We use it for endpoint protection. It's an active EDR endpoint protection tool. Think of it as an antivirus and endpoint protection solution with machine learning, like McAfee on steroids.
In our company it is deployed in 83 countries and on over 40,000 workstations and servers.
It provides incredible visibility in a single pane of glass. The dashboard gives me visibility over all the endpoints, which are broken down by country, and then broken down within each country by brand and machine type. It provides a very simple way for me to understand if
In addition, it logs to my SIEM tool, cloud-natively, which makes it a very effective weapon to help diagnose and remediate any potential bad actors in my environment.
The Behavioral AI feature for ransomware and anti-malware protection does an outstanding job of identifying abnormal behavior patterns in my environment. Once we allowed it to sit in learning mode for about 30 days, we switched all our endpoints into what is called Protect mode, instead of Detect mode. With Protect mode, we have different functions available to us, such as kill, quarantine, identify, and rollback. Using those features, we are really able to protect our endpoints much better. We take advantage of the fact that we have a machine, or an automated process, governing our endpoint protection. That reduces the total headcount needed to babysit my environment.
Furthermore, Behavioral AI recognizes novel and fileless attacks and responds in real-time. It improves my security, reduces my total cost of ownership and management, and provides enhanced protection for what is now a highly mobile population. Due to COVID-19, we have had to take most of our workforce, and that's over 40,000 people around the world, and give them access to work remotely through a series of different mechanisms. In doing so, we felt much more comfortable because we have this endpoint protection tool deployed. It provides us not only the visibility into what the tool is doing and how it's protecting us, but it allows us to look at what applications are installed, what IP range is coming on, and what network it's sourced from.
And with Ranger we're able to help identify additional networks. Using SentinelOne with Ranger, allowed us to take a look at some of our smaller offices in Asia Pacific where we didn't have exceptional visibility.
We also use the solution’s automatic remediation and rollback in Protect mode, without human intervention. I want to protect mode for both malicious and suspicious, and that is in Protect mode. Having turned that on, we saw no negative impact, across the board, which has been an outstanding feature for us. It does save time on having to go in and identify things, because we allowed it to run in learning mode for so long. It learned our business processes. It learned what's normal. It learned file types. It learned everything that we do enough that, when I did turn that feature on, there were no helpdesk calls, no madness ensued, no people complaining that files were being removed that they needed. It worked out very well for us.
We also use the solution’s ActiveEDR technology. Its automatic monitoring of every OS process, at all times, improves our security operations greatly. There is a learning time involved. It has to learn what processes are normal. But the fact that it's actively engaged with every process—every file that moves across it, every DLL that's launched, whether or not it's automated or process-driven—everything is viewed, inspected, and categorized. And it allows us to have enhanced visibility that ties directly into the Deep Visibility. I can look at and help identify behavior patterns.
For example, yesterday I wrote a series of queries for Deep Visibility that are based on MITRE ATT&CK parameters. Those give me reports, on a daily basis, of how effective this tool really is because I can use MITRE ATT&CK engine parameters to help define what's going on. Even if something is not considered malicious behavior by the tool itself, if I take that information and couple it with information I can pull from Tanium and information I pull from other tool sets, and aggregate that into my SIEM tool, my use case is provided. I get more positive and actionable intelligence on how my endpoints are behaving. If I have somebody out there who is doing testing of software, I can pick that out of a crowd in a second.
We have application control and containers available. Since we have AWS, Azure, and a myriad of cloud platforms, it's been hugely beneficial to us. Considering that we are endeavoring, as an organization, to move into cloud-based solutions, this has been a huge benefit.
Overall, SentinelOne has absolutely reduced incident response time. It's instantaneous. It has reduced it by at least 95 percent.
I use the tool to help me determine how well my other tools are working. For example, we have a role called a RISO, a regional information security officer. Those people are responsible for regions of the globe, whether it be Latin America, Asia Pacific, or AMEA. The RISOs now use the tool because it can help them identify other tools we have rolled out, like Zscaler. They can go into the SentinelOne console and query for Zscaler and look at all the machines in their environment and determine what the delta is. It allows people with different levels of knowledge and different roles in an organization to have visibility. It's been outstanding. That, in and of itself, makes it a better tool than its counterparts and it makes it usable for non-technical and non-security people.
