Magazine Article | February 1, 2017

Product Comparison: Endpoint Security

By The Business Solutions Network

We compare five endpoint security solutions to see what steps each is taking to stay ahead of malware.

Today, security is at the top of most business owners’ minds. Every business has important data, and criminals know it. The number of threats has increased, and the methods of attack have become more complex. As the threat landscape has changed, so too have the applications created to address those threats. For the past couple of years, Business Solutions has featured product comparisons of the various solutions available to address malware and endpoint security. This year, we take a look at a handful of the solutions available today and see that these vendors have been very busy altering their strategies and building solutions that keep businesses ahead of the malware.

As with past comparisons, we reached out to numerous vendors for their participation in this roundup. As usual, not every company responded in time for our print deadline. As this article shouldn’t serve as a definitive buying guide for you or your customers, having an incomplete list of the field isn’t a problem. Rather, what we strive to do is continually update readers on some of the latest strategies from a variety of security vendors. Frankly, we couldn’t fit every product in these articles anyway. In this comparison, we take a look at Bitdefender, Quick Heal (new to our comparisons), Sophos, Symantec, and Webroot. To read about other endpoint security solutions not listed here, visit bsminfo.com for past comparison articles.

While some of the companies in this comparison were in last year’s article, there are many differences worth noting immediately. For example, in September 2016, Sophos launched Sophos Intercept X, what the company refers to as a next-generation endpoint security product that stops zero-day malware, unknown exploit variants, and stealth attacks, and includes an advanced anti-ransomware feature that can detect previously unknown ransomware within seconds. Additionally, in November 2016, Symantec launched its Symantec Endpoint Protection 14 (SEP 14) software, which uses artificial intelligence/machine learning to detect mutating malware and other unknown threats. Also, whereas last year we took a look at Bitdefender Cloud Security for MSPs, in this article we’ll be examining the company’s GravityZone business and enterprise lines.

Regardless of the products being compared here, we’ll see that each vendor has been very busy rolling out next-generation threat detection capabilities and adding features that help MSPs. Without further delay, let’s take a closer look.

Platforms Supported
Gone are the days of having to support only Windows-based PCs. Today, customers can throw a variety of OSs at you, including mobile. Without listing all the various systems supported here, know that all of the software in our comparison here can support Windows. Your best bet is to check the system’s compatibility before making any decisions. All of the products except for Sophos Intercept X and Quick Heal Seqrite Endpoint Security (EPS) 7 have support for Mac. Sophos plans to have support for Mac by mid-2017. Additionally, all of the vendors other than Quick Heal Technologies have some level of mobile support, although it might come through an additional product other than those referenced here.

MSP Management, Integrations
It doesn’t take long before it becomes a challenge to manage all of your customers and their security environments. Management burdens can be reduced and even eliminated in a few ways. First, management consoles are ideally web-based, allowing you to access a customer site from anywhere at any time. Second, a “single pane of glass” console that combines all customers into one login for you makes administration much easier. Third, integration with your professional services automation (PSA) and remote monitoring and management (RMM) tools can bring everything together, increasing your efficiency and allowing you to best serve your customers.

Symantec provides a single management console across physical and virtual platforms with policy control (customized policies depending on users and their location), support for remote deployment and client management, reporting, and updates. There is one console per customer, however. Integrations include Kaseya, LabTech, Level Platforms, and N-able.

Intercept X can be installed and managed remotely through the Sophos Central cloud-based management console, a dashboard that allows MSPs to distribute licenses, add new customers on demand, cross-sell and upsell services, and have a clear, real-time perspective on all customer activity. Sophos Central allows MSPs to manage all Sophos products from one single interface. Currently, Sophos has a PSA integration with ConnectWise and also publishes a security information and event management (SIEM) API for integration into third-party systems. This API offers command line, file, or syslog output in CEF, JSON, or key-value pair formats.

GravityZone has a centralized management console that can be hosted on-premises or as cloud-managed. This integrated management console can centrally manage endpoint security in a heterogeneous and hybrid environment, including physical, virtualized, and public cloud. There is a unified console for all MSP customers or multitenant console with role-based management. Integrations include ConnectWise, Kaseya, LabTech, N-able, Naverisk, LogicNow, and AWS.

