Anti-Malware & Ransomware Protection for End Points

Last Modified: 2020-05-01
We have Trend Micro endpoint protection, but we also want to have separate and dedicated anti-malware/ransomware protection on the endpoints and servers.

We are looking to add something like Cisco AMP, Malwarebytes, Sophos Intercept X for all our clients and servers. We have a total of 2000 clients and 95 servers. We don't want just another traditional AV solution.

Looking for some feedback about the products you use and how effective these tools are on the endpoints.

Thanks in advance for any suggestions.
David Favor, Fractional CTO
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Since most Malware + Ransomware occurs via email infections + these infections have constantly evolving signatures, they can never be 100% caught.

The only hope is to have rock solid backups, so if someone does infect their machine (clicking on an email attachment), restoring the machine from a backup is a trivial operation.

Said another way, you can never stop 100% of all Malware/Ransomware infections.

You can cure 100% of these infections by restoring a backup.
btan, Exec Consultant
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
You can reference the Gartner Endpoint Security Magic Quadrant PDF; not the latest one, but it gives you some sense of these solutions. It looks like Sophos and Malwarebytes are better off, and if you are a Cisco user then it is better to go with it for better integration.

Cisco AMP - threat intelligence and analysis is the strength
The main strength of Cisco AMP is in threat intelligence and exploit prevention as a means of reducing the attack footprint available for compromise. Its AMP Cloud technology detects known threats, and uses threat intelligence data from Threat Grid and Talos security researchers for exploit prevention. However, Advanced Malware Protection requires access to the Cisco AMP Cloud to perform advanced analysis. Cisco's AMP solution is part of a "better together" product ecosystem. Organizations that do not leverage other Cisco security solutions will realize fewer of the integration benefits, such as intelligence sharing and automated blocking of new threats at all control points.

Malwarebytes - investigative capability is the strength
The new EDR module included in Malwarebytes' cloud-based platform provides advanced investigation capabilities that are rarely seen outside of a dedicated EDR tool. For example, the Active Response shell provides remote access to interact with processes, view and modify the registry, send and receive files, and run commands and scripts remotely. Ransomware rollback can be initiated remotely, including file recovery. Although the endpoint agent implements strong protection against exploits, there are no vulnerability discovery or reporting capabilities within the Malwarebytes administration console. There are no role-based access controls or directory-based access controls available for the management console. Larger organizations may find the lack of case and incident management workflow a challenge.

Sophos Intercept X - ransomware prevention approach is the strength
Intercept X clients report strong confidence in not only protecting against most ransomware, but also the ability to roll back the changes made by a ransomware process that escapes protection. The exploit prevention capabilities focus on the tools, techniques and procedures that are common in many modern attacks, such as credential theft through Mimikatz. Root Cause Analysis is not available in Intercept X for clients that use the on-premises version of Sophos Endpoint Protection. Sophos does not provide vulnerability reporting; rather, it relies on its mitigation and blocking technologies, so organizations will need to find other ways to prioritize their patch management program.

madunix, Executive IT Director, MVE
CERTIFIED EXPERT
Most Valuable Expert 2019

Commented:
I recommend using good infrastructure with Defense in Depth (DiD) and education to deal with it. Keep malware protection up to date. Regularly back up and patch operating systems. Check the Center for Internet Security (CIS), which lists 20 general control categories, also called the Critical Security Controls. Example categories include data protection, malware defenses, and wireless access control. CIS provides specific security procedures and action items for each control category in a checklist format.

https://controls-assessment-specification.readthedocs.io/en/latest/control-8/
https://www.experts-exchange.com/questions/29143630/Ransomware-on-my-network-what-to-do.html#a42850139
https://www.experts-exchange.com/articles/33451/Building-a-Robust-Security-Awareness-Program.html
https://www.gartner.com/reviews/market/endpoint-protection-platforms 


Author

Commented:
@btan: We have a Sophos XG firewall on the internet edge and a Barracuda SMTP gateway, hence we thought of having Cisco AMP or Malwarebytes in case an attack bypasses the firewall/IPS, which is Sophos.
Just thinking about a multi-vendor approach.
However, we are looking for products specialized for anti-malware and ransomware protection. Trend Micro is already available as AV.

@David: Thanks for the feedback. How do we back up all end user computers?
We do have server backups on prem.
Mohammad Rummaneh, Sr. Network & Security Engineer
CERTIFIED EXPERT

Commented:
Dear Techno IT,

We used Forti EMS a few months ago; it is a really powerful system, but you should have FortiGate firewalls for good integration.
The Fortinet Security Fabric brings end-to-end security to organizations of all sizes to prevent ransomware across all points of entry. Powered by intelligence from FortiGuard Labs, Fortinet combines market-leading prevention, detection and mitigation with top-rated threat intelligence to combat today’s most advanced threats.

https://www.fortinet.com/solutions/small-business/stop-ransomware-phishing.html 

good luck
Mohammad R.

Exec Consultant
CERTIFIED EXPERT
Distinguished Expert 2019
Commented:
I can understand the multi-vendor approach; though it gives diversity, it also presents additional operational effort to manage all the different vendors' patching and configuration. It is alright if you have a team that is agile enough to relearn the management. If you scale to have a central monitoring SIEM and vulnerability management, the integration may be another area to work on.

Though it doesn't make a very big difference, as the protection layer is different. You are looking at host protection. It may be worth hearing out Sophos and Malwarebytes, as endpoint security goes beyond the traditional physical machine to now more container and runtime security. It will be good if these solutions have a ready package for these. The complication comes when you have different OSes running on clients and servers, as these solutions may not necessarily support all flavours.

Mohammad Rummaneh, Sr. Network & Security Engineer
CERTIFIED EXPERT
Commented:
Dear Techno IT ,

Every product has strengths and weaknesses. If you have enough time, I would suggest checking with partners in your country (for example Sophos / Cisco / Fortinet, etc.), getting a demo and trying each product for a few days. You can also do a ransomware test, just to be safe and also to check the product itself. After that you can decide which product will fit your business :)

Stay Safe and Good Luck
Mohammad R. 
WORKS2011, Managed IT Services, Cyber Security, Backup
Commented:
I was going to respond with more detail, but @btan is pretty much saying everything I would say. What's left for me to say is we use SonicWall, but only for port control, NAT, VPN, etc. It slows down substantially when you use their services, so we refrain from doing so. It also creates more areas to manage.

We use Malwarebytes on all devices, including servers. Several times when there was a false positive, we had the ability to remove the device immediately and place it in a state where the end user's screen notifies them to contact their administrator, while at that time we're already managing the threat.

Author

Commented:
We are going to evaluate a few products as mentioned by the experts here.
However, I just wonder how I can reach the conclusion that one product sucks or another product is amazing. How can we do actual testing?
Mohammad Rummaneh, Sr. Network & Security Engineer
CERTIFIED EXPERT
Commented:
Dear TECHNO.IT,

I would suggest having a VM or device outside your network, fully isolated from your local network, and trying different ways to download ransomware onto your testing machine and check (I prefer a PC, not a VM).
In my experience with Forti, Fortinet has a testing procedure to evaluate your product and installation and the weaknesses that you have.
I think other vendors like Cisco / Sophos, etc. have the same.
https://www.reddit.com/r/sysadmin/comments/6ienpl/how_to_do_a_ransomware_test/ 
https://malwaretips.com/threads/how-to-set-up-vm-for-malware-testing-my-method.40159/ 

Stay Home / Stay Safe .
BR
Mohammad R.
btan, Exec Consultant
CERTIFIED EXPERT
Distinguished Expert 2019
Commented:
Best is to get real malware to validate effectiveness, and also a simulator.
https://zeltser.com/malware-sample-sources/ 
https://www.knowbe4.com/ransomware-simulator 

Author

Commented:
As per Gartner's report, CrowdStrike is ranked as a leader. Anybody have experience with CS Falcon?
Can we trust Gartner reports?
Mohammad Rummaneh, Sr. Network & Security Engineer
CERTIFIED EXPERT

Commented:
Gartner reports are not trusted; they are used for marketing.
A year ago I took a training, and as per the instructor, companies paid money to do a device test to be listed in Gartner. Our question was: what if company X didn't ask for the test (NSS Labs, for example) and is not interested in this test? Then company X will not be listed...
Mohammad Rummaneh, Sr. Network & Security Engineer
CERTIFIED EXPERT

Commented:
https://www.quora.com/How-reliable-are-Gartner-reports

Check this link; it is the same as what I commented before.

Author

Commented:
Thanks Mohammad.
Which source can be trusted to check authentic reviews about products?
Mohammad Rummaneh, Sr. Network & Security Engineer
CERTIFIED EXPERT

Commented:
In my opinion, I prefer to check over the internet for technical people's feedback, for example
Quora.com
You need to look for neutral websites :)

Author

Commented:
I think for better security we would look for an EDR solution such as CrowdStrike, Sophos Intercept X, Carbon Black, etc., which will work on top of our current Trend Micro antivirus solution.

Any thoughts?
btan, Exec Consultant
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
EDR can be acceptable for handling fileless malware, but you should be aware that they detect on breach action and try to seize the action to respond. Typically EDR is for a remote forensics team to come in, besides just the protection aspect.

I would not say that EDR takes over the AV or HIPS role, as the nature of the response intended is different. AV is signature based, and I suggest that as the baseline; HIPS comes from the FW and system integrity checks that it is not tampered with. EDR checks on attack attempts to try to block them, otherwise an aftermath forensics analysis.

Author

Commented:
@btan: What is the recommended solution you would advise?
We don't want to remove our existing Trend Micro AV solution; we need to have NG-AV along with Trend Micro to add another protection layer.
btan, Exec Consultant
CERTIFIED EXPERT
Distinguished Expert 2019
Commented:
Thus Carbon Black and CrowdStrike are the EDRs to look at. But I believe Trend Micro has EDR capability, so it may be worth having a talk with their technical team on such a portfolio.

https://www.trendmicro.com/en_my/business/products/user-protection/sps/endpoint/detection-response.html

Author

Commented:
It would be wise to have an EDR solution alongside Trend Micro instead of having another AV solution like Cisco AMP.
Please advise.
btan, Exec Consultant
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
I see it as alright, and better to go with one common security solution if Trend Micro also meets the EDR need. AMP is another option if you want to go for layered augmentation, but more from an agentless approach, as you already have TM.

Agentless Detection – AMP for Endpoints delivers agentless detection, a unique capability that detects compromise across customer environments, even if a host does not (or cannot) have an agent installed. Using Cisco's Cognitive Threat Analytics (CTA) technology, AMP inspects web proxy logs to uncover things like memory-only malware and infections that live in a web browser only.
David Favor, Fractional CTO
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Another important consideration for protection is permissions.

If you only allow user level (never admin level) email interaction, then any Ransomware/Malware executed out of an email only runs with user privilege, so only files a user has privilege to write/update can be encrypted or destroyed.

This will allow system level files to survive.

Also files with read only access will survive.

Tight consideration of file privilege is another simple way to reduce effects of nefarious software.

Note: This also means, if you're making backups onto backup media where normal users have access, it's best to ensure all backups are made at the system (admin) level, where users can't write these files... or better... can't even see these files... till they elevate their privilege to admin level.
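As an added example of checking the backup-permission point above (this is example code written for this thread, not David's or any vendor's tooling): a PowerShell audit that reads the NTFS ACL of a backup location and reports every Allow entry that grants write, delete, ownership or permission-change rights to an identity outside an assumed privileged set (SYSTEM, Administrators, Backup Operators). The privileged-identity list, the sample ACL and the share path are constructed for the example and should be adjusted to your environment.

```powershell
# Example audit (not from the thread): flag ACL entries that let ordinary users
# modify or delete backup data. Assumes Windows/NTFS; the identity list below is
# an assumption and should match the accounts your backup job really runs as.

$PrivilegedIdentities = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'BUILTIN\Backup Operators'
)

# Any of these rights lets a compromised user account damage the backups.
$WriteRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Delete -bor
               [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
               [System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
               [System.Security.AccessControl.FileSystemRights]::ChangePermissions

function Get-RiskyBackupAce {
    # Returns one object per Allow ACE that grants write-type rights to a
    # non-privileged identity. Deny entries are skipped: they restrict, not grant.
    param(
        [Parameter(Mandatory)]
        [System.Security.AccessControl.FileSystemAccessRule[]] $Rules
    )
    foreach ($rule in $Rules) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        $identity = $rule.IdentityReference.Value
        if ($PrivilegedIdentities -contains $identity) { continue }
        # Bitwise test: does this ACE include any of the dangerous rights?
        if (($rule.FileSystemRights -band $WriteRights) -ne 0) {
            [pscustomobject]@{
                Identity  = $identity
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited   # inherited ACEs must be fixed at the parent
            }
        }
    }
}

function Test-BackupPath {
    # Reads the live ACL of a folder or share and prints a verdict.
    param([Parameter(Mandatory)][string] $Path)
    $acl = Get-Acl -Path $Path
    $findings = @(Get-RiskyBackupAce -Rules $acl.Access)
    if ($findings.Count -eq 0) {
        "OK: no non-privileged write access on $Path"
    } else {
        "WARNING: $Path can be modified by non-privileged identities:"
        $findings | Format-Table -AutoSize
    }
}

# Constructed sample ACL (built in memory, not read from disk) showing the
# typical mistake: the Users group was given Modify on the backup folder.
$sampleRules = @(
    [System.Security.AccessControl.FileSystemAccessRule]::new('BUILTIN\Administrators', 'FullControl', 'Allow'),
    [System.Security.AccessControl.FileSystemAccessRule]::new('NT AUTHORITY\SYSTEM', 'FullControl', 'Allow'),
    [System.Security.AccessControl.FileSystemAccessRule]::new('BUILTIN\Users', 'Modify', 'Allow'),
    [System.Security.AccessControl.FileSystemAccessRule]::new('BUILTIN\Users', 'ReadAndExecute', 'Allow')
)
# Only the 'BUILTIN\Users' / Modify entry is reported; ReadAndExecute is harmless here.
Get-RiskyBackupAce -Rules $sampleRules | Format-Table -AutoSize

# Live check against a real backup location (placeholder path; needs rights to read the ACL):
# Test-BackupPath -Path '\\BACKUPSRV\Backups$'
```

Run it against every folder and share the backup job writes to, not only the root: an inherited ACE reported with Inherited = True has to be corrected on the parent object, and entries such as CREATOR OWNER or domain groups that wrap ordinary users need a judgment call rather than a blanket allow.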

Author

Commented:
@btan: Sure, I will check with TM. We currently have an Apex One subscription but EDR is not included.
Any feedback on CrowdStrike or Carbon Black? Are they really as good as the technical engineers claim on internet forums?
WORKS2011, Managed IT Services, Cyber Security, Backup
Commented:
"I just wonder how can I reach the conclusions that one product sucks or another product is amazing. How can we do actual testing?"
Install it, call support, uninstall it. Put it into production on a select group of computers to check performance. What about apps? How does it perform with the apps you use? There is no way of knowing 100% until you do this.

"In my opinion, I prefer to check over internet with technical people feedback for examples, Quora.com. You need to look for neutral websites :)"
Would you buy a car under this same premise? I'm hoping and assuming no. If you're in charge of IT, installing, uninstalling, checking false positives and creating other test situations are all part of your job. Doing so with new products (in my opinion) is the best way to learn what's best for you.

Agree with the ideas above regarding sales and bias. Why would I go to Quora if I have to log into it, only to receive bogus newsletters after? Who's in charge of these?


Author

Commented:
How would you rank these products from 1-5?
1 - Poor, 2 - Excellent

1. CrowdStrike
2. Carbon Black
3. Sophos Intercept X
4. Cisco AMP
5. Trend Micro
6. Sentinel
7. Cylance
8. Symantec Endpoint
9. Kaspersky
btan, Exec Consultant
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Have not played with them. But for EDR, I do still see Carbon Black as leading, with CrowdStrike and TM. Just have to be wary that CrowdStrike is a cloud-based solution, meaning the endpoint information will go out beyond your on-premise environment. The others should still have an on-premise version.

Author

Commented:
Any feedback on Malwarebytes ?
btan, Exec Consultant
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Not aware, but well recognised for anti-ransomware.

Author

Commented:
I have just prepared a small brief explanation for management; please correct me if I am wrong at any point:

In regards to the Endpoint Protection project, we need an EDR (Endpoint Detection and Response) and EPR (Endpoint Protection and Response) next-generation solution on top of the Trend Micro AV we have in place.

Basically, our current antivirus solution only offers the ability to act on known virus signatures. EDR tools can detect anomalous behavior on an endpoint indicating a ransomware or malware attack, quarantine the endpoint, encrypt the files and shares, lock down network access, and automatically stop malicious processes.

It does look for software vulnerabilities on endpoints as well. EDR is an AI-driven, machine learning and threat intelligence solution. It will provide us full visibility of the endpoints in the network.
btan, Exec Consultant
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Probably consider using Endpoint Protection Platform (EPP) instead of EPR. The former consists of the host AV, FW, IPS, which is a traditional EPP that largely depends on signature-based known threats, while EDR adds visibility on top of EPP with anomaly detection and alerting, forensic analysis and endpoint remediation capabilities. But note EPP has advanced to include data loss prevention tools, though it is still different from EDR.
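As an added illustration of the EPP-versus-EDR distinction drawn here and of the "anomalous behavior" detection described in the management brief above (example code written for this thread, not any vendor's detection logic): a PowerShell function that scans file-activity telemetry for a process that renames or overwrites many files across several folders at a high rate. That pattern is what a ransomware run looks like on disk, and it is caught without knowing the binary's hash, which is the point where a signature-only AV falls short. The event records, process names, folder paths and thresholds are all constructed for the example.

```powershell
# Example behavioural detector (not from the thread): flag processes whose file
# activity looks like mass encryption. Telemetry is constructed in memory below;
# in practice the events would come from an EDR agent or file-audit log.

function Find-RansomwareLikeProcess {
    param(
        [Parameter(Mandatory)] [object[]] $Events,   # objects with Time, Process, Action, Path
        [int]      $MinFiles          = 20,          # distinct files touched before alerting
        [int]      $MinFolders        = 3,           # distinct folders touched (spread = not one app's data dir)
        [double]   $MinFilesPerMinute = 30,          # speed: humans and most apps are far slower
        [string[]] $AllowList         = @()          # known bulk writers (backup, sync, indexers)
    )
    $Events |
        Where-Object { $_.Action -in @('Rename', 'Write') -and $_.Process -notin $AllowList } |
        Group-Object -Property Process |
        ForEach-Object {
            $sorted  = @($_.Group | Sort-Object Time)
            $files   = @($sorted.Path | Sort-Object -Unique).Count
            $folders = @($sorted.Path | ForEach-Object { Split-Path -Parent $_ } | Sort-Object -Unique).Count
            # Elapsed seconds between first and last event, floored at 1 s to avoid division by zero.
            $spanSec = [math]::Max(1, ($sorted[-1].Time - $sorted[0].Time).TotalSeconds)
            $rate    = $files / $spanSec * 60
            if ($files -ge $MinFiles -and $folders -ge $MinFolders -and $rate -ge $MinFilesPerMinute) {
                [pscustomobject]@{
                    Process        = $_.Name
                    Files          = $files
                    Folders        = $folders
                    FilesPerMinute = [math]::Round($rate, 1)
                    FirstSeen      = $sorted[0].Time
                    Verdict        = 'ransomware-like mass file modification'
                }
            }
        }
}

# ---- Constructed sample telemetry (assumed names and paths) ----
$t0 = Get-Date '2020-05-01T10:00:00'
$sample = @()

# Benign: a user editing three documents over ten minutes.
foreach ($n in 0..2) {
    $sample += [pscustomobject]@{ Time = $t0.AddMinutes($n * 4); Process = 'WINWORD.EXE'
                                  Action = 'Write'; Path = "C:\Users\alice\Documents\draft$n.docx" }
}
# Benign but bulky: a backup agent writing 40 files across three folders in 40 s.
foreach ($n in 0..39) {
    $sub = ('System', 'Users', 'Apps')[$n % 3]
    $sample += [pscustomobject]@{ Time = $t0.AddSeconds($n); Process = 'backupagent.exe'
                                  Action = 'Write'; Path = "D:\Backups\2020-05-01\$sub\vol$n.bak" }
}
# Suspicious: a user-level process renaming 32 files in four locations within 16 s.
$folders = 'C:\Users\alice\Documents', 'C:\Users\alice\Pictures', '\\FILESRV\Shared\Finance', '\\FILESRV\Shared\HR'
foreach ($n in 0..31) {
    $sample += [pscustomobject]@{ Time = $t0.AddSeconds(300 + $n * 0.5); Process = 'invoice_2020.pdf.exe'
                                  Action = 'Rename'; Path = "$($folders[$n % 4])\file$n.docx.locked" }
}

# Run 1: raw telemetry flags both the dropper and the backup agent (a false positive).
Find-RansomwareLikeProcess -Events $sample | Format-Table -AutoSize
# Run 2: allow-listing the known backup tool leaves only the dropper.
Find-RansomwareLikeProcess -Events $sample -AllowList 'backupagent.exe' | Format-Table -AutoSize
```

The two runs show why behavioural detection needs tuning as well as thresholds: the backup agent trips the same rule as the dropper on the first pass, and only the allow list separates them. A commercial EDR adds many more signals (process lineage, entropy of written data, canary files, known-good publisher signatures) and, as the brief says, a response step such as isolating the host; this block only shows the detection half.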