We get the long-term strategic benefits of having enhanced visibility and the more short-term tactical benefits of knowing that our endpoints are protected, the visibility is there, and that no matter what lands on top of it, it's going to get taken care of.
The most valuable feature of the solution is its ability to learn, the fact that once you tune it correctly, it knows how to capture and defeat malicious activity on the endpoints. It's not set-it-and-forget-it, but it does give me a much more comfortable feeling that my endpoints are secure and protected from malicious behavior.
SentinelOne also provides equal protection across Windows, Linux, and macOS. I have all of them and every flavor of them you could possibly imagine. They've done a great job because I still have a lot of legacy infrastructure to support. It can support legacy environments as well as newer environments, including all the latest OS's. The latest Mac OS X that's coming out is already supported and in test for our organization. The complete coverage of every OS that we have in our environment has been a huge benefit because I don't have to have different tools to support them. There are cost savings not only on licensing but because I don't have to have different people managing different consoles. For me, having single pane of glass visibility is incredibly important because we run a very lean team here. We are a skeleton crew governing all 83 countries. In doing so, it provides us the ability to do a lot more with a lot less.
I use the Deep Visibility feature every single day. It is outstanding because I just create hunting cases and then I can load them. I can figure out what queries I want to run and I can go digging. And with the queries that I have built for the MITRE ATT&CKs, it makes it very simple to identify something. And now that I have reporting set up based on those queries, I get emails every day.
Using Deep Visibility I have identified a threat and figured out information about it. I've also used Deep Visibility to be proactive versus reactive as far as my alerting goes. I know that SentinelOne will protect my endpoints, but there's also a case where there isn't specific malicious behavior but the patterns look malicious. And that's really what I'm writing these queries for in Deep Visibility.
Here's an example. You can do a lateral movement in an organization. You can RDP to one server and RDP to another server, depending on how your software defined perimeter is configured. Unless you do something malicious, SentinelOne will look at it, but it won't necessarily stop it, because there is no malicious activity. But I can write a query in Deep Visibility to show me things. Let's say somebody breached my secure remote access solution. With the Deep Visibility queries that are being run, I can see that that one machine may have RDPed to a server and RDPed to another server and been jumping around because they may have gotten compromised credentials. That can be reported on. It might not have been malicious behavior, but it's an activity that the reporting from Deep Visibility allows me to pursue and then do a deeper dive into it.
If they would stop changing the dashboard so much I'd be a happy man.
Also, if it had a little bit more granularity in the roles and responsibilities matrix, that would help. There are users that have different components, but I'd be much happier if I could cherry-pick what functions I want to give to which users. That would be a huge benefit.
The nice thing about SentinelOne is that I get to directly engage with their leadership at any time I want. That allows me to provide feedback such as, "I would like this function," and they've built a lot of functions for me as a result of my requests. I don't really have much in the way of complaints because if I want something, I generally tend to get it.
I have been using SentinelOne for about 14 months now.
It's incredibly stable. We really haven't had any significant issues. There have been a couple of things here and there where certain versions of the product weren't disabling Windows Defender effectively. I think that was predicated on a GPO that we identified that had been accidentally linked and that kept turning Defender back on again. The issues were very trivial things.
I talk to my TAM once a week, minimum. I think I have the best customer support in the business.
I had an issue that I raised a couple of weeks ago and within minutes I had an army of engineers working on it. By the end of the week, I had senior management calling me asking me what else I want, what else I need, and how else they could help me.
They go all-in. I have never had to wonder or concern myself with whether I will be getting adequate support? Will the support be on time? Will the support be effective and accurate? Not once, not ever.
I have such a close relationship with the team, not only the team that sold it to me but the team that supports me. We call each other on a first-name basis and we talk about how we're doing. It's that kind professional relationship. That's how good it is.
Before, we had a mix of dozens of different solutions across the enterprise. We didn't have any one, ubiquitous solution. We had a mix of McAfee and Panda and Kaspersky. You name it, we owned a copy of it, and that didn't provide a unified field of view. It also didn't provide the best protection that money can buy and, in my opinion as a professional in this industry for 25 years, this is the best protection money can buy.
