Endpoint Protection Forum

Rhea Rapps
Content Specialist
IT Central Station
Jul 31 2018
We all know that it's important to conduct a trial and/or proof-of-concept as part of the buying process.  Do you have any advice for the community about the best way to conduct a trial or POC? How do you conduct a trial effectively?  Are there any mistakes to avoid?
James Carlson
You might want to start out with business cases ... ensuring that your endpoint solution begins to address those. Some ideas might include:
* antivirus
* antivirus updates via automation
* antivirus updates via cloud or on-premise automation
* antivirus reporting to a central on-premise management server
* do you want to rely upon static signatures?
* do you want to find the zero days?
* what about polymorphic / variants of previously known malware?
* will your antivirus mechanism share its discoveries with other machines / computers?
* do you want to share your information with the manufacturer (via cloud) or keep your discoveries in house / on premise?
* DLP - data loss protection
* DLP reporting to a central management server
* DLP - how easily configurable?
* DLP - what type of additional work will this entail for analyses, etc.?
* Host Intrusion Prevention (HIP)
* HIP - will it report to a central management server?
* How will all the central management servers communicate with each other / other computers?
* Do you have to tier the solution due to network segmentation / geographic considerations / size of deployment?
* Will the endpoint product talk to or receive from other security devices (email, web filters, etc. at the perimeter)?
* has Gartner developed some frameworks that are used for testing endpoint solutions?
* has Gartner at least tested the solution you are looking at?
* potentially check firecompass.com for endpoint solution comparisons?
* does the endpoint protection support all operating systems you are using?
* does the endpoint protection interface with other security products on the endpoint?
* logging ... is it detailed enough?
* do you want to automatically quarantine the computer if malware is found?
* go through the vendor's data sheet and ensure you check all capabilities and test them
* what things did the vendor promise? Test those.
* talk to a couple of their customers (same size organization if possible, using similar if not the same endpoint protection capabilities). Discuss roll out, problems faced, vendor assistance, etc.
A couple of ideas - certainly not exhaustive.
Wim Wilts
Some suggestions:
1. Some products you can test for a restricted period with a trial license.
2. It is possible to test in a virtualized environment (VMware, VirtualBox).
3. Today I tested a new version myself on a new server (nb: not live).
4. I made the mistake of installing SQLEXPRESS 14 on a 2016 domain controller.
5. After trial and error, I solved it with an extra instance on a SQL Server 2017.
6. Kaspersky Support was very fast and helpful with clear tips and tricks.
Eric Rise
Consult with several VARs for any product being looked at. If possible, work directly with the vendor of the product to avoid the VAR pressing you in any one direction. The product vendor can then point you to the proper / best-fit VAR offering the best price for the product, as this will vary based on VAR choice. Provide the VAR with a list of the things you need and then the things you might want in a product. Have a set of hardware and users that will be the test group for your product(s) being tested, then have a proper plan in place to document every step all the way through to the end result for each and every product being tested. Apples to apples as close as possible for all products to make a decision. It's not always about price either: expensive solutions hurt one time, cheap ones will hurt for a long, long time. Don't be afraid to contact the vendor either if you're not happy with a price or a VAR's service... that vendor will or should always be happy to accommodate your request as a customer / possible lead to become one. All other suggestions above here are all valid as well.
Sanjai Sivasankaran
User with 10,001+ employees
May 07 2018
We recently moved our AV solution from McAfee VSE to the new next-gen Cb Defense, and I would like to know thoughts on running Windows Defender along with it, like a fallback option that runs a traditional AV.
Rhea Rapps
Content Specialist
IT Central Station
One of the most popular comparisons on IT Central Station is MS Windows Defender vs Symantec EP.  People like you are trying to decide which one is best for their company. Can you help them out? Which of these two solutions would you recommend for endpoint protection? Why? Thanks for helping your peers make the best decision! --Rhea
Andre Barnett
If you have to choose between Symantec or MS, it would have to be Symantec. That is as long as you are willing to adopt more of their eco-system of solutions. It is more heavily geared towards file protection (can be good or bad, depending on the use case) but not dynamic enough in its policy creation capability. However, the same can be said for MS Defender. MS Defender has one major shortcoming, as it has tunnel vision on the Windows platform. It leaves exposures with other operating systems. Also, policy capabilities are not quite as effective and granular as one would think given the proximity to the Active Directory / Azure origin. I believe CarbonBlack is a superior solution. The breadth of its detection and response capabilities reside within the context of its primary solution. That said, if you are looking for a heavier AV solution, Symantec is the way to go.
