Magazine Article | April 13, 2016

Product Comparison: Endpoint Security Solutions 2016

By The Business Solutions Network

We evaluate eight different endpoint security solutions. Which is best for you and your customers?

Security has never been more important. Business Solutions has increased its coverage of endpoint security solutions in recent years because the threats have increased. Many solutions providers have latched onto this opportunity by building solutions, if not their entire business, around security and peace of mind.

At the same time, malware authors are only getting sneakier and more complex with their nasty apps. Ransomware variants continue to evolve and create agile moving targets for security software solutions. To combat the criminals, security software providers have had to get creative. Updates and enhancements are common, as vendors are doing their best to create software that’s smarter than the bad guys.

The challenge for many IT solutions providers is knowing which product is right for you and your customers. To that end, we examined business-class versions of products including AVG CloudCare, Bitdefender Cloud Security for MSPs, Kaspersky Endpoint Security for Business (KESB), LogicNow MAX Remote Monitoring & Management, Sophos Central, Symantec Endpoint Protection 12.1.6, Trend Micro Worry-Free Business Security Services, and Webroot SecureAnywhere — Business Endpoint Protection.

As we did with last year’s comparison, we decided to identify a few key areas readers would find important. As a primer, we hope to give you a shortcut in your research and help you make the best decision.

Platforms Supported

As we mentioned in last year’s comparison, today’s business users use a variety of devices, which can create security weaknesses if not addressed. Of those products we compared, all protect Windows environments. However, you will need to dig a little deeper when it comes to the exact versions of Windows supported. All support the majority of 32- and 64-bit versions of Windows, including Windows 10 at this point. Many also support retired versions of Windows. While Microsoft surely doesn’t want users still on Server 2003, it’s clear that many customers aren’t in the position to upgrade. The security products here all account for those customers unable to upgrade their systems to the most current versions.

If you need to protect Linux boxes, Bitdefender, Kaspersky, Sophos, and Symantec are the only vendors who indicated their support in this round-up. If you’ve got virtualized environments, the majority in this comparison support a variety of platforms.

If your customers are using an embedded version of Windows, such as POSReady 2009 or POSReady 7, Bitdefender, Sophos, and Webroot are the only platforms that clearly state their compatibility. Symantec does support various embedded Windows versions. Others might work with embedded versions of Windows but aren’t clear in their support for POSReady versions.

Today, Macs have entered the workplace. While many claim Apple devices aren’t prone to security threats like PCs, protection is still a necessity. All of the products here do protect Mac OS X, although you’ll want to look closely at what versions are covered.

Mobility is another key factor in securing today’s networks. Last year, AVG told us that support for Android-based devices was forthcoming. It’s good to see that the company followed through on that promise and addressed the need. Additionally, Kaspersky, Sophos, and Trend Micro cover mobile Android and iOS devices as part of their core offering. It’s important to note that the others do offer mobile protection; it just comes through one of their other products.

PSA/RMM Integration

As the backbone of an MSP’s operation, PSA (professional services automation) and RMM (remote monitoring and management) tools are instrumental at making solutions providers more efficient. With that in mind, you should heavily weigh the value in an integration between the automation tools you use and the endpoint security solution you rely upon. As mentioned last year, since AVG acquired Level Platforms a few years ago, the two products are tightly integrated into the AVG Business Managed Workplace RMM solution. The software can be accessed and administered via a cloud-based console.

Bitdefender Cloud Security for MSPs is integrated with ConnectWise for streamlined ticketing and billing. The solution is also integrated with Amazon Web Services (AWS), allowing MSPs to manage protection for physical, virtual, and AWS-hosted instances from the same console. Bitdefender also has dedicated plug-in solutions that are integrated with Kaseya and with ConnectWise/LabTech RMM platforms, giving MSPs the possibility of managing all security tasks from the same console they use to manage their other services.

Kaspersky Endpoint Security for Business has no integrations at this point.

LOGICnow’s security solution is part of its MAX Remote Monitoring & Management platform. It’s also important to note that much of the company’s security functionality is through a Bitdefender integration.

Sophos’ Central Partner Dashboard integrates with ConnectWise on the PSA side and will add more PSA vendors in the coming months. On the RMM side, MSPs can create scripts to deploy Sophos Endpoint agents across their customer base.