The initial setup of SentinelOne was very simple. I packaged the executables into MSIs, including the token ID, I created a package in Tanium, and I dropped it on all the workstations. I was able to deploy it to over 40,000 endpoints in 35 days.
When you govern as much real estate as I do, meaning the number of endpoints and the number of different business units that those endpoints comprise, there had to be a deployment strategy for it. I broke it down into countries, and in each of those countries I broke into brands and I broke it into asset types, whether they be servers or workstations, whether they're mobile or localized. It's not difficult to push out there, as long as you create exclusions. I used my legacy tools in parallel with this for a month and still never faced any issues.
For any organization, if you have any kind of deployment mechanism in place, you could put your entire workforce on this and it wouldn't matter how many endpoints. If they're online and available and you have a deployment solution, you could do it in a month, easily, if not less. I could've done it much faster, but I needed to do a pilot country first. I did all the testing and validations and then, once we went into production mode, it was very fast.
I got a really good deal so I'm very happy with the pricing.
I looked at everything. I looked at CrowdStrike, Cylance, Carbon Black, and I had McAfee as the largest of the incumbents. I tested them all and I validated them all and I pushed every malware virus—everything in my collection—at them. I built a series of VMs to test and validate the platform. I tested against multiple operating systems. I tested against downloads, I tested against uploads. I tested visibility. I did this entire series of tests and listed out 34 or 35 different criteria. And at the end of the day, SentinelOne came out on top.
One of the huge benefits of SentinelOne is the Full Remote Shell. That has been an incredibly useful tool for me.
Cylance came in second. It has very similar functionalities, very similar builds, but not a full remote shell. It had the single pane of glass dashboard, but the visibility I get out of SentinelOne, as well as the protection and the capability to run the Full Remote Shell pushed it over the top.
Carbon Black was nice, but I had to run two different dashboards, one cloud and one local. I couldn't get single pane of glass visibility from that.
When I tested SentinelOne against all the engines, they all pretty much found everything. Mimikatz was the deciding factor. A couple of the solutions flagged it but didn't remediate it. SentinelOne just rolled everything back as it started to discover it. It actually pulled the installer out, so that was nice.
A lot of new technologies that are out there are very similar. They are pulling from public threat feeds and other learning engines. But if you compare and contrast all the features available, SentinelOne is just going to edge everybody else out. And they're constantly evolving the product to make it more efficient and to have a smaller footprint too. When they came out with Ranger, we were still doing some network discoveries around our environment to try to figure out exactly what was still out there. That came to be a very useful tool.
It really just shines. If you compare it to everybody else there are a lot that come close, but nobody else can really quite get to the top. SentinelOne really gives you the best overall picture.
Do your homework. I would encourage everybody, if you have the capabilities, to do what I did and test it against everything out there. If you don't have those capabilities and you want to save yourself a lot of time, just go straight to SentinelOne. I cannot imagine any organization regretting that decision. With the news stories you read about, such as hospitals under attack from malware and crypto viruses—with all the bad actors that exist, especially since the pandemic took over—if you want to protect your environment and sleep soundly at night, and if you're in the security industry, I highly encourage you to deploy SentinelOne and just watch what it's capable of.
I don't use the Storyline technology that much simply because I'm really turning this into a more automated process for my organization. An example of where we may use Storyline is when we download an encrypted malicious file. Let's say that email was sent to 500 people. If it gets through our email gateway, which is unlikely, I can not only identify those users quickly, but I can also use the Storyline to determine where it came from, how it got there, and what it was doing along the way. And while it killed it, it will tell me what processes were there. It helps us create and identify things like the hash, which we then summarily blacklist. Overall, Storyline is better for identifying what had happened along the way, but after the fact. For me, the fact that it has actually taken care of it without me having to go hunt it down all the time is the real benefit.
The only thing we don't take advantage of is their management service. We do have a TAM, but we don't have Vigilance.
For top-down administration, there's only about six of us who work with the solution. For country level administration, we have one or two in every country in those 83 countries.
