I'd say, unless you have an existing 24x7 SOC, go for a managed solution - EDR is great but if no one is monitoring it and responding to the alerts/isolating you're only really getting 50% of its value.
IT Security Coordinator at a healthcare company with 10,001+ employees
Real User
Sep 20, 2021
I think most of the answers provided will work for you, but you have to take into account your environment, integration with other solutions, firewall, antivirus or even just Windows-native and you have to look at price vs features you want.
How much is good enough? You could spend 1/2 a million or next to nothing.
S1 is a good choice, especially, if you have legacy devices. CSF is also good but a bit more expensive.
You also need to decide: on-prem or cloud; what your needs are and weigh that against the features and costs.
If you are already using Windows 10 for the clients, you may benefit from a native integration by using Microsoft Defender Advanced Threat Protection.
It's robust and pretty easy to manage and understand, and the features are on par with the other leading EDR on the market.
All you have to do is to ensure it's well configured and establish a review schedule to take actions on time even if most actions can be done automatically thanks to its machine learning and AI engine.
I just wanted to know some more details about your environment. I have worked with and tested out multiple products and tools in EDR and NGAV segments.
For an instance, Trend Micro and Sophos Intercept X work well if you are looking for a tool with multiple features - Security and Operational features like EDR, AV, DLP, App Control, etc.
If you are looking for a solution for only EDR (cloud-based), with good efficacy and without impacting the user's system performance, you can go ahead with Crowdstrike's Falcon Platform. If you are planning for a solution that has security-focused capabilities that can integrate with your firewall and help you get RCA, with advanced security features like UBA/UEBA, NTA, custom IOC/BIOC creation, etc along with EDR, you can check out Cortex XDR by Palo Alto Networks.
Each solution has its own limitations and unique feature set that distinguishes and is based on your priorities and budget. You can select one accordingly.
I would confidently recommend SentinelOne, as it is the only EDR that has not been breached, offers up to 1 million USD warranty if it is not able to roll back a ransomware encryption attack, automatically mitigates cyber-attacks without human intervention, uses artificial intelligence and does not require internet to mitigate attacks.
SentinelOne also effectively provides protection against; zero-day, fileless and lateral movement attacks
Thank you for the question. I hope you discover the answers here. First off does this company want to manage the EDR solution on-prem, or would they prefer a hosted solution? Windows-based shop or are the end points Mac, and Linux as well?
EDR's I do prefer Sentenal One(S1), or Sophos as others have suggested here.
I do prefer S1 over Sophos because I tested both in real-world situations and S1 out performed Sophos. AI and machine learning is a huge plus. S1 can be disconnected from it's cloud and still provide you protection. Also provides you the ability to roll back an infected machines providing the VSS on the local machine is working. Installs very easily on Windows and Linux workstations.
Sophos wasn't a bad solution, very nice dashboard. However, like the old Symantec End Point Protection platform, Sophos wants to install and have control of everything. It's become bloated a very thick client. It does a good job of protecting the end point but will impact performance depending on the features you enable. It is cloud-based. I don't recall whether an on-prem version of this being available. If you lose your internet you lose the cloud and your ability to control the EDR solution.
I would recommend (if all devices have at least Windows 10) to choose Microsoft Defender for Endpoint.
It is a family of products focused on detecting attack patterns based on the behavior of users and their devices. It is not only the device that has to be managed, its identities, permissions and applications are also to be managed.
EDR solutions provide advanced capabilities for detecting and responding to threats on endpoints. These tools enhance security teams' ability to detect, investigate, and remediate incidents.EDR solutions offer enhanced endpoint protection by integrating real-time monitoring and advanced analytics. Designed for modern security teams, they facilitate immediate threat detection and remediation, effectively mitigating risks. User feedback highlights their capability to analyze extensive data...
It's been offered in the previous suggestions, Sophos or Crowdstrike Falcon.
The other two excellent points were:
(1) whether they want this running on-prem or in the cloud and
(2) do they have the resources and knowledge base to effectively manage whichever solution is best moving forward?
