Bitdefender був визнаний Strong Performer в Forrester Wave Endpoint Detection and Response Providers, Q2 2022

CrowdStrike dominates in EDR while building its future in XDR and Zero Trust. CrowdStrike continues to demonstrate excellence in its EDR offering through a context-rich UI infused with high-quality, in-depth threat intelligence. Its strategy stays true to its DNA as an endpoint-first security tool while methodically expanding into XDR and embracing Zero Trust. Its roadmap follows this trend, continuing to prioritize feature enhancements in EDR, prevention capabilities, and an expansion to additional XDR capabilities around identity, data, and third-party ingestion. Reference customers spoke incredibly highly of the support they received through the technical account management program. The offering has characteristically strong coverage for Windows and coverage for the most popular versions of Mac and distributions of Linux. It provides detailed threat intelligence within the investigation as well as more in-depth, threat group-specific reports. All telemetry is mapped to MITRE ATT&CK. The offering has a native sandboxing feature, remote shell capabilities, custom scripting, and a built-in automation feature to generate playbooks. Threat hunters can search by type or through raw data, and search results are also contextualized with threat intelligence. Hunters can create real-time detection rules and scheduled queries based on a hunt. However, the offering provides seven days of data retention by default, less than many in this evaluation, and as such customer references suggest exporting telemetry to another source for longer retention needs. CrowdStrike is best suited for those that want a powerful EDR tool with a plethora of high-quality threat intelligence seamlessly integrated into the offering. It is also a good fit for security teams looking to outsource some capabilities through managed services.

Microsoft has made itself a powerhouse in security innovation and EDR. In 2021, Microsoft committed $20 billion over five years to deliver more-advanced security tools, upping the ante from its $1 billion per year spend on cybersecurity since 2015. Beyond the dollar signs, Microsoft has a vision to protect all endpoints through a combination of prevention, detection, and autoremediation. Reference customers highlighted this investment as a key reason they chose to work with the vendor, despite early industry perception in IT. It has also altered its pricing structure to add flexibility, offering standalone pricing per endpoint or license-based pricing. Its roadmap includes continued progress on Linux and Mac feature capabilities, IT and security collaboration, and XDR capabilities. Microsoft has on par coverage of Windows versions, Mac, and Linux distributions compared to other vendors in his evaluation. The offering has a variety of helpful features for investigation such as autogenerated human-readable detection names and a replay of the attack story to see exactly what happened in the attack and in what order. All telemetry is aligned to MITRE ATT&CK. It provides a native sandbox feature, response recommendations, remote shell capabilities, and custom scripting. Threat hunters can search telemetry by type or search raw telemetry for 30 days by default. They can schedule queries but cannot create custom detection rules based on a hunt. Microsoft is best suited for those with a large Windows deployment or those moving to an E5 license.

Trend Micro innovates far beyond its public perception and wins on customer support. Trend Micro focuses its offering on a cycle of attack surface discovery, risk assessment, and security application. Reference customers highlight its fast pace of innovation, a stark contrast from public recognition. Planned enhancements include attack surface risk assessment, broader response actions and guidance, and third-party integrations. Reference customers highlight the interoperability between different parts of the portfolio as a key differentiator, and it aligns this interoperability to its pricing model by pricing based on credits that can be applied to any of the offerings in the portfolio. Trend Micro provides differentiated coverage of Windows versions, Mac, and Linux distributions compared to others in this evaluation. Detections are labeled with dynamic descriptions of the attack. All aspects of the investigation are color-coded according to risk levels for faster investigation, and all telemetry is tagged with the appliable MITRE ATT&CK techniques. The offering does not provide orchestration of response across multiple endpoints, but does provide a native sandboxing feature, remote shell, and custom scripting. Threat hunters can search by type or by raw data and schedule queries accordingly but cannot create custom detection rules. All telemetry is retained for 30 days by default. Reference customers noted that compliance reporting remains a limitation. Trend Micro is best suited for security teams that want to focus on detection and response while keeping detection engineering and reporting separated in the SIEM.

Elastic is applying SIEM values to EDR capabilities but lags in response. Elastic envisions security as a data problem and prioritizes features that enable customers to use that data as they see fit. The endpoint agent acts as a collector and is now entirely incorporated into the Elastic SIEM. The free tier of the offering includes many core features such as the endpoint agent. Elastic uses a consumption-based pricing model, applying a cloud computing mindset to EDR product pricing. It has nurtured an online community so that security teams can crowdsource expertise, which customer references find valuable. Its roadmap looks to expand third-party ingestion capabilities, response actions, and workflows, and it prioritizes new ideas by dedicating a week of R&D every two months to focused innovation. The offering supports slightly fewer OS versions on Windows servers and Linux than most in this evaluation, but is on par for Mac coverage. Telemetry collection is customizable down to event collection. The data the offering provides for investigation isn’t as contextually rich as others, and detections are tagged with MITRE ATT&CK techniques, but not all telemetry. The offering does not have a native sandbox feature, orchestration of response across multiple endpoints, or remote shell capabilities, which are big limitations on response for an EDR offering. Threat hunters can search data and visualize it with graphs and charts, and can also schedule queries. Reference customers mentioned difficulty with custom integrations. Elastic is best suited for security teams with a depth of knowledge that want a flexible offering with features of SIEM and EDR.

