Organizations must rely on endpoint security software to protect their devices from the many threats, such as fileless malware, Trojan horses and ransomware, that come with conducting business.
These products can vary significantly, however. They support different device types and offer varying cybersecurity capabilities. Even different editions within the same product family can offer significantly different feature sets.
This article examines six endpoint security platforms that are some of the most popular products on the market: Bitdefender GravityZone, Kaspersky Endpoint Security, McAfee Endpoint Security, Microsoft Defender for Endpoint, Sophos Intercept X Endpoint and Symantec Endpoint Security. Although there are many other endpoint security products available, these six provide a good cross section of the factors that IT decision-makers should take into account when they evaluate their organization's needs.
Before exploring the endpoint security market, it's important to define what these offerings are and what they provide.
What is endpoint security software?
Endpoint security products protect devices from various security threats and vulnerabilities. Endpoints can include servers, desktops, laptops, tablets, smartphones and IoT devices. These products can also include virtual environments running guest operating systems such as Windows or Linux. The extent of protection that a system provides and the way it implements protection vary widely from one product to the next.
Endpoint security software often takes a multi-layered approach to safeguarding devices, relying on both traditional and modern technologies to address a wider range of threats. Some might also incorporate machine learning (ML) and other artificial intelligence (AI) technologies to predict and mitigate sophisticated attacks.
These products often come in multiple editions, each offering a different set of features. Some products are also part of larger security suites that deliver more comprehensive protection. An endpoint security product might provide threat analytics, firewall protection, antimalware and antivirus capabilities, endpoint detection and response (EDR) or other features. Some products add further safeguards, such as predicting potential threats, protecting against fileless or network attacks, or providing email and disk encryption. Only by understanding each product's full capabilities can IT admins compare one against another.
Editor's note: This article does not rank the products; instead, it lists the notable features, integrations and shortcomings of each.
Bitdefender GravityZone
The GravityZone security suite provides multi-layered protections that incorporate ML, advanced heuristics and other technologies. Bitdefender's multiple editions suit organizations of various sizes as well as managed service providers (MSPs). Depending on the edition, IT admins can deploy GravityZone on premises or have it hosted in the cloud by Bitdefender. Bitdefender also supports features such as anti-exploit, anti-ransomware and smart centralized scanning.
Many features are available only in specific editions or offered as add-ons. For example, every edition can protect physical and virtual systems, including Windows servers and workstations, Linux servers and macOS workstations. However, only some editions also protect mobile devices running Android and iOS, and the editions with mobile security features are limited to on-premises management. Patch management and full-disk encryption are available to all editions as optional add-ons. Some capabilities, such as root-cause analysis or incident visualization, are standard features in some editions and add-ons in others.
GravityZone integrates with security information and event management (SIEM) systems such as Splunk, and enterprise IT software including VMware vCenter, Citrix Hypervisor and Microsoft Active Directory.
Bitdefender publishes prices only for the GravityZone products aimed at small and midsize organizations, with fees that depend on the number of devices and the length of the subscription. For example, GravityZone Business Security, the most basic edition of the platform, costs $518 for a three-year license that covers up to three servers and up to 10 laptops, desktops or file servers. Enterprise organizations and MSPs must contact Bitdefender directly for pricing and licensing information for the advanced editions.
Kaspersky Endpoint Security
Kaspersky offers an assortment of endpoint security systems that target organizations of diverse sizes. At the small end, Kaspersky Small Office Security protects up to 50 desktops. On the other end of the scale, Kaspersky Integrated Endpoint Security is a unified platform that incorporates Kaspersky EDR Optimum, Kaspersky Sandbox and Kaspersky Endpoint Security for Business. Other editions include Endpoint Security Cloud, Endpoint Security Cloud Plus and three standalone editions of Endpoint Security for Business.
Features vary significantly between products and editions. For example, Endpoint Security Cloud Plus and Endpoint Security for Business Advanced provide patch and encryption management, along with Microsoft 365 security. These features are not available with Endpoint Security Cloud or Endpoint Security for Business Select. However, all four of these products offer device protection and management for Windows, macOS, iOS and Android devices, as well as integration with professional services automation (PSA) systems and remote monitoring and management platforms. The Endpoint Security for Business editions also integrate with Active Directory, SIEM products and enterprise mobility management platforms.
Kaspersky pricing depends on the specific product and edition, with licenses offered for one, two or three years. The vendor licenses cloud platforms on a per-user basis. A user, in licensing terms, can be a computer or file server, plus two mobile devices. The on-premises platforms are licensed on a per-device basis. A device can be a PC, server or mobile device. As one pricing example, a three-year license for Endpoint Security for Business Select runs $675 for up to 10 devices. Organizations must contact Kaspersky or one of its partners for pricing and licensing details about more advanced products.
McAfee Endpoint Security
McAfee Endpoint Security takes a simple approach to product and edition structure. McAfee offers a single endpoint security platform that includes four security modules: Threat Prevention, Firewall, Web Control and Adaptive Threat Prevention. McAfee integrates the modules into a single interface, and organizations choose which modules to deploy on their endpoints. The modules operate independently of each other to provide multiple security layers; however, they rely on common McAfee components.
