We just raised a $30M Series A: Read our story

Microsoft Defender for Endpoint Competitors and Alternatives

Get our free report covering CrowdStrike, Broadcom, Palo Alto Networks, and other competitors of Microsoft Defender for Endpoint. Updated: November 2021.
555,358 professionals have used our research since 2012.

Read reviews of Microsoft Defender for Endpoint competitors and alternatives

HB
Security Officer at a healthcare company with 51-200 employees
Real User
Top 10
Gives great network visibility by showing how a file interacts with other systems, devices, and files

Pros and Cons

  • "The visibility and insight this solution gives you into threats is pretty granular. It has constant monitoring. You can get onto the device trajectory to look at a threat, but you can also see what happened prior to the threat. You can see what happened after the threat. You can see what other applications were incorporated into the execution of the threat. For example, you have the event, but you see that the event was launched by Google Chrome, which was launched by something else. Then, after the event, something else was launched by whatever the threat was. Therefore, it gives you great detail, a timeline, and continuity of events leading up to whatever the incident is, and then, after. This helps you understand and nail down what the threat is and how to fix it."
  • "One of the best features of AMP is its cloud feature. It doesn't matter where the device is in regards to whether it's inside or outside of your network environment, especially right now when everybody's remote and taken their laptops home. You don't have to be VPNed into the environment for AMP to work. AMP will work anywhere in the world, as long as it has an Internet connection. You get protection and reporting with it. No matter where the device is, AMP has still got coverage on it and is protecting it. You still have the ability to manage and remediate things. The cloud feature is the magic bullet. This is what makes the solution a valuable tool as far as I'm concerned."
  • "The one challenge that I see is the use of multiple endpoint protection platforms. For instance, we have AMP, but we also have Microsoft Windows Defender, System Center Endpoint Protection, and Microsoft Malware Protection Engine deployed. So, we have a bunch of different things that do the same thing. What winds up happening is, e.g., if I get an alert for a potential incident or malware and want to pull the file, I'll go to fetch the file to analyze it. But, one of these other programs has already gotten it, so the file has already been quarantined by another endpoint protection system. AMP doesn't realize that and the file fetch fails, then you're left wondering what's going on."

What is our primary use case?

AMP for Endpoints has Endpoint Connectors, which are agents on the endpoints, providing security against malware and intrusion detection. It also provides intrusion prevention. We install the Connector on all the endpoints before they're deployed and also on our virtual desktop images. They provide constant monitoring and alerting on any events or potential threats to let us know when there is something going on that we can further investigate.

AMP intersects with a bunch of other Cisco tools, such as Threat Grid, Threat Response, and Talos Intelligence to identify threats, then automatically quarantine or remove them. It also gives you the ability to isolate endpoints to prevent further spread of any sort of malware, like a virus that might infect other machines.

How has it helped my organization?

The visibility and insight this solution gives you into threats is pretty granular. It has constant monitoring. You can get onto the device trajectory to look at a threat, but you can also see what happened prior to the threat. You can see what happened after the threat. You can see what other applications were incorporated into the execution of the threat. For example, you have the event, but you see that the event was launched by Google Chrome, which was launched by something else. Then, after the event, something else was launched by whatever the threat was. Therefore, it gives you great detail, a timeline, and continuity of events leading up to whatever the incident is, and then, after. This helps you understand and nail down what the threat is and how to fix it.

The solution’s actionable alerts in the security console are granular. They take you right to whatever the incident was so you can start investigating it. One thing that I have noticed lately, as we have spun up more tools associated with our Enterprise Agreement, is that AMP interfaces with all of them, then takes on some automated actions. One of the things that AMP allows you to do if there's an incident, it gives you an alert. This is because a threat was detected. You can click on the threat that's detected, then it takes you right to it in the timeline. Finally, you can pull/fetch the file and submit it for analysis. However, it will also do that automatically.

Cisco is standing up so much stuff right now. This solution interfaces with Talos Intelligence, Threat Grid, Threat Response, and SecureX. All of these things are integrating together and a lot of stuff is now starting to happen automatically, e.g., if a threat is detected, it is automatically interfacing with Talos Intelligence to figure out what that threat is and the hash value of whatever file that is. If it thinks it's suspicious, it automatically submits it to Threat Grid, which detonates the file in the sandbox, but also in the cloud, and returns a report saying whether the file, or whatever it is, is an actual threat/incident. Then, it remediates and quarantines it, and you find out about it later. It's doing a lot of stuff in the background as the integration with other tools increases.

Cisco Threat Response accelerates security operation functions. It gives you great visibility into your network. You start with a hash value, and you can search for that hash value within your environment by just dropping it into Threat Response. Then, it'll show you how that file has interacted with other files, systems, and devices. It gives you immediate visibility with a chart that shows you where that file has gone and where it's been. If you're looking to contain outbreaks, it's all there.

Cisco AMP simplifies endpoint protection detection and response workflows, such as security instigation. It really shortens the window to respond to an incident. You can do something in five minutes that probably would have taken several days in a big, diverse, ambiguous environment, where you have a lot of people working remotely. It would be tough to run down all this stuff. It is saving not only time, but manpower. Another person plus myself can now fix a problem. Whereas before, I would have to crawl through four or five different people before I got the right guy to get to the right place to do the thing that I needed him to do.

What is most valuable?

I like all the features. They're continually adding features to the product as well. One of the most recent features that they added is Orbital Advanced Search, which gives you great visibility into each individual endpoint. If you need to go look and see what's going on, it gives you that ability very easily.

