10 cutting-edge tools that take endpoint security to a new level

The 10 products tested in this review go beyond proactive monitoring and endpoint protection and look more closely at threats

Page 3 of 5

Cybereason's agents are visible in the Windows Control Panel Programs listing, but that is all that an end user can see. Agents can be remotely updated from the management console, and an administrator can disable data collection or restart the agent too. Users can be added in one of several roles such as analyst, sysadmin, or executive: that level of granularity is superior to most of the other products we've tested.

Pricing starts at $75 per endpoint per year, with substantial quantity discounts available. This puts it at the top of the price range of the products we reviewed.

ForeScout CounterAct

ForeScout's CounterAct grew out of its early experience in the Network Access Control (NAC) market and still strongly reflects that history, although you can use the product without ever turning on any of its NAC features and just focus on the endpoint controls. Unlike most of the products that are part of this review, you can operate CounterAct without installing agents, although they are available for Windows, Mac and Linux endpoints. Because it doesn't exclusively rely on agents, it is good for monitoring headless IoT and other embedded types of devices. It is now used in several very large installations, including one managing more than a million endpoints.

CounterAct comes in two pieces. The first is either a dedicated rack-mounted appliance or a physical server or VM that can run on ESX or Hyper-V; it runs its own version of Linux. The second is a dedicated Windows-based management server. Getting both to work together is somewhat involved. There are dozens if not hundreds of options to get the product working correctly, and it is easy to miss a checkbox here or there: this is definitely a product for experienced consultants on a professional services contract to help get you started.

The management console is where you apply updates -- and there were more than a dozen software modules that needed updating on our box. This took several hours to download and install. Once this is done, you configure specific protection features and other administrative tasks. Then you need to start setting up your protection policies, which are written in XML and can be downloaded from the ForeScout support site to get started before you customize them for your own purposes. These policies are the heart of the product, and where the meat of its activities takes place. Policies can be mapped to particular network segments, or types of endpoints (such as embedded devices or guest smartphones).

CounterAct works best when authenticating users through Active Directory or some other LDAP service. Being a NAC product, it also would like to connect to a network span port and manage your switches so it can keep track of what is running on which switch port for further network protection. But even if you don't set these features up, there is still a lot that you can control and manage on your network.

If you already have a solid idea of what your network compliance rules are or have a high confidence that you have a properly documented network, this is a great product that can encode these rules directly into its protective features. If your network has grown or changed since you last attempted a compliance audit, then this product will force you into cleaning up your act and that could be very painful.


Once you have your policies, you can start examining your network. If your PCs aren't compliant, you can remediate each PC, run a script to force an update to install a piece of software, send a notification email, and dozens of other actions. All of this is available via a series of choices with a right mouse click.

This product is a user interface nightmare, mainly because of the numerous controls and methods that you need to access its various pieces. There are actually two separate menu displays. First are icons across the top labeled NAC, Inventory, Threats, Policy, and the main dashboard display. Second are the series of text-based menus (such as File, Reports and Tools), some of which duplicate the icon-based menus. Then there is the appliance, which has a web-based interface: this is where you access some of the various reports -- others are in the previous menu.

Agents (which ForeScout calls its secure connectors) can be installed from the web interface of the appliance as permanent applications or as dissolvable, meaning they don't survive a reboot. What makes this product impressive is the level of control that you have even if you use agentless operations. As evidence of this, the documentation runs to more than 750 pages.

ForeScout has designed this product more for enforcing network policies and orchestration with other network security tools. There are more than a dozen extra-cost integrations with Palo Alto Networks, Bromium, FireEye and numerous others documented on the ForeScout site, along with a long list of other vendors of anti-virus tools and network switches that it integrates with. Sadly, each of these integrations is specified in a different part of the product, which adds to its configuration complexity.

ForeScout CounterACT appliances are available in a range of sizes starting from $4,995 to $182,000.

Guidance Software Encase Endpoint Security v5.12

Guidance Software's Encase has been around in the forensics business for more than a decade, and has a product that is both mature (for functionality) and still needs work (for its usability). It is a crazy quilt collection of both web-based and Windows dashboards and controls, software routines and seemingly endless menus-within-menus.

