gartner-epp-comparisonIf you work in IT, it is only a matter of time before you will be involved in a group trying to figure out which EPP (Endpoint Protection Product) security software to buy.

The trend today is to get away from signature based AntiVirus which is great at stopping last weeks viruses.  Most companies want/need a Next Gen Anti Virus product like Carbon Black Defense, Invincia/Intercept X, or Cylance) because they are evaluating the BEHAVIOUR of the computer.  For instance, it is a rare day that files should be in the process of encrypting so software like Carbon Black Defense will block any unauthorized encrypting.

I have gone through this process numerous times over the last 20 years and have developed the following evaluation grid to help me determine which AntiVirus (Defender, SCEP, Sophos, Trend, McAfee, Symantec…) or Next Gen AntiVirus (i.e. Cylance, Carbon Black, Trusteer, Invincia, Dell Secure…) you should choose.

Gartner-Magic-Quadrant-for-Endpoint-Protection-Platforms-2018There us much more to an anti-malware package than just the performance, or price, or management.  All of these factors must be combined when making a decision.  You can easily copy the table from below to an Excel sheet and add columns for each of the products you are considering.  Some will fall off your list before you test just as a result failing some key aspect in this grid (i.e. cannot whitelist filenames).

All that being said, the most important thing you need to do with any security products is test it in a lab and then in a small production group BEFORE you go live.  For testing in a lab we highly recommend you download todays zero day malware and run them against a test PC to see what is blocked and what is not.

There are always more options to evaluate than are shown on any list so add the extra items you care about (i.e. Personal Firewall, Full Disk Encryption, new features scheduled in the immediate future …)

 

Feature

Explanation

Hosted Management Console (SaaS)vs On Prem Install
Initial Deployement Methodvia .exe, .MSI, web based..
Update Deployment Methodvia their console or do you have to push the updates
Initial Deployment Require RebootYes or No
Client Updates Require RebootYes or No
Frequency of Client UpdatesWeekly, Monthly, Quarterly, random
Registered as the AntiVirus in Windows Security CenterDoes it play nice with existing Anti Virus or does it replace it
Whitelisting AlertsKeep block behaviour but stop sending alerts -not many can do this
Corproate Password ProtectionBlock reuse of corporate PW on Non-corporate websites
Injection Protection Memory ScramblingGoogle ASLR
RTLO (Right To Left) ProtectionGoogle RTLO attack
Cryptoware Blocking & Zero DaysThey will all say YES, but you should download and run some zero day infection tests to confirm
Java ScanningShockingly, not all do check Java (i.e. Cylance and Dell)
Detect VSS Shadow Copy DeletionYes or No – almost all malware does this
DNS FirewallBlock URLs from known bad list – see www.d-zone.ca
Sand Boxing Apps in VMWas very popular but caused many problems – most companies have droped this
Whitelisting Path’si.e. C:\dev-work\*
Whitelisting Path’s with Wild Cardsi.e. *\dev-grooup\dev-work\*
Whitelisting File Namesi.e. my-internal-app.exe
Deploy By Groupsi.e. Hostnames or IP Ranges
Can Desktop Agent Be Disabled By a Local AdminYes or No
Branded User Alertsi.e. Company Logo and Call Helpdesk Text
Combined Admin Email Alertsor do admins receive an email storm – causes IT staff to ignore email alerts
Desktop Performance HitAll will SAY is is minimal – benchmark your testing
Lag Time Between OS Release and Supporti.e. After Win10  1803 was released in April – how long did it take so support it
Corporate PC VersionYes or No
Corporate Server VersionYes or No
Android VersionYes or No
iOS VersionYes or No
Home PC VersionYes or No
Email Support Typical Response Time30 mins, 4 hours, Next Day…?
Phone Support – 24 HoursHow Much Additional Cost
Phone Support – Local Business HoursHow Much Additional Cost
Aggressively Negotiated Price$ ??? – Prices are VERY negotiable regardless of what a sales rep tells you
What was it called 3 years agoThere have been many mergers and acquisitions resulting in new names for old products (i.e. Invinica is now Sophos Intercept X, and Trusteer is now IBM)
Forester Overall ScoreCheck Forester Ratings and comments
Gartner Magic Quadrant RatingCheck Gartner Ratings and comments – search for EPP MAGIC QUADRANT
Comments
Useful Links

 


0 Comments

Leave a Reply

Avatar placeholder

Your email address will not be published.