We run a myriad of different front office and back office environments. SentinelOne had to learn different environments in different countries. It had to understand the business processes that are surrounding those. We did a substantial amount of tuning along the way, during the deployment. And then, of course, there are agent updates and there are considerations when you get a new EA version and are creating test groups. But, as an organization, we have reduced our total cost of ownership for our EPP platform, we have improved our visibility a hundred-fold, and we have maintained our data integrity. It really is the one end-all and be-all solution that we needed.
It's a home run. I've been doing this a long time and I've done this in over 48 countries around the world. Given what we do with this product and the visibility it has given us and the protection it has given us, I feel very comfortable with my security right now.
We have several use cases including threat management, EDR, AV, and a SOC with 24x7 monitoring.
The fact that CrowdStrike is a cloud-native solution is very important. We don't have to deal with any upgrades on the appliances or console. The only thing we have to deal with is the upgrade of the agents. The SaaS model works very well for smaller companies like us.
The flexibility and always-on protection that is provided by a cloud-based solution are important to us. The cloud is everywhere. So, with the agent on the laptop, wherever the user may go, including home, office, or traveling, it's protected 24x7, all the time. That's what we require and this is what we got.
We haven't had cases where we have quarantined any material stuff yet, because we are relatively small and we don't see a lot of malware in our environment. In this regard, it has been relatively quiet.
In terms of its ability to prevent breaches, if you look at the cyber kill chain, the sooner you detect malicious activity, the better you are in responding as opposed to waiting for a data breach. I think CrowdStrike is capable of identifying malicious activity throughout the whole cyber kill chain. Step one is establishing when they have a foothold in the environment, and then detect whether they are moving laterally. The sooner they are discovered, the better we are at stopping data breaches.
CrowdStrike has definitely reduced our risk of data breaches. It reduces the risk of ransomware and it gives us comfort that someone is watching our back.
We had some end-of-life workstations that were running Windows 7 and for some reason, related to PCI compliance, CrowdStrike rejected them. This helped us in terms of maintaining our PCI compliance.
The OverWatch is the most valuable feature to me. It's a 24x7 monitoring service, and when they see anything suspicious in my environment, they will investigate. Essentially, they're an extension of my team and I like that. We're a small company and we only have a base of approximately 260 employees. As such, we cannot afford to hire skilled security people. So this makes sense for a smaller company like us.
There is a helpful feature to look into the vulnerability of the endpoint, which allows us to see which PCs have been patched and which ones have not. That helps my team to focus on those PCs that require their attention.
The deployment process is an area that needs to be improved. For some reason, CrowdStrike does not provide any help in terms of how to deploy the agent in a more efficient manner. They just don't provide the support there, which leaves their customers to figure out how to push agents out, either through GPO or through BigFix or through SCCM, and there was no support on that side. Not being able to complete the deployment in an efficient manner is one of the huge weaknesses.
It would be good if they had a feature to remove agents. We're in a transaction processing environment and if CrowdStrike is affecting a transaction processing server, we need to uninstall that agent pretty fast. Right now, the uninstall has to be done manually, which is not great. If we have a dashboard capability to uninstall agents, I think that would be great.
The dashboard seems a little bit too clunky in the sense that it's spread out in so many ways that if you don't log in on a daily basis, you're going to forget where things are. They can do a better job in organizing the dashboard.
I have been using CrowdStrike Falcon for approximately five months.
I haven't had any issues for five months since we've installed it, which is good to know. No users have complained about any CPU spikes or false positives, which we like.
If you have a way to deploy agents in a rapid manner, I think the scalability is there. As we buy and acquire companies, we have to roll out agents to those places. Right now, it's still very manually intensive and it slows down the process a lot. So, I think the scalability can be improved with a rapid deployment feature.
Our strategy right now is just to install CrowdStrike for PCs and laptops. Once we get comfortable with the technology, we can start testing the servers. It's just that we haven't finished the deployment to PCs and workstations yet.
We have approximately 260 endpoints and we're probably about 20% complete in terms of deployment.
We've raised support tickets such as the request for rapid deployment capabilities. However, we only received responses to the effect that they do not support anything like it. In that regard, the support has not been great.
That said, we don't use the support site a lot because we haven't had any issues with CrowdStrike. So, I can't say much about that.
Prior to CrowdStrike, we used Carbon Black Threat Hunter.
