Buyers looking for an endpoint security solution often compare CrowdStrike and Symantec, and while both vendors made our top endpoint detection and response (EDR) product list, they’re very different security products that will likely appeal to buyers with different goals in mind. Here’s a look at both EDR products, how they compare, and their ideal use cases.
The Bottom Line
CrowdStrike didn’t score the highest in raw security in our analysis, but its management and response capabilities are so popular with end users that CrowdStrike Falcon came out on top of our best EDR products list. As breaches seem all but inevitable these days, security analysts have come to value the products that make their stressful jobs easier, and part of that is automating as much as possible and cleaning up breaches quickly. That’s a sad statement on the security of software and operating systems, but that’s the reality that security teams face.
Broadcom’s Symantec business is one of the oldest companies in the security market – thanks to an engineer named Peter Norton, its roots go back nearly 40 years – yet the company continues to innovate, as evidenced by a top three score in the most recent round of the difficult MITRE testing. We give it the edge over CrowdStrike in raw security while CrowdStrike has the lead in management and response. Still, with a large installed base, broad security portfolio and familiar interface, Symantec remains a comfortable choice for any security buyer.
The EDR market is a strong one, with a number of good choices, so also visit our full EDR product list for other options that might be right for you.
Security Testing
Security is an obvious place to start because, after all, these are security products. And it’s also one area where we have actual head-to-head data between CrowdStrike and Symantec, so let’s use it.
Both vendors have participated in two rounds of the rigorous MITRE ATT&CK evaluations together, the toughest testing a cybersecurity product can face.
In last year’s APT29 evaluation – designed to mimic the Russian group behind the 2016 DNC and 2020 SolarWinds hacks – both vendors’ EDR products fared well, with CrowdStrike stopping 86% of attacks and Symantec stopping 85%. The difference is that about 25% of Symantec’s detections were made only by the vendor’s managed services team, not by the EDR product itself, so we have to give CrowdStrike the edge there. That said, Symantec has no doubt used that information to improve its EDR product, so its users are likely covered.
As proof of that, we offer MITRE’s Carbanak+FIN7 testing released earlier this year, where Symantec bested CrowdStrike and many other top EDR vendors, including in the new protection tests.
Symantec’s services business raises another point: both vendors have good services teams, so your security staff have backup if needed. That’s particularly good news for small businesses and other organizations that may not have 24/7 security staff.
One recent Symantec innovation we like: The company in June unveiled Adaptive Protection, which automatically shuts down processes and features that aren’t in use. In an ideal world that would be a default function of every operating system, but until we live in that world, Symantec’s cool new feature will have to do.
And when it comes to security, age isn’t just a number – older vendors have often dealt with problems that newer vendors are just facing for the first time. One example: Symantec was prepared for last year’s SolarWinds hack because it long ago faced attacks when hackers tried to disable endpoint agents, a primary vector for the Sunburst malware. Experience still counts for something in cybersecurity, and long-time vendors have an edge in product depth because of that.
Management and Response
Symantec has the edge in the all-important security category, which balances the comparison somewhat, because CrowdStrike users are generally happier in the other areas.
CrowdStrike has the edge in response capabilities, while both vendors score well for investigation tools. Response is one area where CrowdStrike users lavish praise, but they also like the product’s rich data, visibility into endpoints, and ability to deploy fixes quickly.
Symantec users praise the product’s ease of use, advanced detection capabilities and integration with other Symantec products, and some even praise its rich response features. There have been a few complaints about performance degradation on endpoints, but many Symantec users say they have experienced no performance hits. Both vendors offer advanced features like vulnerability management and threat hunting.
CrowdStrike clearly has some advantages here, but given how comparable user comments are between the products in many areas, we have to wonder if Symantec users are perhaps simply more familiar with their product’s flaws because of the amount of time they’ve used it. Familiarity breeds contempt, or something like that. CrowdStrike has a nice interface, but once you’ve learned your way around a product, it’s the capabilities that matter most.
Pricing, Deployment and Support
We’ll lump these things together because they’re secondary to product performance, in our opinion, but still important considerations.
CrowdStrike publishes its basic endpoint security pricing. Symantec pricing is harder to come by, but a recent Forrester analysis (PDF) quoted a price of $16 per endpoint per year for 25,000 endpoints for the newer Symantec Endpoint Security (SES) Complete, which combines EPP and EDR (that Forrester study also quantifies the significant cost savings that come from a good security product). Vendors typically offer volume discounts for large customers, so small businesses can expect to pay significantly more. We’d note that users perceive both products as more expensive than average; as more Symantec users migrate to the new SES Complete, that perception is likely to change. The pricing edge goes to Symantec.
The deployment advantage goes to CrowdStrike; users are significantly more likely to report shorter deployment times there. Symantec users report more integration challenges, but generally don’t seem to be unhappy with deployment times.
Support from both vendors gets pretty good ratings from users. CrowdStrike gets the advantage for faster response times, but otherwise they’re even here.
The Final Word
You actually can’t go wrong with either product. CrowdStrike and Symantec both offer strong security and good management and response. Both also offer a lot of advanced features for your money. And both vendors are likely to continue to innovate, so you can have some confidence in the future too.