Endpoint Security Products: Part 1

In a sphere that changes as rapidly as security, it's no surprise that 'endpoint' as a definition is fluid. It is so new a sphere in the IT arsenal that not even the players who field endpoint products can agree on where the borders begin an end -- though naturally it encompasses their own core competency.

As a literal definition an endpoint is the end in the communication chain, and as it applies to your average organisation, it will typically encompass desktop PCs and devices such as printers, tablets, and smartphones. And, from a security perspective, an endpoint is an entry point to your network, and thereby critical to manage and secure to prevent intrusion, corruption or theft of data on your network.

Which is why endpoint software, as vague as the definition itself, comprises all manner of security stalwarts: anti-malware, application control, auditing, reporting, permissions and access rights, physical device security and more. There's no one category or selection of categories that represent the endpoint solution market, and so every vendor has their own take on it.

So when we went looking to round-up endpoint software solutions we found a wide mix of products, services, and solutions. We found 37 in all, and so in this special two-part series we explore your options, concisely covering the key strengths and detailing notable features of the majority of the players in the market.

With viruses and malware being a primary attack vector on any network, it's no surprise that the majority of endpoint products include anti-malware functionality. And so in this first part we'll look at products and vendors who specialise in or expand on anti-malware as a core service. In part two we'll look at more wide-ranging but just as important solutions with strengths that lie in application control, encryption, and physical device security among others. After all, while some endpoint products will claim to cover all your bases, it's possible to use multiple products that focus on different aspects well. Indeed, many of the solutions covered here are modular, allowing you to pick and choose the services you need.

McAfee Endpoint Protection

McAfee sports two core products in its Endpoint Protection suite aimed at business and enterprise respectively. Covering the gamut of desktops, tablets and smartphones it integrates McAfee's trusted anti-malware engine with a range of products starting with 'Deep Defender' to detect and prevent rootkits and similar stealth attacks, to its own firewall solution, SiteAdvisor URL filtering, and email anti-malware/anti-spam.

It also boasts support for device control to restrict and manage physical devices such as USB keys, as well as provide for disk, file and folder encryption policies.

A centralised console provides access to manage compliance and report on any immediate security risks for monitored endpoints. Finally, McAfee's product taps into its crowd-sourced cloud-based threat management system to react to new threats as they appear.

The Enterprise version adds to this by providing application control functionality to blacklist known risks and a risk assessment module to determine possible vulnerabilities.

In terms of platform support the majority of the components are Windows-only, with the exception of the Endpoint Protection of Mac module and McAfee VirusScan for Linux.

TrendMicro Enterprise Security for Endpoints

Another big name in the anti-malware space, TrendMicro similarly leverages its core competency to deliver an end-point anti-malware product that incorporates its OfficeScan product for desktops, laptops, mobile devices and virtual machines. This includes a 'Data Loss Prevention' module that aims to control physical media like USB drives and removable media, and a host-intrusion firewall module to patch or block vulnerabilities in software until official patches are deployed. An optional 'Mobile Security' plugin offers MDM features such as password enforcement and remote wipe capabilities for Android, iOS, Windows Mobile and Symbian.

Desktop endpoint support is predominantly Windows with a plug-in for Mac OS that works to protect Macs and prevent them being used as nodes for forwarding Windows malware. Linux desktops are not supported, however TrendMicro's File Server Protection product included in Enterprise Security for Endpoints supports Windows, Netware and Linux servers and throws in both anti-malware protection and comprehensive reporting facilities for admins on servers. Finally all these are wrapped up in a web-based management console.

There are other products in TredMicro's security range, including an Endpoint Encryption product for full-disk and removable media devices, again just for Windows, and which oddly isn't included in the core Endpoint Security for Endpoints suite.

Sophos Enduser Protection Suites

Sophos has a clean web-based interface

Showing how endpoint is a malleable term, Sophos provides Endpoint Antivirus as a focused anti-malware product for endpoint devices, and a modular range of security products also for endpoints covering MDM, encryption, and secure web proxying under Enduser Protection Suites. Of course this does allow you to plugin Sophos' anti-malware product if you have the other bases already covered,to save on deployment costs.

Sophos offers the ability to manage server components for its products locally, or alternatively make use of its Sophos Cloud platform to save on hardware costs and administration headaches. However, while Mac OS and Linux are supported for its local solution, its Cloud-based product only supports Windows clients.

Two other products exist under Sophos' Enduser moniker -- Mobile Control and Safeguard Encryption. The former supports typical MDM features with the benefit that licenses are user-based, such that multiple devices (desktop, phone, tablet et al.) can be covered by one license. The latter provides typical full disk or file-based encryption with the added benefit of supporting Mac OS, along with Android and other smartphone OSes, making it useful to prevent access to data on mobile devices even if commands like remote wipe don't get received in time.