I've only used Orbital Advanced Search on individual endpoints. Unless what I'm looking for is of great urgency, then I don't want to run very complex queries because they can take a lot of time and use a lot of resources for the endpoint. I'm still getting used to it so I don't know its full capabilities, such as, what it can do without interrupting the use of the endpoint. However, if the endpoint is compromised, it doesn't really matter. If I'm just investigating an incident, I don't want to lock the box up if a user is still trying to use it while I'm trying to figure out what's going on.

The Orbital Advanced Search is a great tool that gives you visibility. Otherwise, you would have to track down the device physically and possibility even do a forensic image of it to figure out what happened, or take it out of the environment just to investigate it. Having the ability to use Orbital to get the information off of a device to determine whether it's legitimately compromised, or if something weird is just going on, shortens the timeline of your response because you have immediate availability and visibility into the device that might be compromised.

Orbital helps reduce attack surface and investigate real-time data on our endpoints. For example, a device alerted in AMP for having a potential browser hijacker. At the same time, the user was also opening a help desk ticket because they were unable to access some online resources necessary for them to be able to work. I was then able to get on the device using Orbital (out of AMP) to locate the device and figure out what was going on, and it was a legitimate infection of a virus: It was a browser hijacker. All that happened in the span of five minutes, and I was able to get one of my guys out there to remove the device from our environment, reimage and replace it with another device.

I was able to figure out what was going on with that device in the span of five to 10 minutes. Then, I was able to have a guy onsite within the next three hours to get the device out of our environment. Previously, that would have taken days to figure out what was going on with the device, remote into the device, and find out where the device was physically, then get somebody to go to where the device was physically and pull the device out of the environment. That used to be a much longer process, and the longer that you have a threat risk in your environment, the riskier it becomes.

One of the best features of AMP is its cloud feature. It doesn't matter where the device is in regards to whether it's inside or outside of your network environment, especially right now when everybody's remote and taken their laptops home. You don't have to be VPNed into the environment for AMP to work. AMP will work anywhere in the world, as long as it has an internet connection. You get protection and reporting with it. No matter where the device is, AMP has still got coverage on it and is protecting it. You still have the ability to manage and remediate things. The cloud feature is the magic bullet. This is what makes the solution a valuable tool as far as I'm concerned.

What needs improvement?

The solution’s endpoint protection, in terms of the operating systems and devices that it protects, is pretty comprehensive. The one challenge that I see is the use of multiple endpoint protection platforms. For instance, we have AMP, but we also have Microsoft Windows Defender, System Center Endpoint Protection, and Microsoft Malware Protection Engine deployed. So, we have a bunch of different things that do the same thing. What winds up happening is, e.g., if I get an alert for a potential incident or malware and want to pull the file, I'll go to fetch the file to analyze it. But, one of these other programs has already gotten it, so the file has already been quarantined by another endpoint protection system. AMP doesn't realize that and the file fetch fails, then you're left wondering what's going on. 

It's a rapidly evolving product. Every time they turn on a new feature, you're going to have glitches. Recently, they put out a bad version of a Connector, but they put out a new version of a Connector every other week it seems, so they pulled that back and put out a new version.

For how long have I used the solution?

About a year.

What do I think about the stability of the solution?

It is very stable. I haven't noticed it being unstable. It is what it is and does what it does.

On a regular basis, we have four or five network security engineers working on its deployment and maintenance.

What do I think about the scalability of the solution?

It is easily scalable. It's a simple deployment. You can push it out through any sort of desktop management system that you have.

Because we're a hospital, some things (like an imaging device) will not be using the solution as it may stop the imaging software from working. As far as endpoints for regular people who are not doctors using nuclear medicine imaging computers, it is pretty much on all those devices, including all of our virtual desktops. We have about 5,000 endpoints.

How are customer service and technical support?

Their technical support is excellent. I often wind up working with the same people who are responsive, knowledgeable, and available to do live troubleshooting and analysis. They also do a great job of teaching you things that you otherwise wouldn't know about the tool.

Which solution did I use previously and why did I switch?

We still do use System Center Endpoint Protection (SCEP). I am in the security group, and there's an infrastructure group who deploys the desktop. As part of their deployment, not only do they include AMP, they also include the Microsoft tools of various types.

Mostly, AMP affords us utility and visibility. Whereas, we had very little control and visibility into other tools because they weren't ours. we didn't have such great access. For endpoints, it's really been great for us as far as having that level of visibility and ability to control what's going on. To not only have the responsibility for security, but the ability to provide security has been the big deal for us. We didn't have such great access. 

When we only had the SCEP solution, we would get alerts but that would be it. We wouldn't have access to the tool to get more information from it. This left us sort of trying to troubleshoot the device in a vacuum without understanding what was going on.

How was the initial setup?

The initial setup was straightforward, easy, and quick. When we first started testing and deploying it, we were installing it on individual machines ourselves. It's just a matter of downloading the Connector or having the URL to the Connector that you just run on the machine. All you need is local admin rights and it takes about five minutes. That's it. 

In our testing environment, deployment was probably a month or two, because we were just testing. Once we felt comfortable with it and started deploying it, we gave it to our desktop engineers because it's an integral part of the image that gets installed on every machine. Therefore, for our entire environment, it probably took a total of four months, since three months were for testing.

Initially, we deployed it to individual desktops for testing. Then, we incorporated it into the standard image deployed on all desktops, laptops, or endpoints.

What was our ROI?