Martin Carnegie
Between Symantec and Defender, the best of the two is Symantec for detections and false-positive rates. A couple of sites to check:
https://www.av-test.org/en/
https://www.av-comparatives.org/dynamic-tests/
One thing you will notice is that the first site does not even consider Defender as a corporate solution, so take that for what it is. One thing I will say about Symantec is the horrendous support. I find that every ticket I work on is pure frustration. Tickets are closed without actually solving the problem, constant debating around what the issue is and what the solution is. It has been driving me nuts! But that being said, the product is fairly easy to manage and has kept us pretty clean. Our worst issue is spear-phishing attacks, but these cannot be prevented by malware software that well. Symantec does offer a cloud connection for the agents now. My big issue right now is that you cannot have an internally managed server connect to the cloud (or the reverse) to provide information in a consolidated view. I am told that this is coming though. I could move everything to the cloud I guess, but that is something for the future.
Bruce Bading
Symantec Endpoint Protection and Windows Defender both have their strong points. Microsoft has made great progress in its free edition of Windows Defender in Windows 7 and the improved version in Windows 10. Its no-cost feature is its strong point. Symantec Endpoint Protection is a purchased product, but the cost is worth the price. SEP is always near or at the top of Gartner's Magic Quadrant both in execution and completeness of vision. In my 25 years as an IBM lead security engineer, I observed that SEP was chosen by IBM to protect its mobile workforce and also was the leader in Endpoint Protection chosen by the world's largest banks, retailers and organizations. Powered by Sonar and now a Machine Learning Cloud interface in SEP 14.1, it is in most experts' opinions the leader in Endpoint Protection. My current experiences have also shown that Symantec detects a far greater number of the zero-day threats than Windows Defender. However, the number of zero-day threats that can bypass the total of all anti-virus solutions has risen in recent years, and the problem is that even though solutions such as SEP 14.1 are moving to machine learning detection engines, the number of data breaches continues to increase exponentially as the malicious actors are beginning to use AI to create and distribute Advanced Persistent Threats, and it is a lucrative industry being run by organizations with a corporate structure mimicking the actual corporate structures of legitimate business. Today only a holistic approach toward a foundational implementation of fundamental security controls at all levels will decrease the growing number of data breaches, reputational damage and monetary losses. Threat Hunting is the new norm, and every organization should look beyond Endpoint Protection to early detection and a reduction in infection time by implementing an advanced Threat Hunting posture.
Beyond that, Governance, Risk Management, Compliance and an increase in security awareness from the boardroom to the ground floor are making the more mature organizations leaner, more agile and less likely to suffer a data breach.
Ariel Lindenfeld
Sr. Director of Community
IT Central Station
Let the community know what you think. Share your opinions now!
it_user400131
Evaluation of endpoint protection should look at what the product offers for prevention, detection and remediation. On prevention: does the product provide basic exposure prevention, the ability to prevent the end user's device from navigating to known malicious sites, or from inserting unauthorized external media (USB)? Does the product prevent the execution of malware, either through heuristic matching, emulation, download reputation or signatures? If exposed to malware, does the product provide robust malicious action detection: run-time behaviors, exploit detection, malicious command-and-control beaconing, etc.? Last, the product needs to include robust remediation capabilities, not simply malware removal but the ability to understand the root cause of the threat and what led to the detection of malicious activity. With that last bit of information you should be able to scan the network for other similar indicators of compromise, so you can fully remediate the detected activity. Often malware today involves the exploitation of running applications with no payload delivery; in these situations it is critical that the endpoint product can detect/block and take action on memory-resident threats. It gets fairly complex, but the key evaluation criteria are what it does to Prevent, Detect and Remediate malicious activity. Any vendor without a good story for all of this is just a point solution in the overall security posture for your company.
Gareth Brown
Key points for me are speed, scale & reporting, and I generally classify my toolkit into these compartments.