SentinelOne needs to align its vision and strategy to the strengths of its offering. SentinelOne is often called “the new kid on the block” due to its recent IPO and unique implementations of automation. Its vision is to secure work, though planned capabilities and features are not explicitly linked to this. Instead, its roadmap is focused on unifying DataSet (formerly Scalyr) into the offering, moving to XDR, and improving endpoint security capabilities. SentinelOne is frequently mentioned by its IR partners for its Remote Script Orchestration feature and automation capabilities. The offering has on-par coverage of Windows versions, Mac, and Linux distributions compared to others in this evaluation. All telemetry is mapped to applicable MITRE ATT&CK techniques. Its Storyline feature provides some context about the attack, but integrations with third-party marketplace apps do not give immersive context in the alert and instead provide links and comments in the notes feature. There is no native sandboxing capability; however, it provides written response recommendations and orchestration of response actions across multiple endpoints. Its Remote Script Orchestration feature can apply response actions across endpoints in an orchestrated fashion and allows for custom scripting. Threat hunters can search across all telemetry, which is retained for 14 days by default, less than most vendors in this evaluation. They can also create custom detections based on a threat hunt. Reference customers highlighted the ease of deployment and management of the offering. SentinelOne is best suited for mid- to advanced-maturity security teams that want to leverage unique automation capabilities.

Bitdefender focuses on resilience but lacks the integrations of a mature offering. Bitdefender has long been the behind-the-scenes, reliable endpoint security technology leveraged by many leading security products on the market. It is one of the most used, yet surprisingly least considered, EDRs for security team RFPs. It focuses its R&D weight behind features that methodically improve its offering without getting ahead of its skis, with a particular focus on asset visibility, risk scoring, and automation for prevention, detection, and response. The Bitdefender offering is straightforward and reliable. It supports a wide array of OS versions and distributions across Windows, Mac, and Linux, more than most in this evaluation. The user interface is logical and clean, combines individual alerts into related incidents, and provides helpful context and color coding within an incident. The offering maps all telemetry to MITRE ATT&CK. It also provides a native sandbox feature and remote shell capabilities, though it does not provide orchestration of response actions across multiple endpoints or custom scripting. Threat hunters can search over all collected telemetry, which is retained for seven days by default, and can create custom detection rules. Reference customers lauded its support and product teams, as well as the partnership it brings to the table. However, they noted that its integrations with third-party SIEMs, SOARs, and other tools are limited, making it difficult to use in a larger ecosystem of interconnected offerings. Bitdefender is best suited for small and early- to mid-maturity security teams that want a robust, effective EDR tool.

Palo Alto Networks has built a robust offering with a steep learning curve. With XDR as its North Star, Palo Alto has catapulted the capabilities of its EDR offering over the past two years. It has successfully energized its product team, with customer references praising Palo Alto’s engagement with them, especially its willingness to develop specialized product features to address industry- and customer-specific use cases. Its roadmap is focused on three core initiatives: improving endpoint management, providing additional security content, and simplifying ease of use. Its pricing model is aggressive, and customer references recommend negotiating and bundling the offering with other Palo Alto Networks products to get to a competitive price point. The offering has average coverage for Windows versions, Mac, and Linux distributions compared to others in this evaluation. The user interface is busy and built for those with experience, with alerts that contain a plethora of related information, though the information is not closely tailored to what is most important for investigation. All telemetry is tagged with the applicable MITRE ATT&CK techniques. The offering provides orchestration of response across multiple endpoints and has a native sandbox feature through an integration with Wildfire, remote shell capabilities, and custom scripting. Threat hunters can search over all data, which is retained for 30 days by default, and can create scheduled queries and custom detection rules. Palo Alto Networks is best suited to advanced security teams looking to buy into the existing Palo Alto Networks stack.