We have absolutely seen ROI. The way that it is starting to integrate and work with all the other Cisco products, as far as the ease of use, visibility, and being able to respond to incidents. We can know if something bad is potentially happening instantaneously and prevent it from happening. We can go to a device and isolate it before it infects other devices. In our environment, that's millions of dollars saved in a matter of seconds.

The solution has made our team more effective and productive.

The solution has decreased our time to detection because we are getting alerts letting us know that something needs to be looked at. Now that it's integrating with all these other tools, it's automatically submitting files for analysis to determine whether they are dangerous. Up until about two months ago, I would get a bunch of alerts about certain files. For example, I used to get alerts about a machine having a file, then I'd have to fetch the file and submit it for analysis. That stuff is happening automatically now. So, I went from about 100 or so odd alerts a week to around five because everything is now happening on its own.

What's my experience with pricing, setup cost, and licensing?

We have an Enterprise Agreement with Cisco for a bunch of tools. This is one of them.

The Enterprise Agreement is like an all-you-can-eat buffet of Cisco products. In that vein, it was very affordable.

Which other solutions did I evaluate?

We looked at a bunch of different things. We looked at Carbon Black along with two or three other of our tools that we didn't really have any control over. 

Cisco AMP came as part of the Enterprise Agreement with Cisco, so it was included. This made it much easier to spin up and use.

What other advice do I have?

You need to look at your exclusions. You need to understand everything you have in your environment that needs to be able to operate. Because one thing AMP does, if doesn't know what a file is, it will go get that file and isolate/quarantine it. That file might be part of another software platform that's needed to function for whatever it is you do. Chances are you won't have any visibility into whatever that platform is until it stops working, because AMP has quarantined one of the central files for it. Knowing what you have in your environment, what the exclusions are, and how to create and apply those exclusions for those other systems is a key piece.

I think that AMP is really effective in isolating and stopping things that it doesn't know. This is probably good because you don't know if a threat is really a threat until you get a chance to look at it. AMP gets out in front of that. This can cause problems if you don't know that you need to have an exclusion, but you're better safe than sorry.

We are using Cisco Email Security, Cisco Firepower, Cisco Talos, Cisco Threat Grid, and SecureX. We have not stood Stealthwatch up yet. We are refreshing our ISE instance. The integrations across the board have really been a multiplier for each tool individually, and certainly through AMP. It's really launched AMP into another level far as automation is concerned. The integration of all these tools is seamless and very effective.

I would rate it an eight (out of 10). It is all still a work in progress; it is all still a new thing. Not only is the tool itself a new thing, but how the tool integrates with all the other tools. It's in development.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
DM
Information Security & Privacy Manager at a retailer with 10,001+ employees
Real User
Top 20
By using the Deep Visibility feature, we found some previously unknown persistent threats

Pros and Cons

  • "The Deep Visibility feature is the most useful part of the EDR platform. It gives us good insights into what is actually happening on the endpoints, e.g., when we have malicious or suspicious activity. We came from a legacy type AV previously, so we didn't have that level of visibility or understanding. For simplifying threat-hunting, it is extremely useful, where traditional techniques in threat hunting are quite laborious. We can put in indicators of compromise and it will sweep the environment for them, then they would give us a breakdown of what assets have been seen and where they have been seen, which is more of a forensics overview."
  • "The role-based access is in dire need of improvement. We actually discussed this on a roadmap call and were informed that it was coming, but then it was delayed. It limits the roles that you can have in the platform, and we require several custom roles. We work with a lot of third-parties whom we rely on for some of our IT services. Part of those are an external SOC function where they are over-provisioned in the solution because there isn't anything relevant for the level of work that they do."

What is our primary use case?

Our use cases are for client and server visibility in our enterprise and operational technology environments, as EPP and EDR solutions.

How has it helped my organization?

Traditionally, we have had an open policy on endpoints in terms of what has actually been installed. We don't really centrally manage the application. So, we have had a sort of dirty environment. Now that we have SentinelOne with its advanced capabilities, this has enabled us to detect and categorize unwanted applications. It has given us a good foothold into the area of inventory management on endpoints when it comes to our applications as well.

One of the main selling points of SentinelOne is its one-click, automatic remediation and rollback for restoring an endpoint. It is extremely effective. Everything is reduced, like cost and manpower, by having these capabilities available to us.

What is most valuable?

The Deep Visibility feature is the most useful part of the EDR platform. It gives us good insights into what is actually happening on the endpoints, e.g., when we have malicious or suspicious activity. We came from a legacy type AV previously, so we didn't have that level of visibility or understanding. For simplifying threat-hunting, it is extremely useful, where traditional techniques in threat hunting are quite laborious. We can put in indicators of compromise and it will sweep the environment for them, then they would give us a breakdown of what assets have been seen and where they have been seen, which is more of a forensics overview.

From a forensics point of view, we can see exactly what is going on with the endpoint when we have threats in progress. It also gives us the ability to react in real-time, if it has not been handled by the AI. We have set the policy to protect against unknown threats, but only alert on suspicious ones. 

The Behavioral AI feature is excellent. It is one of the reasons why we selected SentinelOne. We needed a solution that was quite autonomous in its approach to dealing with threats when presented, which it has handled very well. It has allowed us to put resources into other areas, so we don't need to have someone sitting in front of a bunch of screens looking at this information.

The Behavioral AI recognizes novel and fileless attacks, responding in real-time. We have been able to detect several attacks of this nature where our previous solution was completely blind to them. This has allowed us to close gaps in other areas of our environment that we weren't previously aware had some deficiencies.