There is a huge difference between the two products. CrowdStrike is quiet. I think that Carbon Black Threat Hunter just locks everything that has to do with the endpoint. You generate a lot of noise, but it means nothing. Whereas CrowdStrike is more about real threats and we haven't seen much from it.
On the other hand, with Carbon Black Threat Hunter, we were able to deploy pretty fast and we could uninstall agents pretty quickly from the dashboard.
I had originally heard about CrowdStrike Falcon from my peers. A lot of CSOs that I have roundtable discussions with speak highly about it.
The sensor deployment is a manual process right now, where we have to log into every workstation, every server, and install it manually. It's very time-consuming.
It's an ongoing process across our organization.
One of our security engineers is in charge of deployment. However, we don't have someone on it full time. He works on this when he has time available, so we probably only have one-third of a person working on it.
We completed a PoC using the trial version, and it was pretty easy to do. It took us less than an hour to deploy. It was just a matter of downloading a trial agent and setting it up.
Having the trial version was important because the easier the PoC is, the better the chances are of us buying the tool.
At approximately 40% more, Falcon is probably too expensive compared to Cisco AMP and Cylance, although that is because of the OverWatch feature. If you took out the OverWatch feature then they should be about the same. There are no costs in addition to the standard licensing fee.
We evaluated other products including Cisco AMP and Cylance. Neither of these products has the Overwatch feature that CrowdStrike has. The reason why we chose CrowdStrike was that we need to have 24x7 monitoring of our endpoints. That's the main difference.
In terms of ease of use, CrowdStrike is not so great. Cisco AMP has a better, cleaner dashboard and they're more mature in the way that you navigate. It's as though they have spent time getting customers to click on features and then figured out which is the quickest way to get to what you want, whereas CrowdStrike is not there in that sense.
Cylance is even better in terms of ease of use. They dumb it down to only a small number of menus and dashboards. There are probably only five dashboards that I look at on Cylance, whereas with CrowdStrike, I have to look at many.
My advice for anybody who is considering CrowdStrike is definitely to start with a PoC, and then definitely to subscribe to OverWatch. I think that OverWatch is the main benefit to it.
The biggest lesson that I have learned from CrowdStrike is about the different threats that are out there. They have a nice dashboard with information about threats, and you can read it and learn from it.
I would rate this solution a seven out of ten.
We have it on our endpoints, and the main purpose is to protect them from all the things that can happen: phishing emails, USBs installed, links downloaded, malicious third-party tools being downloaded through patches, etc.
Deep Instinct has helped us to be a lot more proactive on the security front, rather than reactive. We still have to address the threats that it finds, but because it's proactive it stops things before they occur. Instead of spending time trying to investigate what happened, we spend the time on the front-end determining if it's something we should allow or not. It has saved us a lot of time in incident response.
It has also reduced our SOC’s endpoint protection management time and resulted in a significant reduction in false positives. And while we haven't seen a drastic reduction in operational disruption with Deep Instinct, because the solution we had before was working pretty well, I'm sure the fact that it has detected and prevented things has helped people work a whole lot more effectively.
As far as we know it has helped prevent the newest threats and that is very important. There's always something new coming out and trying to stay ahead of that is always a challenge. Compared to the solution we had previously, Deep Instinct is way more thorough in its analysis of the files and memory.
I really like the behavioral analysis feature, because it looks at all the different things, like arbitrary shellcode and reflective DLL. It looks at a lot of things that threat actors use as threat vectors to get into the environment.
It's also very easy to use and very intuitive. That was one of the reasons we picked it. The console is really simple and easy to figure out, as is creating policies. Every policy just needs a group and you can break out the policies per group. That means when you need to make changes, you can do it pretty easily. I can change a group's settings by just opening up a window and selecting dropdown options.
You can also select what you want things applied to. You can be very granular with your application of it.
I've also been very impressed with Deep Instinct's prevention-first approach to stopping unknown ransom and malware. We had another solution that took a very similar approach—prevention first rather than reactive. This was another one of the reasons we picked Deep Instinct. So far it has been very good at catching things before they execute, which is what we wanted it to do. It's very quick. As soon as it sees something, it quarantines it.
