Security for Business

Kaspersky Endpoint Security is exactly what you’d expect from one of the industry heavyweights: endpoint protection for a range of device types, pre-built security policies to get you started quickly, and the option for EDR-based attack detection (with root-cause and kill chain analytics). Kaspersky also brings vulnerability scanning (helping identify missing system patches), outright patch management, and device control (restricting access to connected storage devices). Kaspersky Endpoint Security can even discover unauthorized cloud service usage such as personal cloud storage or email and offers tooling to monitor time wasted on social networking and messaging services.

Malwarebytes Endpoint Protection

Malwarebytes Endpoint Protection comes from another vendor I’d previously relegated (unfairly) to the home defense category. Employing tools to evaluate and whitelist properly signed code from popular software vendors and those that pass the Malwarebytes inspection process (they’ve coined the term “goodware”) helps eliminate false positives and optimize the scan process to reduce the hit to performance. The Malwarebytes management dashboard is another key feature, showing you real-time device health and the status of any events. The dashboard also allows you to prioritize threat response with filters based on severity, physical location, and other factors.

McAfee Endpoint Security

McAfee has been around pretty much since the idea of a computer virus became a recognized threat, and McAfee Endpoint Security is the modern culmination of their decades of experience. Incorporating all the components you would expect in an endpoint protection suite, McAfee brings a cloud-based architecture, AI-based threat detection, and actionable reports that facilitate quickly progressing through the investigation phase and transitioning into remediating and eliminating the threat. If this wasn’t enough, McAfee offers both an MDR service and an XDR platform.

Sophos Intercept X Advanced

Sophos Intercept X Advanced uses machine learning and real-time threat data to protect your endpoints from zero-day attacks. Sophos also uses exploit prevention to identify potential attack vectors (such as VBScript executing in an Office document, or DLL hijacking), block the attack before it even starts, and even provides a breakdown of the attack, walking it back to the root cause. Sophos is another vendor that offers various levels of EDR, XDR, and even its MDR solution: Sophos Managed Threat Response.

Symantec Endpoint Security Complete

Symantec is now a division of Broadcom, but they’re still heavily invested in the computer security arena, and Symantec Endpoint Security Complete (SESC) is its Endpoint Protection offering. Symantec looks to slow or prevent attacks at every step in the attack chain, whether it’s minimizing the attack surface by limiting connected devices and hardening applications, preventing attacks through behavior detection and machine learning, or tracking threats and attacks as they materialize to help you triage and remediate devices.