The Storyline technology is part of our response matrix, where you can see when the threat was initially detected and what processes were touched, tempered, or modified during the course of the threat. The Storyline technology's ability to auto-correlate attack events and map them to MITRE ATT&CK tactics and technique is very effective. By getting that visibility on how the attack is progressing, we can get a good idea of the objective. When we have the reference back to the framework, that is good additional threat intelligence for us.

Storyline automatically assembles a PID tree for us. It gives us a good framing of the information from a visibility standpoint, so it is not all text-based. We can get a visualization of how the threat or suspicious activity manifested itself.

The abilities of Storyline have enabled our incident response to be a lot more agile. We are able to react with a lot greater speed because we have all the information front and center.

The solution’s distributed intelligence at the endpoint is extremely effective. We have a lot of guys who are road warriors. Having that intelligence on the network to make decisions autonomously is highly valuable for us.

What needs improvement?

The role-based access is in dire need of improvement. We actually discussed this on a roadmap call and were informed that it was coming, but then it was delayed. It limits the roles that you can have in the platform, and we require several custom roles. We work with a lot of third-parties whom we rely on for some of our IT services. Part of those are an external SOC function where they are over-provisioned in the solution because there isn't anything relevant for the level of work that they do.

For how long have I used the solution?

We have used it for around 10 to 11 months.

What do I think about the stability of the solution?

In the 11 months that we have had it, we have only had one problem. That was related back to a bug on the endpoint agent. So. it is very stable when I compare it to other platforms that I have used, like McAfee, Symantec, and Cylance.

Being a SaaS service, they take care of all the maintenance on the back-end. The only thing that we have to do is lifecycle the agents when there is a new version or fixes. So, it is very minimal.

What do I think about the scalability of the solution?

It is highly scalable. It is just a case of purchasing more licensing and deploying agents.

We have three global admins, myself included, with about 10 other administrators. Primarily, the way that we are structured is we have a client team and a server team. So, we have resources from each geographical region who have access to the solution to police their own environment on a geographical basis. So, we have three global admins, then everybody else just has a sort of SoC-based level functionality, which goes back to the custom role issue because this is too much access. 

How are customer service and technical support?

The technical support is very good. My only criticism is they are not very transparent when they are giving you a resolution to a problem. We have had several cases where we have had a problem that we have been given the fix for it. However, when we asked for background information on the actual problem, just to get some more clarity, it is very difficult to get that. I don't know if it's relative to protecting the information regarding the platform or a liability thing where they don't want to give out too much information. But, in my experience, most vendors when you have a problem, they are quite open in explaining what the cause of the issue was. I find SentinelOne is a bit more standoffish. We have gotten the information in the end, but it is not an easy process. 

When responding to fixing a problem, they are excellent. It is any of the background information that we are after (around a particular problem) that we find it difficult to get the right information.

Which solution did I use previously and why did I switch?

We were previously using Trend Micro Deep Security. The primary reason why we switched was that it is rubbish. It is a legacy-based AV. We had a lot of problems functionality-wise. It was missing a lot of things, e.g., no EDR, no NextGen capabilities, and it had interoperability problems with our Windows platform deployments. So, there was just this big, long list of historical problems.

We specifically selected SentinelOne for its rollback feature for ransomware. When we started looking into securing a new endpoint solution about 24 months ago, there was a big uptick in ransomware attacks in the territory where I am based. This was one of the leading criteria for selecting it.

How was the initial setup?

The initial setup is extremely straightforward. The nature of the platform has been very simplistic when it comes to configuring the structure for our assets and policies. Several other platforms that I have worked with are quite complex in their nature, taking a lot of time. We were up and running within a day on the initial part of our rollout. For the whole organization, it took us about 30 days to roll out completely in five different countries across roughly 20,000 endpoints. 

Behavioral AI works both with or without a network connection. We tested it several times during procurement. It can work autonomously from the network. One of our selection criteria was that we needed it to be autonomous because we have air gapped environments. Therefore, we can connect, install, or disconnect, knowing that we have an adequate level of protection. This mitigates certain risks from our organization. It also gives us good assurance that we have protection.

We had a loose implementation strategy. It was based on geography and the size of the business premises in each country. We started with our administration office, but most of our environment is operational technology, e.g., factories and manufacturing plants.

What about the implementation team?

We did the deployment ourselves, but we had representation from the vendor in the form of their security engineer (SE). We did the work, but he gave us input and advisories during the course of the deployment.

Three of us from the business and one person from Sentinel (their SE) were involved in the deployment of SentinelOne.

What was our ROI?

We saw a return of investment within the first month.

On several occasions, we found some persistent threats that we wouldn't have known were there by using the Deep Visibility feature.

The solution has reduced incident response time by easily 70 percent.

The solution has reduced mean time to repair by probably 40 to 50 percent. This has been a game changer for us.

Analyst productivity has increased by about 50 percent.

What's my experience with pricing, setup cost, and licensing?

We are on a subscription model by choice. Therefore, we are paying a premium for the flexibility. We would have huge cost savings if we committed to a three-year buy-in. So, it's more expensive than the other solutions that we were looking at, but we have the flexibility of a subscription model. I think the pricing is fair. For example, if we had a three-year tie-in SentinelOne versus Cylance or one of the others, there is not that much difference in pricing. There might be a few euro or dollars here and there, but it's negligible.

Which other solutions did I evaluate?

