Maybe you’re getting a little bored with endpoint protection. Truth be told, it does seem more than a little reminiscent of the cold war. On the one side are malware producers, basically the bad guys, working hard at evolving their techniques to find and exploit even the smallest of vulnerabilities. On the other side are the endpoint protection developers, also working ceaselessly while looking for ever more intelligent ways to identify, block, and destroy malicious code in all its forms. The conflict is a never-ending struggle and, worse, it’s one that’s happening mostly in the background. At least until something awful happens.
That’s when endpoint protection becomes exciting real quick. But while those days tend to hit the headlines when they affect Fortune 500 companies and their clients, never forget that small to midsized businesses (SMBs) are just as vulnerable and subject to all the same exploits and attacks. And because they tend not to have the fat security budgets of larger organizations, SMBs actually seem like easier targets or low hanging fruit for hackers. This means that SMBs need sophisticated and responsive endpoint protection just as badly as enterprises, if not more so.
What Is a Hosted Endpoint Protection Solution?
A hosted endpoint protection solution amounts to a business-grade antivirus and anti-malware platform, the guts of which are hosted entirely in the cloud. That means administrators log into a web console to perform scans, register users, manage licenses, and perform other daily management tasks as well as reporting. This is a natural evolution as the benefits of a cloud-managed security service are just too many to ignore.
Sticking with an old fashioned endpoint protection suites means IT must create a server-based back-end on premises, then deploy scanning software and agents to every device they want to protect manually while taking on responsibility for scanning engine updates. Contrast that against a cloud managed service and most of those headaches are taken on by the service provider. The back-end is entirely managed by the vendor and your users get their device software and updates automatically, all while providing IT with clear reporting of any exceptions, problems, and threats. The cloud even helps vendors deploy more advanced solutions for the more difficult threats.
The challenge all these tools face is the ever-changing landscape of cybersecurity threats. They need to figure out exactly what’s malicious and clamp down on it without flagging so much that protecting the business actually grinds it to a halt. This is a difficult problem to solve since maliciousness can be a very hazy thing. False positives, therefore, are an ongoing issue and handling them is one of the major aspects of how developers differentiate their products and compete for market share.
This is where the cloud has proven a boon in recent years. Any hosted endpoint protection solution will have at least part of its overall architecture resident in the cloud. With that comes the ability to leverage Big Data science and advanced analytics on the server side. This lets service providers build machine learning (ML) models that can significantly enhance detection rates, something that wasn’t nearly so achievable when vendors had to rely on their customers’ on-premises computing power. While signature-based detection certainly still plays a major role in clearing the field, machine learning is where most of our vendors see the future going and we saw big strides made here during this year’s testing. Our reviews clearly surfaced ML as the year’s hottest security component, driving many of the newest features, especially behavior-based detection. While these engines can still be fooled, that’s rapidly becoming more difficult to do.
Still, with the right amount of tweaking, malware developers are still more than capable of cleverly disguising their malicious payloads and sneaking them past an IT department’s defenses. Bad applications use all kinds of tricks to accomplish this, from digital disguises all the way to social engineering. For this reason, performing due diligence before deciding on an endpoint protection solution is critical. To help with that, this roundup puts ten of the top endpoint protection players through their paces. First, we examine deployment and management capabilities from an IT professional’s perspective, and then we perform a four-part suite of detection tests to see just how these tools match up against one another.
How We Test Hosted Endpoint Protection Solutions
With threats and countermeasures constantly evolving, testing endpoint protection has become a tricky thing. The ML algorithms we saw vendors deploy are great at picking out known problems, which makes using known malware batches something of a token gesture. Everyone’s prepared for it, so how effective of a test can it really be? Well, it’s certainly a necessary test to establish a baseline of competence for every vendor, but it’s also a good reason to take a multi-pronged approach to testing these solutions.
As a rule of thumb, the weakest security link in any organization’s defense chain is always going to be the people that work there. So, PCMag Labs starts by testing phishing detection. Sometimes the fastest way to shut down an attack is to simply stop users from handing over their credentials, even if they’re doing so innocently. To do this, we leverage a website called PhishTank, which posts an ever-growing list of validated phishing websites. There we randomly pick 10 sites that are still active, and use those as a barometer to check how well phishing detection works in our test candidate. We just navigate to all ten sites using a test machine running the candidate’s software and recording what happens.
Another very popular attack vector is to trick users into downloading a seemingly legitimate application that’s then used for nefarious purposes or even just waits for a time, behaving normally, and then detonating some kind of malicious payload. Being able to look under the hood of apps that may be carrying rogue code must be a significant area of focus for any winning endpoint protection solution. We focus on how each candidate performs such analysis, how those results are reported, what countermeasures can be taken, and how easily they might be defeated.
