Technology: Endpoint Detection and Response (EDR)
Choose the best enterprise endpoint security solution
Choose the best enterprise endpoint security solution
Welcome to the first edition of the Enterprise Advanced Security test that compares different endpoint security products directly. We look at how they handle the major threats that face all businesses, from the Global 100, down to medium enterprises. And most likely small businesses, too.
We give an overall score but also dig down into the details that your security team will care about. This report explains the different levels of coverage that these products provide.
Loading…
Reload document 
Open in new tab Product factsheets:
An Endpoint Detection and Response (EDR) product is more than anti-virus, which is why it requires advanced testing. This means testers must behave like real attackers, following every step of
an attack.
While it’s tempting to save time by taking shortcuts, a tester must go through an entire attack to truly understand the capabilities of EDR security products.
Full attack chain testing
Each step of the attack must be realistic too. You can’t just make up what you think bad guys are doing and hope you’re right. This is why SE Labs tracks cybercriminal behaviour and builds tests based on how bad guys try to compromise victims.
The cybersecurity industry is familiar with the concept of the ‘attack chain’, which is the combination of those attack steps.
Fortunately the MITRE organisation has documented each step with its ATT&CK framework. While this doesn’t give an exact blueprint for realistic attacks, it does present a general structure that testers, security vendors and customers (you!) can use to run tests and understand test results.
The Enterprise Advanced Security tests that SE Labs runs are based on real attackers’ behaviour. This means we can present how we run those attacks using a MITRE ATT&CK-style format.
Endpoint Detection Compared
You can see how ATT&CK lists out the details of each attack, and how we represent the way we tested, in Appendix A: Threat Intelligence, starting on page 15. This brings two main advantages: you can have confidence that the way we test is realistic and relevant, and you’re probably already familiar with this way of illustrating cyber attacks.
EDR is more than anti-virus
An Endpoint Detection and Response (EDR) product is more than anti-virus, which is why it requires advanced testing. This means testers must behave like real attackers, following every step of an attack.
Intelligence-led testing
While it’s tempting to save time by taking shortcuts, a tester must go through an entire attack to truly understand the capabilities of EDR security products.
Each step of the attack must be realistic too. You can’t just make up what you think bad guys are doing and hope you’re right. This is why SE Labs tracks cybercriminal behaviour and builds tests based on how bad guys try to compromise victims.
SE Labs tested IronNet IronDefense against a range of hacking attacks designed to compromise systems and penetrate target networks in the same way as criminals and other attackers breach systems and networks.
How we test
Full chains of attack were used, meaning that testers behaved as real attackers, probing targets using a variety of tools, techniques and vectors before attempting to gain lower-level and more powerful access. Finally, the testers/attackers attempted to complete their missions, which might include stealing information, damaging systems and connecting to other systems on the network.
Loading…
Product factsheet:
APT groups include:
- FIN7 & Carbanak
- OilRig
- APT3
- APT29
All reports
01/2022 - 01/2022
Enterprise Advanced Security (EDR): BlackBerry Protect and Optics – PROTECTION
Advanced Security (EDR): BlackBerry Protect and Optics
SE Labs tested BlackBerry Protect and Optics against a range of hacking attacks. These were designed to compromise systems and penetrate target networks in the same way as criminals and other attackers breach systems and networks.
We used full chains of attack , meaning that our testers behaved as real attackers, probing targets using a variety of tools, techniques and vectors before attempting to gain lower-level and more powerful access. Finally, the testers/ attackers attempted to complete their missions, which might include stealing information, damaging systems and connecting to other systems on the network.
Loading…
Product factsheet:
Advanced Security (EDR): Kaspersky
SE Labs tested Kaspersky Endpoint Detection and Response against a range of hacking attacks. These were designed to compromise systems and penetrate target networks in the same way as criminals and other attackers breach systems and networks.
We used full chains of attack, meaning that our testers behaved as real attackers, probing targets using a variety of tools, techniques and vectors before attempting to gain lower-level and more powerful access. Finally, the testers/ attackers attempted to complete their missions, which might include stealing information, damaging systems and connecting to other systems on the network.
Loading…
In this report we explain the threats used and explore how the tested product interacts with them. You might notice a similarity between the way we present this information and the way that the MITRE ATT&CK framework illustrates threat chains. This is not a coincidence. Our goal is to share information in ways that are familiar and easily understandable by the security community and its customers.
Read more of our reports here.
Advanced Security (EDR): CrowdStrike
SE Labs tested CrowdStrike Falcon against a range of hacking attacks. These were designed to compromise systems and penetrate target networks in the same way as criminals and other attackers breach systems and networks.
We used full chains of attack, meaning that our testers behaved as real attackers, probing targets using a variety of tools, techniques and vectors before attempting to gain lower-level and more powerful access. Finally, the testers/ attackers attempted to complete their missions, which might include stealing information, damaging systems and connecting to other systems on the network.
Loading…
In this report we explain the threats used and explore how the tested product interacts with them. You might notice a similarity between the way we present this information and the way that the MITRE ATT&CK framework illustrates threat chains. This is not a coincidence. Our goal is to share information in ways that are familiar and easily understandable by the security community and its customers.
Read more of our reports here.
SE Labs Security Awards
Find out which products won in our annual awards
In this report, we reveal the SE Labs Security Awards for 2020-2021 and provide the latest security testing updates.
The third annual report from SE Labs charts the successes and failures of security companies, their customers and the criminals who keep relentless pressure on us all. Working from home is at its highest level in human history, which emphasises the need to secure all devices, everywhere.
Our annual awards recognise great performance in tests and in the real world.
Focus on endpoint protection results – 6 years of testing
After six solid years of testing endpoint protection we’ve produced a review that examines some of the trends and data points we’ve identified. How did your favourite anti-virus behave over the last few years?
What can we test, and how do we do it?
Meet the team behind SE Labs and find out which security solutions we test, and how we do it more realistically than anyone else.
Loading…
In our second annual report we review the unprecedented year of 2020, announce our annual awards winners and discuss testing like hackers.
You can find out all about the exciting new Breach Response and Email Security Services Protection tests. And learn that even security testers can use machine learning to make testing better, while still testing like hackers.
Loading…
We will explain who we work with, to try and improve everyone’s security in this time of uncertainty. We’ll also explore how security testing has improved (or not) over the last 12 months and suggest ways in which you can use us better to help you personally or your organisation.
Awards winners and testing like hackers
Our annual award winners announcement shows who has impressed us the most since our last annual report.
And if you are new to security testing, we explain what the full attack chain is, and why you should use it when assessing security products.
Loading…
Loading…