We evaluated:

  • Microsoft Defender for Endpoint
  • Cisco AMP for Endpoints
  • CylancePROTECT
  • Apex One, which is Trend Micro's NextGen platform.

The main differentiator between SentinelOne has been ease of use, configuration, and performance. It outperformed every single one of the other solutions by a large margin in our testing. We had a standardized approach in tests, which was uniform across the platforms. Also, there is a lot of functionality built into SentinelOne, where other vendors offered the additional functionality as paid add-ons from their basic platforms.

During our evaluation process, SentinelOne detected quite a lot of things that other solutions missed, e.g., generic malware detection. We had a test bed of 15,000 samples, and about 150 were left for SentinelOne. What was left was actually mobile device malware, so Android and iOS specific, fileless attacks, and MITRE ATT&CKs. SentinelOne performed a lot stronger than others. Cylance came second to SentinelOne, even though they were 20 percent more effective in speed and detection. The gulf was so huge compared to other solutions.

SentinelOne's EDR is a lot more comprehensive than what is offered by Cylance. They are just two different beasts. SentinelOne is a lot more user-friendly with a lot less impactful on resources. While I saw a lot of statistics from Cylance about how light it is, in reality, I don't think it is as good as the marketing. What I saw from SentinelOne is the claims that they put on paper were backed up by the product. The overall package from SentinelOne was a lot more attractive in terms of manageability, usability, and feature set; it was just a more well-rounded package.

What other advice do I have?

Give SentinelOne a chance. Traditionally, a lot of companies look at the big brand vendors and SentinelOne is making quite a good name for itself. I have actually recommended them to several other companies where I have contacts. Several of those have picked up the solution to have a look at it.

You need to know your environment and make sure it is clean and controlled. If it's clean and you have control, then you will have no problems with this product. If your environment isn't hygienic, then you will run into issues. We have had some issues, but that's nothing to do with the product. We have never been really good at securing what is installed on the endpoint, so we get a lot of false positives. Give it a chance, as it's a good platform.

I would give the platform and company, with the support, a strong eight or nine out of 10.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
SG
Owner at a security firm with 1-10 employees
Reseller
Very customizable but slow in the cloud environment

Pros and Cons

  • "The features that I have found most valuable are the ability to customize it and to reduce its size. It lets you run in a very small window in terms of memory and resources on legacy cash registers."
  • "Everything with Fortinet having to do with their cloud services. They need to invest more in their internal infrastructure that they are running in the cloud. One of the things I find with their cloud environment compared to others' is that they go cheap on the equipment. So it causes some performance degradation."

What is our primary use case?

Our primary use cases for Fortinet FortiEDR are cash registers and endpoint, and point of sales.

The reason we originally started with FortiClient with one of our clients in the first place was that they were able to have legacy cash registers, a really old technology, which we had to get to run in a small resource space, and FortiClient, which was the predecessor, allowed us to literally pick and choose what features we wanted in the client and reduce its size, which you couldn't do with any other types of clients that were out there. That's how we started with that.

It is mostly on premise and any cloud services that we use are directly from Fortinet themselves. I would call that public cloud. We do run some of the customer's environment in private cloud, basically co-location. This has provided the services back to their dataset. I am talking about Fortinet's cloud for the public. For the private stuff it was basically out at Q9, which is the co-location provider.

How has it helped my organization?

Fortinet FortiEDR has the ability to customize the footprint of the client or the agents on the device and on the endpoint.

What is most valuable?

The features that I have found most valuable are the ability to customize it and to reduce its size. It lets you run in a very small window in terms of memory and resources on legacy cash registers. The customer has literally about 800 cash registers. That was the use case for Fortinet FortiEDR - to get that down into a tiny space. The only way to do that was to use this product because it had that ability to unbundle services that were a surplus.

What needs improvement?

In terms of what could be improved, I would say everything with Fortinet having to do with their cloud services. They need to invest more in their internal infrastructure that they are running in the cloud. One of the things I find with their cloud environment compared to others' is that they go cheap on the equipment. So it causes some performance degradation.

A classic example of that would be products like FortiMail where you're basically acting as a mail relay. So say you're on a support call and I'm sending you a mail with document that you expect to come to you immediately, or within 30 - 60 seconds, could take up to 45 minutes because of the load on the cloud services. This can result in trouble tickets and other customer side issue.

In the next release I would like to see more investment in their cloud services. Additionally, they definitely need better integration into their FortiSIEM and FortiSOAR solutions.

They should continue to improve that and possibly include a managed threat hunting feature, an MDR solution.

For how long have I used the solution?

I'm a Fortinet Gold Reseller but primarily we're a consulting company, not a product company. We tend to be agnostic with the one caveat being Fortinet, and only because I was the first guy in Canada to get certified in that, and also the first guy to sell it. There is a personal preference there. But I'm looking deeper into more enterprise security solutions that are SASE and endpoints and EDR, XDR, MDR, all that kind of stuff.

We've done work primarily with FortiGate deployments, but we've also done multiple SD-WAN projects and we've worked with FortiEDR, which is similar to their version of EDR. We've worked with FortiClient before that. As far as FortiCloud goes, we've worked with FortiMail in the cloud, we've worked with FortiManager in the cloud, but we haven't gone into CASB stuff yet.

We also do some Fortinet managed services in our customer base. So I have worked with Fortinet since 2004, 2005.

Fortinet FortiEDR has only been out for a couple of years. We've been working with it for a couple of months, primarily migrating a customer from FortiClient to FortiEDR.

