Endpoint Security Review

CrowdStrike, SentinelOne, Cisco AMP, Microsoft Defender, FireEye and Symantec are some of the popular endpoint security products I happened to work with and had the opportunity to deploy at full scale, starting from scratch, to both on-prem and cloud infrastructure.

From a features perspective, barring Symantec, the others (CrowdStrike, SentinelOne, AMP, FireEye and MS Defender) have comparable features, as follows.

  • Transitioning from detection through static signatures (single threats) toward definitions (threat families), and offering more robust as well as less resource-intensive protection using heuristics (probability scoring).
  • The introduction of client-side ML models, helping to identify and block malware that was never observed before.
  • Behavioral monitoring, using context to increase the confidence to incriminate specific binaries through observing a sequence of events.
  • Cloud-based ML models, which serve to constantly support clients in making determinations, increasing precision, and helping to identify more emerging malware.
  • Rapid delivery of new definitions.
  • Breadth of signal, leveraging inputs from a vast network of sensors.
  • In most cases, a simple request to the cloud helps to get a verdict on most malware if local models cannot make an accurate determination.
  • As a final resort, automatic sample submission is used as a fallback option.
  • Block at first sight (BAFS) can then even hold unlocking of the file on the endpoint until the cloud analysis pass has completed, preventing patient zero in many cases.

Common Deployment Methods.

  • Group Policies.
  • Intune.
  • Microsoft Endpoint Configuration Manager (SCCM) or comparable tools.

Deployment is mostly a one-time manual step these days; after that, everything can be managed through the cloud portals provided by the vendors.
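The cloud verdict, sample submission and Block at First Sight behaviour listed above, and the policy-driven management described here, can be verified on a Windows endpoint with an added example of my own (not code from the article or from any vendor). It assumes the Microsoft Defender Antivirus cmdlets Get-MpPreference and Set-MpPreference are available, and the baseline values are this example's choices, not a vendor requirement.

```powershell
# Added example (not from the article): audit a Windows endpoint's Microsoft Defender
# cloud-delivered protection settings against the layered-detection behaviour described
# above (cloud verdict lookup, automatic sample submission, Block at First Sight).
# Run in an elevated PowerShell session on a Windows host with Defender installed.
# Baseline values are this example's assumptions, not a vendor requirement.

function Test-DefenderCloudProtection {
    [CmdletBinding()]
    param([switch]$Remediate)

    $pref = Get-MpPreference

    # Desired state: Property -> @{ Expected = <value>; Why = <reason> }
    $baseline = [ordered]@{
        DisableRealtimeMonitoring = @{ Expected = $false; Why = 'real-time scanning must stay on' }
        DisableBehaviorMonitoring = @{ Expected = $false; Why = 'behavioural (sequence-of-events) detection' }
        MAPSReporting             = @{ Expected = 2;      Why = 'Advanced cloud reporting enables cloud verdicts' }
        SubmitSamplesConsent      = @{ Expected = 1;      Why = 'SendSafeSamples: automatic sample submission fallback' }
        DisableBlockAtFirstSeen   = @{ Expected = $false; Why = 'BAFS holds unknown files until cloud analysis returns' }
        CloudBlockLevel           = @{ Expected = 2;      Why = 'High: more aggressive cloud blocking' }
        CloudExtendedTimeout      = @{ Expected = 50;     Why = 'allow up to 50 extra seconds for a cloud verdict' }
    }

    # Compare as strings so byte/enum/bool values line up with the baseline literals
    $drift = foreach ($name in $baseline.Keys) {
        $actual   = $pref.$name
        $expected = $baseline[$name].Expected
        if ("$actual" -ne "$expected") {
            [pscustomobject]@{ Setting = $name; Actual = $actual; Expected = $expected; Why = $baseline[$name].Why }
        }
    }

    if ($Remediate -and $drift) {
        foreach ($d in $drift) {
            # Each baseline key is also a Set-MpPreference parameter name, so splat it
            $params = @{ $d.Setting = $d.Expected }
            Set-MpPreference @params
        }
    }
    return $drift
}

# Report drift without changing anything; add -Remediate to enforce the baseline
Test-DefenderCloudProtection | Format-Table -AutoSize
```

Where a setting is delivered by Group Policy, Intune or Configuration Manager, the policy value is reapplied on the next refresh, so persistent drift should be corrected in the policy rather than locally.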

Here is the fun part, post deployment: the SOC tiers.

  • Tier 1 – Triage: SOC triage analysts focus on monitoring and mitigation of well-known, high-fidelity alerts. When an issue falls outside the scope of their skills and responsibilities, the issue is typically escalated to the next tier.
  • Tier 2 – Investigation: Mid-level experts are given more responsibility and are expected to ascertain the exact nature of a threat. They are expected to determine a threat’s origin, the extent of the damage it has caused, and how deeply it has infiltrated the affected systems – then guide the response. High-impact threats that are sufficiently widespread or cause critical damage are escalated to Tier 3.
  • Tier 3 – Threat Hunting: Threat hunters are responders to the most complex threats across the entirety of the organization’s estate. When they are not dealing with immediate threats, they are hunting for and reviewing data forensics and telemetry for threats that have not been flagged as malicious. The latter is so that they can improve detection logic and thus security posture.

The threat hunting capabilities and sandbox features let us delve down to process and even packet level for troubleshooting and threat analysis.

Even if you find one or two features missing here and there between these endpoint security products, say USB control, the vendor will have an answer that it is coming next quarter. So my top favorite products are CrowdStrike, SentinelOne, FireEye and Cisco AMP, in no particular order. With Microsoft Defender also adding more analytics features, turning EDR into XDR (Extended Defense and Response), endpoint security is no longer only about the local machine; it also provides a holistic view extending to email and cloud applications.

I think the next-level feature they probably need to come up with is micro-segmentation combined with endpoint security. That will be really cool.

This article is mostly my experience with the products I have worked with. There are many other comparable ones in the market. A Gartner report can be referred to for an initial assessment; then a vendor RFO can be done to review the latest demos, and based on the budget, the skill set of employees and the security features the organization is looking for, a call can be made to choose the right endpoint security product.

Nelson Natarajan

2 years

Good work Vishnu Bharath R

More articles by Vishnu Bharath R