VMware Carbon Black is ubiquitous but struggles to match top competitor’s innovation. VMware Carbon Black is best known for its predominant use by MDR and IR services providers. However, that seems to be changing as more services providers broaden their support for other EDR vendor offerings with unique automation features and licensing options. VMware’s short- and long-term focus is on transitioning to XDR by introducing new data sources to the offering and supporting third-party partners. While these enhancements will further the XDR offering, it leaves gaps in the EDR offering that must be filled to stay competitive. Reference customers noted the value of the Carbon Black community for idea sharing between customers. The offering has excellent coverage of a variety of Windows versions, Mac, and Linux distributions, though customer references stressed limitations on legacy OSes with the SaaS offering. The offering can correlate related detections into incident alerts, which show a process tree with limited context. There is no native sandbox feature or orchestration of response across multiple endpoints, though it has a remote shell capability without custom scripting. Threat hunters can search endpoint data using regex and can save searches as scheduled queries or as custom rules. Telemetry is retained for 30 days by default. Reference customers noted that the offering does not currently support SSO and MFA active at the same time and that reporting is not available in the offering. VMware Carbon Black is best suited for mid- to advanced maturity-security teams with dedicated staff for tuning and platform management.

Sophos has a powerful vision but must make strides in UX to fulfill it. Sophos is known for protecting midsize organizations over 1,000 employees. It has a unique vision of supporting analysts to do more than they are trained for, but its planned enhancements skip over filling critical gaps in its offering. Its roadmap is focused on mapping to MITRE ATT&CK, guiding investigation and response, improving ML models, and XDR. Reference customers noted that it may not be a good fit for teams that want to integrate with third parties. Coverage for Windows, Mac, and Linux is below average compared to others in this evaluation. The offering gives basic context for investigation alongside a threat graph, which becomes complex and difficult to parse as more detections and events are incorporated. The offering does not have a native sandbox feature or orchestration of response actions across multiple endpoints, though it does provide written response recommendations and remote shell capabilities without custom scripting. Threat hunters can search by type, though customer references mentioned queries can take a long time to execute and time out after 15 minutes. Threat hunters can define scheduled queries based off a threat hunt, and all telemetry is retained for 30 days by default. Sophos is best suited for low- to mid-maturity organizations with small IT teams that don’t necessarily have dedicated security staff.

Cybereason is prioritizing its broader portfolio over EDR advancements. Cybereason has been a pure-play endpoint vendor since its inception in 2012, yet showcased a vision and planned enhancements that decouple its most well-known product from its core company strategy. Its future strategy is focused on its go-to-market and technology partnership with Google Chronicle: delivering its XDR offering and leaning into security analytics. Planned enhancements continue this trend, focusing on XDR detections, integrations, and the launch of new offerings over new features in EDR. The offering has similar coverage for Windows versions, Mac, and Linux distributions as others in this evaluation. Related alerts are correlated into incident alerts, and customer references highlighted that the user interface is intuitive. However, it does not provide the same depth of threat intelligence and greater context about the attack that others in this evaluation were able to. The offering can orchestrate response actions across endpoints and provides a restricted and unrestricted remote shell capability but does not include a native sandbox feature. Threat hunters can search telemetry solely by type (process, IP, MITRE ATT&CK technique, etc.), and telemetry is retained for 30 days by default. It allows for turning threat hunt queries into real-time custom detections. Cybereason is a good fit for organizations that are early adopters of new technology or those that want to operationalize Google Chronicle.

The FireEye brand is being retired, leaving customers in a state of limbo. What was once a titan of the security industry and the first cybersecurity vendor to be certified by the DHS is now a portfolio vendor whose products and features are being split apart and recombined to form a new organization, Trellix. As of January 18, 2022, the FireEye and McAfee Enterprise brands were relaunched as Trellix, and the two brands are reportedly set to retire. Though much of the company’s strategy remains in question, it will be streamlining its portfolio over the next several months and intends to focus on XDR capabilities. For the time being, it remains unclear how this will affect the FireEye customer base. FireEye’s OS support is on par with other vendors in this evaluation. Alerts are per endpoint and are not correlated with other related alerts. The offering tags all alerts and endpoint metadata with MITRE ATT&CK techniques. The offering provides limited context within each alert, and no native sandbox feature is available in the offering. The offering does not provide orchestration of response across multiple endpoints, but there is a remote shell capability. Threat hunters can create custom rules based on queries. FireEye is best suited for security teams currently invested in FireEye Helix, or those interested in the future of Trellix. FireEye declined to participate in the full Forrester Wave evaluation process; this assessment is based on publicly available information.