We haven't done full scale deployments of FortiEDR yet, it's still fairly new.

What do I think about the stability of the solution?

In terms of stability, EDR is a pretty decent solution, but it's not best of breed. One of the challenges with Fortinet, and all of these vendors, is that they are doing acquisitions and doing things to retrofit into their environment, but there's a dependency on legacy or other features that Fortinet has, and Prisma from Palo Alto has. They have their own products, which are how their system is designed. It's really a suite of products. Fortinet is now FortiFabric, with Palo Alto it's Prisma, Prisma Cloud and XSOAR and all that stuff.

All these types of companies are not as flexible. I think in the future, people are not going to be interested in having these huge complex suites of products in order to take advantage of integration.

If you look at a true SASE solution, for example Zscaler, it's a product on its own. And it typically integrates with industry best of breed products first. So Zscaler would work with CrowdStrike or Microsoft Defender before it's going to work with an integrated solution like Palo Alto or Fortinet.

I'm finding more and more that these companies, Palo Alto, Fortinet, Check Point, Juniper, are all doing well right now. But I think in the next year to two, you're going to see a transition away from that type of technology.

It is actually one of Fortinet's big selling points that they're not maintenance heavy and they've got their gang leveraging all the other components. It actually updates itself automatically if you choose. And it has the ability, using FortiManager and other products, where you can push out policies very easily across multiple appliances, although that requires proper design and architecture from the beginning to make sure that you've got cookie cutter configurations across your enterprise.

What do I think about the scalability of the solution?

Scalability is Fortinet's sweet spot, even though they're heavily focused trying to sell into enterprise, their sweet spot is still mid-size, SMB, customers.

Those products work well in an environment which is below 3000 users. It also works well in in terms of large enterprises, like a bank.

I don't see EDR really expanding. Fortinet Firewalls is another story. Firewalls can scale up to very large enterprises, including Telcos, but I don't see the EDR product deployed in those environments.

How are customer service and support?

Their support is getting better.

Right now it is not that good. Fortinet was never big on technical support. I think they went by the theory that if it was hard to write, it should be hard to understand. Their technical support is getting better, but if you compare it to Cisco, it's not as good and it never was. It is one of their weak points. Its response time is not bad, but the attitude of the people on the phone is. It's the amount of information they ask for to do an RMA, for example. They can be very challenging to work for. That's an opportunity for managed security providers, because if you confront them, and take it away from the customer, it makes the customer's experience much better. So a bad support center is good for an MSSP.

How was the initial setup?

The initial setup is complex compared to stuff like CrowdStrike or other products where you can just sign up and download and it, and it works.

It's a little bit more complex with FortiEDR because you're dealing with the setup and management of it, whereas in products like CrowdStrike, it's pretty automatic and it's just a question of a radio button to turn on or turn off additional features that you may want.

For example, going EDR to XDR or going EDR to MDR in CrowdStrike, you can do that in Fortinet but you have to implement FortiSOAR and all this other stuff.

Initially the setup took us a while, simply because we had to mess around with the client. We are talking weeks because we had to test and make sure that there were no performance issues and no interruptions in the flow of data, etc...

That took us probably five, six weeks to get up in a POC type environment. Once we got that, it's cookie cutter. You have an image that you deploy that already has that compiled in it, and it works pretty easily.

What's my experience with pricing, setup cost, and licensing?

Fortinet FortiEDR is priced pretty competitively if you compare it to other companies that are in the same boat, like Palo Alto, who have similar product suites. It is reasonable. In the industry, they call Fortinet the Chevy of Perimeter Security and Palo Alto the Cadillac. I think that's undeserved. I think Fortinet is actually, in the long run, a better product, but it has that reputation because of their pricing. Palo Alto, right off the bat, charged a much higher premium, which created the illusion that you're getting a better product. Palo Alto products are brutally expensive.

But that's the way Palo Alto works and it works for them. Although, I've heard rumors that they're changing their channel model where they're going after enterprise customers directly, rather than forcing it through the channel. Fortinet is a 100% channel, Palo Alto is not. And that's affecting them. If you look at stock prices and earnings, Fortinet is actually doing better.

What other advice do I have?

With any of these products, you need to step back and look at where the wave of technology is going in the security posture. I think that you need to step back and say, "Here's my current situation, what's the best solution two to three years from now?" If you look at that, I don't see Fortinet or Palo Alto or any of those traditional product vendors being the future state.

These companies are like system integrators. A lot of system integrators went out of business mostly because they couldn't make the paradigm shift from a product led business to a service led business. I see the same type of thing happening in the traditional Perimeter Security companies, that are not designed from the ground up. They make an acquisition of a product and they try to integrate it into their business model, and to leverage all their other products in a suite. That's not the way the industry is going.

On a scale of one to ten, I would rate Fortinet FortiEDR somewhere around a six.

It goes back to what I said that I don't think it's got a huge future. If you compare it to CrowdStrike or those type of products, it is very similar to Palo Alto's Cortex, they didn't even come out with an an EDR solution, they went directly to an XDR solution. What is XDR penetration? About 2% of the market right now. It's just not a fit to the future. That's why I give it a six.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer:
Flag as inappropriate
CL
Sr. Security Lead at a healthcare company with 10,001+ employees
Real User
Enables us to see at a glance whether users have device control and disk encryption enabled properly

Pros and Cons

  • "The fact that Morphisec uses deterministic attack prevention that does not require human intervention has affected our security team's operations by making things much simpler. We don't have to really track down various alerts anymore, they've just stopped. At that point, we can go in and we can clean up whatever needs to be cleaned up. There are some things that Morphisec detects that we can't really remove, it's parts of Internet Explorer, but it's being blocked anyway. So we're happy with that."
  • "Some of the filters for the console need improvement. There are alerts that show up and just being able to acknowledge that we've seen those and not turn them off, but dismiss them, would be a huge benefit."