McAfee Endpoint Security works with Windows, macOS and Linux operating systems. Unlike many endpoint security platforms on this list, McAfee Endpoint Security cannot manage mobile devices.
Administrators can use the same policy configurations to manage both Windows and macOS systems. The platform incorporates ML to protect endpoints. McAfee Endpoint Security also includes features such as proactive threat detection and response, protection against targeted attacks, dynamic application containment, rollback remediation and intelligent adaptive scanning.
The McAfee Endpoint Security platform is built on an open, extensible framework that integrates with other McAfee systems and third-party products. The McAfee ePolicy Orchestrator console, for centralized management, can integrate with over 150 third-party offerings from vendors such as Cisco, Cloudera, Mimecast and Nutanix. McAfee publishes no pricing information about Endpoint Security. Organizations have to contact McAfee directly for details about cost and licensing.
Microsoft Defender for Endpoint
Microsoft Defender for Endpoint, formerly Microsoft Defender Advanced Threat Protection, is a cloud-based security protection service that prevents, detects, investigates and responds to advanced threats targeting Windows, macOS, Linux, Android and iOS devices. Defender for Endpoint uses Microsoft's cloud security analytics for insights into the Windows ecosystem. The tool uses threat intelligence generated by Microsoft's internal security team, and augments it with partner intelligence, which shares data from fellow Microsoft customers to improve the platform's performance. Although the product supports several non-Windows platforms, its focus is clearly on Windows.
Defender for Endpoint uses technologies built into the Windows operating system and Microsoft's cloud services to safeguard data and provide agentless protection for Windows devices. For example, Defender for Endpoint uses sensors built into Windows 10 to collect and process behavioral data. Support for non-Windows devices depends on the specific OS. Defender for Endpoint offers antivirus and EDR capabilities for macOS devices, but only antivirus capabilities for Linux servers.
Defender for Endpoint integrates with other Microsoft platforms and services such as Microsoft Endpoint Manager, Azure Security Center and Skype for Business. The system also exposes data and actions through a set of APIs that enable automation, data streaming and SIEM integration.
To use Defender for Endpoint, customers require a volume license such as Windows 10 Enterprise E5 or Microsoft 365 E5. Microsoft publishes only a limited amount of pricing information about these licenses. For example, a Microsoft 365 E5 license starts at $57 per user, per month, based on an annual commitment. However, there's a lot of fine print that comes with Microsoft licensing, and organizations should understand the specifics before using Defender for Endpoint to protect their devices.
Sophos Intercept X Endpoint
Intercept X Endpoint is an endpoint security software product that incorporates deep-learning AI to safeguard against malware. The software also protects endpoints from ransomware, viruses and exploits. Sophos offers three Intercept X editions: Advanced, Advanced with EDR, and Advanced with EDR and MTR, which is available at two levels. Features vary significantly between editions because of the EDR and MTR components. However, all editions support endpoint devices running Windows 7 or later or macOS.
The platform provides real-time antivirus and antimalware capabilities and includes features such as automated malware removal, root-cause analysis, web and application control, URL blocking and active adversary detection and prevention. The EDR option makes it possible to detect active adversaries, remotely respond to threats and preemptively block breaches. The MTR option adds threat hunting, proactive threat response and continuous improvement.
Intercept X is integrated into Sophos Central, so users can manage Intercept X alongside other Sophos security products. Sophos Central also supports third-party integrations with product types such as SIEM, PSA and remote monitoring and management.
Intercept X Endpoint prices depend on the edition, number of users and length of contract. As one example, the basic Intercept X Advanced edition can protect 500 to 999 users for $28 per user per year with a 36-month contract. For more detailed pricing information, organizations must contact Sophos or one of its partners.
Symantec Endpoint Security
Symantec Endpoint Security is an integrated security platform that IT admins can implement as an on-premises, hybrid or cloud-based platform. The platform uses a single on-device agent for all endpoint operating systems, including Windows, macOS, Linux, Android and iOS. Using a single agent limits the platform's intrusiveness on the endpoint and reduces administration overhead. Symantec Endpoint Security integrates features such as EDR, attack surface reduction, and attack and breach prevention, rather than treating them as separate modules as McAfee Endpoint Security does.
Symantec Endpoint Security uses ML for exploit and malware prevention as well as for EDR threat hunting, and it uses Broadcom's Global Intelligence Network for threat analytics and data blocking. The platform also provides a cloud-based management system covering all types of endpoints from one console, and it uses AI to guide security management.
Editor's note: We reached out to Broadcom for a screenshot of the platform but have not received any response at time of publication.
Symantec Endpoint Security comes in two editions: Enterprise and Complete. Both editions offer mobile threat defense, device control, secure network connections, firewall, host integrity checks and numerous other features. The Complete edition adds response and remediation capabilities and expands on the breach prevention and attack surface reduction capabilities of the Enterprise edition.
Symantec Endpoint Security integrates with other Symantec products and third-party applications, such as Microsoft Graph and Open C2. In addition, the platform integrates with the Symantec Web Gateway, which provides programmable REST APIs for interfacing with on-premises network security infrastructure.
Symantec's parent company, Broadcom, does not publish pricing information about Symantec Endpoint Security. For pricing details, organizations should contact Broadcom or one of its partners directly.