
Endpoint Buyers Guide
It takes more than antivirus to stop today's advanced threats. Protecting corporate assets requires a complete security solution that includes anti-malware, host-based intrusion prevention (HIPS), web protection, patch assessment, application and device control, network access control, data loss prevention, firewall and other capabilities. In addition to complete protection you need a solution that's easy to install and manage, and that can grow with your needs, saving you time and ensuring comprehensive protection for years to come. In short, you need an endpoint protection solution.

Evaluating the many components that make up an endpoint security solution can be overwhelming. This buyers guide is designed to help. We've provided you with independent research and test results to help you determine your endpoint security solution requirements and identify the vendor that best meets your needs.

We examine the top vendors according to market share and industry analysis: Kaspersky Lab, McAfee, Sophos, Symantec and Trend Micro. Each vendor's solutions are evaluated according to:
• Product features and capabilities
• Effectiveness
• Performance
• Usability
• Data protection
• Technical support
Product Features and Capabilities

Basic endpoint security solutions include antivirus, anti-spyware, host-based intrusion prevention and firewall technologies. More advanced endpoint solutions also include cloud-based protection, device and application control, patch assessment, web productivity filtering, network access control, data loss prevention and full-disk encryption. Even if you don't need these advanced capabilities today, your organization will likely need them tomorrow, given the increasing complexity of security threats.

When it comes to independent reviews of endpoint solution features and availability, Sophos and McAfee offer the most complete solutions and Sophos scores the best overall. See the chart for at-a-glance information, and read the report summaries for more information on test results by vendor.

Review | Sophos | Symantec | McAfee | Trend Micro | Kaspersky Lab
Gartner EPP Magic Quadrant (Jan 2012) | Leaders Quadrant | Leaders Quadrant | Leaders Quadrant | Leaders Quadrant | Leaders Quadrant
Cascadia Labs, Endpoint Security for Enterprises (Jan 2010) | 4 stars | 3.5 stars | 2.5 stars | 2.5 stars | NA
AV-Comparatives, Review of IT Security Suites (Nov 2010) | 5 stars | NA | 5 stars | 4 stars | 5 stars
Enex TestLab, Usability of Endpoint Security (Sept 2011) | Complete | Partial | Complete | Partial | Partial
Gartner Magic Quadrant for Endpoint Protection Platforms (January 2012)

Gartner's Magic Quadrant for Endpoint Protection Platforms, a research tool that rates vendors on completeness of vision and ability to execute, reviewed 17 vendors. Kaspersky Lab, McAfee, Sophos, Symantec and Trend Micro were placed in the Leaders Quadrant.

According to Gartner, "Leaders demonstrate balanced progress and effort in all execution and vision categories. Their capabilities in advanced malware protection, data protection and/or management features raise the competitive bar for all products in the market, and they can change the course of the industry. A leading vendor isn't a default choice for every buyer, and clients should not assume that they must buy only from vendors in the Leaders quadrant. Some clients believe that Leaders are spreading their efforts too thinly and aren't pursuing clients' special needs."

Cascadia Labs: Endpoint Security for Enterprises (January 2010)

Independent technology evaluator Cascadia Labs tested four top security providers in six categories: installation, configuration, policies, management, visibility and threat awareness. Sophos took top scores in performance, data protection and technical support, followed closely by Symantec, which faltered on support. McAfee and Trend Micro received lower marks for complexity.

AV-Comparatives Review of IT Security Suites (November 2010)

AV-Comparatives, a nonprofit testing organization, individually tested and provided an overview of endpoint security solutions. The test evaluated 12 qualities or capabilities, including ease of installation, Microsoft Active Directory support, user manual and database support. Trend Micro didn't perform as well as the others in this test, receiving two and three stars out of five in a number of categories, including ease of installation, default values and database support.
Sophos received a minimum of four stars in every category and five stars in seven categories, including ease of installation, usability and management, spam, and Microsoft Active Directory support. McAfee earned five stars in eight categories but received only two stars for its website. Kaspersky earned five stars in only five categories, and Symantec didn't participate in the report.

Enex TestLab Usability of Endpoint Security (September 2011)

Enex TestLab tested the feature sets, compatibility and usability of endpoint security products against five endpoints. Of the six products Enex TestLab evaluated, it singled out McAfee and Sophos as enterprise-grade solutions, largely due to their data loss protection, device protection and full-disk encryption capabilities. Only these two vendors had "complete" products, meaning they offer a complete endpoint solution whereas the other products are missing features. In terms of usability, McAfee had the most involved and lengthy installation process, and Trend Micro followed closely behind. Kaspersky, Sophos and Symantec offer simpler installation procedures. Of the five vendors, Sophos came out on top due to the integration of security capabilities in a single package, ease of installation and deployment, and data protection capabilities.
Effectiveness

The primary goal of an endpoint security solution is to prevent malware infection. "As the anchor solution in EPP suites, the quality of the malware scan engine should be a major consideration in any RFP," according to Gartner. However, no antivirus engine can provide 100% protection, even against known threats. You should therefore also consider the solution's advanced features, such as behavior detection and HIPS capabilities. Also worth noting is whether the solution leverages the cloud to deliver real-time signature updates. Live protection from the cloud means protection against the latest threats with minimal impact on network bandwidth.

Review | Sophos | Symantec | McAfee | Trend Micro | Kaspersky Lab
VB100 (Oct 2010) | 79.6% | NA | NA | NA | 85.5%
VB100 (Dec 2010) | 84.2% | NA | Failed | NA | 84.4% / 88.3%
AV-Test (Jan 2011) | 96% / 99.74% | 96% / 97.16% | 80% / 91.38% | 92% / 99.59% | 92% / 98.83%
VB100 (Feb 2011) | 90.7% | NA | NA | NA | Failed
VB100 (Jun 2011) | 87.9% | NA | NA | NA | 94.3%

How to read the percentages: VB100 rows give the RAP (Reactive and Proactive) score, the average detection rate against samples first seen in the weeks before and the week after the product's detection data was frozen, i.e. malware the product had little or no prior knowledge of. AV-Test rows give percent of real infection vectors blocked / percent of prevalent malware detected. NA means the vendor did not submit a product for that test; Failed means a product was submitted but did not earn the VB100.

VB100: Windows Server 2003 (October 2010)

Virus Bulletin magazine independently tests antivirus products. According to the magazine, "The VB100 award is granted to any product that passes the test criteria under test conditions in the VB lab as part of the formal VB comparative review process." Virus Bulletin evaluated the ability of 38 antivirus solutions to protect Windows Server 2003. To earn the VB100, a product must detect 100% of the in-the-wild (WildList) samples, on demand and on access, without generating any false positives. Sophos and Kaspersky earned VB100 awards. VB100 also evaluates the ability to detect newer, less well-known samples and gives a RAP (Reactive and Proactive) score. Sophos earned a RAP score of 79.6% for Sophos Endpoint Security and Control 9.5.
Kaspersky earned a RAP score of 85.5% for Kaspersky Anti-Virus 8 for Windows Servers Enterprise Edition. McAfee and Trend Micro did not submit products to be tested.

VB100: Windows 7 Professional (December 2010)

In December 2010, Virus Bulletin magazine awarded the VB100 to antivirus solutions that demonstrated an ability to protect Windows 7 Professional. Kaspersky submitted two products for this evaluation, and both won a VB100. Kaspersky Anti-Virus 6 for Windows (6.0.4.1212a) earned a RAP score of 84.4%, while Kaspersky Internet Security 2011 earned a RAP score of 88.3%. Sophos earned a VB100 for Sophos Endpoint Security and Control 9.5.4, with a RAP score of 84.2%. McAfee failed this test. Symantec and Trend Micro did not participate.
AV-Test (January 2011)

The AV-Test evaluation, conducted by AV-Test, The Independent IT-Security Institute, measures the ability of top endpoint security solutions to block real infection vectors and detect prevalent malware. Sophos outperformed the other vendors in both categories, blocking 96% of real infection vectors and 99.74% of prevalent malware. Symantec also performed well by blocking 96% of real infection vectors, followed by Trend Micro and Kaspersky each at 92%, and McAfee at 80%. Trend Micro detected 99.59% of prevalent malware, followed by Kaspersky at 98.83%, Symantec at 97.16% and McAfee at 91.38%.

VB100: Linux Ubuntu (February 2011)

This round of comparative antivirus tests by Virus Bulletin magazine focused on Ubuntu Linux. As in the tests Virus Bulletin conducts on other operating system platforms, it awards the VB100 only to products that detect all in-the-wild samples in both on-demand and on-access modes without any false positives. Because few other security vendors support Linux, Sophos and Kaspersky Lab were the only two large security vendors whose products were tested. Kaspersky submitted two products and both failed. Sophos had a RAP average detection rate of 90.7% and received the VB100 for its antivirus.

VB100: Windows Server 2008 R2 (June 2011)

The June 2011 round of comparative antivirus tests focused on Windows Server 2008 R2. Kaspersky Small Office Security earned a VB100 with a RAP score of 94.3%. Sophos Endpoint Security and Control also earned a VB100 with a RAP score of 87.9%. Symantec, McAfee and Trend Micro did not submit solutions for testing.
Performance

Performance measures how a security solution impacts user experience and the number of help desk calls. Ideally, users won't experience slowdown when a security solution is scanning their system: during scheduled scans, at boot up or when opening a file. This should still be the case on a loaded or low-memory system. Strong security performance can improve IT efficiency and end-user productivity.

Review | Sophos | Symantec | McAfee | Trend Micro | Kaspersky Lab
Cascadia Labs, Endpoint Security for Enterprises (Jan 2010) | High scan speeds | Solid performance | Slow scan speeds | Solid performance | NA
AV-Comparatives Scanning Speeds Test (Dec 2010), rank of 20 | 2nd | 7th | 13th | 19th | 16th
AV-Comparatives PC Mark Tests (Dec 2010), rank of 20 | 1st (fastest vendor tested) | 14th | 10th | 20th (last) | 15th

Cascadia Labs Report: Endpoint Security for Enterprises (January 2010)

Cascadia's tests looked at the time required to perform both an on-access and an on-demand scan, and the time required to open a large PowerPoint file. Additionally, the test looked at scan time in a low-memory environment. The tests found Sophos had high scan speeds for both on-access and on-demand scans, and "disappointingly slow" McAfee results across the board. Sophos and Trend Micro both did well in low-memory situations, and Symantec performed solidly overall. Kaspersky was not included in the test.

AV-Comparatives Scanning Speeds Test (December 2010)

This test of 20 antivirus providers measured performance based on six common user tasks and applied a scoring system to sum the various results. AV-Comparatives awarded Sophos an Advanced+ rating for excellent performance scores. Sophos tied for second place with an overall score of 180. Symantec came in seventh with a score of 177; McAfee came in thirteenth with a score of 172; Kaspersky came in sixteenth with a score of 160; and Trend Micro came in second-to-last (nineteenth) with a score of 143.
As part of its tests, AV-Comparatives ran each endpoint solution on an older system to see whether its protection modules loaded before malware in the start-up folder could execute. Sophos was one of only two providers to pass the test, launching its scanner early enough to catch the malware before it executed.

AV-Comparatives PC Mark Tests (December 2010)

AV-Comparatives carried out a performance test using the PCMark Vantage Professional Edition 1.0.2 suite from Futuremark. The test consisted of several subtests that judged the speed of file copying, archiving/unarchiving, encoding/transcoding, installing/uninstalling, downloading, and launching applications. PCMark uses a scoring system to sum the results of the subtests. With a PCMark score of 97, Sophos performed best, second only to a computer with no antivirus installed. McAfee earned a score of 92, Symantec's score was 91, Kaspersky's score was 90 and Trend Micro came in behind every other vendor tested with a score of 83.
Usability

Usability, which includes installation, configuration, policies and management, impacts the time you spend on day-to-day security tasks. IT teams need a solution that's straightforward, with single-console management, easy implementation, a simple user interface and the ability to make changes easily. Policies should be flexible, but not so complex that they confuse or overwhelm. For usability we review three reports, from Cascadia Labs, AV-Comparatives and Enex TestLab. Read the report summaries and see the at-a-glance tables for more information.

According to Gartner, "Reporting capabilities are a significant differentiator of EPP solutions and can make a significant difference in the administration overhead. Buyers should consider both 'point-in-time' reporting as well as 'real time' dashboard capabilities."

Cascadia Labs: Endpoint Security for Enterprises (January 2010)

Cascadia Labs' in-depth usability report counted the number of hours involved in installation and configuration, and gave a star rating for ease of management. It also counted the number of clicks and hours required for basic tasks. Sophos needed the fewest clicks and hours for installation and configuration. McAfee required the most, with five hours and 166 steps necessary to set up the system. Cascadia didn't include Kaspersky in this assessment.

In both installation/configuration and day-to-day management, Sophos required the fewest steps and the least amount of time, while McAfee required the most. Below we examine each usability component, installation and configuration, policies and management, and visibility, in more detail.

Installation and Configuration: Steps and time. This test counted the total number of steps and time required to complete installation tasks.
Sophos had the fastest setup time with the fewest steps, with Trend Micro next, then Symantec, followed by McAfee, which took twice as long as Sophos to set up.

Policies and Management. Cascadia's report also examined available policies and management, ranking vendors by simplicity and ease of use. It looked at details such as how many windows the interface uses, and how policies are created and arranged. Cascadia gave both Sophos and Symantec a high four-star rating for clear interfaces, and gave Trend Micro the lowest ranking, two stars, for non-centralized management.

According to the report's authors, "Sophos keeps everything in one location, so unlike with the Trend and McAfee products you don't need to go to multiple places in the interface or bring up additional menus."

Visibility: Clicks to view. This report also studied the visibility a solution offers into the overall security system, and the user's level of threat awareness, which can enhance transparency and ease of use. A dashboard should be clear and require few clicks to access critical information and common actions (e.g., sending an email when a virus is detected).
In some cases, solutions don't offer the full range of features; Trend Micro, for example, only lets you see out-of-date endpoints. Sophos and Symantec both include a complete range of dashboard options, leading the pack for this section, with Sophos requiring the fewest clicks for the most tasks. McAfee follows in third place with some included functionality, and Trend Micro falls in last place with limited capabilities.

Cascadia Labs: Endpoint Security for Enterprises (Jan 2010)

Review | Sophos | Symantec | McAfee | Trend Micro | Kaspersky Lab
Installation and configuration: steps | 93 steps | 123 steps | 166 steps | 107 steps | NA
Installation and configuration: time | 2.5 hours | 3.5 hours | 5 hours | 3 hours | NA
Policies and management | 4 stars | 4 stars | 3 stars | 2 stars | NA

Visibility: clicks to view | Sophos | Symantec | McAfee | Trend Micro | Kaspersky Lab
Out-of-date endpoints | 0 | 0 | 7 | 0 | NA
Send email on virus detection | 7 | 8 | 13 | NA | NA
Application-controlled users | 0 | 5 | 7 | NA | NA
Device-controlled users | 0 | 5 | NA | NA | NA
DLP-controlled users | 0 | NA | NA | NA | NA

In the visibility table, NA means the product does not offer that dashboard view (or, for Kaspersky, that the product was not assessed).

AV-Comparatives Review of IT Security Suites (October 2010)

In its Review of IT Security Suites, AV-Comparatives evaluates products' usability and management (one score), and ease of installation. McAfee and Sophos earned five stars out of five for ease of installation. Kaspersky earned four stars and Trend Micro earned three. All four vendors earned five stars for usability and management. Symantec wasn't included in the evaluation.

AV-Comparatives Review of IT Security Suites (Oct 2010)

Review | Sophos | Symantec | McAfee | Trend Micro | Kaspersky Lab
Usability and management (one score) | 5 stars | NA | 5 stars | 5 stars | 5 stars
Ease of installation | 5 stars | NA | 5 stars | 3 stars | 4 stars
Enex TestLab Usability of Endpoint Security (September 2011)

Enex TestLab evaluated the ease of use of the Kaspersky, McAfee, Sophos, Symantec and Trend Micro products. It counted the number of steps required to complete various scenarios. McAfee and Trend Micro had the most involved and lengthy installations. In most task groups McAfee required the most or the second-most steps to complete a given task. For example, the device management tasks required a total of 69 steps from McAfee, while Symantec (second for this group of tasks) required 64 and Trend Micro (on the low end in this case) required 13. Overall, Sophos was considered the easiest to use and was recognized for its streamlined dashboard.

Enex TestLab Usability of Endpoint Security (Sept 2011), steps required per task group

Task | Sophos | Symantec | McAfee | Trend Micro | Kaspersky Lab
Server install | 30 | 43 | 133 | 59 | 18
Endpoint deployment | 35 | 34 | 81 | 92 | 41
Role-based administration | 74 | 176 | 109 | 123 | 56
Maintain protection | 28 | 52 | 62 | 37 | 67
Policy management | 49 | 62 | 49 | 38 | 63
Device management | 38 | 64 | 69 | 13 | 19
Reporting | 26 | 40 | 61 | 11 | 65
Data Protection

Data protection technology is becoming increasingly important in today's distributed work environment. Introducing encryption and content awareness to the business makes users more aware of how they handle sensitive data, and impresses upon them the importance of data protection. Having encryption and data loss prevention (DLP) incorporated in an endpoint security solution offers a number of benefits, including simplified management and cost savings.

McAfee, Sophos, Symantec and Trend Micro all offer described content detection (for example, Social Security numbers), predefined dictionaries and weightings for specific words. However, Sophos is the only vendor to provide these DLP capabilities integrated into a single endpoint agent. Trend Micro offers an optional hosted DLP agent as part of its Endpoint Security Platform. McAfee and Symantec use separate agents and licenses to provide host DLP capabilities. Kaspersky Lab does not have a DLP offering. Sophos and McAfee provide encryption capabilities in their endpoint protection, while the others do not.

Review | Sophos | Symantec | McAfee | Trend Micro | Kaspersky Lab
Cascadia Labs, Endpoint Security for Enterprises (Jan 2010) | Full range of DLP options | Few DLP options | Still fewer DLP options | Still fewer DLP options | NA
Enex TestLab, Usability of Endpoint Security (Sept 2011) | Data protection and encryption capabilities | No data protection; no encryption | Data protection and encryption capabilities | No data protection; no encryption | Data protection and encryption for smartphones

Cascadia Labs: Endpoint Security for Enterprises (January 2010)

The comprehensive Cascadia Labs report, Endpoint Security for Enterprises (January 2010), examined how security vendors deliver DLP with endpoint security. Cascadia Labs studied each vendor to determine how many clicks are required to create read-only access for removable media, and also to implement exception policies for certain devices.
It also measured how quickly an IT manager can block access to a particular dangerous application. The report found that only Sophos provides integrated DLP in its platform, with a full range of options for blocking application access, adding read-only access for removable storage and creating device class exceptions. Symantec follows Sophos with a few options available, while McAfee and Trend Micro trail them both.

Enex TestLab Usability of Endpoint Security (September 2011)

Enex TestLab examined the features found in six endpoint security products and determined that McAfee and Sophos offer the most comprehensive endpoint security suites, designating them as the only enterprise-grade solutions in the report. As the only two solutions to offer full-disk encryption, McAfee and Sophos provide the most complete data protection. Sophos offers the added benefit of providing DLP capabilities without adding complexity to its solution.
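The content-detection mechanism described above (a described-content pattern such as a Social Security number, a predefined dictionary with weighted terms, and a threshold that decides whether a document is flagged) is easier to evaluate in an RFP once you have seen a working instance of it. The following is an added example, not code from Sophos, McAfee, Symantec, Trend Micro or any of the test labs; the rule name, weights, threshold and sample documents are hypothetical and constructed for this illustration.

```python
# Added example: a minimal DLP content-detection rule of the kind the guide
# describes (described content, a weighted dictionary, and a threshold).
# Not any vendor's engine. The rule name, weights, threshold and the three
# sample documents are hypothetical and constructed for this example.
import re
from dataclasses import dataclass, field

# A described-content pattern for a US SSN in NNN-NN-NNNN form. The word
# boundaries stop it firing inside longer digit runs such as part numbers.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Filter out values the Social Security Administration never issues.

    Area 000, 666 and 900-999 are never assigned, and neither group 00 nor
    serial 0000 is valid. This validity check is what separates 'described
    content' detection from a bare regex; it keeps build numbers and ticket
    IDs that happen to be shaped like an SSN from raising alerts.
    """
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


@dataclass
class ContentRule:
    name: str
    threshold: int                       # total score at which a document is flagged
    pattern_weight: int = 10             # score for each plausible SSN found
    dictionary: dict = field(default_factory=dict)  # term -> weight

    def score(self, text: str) -> dict:
        """Return the rule's score for one document and the hits behind it."""
        hits = []
        for m in SSN_RE.finditer(text):
            if is_plausible_ssn(*m.groups()):
                hits.append(("ssn", m.group(0), self.pattern_weight))
        lowered = text.lower()
        for term, weight in self.dictionary.items():
            count = len(re.findall(r"\b" + re.escape(term.lower()) + r"\b", lowered))
            if count:
                hits.append(("term", term, weight * count))
        total = sum(points for _, _, points in hits)
        return {"rule": self.name, "score": total, "hits": hits,
                "match": total >= self.threshold}


# Hypothetical rule: one SSN plus a little payroll vocabulary is enough to flag.
PAYROLL_RULE = ContentRule(
    name="payroll-pii",
    threshold=12,
    dictionary={"confidential": 5, "salary": 3, "payroll": 3},
)

# Constructed sample documents (not real data).
DOC_PII = "Payroll export: John Smith, SSN 123-45-6789, salary confidential."
DOC_LOOKALIKE = "Build 000-12-3456 and ticket 999-00-0001 are not people."
DOC_CHATTER = "Please keep the salary figures confidential until Friday."


def scan(documents: dict) -> dict:
    """Score every document under PAYROLL_RULE; returns name -> result."""
    return {name: PAYROLL_RULE.score(text) for name, text in documents.items()}


if __name__ == "__main__":
    results = scan({"pii": DOC_PII, "lookalike": DOC_LOOKALIKE, "chatter": DOC_CHATTER})
    for name, result in results.items():
        print(f"{name:10} score={result['score']:3} match={result['match']}")
```

The three documents exercise the three parts of the rule: the payroll export scores a plausible SSN plus three dictionary hits and is flagged; the look-alike document contains two SSN-shaped strings that fail the validity check and scores nothing; the chatter document hits dictionary terms only and stays below the threshold. When comparing vendors, ask how each product lets you tune exactly these three knobs (pattern validity, term weights, threshold), since that is what determines the false-positive rate your help desk will live with.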
Technical Support

You can hope you'll never need tech support for your endpoint security solution, but it should be a key part of any vendor's product. Tech support requirements are fairly straightforward: a vendor that offers 24/7 local-language support, with knowledgeable engineers answering the phone and short wait times (if you have to wait at all). Of the five vendors we are looking at here, only Sophos' support has been independently audited and certified against the SCP (Service Capability & Performance) standards. Its 24/7, follow-the-sun support operations (UK, U.S., Australia) are SCP certified.

Cascadia Labs: Endpoint Security for Enterprises (January 2010)

The Cascadia Labs report, Endpoint Security for Enterprises (Jan. 2010), studied endpoint security technical support and awarded Sophos four stars, McAfee three, and Symantec and Trend Micro two stars each for overall tech support. Only Trend Micro doesn't offer 24/7 tech support. Cascadia called each vendor's tech support line and experienced the fastest response time with Sophos (two-minute wait) and the slowest with McAfee and Symantec (22-minute wait each). Cascadia Labs also determined whether easy questions were answered by Tier 1 and whether difficult questions were answered by Tier 1. All of the vendors answered easy questions at Tier 1, but only Sophos and McAfee answered difficult questions at Tier 1.

Review | Sophos | Symantec | McAfee | Trend Micro | Kaspersky Lab
Overall rating | Four stars | Two stars | Three stars | Two stars | NA
Time on hold (minutes) | 2 | 22 | 22 | 16 | NA
Answered easy questions at Tier 1 | Yes | Yes | Yes | Yes | NA
Answered difficult questions at Tier 1 | Yes | No | Yes | No | NA
Hours of operation | 24/7 | 24/7 | 24/7 | Mon-Fri, 8 a.m. to 8 p.m. EST | NA
Summary

Endpoint security at its best is complete and simple. It protects your organization from threats and data loss across all platforms from a single management console. Finding the right solution may seem daunting, but ask the right questions and look at the research to find the vendor that can serve your company best. This quick look at the major vendors sums up how each fared in third-party tests in each of the areas evaluated.

Area | Sophos | Symantec | McAfee | Trend Micro | Kaspersky Lab
Overall | Best | Better | Better | Good | Good
Features & capabilities | Best | Good | Better | Good | Good
Effectiveness | Best | Better | Good | Good | Good
Performance | Best | Better | Good | Good | Good
Usability | Best | Best | Good | Better | Better
Data protection | Best | Better | Good | Good | Not reviewed
Technical support | Best | Good | Better | Good | Not reviewed

Evaluating Endpoint Protection: Questions to Ask

Endpoint security solutions claim many different features. To learn if a product satisfies your minimum required capabilities, start by asking vendors the following questions:
1. Is it easy to implement?
2. Is it easy to manage with a single console?
3. Does it support all of your platforms?
4. Does it offer all of the features required for complete security?
5. Does it offer localized support?
6. What impact will it have on end users?
7. Does it include data protection?
8. Can it ensure compliance?
9. Does it include expert support in the local language?
10. Does it include free upgrades?
11. Does it protect against malware?
12. Does it improve IT efficiency?
13. Does it improve end-user flexibility and productivity?
14. Does it provide web protection wherever your users are?
15. Does it include patch assessment?
Recommended Features Checklist

We've listed below the primary capabilities and features found in advanced EPP solutions. Not every solution will have every item on the list. As you begin researching solutions, use this checklist to create your requests for proposal or as a scorecard to evaluate different products.

Product features and capabilities
□ Web protection that includes URL filtering, malware scanning, and content filtering
□ Application control capabilities
□ Patch assessment capabilities
□ Manages list of known good/unwanted applications
□ Extensive firewall log data
□ Creates firewall policies based on connection type
□ Creates device policies based on device class (i.e., CD, DVD, USB, etc.)
□ Distinguishes between classes of devices based on serial number or manufacturer
□ RSS feeds into dashboard with relevant news
□ Imports or exports data and alerts with other security systems
□ Creates custom reports in HTML, XML, CSV and PDF
□ Installs protection on Windows, Mac, Unix, Linux, storage and virtual platforms
□ Assesses computers accessing your network to ensure they meet your security policies, and blocks or quarantines them if they do not

Effectiveness
□ Dashboard of real-time events
□ Broad malware signatures that detect new variants of old threats without causing false positives

Performance
□ Native management server redundancy capabilities
□ Single signature database and scanning engine for all forms of malware

Usability
□ Easy installation that includes optimal default settings for your environment
□ Role-based administration
□ Object-oriented policy creation
□ Administrator-configurable dashboard with real-time graphical and table-based view of events
□ Removes competitive endpoint products on installation

Data protection
□ DLP content inspection for removable storage, email clients, web browsers and IM clients
□ Creates content detection for organization-specific intellectual property
□ Encrypts computer hard disks and files

Technical support
□ Installation assistance and training
□ Support resources such as user forums and white papers
□ Independently certified, follow-the-sun support operations