The purpose of this article is to provide an overview of the top 10 EDR solutions. Endpoint Detection and Response (EDR) solutions have risen in popularity due to their advanced capabilities over traditional antivirus and endpoint protection software. According to an Allied Market Research report, EDR has a compound annaul growth rate (CAGR) of 25%. Comparatively, antivirus solutions have a negative CAGR (-0.83%), according to a July, 2022 MarketWatch report.
Not every EDR solution is made the same. You should find an EDR solution that fits your specific needs. The list of top 10 EDR solution is an unordered list. Each solution has unique value to their ideal customer profile. Your job in evaluating EDR solutions is to understand the best fit for your organization. An EDR specialist can take an inventory of your goals and environment to help find the right solution for you.
Table of Contents
- EDR Overview
- Top 10 Functions of an EDR Solution
- Contact an EDR Specialist
- 2022 MITRE ATT&CK ENGENUITY Evaluation
- Top 10 EDR Solutions
- Top 10 Reasons for an EDR Solution
EDR Overview
EDR solutions are different than traditional antivirus and endpoint protection solutions. Antivirus solutions only identify and quarantine malware and potentially unwanted programs (PUPs). They do this by identifying the signature of known malware and ransomware. Endpoint protection or next-gen antivirus solutions go a step further by identifying malicious files and executions by looking at the behavior of files (e.g. a word document executing a PowerShell command). They look at registry entries that were modified and potentially unwanted programs (PUPs).
EDR solutions differ because they collect and record events. They answer these questions that antivirus and endpoint protection solutions cannot:
- How did an attacker get into the endpoint?
- Where did the attacker go in the environment?
- What processes and data were modified or accessed by an attacker?
You need to manage EDR solutions differently than traditional antivirus or endpoint protection solutions. Antivirus will tell you if you have malware or not; it’s binary. An EDR solution requires that you have an understanding about legitimate operating system processes and activities.
You or your team needs to have an understanding of how to investigate or drill down into suspicious artifacts generated by the EDR. Experienced analysts will know the difference between a false positive and a real threat and be able to save a lot of time and effort. For that reason, many choose to outsource the management of an EDR platform with Managed Detection and Response services, which is recommended if you do not have a dedicated full-time employee to manage it. An example of this is ACE Managed EDR, which is a partnership between Ace Cloud Hosting and CrowdStrike Falcon Insight EDR.
Top 10 Functions of an EDR Solution
- Detect malware and other malicious payloads on an endpoint
- Quarantine and isolate endpoints
- Restore endpoints to a prior state
- Provide a wholistic view of the security events happening on your endpoints
- Record events for analysis and forensics
- Provide a playbook for automatically responding to policy violations or incidents
- Feed log data into a SIEM (Security Incident Event Manager)
- Integrate with third party security tools (e.g. tell the firewall to blacklist a malicious IP or turn off a port)
- Deliver Threat Intelligence reports that provide intelligence such as enriched IOCs, Yara rules and hunting queries to help hunt, detect and respond to threats faster
- Provide an application inventory and CVEs (vulnerabilities)
Contact an EDR Specialist
If you prefer to talk to an EDR specialist who can help you find an EDR solution based on your goals and environment, please fill out the form below (U.S. based only).
2022 MITRE ATT&CK ENGENUITY Evaluation
The MITRE ATT&CK Engenuity Evaluation is the gold standard for evaluating the effectiveness of EDR solutions. The Mitre ATT&CK Engenuity is unbiased but interpreting the results can help identify the top 10 EDR solutions out there. The evaluation is a test against the scenario of a real-world cyber-attack. This year (2022) presented an attack from two theoretical attack groups, Wizard Spider and Sandworm. The purpose of Wizard Spider is to plant ransomware in order to ransom high value targets. Sandworm’s goal is to just encrypt and destroy data.
Both “adversaries” will leverage several attack techniques from the MITRE ATT&CK framework and attempt to move up and laterally within the organization. The evaluation does not present a bias, only raw data, so it requires some interpretation to understand the results. Perhaps one of the most valuable data points for EDR solutions in this evaluation criteria is the visibility count. The visibility count describes a products ability to see steps taken by an adversary. It describes the detection quality of the security engine of the product. You can read more about interpreting the MITRE Engenuity Evaluations here.