And the predictive and prevention capabilities for shellcode and fileless-based attacks are very important. Yet another reason we picked it was because of how thoroughly it looks through files. It's also very helpful that the predictive and prevention capabilities are built into the 3.0 release and don't require special rules or configuration. When an update comes out, it doesn't require us to reconfigure the device or the policies. It just follows along with what happened before. And if something is a brand-new feature, it comes out in "detect only," and that gives us an opportunity to test it before actually doing any prevention.
The interface on the endpoint could be a little more descriptive and more valuable. It doesn't always tell you the data you need to see. Improvement there would be very helpful.
I've been using Deep Instinct for about two years.
It's very stable. We've had no issues with that.
It works well as long as you have an automatic way to deploy it, like SCCM or GPO, which they have provisions for.
We use it throughout the environment as our endpoint solution. It is our only endpoint solution. We have it rolled out as far as we're going to at this point.
Tech support helped me with a very complex problem that took a lot of digging and research, beyond the norm. They helped figure it out. Whenever I open a ticket, they respond within a couple of hours.
Positive
We were using another artificial intelligence solution, Cylance, that actually worked really well, but it lacked some of the features that we were looking for, including granularity and configuration options. Both Deep Instinct and Cylance are pre-execution and both work well.
One of the differentiators between the two at the time was that Deep Instinct had so much configurability compared to Cylance. We could be very specific with how we set up our exclusions and allowances. I think Cylance has caught up, but at the time there was a difference.
The initial setup was pretty straightforward. We just had to configure the console, and the professional services were a big part of getting that set up. Once you get the console configured, you deploy the agents. Once we got the automated deployment down, it was really easy. We deploy it through SCCM.
Our deployment took about four months. We have a little over 5,000 users. For deployment we have two desktop staff, which is a redundancy as one person can actually do it. And there are two of us who watch the console every day.
We used Deep Instinct professional services to help us. We did it ourselves, but they were there to help us when we needed assistance.
The return on investment is in the time saved and being able to be more proactive. It's given us a lot more insight into the environment, which we didn't have before. It has definitely been a big help.
We evaluated four others solutions. A lot of them were new and maturing as they went, but the big difference between Deep Instinct and everyone else was the pre-execution portion. Almost everything else we looked at was all post-execution or machine learning or artificial intelligence. Deep Instinct was the only one that uses deep learning and the only one that was consistently working on pre-execution.
And with the other solutions that were pre-execution, sometimes something would get through and run. They would say, "Yeah, sometimes you want to watch it first," but Deep Instinct doesn't do that. Deep Instinct just blocks it first.
During testing and evaluation, Deep Instinct performed very well. And their professional service engineer was very helpful in answering our questions and explaining how things work when we asked why things worked a certain way. And the performance has been better in our deployment than it was in the PoC, which is unusual.
Test it thoroughly with all your use cases, and even on use cases you don't usually think about. Do your own testing. Don't rely on the vendor testing at all. The vendor testing was good and they did a demo, but definitely do your own testing. With every product we test, not just Deep Instinct, we do our own testing and that raises a whole lot of questions that normally might not be raised.
Do your homework on the solution and how it works. Understand it. Go through the training materials they have. They suggested doing that initially but I did that toward the end, after deployment. I should have done it earlier. The lesson learned would be to become as familiar with the tool as possible. That sounds obvious, but sometimes in IT we just like to run with something and go.
There's been a little bit of impact initially, here and there, on our endpoints, as far as performance goes, but once it gets tuned in, that seems to settle down.
Overall, it's doing a really good job of reducing our organization's overall risk. What it picks up and blocks on a regular basis seems to be very effective.
We currently have around 50 servers. We aren't really a big company but we have 50 servers which we manage. We use McAfee for the web filtering portion of it. For example, if a user is doing a search on Google, there's a risk-rating web content filter built into McAfee. This alerts us if there are any threats present.
We have licensed McAfee ENS on a per-server basis. As of now, from memory, I think we have 56 endpoints running McAfee — 56 servers in total.
From the McAfee side, I really like the ePolicy Orchestrator software that allows us to manage all of our endpoints. You can create the deployment policies and whenever there is a new update — a new version of the ENS Agent, or threat protection — we could test it out in the evaluation branch, and even test it on some of our servers.
