Modern endpoint security systems


To protect their data and infrastructure from increasingly complex cyber threats, companies have to rely on multi-tier defenses, and endpoint security systems remain an important layer in that stack. It is no secret that some enterprises rely solely on the built-in Windows Defender to protect their systems. On its own, however, it does not cover every phase of an attack. A modern, high-quality endpoint protection suite is designed to provide more complete and reliable protection at each phase of an attack.

Consider, for example, how a typical cyber attack proceeds. During the intrusion phase the application and device control modules, the firewall and the intrusion prevention system come into play. During the infection phase the attack is held off by behavioral analysis (behavior monitoring), machine learning, and file and web reputation services; application whitelists and blacklists, memory exploit protection and signature-based antivirus are also engaged at this point. A sandbox or emulator can play an important role here: the suspicious object is detonated in an isolated virtual machine so that behavior hidden inside a packer or other wrapper can be observed rather than inferred from static inspection.

At the impact stage, the threat is held off by the behavior monitoring system and by System Lockdown (application whitelisting), and malicious code that is recognized can be removed by the antivirus engine. If the attack reaches an exfiltration phase, the firewall filters outbound traffic and blocks the connections the malicious code uses to carry data out.
In addition to high-precision threat detection, an endpoint protection suite must also meet requirements such as a low load on the endpoint device and ease of operation (usability).

Components of a typical endpoint protection system and the application of each component during the different phases of a cyber attack
Image source: Symantec website

Below is a brief description of the most popular endpoint security systems.

ESET Endpoint Protection Advanced

Antivirus: included
Sandbox: included
Device and port control: not included
DLP (Data Loss Prevention): not included
Disk Encryption: not included

ESET offers two endpoint security versions: ESET Endpoint Protection Standard and ESET Endpoint Protection Advanced. The Advanced version offers more protection options and is generally the preferred choice.
ESET Endpoint Security provides anti-virus protection for workstations running Windows and OS X. In addition, the product includes features such as a two-way personal firewall, web control, botnet protection and more.
Anti-phishing protection stops users from reaching fake websites through which cybercriminals try to obtain passwords, banking data and other confidential information.
An easy-to-use management console provides a real-time overview of local and remote workstations, as well as full reporting for ESET products on all supported operating systems. All functions are controlled from a single console.
Like any other modern solution, ESET Endpoint Protection uses proactive malware detection. Its ThreatSense technology is intended to protect against both known and previously unknown threats in real time, so that a machine remains protected during the critical window between the disclosure of a vulnerability in some product and the release of the vendor's patch.
One of the important advantages of ESET Endpoint Protection is its minimal load on the system. Because it consumes very few resources, the product can be used even on old, low-powered machines.

Kaspersky Endpoint Security for Business Advanced

Antivirus: included
Sandbox: included
Device and port control: included
DLP (Data Loss Prevention): included
Disk Encryption: included

Kaspersky Endpoint Security for Business ADVANCED combines several anti-malware technologies: signature-based, proactive (behavioral) and cloud-assisted. Together they form a multi-layered security system. The cloud-based Kaspersky Security Network provides automatic updates and a quick response to new threats.
Importantly, the product also allows vulnerabilities in operating systems and applications to be inventoried centrally and the corresponding fixes to be deployed from the same place.
Strong encryption is provided to protect critical business information in the event that data or computers fall into the wrong hands. The data encryption module is easy to deploy and does not require a separate management console: all security features are managed from a single console, so less effort and cost are needed to maintain security.
Many employees now use personal devices to access corporate systems, which can put data at risk. Thanks to the mobile device security features managed through Kaspersky Endpoint Security for Business Advanced, staff can use mobile devices to access corporate data without compromising business security.

McAfee Endpoint Security

Antivirus: included
Sandbox: included
Device and port control: not included
DLP (Data Loss Prevention): not included
Disk Encryption: not included

McAfee Endpoint Security combines a large number of technologies that address every phase of the threat protection life cycle. Its single-agent architecture and centralized management console let an organization stay flexible while keeping protection at an adequate level.
McAfee Endpoint Security has replaced several older McAfee products that each focused on an isolated task: VirusScan Enterprise, McAfee SiteAdvisor, McAfee Host Intrusion Prevention (Host IPS) and others. It has a single-agent architecture and integrates advanced protection such as machine learning analysis, threat containment and endpoint detection and response.
The product uses machine learning to classify application behavior, which allows zero-day threats to be detected in near real time. Objects are first compared against the attributes of previously cataloged malware; advanced behavioral analysis and memory content analysis are then performed. Executable files are unpacked so that complex threats with intricate code, which usually go unnoticed when only static detection methods are used, can be detected.
In addition, the product offers the following tools:
Malicious attack deterrence: prevents the propagation of malicious applications and processes on offline endpoints.
Behavior Monitoring: records behavior at the process level for analysis of the procedures and techniques of an attack.
EDR: integrated and easy-to-use incident response technology.
Migration Assistant: a tool for existing customers that makes migration easier by automating tasks and moving existing policies to McAfee Endpoint Security.

Sophos Endpoint Protection

Antivirus: included
Sandbox: not included
Device and port control: not included
DLP (Data Loss Prevention): not included
Disk Encryption: included

Sophos Endpoint Protection leads the products reviewed here in the number of supported platforms: 36 in total, including Android, iOS, Red Hat, VMware, Amazon Web Services and others.
Its next-generation engine uses behavioral detection, which allows threats spread through websites, USB drives and e-mail to be stopped. The solution can encrypt sensitive user data wherever it resides, and can control access to USB drives and other removable storage.
Sophos's endpoint security system allows specified sites and applications to be blocked, or access to predefined categories to be denied, using simple rules.
Data protection modules, firewalls, servers, desktops and mobile devices are all managed from a single console.

Symantec Endpoint Protection

Antivirus: included
Sandbox: included
Device and port control: included
DLP (Data Loss Prevention): not included
Disk Encryption: not included

Symantec Endpoint Protection has been the market leader in endpoint protection for years. Although its market share has recently declined, it is still the most widely deployed product in this area of information security.
Symantec Endpoint Protection (SEP) is a powerful, comprehensive system that offers several layers of security. The core tools are the anti-virus engine and preventive protection. In addition, SEP provides protection against online threats and zero-day exploits, and an intrusion prevention module. To counter new and unknown threats, the Insight and SONAR technologies are applied.
Symantec Insight is a file reputation technology: it analyzes millions of files seen across a very large installed base in order to identify threats soon after they appear. Insight flags new or recently modified executables and assigns each a risk level based on its age, how widely it is distributed, the type of source it came from and other attributes.
According to a number of experts, Insight significantly improves detection speed, performance and response time. Moreover, compared with conventional solutions, the technology significantly reduces the resources consumed during scanning (by up to 70%), which makes the security system's operation invisible to the user.
SONAR is another of Symantec's in-house security technologies; it determines how dangerous a threat is on the basis of behavior analysis. SONAR is the core of the behavior-based protection layer and is built on artificial intelligence, behavioral patterns and policy-driven behavioral blocking. These components work together to provide reliable protection against threats.
Other benefits of Symantec Endpoint Protection include cloud-assisted antivirus scanning (Intelligent Threat Cloud Service), advanced machine learning (AML) that improves static detection, Generic Exploit Mitigation, which blocks exploit attempts against Windows-based computers, and a sandbox for packed malware. To improve performance in virtual environments, SEP can integrate with VMware vShield Endpoint.

Trend Micro OfficeScan

Antivirus: included
Sandbox: included (via a separate add-on sandbox module, not a built-in component)
Device and port control: included
DLP (Data Loss Prevention): included
Disk Encryption: not included

Trend Micro OfficeScan is an antivirus solution with integrated XGen Endpoint Security technologies: a suite of protection against cyber threats for file servers, PCs and Macs, PoS terminals, ATMs and virtual desktops. OfficeScan provides the following malware protection tools: high-precision behavioral analysis, file reputation evaluation, blocking of variants of known malicious code, protection against exploits and more. To minimize system and network load, the control module applies the detection technique best suited to each object at the point where it is needed.
An important feature of Trend Micro OfficeScan is its high-performance machine learning. The product automatically exchanges threat information with other systems on the company's network and continuously adapts based on the data it receives. Trend Micro says it was the first vendor to apply machine learning both to files before they are launched and to processes during execution, in order to make the check at each layer more precise; this approach reduces the number of false positives.
The upgraded ransomware protection monitors unauthorized actions related to encrypting files on the endpoint and, where necessary, blocks them. Where possible, OfficeScan also restores files that were encrypted before the process was stopped. Rapid exchange of information about suspicious network activity and file operations helps prevent new attacks, and an emulator for running packed malware together with real-time updates further raises the level of protection.
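To make the "monitor encryption-related actions, block the process, restore the files" behavior concrete, here is an added example of how such a behavioral monitor works in principle. It is not Trend Micro's code and does not reflect OfficeScan's real thresholds or internals; the event format, the entropy and rate thresholds, the file paths and the event stream are all constructed for the example. It flags a process that repeatedly overwrites existing files with near-random (high-entropy) content or renames them to a new extension within a short window, blocks it, and rolls the touched files back from snapshots taken before each write.

```python
import math
from collections import defaultdict, deque
from typing import Optional

# Tuning values are assumptions for this example, not any vendor's real thresholds.
ENTROPY_THRESHOLD = 7.0     # bits/byte; encrypted or compressed output sits near 8.0
WINDOW_SECONDS = 10.0       # sliding window per process
MAX_SUSPICIOUS_EVENTS = 5   # suspicious writes/renames in the window before blocking


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a buffer in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


class RansomwareMonitor:
    """Per-process behavioral monitor over a simulated stream of file-system events.

    An event is a dict: {"ts": float, "pid": int, "op": "write"|"rename", "path": str,
    "data": bytes (write only), "new_path": str (rename only)}. A process is blocked once
    it produces too many high-entropy overwrites or extension-changing renames inside the
    sliding window. The original content of each file a process touches is snapshotted
    before the change so it can be restored if that process is later blocked (a toy
    stand-in for the "recover encrypted files" capability described in the text).
    """

    def __init__(self):
        self.files = {}                        # simulated disk: path -> current content
        self.snapshots = defaultdict(dict)     # pid -> {path: content before first change}
        self.renames = defaultdict(list)       # pid -> new paths created by renames
        self.suspicious = defaultdict(deque)   # pid -> timestamps of suspicious events
        self.blocked = set()

    def _is_suspicious(self, ev) -> bool:
        if ev["op"] == "write":
            # Overwriting an existing file with near-random bytes is the core signal.
            return ev["path"] in self.files and shannon_entropy(ev["data"]) >= ENTROPY_THRESHOLD
        if ev["op"] == "rename":
            old_ext = ev["path"].rsplit(".", 1)[-1]
            new_ext = ev["new_path"].rsplit(".", 1)[-1]
            return ev["path"] in self.files and old_ext != new_ext
        return False

    def observe(self, ev) -> Optional[str]:
        """Apply one event; returns an alert string if it was blocked, else None."""
        pid = ev["pid"]
        if pid in self.blocked:
            return f"blocked pid {pid}: {ev['op']} {ev['path']}"
        if self._is_suspicious(ev):
            window = self.suspicious[pid]
            window.append(ev["ts"])
            while window and ev["ts"] - window[0] > WINDOW_SECONDS:
                window.popleft()
            if len(window) >= MAX_SUSPICIOUS_EVENTS:
                self.blocked.add(pid)   # the triggering event itself is not applied
                return f"blocked pid {pid}: {len(window)} suspicious file ops in {WINDOW_SECONDS}s"
        # Allowed: snapshot the original, then apply the change to the simulated disk.
        if ev["op"] == "write":
            if ev["path"] in self.files:
                self.snapshots[pid].setdefault(ev["path"], self.files[ev["path"]])
            self.files[ev["path"]] = ev["data"]
        elif ev["op"] == "rename" and ev["path"] in self.files:
            self.snapshots[pid].setdefault(ev["path"], self.files[ev["path"]])
            self.files[ev["new_path"]] = self.files.pop(ev["path"])
            self.renames[pid].append(ev["new_path"])
        return None

    def restore(self, pid: int) -> list:
        """Roll back every file the process changed; returns the restored paths."""
        restored = []
        for path, original in self.snapshots.pop(pid, {}).items():
            self.files[path] = original
            restored.append(path)
        for new_path in self.renames.pop(pid, []):
            self.files.pop(new_path, None)
        return restored


def run_demo():
    """Constructed stream: a benign editor (pid 100) and a simulated encryptor (pid 200)."""
    m = RansomwareMonitor()
    docs = [f"/home/alice/docs/report{i}.docx" for i in range(6)]   # hypothetical paths
    for p in docs:
        m.files[p] = b"Quarterly report text " * 8                # low-entropy originals
    alerts = []
    # pid 100 saves plaintext edits: low entropy, same extension, never flagged.
    for i, p in enumerate(docs):
        alerts.append(m.observe({"ts": 1.0 + i, "pid": 100, "op": "write", "path": p,
                                 "data": b"Quarterly report text, edited " * 8}))
    # pid 200 overwrites each file with uniform bytes (entropy 8.0) and renames it to .locked.
    ciphertext = bytes(range(256)) * 4
    for i, p in enumerate(docs):
        alerts.append(m.observe({"ts": 20.0 + i, "pid": 200, "op": "write", "path": p,
                                 "data": ciphertext}))
        alerts.append(m.observe({"ts": 20.5 + i, "pid": 200, "op": "rename", "path": p,
                                 "new_path": p + ".locked"}))
    restored = m.restore(200)
    return m, alerts, restored


if __name__ == "__main__":
    monitor, alerts, restored = run_demo()
    for a in alerts:
        if a:
            print(a)
    print("restored:", restored)
```

In the demo the encryptor is stopped at its fifth suspicious operation, so only the first two documents were touched, and both are rolled back to their last pre-attack content (the editor's saved version, not the factory original). Two caveats a practitioner would add: entropy alone also fires on archivers, compressors and legitimate encryption tools, which is why real products combine it with rename patterns, rate, canary files and process reputation; and snapshotting every write in memory is only a toy, real products restore from a backup or shadow-copy store.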

Summary

This article presents only some of the characteristics of endpoint protection systems. More detailed information can be found in the Endpoint Security comparison table.
In conclusion, all of the endpoint protection products above are characterized by strong protection features, low consumption of computer resources and ease of operation. At the same time, because modern corporate networks are complex and not always optimally designed, experts recommend testing the chosen solution in a pilot before full deployment.

Author: Oleg Pylypenko, for ROI4CIO
