10 cutting-edge tools that take endpoint security to a new level

The 10 products tested in this review go beyond proactive monitoring and endpoint protection and look more closely at threats

Page 4 of 5

Outlier Security v2.1.2

Outlier Security has an interesting twist on EDR: they combine the best of both the SaaS and on premises worlds. The company has some very large installations, including a customer with more than 50,000 protected nodes. It can be brought up and run within a few minutes.

You first connect to its SaaS portal with your web browser; before doing so you will need to install both Microsoft Silverlight and the .NET Framework. Then you download its "Data Vault." This resides on a local Windows computer that is used to launch scans across your network using Windows networking services. The vault is provisioned by the SaaS portal and can be on any machine as long as it is joined to a Windows domain and is running .NET. The vendor recommends that each vault hold information on no more than 10,000 endpoints, for performance reasons.

Once you have a Data Vault installed, you next set up different "channels" that are used to delineate your various endpoint scans. These channels define your network IP address range, what you wish to scan for and automated schedules. You can set up different channels for particular classes of devices, such as all PCs in a specific department, endpoints that handle sensitive data, and so forth. The scans take some time to complete, particularly on larger and more complex networks.

There are eight targets that are part of a scan, including processes, registry elements, network elements, users, and other items. Once these are specified, the software will begin looking for malware. It scores each item according to built-in weighting algorithms and presents them in a series of on-screen reports. You will want to spend some time understanding its filtering abilities, because it presents a lot of information to sift through.

Outlier starts out with a dashboard that is more a launch pad for particular actions, such as showing alerts, a summary of endpoint conditions, what malware has been discovered, and actions involving lateral movement or data loss. Once you get into one of these activities there are two sets of menu controls: First is a high-level series across the top of the screen that divides the actions among the main dashboard, results, investigations and administrative tasks. Then there is an interesting circular menu for other more specific actions: to run reports, to remediate the endpoint, and to filter information. When you run the remediation task, it asks you which files and Registry entries you wish to remove from your endpoint. These all will require endpoints to be rebooted, a somewhat cumbersome process but understandable given that there isn't any agent software.

Outlier is impressive, given that it is agentless, but it is only available for Windows computers. Because you perform its scans on a regular basis, it is best used for longer-term detection rather than real-time analysis. They have recently beefed up their set of APIs and Python SDK, which allow you to scan an endpoint on demand through either Splunk or AlienVault.

Pricing is $40 per endpoint per year, with quantity discounts available.

Promisec PEM v4.1.2

Promisec has a slightly different approach: The product consists of its endpoint manager (PEM) server running a series of modules, along with the Sentries. This means there is no agent or sensor software installed directly on endpoints. Instead, it uses Windows-based (Server 2008 or above) Sentries on each network segment that you wish to monitor.


This means it can be more comprehensive in its analysis, since you don't have to wait for the vendor to support a particular OS version or embedded device. The endpoints can be running any Windows, Linux or Mac OS version. They are monitored over SSH (port 22) and with Nmap.

When you first bring up PEM, there are up to five modules: compliance, management, automation, power manager and inventory. Each has its own Windows-based console (there are no web versions, unfortunately). The inventory console will show you the current status of your endpoint collection, what kind of hardware and software applications the detection server found, and a nice listing of what is new since you last took stock. You can search by computer name, IP address, OS, and a dozen other parameters, and save these queries for easy access later.

The compliance console will show software that isn't up to spec, and particular processes that look suspicious. You can right-click on a particular entry and run additional forensics on it, whitelist the entry to avoid it showing up again, take over control of a particular endpoint and install software on it, send a message to that machine, perform an NMAP port scan, or view what else is running on that particular machine.

Further automated remediation actions can be launched from that particular console, such as installing software, running scripts, or updating anti-virus protection. Finally, the power management console can set up a coherent power savings policy across all your endpoints and calculate the overall energy savings. Given that there isn't any agent installed on the endpoint, that is a pretty impressive list of actions.

Each console has its own series of pre-set reports: the compliance manager for example, comes with more than 60 pre-set reports, such as endpoints missing patches and not running host-based firewalls, among numerous other things. There is also a link to download a PDF of the entire user guide.

Clicking on the top-level management tab will bring up the active duty roster. This will show you general status of PEM, and where you can set up audit trails, schedule overall network inspections, show which sentries are operating and how you can deploy new sentries on additional network segments. You can set up a series of duty rosters that cover different portions of your network if you have different staff people assigned that way.

PEM has three roles: administrators, who have full access to set up policies and make changes; users, who can view system status, policies and reports; and viewers, who can only see the reports.

At the heart of PEM are its security policies, which cover a lot of ground. They include both applications that should and shouldn't be present on endpoints, and what should happen if PEM finds anything amiss. The unauthorized categories include peer-to-peer software, remote control applications, hacking tools, particular files and network management tools. Each category has an extensive list of programs that you can toggle on or off the list of prohibited apps. There is a lot of power in this part of the product, and while it could get tedious, it shows the depth of PEM.

For example, you can specify which Service Pack level is considered acceptable for each version of Windows to pass your compliance policy. There are numerous other options here, including the ability for PEM to detect if an anti-virus program is installed but stopped from running: PEM can attempt to restart the service and set it up to automatically be started in future reboots.
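The two checks just described, a minimum Service Pack per Windows version and an anti-virus service that is installed but stopped, shown as an added PowerShell illustration that is not Promisec's code. It assumes WinRM access to the endpoints with an account allowed to control services remotely, uses WinDefend as a stand-in for the anti-virus service name, and the Service Pack baseline table is constructed for the example.

```powershell
# Constructed baseline (assumption): minimum Service Pack per Windows NT version prefix.
$MinServicePack = @{
    '6.1' = 1   # Windows 7 / Server 2008 R2 must be at SP1
    '6.0' = 2   # Vista / Server 2008 must be at SP2
    '5.1' = 3   # Windows XP must be at SP3
}
$AvServiceName = 'WinDefend'   # assumption: the anti-virus service to watch

function Test-EndpointCompliance {
    param([Parameter(Mandatory)][string]$ComputerName, [switch]$Remediate)

    $findings = @()

    # Service Pack check: compare the endpoint's SP level with the policy baseline.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $ComputerName
    $prefix = ($os.Version -split '\.')[0..1] -join '.'
    if ($MinServicePack.ContainsKey($prefix) -and
        $os.ServicePackMajorVersion -lt $MinServicePack[$prefix]) {
        $findings += "OS $($os.Caption) is at SP$($os.ServicePackMajorVersion); policy requires SP$($MinServicePack[$prefix])"
    }

    # Anti-virus check: present but not running is the case the policy cares about.
    $svc = Get-CimInstance -ClassName Win32_Service -ComputerName $ComputerName `
        -Filter "Name='$AvServiceName'"
    if (-not $svc) {
        $findings += "Anti-virus service $AvServiceName is not installed"
    } elseif ($svc.State -ne 'Running') {
        $findings += "Anti-virus service $AvServiceName is installed but $($svc.State)"
        if ($Remediate) {
            # Same remediation the review describes: restart the service and make
            # sure it starts automatically on future reboots.
            Invoke-CimMethod -InputObject $svc -MethodName ChangeStartMode `
                -Arguments @{ StartMode = 'Automatic' } | Out-Null
            Invoke-CimMethod -InputObject $svc -MethodName StartService | Out-Null
        }
    }

    [pscustomobject]@{
        ComputerName = $ComputerName
        Compliant    = ($findings.Count -eq 0)
        Findings     = $findings
    }
}

# Example sweep over a constructed list of endpoint names.
'pc-finance-01', 'pc-hr-02' | ForEach-Object { Test-EndpointCompliance -ComputerName $_ -Remediate }
```

Run without -Remediate to get a report only; the Findings column lists each policy violation per endpoint.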

In addition to all of these features, there is also lots of extensibility built into the product, letting you add your own actions to be carried out if something doesn't fit into its existing categories, such as doing a DNS lookup on a network segment to see if some piece of malware has tampered with it. The only trouble is that this isn't really proactive: generally you don't know what you don't know until you have been hacked in some odd way.

We tested PEM on a Windows 2012 Server. You have to open port 445 for it to communicate with your endpoints. PEM is priced on the number of endpoints and the protective modules chosen; it starts at $60 per user per year.

SentinelOne Endpoint Protection Platform v1.6.1

SentinelOne's Endpoint Protection Platform comes in either SaaS or on-premises versions; we tested the SaaS product. There is a web-based management console, like so many of the other products in this review. It also has a clean collection of tools, with primary menus listed down the left side and sub-menus across the top.


The main menu categories include a summary dashboard that shows a live news feed from the company's blog along with a world map showing where threats originate. There are other menus for network activity, a series of analysis routines, and blacklists and whitelists of events. Like other products in this review, it offers near real-time event information.

The dashboard is very simple, but if you were running SentinelOne on a large network you could easily be overwhelmed with events. For example, a single, mostly clean endpoint could generate dozens of behaviors within a few days. Unlike its competitors' dashboards, not many elements are actionable or clickable directly.

When SentinelOne finds a piece of malware, it will tell you where it was first seen on your network, and the reputation of the attack vector from dozens of security services. If you want to add feeds, you will have to hire the company to add them as customization, although the company plans on exposing its API to this feature in the second half of the year.

In addition, it connects to VirusTotal, where you can view the hash and other metadata of the exploit. And like other products in this review, it offers a graphical "story line" of the attack where you can see which infected processes it used to find its way into your endpoints. Threat information can be downloaded in one of several common formats, including CEF, STIX, and OpenIOC. Additional reports can be downloaded as either JSON or CSV files from the Analyze menu page.

At the top right part of each screen is a simple traffic light icon that changes color when the tool finds an active threat (red) or has mitigated it (yellow). Chances are if you are running an active network it might always be showing a yellow signal.

Its settings sheet has a simple collection of on/off switches, such as whether to enable cloud-based machine intelligence and whether to turn on its "learning mode" to establish a set of baseline operations. There are other automated actions on the settings screen, such as sending alerts, killing a process, disconnecting a PC from the network, manually remediating a PC to delete files, rolling back files to the versions that existed before the malware (ransomware, for example) executed, or quarantining something.

Its network containment feature has two toggle settings: one is auto-immune, where agents share new intelligence to proactively block threats, and the second blocks all connectivity except from the server's control panel. When you disconnect or contain a PC via these actions, you can still manage it from the console, which is similar to competitors' products.

SentinelOne installed quickly but has some installation limitations. Its agent requires a dual-core CPU and at least 2GB of RAM to operate. For Windows endpoints a reboot is required, and the software does show up as a running app in the Control Panel. It supports Windows 7 through 10, including Windows Server 2008 R2 and 2012 R2.

If you are running the original Windows 7 OS, you need to install this patch. It also supports Macs and CentOS and Red Hat Linux endpoints. Its Linux-based server is available in both SaaS and on-premises versions, along with several virtual machine packages for Microsoft Hyper-V, VMware and Citrix Xen. That is a nice, comprehensive collection of endpoints and VM environments.

Another issue is that there are only two roles for its management users: a full system admin or a help desk role; the latter can't modify configuration settings, perform system updates or add or remove users. The company will add the ability to customize roles later in the year. A planned update, added to the product after our review, will include group policy elements: an agent can only belong to a single group, but policies can be applied to multiple groups.

SentinelOne's desktop agent has a system tray icon that, when maximized, will show you what threats it has detected and what processes it is monitoring. This is more verbose than most of its competitors' agents.

Pricing starts at $45 per endpoint per year, and drops depending on the volume. This price includes all the functionality and various modules of the product.