It's quite easy to manage. Quite intuitive. I would say the dashboard of ePolicy Orchestrator software is quite intuitive and quite easy to understand and manage.
I have been using this solution for 15 to 20 years.
We have had some issues from the performance side of things, especially when we were deploying new types of software. Sometimes the consumption of resources from McAfee was a bit high. Afterward, these problems were resolved gradually in future versions of McAfee. From what I've read from the release notes, in regard to the handling of memory, McAfee has been doing a better job, which wasn't really the case in the early years.
It's easily scalable. If I need to deploy the Agent over 800 endpoints, I just have to script it and run a group policy to deploy it to all of our computers on the network — it's quite easy.
For day-to-day management and ongoing queries, if ever I didn't have the solution to queries, I would just raise the case to the case management section of the McAfee website. Then the McAfee support team would help me out.
I was definitely satisfied with the support team. I really can't complain. They always sent me the correct knowledge-based article and they provided really insightful information to help me find a resolution to the issue.
At the previous company that I worked for, we used Symantec Endpoint Protection. Now, we are working with CylancePROTECT and OPTICS.
The main reason that we moved from McAfee to Cylance is that McAfee is still a signature-based product. We moved to Cylance, a signatureless-based product, where everything is updated. What I was doing, from an ENS product point stance, I had set reminders to myself and my team to update the Agent and look into the software repository to see if there were any updates every month.
Indeed, every month we had software updates and fixing restrictions. It wasn't good but I now have less of a hard time looking into this from a Cylance perspective as the Cylance library doesn't push one-minute software updates per year. I would say at most, two or three software updates a year, which is very, very small from a software update perspective in comparison to McAfee.
They're both good products. I'm not saying McAfee is a bad product. It's a very, very good product. It's mainly for these reasons that we moved to Cylance.
The ePolicy Orchestrator console is good, but from my side, I would say Cylance has a better artificial intelligence module — the OPTICS module which I would say is the way to go. I haven't really seen the trend in terms of what other companies other than McAfee or Symantec are doing, but Cylance is doing a really good job with this artificial intelligence module. It's great when it comes to notifying the team when it detects something malicious.
With McAfee, if there is a zero-day vulnerability, you have to download the patch for it from the McAfee website, then apply it to your endpoint. With Cylance, it's not like that. Each agent does it by itself — it's like a self-healing application. This is something that signature-based antivirus solutions like McAfee and Symantec didn't have until now, unfortunately. That's why we moved towards Cylance.
It's quite easy to install agents. Deployment and product updates are quite easy, as well. It goes without saying that it comes with some, I would say, low-level training and upscaling but these are easily retrievable from the knowledge base of McAfee.
We manually downloaded their AMCore versions to keep all our endpoints up to date. This way, whenever we troubleshoot the root cause of an issue, we still keep our endpoints as updated as possible and keep our environment safe.
When we installed the Agent — let's say I am building a new VM and new server. When you run the frame package, it's really intense. I would say it takes roughly two minutes to install, then afterward, to install the ENS modules, like the threat protection and web filtering packages, you've got to go through the ePolicy Orchestrator management console. I would say, all in all, it takes roughly 10 minutes.
To get it up to date, to download everything, all the packages, the software updates, and all of the AMCore DAT files as well as the virus definitions, it's quite easy. It doesn't take much time at all.
For deployment, I worked with one external consultant.
Initially, when I came to the company, I didn't really have a background or any experience managing McAfee. I came from more of a Symantec background but I gained some knowledge from one of our external consultants who really had a deep understanding of McAfee products and their deployment. We had some training sessions and then I could manage the McAfee forum on my own. After a week's worth of training, I could manage McAfee on my own.
We had McAfee on a year renewal. We purchased it initially and then we renewed it on a yearly basis. I think the only reason we are renewing the license is for support reasons.
I would definitely recommend this solution to others. McAfee is a good product. I worked with Symantec, but personally, I think McAfee is better.
However, in my opinion, now having worked with CylancePROTECT and OPTICS, I think CylancePROTECT and OPTICS are on another level. Still, we have been working with McAfee for nearly 10 years and I feel it's a very good product.
