Endpoint detection and response (EDR) solutions from FireEye and Symantec made eSecurity Planet's list of top EDR solutions, and each product has distinct benefits to offer enterprise customers. What follows is a look at some key features of each solution, along with an examination of each product's strengths and weaknesses.
The Bottom Line
Both solutions get high marks from both users and industry analysts. FireEye’s offering benefits from threat intelligence provided by Mandiant and from its new MalwareGuard detection and prevention engine, while Symantec’s Targeted Attack Analytics technology leverages machine learning to offer similar capabilities. Recent testing by Forrester gave FireEye’s offering a slightly higher rating in general than Symantec’s. FireEye came out on top in detection capabilities, while Symantec beat FireEye in response capabilities. Both products present some management challenges and thus might be a better fit for more sophisticated security teams.
FireEye EDR Highlights
Overview: FireEye Endpoint Security leverages a single agent with three detection engines (signature-based and behavioral-based engines as well as intelligence-based indicators of compromise) to minimize configuration and maximize detection and blocking, offering fully integrated malware protection with anti-virus defenses, machine learning, behavior analysis, indicators of compromise, and endpoint visibility.
Recent developments: Recent releases have included a signature-based prevention engine to filter out known malware, viruses and worms, along with the advanced machine learning-based MalwareGuard detection and prevention engine. The latter is a result of a two-year research project from FireEye data scientists, leveraging testing in real-world incident responses. The machine learning model is trained with data gathered from over 15 million endpoint agents, attack analyses based on more than a million hours spent responding to attacks, over 200,000 consulting hours each year, and adversarial intelligence collected from a global network of analysts. That collection of data trains MalwareGuard to make malware classifications without human involvement, reducing the amount of time required to move from alert to fix.
Other recent additions include Policy Manager, supporting varying levels of access to help administrators balance the needs of security and performance; Alert Workflow Update, providing the necessary context for organizations to respond rapidly to the alerts that matter; and Cloud Identity and Access Management, enabling a higher level of authentication for cloud-based deployments.
Analysts’ take: Gartner notes that FireEye benefits from threat intelligence from Mandiant’s breach investigation team and iSIGHT Threat Intelligence service, as well as from FireEye products’ shared threat indicators. FireEye also offers a global managed detection and response service, FireEye as a Service, to help clients that are short on resources. Still, the research firm says a few clients report that the solution produces high false positive rates when first implemented, and that most of the EDR data is stored on the endpoint, making it challenging for incident responders to perform a full root cause analysis involving compromised endpoints that are offline.
Symantec EDR Highlights
Overview: Symantec EDR leverages precision machine learning and global threat intelligence to minimize false positives and help security teams maximize productivity. The solution helps incident responders quickly search, identify and contain all affected endpoints while investigating threats using on-premises and cloud-based sandboxing. Behavioral analysis at the endpoint and AI-based analytics in the cloud are leveraged to detect advanced attacks.
Recent developments: Symantec recently announced support for Targeted Attack Analytics (TAA), collecting and correlating Symantec Endpoint Protection telemetry in a massive cloud data lake and then leveraging AI algorithms to detect suspicious activity and emerging threats. As TAA finds attack groups and suspicious attack patterns, real-time incidents are created and streamed down to the EDR console, providing customers with a detailed incident that includes attacker profile, impacted systems and remediation guidance.
The company also added support for MITRE ATT&CK tactics and techniques and MITRE Cyber Analytics, providing visibility into how attacks progress and helping investigators see and respond to tactics used to target endpoints. Investigators can search and filter events and incidents by MITRE ATT&CK tactic and technique to quickly map events to the ATT&CK matrix.
Symantec EDR also now implements over a dozen detections from the MITRE Cyber Analytics Repository (CAR) as automated investigation playbooks. Supported MITRE CAR analytics playbooks include autorun differences, suspicious run locations, DLL injection load library, PowerShell execution and SMB events monitoring.
Analysts’ take: Gartner says Symantec is the most successful of the traditional EPP vendors in the EDR space and continues to be the leading vendor mentioned by other vendors as their main competition. Still, the research firm says Symantec is perceived as more complex and resource-intensive to manage than other vendors, and the company’s managed security services are expensive when compared to other options from newer vendors that focus on a narrower set of services or features.
EDR Product Ratings
Here are eSecurity Planet's ratings of each solution's key features.
Performance
FireEye: Very Good
Symantec: Good
Customers of both vendors report solid performance, with minimal impact on endpoints. The most recent Forrester Wave report on EDR solutions gave FireEye a rating of 3.08 out of five and gave Symantec 2.72 out of five. The rating is based on a range of criteria including configurability, agent effectiveness, forensic capabilities, deployment options and response actions.
Detection and Response
FireEye: Good
Symantec: Good
In recent testing, Forrester rated FireEye’s detection capabilities at 3.0 out of five, with Symantec following behind at 2.0 out of five. The tables were turned regarding response capabilities, however, with Symantec rated at 4.2 out of five and FireEye behind at 3.4 out of five.
Value
FireEye: Good
Symantec: Good
Customers of both companies report satisfaction with pricing and value for the money. Symantec offers managed services, but those services are more expensive than those from other providers.
Implementation and Management
FireEye: Good
Symantec: Good
Users of both solutions report relatively easy deployment experiences. Both solutions require skilled technical staff to manage, though managed detection and response services are available.
Support
FireEye: Very Good
Symantec: Fair
FireEye users report positive experiences with customer support. While some reviewers say the same of Symantec, Gartner says Symantec customers report inconsistent support experiences.
Cloud Features
FireEye: Good
Symantec: Good
Both companies offer cloud-based solutions, though neither is focused primarily on cloud functionality.
Deployment
FireEye Endpoint Security supports cloud, on-premises and hybrid deployments. Agents are available for Windows, Mac and Linux.
Symantec EDR offers cloud, on-premises and hybrid deployment models, and supports Windows, Mac and Linux systems.
Pricing Structure
FireEye Endpoint Security is purchased through a subscription model based on the level of protection and investigation tools available: the Essential Edition starts at $39 per endpoint, and the more advanced Power Edition starts at $58.50 per endpoint, with volume discounts available for both. Free trials are available.
Symantec EDR is priced per user per year, with volume discounting. Trials are available. CDW’s website provides some pricing information.