Symantec Endpoint Protection 12.1.6 has integrations with Kaseya, ConnectWise/LabTech, AVG, and SolarWinds N-able.

Trend Micro currently integrates with ConnectWise. A Kaseya plugin is being released in conjunction with Kaseya Connect in May 2016. Additionally, a ConnectWise/LabTech plugin is under development with a projected launch date in late Q2/early Q3 2016.

Finally, Webroot currently supports Autotask, ConnectWise/LabTech, Continuum, Kaseya, and Spiceworks (partially). Later this summer, Webroot will be launching a new API aimed at making integrations of its Global Site Manager (GSM) console with any third-party software straightforward.

Zero-Day, Ransomware Threats

It’s one thing for your security software to respond well to everyday threats, but another for it to adequately cope with new and unknown malware.

AVG CloudCare’s AntiVirus 2016 scanning engine implements AVG’s most advanced algorithms, providing better protection and shorter scanning times. It is also driven by new cloud-based detection technologies that leverage the majority of AVG’s 200 million endpoints to recognize new and emerging threats and deliver virus updates in as close to real time as possible. AVG also leverages real-time outbreak detection, which uses crowd intelligence technology to identify the newest malware variants and outbreaks in real time. Finally, advanced artificial intelligence has been added to proactively identify new threats in real time, before the company’s team has catalogued them.

There are several non-signature-based technologies that detect zero-day threats in Bitdefender (and therefore LOGICnow), but two of the most important are Active Threat Control and the Bitdefender Global Protective Network. Bitdefender Active Threat Control technology continuously monitors processes and applications for suspicious behavior. When a threshold of suspicious activity is reached, the zero-day threat is flagged and blocked without use of AV signatures. With a network of 500 million machines, Bitdefender’s Global Protective Network (GPN) performs 11 billion queries per day and uses reflective models and advanced machine learning algorithms to extract malware patterns, ensuring real-time protection against any threat.

As Kaspersky’s approach is multilayered protection, the company has implemented a set of layers that helps prevent zero-day infection. Kaspersky Systems Management analyzes systems for vulnerabilities and simplifies patch management and deployment, closing the gap between the time a zero-day is discovered and the time a patch is deployed. The Advanced Exploit Prevention system monitors all the processes running on a host and flags any malicious interaction between processes, which stops exploitation of vulnerabilities. The Behavioral Stream Signatures analysis engine prevents dangerous behavior and is thus able to prevent a wide range of yet-to-be-discovered threats.

For Sophos, the software detects and remediates memory-based threats as well as those that attempt to send outbound traffic to malicious sites. The company also has behavior analytics and heuristics analysis that prevent zero-day techniques and behaviors from executing. As most new malware involves variations on previous versions of the malware, the detection models from Sophos allow for significant variation in malware families to accurately capture current and future variants of the family without the need for exact signature matching.

The intrusion prevention system in Symantec Endpoint Protection can block many of the exploits from zero-day vulnerabilities. For those unknown threats, the software’s technology tracks the file reputation and identifies whether they are suspicious. But sometimes the only way to discover a threat is to catch it doing something bad, and that’s where the company’s SONAR comes in. It monitors what programs are doing on a computer by tracking more than 1,400 actions a program can take. It correlates the behavior, and if it figures out that the behavior is suspicious, SONAR blocks it immediately.

Trend Micro provides in-product, pattern-based, heuristic, and behavior monitoring techniques. Additionally, the company relies on Big Data analysis within its “Smart Protection Network” along with the help of threat researchers. Finally, the company now has the asset of the Zero Day Initiative (ZDI), which was recently acquired by Trend Micro with the acquisition of TippingPoint.

Lastly, Webroot was designed to examine all new files and changed processes and to categorize them as known good or known bad. It also can classify them as unknown/undetermined, which can occur with a zero-day threat. Files and processes that cannot be immediately classified (a zero-second dwell-time infection) are treated as suspicious and subject to close and controlled execution monitoring and journaling until a known good or known bad categorization can be accurately made. During the decision time, the device is protected from the impact of the malware, and any malware system changes are normally (at the administrator’s choice) auto-remediated.