Quick Heal Seqrite EPS 7 has a cloud-based management console that can be used to access a single customer site. An MSP console, available in EPS 8, is due at the end of 2017. There are currently no PSA or RMM integrations.

Webroot has a unified global site manager console that scales to managing up to 100,000 user devices. The console lets MSPs manage policy at a global level across all sites/customers and/or at the individual site/customer level, as needed for flexibility. Current integrations include Atera, Autotask, ConnectWise (LabTech), Continuum, Kaseya, and Ninja.

Zero-Day, Ransomware Threats
As mentioned in our introduction, the threat landscape is ever changing. Therefore, today’s endpoint protection solutions must be able to cope with previously unseen threats that pop up on a daily basis. Each of these products has its own way of dealing with such occurrences.

SEP 14 uses a multilayered approach to combat zero-day threats. Advanced machine learning, intrusion prevention, and memory exploit mitigation are a few of the technologies used. Symantec says memory exploit mitigation is particularly effective in neutralizing zero-day memory attacks and Java exploits in popular software that have not been patched by the vendor.

For security against ransomware, SEP 14 utilizes multiple technologies. Intrusion prevention blocks threats that traditional virus definitions alone cannot stop. Insight reputation analysis and machine learning blocks rapidly mutating malware. Behavioral protection and memory exploit mitigation protect against memory exploits and block suspicious files while they execute. Finally, Symantec uses application control and “system hardening” to reduce the attack surface.

In the unfortunate event something bad gets through, SEP 14 supports rollback of malicious activity through a built-in behavioral monitoring technology. This feature does not support network shares.

Sophos Intercept X also incorporates signatureless threat and exploit detection that blocks zero-day, unknown, and memory-resident attacks and threat variants without the need for file scanning. With its CryptoGuard feature, ransomware activity is identified and intercepted, and maliciously encrypted files can be rolled back to their pre-attack state. CryptoGuard protects files on the device or files mapped as a local drive from a network share. Additionally, Sophos Clean will run when malware is detected, restoring registry and system files to pre-tamper states while also removing the malware.

GravityZone also uses machine learning to examine never-before-seen malware and predict its malicious intent. The software also performs real-time process monitoring, essentially operating on the “zero-trust assumption.” The software continuously monitors all running processes, assesses their intent, and has the ability to terminate processes it deems malicious. This helps detect non-file-based advanced attacks.

For ransomware, Bitdefender uses an anti-ransomware vaccine to evade known ransomware. Additionally, machine learning and an anti-exploit feature prevent malware/ransomware from taking advantage of vulnerabilities. Even if a piece of ransomware evades the prevention layer and is running, real-time process monitoring will continuously monitor the process’s behavior for anomalies and can terminate the process.

Finally, Bitdefender’s clean-up capability can roll back most of the changes made by malicious processes should they occur. The company’s endpoint protection has the ability to scan network shares for malicious files, track modifications made on network shares, and roll back changes.

For Seqrite EPS 7, ransomware, zero-day, and unknown threats are handled with a combination of heuristics/behavior blocking, file activity monitoring, and URL filtering. The product also includes a “Secure Silent Backup” feature that provides a last line of defense against ransomware that gets through all other layers. Secure Silent Backup enables users to restore their data securely and easily from the backup, without paying any ransom.

Webroot examines all files and processes and categorizes them in real time. If something is new or unknown, as we’d see with a zero-day threat, the files are treated as suspicious and subject to controlled execution. A journaling and rollback feature runs silently, in the event processes or file changes need to be undone. This feature runs only on the drive of the host machine, not network shares.

Ransomware is handled using the same identification methods as for all malware. However, Webroot also has specific proprietary ransomware exploit identification built in at the agent level, which is constantly updated to counter new forms of ransomware attacks.

Final Thoughts
When asked to share what makes its products unique, each vendor gave a compelling story about its latest solutions. None are relying on outdated architecture or processes. To remain competitive and address the needs of the market, these vendors have had to stay as busy as the criminals they protect against. If you’re in the market for an endpoint security solution to offer your customers, consider all of the above, but also make sure you test the solution for yourself. There are many nuances to these products that can only be understood through first-hand experience.