Top 8 Endpoint Protection for Business (EPP) Tools

The eight products covered, each with a representative reviewer quote (updated: September 2021):

1. CrowdStrike Falcon
   "As long as the machine is connected to the Internet and CrowdStrike is running, it will be on and we will have visibility; no VPNing in or making some type of network connection. CrowdStrike is always there and running in the background; for us, that is big. We wanted something that could give us data as long as the machines are connected to the Internet and be almost invisible to the employees."
2. SentinelOne
   "Our clients have been able to survive a ransomware attack without even knowing that they had had files encrypted and automatically rolled back; even their Point of Sale (POS) system did not miss a beat and the business continued as normal without interruption."
3. Cisco Secure Endpoint
   "It is extensive in terms of providing visibility and insights into threats. It allows for research into a threat, and you can chart your progress on how you're resolving it."
4. Symantec End-User Endpoint Security
   "It seems to be user-friendly. Our users seem to like it for the most part. The solution's main features are patch management and security."
5. Microsoft Defender for Endpoint
   "Defender has very little impact on the end-user and the agent works quite well with a minimal impact on the client and server. We like that it has a free version available."
6. Sophos Intercept X
   "The solution is easy to install. The most valuable feature of the solution is that it is less hash-based than competitors."
7. Carbon Black CB Defense
   "The initial setup is very easy. The visibility provided has been great."
8. Cortex XDR by Palo Alto Networks
   "Its ability to react to cyber data attacks is awesome. That is pretty much the use of it. What blows your mind is the ability to access your assets remotely and see what is actually going on with them. You can not only see them in a console. You can also react very rapidly to your assets that are compromised."

Advice From The Community

Read answers to top Endpoint Protection for Business (EPP) questions.
What is the best for ransomware infection? 
Alex Vakulov

Install all security updates, create an incident response plan, use whitelisting to the maximum.

Kirk Stephen

Look at the ACSC Essential Eight. If you can implement all of these then you will be highly unlikely to get hit by ransomware.

Jairo Willian Pereira (Real User)

Proactive: Patch Management Program, Continuous Vulnerability Scanner (search and fix), Monitoring by SOC/NOC or other security tools (like HIDS or NIDS components).
Reactive: Incident Management Plans categorized and specific by type, BCP (complete Business Continuity Plan, not only Disaster Recovery Plans) and, mainly, verified backup tapes/media (if possible, stored outside the company, with continuous restore tests).
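
A small drill for the "verified backups with continuous restore tests" point in the answer above, added here as an illustration and not code from the poster or any backup product: back up a constructed data set, record a SHA-256 manifest, restore into a scratch directory and check every file, then damage the archive to show that a backup which restores without error can still be wrong. The file names, contents and the corruption step are all constructed for the example.

```python
"""Verified-backup drill: back up, restore into a scratch directory and prove every
restored file matches a SHA-256 manifest taken at backup time.

Added example for this thread, not code from the poster or any backup product. The
sample files, paths and the deliberate corruption step are constructed so it runs offline.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path

SAMPLE_FILES = {  # constructed stand-in for business data
    "docs/q3-report.txt": b"quarterly report\n",
    "pos/sales.csv": b"date,total\n2021-09-30,1200\n",
}


def write_sample_data(root: Path) -> None:
    for rel, content in SAMPLE_FILES.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def take_backup(src: Path, archive: Path) -> dict:
    """Write the archive and return the manifest {relative path: sha256}.
    Keep the manifest apart from the archive (with the off-site copy, ideally) so a
    damaged archive cannot vouch for itself."""
    manifest = {}
    with tarfile.open(str(archive), "w") as tar:
        for path in sorted(p for p in src.rglob("*") if p.is_file()):
            rel = path.relative_to(src).as_posix()
            manifest[rel] = sha256_of(path)
            tar.add(str(path), arcname=rel)
    return manifest


def verify_restore(archive: Path, manifest: dict) -> list:
    """Restore into a throwaway directory and return the list of problems (empty = OK).
    Extraction succeeding is not the test; the per-file hash comparison is."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch_dir:
        scratch = Path(scratch_dir)
        try:
            with tarfile.open(str(archive), "r") as tar:
                # Use the hardened 'data' extraction filter where this Python has it.
                kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
                tar.extractall(str(scratch), **kwargs)
        except tarfile.TarError as exc:
            return [f"archive unreadable: {exc}"]
        for rel, expected in manifest.items():
            restored = scratch / rel
            if not restored.is_file():
                problems.append(f"missing: {rel}")
            elif sha256_of(restored) != expected:
                problems.append(f"hash mismatch: {rel}")
    return problems


def corrupt_archive(archive: Path, marker: bytes = b"quarterly") -> None:
    """Simulate media damage by overwriting bytes inside one file's data block.
    tar carries no content checksum, so the archive still extracts without error."""
    data = bytearray(archive.read_bytes())
    offset = data.find(marker)
    if offset < 0:
        raise ValueError("marker not found in archive")
    data[offset:offset + len(marker)] = b"X" * len(marker)
    archive.write_bytes(bytes(data))


def run_drill() -> tuple:
    """Return (problems with the clean archive, problems with the damaged archive)."""
    with tempfile.TemporaryDirectory() as tmp_dir:
        tmp = Path(tmp_dir)
        src, archive = tmp / "data", tmp / "backup.tar"
        write_sample_data(src)
        manifest = take_backup(src, archive)
        clean = verify_restore(archive, manifest)
        corrupt_archive(archive)
        damaged = verify_restore(archive, manifest)
    return clean, damaged


if __name__ == "__main__":
    clean, damaged = run_drill()
    print("clean archive:", clean or "OK")
    print("damaged archive:", damaged)
```

The drill is cheap enough to schedule against real media: a backup that has never been restored and compared is an assumption, not a control, and the damaged-archive case shows why "tar extracted fine" is not enough.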

Nadeem Syed (Real User)

There are different solutions for ransomware these days. The best I have found is Trend Micro endpoint protection for end users, since it has a feature of stopping the attack, or, as soon as it sees changes in files, it starts making a backup copy of them, so even if you get infected by ransomware you still have a good chance to recover your data.

Siddharth Narayanan (XYZ)

IPS & Blocking unwanted extensions at gateway level.
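
The "blocking unwanted extensions at gateway level" point above, worked out as an added example (not code from the poster or any gateway product): a verdict function over attachment file names that handles the cases a naive suffix check misses. The blocklist, the archive list and the sample names are assumptions made for the example; tune them to the environment.

```python
"""Gateway attachment policy: block by file extension, including the cases a naive
'ends with .exe' check misses. Added example for this thread, not code from the poster
or any gateway product; the lists and sample names below are constructed."""
import re
import unicodedata

BLOCKED_EXTENSIONS = {
    "exe", "scr", "com", "pif", "bat", "cmd", "ps1", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "msi", "dll", "lnk", "iso", "img",
}
# Containers the gateway cannot judge without unpacking them.
ARCHIVE_EXTENSIONS = {"zip", "rar", "7z", "cab", "tar", "gz", "tgz", "bz2", "xz"}
# Unicode bidi controls (U+202E and friends) reverse the displayed name, so
# "photo" + U+202E + "gnp.scr" renders as "photorcs.png". No legitimate name needs them.
BIDI_CONTROLS = re.compile(r"[\u202A-\u202E\u2066-\u2069]")


def _normalize(filename: str) -> str:
    """Basename only, compatibility characters folded (fullwidth look-alikes),
    trailing dots and spaces dropped (Windows drops them on save), case folded."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    name = unicodedata.normalize("NFKC", name)
    return name.rstrip(". ").lower()


def attachment_verdict(filename: str) -> tuple:
    """Return (action, reason) with action one of 'block', 'inspect', 'allow'."""
    if BIDI_CONTROLS.search(filename):
        return "block", "bidi control character in filename"
    name = _normalize(filename)
    parts = name.split(".")
    if len(parts) < 2:
        return "inspect", "no extension"
    exts = parts[1:]
    final = exts[-1]
    if final in BLOCKED_EXTENSIONS:
        if len(exts) > 1:  # double extension such as invoice.pdf.exe
            return "block", f"blocked extension .{final} behind .{exts[-2]}"
        return "block", f"blocked extension .{final}"
    if final in ARCHIVE_EXTENSIONS:
        return "inspect", f"archive .{final}: unpack and re-check contents"
    return "allow", f".{final} not on blocklist"


def apply_policy(filenames: list) -> dict:
    """Group file names by action, for a log line or a quarantine decision."""
    grouped = {"block": [], "inspect": [], "allow": []}
    for name in filenames:
        action, reason = attachment_verdict(name)
        grouped[action].append((name, reason))
    return grouped


# Constructed sample names covering each branch above.
SAMPLE_NAMES = [
    "report.pdf",
    "invoice.pdf.exe",
    "Setup.EXE.",
    "photo\u202Egnp.scr",
    "attachments.zip",
    "README",
    "C:\\Users\\bob\\run.bat",
]

if __name__ == "__main__":
    for action, items in apply_policy(SAMPLE_NAMES).items():
        for name, reason in items:
            print(f"{action:7} {name!r}: {reason}")
```

Extension matching on its own is bypassed by renamed files and password-protected archives, which is why the policy routes archives to inspection rather than allowing them; pair it with content-type detection and the IPS the answer mentions.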

Vincenzo Mazzara

First - Use Trend Micro

Second - Apply a backup system similar to Apple's Time Machine.

Nurit Sherman
Hi community, we all know that it's important to conduct a trial and/or proof-of-concept as part of the buying process. Do you have any advice for your peers about the best way to conduct a trial/POC? How do you conduct a trial effectively? Are there any mistakes to avoid?
James Kiely

Ensure you have a defined set of outcomes. Communicate these expectations to the VAR/vendor to ensure they can address all criteria and review results. (Example: EPP should not utilize more than 2% CPU.)

Things to think about when forming the outcomes: 

Why are we looking at this solution? 

What have they previously claimed in conversations? 

What impacts will it have on the production environment? 

How does this align with company goals? 

Many solutions can be turned into production once the POC/POV has concluded and licenses purchased. This may allow cost savings in professional services. A good discussion to have when deciding the scope of the POC/POV.

Jairo Willian Pereira (Real User)

1. Choosing only by using a Gartner Magic Quadrant.
2. Don't consider cross-platforms, like Linux variants and mobile.
3. Evaluate the cost of each module and TCO.

1. Test against pieces of real artifacts.
2. Consider geographic and political issues (including support/language).
3. Prefer virtualized (and controlled) installations/images/tests.
4. Evaluate exit/disruption capability with supplier.
5. Cross testing (scripts from supplier-A against supplier-B and vice-versa).

ITSecuri7cfd (IT Security Coordinator at a healthcare company with 10,001+ employees, Real User)

Once you have narrowed down the top 5 picks for a capability/solution, we typically look at the last few things that make products stand out from the competition.

1 - cost, 2 - ease of deployment (need professional services?), 3 - support or training, if all other features of the products are similar, of course. That usually narrows it down to 2 or 3 vendors at most to choose from.

We then work with our VAR to help coordinate a POC for us, anywhere from 30-90 days depending on the vendor/product.

Our architect sets a requirements doc for the POC to see how each vendor performs: stops viruses, test remote healing, replication, client management features, failover testing when things go bad, etc.

Once the requirements are completely charted as either success or failure in the checklist, we then review how those top 2 or 3 vendors performed and score them accordingly. If they do well and the price point is right, we typically start working on an SOW and agreement with the vendor and get a quote to purchase from there.

It normally works out OK. Sometimes products change over the course of time or support gets worse, but this general method works for the US.

Norman Freitag

Well, these are pretty good points with a vast variety of options and hints.

Please think of creating success criteria out of these points and let the vendors agree to them.

And if you have a lot of criteria you should sort them into an A, B, C classification (from "must" to "nice-to-have").

You can use marks (or scores) to narrow down and make different solutions more comparable.

Best Regards,
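
The success-criteria approach in the two answers above (James Kiely's measurable outcomes such as an agent CPU ceiling, and Norman Freitag's A/B/C classes with scores), as an added example that is not code from either poster: A-class criteria are pass/fail gates, B and C criteria carry weights, and every vendor is scored from the same sheet. The criteria, weights, thresholds and vendor measurements are constructed for illustration.

```python
"""POC scorecard: A-class ('must') criteria are pass/fail gates, B and C criteria carry
weights, and every vendor is scored against the same sheet.

Added example for this thread, not a poster's or vendor's data. Criteria, weights,
thresholds and the measurements below are constructed. Thresholds are written as
checks on measured numbers so the VAR/vendor can agree to them before the POC starts
(e.g. 'agent CPU at idle <= 2%')."""

WEIGHTS = {"A": None, "B": 3, "C": 1}   # A = must (gate), B = should, C = nice-to-have

# Criterion name -> (class, check that maps a measured value to pass/fail).
CRITERIA = {
    "idle_cpu_pct":       ("A", lambda v: v <= 2.0),
    "blocks_ransomware":  ("A", lambda v: v is True),
    "linux_agent":        ("B", lambda v: v is True),
    "remote_remediation": ("B", lambda v: v is True),
    "install_minutes":    ("C", lambda v: v <= 30),
    "offline_protection": ("C", lambda v: v is True),
}


def score_vendor(results: dict) -> dict:
    """results maps criterion -> measured value. Returns gate status, score and failures.
    A missing measurement counts as a failure: 'we did not test it' is not a pass."""
    failed = []
    score = 0
    max_score = 0
    for name, (cls, check) in CRITERIA.items():
        passed = name in results and bool(check(results[name]))
        if cls == "A":
            if not passed:
                failed.append(name)
            continue
        max_score += WEIGHTS[cls]
        if passed:
            score += WEIGHTS[cls]
        else:
            failed.append(name)
    gate_failures = [f for f in failed if CRITERIA[f][0] == "A"]
    return {
        "qualified": not gate_failures,
        "score": score,
        "max_score": max_score,
        "failed": failed,
    }


def rank_vendors(poc_results: dict) -> list:
    """Rank only vendors that passed every A criterion, best score first, ties by name."""
    rows = [(vendor, score_vendor(r)) for vendor, r in poc_results.items()]
    qualified = [(v, s) for v, s in rows if s["qualified"]]
    return sorted(qualified, key=lambda vs: (-vs[1]["score"], vs[0]))


# Constructed POC measurements for three hypothetical vendors.
POC_RESULTS = {
    "Vendor-A": {"idle_cpu_pct": 1.2, "blocks_ransomware": True, "linux_agent": True,
                 "remote_remediation": True, "install_minutes": 45, "offline_protection": True},
    "Vendor-B": {"idle_cpu_pct": 0.8, "blocks_ransomware": True, "linux_agent": False,
                 "remote_remediation": True, "install_minutes": 15, "offline_protection": True},
    "Vendor-C": {"idle_cpu_pct": 3.5, "blocks_ransomware": True, "linux_agent": True,
                 "remote_remediation": True, "install_minutes": 10, "offline_protection": True},
}

if __name__ == "__main__":
    for vendor, s in rank_vendors(POC_RESULTS):
        print(vendor, s["score"], "/", s["max_score"], "failed:", s["failed"])
    for vendor, r in POC_RESULTS.items():
        s = score_vendor(r)
        if not s["qualified"]:
            print(vendor, "disqualified on must-have:", s["failed"])
```

Vendor-C has the best weighted score but breaches the 2% CPU gate, so it never reaches the ranking; a must-have that is averaged into a total instead of gating it is the mistake this structure prevents. Untested criteria fail rather than pass, so a vendor cannot improve its score by leaving a test out of scope.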

John Johny Restrepo Hernández

Hello, the best way to carry out a proof-of-concept is to implement an environment that is as close to production as possible, with at least a few users from every kind of company profile, for example financial, marketing, human resources, legal, technology, etc., and to define the expected features at the functional and response level of the Endpoint Protection Platform (EPP) solution.

Now, for the tests, you must also consider technical aspects such as: implementation, performance, response to conventional and advanced threats, whether it has artificial intelligence, and whether you can add an Endpoint Detection and Response (EDR) solution. It is highly recommended that the tests performed on the new solution also be run in the same laboratory against the current EPP solution, to confirm that it is working as expected.

The most important thing comes last: once both technical and functional tests have been done, the time has come to review costs. I intentionally left it last. If the new EPP + EDR solution meets everything expected, the cost should not be the first factor to evaluate. It is important to have a new solution, but one that can integrate more security solutions, such as identity, device and information management, to consolidate solutions.

ABHILASH TH

A few points to add:

- Test the capability and effectiveness provided by the endpoint security solution compared to the one they are already running.
- The complexity of the migration.
- The implementation impact on the business.
- Efficacy of this solution in the long term.
- Local support and vendor support.
- How easy it is to arrange the POC, without complicated formalities and commitment.
- Limitations of the trial license. For example, the CrowdStrike Falcon POV is the full product, without any restrictions and user/usage limitations.
- How easy it is to navigate the required feature on a daily basis without external support.
- Flexibility from the channel partner and OEM.

Jayandra Wickramasinghe

Before you do an endpoint evaluation, I think you should identify the proper requirements and features that you require. Also you have to consider future security implementation, if there is any, because sometimes we focus only on antivirus and later may need some additional features such as DLP, encryption, web and app filtering.
1st step - Select a few antivirus products and do a feature comparison from a technical point of view, and get an idea about the features currently available in the market.
2nd step - Considering those features, select which are more suitable for your environment; always consider the latest advanced features rather than looking only for common traditional AV features.
3rd step - Select the one or two best products that will suit your environment, get proper evaluation licenses from the experts and do the evaluation.
Consider the:
1. PC performance
2. How easy it is to use
3. Product rating
4. Malware detection rates (NSS Labs, IDC, Gartner, etc.)
5. Implementation structure and architecture
6. Protection for malware and non-malware attacks
Recommended products
Next Generation AV
• Carbon Black
• CrowdStrike
Common AV solutions
• McAfee
• Kaspersky
• Trend Micro
• Symantec

Eric Rise (Real User)

Consult with several VARs with any product being looked at. If possible work directly with the vendor of the product to avoid the VAR pressing you in any one direction. The product vendor can then point you to the proper/ best fit VAR offering the best price for the product as this will vary based on VAR choice.
Provide the VAR with a list of what things you need and then things you might want in a product.
Have a set of hardware and users that will be the test group for your product(s) being tested then have a proper plan in place to document every step all the way through to end result for each and every product being tested.
Apples to apples as close as possible for all products to make a decision. It's not always about price either, expensive solutions hurt one time, cheap ones will hurt for a long long time.
Don't be afraid to contact the vendor either if you're not happy with a price or a VARs service... that vendor will or should always be happy to accommodate your request as a customer/ possible lead to become one.
All other suggestions above here are all valid as well.

There are many cybersecurity tools available, but some aren't doing the job that they should be doing.  What are some of the threats that may be associated with using 'fake' cybersecurity tools? What can people do to ensure that they're using a tool that actually does what it says it does?
SimonClark (Real User)

Dan Doggendorf gave sound advice.

Whilst some of the free or cheap platforms will provide valuable information and protection, your security strategy has to be layered. Understand what you want to protect and from whom. At some point you will need to spend money but how do you know where to spend it? There are over 5,000 security vendors to choose from.

There is no silver bullet and throwing money at it won’t necessarily fix what you are at risk from but at the same time free products are free for a reason.

If your organisation doesn’t have a large team of security experts to research the market and build labs then you need to get outside advice. Good Cyber-advisors will understand your business and network architecture therefore will ask the right questions to help you to navigate the plethora of vendors and find the ones that are right for where your business is now and where you intend it to be in the future.

Large IT resellers will sell you what they have in their catalogues based on what you ask for and give a healthy discount too but that may not fix the specific risks your business is vulnerable to. A consultative approach is required for such critical decisions.

By the way, there are free security products and services that I recommend.

Danny Miller

Tools are not necessarily bogus. Sometimes they are just 'legacy' tools that have been around for too long and no longer fit the problem they were designed to solve, simply because IT infrastructure, organizational needs, and cybersecurity threat complexity have evolved. 

Doctor Mafuwafuwane (Altron Systems Integration, Real User)

Open source or free products need proper management. Based on my experience I have found that many people who use open source don't bother to patch it, and attackers then utilize such loopholes.

One great example: one client was using a free vulnerability management plus IP scanner tool, and they got hit with ransomware. During the investigation I realised the attacker had utilized the same tool to affect other devices on the network. The attack took its time, at least 2 months unnoticed.

Basil Dange (Real User)

One should first have a detailed understanding of what he/she is looking to protect within the environment, as tools are specially designed as point solutions. A single tool will not be able to secure the complete environment, and you should not procure any solution without performing a POC within your environment,

as there is a possibility that a tool which works for your peer organisation does not work in the same way for yours, since each organisation has different components and workloads/use cases.

Javier Medina (Real User)

You should build a lab, try the tools and analyze the traffic and behavior with a traffic analyzer like Wireshark and any sandbox or EDR that shows you what the tools do, but all this should be outside your production environment. Use tools that have been released by the company provider and not third-party downloads or unknown or untrusted sources.

Curtis Yanko (Shiftleft)

I suppose it depends on just how 'bogus' they are. If they are truly 'bogus' then you are likely looking at a trojan. If, however, we are just talking about a 'bad' security tool then you are talking about trying to manage your security with bad or missing information.

reviewer1266459 (Network Security Engineer at a performing arts company with 201-500 employees, Real User)

Refrain from free products

Delete products and traces of product after evaluation

Always know what you want from the cybersecurity solution, so you can identify illegal operations of the products if they differ from their stipulated functions.

Work with recognised partners and solution providers

Download opensource from reputable sites

With remote work having become the norm for many, what security should businesses have in place? Do you have suggestions of specific products that businesses should look at?
Philippe Panardie (Real User)

There is not a single answer.

In our company, we use only company devices for workers at home, and appropriate VPN clients to control the internet flows towards our company firewall.

A behavioral endpoint product is recommended. This product is likely to cooperate with your corporate signature-based antivirus.

Any good product could be used in that way. We chose well-known Israeli products, combined with our standard US products, at that time.

Omer Mohammed (Real User)

Wearing a mask while accessing your service is not a joke: hardening tunneling protocols and using the most up-to-date one is kind of like wearing a mask.

Letsogile Baloi

Security is a multi-layered problem, and as always the human end is the weak layer.

Increasingly I believe the human layer (layer 8) needs more attention. This requires getting the basics right. How are we allowing external devices into our networks? Do we own these devices? VPN tunnels?

Or are we creating a virtual working place and focusing on IAM?

This is BYOD on steroids and multiplies the attack zone. A line has to be drawn and a Trust Zone created. Traditional devices have native encryption, so we allow them as trusted devices and use their native encryption. Then other policies are made. Does the employee have access to good internet (in Africa this is an issue) or do they have to go to a coffee shop or some such place? A good behavioral endpoint product will help. In some cases a company intranet. Microsoft Teams is proving very accessible in Africa.