Top 10 EDR Solutions
- SentinelOne
- Cybereason
- Carbon Black
- CrowdStrike Falcon
- Cylance
- FortiEDR
- BitDefender
- ESET Enterprise Inspector
- Trend Micro
- Cisco Secure Endpoint
SentinelOne EDR Overview
SentinelOne was founded in 2013 and is headquartered in Mountainview California. The value SentinelOne provides in their EDR platform is in their security operations center and the platform itself. You can have them manage the EDR platform for you, or your security team can manage it. SentinelOne maps to the MITRE ATT&CK framework and recently lead the MITRE Engenuity ATT&CK® Evaluations. This is an agent-based solution that supports AWS, Azure, Google Cloud (GCP), containers and Kubernetes, and 12 Linux distributions. SentinelOne also supports Windows Server 2022 all the way back to Windows Server 2003 SP2.
The offerings are bundled in three packages: Core, Control, and Complete. You can also choose add-on options like Ranger which can detect indications of compromise against Active Directory and network appliances like enterprise switches and firewalls.
There are some limitations with SentinelOne regarding DLP but it does have an option for a honey pot. The Singularity Hologram option sits in the network pretending to be a high-value target which lures a threat actor. Once the threat actor exploits the honey pot, they become exposed.
Pros
- Mature EDR solution with range of options to compliment core EDR functions
- 24×7 Managed Detection and Response from SentinelOne Security Operations Center
- Broad support for a multitude of operating systems and cloud environments
- Strong acceptance from leading industry analysts
- Strong customer reviews for customer support and deployment services
- Competitively priced
- Light footprint
- Very scalable for at least up to 10,000 endpoints
Cons
- Requires fine tuning and work to learn your environment
- Has been known to cause performance issues with some workloads, which require exclusions
- Extended logging needs to be requested/included in pricing
- Requires a higher-level tier for process tree / timeline of the attack
- Can be CPU intensive
2022 MITRE ATT&CK Engenuity Visibility Count: 108 of 109 sub-steps
Contact an EDR Specialist
If you prefer to talk to an EDR specialist who can help you find an EDR solution based on your goals and environment, please fill out the form below (U.S. based only).
Cybereason
Cybereason focuses specifically on endpoint protection and endpoint detection and response. They were founded in 2012 and are headquartered in Boston, Massachusetts. Their goals are to detect indications faster, triage faster, and remediate faster. The Cybereason SOC and Defense platform (EDR) tool drives the Cybereason solution. The MalOps Severity Score and Extended Response are the unique value that Cybereason has over its competitors. The MalOps Severity Score is based on 1) behavior, 2) expert analysis, and 3) customer/endpoint criticality (how valuable the endpoint is to the organization). Based on those criteria, experts will look at it and decide whether to begin an incident response activity. Cybereason claims that their goal is to detect an incident in under a minute, triage it within 5 minutes, and remediate it under 30 minutes. Cybereason claims to protect workloads on any cloud.
Pros
- Unique value proposition with MalOps Severity Score
- 24×7 Managed Detection and Response from SentinelOne Security Operations Center
- Broad support for a multitude of operating systems and cloud environments
- Competitively priced
- Light footprint
Cons
- Limited visibility and centralization of the dashboard
- Reports of compatibility issues with PowerShell
- No sandbox functionality
- Only recently (December 2021) started supporting Linux
- Limited integrations with other security tools
Cybereason 2022 MITRE ATT&CK Engenuity Visibility Count: 109 of 109 sub-steps
VMware Carbon Black EDR Overview
Carbon Black can trace its roots back to 2002 when Bit9 was founded. Boston-based Bit9 acquired the Texas-based Carbon Black in 2014 and ultimately the name was changed to just Carbon Black. Carbon Black was then acquired by VMware in 2019.
One of the value-adds from Carbon Black is its claim to supremacy in VMware integration due to its acquisition by VMware. Users who have rated Carbon Black like the fact that they can see anything that happens on an endpoint from within the dashboard. You can easily detect an infection or malicious activity and automatically quarantine an entire system or set of systems from the dashboard. Like SentinelOne, Carbon Black also has a security operations center that can manage the EDR tool for you. You can also manage it yourself or have a third party manage it for you.
Carbon Black has some dependencies on cloud connectivity which is a limitation for environments that cannot have access to the internet. It also has limitations around firewall control and operating system support.