McAfee Enterprise is split in two, leaving the EDR product’s future unknown. McAfee Enterprise, once the most well-known security brand in the world, was acquired by STG in July 2021 and is now being decoupled into two business units. One is expected to be the McAfee Enterprise Secure Service Edge (SSE) portfolio, while the rest of the McAfee portfolio is undergoing a rebranding. As of January 18, 2022, the FireEye and McAfee Enterprise brands were relaunched as Trellix, and the two brands are reportedly set to retire. The fate of McAfee’s EDR offering remains in question, as the new company’s direction will be focused on the XDR market. Related detections can be correlated together into incident alerts. The user interface is busy and provides an arguably excessive amount of data to the end user during an investigation, complicating the incident response process. This includes multiple different ways of viewing the data, data tagged with MITRE ATT&CK techniques, and a breakdown of questions and answers the product identifies as relevant. The offering provides a native sandbox feature capabilities and remote shell capabilities, though it does not include orchestration of response across multiple endpoints. Threat hunters can define custom rules. McAfee is best suited for security teams currently invested in the McAfee portfolio, or those interested in the future of Trellix. McAfee declined to participate in the full Forrester Wave evaluation process; this assessment is based on publicly available information.

BlackBerry follows its DNA in prevention and makes up for product gaps with services. BlackBerry acquired Cylance in 2019, and much of its strategy since follows these roots with a prevention-first mindset. It has designed the offering to operate with minimal interaction from the end user, which is a strong strategy for a prevention product, but for an offering that necessitates end user interaction like EDR, it falls short. BlackBerry’s strategy looks to make up for this by partnering with Exabeam to deliver fully managed XDR. However, it will be an uphill battle given the state of the offering and that its service offering is not well-known in an already crowded market. Its roadmap includes endpoint sensor enhancements and XDR capabilities. The offering has broad support for Windows versions and Mac but does not provide on-par coverage for Linux. BlackBerry detects solely on the endpoint, which limits the context the offering can provide, and only detections are tagged with MITRE ATT&CK, not all telemetry. It requires significant manual effort to correlate alerts, investigate, and resolve an attack. It has automated response actions, remote shell, and custom scripting, but does not have a native sandbox feature or orchestration of response across multiple endpoints. Threat hunters can search based on types (IP, hash, etc.) and can define custom detection rules based on queries. All telemetry is retained for 30 days by default. Reference customers noted that the offering needed constant tuning and took longer to complete initial tuning than expected. They also recommended escalating beyond tier 1 support for the most effective customer service. BlackBerry Cylance is best suited for security teams with a prevention-first mindset looking to spend less time in their EDR tool.

Fortinet leverages its Security Fabric to address shortcomings in its EDR offering. Fortinet acquired enSilo in 2019, renaming it FortiEDR shortly after and incorporating it into the Fortinet Security Fabric. Fortinet struggles to align its capabilities because of a lack of a vision. Its roadmap is focused on its Security Fabric and building out its XDR capabilities despite major holes in its EDR offering. However, reference customers mentioned that the roadmap is tentative and is frequently changed, with items removed. Fortinet works closely with MSSPs to deliver its offering, and customer references highlight the offering is more cost-effective than others on the market. The offering has above-average coverage for various Windows server versions, with average coverage for different Linux distributions and Mac. Alerts provide basic information such as an event graph and what caused the detection, but lacks context about the attack. Users manually correlate related detections, requiring effort to fully investigate and resolve an attack. The offering does not include a native sandbox feature without a separate subscription to FortiSandbox, and it does not provide response recommendations or remote shell. It provides orchestration of response across multiple endpoints through a playbook feature outside of the alert. Threat hunters can search by type (process, IP, etc.), and telemetry is retained for 30 days by default. Threat hunters can create scheduled queries based off threat hunts, but not custom detection rules. Fortinet is best suited for those looking for broad coverage of Windows server versions or those invested in the Fortinet Security Fabric.

Check Point uses its portfolio to differentiate an offering that is otherwise outmatched. Check Point Software Technologies is known for the breadth of its portfolio, with tools covering network, cloud, user, and access. Reference customers chose the offering because of its portfolio approach; however, compared to others in this evaluation, including portfolio vendors, its EDR capabilities are lacking. Its roadmap and strategy are not focused on improvements to its endpoint technology, but instead to expanding the reach of its technology, shifting EDR to XDR, attack surface management capabilities, and improving the deployment process. Its vision lacks detail and focus on client needs. Reference customers valued the integrated portfolio to consolidate tooling, as Check Point provides table stakes endpoint security capabilities in addition to VPN connectivity in one client. However, the offering does not support the same depth of OS coverage as others in this evaluation, with limited support for Windows versions and Linux distributions and on-par coverage for Mac. It maps detections to MITRE ATT&CK, and to investigate alerts further, a report must be generated. The layout of investigation and response capabilities — including a native sandbox feature — requires manual effort to identify, scope, and coordinate activities, which is far more complex and time-consuming than most in this evaluation. Threat hunters can search by type (process, IP, etc.) and can schedule queries, but cannot generate custom detection rules. All telemetry is retained for seven days by default. A reference customer also highlighted challenges with customer support and performance issues with the agent. The offering does not have XDR capabilities generally available currently. Check Point is best suited for security teams currently using other products within the Check Point portfolio.