What is our primary use case?

We purchased Morphisec primarily to help mitigate and protect us against Ryuk ransomware back in December when that was running really rampant. The antivirus that we were using at that point was outdated. We were looking to move to a new vendor, and we needed something as a stopgap to supplement our current antivirus. Morphisec fit that bill perfectly. It had features that our antivirus did not. It had an immediate deployment and immediate return on investment that we just would not be able to get if we were to turn around and try to deploy a full-blown antivirus across the entire environment. Morphisec was quick, simple, and did not conflict with anything that we already had. It also did not cause any additional delays in our virtualized environment, which was a huge concern for our infrastructure team. It just fit perfectly.

We've detected things that our antivirus was not picking up. We had no visibility or control over anything that was running in process memory. Morphisec immediately started blocking things that should not have been running in process memory. It also gave us visibility into the Windows Defender antivirus that we did not have without increasing our Microsoft licensing and gave us some basic control over Defender as well. We previously used McAfee.

How has it helped my organization?

The fact that Morphisec uses deterministic attack prevention that does not require human intervention has affected our security team's operations by making things much simpler. We don't have to really track down various alerts anymore, they've just stopped. At that point, we can go in and we can clean up whatever needs to be cleaned up. There are some things that Morphisec detects that we can't really remove, it's parts of Internet Explorer, but it's being blocked anyway. So we're happy with that.

It's very important to us that it offers visibility into and control over Windows 10, native device control, disc encryption, and personal firewall. We're actually in the process now of deploying the control over the firewall so that we can consolidate to a single pane of glass for our antivirus and controls. It will help us through leveraging group policy, which can fail, especially if the machine drops off of the domain, we have a significantly larger remote than we did a year ago. We have machines that don't necessarily get the policies they need to get when they need to get them. Morphisec fixed that.

The level of control from Morphisec Guard compared to Windows 10 Native Security tools is a bit more basic than the Windows 10 Native Controls. You basically enable the firewall or you disable it, based on the various profiles. I have not yet seen a way to create exceptions in the firewall or rules and things like that but those can be pushed through group policy, regardless. As long as the firewall is enabled, it's functioning and it's doing better than if there was no policy applied at all.

Morphisec Guard enabled us to see at a glance whether our users have device control and disk encryption enabled properly. It is especially important with our remote workforce. Disc encryption is an absolute must. And the device control, USB devices, is also an absolute must.

It has reduced the amount of time we spend investigating false positives. It reduced our amount of chasing antivirus alerts by about 80% a week.

Our team's overall workload has also been reduced by about 30% on a weekly basis of our workload, we would spend a lot of time tracking alerts.

It has enabled us to take Morphisec and leverage one product where we would have had to have had at least two previously. I don't really have numbers for what that would look like. We didn't really investigate too many other vendors in that space, but it's probably at least 50% savings over what we would have needed. So it has helped us to save money on our security stack.

What needs improvement?

Some of the filters for the console need improvement. There are alerts that show up and just being able to acknowledge that we've seen those and not turn them off, but dismiss them, would be a huge benefit.

For how long have I used the solution?

We've been using Morphisec for about six months now. It is installed on our endpoints and servers. We have a SaaS version of the console.

What do I think about the stability of the solution?

I've had 100% availability anytime I've needed to go look. I have not had any issues in any of our environments with the agents.

What do I think about the scalability of the solution?

Scalability is very easy. We can just call and say that we need more licenses and they give us more licenses and we can push that agent out. It's the same executable file we have on our file shares. We just expand however many we need, to as large as we want to go.

We have about 8,000 endpoints, 2,500 servers, and 4,000 virtualized desktops.

Our next step would be to purchase the Linux agent and get that on the few Linux servers and appliances that we have.

How are customer service and technical support?

The technical support has been fantastic. Any feature requests I've had, any issues I've run into, which have been very minimal, they've had an immediate response. Turnaround for feature requests is really, really fast. I've seen it within the next update which they do monthly. They provide great technical support. 

Which solution did I use previously and why did I switch?

We looked at Bitdefender, Trend Micro, and Microsoft Defender. We are still using Microsoft Defender in conjunction with Morphisec in a small pilot group. We're still evaluating where we want to go for a true antivirus solution. So, we still have a small deployment of Defender.

Deployment was the biggest difference between Morphisec and the other solutions. It was far simpler to deploy Morphisec without having to remove another antivirus, without having to make a large-scale project, or look for compatibility. It works on all supported operating systems. It works in conjunction with other antiviruses. We didn't have to create exceptions and there were no conflicts with the antivirus we were running and Morphisec. So that really helped us make that decision, purchase this, roll it out, and have it supplement our existing technologies. And it gave us an almost immediate return on investment.

How was the initial setup?

The initial setup was very straightforward. We deployed it via group policy. We had it deployed across the entire environment in about three days.

What's my experience with pricing, setup cost, and licensing?

There are no additional costs to standard licensing. We've had full support. I get biweekly calls with my technical account manager and we purchased the licenses for everything we needed for a single cost.

What other advice do I have?

If you have the ability to get Morphisec into their environment, it's going to be a hundred percent return on investment. I would recommend it every time.