With millions of instrumented endpoints, including some very large installations, it is a worthy contender. However, installing this product on a Windows Server is more of a professional services situation: you have a series of different servers, including a license for Tableau for its analytics, and bits and pieces of Microsoft infrastructure including IIS, SQL Server and the .Net framework. It will take days if not longer to get your arms around the product, and get everything tuned up and functioning. Overall, the goal of Encase is to provide context to your security events and understand what is going on with your endpoints.

On the upside, Encase has a full complement of endpoint agents for Windows, Mac, and Linux machines. These agents are mostly passive elements and are only called upon to provide details very infrequently. If you are looking for a real-time security monitor, this isn't the tool for you. Encase assumes that an infection spreads gradually and can be contained with careful analysis, rather than setting off a fire drill and near-immediate response. It isn't designed to be watching your endpoints every millisecond, or even daily. What it does well is reach deep inside your collection of endpoints to understand what has been changed as a result of a bad actor or a piece of malware.

The Guidance folks have put together assessment tools that mimic the underlying OS so closely that you can see exactly what kind of "residue" is left behind by a piece of malware: what Windows Registry items have changed, what is now in your browser or file cache, what has been added to the file system, and so forth. As one support engineer told me, "We don't trust the underlying OS to tell us anything that we can't verify on our own." Unlike some other tools that try to run malware in a sandbox, they run malware in their own OS simulators, with the hope that they can catch what is going on by using their various instruments and analyses.

In addition to the endpoint behavior collection, Encase also culls security alerts and log files from a large group of appliances and applications, including FireEye, SourceFire, Radar, ArcSight, BlueCoat, Palo Alto Networks, Splunk and McAfee -- just to name a few. But what is missing from this is a way to interact with a series of threat feeds that other products offer. That isn't their strength either.

The Encase product is actually an amalgam of three previous products that do very different things and have been bolted together:

  • Alert triage, where you can discover and prioritize handling of security events and make sure you are tackling the biggest issues first.
  • Incident response, where you can bring the full collection of tools to prevent an infection from spreading or continuing to confound your network.
  • Threat detection and remediation, where you can visualize what is happening to your network. This is still a work in progress.

These three products have a series of menus and tasks that bring up separate tabbed dialogs in the Encase Windows client. In addition to this are a series of web-based reports. That is a lot of information to absorb, which is one reason why you will be spending a lot of time in training initially to understand the scope of the product.

We mentioned the analytics portion of the product. The ideal use case is to run these weekly on a large network, and start working through the indicated changes that are flagged. The Tableau business intelligence analysis schema means customers can integrate their own tools around it, and write their own analysis routines to complement what Guidance has already done.

One irony of Guidance Encase is that, because few of its competitors have the trifecta of Mac/Windows/Linux coverage, you notice that it doesn't have agents for non-desktop operating systems such as iOS, Android and embedded devices. Those are in the works but not yet available.

To begin your investigation, you first take a snapshot of your network and start making simple queries of your domain. This polls the endpoint agents and delivers about 10KB of information per agent. You can then proceed to look at the processes that are running on each endpoint, and gather hashes for anomalies.

This is a tool that can be used both by an incident responder and to monitor security operations. As an example of one such discovery tool, it supports both Virus Total feeds and open-source YARA rules to match malware patterns, and YARA rules can be imported en masse too. This is where the UI issues that we mentioned earlier are a real hindrance. If you are going to get good at using Encase you are going to have to spend a lot of time inside its various interfaces and understand its peculiar workflows.

Once you figure out what is wrong with your endpoint, there are numerous remediation options available, including being able to back out of a particular endstate, wipe various Registry keys or kill particular processes. Encase also has tons of pre-set incident response reports that are very detailed, yet hard to parse.

We tested Encase on a sample network of about 100 machines that Guidance had mostly set up for us in advance. We examined its analysis and reports that covered a variety of typical infections and exploits.

The product has a very complex pricing scheme but it starts at $44,000, including some professional services installation and consulting. There is also a wide array of training resources available, both classroom and online. Most of these will cost several thousand dollars per student.