I'd say, unless you have an existing 24x7 SOC, go for a managed solution - EDR is great but if no one is monitoring it and responding to the alerts/isolating you're only really getting 50% of its value.
I think most of the answers provided will work for you, but you have to take into account your environment, integration with other solutions, firewall, antivirus or even just Windows-native and you have to look at price vs features you want.
How much is good enough? You could spend 1/2 a million or next to nothing.
S1 is a good choice, especially, if you have legacy devices. CSF is also good but a bit more expensive.
You also need to decide: on-prem or cloud; what your needs are and weigh that against the features and costs.
Without really knowing what type of system you are running I'm going to stab from what info I've been given and recommend Falcon CrowdStrike.
It's reliable and cloud-based and doesn't take away from system performance; it's easy to install and maintain.
If you are already using Windows 10 for the clients, you may benefit from a native integration by using Microsoft Defender Advanced Threat Protection.
It's robust and pretty easy to manage and understand, and the features are on par with the other leading EDR on the market.
All you have to do is to ensure it's well configured and establish a review schedule to take actions on time even if most actions can be done automatically thanks to its machine learning and AI engine.
Hi @Samy Adel
I just wanted to know some more details about your environment. I have worked with and tested out multiple products and tools in EDR and NGAV segments.
For an instance, Trend Micro and Sophos Intercept X work well if you are looking for a tool with multiple features - Security and Operational features like EDR, AV, DLP, App Control, etc.
If you are looking for a solution for only EDR (cloud-based), with good efficacy and without impacting the user's system performance, you can go ahead with Crowdstrike's Falcon Platform. If you are planning for a solution that has security-focused capabilities that can integrate with your firewall and help you get RCA, with advanced security features like UBA/UEBA, NTA, custom IOC/BIOC creation, etc along with EDR, you can check out Cortex XDR by Palo Alto Networks.
Each solution has its own limitations and unique feature set that distinguishes and is based on your priorities and budget. You can select one accordingly.
Hi @Samy Adel
I would confidently recommend SentinelOne, as it is the only EDR that has not been breached, offers up to 1 million USD warranty if it is not able to roll back a ransomware encryption attack, automatically mitigates cyber-attacks without human intervention, uses artificial intelligence and does not require internet to mitigate attacks.
SentinelOne also effectively provides protection against; zero-day, fileless and lateral movement attacks
@Samy Adel,
Thank you for the question. I hope you discover the answers here. First off does this company want to manage the EDR solution on-prem, or would they prefer a hosted solution? Windows-based shop or are the end points Mac, and Linux as well?
EDR's I do prefer Sentenal One(S1), or Sophos as others have suggested here.
I do prefer S1 over Sophos because I tested both in real-world situations and S1 out performed Sophos. AI and machine learning is a huge plus. S1 can be disconnected from it's cloud and still provide you protection. Also provides you the ability to roll back an infected machines providing the VSS on the local machine is working. Installs very easily on Windows and Linux workstations.
Sophos wasn't a bad solution, very nice dashboard. However, like the old Symantec End Point Protection platform, Sophos wants to install and have control of everything. It's become bloated a very thick client. It does a good job of protecting the end point but will impact performance depending on the features you enable. It is cloud-based. I don't recall whether an on-prem version of this being available. If you lose your internet you lose the cloud and your ability to control the EDR solution.
For your documentation.
Web site: Microsoft 365 Defender.
YooTube video: Evaluation lab in Microsoft Defender for Endpoint - YouTube
I would recommend (if all devices have at least Windows 10) to choose Microsoft Defender for Endpoint.
It is a family of products focused on detecting attack patterns based on the behavior of users and their devices. It is not only the device that has to be managed, its identities, permissions and applications are also to be managed.
The best option, for me, is Microsoft.
Hello @Basil Dange, @Devanand PR, @OmidKoushki and @Darshil Sanghvi. What would your professional advice be to @Samy Adel?
We appreciate your help to the community.