If you can, get it and run with it, because it's great. It's been eye-opening, the things that other antiviruses were missing, and we've seen it protect against zero days. We've seen it protect against ransomware that other antiviruses have not even seen.

I would rate Morphisec a ten out of ten. 

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Flag as inappropriate
Stephen Hand
Director, IT & Systems Security at Tilson Technology Management
Real User
Top 20
Good visibility helps us make educated decisions, easy to scale, helpful threat-response support

Pros and Cons

  • "The Protect functionality on the laptops provides great visibility into what's occurring, and the cloud management of the platform is what we needed."
  • "The console is a little cluttered and at times, finding what you're looking for is not intuitive."

What is our primary use case?

We implemented CrowdStrike because we needed to identify a new solution to address a 100% remote workforce, both because of COVID, but in general, our workforce is very distributed around the country.

How has it helped my organization?

The primary way that CrowdStrike has improved the way our organization functions is visibility. When we do have an issue, the ability to see what was happening before, during, and after the issue on the target laptop or server is far better than what we were used to.

Having the updates happening automatically, with a third-party defining those updates and pushing those in, also providing us visibility into the current status of all of our endpoints, is critical.

We use Falcon's endpoint and cloud workload protection, which is deployed on our Azure cloud servers. It is definitely one of the top options available to any organization. We had reviewed 10 different applications in the EDR space and Falcon was one of the top three that we had identified.

In terms of preventing breaches, so far, it's doing great. Definitely, in our testing that we do every month, it is identifying issues that arise with more certainty. Simply, the team has more confidence in what they're utilizing as a tool and it has freed them up to work on things that are a more efficient use of their time.

What is most valuable?

The Protect functionality on the laptops provides great visibility into what's occurring, and the cloud management of the platform is what we needed.

It is important to us that this cloud-native solution provides us with flexibility and always-on protection because we have a 100% distributed workforce, in place even before COVID. To manage 600 remotely-deployed laptops requires a cloud-managed solution.

What needs improvement?

The console is a little cluttered and at times, finding what you're looking for is not intuitive. Once you find it, it's great, but it's not always very intuitive as to how to find exactly what you're looking for sometimes.

For how long have I used the solution?

I have been using CrowdStrike Falcon for six months.

What do I think about the stability of the solution?

We have had no issues at all with stability, and no conflicts on any of our endpoints or servers.

What do I think about the scalability of the solution?

It seems to be limitless from a scalability standpoint. Definitely, there would be no impact on our end, and we haven't noticed or run into any issues as we scaled from our initial 10 systems to 600. There was no difference in speed or reporting, et cetera.

So, scalability does not seem to be an issue.

How are customer service and technical support?

Technical support is an area for improvement. If you have an actual issue, such as an identified threat, then they are very good. However, if you're struggling to figure out what might have occurred, we're still trying to figure out how to get our best support from CrowdStrike in those situations.

Which solution did I use previously and why did I switch?

Prior to Falcon, we were using Webroot.

The primary improvement that we have seen is visibility. We had no visibility into what happened before, during, and after a situation with Webroot, but with CrowdStrike, we have that visibility, which allows our team to make educated decisions. In terms of detection and prevention, I believe it's all experiential so far. Falcon has been very good at both detection and remediation for any issue that has come up.

How was the initial setup?

The sensor setup and deployment were extremely easy. We were able to deploy a hundred percent of our endpoints within 60 days. We found it to be very smooth.

It was a very simple deployment strategy to get the agent out to the end-users. It was so smooth that we didn't even have to notify the end-users that it was being done. It just happened automatically. 

There was no conflict between CrowdStrike and our existing EDR that we were going to get rid of. After the installation, we were able to have the old EDR totally removed within 30 days.

What about the implementation team?

We had two people for deployment and we have one for maintenance. Their roles are in information security.

What was our ROI?

We have seen ROI in that our team is freed up to work on things that are more important.

What's my experience with pricing, setup cost, and licensing?

We took advantage of Falcon's free trial before purchasing it, and it was very easy to get it. We were on the phone with a representative discussing our next steps and they offered the free trial, and we were set up and functional with it the next morning. Having a free trial period is something that is expected. If anybody wants our business in this space then it's necessary because we aren't going to purchase something without trying it first.

The pricing is not bad. It's on the higher end of the market, but you get what you pay for. It's a little on the confusing side because the name of the item they're selling doesn't match what you see when you log into the product.

If you buy "Protect" and you log into the product, you don't see "Protect". You see something else, like "Identify" or whatever. So, they need to do a better job of aligning product names from the sale to within the product.

There are add-on fees for different packages that you can buy, and we are looking at adding on some feature functionality as we go forward.

Which other solutions did I evaluate?

We evaluated 10 different solutions in the EDR space. The top three included CrowdStrike Falcon, Carbon Black, and Microsoft's ATP.

CrowdStrike was a little better, cost-wise, than the other two. Also, I felt that the console for managing the platform was easier for my team.

What other advice do I have?

My advice for anybody who is looking into implementing this product is that every organization is slightly different in its needs, and CrowdStrike may or may not be the right solution. Once you can do a trial and a bake-off of multiple options, you'll find if CrowdStrike is the right solution or not.

I would rate this solution a nine out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Flag as inappropriate
Get our free report covering CrowdStrike, Broadcom, Palo Alto Networks, and other competitors of Microsoft Defender for Endpoint. Updated: November 2021.
555,358 professionals have used our research since 2012.