Buyer's Guide
EPP (Endpoint Protection for Business)
February 2023
Get our free report covering Microsoft, Palo Alto Networks, CrowdStrike, and other competitors of Cisco Secure Endpoint. Updated: February 2023.
686,748 professionals have used our research since 2012.

Read reviews of Cisco Secure Endpoint alternatives and competitors

SimonThornton - PeerSpot reviewer
Cyber Security Services Operations Manager at an aerospace/defense firm with 201-500 employees
Real User
Top 5
Provides good visibility and is fairly easy to set up within one tenant, but doesn't support multitenancy and is not as capable as other solutions
Pros and Cons
  • "I like the process visibility. This ability to visualize how something was executed is valuable, and the fact that Defender ATP is also linked to the threat intelligence that they have is also valuable. So, even if you have something that doesn't have a conventional signature, the fact that you get this strange execution means that you can detect things that are normally not visible."
  • "A challenge is that it is not a multi-tenant solution. Microsoft's tenant is a licensed tenant. I'm an MSSP. So, I have multiple customers. In Microsoft's world, that means that I can't just buy an E5 license and give that out to all my customers. That won't work because all of the customer data resides within a single tenant in Microsoft's world. Other products—such as SentinelOne, Palo Alto Cortex, CrowdStrike, et cetera—are multi-tenant. So, I can have it at the top of the pyramid for my analyst to look into it and see all the customers, but each customer's data is separate. If the customer wants to look at what we see, they would only see their data, whereas in the Microsoft world, if I've got multiple customers connected to the same Microsoft tenant, they would see everybody else's data, which is a privacy problem in Europe. It is not possible to share the data, and it is a breach of privacy."

What is our primary use case?

Microsoft Defender that you get by default on Windows is an unmanaged solution. It detects, but it is conventional EDR in the sense that it can detect malicious code on the machine, but it is not good from an enterprise point of view because you can't see what is being detected. The difference between Defender and Defender ATP is that you get what's called the execution chain, which is its classic use case. 

When I try to open an attachment to an email, Defender tells me that this is malicious, but when you are in an enterprise and you do receive an alert that the file is malicious, the problem usually for the analyst is that they don't know what the person clicked on. They know there was a malicious file but was it an attachment? Was it something on the USB stick? Did they download it from the internet? That's not clear. Defender ATP gives you the execution chain. In this particular example, you can see that it was outlook.exe that launched the suspicious file which then launched or tried to download various components. You can see the whole execution tree because very often, the initial thing you get is a dropper, which then downloads subsequent components, and very often, the subsequent components get missed.

It essentially gives you visibility into the execution chain. So, you are better able to do a risk assessment. For instance, if something came from Outlook, then you know that you need to go and look in Exchange or look in the mail system. If the trigger came from winword.exe, then you know that it was a document, and the person had opened a document from the email. You might see Internet Explorer, when it was still there, spawn PowerShell or a command shell, which is unusual, or you might see calc.exe open a command shell. All of this detection is invaluable for identifying whether something is suspicious or not. Your EDR might not detect any of this, but ATP would see this suspicious sequence of opening and flag it. So, essentially it is the visibility and the ability to detect unusual behavior that conventional EDR would not necessarily do for you.

Its version is usually up to date. It is a cloud solution. 

How has it helped my organization?

Its visibility is the most useful part of it, and it also increases the effectiveness of your response. You spend less time asking the users the standard question of what they clicked on, to which they usually say that they didn't click on anything. You can go in ATP, and you can see that they opened an email and then clicked on a link, and the link is this. There is no hiding this. Users do lie.

You can detect threats that are not necessarily known because of a behavior. If you have Internet Explorer opening a command shell, that is not normal. That does not happen unless there is some kind of malicious activity. It is also very good for visibility into what PowerShell scripts do. PowerShell is a double-edged sword. It is very powerful, but in a lot of cases, there is no visibility on what it is doing. With ATP, we generally have that ability.

What is most valuable?

I like the process visibility. This ability to visualize how something was executed is valuable, and the fact that Defender ATP is also linked to the threat intelligence that they have is also valuable. So, even if you have something that doesn't have a conventional signature, the fact that you get this strange execution means that you can detect things that are normally not visible.

The other feature that I like in Defender is that because it is up in the cloud, when you're trying to do any kind of managed service, it is fairly easy to set up if you're just within one tenant, but there are a lot of things wrong with the way Microsoft does it as compared to other products like Palo Alto Cortex, SentinelOne, or CrowdStrike.

What needs improvement?

The catch with ATP is you have to have the right Microsoft license. The licensing of ATP is linked to the licensing of Office 365. You have to have an E3 or an E5 license. If you have a small office license, it is not possible for you.

Another challenge is that it is not a multi-tenant solution. Microsoft's tenant is a licensed tenant. I'm an MSSP. So, I have multiple customers. In Microsoft's world, that means that I can't just buy an E5 license and give that out to all my customers. That won't work because all of the customer data resides within a single tenant in Microsoft's world. Other products—such as SentinelOne, Palo Alto Cortex, CrowdStrike, et cetera—are multi-tenant. So, I can have it at the top of the pyramid for my analyst to look into it and see all the customers, but each customer's data is separate. If the customer wants to look at what we see, they would only see their data, whereas in the Microsoft world, if I've got multiple customers connected to the same Microsoft tenant, they would see everybody else's data, which is a privacy problem in Europe. It is not possible to share the data, and it is a breach of privacy. So, the licensing and the privacy aspect makes it problematic in some situations.

It is also very complicated. If you decide to outsource your monitoring through an MSSP, the model for allowing the MSSP to connect to your Defender cloud is very complicated. In Office 365, it is relatively simple, but because of the way it has been done in Defender—because Defender is not part of the same cloud—it is a mess. It is possible, and it is workable, but it is probably one of the most complicated integrations we do.

It is still clunky as compared to products like Cisco AMP, SentinelOne, and CrowdStrike. Microsoft took the Defender product, and they bolted on the extra features, but you can see that there are different development teams working on it. Some features are well integrated, and some features are not. They keep on improving it, and it is better than it was. It is better than an unmanaged solution, but it is far from perfect.

For how long have I used the solution?

I have been using it for about two years. I've got a couple of customers today with it.

What do I think about the stability of the solution?

Its stability is less than that of some of the competition. I've seen machines having a blue screen. I've seen machines block, but it is usually a problem related to the lack of resources. I wouldn't deploy it on a machine with less than 16 gigs of memory. All the issues that we had on the laptops were essentially related to memory because it does all the analysis in memory, and it eats a lot of memory to do that. So, stability is more a function of making sure that your endpoint farm has what's available. If you've got less than 16 gigs, I would not recommend it. You need to either change your endpoints or consider using another solution because although it'll work, it can be very slow.

What do I think about the scalability of the solution?

It is like Microsoft Office. Its scalability is good, but I don't know how manageable it would be on a big scale. The biggest deployment I've worked on was about 5,000 endpoints, and it seemed to be okay.

How are customer service and support?

It is Microsoft support. It can be very good, and it can be very bad. It depends on who you get on the phone. I would rate them a five out of ten.

How would you rate customer service and support?

Neutral

How was the initial setup?

It is very simple. You can deploy it through the normal tools that you use, such as SCCM. The deployment for it is linked back to your tenant. 

We use it as a headless install. It is pushed out onto all the machines. Our normal rollout process rolls out about 50 to 100 machines in no time. They can pull the agents from the internet, or they can pull the agents internally, deploy them, and turn them on. For an antivirus, it is quite quick.

In terms of maintenance, it is pretty much like other Microsoft solutions. If you are able to do the auto-update functions, that's good. The downside to it is that it is fairly heavy on network traffic. On one of the large deployments, we found we had problems with the internet gateway because the console and all the telemetry and everything else is in the cloud. It was problematic.

It runs in the background. It is like any other antivirus solution. Sometimes, it needs tuning. An example would be that we have developers who do a lot of source code compiling. They might have tens of thousands of files that get touched or accessed when they do a compile. We have to make sure that those particular file types and certain directories are not scanned on read when they're opened. Otherwise, what normally might take an hour to compile can take more than 12 hours. That's not a problem specific to Defender. It is a problem in general, but it is fairly easy to create profiles to say that for those particular groups of machines or those particular groups of users, these file directories are exceptions to the scanning.

What's my experience with pricing, setup cost, and licensing?

The licensing fee is a function of your Office 365 license. The feature set you get is a function of the license as well. There is probably an E2 version, an E3 version, and an E5 version. There are several versions, and not all features are the same. So, you might want to check what features you're expecting because you might get shocked. If you only have an E3 license, the capability isn't the same.

You have to look at the total cost of ownership (TCO) because the license component is only one aspect of the block. So, if your internal IT teams know well about IBM cloud solutions, then Defender is very easy because there is nothing new. What hurts the projects is integration. It is a hidden cost because it is beyond licensing. It can be problematic if you don't have some of the other integration tools from Microsoft. So, if you don't have the package deployment platforms and all the cloud equivalents, then there is a lot of manual work involved.

The other aspect that comes into the cost is that there is an option to store. You can make the agents report a lot more information, but if you increase the storage, then you increase your Azure storage costs, which can be painfully expensive. You typically have about 7 to 30 days of basic detection data included, but if you want to keep a more detailed log so that your IT guys can go back and figure out what was going on, it would increase your storage requirements, and that can get expensive. I know customers who turned on some of the features to increase the detection rate, and they got a huge bill from Microsoft.

What other advice do I have?

A weakness, as well as an advantage, of Defender is that it is always on the cloud. There is no on-prem. You deploy additional agents into the customer infrastructure, but the console and the feedback are through the cloud.

Customers often say that Microsoft has included it in their license. So, it is license-cost neutral, but just because it is included in the license and appears to be cheap, it isn't necessarily a good reason for doing it. It isn't equivalent to other EDR or XDR solutions, but to an extent, you get what you pay for. ATP is a work in progress. To me, it is not a complete product.

Customers also go for it because it gives them visibility, and it means it is one less system to manage. They have the license for it, and they just want everything in the same ecosystem. There isn't much that we can do about that. As an MSSP, we're agnostic from a technology point of view. If the customer says, "This is what we want to do," we'll take it over.

I would advise asking yourself:

  • What do your endpoints consist of?
  • Which operating systems, such as Windows, Linux, iOS, or Android, will you have to support? The functionality that you get depends on your license.
  • What is it that you're trying to achieve by taking Defender? 
  • Are there more capable XDR-type solutions out there? 

If I was comparing them, from most effective to least effective or least integrated, I would put SentinelOne, Palo Alto Cortex, Cybereason, Microsoft Defender, and Cisco AMP.

If you want to get into the advantages of XDR solutions, which is about the detection capability coupled with artificial intelligence (AI) and data leaking, then it may not be the solution that you want. If you also want to be able to do threat intelligence, it is not the solution for you. That's because essentially the threat intelligence features are not there. You can get some threat intelligence from Azure, Microsoft Sentinel, etc., but it is not in the product like with Palo Alto Cortex, SentinelOne, or Cybereason.

I'd give it a cautious six out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: MSSP
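The execution-chain visibility the review above describes (Outlook launching a file that launches further components, a browser or calc.exe spawning a shell) comes down to reconstructing parent/child process relationships from process-creation telemetry and flagging pairs that should not occur. The following is an added illustration, not code from the reviewer or from Microsoft: it rebuilds the tree from a handful of constructed process-creation records (field names `pid`, `ppid`, `image` are assumptions modelled loosely on a Sysmon-style process-create event), reports shells whose parent or ancestor is a mail client, Office application, browser or calc.exe, and attaches the triage hint the reviewer gives for each origin (mail system, document, browser).

```python
from collections import defaultdict

# Constructed sample process-creation events (not real telemetry).
# Field names pid/ppid/image are assumptions for this example.
EVENTS = [
    {"pid": 100,  "ppid": 4,   "image": "explorer.exe"},
    {"pid": 200,  "ppid": 100, "image": "outlook.exe"},
    {"pid": 300,  "ppid": 200, "image": "winword.exe"},     # attachment opened from mail
    {"pid": 400,  "ppid": 300, "image": "powershell.exe"},  # document spawning a shell
    {"pid": 500,  "ppid": 100, "image": "iexplore.exe"},
    {"pid": 600,  "ppid": 500, "image": "cmd.exe"},         # browser spawning a shell
    {"pid": 700,  "ppid": 100, "image": "calc.exe"},
    {"pid": 800,  "ppid": 700, "image": "cmd.exe"},         # calc.exe spawning a shell
    {"pid": 900,  "ppid": 100, "image": "chrome.exe"},      # benign: no shell child
    {"pid": 1000, "ppid": 200, "image": "AcroRd32.exe"},    # PDF opened from mail
    {"pid": 1100, "ppid": 1000, "image": "cmd.exe"},        # shell two hops below outlook
]

# Script hosts and shells whose appearance under an unusual parent is worth a look.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Parents that should not ordinarily launch a shell (the review's own examples).
UNUSUAL_SHELL_PARENTS = {"outlook.exe", "winword.exe", "iexplore.exe", "calc.exe"}

# Where an analyst should look next, keyed by the origin found in the chain.
TRIAGE = {
    "outlook.exe":  "arrived by mail: review the mailbox / mail-system trace",
    "winword.exe":  "a document was opened: retrieve and analyse the file",
    "iexplore.exe": "originated in the browser: check proxy and download logs",
}


def index_events(events):
    """Map pid -> event and ppid -> [child pids] so the tree can be walked both ways."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e["pid"])
    return by_pid, children


def ancestry(by_pid, pid):
    """Image names from the highest known ancestor down to pid (root first)."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # `seen` guards against pid reuse loops
        seen.add(pid)
        chain.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


def find_suspicious_chains(events):
    """Return (chain, reason) for each shell launched by, or descended from,
    a process in UNUSUAL_SHELL_PARENTS. Events are inspected in the order given."""
    by_pid, _ = index_events(events)
    findings = []
    for e in events:
        if e["image"].lower() not in SHELLS:
            continue
        chain = ancestry(by_pid, e["pid"])
        parent = by_pid.get(e["ppid"], {}).get("image", "<unknown>").lower()
        if parent in UNUSUAL_SHELL_PARENTS:
            findings.append((chain, f"{parent} spawned {e['image']}"))
        elif any(p.lower() in UNUSUAL_SHELL_PARENTS for p in chain[:-1]):
            findings.append((chain, "shell with mail/office/browser ancestor"))
    return findings


def triage_hints(chain):
    """Hints for the analyst, one per recognised origin process in the chain."""
    return [TRIAGE[p.lower()] for p in chain if p.lower() in TRIAGE]


if __name__ == "__main__":
    for chain, reason in find_suspicious_chains(EVENTS):
        print(" -> ".join(chain), "|", reason)
        for hint in triage_hints(chain):
            print("    triage:", hint)
```

The rule set is deliberately small so the logic stays readable; in practice the parent list would be broader and the events would come from the EDR's process-create stream rather than an inline list. The `seen` set in `ancestry` matters on real data, where process IDs are recycled and a naive parent walk can loop.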
Chief Security Officer at a financial services firm with 201-500 employees
Real User
Top 20
Protects employees wherever they are and offers visibility into what machines need patching, but the deployment process needs improvement
Pros and Cons
  • "The OverWatch is the most valuable feature to me. It's a 24x7 monitoring service, and when they see anything suspicious in my environment, they will investigate."
  • "If we have a dashboard capability to uninstall agents, I think that would be great."

What is our primary use case?

We have several use cases including threat management, EDR, AV, and a SOC with 24x7 monitoring.

How has it helped my organization?

The fact that CrowdStrike is a cloud-native solution is very important. We don't have to deal with any upgrades on the appliances or console. The only thing we have to deal with is the upgrade of the agents. The SaaS model works very well for smaller companies like us.

The flexibility and always-on protection that is provided by a cloud-based solution are important to us. The cloud is everywhere. So, with the agent on the laptop, wherever the user may go, including home, office, or traveling, it's protected 24x7, all the time. That's what we require and this is what we got.

We haven't had cases where we have quarantined any material stuff yet, because we are relatively small and we don't see a lot of malware in our environment. In this regard, it has been relatively quiet.

In terms of its ability to prevent breaches, if you look at the cyber kill chain, the sooner you detect malicious activity, the better you are in responding as opposed to waiting for a data breach. I think CrowdStrike is capable of identifying malicious activity throughout the whole cyber kill chain. Step one is establishing when they have a foothold in the environment, and then detect whether they are moving laterally. The sooner they are discovered, the better we are at stopping data breaches.

CrowdStrike has definitely reduced our risk of data breaches. It reduces the risk of ransomware and it gives us comfort that someone is watching our back.

We had some end-of-life workstations that were running Windows 7 and for some reason, related to PCI compliance, CrowdStrike rejected them. This helped us in terms of maintaining our PCI compliance.

What is most valuable?

The OverWatch is the most valuable feature to me. It's a 24x7 monitoring service, and when they see anything suspicious in my environment, they will investigate. Essentially, they're an extension of my team and I like that. We're a small company and we only have a base of approximately 260 employees. As such, we cannot afford to hire skilled security people. So this makes sense for a smaller company like us.

There is a helpful feature to look into the vulnerability of the endpoint, which allows us to see which PCs have been patched and which ones have not. That helps my team to focus on those PCs that require their attention.

What needs improvement?

The deployment process is an area that needs to be improved. For some reason, CrowdStrike does not provide any help in terms of how to deploy the agent in a more efficient manner. They just don't provide the support there, which leaves their customers to figure out how to push agents out, either through GPO or through BigFix or through SCCM, and there was no support on that side. Not being able to complete the deployment in an efficient manner is one of the huge weaknesses.

It would be good if they had a feature to remove agents. We're in a transaction processing environment and if CrowdStrike is affecting a transaction processing server, we need to uninstall that agent pretty fast. Right now, the uninstall has to be done manually, which is not great. If we have a dashboard capability to uninstall agents, I think that would be great.

The dashboard seems a little bit too clunky in the sense that it's spread out in so many ways that if you don't log in on a daily basis, you're going to forget where things are. They can do a better job in organizing the dashboard.

For how long have I used the solution?

I have been using CrowdStrike Falcon for approximately five months.

What do I think about the stability of the solution?

I haven't had any issues for five months since we've installed it, which is good to know. No users have complained about any CPU spikes or false positives, which we like.

What do I think about the scalability of the solution?

If you have a way to deploy agents in a rapid manner, I think the scalability is there. As we buy and acquire companies, we have to roll out agents to those places. Right now, it's still very manually intensive and it slows down the process a lot. So, I think the scalability can be improved with a rapid deployment feature.

Our strategy right now is just to install CrowdStrike for PCs and laptops. Once we get comfortable with the technology, we can start testing the servers. It's just that we haven't finished the deployment to PCs and workstations yet.

We have approximately 260 endpoints and we're probably about 20% complete in terms of deployment.

How are customer service and technical support?

We've raised support tickets such as the request for rapid deployment capabilities. However, we only received responses to the effect that they do not support anything like it. In that regard, the support has not been great.

That said, we don't use the support site a lot because we haven't had any issues with CrowdStrike. So, I can't say much about that.

Which solution did I use previously and why did I switch?

Prior to CrowdStrike, we used Carbon Black Threat Hunter.

There is a huge difference between the two products. CrowdStrike is quiet. I think that Carbon Black Threat Hunter just locks everything that has to do with the endpoint. You generate a lot of noise, but it means nothing. Whereas CrowdStrike is more about real threats and we haven't seen much from it.

On the other hand, with Carbon Black Threat Hunter, we were able to deploy pretty fast and we could uninstall agents pretty quickly from the dashboard.

I had originally heard about CrowdStrike Falcon from my peers. A lot of CSOs that I have roundtable discussions with speak highly about it.

How was the initial setup?

The sensor deployment is a manual process right now, where we have to log into every workstation, every server, and install it manually. It's very time-consuming.

It's an ongoing process across our organization.

What about the implementation team?

One of our security engineers is in charge of deployment. However, we don't have someone on it full time. He works on this when he has time available, so we probably only have one-third of a person working on it.

What's my experience with pricing, setup cost, and licensing?

We completed a PoC using the trial version, and it was pretty easy to do. It took us less than an hour to deploy. It was just a matter of downloading a trial agent and setting it up.

Having the trial version was important because the easier the PoC is, the better the chances are of us buying the tool.

At approximately 40% more, Falcon is probably too expensive compared to Cisco AMP and Cylance, although that is because of the OverWatch feature. If you took out the OverWatch feature then they should be about the same. There are no costs in addition to the standard licensing fee.

Which other solutions did I evaluate?

We evaluated other products including Cisco AMP and Cylance. Neither of these products has the OverWatch feature that CrowdStrike has. The reason why we chose CrowdStrike was that we need to have 24x7 monitoring of our endpoints. That's the main difference.

In terms of ease of use, CrowdStrike is not so great. Cisco AMP has a better, cleaner dashboard and they're more mature in the way that you navigate. It's as though they have spent time getting customers to click on features and then figured out which is the quickest way to get to what you want, whereas CrowdStrike is not there in that sense.

Cylance is even better in terms of ease of use. They dumb it down to only a small number of menus and dashboards. There are probably only five dashboards that I look at on Cylance, whereas with CrowdStrike, I have to look at many.

What other advice do I have?

My advice for anybody who is considering CrowdStrike is definitely to start with a PoC, and then definitely to subscribe to OverWatch. I think that OverWatch is the main benefit to it.

The biggest lesson that I have learned from CrowdStrike is about the different threats that are out there. They have a nice dashboard with information about threats, and you can read it and learn from it.

I would rate this solution a seven out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Mohammad Qaw - PeerSpot reviewer
Security Consultant at Help AG
MSP
Perfect correlation and XDR capabilities for network traffic plus endpoint security
Pros and Cons
  • "From a single pane of glass, you can easily manage all of your endpoints."
  • "The solution should force customers to integrate with network traffic to see the full benefits of XDR."

What is our primary use case?

Our company uses the solution for endpoint protection, detection, and response. The solution has antivirus and EDR capabilities. Our SOC analysts use it to investigate incidents. We currently have 300 to 400 users with two admins for management. The solution is installed on all user laptops to protect workstations.

We also implement the solution for customers as a service. Most customers buy the solution for regulatory reasons and compliance standards. It gives you all the compliance points and improves how your SOC functions because it provides comprehensive visibility over the entire network and endpoints. It is called XDR because it not only looks at endpoints but also network traffic.

The solution is offered on Palo Alto's private network. I think the underlying provider is Google Cloud, but that doesn't really matter. You are asked the region of your instance for connection such as Europe or the Middle East. 

What is most valuable?

The solution perfectly correlates with the Palo Alto Networks firewall to perform XDR capabilities such as network traffic plus endpoint security. This is what distinguishes the solution from other products.

From a single pane of glass, you can easily manage all of your endpoints.

The dashboard is intuitive so you can easily investigate or track incidents. 

The solution has a fair amount of integrations with certain intelligence tools or third-party products. 

What needs improvement?

The solution should force customers to integrate with network traffic to see the full benefits of XDR. If you are not integrating it or feeding in your network traffic, then you are just buying a normal antivirus which doesn't make any sense. You are paying double the price to use the antivirus feature or to say you have XDR, but in reality you are not using it. 

The solution should include an on-premises option because some customers want only on-premises. It would be hard, but good to do if possible. 

Open XDR would be beneficial in the future. Right now, the solution is Closed XDR so cannot communicate with the few new vendors in the Open XDR market. 

For how long have I used the solution?

I have been using the solution for more than two years.

The solution used to be called Traps when it was on-premises only. It was rebranded as Cortex XDR when it became a cloud solution. 

What do I think about the stability of the solution?

The solution is stable so I rate stability a nine out of ten. 

What do I think about the scalability of the solution?

The solution is very scalable. You can have 500 users and scale tomorrow to 10,000 with no extra work but just purchasing the licenses needed. 

I rate scalability a ten out of ten. 

How are customer service and support?

The level of support fluctuates but on average is rated an eight out of ten. 

How would you rate customer service and support?

Positive

How was the initial setup?

The setup is very easy because it is a cloud solution. You just log in and use it immediately. I rate setup a nine out of ten. 

What about the implementation team?

We are a third-party integrator and implement the solution for customers. One staff person can handle an implementation. 

As a customer, you receive a link which is your tenant for login. From there, deployment time is just how long it takes to get the installer agent and put it on all of your endpoints. For example, if you are a corporation that has 300 laptops, then you install the agent on each and every server.

You will need about three hours to configure the solution and then it is up to your admins to install the agent on all endpoints. There is usually a way to automatically install agents from the Active Directory or other tools.

You need to integrate your network traffic to the XDR itself. If you have a Palo Alto Firewall, it is easy to navigate through integration. If you have FortiGate or Cisco firewalls, then you can configure the firewall to send the log to the cloud. It is sometimes hard to convince customers to send or keep their logs on the cloud. 

What's my experience with pricing, setup cost, and licensing?

The solution has one subscription for endpoint protection and one subscription for detection and response. The two licenses combined give you the Pro version.

The solution is neither inexpensive nor expensive, so I rate pricing a three out of ten. 

Which other solutions did I evaluate?

Nowadays, CrowdStrike, Cortex XDR, and the solution are rebranding and selling their products as XDR. Everyone hears about antivirus but now XDR is available to protect endpoints and get intelligence from the network. 

Most customers who have an XDR product only use the antivirus features. They are not correlating the network traffic with the XDR itself, so they are not getting the full benefit. 

The solution does not force you to correlate so you can use it without integrating with your network. But again, this is not how XDR is supposed to work. 

For example, if you buy a Bugatti but only drive it at 80 kilometers per hour, then you should just go and buy a Nissan. If you buy XDR but do not integrate it with your network traffic, then you just have a Nissan antivirus. 

What other advice do I have?

I recommend the solution and rate it a ten out of ten. 

Which deployment model are you using for this solution?

Private Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Google
Disclosure: My company has a business relationship with this vendor other than being a customer:
FrançoisNolin - PeerSpot reviewer
Cybersecurity architect at Alithya
Real User
Top 10
Easy to set up and user-friendly with good support
Pros and Cons
  • "It’s really easy to use."
  • "It would be interesting if the solution offered a way to try to investigate and create a use case to trace vectors."

What is our primary use case?

FortiClient is for the VPN. FortiClient is used with FortiGate. We have 100 users across both North America and Europe. We created a rule with the firewall to authorize the countries we are in, and we have rules to authorize specific IPs. We have to link to the internet.

How has it helped my organization?

The incidents in the log have been very useful. Some projects are really a pain to investigate. This helps.

What is most valuable?

The solution is user-friendly. It’s really easy to use. It is not like Cisco where GUI is really bad.

I don't really have issues with them. In terms of features, everything is easier.

When you want to find any information, you have documentation on hand that is easy to use.

You have good support and the price is good.

The solution is very easy to set up.

What needs improvement?

I’m not sure what exactly can be improved.

It would be interesting if the solution offered a way to try to investigate and create a use case to trace vectors.

For how long have I used the solution?

I’ve used the solution for more than two years.

What do I think about the stability of the solution?

We don’t have any issues with stability. It’s been fine. There are no bugs or glitches and it doesn’t crash or freeze. We don’t have any issues with the internet or power supplies.

What do I think about the scalability of the solution?

We have about 100 users on the solution currently. We don’t really scale it.

How are customer service and support?

Technical support has been excellent. They are fantastic.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I used a different solution. However, it does not cover the same responsibilities.

Sometimes, for SOCs, I’ve looked at WatchGuard, Palo Alto, Cisco, and Check Point.

How was the initial setup?

The initial setup was simple and straightforward. It wasn’t difficult at all.

I wasn’t a part of the initial setup and we tried to switch since the first time the person deployed it. In FortiGate, he used the wrong setting and the wrong methodology. We had to try to make some changes without creating any issues with the production.

It is very easy when you start at the beginning. It is not long to deploy.

What about the implementation team?

We handled the setup ourselves in-house. However, when I leave the company, likely they will try working with a third party as they don’t have the time and have a contract with other clients.

What was our ROI?

I don’t deal with anything related to pricing or costs or ROI.

What's my experience with pricing, setup cost, and licensing?

I don’t know the exact pricing of the solution. It’s not an aspect I worry about.

Which other solutions did I evaluate?

To compare every project on FortiClient you have and compare it with Palo Alto. Palo Alto offers a few more powerful new features. You can automate the use case. You have internet analysis and endpoint analysis. I would like to see the same options in FortiClient.

What other advice do I have?

I administrate FortiGate.

Within my new job, I am trying to be a partner with FortiGate and FortiClient to sell it to other clients. I have to get my certification just to be an expert.

I’d advise users to just look into best practices. Maybe try to join a training session. You can also simply go on the internet and try to find the best practices that make sense for you.

I’d rate the solution eight out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Owner/CEO at Mator
Real User
Top 10
Good API integration, user-friendly user interface, and easy installation
Pros and Cons
  • "The most valuable features of this solution are, of course, the IPS/IDS, Intrusion Prevention, Intrusion Detection, and Antivirus."
  • "The proactive feature is excellent, but I do not believe ESET will make any changes to this feature in the future."

What is our primary use case?

The primary use case of ESET Endpoint Security is the antivirus.

What is most valuable?

The most valuable features of this solution are, of course, the IPS/IDS, Intrusion Prevention, Intrusion Detection, and Antivirus.

I believe I can find it in the most recent version in a sandbox. Network security in a sandbox includes seven different tools, including network security, IPS/IDS, and ESET, which is also valuable.

It is easy to use.

The user interface is very easy. 

API integration is good. 

They have an iteration tool that makes the API connection flawless.

What needs improvement?

I don't see changing EDR in the cloud's future. Tool for being proactive. The proactive feature is excellent, but I do not believe ESET will make any changes to this feature in the future. But, proactive is excellent.

I would like to see ESET include the Proactive feature. The process is killed by decision support. Unplug the endpoint book station from the network.

If you do not use Cynet, it must be added to ESET Endpoint.

For how long have I used the solution?

I have worked with ESET Endpoint Security for five years.

I have a three-year service agreement with ESET to sell green. It's been three years, and I believe it's near the end of the year. 

I have no issues with ESET; it's the workstation's ESET and Cynet. I believe they are perfect solutions.

I am working with EDR, it's a full version. We have updated it to the latest version.

It is a central update, it's cloud maintenance.

Because I do not have any sensitive data, it is sufficient to use the public cloud.

What do I think about the stability of the solution?

ESET Endpoint Security is very stable.

All of the update releases are very established.

I would rate the stability a nine, or ten out of ten.

What do I think about the scalability of the solution?

I have not experimented with scalability.

With servers, we have approximately 3,000 users in my department. This includes the hardware and virtual servers.

How are customer service and support?

We have no issues with the local technical support team that we use in Israel.

I would rate them a five out of five.

They are excellent. 

They respond quickly and speak the language, which is beneficial.

Which solution did I use previously and why did I switch?

I am working with a new Endpoint Security Company, and the name of the product is Cynet.

I am still working with Cynet.

Instead of Cynet, it is an EDR. It is now extended XDR. It is an extended response.

For Endpoint Security, I use both ESET and Cynet. However, unlike ESET, Cynet is a proactive tool. MDR is included. It is also paired with SOC.

One of the companies I oversee is one of the Mator company's branches, and they use Cisco Endpoint Security, which is a terrible tool when compared to ESET or Cynet.

How was the initial setup?

The initial setup is very simple.

We require one person a few hours per month for maintenance.

I have about 3,000 endpoints and a three-person IT team.

What's my experience with pricing, setup cost, and licensing?

I have purchased the full version.

I would rate the pricing a three out of five.

It is not expensive, but it is also not inexpensive. There is room for improvement, and the price could be lower.

What other advice do I have?

I would rate ESET Endpoint Security an eight out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.