Pros
- Light-weight
- Highly customizable
- 24×7 Managed Detection and Response from Carbon Black’s security operations center
- Very mature product but requires a lot of time tuning and properly deploying it
- Very little performance issues if and only if deployed correctly and fine tuned
Cons
- Higher cost
- Has had some issues with some workloads
- Needs management from a mature security operations center
- Professional deployment services are recommended
- Can be CPU Intensive
Carbon Black 2022 MITRE ATT&CK Engenuity Visibility Count: 90 of 109 sub-steps
CrowdStrike Falcon EDR Overview
CrowdStrike Falcon is perhaps the quintessential EDR solution. It has all the features and more you could want out of an EDR solution and it can scale to meet requirements of very large enterprise organizations. That is not the case with other EDR solutions. Not only are you building custom policies for remediating attacks, but the console gives you insight on remediation action items to solve vulnerabilities within the environment. You can patch systems directly from the console.
CrowdStrike is a SaaS solution that provides a light-weight agent to protect workloads across physical, virtual, and cloud servers. It protects Windows, Mac, Linux, Android, and iOS operating systems as well as containers. The agent includes the capability to do threat hunting, vulnerability management, zero-day assessment, and IT hygiene checks.
The CrowdStrike Falcon remote access tool can remediate almost all types of malicious activity directly from the console and can easily restore protective services that have been disabled by a threat actor back to normal.
Pros
- Robust and mature feature set
- Scalability to 100K+ endpoints
- Cloud dashboard
- 24×7 Managed Detection and Response from CrowdStrike’s security operations center
- Robust and mature integrations to AWS, Azure, Linux, Windows, virtual environments
- Intuitive and easy to use compared to others
- Granularity of drill-down into indications of compromise
- Cloud discovery to find all workloads under the organization in the cloud
Cons
- Expensive compared to others
2022 MITRE ATT&CK Engenuity Visibility Count: 105 of 109 sub-steps
Contact an EDR Specialist
If you prefer to talk to an EDR specialist who can help you find an EDR solution based on your goals and environment, please fill out the form below (U.S. based only).
Cylance (aka BlackBerry Cybersecurity)
Cylance was acquired by BlackBerry in 2019 and is headquartered currently in Irvine, California. The solution is now known as BlackBerry Cybersecurity. Cylance was founded with the mission of being proactive. Many who have deployed Cylance have either claimed that it is working very well for them; it is heuristics based antivirus; and that it requires a lot of tuning. That’s according to this Reddit thread discussing Cylance vs SentinelOne. The research firm G2 claims that it is mostly prevalent in mid-market sized companies vs enterprise organizations.
Pros
- Cloud enabled, not cloud dependent. Can operate both on-premise or in the cloud. Does not require internet to function
- Provides device and application control
Cons
- According to some reviews, Cylance has been more expensive than other solutions. Prices may vary.
- According to some reviews, Cylance requires just as much tuning as other solutions but may not have as many features
- Cylance may be more of a mid-market solution rather than an enterprise solution
2022 MITRE ATT&CK Engenuity Visibility Count: 89 of 109 sub-steps
FortiEDR
In 2019, Fortinet acquired EDR company enSilo. This acquisition has lead to Fortinet advancing on its vision of creating an end-to-end cybersecurity fabric from network to endpoint. Part of enSilo’s (or FortiEDR now) value is their patented code-tracing tracing technology used to prevent data exfiltration (i.e. DLP) and the spread of malware. FortiEDR does some of the traditional EDR services like forensics and incident response. It can be deployed on premise or in the cloud and does not require other Fortinet products although there is a claim that there is strong integration between their product sets. For example, FortiEDR can as part of its Playbook automatically create rules for FortiGate firewalls, Sandboxing, and FortiNAC (network access control). It also has the ability to add third party connectors for integration with other vendor solutions. You can read more here FortiEDR Integration Guide.
Pros
- Strong vision for integration with other Fortinet products to create a security fabric
- Includes DLP aspect
- Deployed on premise or in the cloud
- Intuitive Interface
- Easy setup and implementation
Cons
- Does not offer 24×7 managed EDR. Requires third party.
FortiEDR 2022 MITRE ATT&CK Engenuity Visibility Count: 87 of 90 sub-steps
Contact an EDR Specialist
If you prefer to talk to an EDR specialist who can help you find an EDR solution based on your goals and environment, please fill out the form below (U.S. based only).
Bitdefender
Bitdefender is an agent-based cloud only SaaS EDR solution that continuously records events. The Bitdefender Control Center allows administrators to visualize, investigate, and respond to indications of compromise (delete, isolate, blacklist, and/or kill). Bitdefender has grown their business largely through MSPs with their MSP cloud console which allows MSPs the ability to manage multiple tenants at a single time. Bitdefender has a strong presence within SMB and mid-market customers but seem to lack a presence in the large enterprise space (10,000+ endpoints). Their customer case studies can be found here.