Ransomware is its own beast to be reckoned with. AVG explained that dozens of active ransomware variants such as CryptoWall, TeslaCrypt, and Crypt0L0cker continue to extort victims daily, and now a Ransomware-as-a-Service model threatens to make matters worse. The most common infection methods are via exploit kits and phishing emails (as links or attachments). AVG has noticed many different approaches to creating ransomware, such as the programming language used. While C, C++, C#, and Delphi are very popular among malware authors in general, the company has seen ransomware created in JavaScript, Java, and even purely in Windows .bat files. All of the products in this lineup use a variety of methods, including those mentioned above, to curb the infection and spread of ransomware.

Licensing And Other Cost Factors

AVG provides CloudCare to partners on a subscription-based model with pricing per device. The company is also putting a distributor model in place to extend AVG CloudCare to distributors and their reseller networks. With monthly, annual, and two-year subscriptions offered, pricing tiers are based on the number of services chosen and devices/endpoints. For example, a customer would pay about $25 per month for the full range of solutions (excluding server backups) for 100 to 501 devices.

Bitdefender’s cost is based on the number of devices. MSPs using the monthly licensing model receive a pool of seats that they can use to deploy protection across any number of customers. The product reports the total number of computers that were active and protected by the MSP in the previous month, and an invoice is issued based on this number. The MSP has access to reports in the console showing how many seats were used by each of its customers. If an endpoint is offline during a month, it is not considered active and therefore not included in the invoice. There is no minimum spend or endpoint requirement.

For Kaspersky, MSP pricing is dependent on quantity and term of subscription. Kaspersky Endpoint Security is licensed per endpoint. According to the company, the majority of benefits of the Kaspersky MSP program are opened at 500 managed endpoints.

LOGICnow is priced per device and pay-as-you-go. There is a $50 platform fee plus $1 for the core agent (includes patch management), $3 for the vulnerability scanner, $1 for managed antivirus, and $1 for Web protection. This equates to $56 for the first workstation and $6 for each subsequent workstation.

Sophos pricing is on a per-user basis for endpoints and a per-device basis for servers. For MSPs, the partner owns the license and can distribute it across their customer base. Licensing is handled based on the total number of licenses deployed across endpoint products (endpoint security, Web protection, mobile, and email). This allows MSPs to quickly receive volume-based discounting. There is no minimum.

Pricing for Symantec Endpoint Protection is offered on a per-user model. Licensing for Symantec Endpoint Protection is perpetual and offered in 12-, 24-, or 36-month SKUs. There is no minimum spend for MSPs. However, Symantec does require that the MSP become a member of the Symantec Secure One partner program and complete relevant training requirements.

Trend Micro products are licensed per device. MSP Partners are provided access to Trend Micro’s License Management Platform, which facilitates self-provisioning of product licenses. MSPs provision and use whatever licenses they need and then pay in arrears for licenses consumed in the previous month. MSPs have complete control over licensing, including provisioning, increasing, and decreasing, without having to contact Trend Micro or their distribution partners for assistance. Trend Micro’s MSP Program has no minimums, no term commitments, and no up-front costs.

Webroot is priced per device per year. For MSPs, the company also offers annual billed monthly and utility billed monthly (no commitment). Licensing for MSPs is under the control of the MSP from within their GSM console. The MSP can issue licenses as needed, and Webroot reviews their usage as necessary. Licensing is also volume-tiered, so an MSP pays less per license when it reaches the next license tier. With the introduction of utility monthly billing with no commitment, there is no minimum spend. For annual committed contracts, there is an overall minimum of 100 device licenses per year.

Final Thoughts

An important factor for you to consider when reviewing these security solutions is the “weight” of the applications: that is, how they affect the systems they protect. Are they memory hungry or processor hungry? Do they slow down machines? These are certainly important factors, so we urge you to make use of the various benchmark studies that have been done. As you’re doing this research, one thing to keep in mind is the methodology. As you can see by reading how these solutions use different methods to protect systems, certain testing methods are inherently better or worse for certain products. Therefore, you should be sure to look at a variety of tests or, better yet, take advantage of free trials to test these products for yourself. Only you will be able to determine which is best for you and your customers.