We also make sure each candidate is familiar with the current threat landscape. We do this by throwing a fresh database of known malware against our test system that’s running the candidate’s protection client. So far, we’ve not tested a system that doesn’t pick up at least 80 percent, and usually far more, of these known malware variants. However, sometimes there can be a delay until the system is able to perform to its best levels, which is important for potential buyers to know. Also, some systems rely on waiting until the malicious software executes before flagging it and then just aim to clean up the mess afterward. Still others rely on pure signature-based detection algorithms and ML to pick out commonalities. Each of these approaches, or even a judicious mix, means a different level of success, and buyers always want the percentage detected and cleaned to be as high and as early as possible.
Our more advanced testing is looking to see whether or not the system can be penetrated using browser or Microsoft Windows exploits as well as how easy it might be for an active attacker to compromise the system. We accomplish the first part by dropping malicious executables directly on our test system to see how the endpoint protection software reacts. We also enable a dummy website with a specific (and effective) browser-based exploit and also launch that against our test system.
We use the test system’s remote desktop protocol (RDP) password and assume it’s been compromised through a brute force attack. Then download a wide variety of malware samples to the system via RDP. This procedure relies heavily on both the Metasploit framework and the Veil 3.1 framework to generate and encode attacks. How quickly the detection engine catches on is the paramount metric here, since in the wild these kinds of attacks can go undetected for some time. While we found that most systems will catch them on execution, some will allow the process to persist for a disturbing length of time. We score based on the amount of damage that can be done while the system is being compromised. We also attempt to delete documents, alter system files, and even uninstall or disable the antivirus package.
Other Key Features
Raw protective potential is certainly a key buying metric for an endpoint protection solution, but there are other features to consider. For one, support for mobile devices was a key feature, even when we tested hosted endpoint protection solutions last year, we certainly found that trend continuing this year. Making sure your chosen protection suite can protect all the devices in your organization’s stable can mean the difference between having to learn and pay for multiple tools and being able to see your company’s endpoint security health from a single control pane. Mobile features to look for include not only agents that can install on Google Android and Apple iOS, but also basic mobile device management (MDM) capabilities, like automated device registration, remote encryption policy enforcement, and remote device wipe.
Patch management is another heavily-weighted component in this crop of protection products. Many of the issues that come from malware happen because the malicious software exploited a bug left on an unpatched system. Microsoft Windows is probably the most often cited culprit here, but in reality patch exploits happen on all kinds of systems and your endpoint protection solution should address this.That’s especially true now that Microsoft has mostly forced users to automatically update its patches. This has bred a false sense of security among users who figure as long as Windows has its updates installed automatically, they’re safe. But in reality, countless other applications often go unpatched and the bad guys often use one or more of these to accomplish just as much chaos.
Just knowing that the patch exists is the first step in communicating the dangers to the business owners and allowing for a patching process that needs to include not only downloading the patch, but first testing and only then deploying it. Being able to deploy and rollback those patches from a web console is something no business should be without, whether you get it as part of your endpoint solution or as a separate patch management tool.
Another key ability, and one upon which we placed great weight in our testing, is policy management. The ability to set customized policies on large or small groups of users or devices is not only a useful tool to have, it’s practically a necessity in an age when users are commonly using multiple devices, even their own devices, to get work done. Power users and developers might require a bit more leeway with their operations, while standard end users might be locked down a bit more tightly. Having a clean way to do this is not only a management joy, it’s often the only way to avoid significant nightmares in the future.
Evaluate In Your Environment
Finally, while we consider our testing methodology to be sound, we like to validate results against those of third-party resources. This year, that was primarily AV Comparatives and the results of their 2019 testing. Comparing our results against those of AV Comparatives allows us to add an extra point of comparison to better represent the products from multiple viewpoints. It’s also independent verification of our results across factors such as usability, detection accuracy, false positives, performance, and more.
All this adds up to an excellent buying guide for businesses looking for a new or updated endpoint protection solution. However, reading this guide shouldn’t be the end of your research. Once you’ve narrowed down your options, finding out for sure which is best for your company means evaluating the solution in your own environment. This means it’s a good idea to always look for products that provide the ability to initiate an evaluation period, whether that be after some conversation with a sales person or just using a free download link on the vendor’s website.
(Editors’ Note: Vipre is owned by j2 Global, the parent company of PCMag’s publisher, Ziff Davis.)