Pros
- 24×7 Managed Detection and Response from Bitdefender’s security operations center
- Attractive for MSPs, Small businesses, and under 10,000 endpoints
- Small footprint
Cons
- Cloud Only
- According to this report, the control panel needs improvement.
- Need to work with an experienced partner for setup, support and licensing questions. Bitdefender relies heavily on their channel partners (VARs, Resellers, and MSPs) to fulfill, deploy, and support customers.
BitDefender 2022 MITRE ATT&CK Engenuity Visibility Count: 106 of 109 sub-steps
ESET EDR
ESET was founded in 1992 in Slovakia and has garnered a strong reputation amongst U.S. customers for its endpoint protection offering. Their current U.S. headquarters is in San Diego. ESET has received numerous awards for its endpoint protection platform including those from AV-TEST and AV-Comparatives, as well as being a Challenger on the Gartner Magic Quadrant. ESET’s EDR solution includes the ability for full disk encryption and cloud sandboxing. ESET as a company boasts having large customers like Canon, Allianz, and Mitsubishi; however it unclear if any of these companies have ESET’s EDR product. ESET has an MSP partner program where they offer their products on a consumption based model.
Pros
- Centralized console for endpoint and cloud management
- Strong endpoint product with lots of options for add-ons
- 24×7 Managed Detection and Response from ESET’s SOC
Cons
- Lacks strong multi-tenancy option for MSPs
- Lack of peer reviews on EDR product, especially in the enterprise and midmarket space
- Seems geared more towards MSPs and SMBs
ESET 2022 MITRE ATT&CK Engenuity Visibility Count: 75 of 90 sub-steps
Contact an EDR Specialist
If you prefer to talk to an EDR specialist who can help you find an EDR solution based on your goals and environment, please fill out the form below (U.S. based only).
Trend Micro XDR (EDR)
TrendMicro is a globally recognized cybersecurity leader having made its reputation off of its antivirus and endpoint protection solutions. It has since evolved its product line to include EDR and XDR. The EDR solution is part of a broader XDR solution that provides a single platform for responding to threats. TrendMicro has a strong presence in the SMB, midmarket, and enterprise space with its traditional endpoint protection product and has expanded into these customer segments with EDR and XDR.
Pros
- Ease of global deployment
- Virtual patching
- Customizable e-mail notifications
Cons
- Only supports Windows and Mac operating systems
- Management interface could use improvement
- Heavy CPU/memory cost
Trend Micro 2022 MITRE ATT&CK Engenuity Visibility Count: 105 of 109 sub-steps
Cisco Secure Endpoint (EDR)
Cisco is globally known for its enterprise network and security products. They have garnered a strong reputation for great support and making acquisitions in the security space that provide a boon for them and their customers. Examples of that include Duo and Umbrella. Cisco Secure Endpoint evolved out of AMP for Endpoint, which came from Cisco’s Sourcefire acquisition. Cisco’s Secure Endpoint product includes several capabilities like blocking signature-based malware and suspicious behaviors. It also has threat hunting and device analysis capabilities. You can read more about the core technologies here.
Pros
- Strong integration with other Cisco products
- Ease of deployment
- Strong support
Cons
- High cost on CPU and memory
- Limitations on Linux operating systems
- Non-intuitive interface
Cisco 2022 MITRE ATT&CK Engenuity Visibility Count: 90 of 109 sub-steps
Contact an EDR Specialist
If you prefer to talk to an EDR specialist who can help you find an EDR solution based on your goals and environment, please fill out the form below (U.S. based only).
Top 10 Reasons for an EDR Solution
- EDR solutions significantly reduce the mean time to resolution (MTTR) when a security incident occurs.
- You are required to have it by your cyber insurance provider
- Required by large customers/vendors in order to do business
- You need the ability to quickly identify malicious activity on an endpoint
- You need a playbook to automatically respond to policy violations
- Previously had ransomware and have been targeted by hackers / threat actors
- You have mission critical applications, workloads, and data
- The industry you work for is highly regulated (i.e. Financial Services, Healthcare, Government)
- You have no ability to identify or respond to a threat today other than to see if you have malware or not
- You need to perform forensics on a device that has been compromised