A single management console is Windows-based but administers all Sophos products and for all platforms.

Kaspersky Endpoint Security

Kaspersky provides a range of products under its Endpoint Security banner, ranging from 'Core' to 'Total'. Like Sophos this allows you to purchase only the products you need to fill a gap in your current portfolio -- Core for example is just the anti-malware component, while the Total product bundles in everything including the kitchen sink: anti-malware for servers, mobile security and MDM, encryption, application control, web filtering, asset management, and gateway and mail server security bundles. While predominantly Windows-based, clients for Linux and MacOS X are provided for the anti-malware component.

A number of modules take advantage of Kaspersky's cloud-based protection network, including anti-malware protection for desktops and mobile devices, web filtering, and patch management. One of Kaspersky's strong points is its Security for Collaboration module, providing anti-virus protection for Sharepoint servers and storage while optionally providing tools to set policies for content filtering.

A unified management console provides simple control over most modules with the exception of gateway, mailserver and the collaboration security products which are managed separately.

ESET Endpoint Protection Advanced

ESET has perhaps the nicest admininstration interface

ESET also draws on its cloud-based anti-malware solution to provide anti-virus for Windows, MacOS X, and Linux clients. The anti-malware component of Eset's endpoint suite also includes physical device control to prevent the use of removable media and USB devices on client machines, as well as host-based intrusion prevention on Windows clients to prevent tampering with the registry or key system files.

MDM features include remote lock and wiping of devices and security auditing in addition to anti-malware support for mobile devices which cover Android, Windows Mobile and Symbian. The anti-malware support is extended to servers through Windows Server and Linux, BSD and Solaris modules.

Management is through a unified console for all the core features, while a web-based dashboard provides customised real-time feedback. To minimise network load system scans can be staggered across clients and mobile devices, while a roll-back features allows virus signatures of Eset module updates to be reverted in the case of compatibility issues.

Eset expands on the Endpoint Protection Advanced product with its Business and Enterprise levels which add mail server and gateway protection respectively. A Standard version is also available as a lighter implementation of the Advanced product.

Webroot SecureAnywhere Endpoint Protection

Webroot and its web-based management interface

Webroot's Endpoint solution comprises its established anti-malware suite with popular endpoint services including cloud-based collective threat detection, policy control and enforcement, virtualised environment support, and the ability to roll-back an endpoint client to a previous state before infection.

While the core product is fully-featured as far as anti-malware is concerned, and includes application black/whitelisting, advanced web-based administration control, and a self-remediation structure for users to solve their own issues, this is the only focus of Webroot's endpoint product. More advanced mobile device control and web filtering features are provided as separate, complimentary, modules in its Mobile Protection and Web Security Service products.

Webroot likes to point out that its solution is faster, smaller and uses less memory than competing products making it easier on system resources (and takes particular aim at Kaspersky and McAfee), however unlike some of its competitors Webroot supports Windows clients and servers only. In its favour there's a clear pricing structure dependent on the number of devices and seems reasonably priced compared to some of the other suites covered here.

Comodo Endpoint Security Manager

Comodo's interesting panoramic systems overview

Comodo takes a slightly different approach with its anti-malware endpoint product by using what it calls 'Default Deny Protection' that, as the name implies, uses a whitelisting system to allow applications to run, thereby preventing any infections by new viruses that don't yet have signatures out in the field. Of course this may not help if a whitelisted application is infected, but the principle seems sound.

Untrusted programs are automatically executed in a virtualised sandbox to prevent intrusion should these become infected, with files exhibiting suspicious activity automatically uploaded to Comodo's malware labs for analysis.

Comodo's product also includes its popular Comodo Firewall for clients, as well as its wireless internet connectivity product TrustConnect, which uses encryption and VPNs to hide data for mobile devices when using public hotspots.

Comodo has an interesting panoramic browser-based console, based on Microsoft's Silverlight, for administration and supports all of Windows, MacOS X and Linux.

To encourage trialling its product, Comodo currently offers 10 licenses free or 60 licenses for 60 days at no cost.

Symantec Endpoint Protection

Symantec's entry into endpoint protection covers a wide gamut of features, including what Symantec claims is the largest cloud-based threat identification network that's standard among anti-malware vendors today. Symantec touts its SONAR product that aims to detect zero-day threats by analysing application behaviour, and bundles this with browser-based filtering, limiting access to network resources via application control, whitelisting/blacklisting known good or bad programs, and Symantec's own rule-based firewall in addition to its well-known anti-virus scanning and malware-removal engine.