Overall, on a scale from one to ten, I would give McAfee a rating of eight.
Some of my client's use cases are typical endpoint protection, telemetry, and threat hunting. We are using all three of the most popular services that point back to the cloud central console.
Some of the valuable features I have found are the online documentation of the solution is well organized and thorough. I like the simplicity of bypass and the visualization of the active components. If I want to know which file is being utilized and what sub-files it is calling, the visualization given is very helpful.
I would like to see them continue to run some of the AI-type comparisons. I know everyone is really secretive about what they do and what they have engineered, but I think Cylance was a good market disruptor years ago with their approach. Now we see SentinelOne and everyone is approaching that piece of the puzzle similarly now. I just would like to see more of a comparison. We have done our own technical comparison but it is fairly expensive. All solutions have pros and cons, if more third-party organizations or teams could evaluate how each product works in pros and cons many people would benefit.
This solution could have greater granular control on how certain applications work. You are able to do the operation of allowing or disallow, or you can block unusual usage of an application, but they do not define it well.
The PowerShell is being called in any way that the threat actor might use it versus an administrator. You are in a way taking this solutions' best guess at it or their understanding of it. They do not clearly tell you in technical terms how they make that determination. They should be more forthright about it, or if they can not tell us, they should just give us the control to make those selections. We are choosing it because at least we have that control where we do not have that same amount of control with other solutions like Cylance. However, they are still not telling us precisely what constitutes suspicious behavior, what actions, or what calls. It is a check box to say, lock if we have inappropriate use, or block if we have suspicious behavior. It would be helpful to tell us what that actually meant.
In the future, I would like to see more granular control of PowerShell and more administrative tools.
I have been using the solution for approximately six months.
The stability of the solution has been good. I like the fact that their call home is a single port, 443, a well-known port with a backup port, 54443. Their architecture, that way is easy for network admin to understand and open up and passing firewalls. In contrast with ATP, ATP has a lot of port requirements, It is much more complex and easy to misunderstand ATP communications until you really dig hard to see how does it work. This solution is much simpler that way. Additionally, performance-wise, user agents seem to hover around 1%-2%, it is fairly efficient and lightweight.
The scalability of the solution has been good. We implemented a couple of large POCs. We have some clients and colleagues that are running it at scale, with more than 5,000 endpoints with great success. We are pleased overall. Most of our clients are mid-cap or small enterprises.
I have found the solution support has been strong.
I would rate the support of Carbon Black CB Defense a seven out of ten.
Companies need to work on the timeliness of support. Getting directed to a strong enough, experienced enough technical person sooner is important. That just is not the way support is currently built. Usually, they start at tier one and move up. I am sure there are a lot of customers that call in support with simpler questions that you do not want to tie up a tier-three person's time. However, I do not think my request for support to improve is not unique to this solution.
We have a very knowledgeable technical team. When we call for support we are wanting to interact with tier two or tier three right away. It is frustrating to have to work through the tiers to get where we want to go.
We previously used Cylance and we are coming off of a direct comparison of the two. In the current version of this solution, they have a stronger AI version or component. The overall general quality of the breadth of the solution is better. To receive the same functionality in Cylance, we needed to add the CylanceOPTICS product and we have not had great success with it.
What I do not like about Cylance is it is very binary. You either allow AST to be a 56-bit hash or you do not. I think there is room for more granular control, which we now receive by using this solution.
Overall this solution is better than Cylance.
The initial setup has been straightforward. I think their user interfaces in mature and understandable, they did a good job in it. I would not say any end-point solution is simple, but I think it is more intuitive than many of them.
My advice to others is to take advantage of the POC and work with your POC rigorously. I think we have good responses on the POC as they get closer and closer to wanting to close. We were able to get stronger and stronger and more timely support. It is a good program and they are very fair about it. In any EDR, I would test them heavily and do not rely on marketing.
When applying an overall rating to this solution I do not think there are any tens in the marketplace. We very pleased and we evaluate this every year or two. In our POC, we had 200 samples including ones that were available but not as popular and we received a 100% efficacy. We were very pleased with the results.
I rate Carbon Black CB Defense an eight out of ten.
