10 cutting-edge tools that take endpoint security to a new level

The 10 products tested in this review go beyond proactive monitoring and endpoint protection and look more closely at threats

Page 2 of 5

We tested Sentinel on a series of VMs, both running the server and various Windows endpoints. The collection server will need a very hefty 64GB of RAM and two separate gigabit network cards. When you install the server on a CentOS machine, it sets up a web-based dashboard and management console. The console is very cleanly designed with a series of menus for intelligence summary, searches, configuration and reports.

There is a separate dashboard to manage its Cloudera-based cluster, which is used to scale up for larger network collections. The cluster is used for analysis: information from a local collection server is de-duplicated and compressed and sent to the cloud automatically.

Sentinel's executive dashboard shows a summary of what has been detected and the severity of the infection or errors it has found. Threats are grouped by OS type and have other customizable filters, and you can drill down to examine what set off its detector.

It can automatically correlate threats by factors such as business unit or patch level, so you can manage a collection of endpoints with similar circumstances as a group. Like other products, it lets you view the entire malware execution chain, showing the various processes and steps an infection took to compromise your endpoint. It can also look at DNS queries and map them to particular running processes for easier identification.

Its search feature is powerful and can span many security events to get an entire picture of what happened. Searches can be saved in a "favorites" queue for quick reference. The search screen is probably where you will spend most of your time, as you uncover network events and try to remediate them. Remediation includes being able to quarantine various offending endpoints, terminate specific processes, deny network access to a particular endpoint, or set up whitelists to exclude any known and benign processes from further observation.

Almost everything about Sentinel is customizable. The bad news is that you will have to learn the Cyber Observable Expression (CybOX) XML open-source scripting language. It is used by a variety of vendors to help automate the exchange of threat data and is managed by the US government contractor MITRE Corp., so as you might imagine it has widespread support in that community.

For example, you can characterize a series of security events in an email that can contain a file hash or a description of a Windows Registry key that has been tampered with. These events can then be shared across a variety of threat management systems. All of Sentinel's detection profiles are written in this language, and several sample ones are included by default. You can add your own oddball behaviors and SIEM and feed integrations using these scripts.
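To make the CybOX example above concrete, here is an added Python snippet (not from the review, and not Sentinel's own code) that parses a small constructed CybOX 2.1 document holding exactly the two event types mentioned, a file hash and a tampered Windows Registry key, into plain dicts that a SIEM feed or detector could consume. The namespace URIs are CybOX 2.1's own as best I know them, and the hash value is a placeholder.

```python
import xml.etree.ElementTree as ET
# CybOX 2.1 namespace URIs (as published by MITRE, to the best of my knowledge).
NS = {
    "cybox": "http://cybox.mitre.org/cybox-2",
    "cyboxCommon": "http://cybox.mitre.org/common-2",
    "FileObj": "http://cybox.mitre.org/objects#FileObject-2",
    "WinRegKeyObj": "http://cybox.mitre.org/objects#WinRegistryKeyObject-2",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}

# Constructed sample: one file-hash and one registry-key observable. The xmlns
# declarations are generated from NS; the hash value is a placeholder, not real.
SAMPLE = ('<cybox:Observables cybox_major_version="2" cybox_minor_version="1" '
          + " ".join('xmlns:%s="%s"' % kv for kv in NS.items()) + r""">
  <cybox:Observable id="example:Observable-1">
    <cybox:Object id="example:File-1"><cybox:Properties xsi:type="FileObj:FileObjectType">
      <FileObj:Hashes><cyboxCommon:Hash>
        <cyboxCommon:Type>SHA256</cyboxCommon:Type>
        <cyboxCommon:Simple_Hash_Value>0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef</cyboxCommon:Simple_Hash_Value>
      </cyboxCommon:Hash></FileObj:Hashes>
    </cybox:Properties></cybox:Object>
  </cybox:Observable>
  <cybox:Observable id="example:Observable-2">
    <cybox:Object id="example:RegKey-1"><cybox:Properties xsi:type="WinRegKeyObj:WindowsRegistryKeyObjectType">
      <WinRegKeyObj:Hive>HKEY_LOCAL_MACHINE</WinRegKeyObj:Hive>
      <WinRegKeyObj:Key>Software\Microsoft\Windows\CurrentVersion\Run</WinRegKeyObj:Key>
    </cybox:Properties></cybox:Object>
  </cybox:Observable>
</cybox:Observables>""")

def parse_observables(xml_text):
    """Flatten CybOX Observables into plain dicts a SIEM feed or detector could consume."""
    root = ET.fromstring(xml_text)
    xsi_type = "{%s}type" % NS["xsi"]
    results = []
    for obs in root.findall("cybox:Observable", NS):
        props = obs.find("cybox:Object/cybox:Properties", NS)
        if props is None:
            continue  # e.g. an Observable_Composition with no direct Object; skip it
        entry = {"id": obs.get("id"), "type": props.get(xsi_type)}
        if entry["type"] == "FileObj:FileObjectType":
            entry["hashes"] = {h.findtext("cyboxCommon:Type", namespaces=NS).upper():
                               h.findtext("cyboxCommon:Simple_Hash_Value", namespaces=NS).lower()
                               for h in props.findall("FileObj:Hashes/cyboxCommon:Hash", NS)}
        elif entry["type"] == "WinRegKeyObj:WindowsRegistryKeyObjectType":
            entry["hive"] = props.findtext("WinRegKeyObj:Hive", namespaces=NS)
            entry["key"] = props.findtext("WinRegKeyObj:Key", namespaces=NS)
        results.append(entry)
    return results
```

Hash types and values are normalized (upper-case type, lower-case hex) so the output can be matched directly against a blocklist or a VirusTotal lookup regardless of how the sender cased them.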

There are two different sensors: the basic one is less than 2MB; a more advanced one is smaller, more comprehensive and stealthier. Neither shows up on the running Programs list in the Windows Control Panel, and neither has any user-accessible controls or other desktop icons.

The basic one supports a wider collection of OSes because it uses the Windows API rather than the Sentinel API set. Both communicate by default over SSL on port 443 to the collection server. The server can be installed on a physical PC or via an OVA file on a VMware ESX hypervisor.

Sentinel has a number of integrations available. It has an option to automatically query VirusTotal with hash data collected from your endpoints and report the number of antivirus engines that consider the associated file to be malicious. You can also export its data to various SIEM tools for further analysis, and its analytics can integrate with Blue Coat's security analysis tools. Finally, you can export various on-screen reports to CSV files.

Pricing for Sentinel is relatively simple: there is a starter pack for up to 250 endpoints. Beyond that, pricing depends on the endpoint type: $50 per year for a regular endpoint or $100 to $125 per year for a server. There are quantity discounts and specials for managed service providers who want to deploy the solution.

CrowdStrike Falcon Host

CrowdStrike's Falcon Host combines several functions into a very attractive package, from the perspective of both the user and the IT administrator. It is one of the easiest products to install: you start off with a web-based console to operate a cloud instance of its server. From there you download agents or sensors for a variety of Windows, Mac and Linux endpoints. The Windows sensors come in 32- and 64-bit MSI files; once these are installed they automatically connect with the server instance. There is no interface on the desktop, and nothing shows up other than an entry in the installed programs screen in Control Panel. You don't even have to reboot your computer to start using the software's protective features.

Falcon's core technology is very hash-based. Instead of concentrating on scanning your endpoint for an infection, it first tries to classify whether it has seen this hash before and what it is doing to your machine. The database is updated from hashes found in VirusTotal and whenever any of its sensors finds a new hash in the wild. When it finds a matching hash, the executable is immediately blocked. Unlike some of the other products, you don't adjust the threat thresholds that kick off the blocking action: CrowdStrike does this in its cloud-based management tool.

The company claims some large installations of 80,000 endpoints that were installed in less than a few hours. This seems accurate, and we were up and running within minutes with our first couple of endpoints.

The main console has a very clean design: the main menu strip is on the left side and sub-menus are spread across the top of the screen. The main menus are broken into three dashboards, a news feed about product updates and release notes, a consolidated security events feed called actors, a summary of what has been detected across your endpoint collection, a screening tool that can be used to evaluate any hash or file using drag and drop, an investigation console and a series of configuration settings. This seems very logical and keeps switching back and forth among screens to a minimum.

The settings screens are shown in the Response sub-menu and have a series of on/off switches to enable various features, such as blocking particular exploit categories, sensing Cryptowall or other ransomware or Windows login bypasses. They have beefed up the ransomware detection in subsequent updates too and have a demo video of this up on YouTube. There is an accompanying FAQ that explains what each switch accomplishes.

The three dashboards include an executive summary of what is going on, a summary of what has been detected across your network, and what has been resolved either by the product or by manual intervention. All have a nice series of graphs and charts that are actionable: if you find a particular threat, you can click on it and drill down to get more information about what Falcon found and what it did with it. In many cases, if it finds something objectionable, it will take care of it quickly and automatically.

The detection screen is where you will spend most of your time. It's where you can see who has been infected, decide what to do to remove any infection or analyze the exploit with additional tools. There is a more detailed event search screen to track down similar events. A connection to Splunk's process chain diagram is built-in, which shows you how the exploit moved through your endpoint. There are also search screens where you can cut and paste a hash value of your exploit and drill down further.

While we were conducting our review, CrowdStrike added a new feature called network containment to Falcon. This is similar to its competitors' features: you can essentially turn off a PC's network connectivity while still allowing communications with the Falcon host, so you can block any suspected activity and perform any necessary remediation. It can whitelist particular IP addresses and work with several incident response systems.


The investigate screen has search fields for user and computer names and a time range. When you locate your particular endpoint you can view an entire history of what has happened with that particular endpoint, where it has connected across the Internet, what zip and other compressed files have been downloaded, if any removable media has been attached and other information. Entries are all hot-linked so you can drill down further and see what has caused the behavior to be flagged by Falcon.

One small limitation is that users can only be added from the same network domain.

Falcon has a lot of depth and that is both a good and bad thing. If you have an active network with a lot of potential infections, you might be overwhelmed with its various responses and summary screens. But it also takes care of the most common infections automatically, without any operator intervention. CrowdStrike also provides a free host data collection tool called Crowd Response. This can gather system information, describe running processes and work with YARA rules for incident responders and can output reports to HTML for further analysis.

CrowdStrike has a separate connector that is installed on-premises and hands over information about exploits to various SIEM tools. They currently work with IBM QRadar, HP ArcSight, RSA Security Analytics, McAfee (formerly Nitro Security), TrustWave, and LogRhythm products. They also work with various other security partners, including ThreatConnect, TripWire, Zscaler, ThreatQuotient, ThreatStream, Infoblox, RiskVision, Check Point and Centripetal Networks. These integrations are through a well-documented API.

Falcon will cost $30 per endpoint per year, with quantity discounts available.

Cybereason
Cybereason comes either as a SaaS-based service or as a series of Linux servers packaged as a VMware ESX-based OVA file. It has agents that support Windows, Linux and Mac endpoints that are downloaded directly from the web-based management console. It is designed for real-time malware hunting and has a nice series of visualizations to understand what is invading your network.


The console has a small pop-out menu on the left side that will direct you to a dashboard of discovered attacks, a "malops inbox" which is used by analysts to fix the problems, an investigation tab where you can examine in more detail what is going on with your endpoint, and a system tab where you can look for particular endpoints, see summary statistics, assign users and download agents and more than a dozen server logs. Compared to other products, this console is pretty lean and clean.

The top-level "discovery board," which is what the company calls its dashboard, will show you a summary of infected endpoints, when the activities first hit your network, and classifies them by specific activity: pure infections, privilege escalation, file scanning, lateral movement, connections to command and control servers, and any data theft. While these classifications are nice to see, you need to click on the specific infections to go to a more detailed analysis screen.

Here you can drill down with most entries to explore what is going on: for example, view all the network interfaces of an infected PC, examine running processes, and see why the endpoint was tagged as infected. There is a nice graphical representation of the infection chain, similar to other products that show the progress of the malware.

There are four sections of this display: an overview, a section that dives deeper into the infected processes, and sections with more details about the users and machines linked to a particular exploit. For each endpoint you can observe disk, CPU and memory usage as small graphs to help flag oddball behavior. Rather than having its own reporting modules, some of this information can be exported as CSV files, which you will need to process further to understand the behavior.

Once you find an exploit, you just have to click a small "remediate" button in the lower right corner of the screen; this is done for each infection. It is easy to miss this button at first. You can select all the running processes that are misbehaving, or just one in particular.

To help with evaluations, Cybereason has developed a sandbox that contains some pre-set malware along with instructions on how to use its product to identify these infections. That can be very helpful in getting started, as the management console is so sparse and without any help or other documentation.

Like other products, it lets you disconnect the endpoint via a newly added feature called Attack Blocker. And you can add your own security intelligence feeds to help with identifying infections through the TAXII format. One drawback: once a PC is disconnected from the network or the probe is disabled, you can't manage it either.

Some other issues: Cybereason requires a large-resolution monitor (1920x1200 is best) to view its console; it would be nicer if the software had a responsive design that fit smaller screens. And the listing on the System/Probes screen that shows healthy PCs doesn't really mean that they are infection-free, only that their agents are up and running and can communicate back to the management server. That is somewhat confusing. These drawbacks show that Cybereason is still adding features and abilities that most of the competition already has. While its console is nicely designed, it still needs some work.
