10 cutting-edge tools that take endpoint security to a new level

The 10 products tested in this review go beyond proactive monitoring and endpoint protection and look more closely at threats

Page 5 of 5

Matrix Partners' Stormshield Endpoint Security v7.204

Stormshield Endpoint Security (SES) is deeply involved in the Microsoft universe: you'll need a Windows Server (2008 R2 or 2012 R2), IIS and SQL Server, .Net Framework, and several other bits of Microsoft software to get it to work. You will also need to open a series of ports in the 16000 range to communicate with the server. Documentation (including a 400-page administration guide) and software updates are available from a cloud-based portal.

A separate Windows program is used to produce agents for your endpoints. The agents are downloaded directly from the server via a simple web link. There are three editions: Professional, Secure, and Server-Side, each offering a different mix of security policies; the Secure edition adds local disk and file encryption, and the Server-Side edition adds protection for Windows Servers (2003-2012). Once the agents are installed, you can see their status in the system tray and open the logs to determine whether there are any issues or infections. You can set a specific parameter in the security policies to prevent agents from being terminated or uninstalled unless the site administrator allows it, a nice feature.

Note that this web link is the only thing you can access remotely from the server's console; everything else happens inside the Windows-based management program. It would be nice if Stormshield opened its product up to a more comprehensive web access.

When you first launch its management console, there are several window panes on the left, including an environment manager and various management and monitoring tools. The environment manager holds agent and server configuration information, security certificates, and the setup for the various encryption, anti-virus, file protection and other policies. These policies are the heart of what SES offers, and they can get very complex to set up properly.

There are three kinds of protection mechanisms: rule-based policies, automatic protection of various system and network activities, and behavioral profile-based policies that monitor running applications and block any odd behaviors. Any policy created by an administrator takes precedence over any automation routines. Think of this as an advanced firewall rule set where the rules are processed in the order they are specified, only on a grander scale, and you'll get the picture.

Each policy category has dozens of parameters and several tabbed screens to fill out. For example, the antivirus policy has sections for which files to scan and how often, email settings, and whether to enable real-time protection. There are also policies to handle network protection, such as limiting Wi-Fi connections to a particular authentication and encryption level, looking for firewalls and IDS, allowing or blocking particular removable media, and lots more detail.

From the above description, you can see that SES is somewhat of a mixture of a traditional malware endpoint protection tool and a network-based intrusion prevention tool. SES handles both with its protection policies to provide comprehensive mechanisms to keep attacks from invading your infrastructure, including some additional anti-ransomware features that were added after our review.

The behavioral profiles cover how SES watches over your network to see which apps open particular ports, load specific DLLs or read Registry keys. A good example is how you would set up SES to keep ransomware off an endpoint by looking at what is running in each endpoint's memory and what those programs are doing. The idea is to put SES into a special "learning mode" in which it memorizes what actually goes on across your network when it is operating properly. Once it has learned this, SES reports whenever something deviates from these routines. You can set up weighting factors so that alerts are triggered only when something more significant happens. The administrator sets the learning period's start and stop dates in the management console.
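To make the learning-mode idea concrete, here is an added illustrative model of a per-program behavioral baseline with weighted deviation scoring, plus the administrator-rule precedence described earlier. It is example code, not Stormshield's; the event format, the weights, the alert threshold and the sample telemetry are all assumptions constructed for the demonstration.

```python
"""Toy model of learning-mode baselining with weighted deviation alerts.
Added example, not SES code: event tuples, weights and threshold are assumed."""
from collections import defaultdict

# Assumed weighting factors per activity category; the administrator tunes
# these so that only significant deviations cross the alert threshold.
WEIGHTS = {"port": 2, "dll": 3, "registry": 1}
ALERT_THRESHOLD = 4


def learn_baseline(events):
    """Learning mode: record which (category, value) each program normally uses."""
    baseline = defaultdict(set)
    for proc, category, value in events:
        baseline[proc].add((category, value))
    return baseline


def score_deviations(baseline, events, admin_allow=()):
    """Monitoring mode: score events that were never seen during learning.
    Administrator rules take precedence over the automated baseline, so an
    explicitly allowed (proc, category, value) never adds to the score."""
    scores = defaultdict(int)
    findings = defaultdict(list)
    allowed = set(admin_allow)
    for proc, category, value in events:
        if (proc, category, value) in allowed:
            continue  # admin rule wins over automation
        if (category, value) in baseline.get(proc, set()):
            continue  # matches learned behavior
        scores[proc] += WEIGHTS[category]
        findings[proc].append((category, value))
    alerts = {p: findings[p] for p, s in scores.items() if s >= ALERT_THRESHOLD}
    return dict(scores), alerts


# Constructed sample telemetry: (process, category, value)
LEARNING_EVENTS = [
    ("outlook.exe", "port", 443),
    ("outlook.exe", "dll", "mapi32.dll"),
    ("outlook.exe", "registry", r"HKCU\Software\Microsoft\Office"),
    ("winword.exe", "dll", "mso.dll"),
]
MONITORING_EVENTS = [
    ("outlook.exe", "port", 443),                          # learned: no score
    ("winword.exe", "port", 8081),                         # new port: +2
    ("winword.exe", "dll", "netapi32.dll"),                # new DLL: +3
    ("winword.exe", "registry", r"HKCU\Software\Microsoft\Office"),  # admin-allowed
]
ADMIN_ALLOW = [("winword.exe", "registry", r"HKCU\Software\Microsoft\Office")]

if __name__ == "__main__":
    print(score_deviations(learn_baseline(LEARNING_EVENTS), MONITORING_EVENTS, ADMIN_ALLOW))
```

Running it scores winword.exe at 5 (over the threshold of 4) and raises one alert listing the unexpected port and DLL, while the administrator-allowed Registry read is ignored.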

There was some tricky synchronization with the agents when we first installed them, but that wasn't an issue as we used the product subsequently. As you choose your particular policy, the details and options are shown in the right-hand window on the management console. There are also status and error messages that scroll across a separate window at the bottom of the console screen.

SES comes with numerous default security policies, including ones specific to each Windows OS version. Speaking of which, SES supports all Windows versions back to XP with SP3, and added Windows 10 in late April. There is also a series of policies that can prevent executable files from being created, block keyloggers from being deployed, and guard against memory overflows and privilege escalation. These latter protections are simple on/off switches.

Before you change a policy, you first have to check it out of the SES repository, make your changes or additions, and then check it back in. This keeps multiple administrators from making conflicting changes at the same time, but the workflow is also somewhat cumbersome to get used to at first.

One other drawback: SES doesn't support adding security RSS feeds like some of its competitors do, although Stormshield plans to add this at some future point.

As we mentioned earlier, SES offers the ability to encrypt removable devices; this feature is accessed from the endpoint agent menu with a simple right-click. There is also the ability to grant temporary web access, so a user can authenticate to a public Wi-Fi hotspot, such as one in a hotel, before bringing up their VPN connection.

Pricing starts at $15 per user per year for the basic modules and the Professional Edition of the agents. This is one of the lowest-priced products in this review, but the true cost of the product will be in learning how to deploy it and configure its numerous features.

How we tested endpoint security products

We brought up the products on a network running both physical and virtual Windows machines (of various vintages stretching from XP to Windows 10), Macs and various smartphones and tablets.

We looked at how they track down malware and other exploits that we downloaded from VirusTotal.com. We also examined how the products responded to an infection spreading across our network infrastructure and how they recorded what happened. Where possible, we also looked at how a product could play back the infection so it could be examined further.

We also determined if the product could isolate an infected PC or PCs, or stop a particular process or executable program, or otherwise quickly remediate the machines and return them to a clean state. We also determined if a product could incorporate external security feeds, and work both online and offline. Finally, with each product, we connected our endpoints to their management servers and examined reports and manipulated the configurations and settings to see how easy it was to use from a network administrator's point of view.

Secdo offers another approach

Secdo is an Israeli startup that tries to reduce incident response time and neutralize threats in near-real time. It has a very interesting process view where you can segregate what it sees into hardware, network, file and user activities so you can further analyze the potential threats and reduce the number of false positives.

Like many of the other products reviewed here, Secdo gives you a very graphical display of the attack chain of events and of which endpoint PCs it has infected. We liked the clean screens, which were very graphical and easy to review. By clicking on the data, you can get further explanations of what is happening and links to the particular attack methods. Secdo is just getting started with a few customers and is worthy of a closer look.

Strom is the founding editor-in-chief of Network Computing magazine and has written thousands of magazine articles and two books on various IT and networking topics. His blog can be found at strominator.com and you can follow him on Twitter @dstrom. He lives in St. Louis.

This story, "10 cutting-edge tools that take endpoint security to a new level" was originally published by Network World.

Copyright © 2016 IDG Communications, Inc.