About the only thing missing is mobile device support. Instead Symantec bundles this into its Mobile Management Suite which includes standard MDM features for policy, app control, and centralised management along with its own Android and Windows Mobile based anti-malware solutions (also known as Symantec Mobile Security). There is no iOS support however for anti-malware or standard MDM components. Considering the ubiquity of mobile devices in the workplace, this means the Mobile Management Suite is all but essential to be paired with its Symantec Endpoint Protection product, so keep the additional cost in mind.

That said Endpoint Protection supports the full Windows family including being optimised for Windows 8, along with MacOS X and Linux support, and provides integration for virtual machines through VMware's vShield endpoint service.

Invincea Endpoint Security

Invincea's solution isn't as wide-reaching as some of the other products covered here, but takes a different approach to preventing data loss due to a malware-breach: applications are placed in a virtualised sandbox (especially and for example browsers and email clients as key attack vectors), and no malware signatures are used at all. Instead, as with some other of the other vendor's solutions covered here, infected programs are identified based on behaviour heuristics, at which point the virtualised environment containing the infected software is destroyed and a known-good copy of the offending application re-loaded into a new virtualised environment.

Invincea is quick to point out how its product differs from the competition -- rather than risk an intrusion from new malware that might escape detection, Invincea simply stops it from ever setting foot on your network. Of course, this depends on the accuracy of the behavioural detection mechanism, but it's an innovative take on containing malware that sets Invincea apart.

A separate Threat Data Server product, installed locally as a physical server or run as a virtual appliance, can collect all manner of data about thwarted attacks and feed it to other security tools such as Splunk or Arcsight, but the value of this depends on how proactive you want to be with reported attacks.

Note that for Invincea's product only Windows desktops are covered, and only up to Windows 7. There's no Windows Server equivalent, MacOS X or Linux clients, and no support for mobile device operating systems (which is not unsurprising, given the overheads of virtualising applications).

ThreatTrack VIPRE Business Premium

VIPRE's console has an excellent reporting dashboard

ThreatTrack integrates all of anti-malware, patch management, mobile device management, automated removable device scanning, and MacOS X support into a single product. It also touts a feature we haven't seen in others here -- the ability to automatically remove a competing product during install. This is ostensibly to prevent conflicts with multiple agents trying to do the same thing, but it's still somewhat humorous if seen in another light.

Unlike some the other players in this market, ThreatTrack doesn't draw on a crowd-sourced cloud-based malware signature resource, but it does claim zero-day protection via its own ThreatTrack Security Labs and partner sources, and multiple threat definition updates per day as required.

And, while some other vendors covered here lack mobile device support, ThreatTrack includes clients for Android and iOS for both its anti-virus suite and core MDM features including device locate, lock and wipe as well as an activity-monitoring service that can log browsing, messaging and call history. In addition to the VIPRE's scanning and malware removal engine, email filtering, phishing protection, and known-bad website blocking can also be enabled to lock down common attack vectors.

Lumension Endpoint Management and Security Suite

Lumension's unified console showing an at-a-glance view

Lumension has garnered a name for itself as a comprehensive solution provider, and with good reason. Its endpoint product combines anti-malware, patch management, power management, application control and device control into a single solution.

For its anti-malware module Lumension uses a variety of methods including classic signature matching, exploit detection and behavioural analysis. It also provides the option to CPU throttle anti-virus scanning, though most of the products covered here claim minimal CPU usage for malware-detection.

Backing this up is a framework for application whitelisting, a patch management engine to ensure clients are up-to-date, device-control to manage removable media and USB devices to prevent data theft, and optional full-disk encryption including swap and hibernation files.

Its administration console also sports asset discovery and inventory management, while the integrated reporting dashboard can be upgraded with a free Reporting Services module to delve deeper into assets and vulnerability analysis of endpoints.

While the patch management component covers Windows, MacOS X and Linux the remaining components, including the anti-malware module, are Windows-based only.

Total Defence

The Total Defence Endpoint Security product is part of a three-tier selection platform that also includes a Web Security and Email Security product. Endpoint can be used standalone, or integrate with the other two for a more comprehensive solution.

The anti-malware protection is based off signatures and behavioural analysis and pairs this with application control to whitelist programs, removable media scanning such as USB devices, and a localised 'distribution centre' service to download updates and distribute to endpoints rather than each endpoint updating its signatures to save bandwidth.

A cloud service allows protection policies to be applied automatically for devices connecting remotely, which can include smartphones and other mobile devices for URL filtering and email security if these modules are installed by piping these requests through the secure cloud-service. Application updates and anti-virus signatures are also distributed this way.

Management is through a centralised web-based console and, while the anti-malware engine only applies to desktops and not portable devices like smartphones, it does sport a full house with Windows, MacOS X and Linux client support.

Finally, similar to ThreatTrack's product, Total Defence can ease upgrading devices running older versions of the product by removing legacy versions of itself during installation to ensure there are no conflicts with endpoint agent components.