This GigaOm Research Reprint Expires: Sep 23, 2023

GigaOm Radar for Endpoint Detection and Response v1.0

1. Summary

The endpoint is, in some ways, an unusual problem forced upon organizations and security teams. Endpoints are portals through which sensitive data is accessed and manipulated by staff. They are often mobile devices, moving from location to location and sometimes operated by multiple users. In addition, endpoint telemetry can be cryptic or completely absent, compounding the security problem.

Endpoint detection and response (EDR) addresses the risks unique to endpoints through enhanced visibility of the endpoint landscape and by correlating individual anomalous events into a unified series and prioritizing potential security threats. Once anomalous events are detected, EDR solutions deploy automated responses to mitigate risks. Automated response features not found in legacy antivirus (AV) tools include the ability to remotely isolate an endpoint until security staff can address the risk, forensic data collection, automated response workflows, and cross-device event correlation.

EDR is often delivered as part of a managed solution wherein a trusted third party handles some or all of the investigation and triage work. This is a popular service model for organizations with small security teams or business units responsible for their own security operations. EDR is also sold stand-alone as a technology-only solution, which is often a more popular choice for larger organizations with mature security operations.

With the emergence of advanced persistent threats, the burden of regulatory compliance requirements, staff and skills shortages, and the proliferation of highly distributed work-from-home environments, EDR has evolved to address new challenges.

This shift in capabilities and priorities can be viewed in terms of the fracture between groups of vendors in the space. On one side, there are vendors that see a future in which EDR transforms into extended detection and response (XDR), which supports telemetry from the endpoint as well as from software as a service (SaaS), identity providers, firewalls, VPNs, and so forth. Vendors on the other side see EDR as a separate discipline, one that will stand the test of time much the same way legacy antivirus did for decades.

How to Read this Report

This GigaOm report is one of a series of documents that helps IT organizations assess competing solutions in the context of well-defined features and criteria. For a fuller understanding, consider reviewing the following reports:

Key Criteria report: A detailed market sector analysis that assesses the impact that key product features and criteria have on top-line solution characteristics—such as scalability, performance, and TCO—that drive purchase decisions.

GigaOm Radar report: A forward-looking analysis that plots the relative value and progression of vendor solutions along multiple axes based on strategy and execution. The Radar report includes a breakdown of each vendor’s offering in the sector.

Solution Profile: An in-depth vendor analysis that builds on the framework developed in the Key Criteria and Radar reports to assess a company’s engagement within a technology sector. This analysis includes forward-looking guidance around both strategy and product.

2. Market Categories and Deployment Types

To better understand the market and vendor positioning (Table 1), we assess how well EDR solutions are positioned to serve specific market segments.

  • Small-to-medium business (SMB): In this category, we assess solutions on their ability to meet the needs of organizations ranging from small businesses to medium-sized companies. Also assessed are departmental use cases in large enterprises where ease of use and deployment are more important than extensive management functionality, data mobility, and feature set.
  • Large enterprise: Here, offerings are assessed on their ability to support large and business-critical projects. Optimal solutions in this category will have a strong focus on flexibility, performance, data services, and features to improve security and data protection. Scalability is another big differentiator, as is the ability to deploy the same service in different environments.
  • Managed service provider (MSP): These are EDR solutions that are designed with multitenancy in mind and licensing models that accommodate resellers. Sometimes the opportunity to white-label the service also exists, along with seamless support for the MSP client.

In addition, we recognize two deployment models for solutions in this report: cloud-delivered and on-premises.

  • Cloud-delivered: Often designed, deployed, and managed by the service provider, they are available only from that specific provider. The big advantages of this type of solution are simplified deployment and reduced operational overhead.
  • On-premises: These solutions are meant to be installed on-premises, allowing the client to operate the solution’s infrastructure. This model also lends itself to the greatest amount of data security, as the client controls the data throughout its lifecycle. These solutions can be deployed in the form of virtual appliances or on commodity operating systems through installable applications.

Table 1. Vendor Positioning

Columns: Market Segment (SMB | Large Enterprise | MSP) and Deployment Model (Cloud-Delivered | On-Premises).

Vendors assessed: Bitdefender, BlackBerry, CrowdStrike, Microsoft, Trellix, VMware Carbon Black, WatchGuard, Xcitium (Comodo). (The per-vendor ratings in this table are icons in the original and are not reproduced in this text version.)

Rating scale: Exceptional: Outstanding focus and execution; Capable: Good but with room for improvement; Limited: Lacking in execution and use cases; Not applicable or absent.

3. Key Criteria Comparison

Building on the findings from the GigaOm report “Key Criteria for Evaluating Endpoint Detection and Response Solutions,” Table 2 summarizes how each vendor included in this research performs in the areas that we consider differentiating and critical in this sector. Table 3 follows this summary with insight into each product’s evaluation metrics—the top-line characteristics that define the impact each will have on the organization.

The objective is to give the reader a snapshot of the technical capabilities of available solutions, define the perimeter of the market landscape, and gauge the potential impact on the business.

Table 2. Key Criteria Comparison

Vendor | Application Discovery | Compliance Reporting | Data Security | Device Isolation with Remote Access | Intrusion Framework Mapping | Investigation Enablement | Runbook Management
Bitdefender | 2 | 1 | 2 | 3 | 3 | 3 | 1
BlackBerry | 2 | 1 | 2 | 3 | 2 | 3 | 1
CrowdStrike | 3 | 1 | 2 | 2 | 3 | 3 | 2
Microsoft | 2 | 1 | 2 | 2 | 3 | 3 | 2
Trellix | 2 | 1 | 2 | 2 | 2 | 3 | 1
VMware Carbon Black | 2 | 1 | 2 | 3 | 2 | 3 | 1
WatchGuard | 3 | 1 | 2 | 2 | 2 | 3 | 3
Xcitium (Comodo) | 2 | 1 | 3 | 1 | 2 | 2 | 3

Rating scale: 3 = Exceptional: Outstanding focus and execution; 2 = Capable: Good but with room for improvement; 1 = Limited: Lacking in execution and use cases; Not applicable or absent.

Table 3. Evaluation Metrics Comparison

Vendor | Integration Maturity | Visibility | Platform Compliance | Openness
Bitdefender | 2 | 2 | 2 | 3
BlackBerry | 2 | 2 | 2 | 2
CrowdStrike | 3 | 2 | 2 | 2
Microsoft | 2 | 2 | 2 | 1
Trellix | 3 | 2 | 2 | 1
VMware Carbon Black | 3 | 2 | 2 | 2
WatchGuard | 2 | 2 | 2 | 2
Xcitium (Comodo) | 2 | 2 | 2 | 2

Rating scale: 3 = Exceptional: Outstanding focus and execution; 2 = Capable: Good but with room for improvement; 1 = Limited: Lacking in execution and use cases; Not applicable or absent.

By combining the information provided in the tables above, the reader can develop a clear understanding of the technical solutions available in the market.

4. GigaOm Radar

This report synthesizes the analysis of key criteria and their impact on evaluation metrics to inform the GigaOm Radar graphic in Figure 1. The resulting chart is a forward-looking perspective on all the vendors in this report based on their products’ technical capabilities and feature sets.

The GigaOm Radar plots vendor solutions across a series of concentric rings, with those set closer to the center judged to be of higher overall value. The chart characterizes each vendor on two axes—balancing Maturity versus Innovation and Feature Play versus Platform Play—while providing an arrow that projects each solution’s evolution over the coming 12 to 18 months.

Figure 1. GigaOm Radar for Endpoint Detection and Response

As you can see in the Radar chart in Figure 1, this is a market segment dominated by the Platform Players, with only one Feature Player. From a practical perspective, this should drive decision makers to consider purchasing EDR solutions from vendors whose products they already use. That choice can both simplify acquisition and provide another source of telemetry for security operations teams that helps them keep tabs on their environments.

Just barely in the Mature, Platform-Play quadrant, WatchGuard is an Outperformer, rapidly innovating its EDR solution with the help of its acquisition of Panda Security, and bringing capabilities to the space that are valued by both large and small organizations. CrowdStrike is a key player in this space and has been for years, though it seems to be slowing development of its EDR solution and focusing instead on bringing new features to market in other solutions, such as XDR. Trellix is in a similar position but under different circumstances. With the McAfee and FireEye merger, then the rebrand to Trellix, the Trellix EDR solution is in a period of consolidation, focusing more on unifying features and branding and less on innovation.

Microsoft’s EDR solution brings together many key capabilities in a mature package, but it lacks breadth of integration when compared to other solutions. VMware’s Carbon Black offers great investigative capabilities—a standout feature for advanced security teams—but its integrations also lack breadth. BlackBerry’s acquisition of Cylance brings an AI-powered EDR solution into the BlackBerry service catalog; however, it appears the Cylance solution is not yet integrated with other BlackBerry technologies.

Xcitium (formerly Comodo), taking the only spot in the Innovation, Platform-Play quadrant, has been working in the EDR space since 2018 under the Comodo brand and rebranded to Xcitium in July 2022. Xcitium Advanced Endpoint Protection, using its patented ZeroDwell Containment, preempts detection and response maneuvers with instant virtualization of unknown malware as it enters the endpoint.

Bitdefender—the lone Innovation, Feature-Play vendor—offers a good EDR solution that can be coupled (for an additional cost) with its managed detection and response (MDR) service.

Inside the GigaOm Radar

The GigaOm Radar weighs each vendor’s execution, roadmap, and ability to innovate to plot solutions along two axes, each set as opposing pairs. On the Y axis, Maturity recognizes solution stability, strength of ecosystem, and a conservative stance, while Innovation highlights technical innovation and a more aggressive approach. On the X axis, Feature Play connotes a narrow focus on niche or cutting-edge functionality, while Platform Play displays a broader platform focus and commitment to a comprehensive feature set.

The closer to center a solution sits, the better its execution and value, with top performers occupying the inner Leaders circle. The centermost circle is almost always empty, reserved for highly mature and consolidated markets that lack space for further innovation.

The GigaOm Radar offers a forward-looking assessment, plotting the current and projected position of each solution over a 12- to 18-month window. Arrows indicate travel based on strategy and pace of innovation, with vendors designated as Forward Movers, Fast Movers, or Outperformers based on their rate of progression.

Note that the Radar excludes vendor market share as a metric. The focus is on forward-looking analysis that emphasizes the value of innovation and differentiation over incumbent market position.

5. Vendor Insights

Bitdefender

Bitdefender delivers both EDR and XDR solutions for businesses, as well as home products and products that can be resold by MSP partners. This report focuses on the business suite, specifically the GravityZone Business Security Enterprise, which is Bitdefender’s EDR and XDR solution. Delivering both EDR and XDR solutions through the same technology provides organizations with an easy path towards broader adoption of “detection and response” technologies like XDR. However, for the purposes of this report, only EDR capabilities are reviewed.

The solution can be delivered in either of two models, SaaS or on-premises. The SaaS model follows the traditional deployment methods in which a SaaS portal is instantiated and agents are deployed to the organization’s endpoints. The on-premises model requires one or more virtual appliances (depending on the size of the organization) and the deployment of agents. For organizations with stringent data security requirements, the on-premises model will likely deliver greater control over organizational data. This solution is sold per agent per year, with an average annual per agent cost of around $50 USD.

Bitdefender’s EDR solution scored very well in the MITRE ATT&CK Engenuity evaluation in 2021, landing ahead of Microsoft, CrowdStrike, and others in the evaluation with a total of 366 “detections.” This means the solution was able to correctly identify an attacker tactic or technique 366 times, indicating mature, class-leading detection capabilities.

Support documentation is well-organized and freely accessible without registration through the Bitdefender website. However, Bitdefender’s integration capabilities are less than is typical of solutions in this space. Currently, the only integrations available are with Amazon Web Services (AWS) to support enhanced EC2 visibility, Microsoft’s Active Directory (AD), Microsoft Windows Defender ATP, and Veeam.

The compliance reporting capabilities of this solution are average; this isn’t a strong area yet among most vendors. If proving compliance through reporting is required, a security information and event management (SIEM) or other solution will be required. Bitdefender offers device isolation capability and an interactive full shell functionality that enables users to connect remotely with administrative rights to endpoints across all three major operating systems: Windows, Linux, and Mac. Additionally, by using the Investigation Package capability, GravityZone users can instruct any endpoint across Windows, Linux, and Mac to automatically trigger the collection of forensic evidence without the need for an endpoint to be involved in an incident. For privacy-conscious organizations, it is important to know that the Investigation Package could collect data considered to be personally identifiable information (PII).

Automation through either machine learning (ML) or runbooks is a growing capability in all tech spaces, especially within security, but Bitdefender instead guides clients to consider its MDR solution, which is sold separately from the EDR solution. Moreover, this solution doesn’t offer the same depth of forensic data gathering as others in the space. This isn’t necessarily a downside because it’s a result of designing a solution that is meant to be easily operated by smaller organizations that may not have the right expertise on staff and by larger organizations looking to augment their teams and capabilities.

Strengths: Bitdefender offers exceptional detection capabilities in either SaaS or on-premises architectures for enhanced data security at a very low cost.

Challenges: This solution doesn’t offer features that larger organizations may desire, like runbook management or a broad range of integrations.

BlackBerry (Cylance)

With BlackBerry’s acquisition of Cylance, the Cylance security solution is now a part of the BlackBerry Cybersecurity Platform, a broad set of solutions that covers endpoints, network, cloud, identity, and more. We evaluated only the endpoint security solution, called CylanceOPTICS.

This solution is offered in a SaaS architecture, with agents deployed to the organization’s endpoints and the administrative workload running in the BlackBerry managed cloud. For organizations looking to reduce the burden on security operations, leveraging automations like those found in this solution will pay dividends.

This solution aligns itself with the MITRE ATT&CK framework, meaning tactics, techniques, and procedures (TTPs) are mapped for security events. The TTPs are mapped, then correlated to identify the scope of potential security threats. This scoping exercise is often left up to security operations teams and is a time-consuming task. However, it should be noted that this scoping doesn’t benefit only large skilled security teams but also smaller organizations that may lack the knowledge to perform such tasks.

This solution includes a hunting enablement feature called InstaQuery that allows security teams to gather forensic information across the deployed agent fleet using prebuilt queries. This query feature leverages purpose-built features like mapping query language objects to MITRE ATT&CK. The data collected from this feature includes indicators of compromise (IOCs) such as files, executables, and hash values.

The BlackBerry solution doesn’t offer robust compliance reporting and instead focuses on the operational aspects that are improved by EDR solutions, such as detections within the environment, frequency of IOCs, and other common security operations concerns. Because this solution uses AI automations, runbook management capabilities are not present. For organizations that have existing runbooks or procedures, bespoke development leveraging the open API that is fully documented will be required.

The maturity level of existing integrations is quite high, and this makes it easy to integrate popular SIEM solutions like Splunk into the solution. Other integrations, like tying into service desks and notification services, are somewhat limited but still average for the space. Like most offerings in this space, the BlackBerry solution can be coupled with an MDR service should an organization deem it necessary.

Strengths: This solution includes class-leading AI technology deployment that results in effective security improvements. Strong investigation enablement is provided through the InstaQuery feature.

Challenges: Compliance reporting and runbook management are not available.

CrowdStrike

CrowdStrike’s EDR solution, Falcon, is a staple in the EDR space with a reputation for reliability and ease of use. The solution is offered only via a SaaS platform; no onsite or private cloud version exists. The main components of Falcon are the SaaS operator portal and the Falcon agent that can be deployed to supported operating systems, which include macOS, Linux, and Windows.

The Falcon platform is sold in modules. Those evaluated in this report include Falcon Insight, Falcon Prevent, Falcon Discover, Falcon OverWatch, and the CrowdStrike Threat Graph. When combined, these modules form CrowdStrike’s most complete EDR solution.

The Falcon Discover module, which provides deep insight into applications and services installed on endpoints, is a good starting point for building an understanding of the Falcon solution. The data collected by this module is used to identify vulnerabilities on endpoints as well as provide metadata to enable investigative processes.

Falcon OverWatch is the managed threat-hunting module for this EDR solution and provides a human threat detection engine to operate as a seamless extension of the customer’s team. Falcon OverWatch takes data from Falcon Discover as well as real time event data from the endpoints to identify known and unknown threats. The threat data gathered in this module is mapped to the MITRE ATT&CK framework. Each threat then lists the specific TTPs used. Additionally, as threats are recorded, the specific TTPs are tracked and presented on dashboards. This can make identifying trends easier and, more to the point, identify mitigations that need to be prioritized to thwart these TTPs.

CrowdStrike Falcon offers full device isolation with operator remote access. This feature enables organizations to stop nascent attacks as they occur and to collect forensic data to assist the investigative process and accelerate the detection process.

Runbooks—or workflows, as they are called in the Falcon solution—are fully customizable using the built-in no-code workflow-creation feature. Workflows within Falcon can perform both simple and complex tasks, interact with third-party technologies, gather additional information, or simply notify security staff of specific events.

As with any technology that monitors and collects data from sensitive environments, the overall level of risk is elevated. To combat this situation, the CrowdStrike solution is designed to collect only metadata from endpoints, such as IP addresses, hostnames, usernames, MAC addresses, serial numbers, and public IP addresses. However, in some circumstances, it can collect command-line parameters should a command line be used to launch a process. These parameters can contain sensitive data, and although it’s unlikely, that data could be exposed to an operator of the platform.
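The exposure described above (command-line parameters carrying credentials or tokens into EDR telemetry) is a risk a defender can reduce on the ingest side. The following is an added example, not CrowdStrike's code or part of the Falcon product: a small redaction filter that masks the values of secret-bearing arguments in process command lines before the events are stored or forwarded. The key names, flag shapes, event schema and sample command lines are constructed assumptions.

```python
import re
from typing import Dict, List, Tuple

# Added example: redact secret-bearing arguments from process command lines before the
# telemetry is stored or shipped. Key names and flag shapes below are constructed
# assumptions, not a list taken from any vendor's product.

REDACTED = "<REDACTED>"

# Matches "--password=x", "--token x", "/password:x", "API_KEY=x". The key must start a
# token ((?<!\S)), so a path such as /etc/passwd is left untouched.
_KEY_VALUE = re.compile(
    r"(?i)(?<!\S)(?P<key>(?:--?|/)?(?:password|passwd|pwd|token|secret|api[_-]?key)(?:[=:]|\s+))"
    r"(?P<val>\"[^\"]*\"|'[^']*'|\S+)"
)
# "Authorization: Bearer <token>" as it appears in curl/wget invocations.
_BEARER = re.compile(r"(?i)(?P<key>bearer\s+)(?P<val>[^\s'\"]+)")


def redact_command_line(cmdline: str) -> str:
    """Return cmdline with the values of secret-bearing arguments replaced by a marker."""
    out = _KEY_VALUE.sub(lambda m: m.group("key") + REDACTED, cmdline)
    out = _BEARER.sub(lambda m: m.group("key") + REDACTED, out)
    return out


def sanitize_events(events: List[Dict[str, str]]) -> Tuple[List[Dict[str, str]], int]:
    """Redact the 'cmdline' field of each event; return the new events and how many changed."""
    cleaned: List[Dict[str, str]] = []
    changed = 0
    for ev in events:
        new_ev = dict(ev)
        original = ev.get("cmdline", "")
        new_ev["cmdline"] = redact_command_line(original)
        if new_ev["cmdline"] != original:
            changed += 1
            new_ev["cmdline_redacted"] = "true"  # keeps analysts aware that data was masked
        cleaned.append(new_ev)
    return cleaned, changed


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws-01", "pid": "4120", "cmdline": "mysql -u app --password=hunter2 -h db.internal"},
    {"host": "ws-01", "pid": "4133", "cmdline": "cat /etc/passwd | grep root"},
    {"host": "ws-02", "pid": "812",
     "cmdline": "curl -H 'Authorization: Bearer eyJhbGciOi.abc.def' https://api.example.test/v1"},
    {"host": "ws-02", "pid": "820", "cmdline": "export API_KEY=sk-constructed-0000"},
]

if __name__ == "__main__":
    cleaned_events, count = sanitize_events(SAMPLE_EVENTS)
    for event in cleaned_events:
        print(event["host"], event["pid"], event["cmdline"])
    print(f"{count} of {len(cleaned_events)} command lines redacted")
```

The filter is deliberately conservative: it masks only the value following a recognised key or bearer prefix, so the analyst still sees which tool was invoked and which flag carried the secret, and a `cmdline_redacted` flag records that masking happened. A pattern list like this never catches every shape of secret (positional arguments, for example, are untouched), which is why the page's point stands that operators of the platform may still see sensitive data.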

Although some solutions provide robust compliance reporting to assist in evidence collection during audit and to demonstrate compliance with frameworks, Falcon’s execution on this feature is weak.

Strengths: CrowdStrike Falcon is a mature, well-rounded EDR solution with very capable detective and preventive features. The solution references the MITRE ATT&CK framework often and features easy-to-create automations via its workflow feature. Falcon also brings remote isolation capabilities with remote access and deep insight into endpoint applications via its Discover module.

Challenges: The Falcon solution doesn’t provide much support for compliance framework reporting or evidence collection.

Microsoft

Microsoft Defender for Endpoint (MDE) is Microsoft’s flagship offering for endpoint-focused security. The naming initially created some confusion because Defender is also the name of the desktop AV solution, Microsoft Defender Antivirus. But MDE is the EDR solution for macOS and Linux as well as Windows, with a breadth of features that exceeds the Defender AV.

MDE is offered in three deployment packages: a cloud native, SaaS-style solution; a co-managed solution purchased through a Microsoft partner; and an on-premises deployment. MDE can be deployed leveraging basic methods, including scripts and group policy where possible, as well as integration with Microsoft or other incumbent endpoint management solutions.

Telemetry collected by MDE is mapped to the MITRE ATT&CK framework. Additionally, MDE allows operators of the platform to remotely isolate endpoints while continuing to maintain a connection for forensic data gathering via scripts and command-line interface (CLI)-based interrogation.

When investigating a security incident, the requisite skill necessary to identify not only all related security events but the order in which they occurred is immense. This is a challenge for even the most skilled security professionals. MDE addresses this challenge by allowing users to replay the attack “story,” a representation of the security events strung together in a way that both illustrates the attacker’s behaviors and defines the scope of the incident. This feature facilitates many security operations tasks from investigation to remediation and more.
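To make concrete what stringing security events into a "story" involves, here is an added example (not Microsoft's code and not how MDE implements the feature): process-creation events from one host are linked by parent PID, an alert on one process is expanded to its full lineage (up to the root of the chain and down to every descendant), and the result is ordered by time so the attacker's behaviour reads top to bottom. The events, the event schema and the ATT&CK technique labels attached to them are constructed assumptions.

```python
from typing import Dict, List

# Added example: reconstruct an "attack story" from process-creation telemetry.
# Events and ATT&CK technique labels are constructed for illustration; the event
# schema (ts, pid, ppid, image, technique) is an assumption, not a product format.

# Constructed process-creation events from one host (ts = seconds since boot).
EVENTS = [
    {"ts": 10.0, "pid": 100, "ppid": 1,   "image": "outlook.exe",    "technique": "T1566.001"},
    {"ts": 12.0, "pid": 200, "ppid": 100, "image": "winword.exe",    "technique": "T1204.002"},
    {"ts": 12.5, "pid": 600, "ppid": 1,   "image": "chrome.exe",     "technique": None},
    {"ts": 14.0, "pid": 300, "ppid": 200, "image": "powershell.exe", "technique": "T1059.001"},
    {"ts": 15.0, "pid": 400, "ppid": 300, "image": "certutil.exe",   "technique": "T1105"},
    {"ts": 16.0, "pid": 500, "ppid": 300, "image": "schtasks.exe",   "technique": "T1053.005"},
]


def _index(events: List[dict]):
    """Build pid -> event and ppid -> [child pids] lookups."""
    by_pid = {e["pid"]: e for e in events}
    children: Dict[int, List[int]] = {}
    for e in events:
        children.setdefault(e["ppid"], []).append(e["pid"])
    return by_pid, children


def find_root(events: List[dict], pid: int) -> int:
    """Walk parent links upward until the parent is not present in the telemetry."""
    by_pid, _ = _index(events)
    if pid not in by_pid:
        raise ValueError(f"pid {pid} not in telemetry")
    current = pid
    while by_pid[current]["ppid"] in by_pid:
        current = by_pid[current]["ppid"]
    return current


def attack_story(events: List[dict], alert_pid: int) -> List[dict]:
    """The lineage subtree containing alert_pid, ordered by timestamp, each with its depth."""
    by_pid, children = _index(events)
    root = find_root(events, alert_pid)
    story: List[dict] = []
    stack = [(root, 0)]
    while stack:                       # depth-first walk over the subtree rooted at root
        pid, depth = stack.pop()
        story.append({"depth": depth, **by_pid[pid]})
        for child in children.get(pid, []):
            stack.append((child, depth + 1))
    story.sort(key=lambda e: e["ts"])  # children are always created after parents
    return story


def story_techniques(story: List[dict]) -> List[str]:
    """Techniques observed in the story, in order of first appearance (the incident's scope)."""
    seen: List[str] = []
    for e in story:
        t = e["technique"]
        if t and t not in seen:
            seen.append(t)
    return seen


def render(story: List[dict]) -> str:
    """Indented, time-ordered text rendering of the story."""
    lines = []
    for e in story:
        label = f"{e['image']} (pid {e['pid']}) {e['technique'] or ''}".rstrip()
        lines.append(f"{e['ts']:6.1f} " + "  " * e["depth"] + label)
    return "\n".join(lines)


if __name__ == "__main__":
    s = attack_story(EVENTS, alert_pid=300)   # alert fired on the PowerShell process
    print(render(s))
    print("techniques:", ", ".join(story_techniques(s)))
```

Note what the lineage walk gives for free: the unrelated browser process (pid 600) is excluded because it shares no ancestor with the alerting process, while the two children spawned after the alert are pulled in even though nothing alerted on them. Real products also correlate across hosts, file writes and network connections; this example shows only the process-tree part of that work.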

While not one of the key criteria that is tracked in this report, the vulnerability and misconfiguration capabilities offered by this solution are robust. The value an organization can derive from these features will vary based on the maturity of its security program. However, with vulnerabilities and misconfigurations providing a perennial treasure trove of opportunities for attackers, it never hurts to have another set of eyes looking for these issues.

Integration maturity is relatively strong for Microsoft products but average or slightly below average relative to integration opportunities provided by other EDR solutions. Moreover, compliance reporting is sub-par, although Microsoft indicates that improvements might be coming.

This solution includes a module called the automated investigation and response (AIR) feature, which provides automated responses through the use of playbooks. There are three severity levels associated with various response activities, all of which can be tailored to the organization’s needs by adjusting the level of automation. This is an important feature because, despite a vendor’s best efforts, there are inherent risks associated with automated actions and the risk appetite of each organization varies.

Finally, it’s worth mentioning the maturity of the support documentation. Typical of Microsoft, the support documentation is very rich in detail and thoughtfully laid out. Users can navigate either by expanding topic trees or by simply searching for keywords. Having support documents both freely available and easily accessible is a differentiating factor in this space where some vendors lock away support or provide limited documentation.

Strengths: This solution delivers a range of deployment models and OS support, complete security incident visibility with the story replay feature, and great automated response capabilities. It also makes good use of MITRE ATT&CK TTPs through event mapping.

Challenges: Compliance reporting capabilities are quite weak, and integrations are limited outside of the Microsoft ecosystem.

Trellix

The Trellix EDR solution—a rebrand from FireEye after the Mandiant and FireEye split—is a combination of the FireEye and McAfee Enterprise EDR solutions (both owned by STG). Trellix is offered as a SaaS service. It leverages a single agent for all EDR capabilities and is deployable across macOS, Linux, and Windows.

Mandiant was, for a long time, the MDR provider for FireEye, and Mandiant services can still be leveraged with Trellix EDR. However, this report includes only the technology and not the managed services offered by vendors. In this regard, the Trellix solution provides both a high-level overview of security incidents and very detailed technical telemetry.

The high-level overview is a visual representation of the security events that comprise the security incident in a tree-style graph that builds a sequential understanding of the events as they occurred. The technical details include IOCs like file names, executables, command-line parameters, and hashes. These indicators reference the likely MITRE ATT&CK TTP, allowing solution operators to better understand where they are in the attack lifecycle. Trellix also includes a guided investigation capability that gathers, summarizes, and visualizes all relevant telemetry for each security incident. This is a feature that will provide value across many organization types and sizes.

Application discovery is handled through the forensics capabilities of the solution. This allows operators to see installed applications and versions, and identify risks associated with vulnerabilities. The execution of this capability is average for the space, neither better nor worse than most solutions. However, Trellix’s integration maturity is a strong point for the solution, with numerous out-of-the-box integrations. While the maturity of each integration varies, Trellix is one of a few vendors that includes prebuilt use cases for some integrations as well as the ability to customize the way the integration is used.

As is the case with most of the EDR solutions, though not all of them, compliance reporting is a weak spot for the Trellix EDR. Reporting is focused almost exclusively on the needs of a security operations team, and data is retained for 30 days by default, which isn’t suitable for any compliance needs.

Support documentation is important for this space, and unfortunately, the Trellix documentation appears to be in a transitory phase. References to McAfee and Trellix are sprinkled throughout documentation, which can create some confusion.

Strengths: The Trellix EDR solution provides good support for common operating systems and is SaaS-delivered, which enables rapid deployment. The investigation capabilities will complement on-staff security operations for larger organizations.

Challenges: The solution lacks compliance reporting capabilities. Moreover, the ongoing unification of McAfee Enterprise and FireEye EDR technologies creates a situation in which integration activities are possibly prioritized over features and enhancements.

VMware Carbon Black

VMware Carbon Black offers EDR in both SaaS and on-premises deployment models. With the on-premises option, the client must provide a Linux server with a Postgres database, as well as internet access for the on-premises Carbon Black server to communicate via API calls to the Carbon Black Cloud. With the SaaS model, the client is responsible only for the Carbon Black Cloud agent deployment, as VMware controls the rest of the infrastructure.

This solution lets users isolate one or more endpoints from network activity from within the Carbon Black console. Though remote access capabilities are limited when an endpoint is in an isolated state, a unique aspect of Carbon Black’s isolation feature is the ability to create an isolation exclusion group for hosts that should never be isolated. This feature addresses a common concern of some organizations that a security control, like EDR, could create an outage of a critical service.

The Carbon Black Live Query feature is built on top of the popular open-source Osquery project. With Osquery, operators are able to interact with remote systems in much the same way as they would query a database. This interaction enables rapid identification of IOCs across an organization, a task that would be time consuming and error prone without this capability. Thus, this feature effectively enables investigations through rapid acquisition of critical forensic data.

Integrating other technologies with the Carbon Black EDR API is a straightforward affair thanks to the ample documentation provided by VMware. Data flows that work from this solution to other technologies leverage a RESTful API as well as the ability to have events pushed via a streaming message bus API, which shifts some of the resource usage back to the Carbon Black infrastructure, potentially reducing spend on other technologies. Other integrations with technologies like a SIEM or ticketing service exist and rely on relatively simple integration methods. These integrations are about average for the space, but the well-developed API documentation is a standout feature.

This solution provides TTP mapping to the MITRE ATT&CK framework with coverage of the ATT&CK framework that is about average for the space. The ability to identify and map events to the ATT&CK framework provides immense value to operations teams that are dealing with skills shortages.

Runbooks are largely left up to VMware to manage through future releases, with no apparent method for operators of the platform to customize runbooks.

Strengths: The solution provides great flexibility with its fully documented API that will be valuable to larger enterprises. Its built-in Live Query feature enables investigation at scale, and it includes good MITRE ATT&CK mapping for security events.

Challenges: There is no remote access capability when a device is isolated from the network. Runbook management is weak.

WatchGuard

WatchGuard, a key player in the network security space, acquired Panda Security in 2020 and has since completed the integration of the endpoint-focused security technologies. WatchGuard wants to become a unified security platform for MSPs to provide managed security services to organizations of all sizes, offering specific platform capabilities to manage them efficiently.

Note that this report focuses on WatchGuard Advanced EPDR, which is important to remember as WatchGuard offers other endpoint-focused solutions. The solution is offered as a SaaS model, with agents deployed to an organization’s servers, desktops, and laptops. It supports macOS, Linux, and Windows.

The EDR space is mature, and at times, it can be difficult to identify key differentiators between solutions. The WatchGuard solution’s standout feature is its ability to identify previously unknown malicious applications. This capability is achieved through its Zero-Trust Application Service (ZTAS). Every time an application loads on an endpoint, it is run through four checks, which include lists of known-good and known-bad applications. If an application’s intentions are still unknown, ML is employed to identify the application’s behaviors and, finally, human-led expert analysis comes into play if necessary. This results in a claimed 100% efficacy at detecting and stopping malicious applications.

WatchGuard leverages Osquery to facilitate rapid forensic evidence collection across the environment from deployed agents. Osquery enables analysts to interrogate endpoints as if they were databases, sending queries and receiving results back nearly instantaneously. The integration of Osquery makes sense because with it comes years of publicly available queries that an organization can easily make use of.
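The database-style interrogation described for Carbon Black Live Query and for WatchGuard above is easiest to understand from an actual query. The following osquery SQL is an added example for this reprint, not code from VMware, WatchGuard, or the Osquery project; it uses the standard osquery `processes`, `hash`, `users`, and `listening_ports` tables, while the SHA-256 values and the port allow-list are constructed placeholders an analyst would replace with their own indicators.

```sql
-- Added example (not from the report or either vendor): osquery SQL an analyst
-- would distribute to fleet endpoints, e.g. via a query pack or a Live Query,
-- to check for indicators of compromise. Table and column names follow the
-- standard osquery schema; the SHA-256 values below are constructed placeholders.

-- 1. Running processes whose on-disk image matches a known-bad hash, with the
--    owning user and command line for triage context. Joining on p.path gives
--    the generated hash table the path constraint it requires.
SELECT p.pid, p.name, p.path, p.cmdline, u.username, h.sha256
FROM processes AS p
JOIN hash AS h ON h.path = p.path
LEFT JOIN users AS u ON u.uid = p.uid
WHERE h.sha256 IN (
  '0000000000000000000000000000000000000000000000000000000000000001',  -- placeholder IOC
  '0000000000000000000000000000000000000000000000000000000000000002'   -- placeholder IOC
);

-- 2. Processes listening on network ports, joined to their binary hash so the
--    result can be matched against the same IOC list or an allow-list.
--    protocol is numeric in osquery (6 = TCP, 17 = UDP).
SELECT lp.pid, p.name, p.path, lp.port, lp.protocol, lp.address, h.sha256
FROM listening_ports AS lp
JOIN processes AS p ON p.pid = lp.pid
JOIN hash AS h ON h.path = p.path
WHERE lp.port NOT IN (22, 443)                -- constructed allow-list of expected ports
  AND lp.address NOT IN ('127.0.0.1', '::1'); -- ignore loopback-only listeners

-- 3. Processes whose executable was removed from disk after launch, a common
--    sign of a dropped-and-deleted payload. This catches cases the hash lookups
--    above cannot, because there is no file left to hash.
SELECT pid, name, path, cmdline, parent
FROM processes
WHERE on_disk = 0;
```

Each statement can be tried locally with `osqueryi` before being scheduled fleet-wide; when distributed through an EDR's query feature, every endpoint returns its own result set, so an empty result across the fleet is itself useful evidence during scoping.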

Runbook management is critical for security operations, and to meet this challenge, WatchGuard has integrated Jupyter Notebook, a popular web-based interactive environment for developing code and runbooks. While WatchGuard doesn’t employ Jupyter’s code-management capabilities, it does make great use of its intuitive runbook management, which greatly simplifies the process of creating and managing runbooks. Integrating Jupyter Notebook, like Osquery, adds capabilities that are not only elegant but also accelerate the process of learning to operate the EDR solution from WatchGuard.

A staple of the EDR space is the ability to remotely isolate a potentially infected endpoint and then access it remotely to determine whether an event is a true positive or false positive. The WatchGuard solution provides those capabilities as well as the ability to remotely restart the endpoint and collect digital forensic data through Osquery.

EDR solutions enable threat hunting activities for security teams. WatchGuard recognized that many organizations lack the required expertise to perform effective threat hunting activities and for this reason includes a managed threat hunting service with its EDR solution. Other vendors often offer this only as an add-on license.

Compliance reporting is a weak point for this solution, with reports focused on security operations needs instead. With that said, this solution does store security events for 365 days, which could be useful for some compliance activities in which evidence is collected through screenshots. Retaining data for this length of time is a standout feature, as most EDR solutions retain data for a much shorter period.

Strengths: WatchGuard’s application identification feature eliminates the risk presented by truly unknown malicious applications and suspicious activities. That, coupled with powerful runbook management features and the integration of Osquery for threat hunting and other powerful endpoint security features, makes this solution very well rounded and capable. It also retains events for 365 days, far longer than most EDR solutions, and includes managed threat hunting.

Challenges: This solution lacks built-in compliance reporting.

Xcitium (Comodo)

Xcitium, previously known for its SSL certificate services under the Comodo brand, has been working on endpoint detection and response since 2018. Although the company has a full unified endpoint solution (security, management, and deployment), EDR is a different technology. The solution is purpose-built to meet the demands of the EDR space and isn’t just rejiggered AV technology with detection capabilities bolted on.

For this report, we looked at Xcitium’s ZeroThreat Advanced EDR bundle, which contains all of the components of its EDR technology stack, including ZeroThreat Essentials containment technology. Although ZeroDwell Containment is a novel technology that offers practical security prevention capabilities, it’s not an EDR solution. Instead, it’s designed to complement an existing EDR offering. Note that this Xcitium solution is offered in both self-managed and managed models. The managed model provides complete 24x7x365 security operations coverage for the client.

Like others in this space, the Xcitium EDR solution maps security events to the MITRE ATT&CK framework. Its application discovery capabilities are excellent, and it provides rich telemetry around installed applications, version information, and vulnerability data and, most importantly, the ability to deploy patches to vulnerable endpoints. The ability to deploy patches should be standard in this space, but unfortunately, it is not. This solution executes on that capability quite well.

Remote device isolation is a feature that provides value through its ability to isolate a potentially compromised device while security staff mitigates risks. Essentially, it creates a buffer of time during which the security team can react. This solution is able to remotely isolate not only endpoints but also potentially malicious processes and applications through its novel application virtualization technology. While complete remote isolation can be an effective mitigation, it’s often overkill. Through the surgical approach of application isolation, the Xcitium EDR solution is able to mitigate risks with much less impact on the endpoint’s user experience.

Xcitium Enterprise provides almost a thousand automations via the Monitor and Procedure feature. These automations, essentially scripts, can be tailored to suit the operational needs of any organization and are the building blocks on which investigative, operational, and configuration capabilities are developed. In this case, Xcitium Enterprise comes with the ability to use procedures that are designed to gather forensic data from endpoints in support of incident response activities. Xcitium’s capability is extensive, and that should not be taken for granted. As veterans of the space will attest, during incident response activities, time is of the essence and manually collecting forensic data is too time-consuming to be immediately useful.

While this solution executes quite well on most of our key criteria, it fails to provide the same depth when it comes to monitoring for compliance with regulatory requirements and security frameworks. This isn’t unusual for the EDR space, however, which often leaves compliance concerns to other technologies like a SIEM.

Xcitium should be recognized for its efforts to leave data security controls in the hands of its clients. While most vendors in this space provide SOC 2 reports, audit results, and policies to demonstrate the care taken in safeguarding data, Xcitium allows clients to request a “data wipe,” something that is seldom offered. For organizations that strive for the most complete control over their data, this is a feature to look for.

Strengths: A new player in the EDR space, the Xcitium EDR solution contains several desirable features. It maps event data to the MITRE ATT&CK framework and provides hundreds of runbooks for out-of-the-box automation capabilities. The zero-threat application isolation technology, though new, has proven to be highly effective.

Challenges: The Xcitium solution doesn’t provide much support for compliance framework reporting.

6. Analyst’s Take

Endpoint detection and response is a mature technology, though that’s a relative term in a space that has evolved as much as endpoint security has. Still, that maturity aids decision makers because most of the capabilities claimed by each solution should have quantifiable evidence either from the vendor themselves or from field reports written by third parties that have experience with the solution.

To choose the best solution, organizations should first consider incumbent vendors that offer EDR solutions. Incumbent vendors likely to merit attention will include Microsoft, VMware, and perhaps BlackBerry, CrowdStrike, and Trellix. Microsoft and BlackBerry have limited integration capabilities compared to CrowdStrike and Trellix, so keep that in mind when determining how the EDR technology might be folded into existing business processes or workflows.

If incumbent security vendors are a concern, however, building a list of capabilities from our Key Criteria report that address the challenges in the organization is the best path forward. For the best guidance, use this information like a shopping list, then compare solutions head-to-head and ask specific questions relating to the unique qualities of an organization’s environment.

If you’re able to come up with a shortlist of solutions based on the activity above, checking on these solutions’ ability to help maintain compliance or drive new business objectives should be the next step in evaluating them. As an example, while almost all EDR solutions are well suited for the “new normal” of remote work, only some are able to deliver higher levels of data security through either on-premises deployments or, in the case of Xcitium, the ability to request a data wipe of its SaaS solution.

Because of the maturity of this space, you’re not likely to find a poor solution. Identifying key capabilities that drive value and align with business needs will provide the best guidance. And remember that carefully considering incumbent vendors and how their EDR solutions can be deployed may be a fast-track approach to a successful EDR project.

7. About Chris Ray


Chris Ray is a veteran of the cyber security domain. He has a collection of experiences ranging from small teams to large financial institutions. Additionally, Chris has worked in healthcare, manufacturing, and technology. More recently, he has acquired an extensive amount of experience advising and consulting with security vendors, helping them find product-market fit as well as deliver cyber security services.

8. About GigaOm

GigaOm provides technical, operational, and business advice for IT’s strategic digital enterprise and business initiatives. Enterprise business leaders, CIOs, and technology organizations partner with GigaOm for practical, actionable, strategic, and visionary advice for modernizing and transforming their business. GigaOm’s advice empowers enterprises to successfully compete in an increasingly complicated business atmosphere that requires a solid understanding of constantly changing customer demands.

GigaOm works directly with enterprises both inside and outside of the IT organization to apply proven research and methodologies designed to avoid pitfalls and roadblocks while balancing risk and innovation. Research methodologies include but are not limited to adoption and benchmarking surveys, use cases, interviews, ROI/TCO, market landscapes, strategic trends, and technical benchmarks. Our analysts possess 20+ years of experience advising a spectrum of clients from early adopters to mainstream enterprises.

GigaOm’s perspective is that of the unbiased enterprise practitioner. Through this perspective, GigaOm connects with engaged and loyal subscribers on a deep and meaningful level.

9. Copyright

© Knowingly, Inc. 2022. "GigaOm Radar for Endpoint Detection and Response" is a trademark of Knowingly, Inc. For permission to reproduce this report, please contact sales@gigaom.com.