Just wanted to add here, I had made this a few weeks ago. Most of it has been covered by Rafeeq.
With comparisons I prefer going a bit more on the strategy than apple to apple. Anyways, here goes:
- Previously Microsoft had a line of business for security solutions called Microsoft Forefront. This has been discontinued. Forefront Endpoint Protection, Forefront Client Security and Client Protection are now known as System Center Endpoint Protection (SCEP), aka Windows Defender.
- Since it is part of System Center Configuration Manager (SCCM), it relies heavily on the SCCM infrastructure for Endpoint Protection management, policies and updates. In its natural state, SCCM is more related to systems management, and there is no separate management capability for SCEP.
- All policies related to antimalware policies, firewall, updates, notification and alerts come from the SCCM infrastructure. Furthermore, SCEP installs its own client in addition to the SCCM client.
- As per Microsoft, the SCEP client has the following capabilities:
  - Malware and spyware detection and remediation.
  - Rootkit detection and remediation.
  - Critical vulnerability assessment and automatic definition and engine updates. Network vulnerability detection through Network Inspection System.
  - Integration with Microsoft Active Protection Services to report malware to Microsoft. When you join this service, the Endpoint Protection client can download the latest definitions from the Malware Protection Center when unidentified malware is detected on a computer.
- SCCM includes an Endpoint Protection client for Linux and for Mac computers. These clients are not supplied with Configuration Manager; instead, you must download the following products from the Microsoft Volume Licensing Service Center. These products cannot be managed from the Configuration Manager console. However, a System Center Operations Manager management pack is supplied with the installation files, which allows you to manage the client for Linux only by using Operations Manager.
It is a catch-22 situation; not everyone prefers SCCM. Large organizations, if using SCCM, most probably would have a separate information security/cyber security division which would be using more proven security technologies and would most likely keep security operations separate from infrastructure/systems operations. Hence, they might want a different system for endpoint security and client updates and not be dependent on SCCM. The opposite can also be true for some organizations.
According to Gartner:
“Microsoft introduced several new security features in Windows 10, including a new anti-malware scan interface (AMSI), PowerShell logging, Device Guard, App Locker and Windows Information Protection (WIP), which are now managed as part of Microsoft Intune and System Center Configuration Manager.
Microsoft’s strategy only becomes available when organizations create new systems from scratch with Windows 10. As many organizations have linked their Windows 10 deployment plans to their hardware refresh cycle beginning in 2017, it is likely to take three to four years to complete.”
Just a side note: Microsoft has now been focusing on security, but the focus of their strategy is more on the Azure platform, Windows 10, *other new stuff*. You can find many articles written on this with Intune, Azure Information Protection, etc. For example, Microsoft also has ATP, but it is an add-on to Exchange Online or O365, which also has limitations and relies on third-party vendors, plus their file detonation is on a virtual hypervisor only and not physical. The same goes for DLP: more on the email side, but the detection technologies are limited.
The future might hold strong for security provided by Microsoft, but currently it is not proven. You can see the same in Gartner, Forrester Wave, The Radicati Group, SE Labs, MRG, and AV-Test reports (https://www.symantec.com/products/performance-center). If you notice the AV-Test results for Endpoint Security from June 2015 to December 2016, the results speak as below:
- Microsoft:
  - average rating of 3.2/6.0 in Protection Score for Windows
  - average rating of 4.42/6.0 in Performance Score for Windows
  - average rating of 5.85/6.0 in Usability Score for Windows
- Symantec:
  - 6.0/6.0 in Protection Score for Windows
  - average rating of 5.4/6.0 in Performance Score
  - average rating of 5.8/6.0 in Usability Score for Windows
Please note that the above is the result of 7 tests conducted between June 2015 and December 2016 on Windows 10 and 8/8.1.
By the way, Symantec Endpoint Protection was awarded the Best Protection 2016 for Corporate Users in the AV-TEST awards.
If you look at Symantec Endpoint Protection, it offers way more advanced threat protection technologies, especially for 14 you should highlight the following:
- Generic Exploit Mitigation which protects against 0-day exploits of vulnerabilities in common applications
- Emulator, which protects against packers and code obfuscation (polymorphic threat analysis). Many of the emerging custom packers are polymorphic, which simply means that they use an anti-detection strategy whereby the code itself changes frequently, but the purpose and functionality of the malware remain the same. Symantec Endpoint Protection's unpacker engine, Emulator, fools malware into thinking it will run on the regular machine, and instead unpacks and detonates the file in a lightweight virtual sandbox on the endpoint.
- Machine Learning Analysis for targeted, custom and unknown malware. ML uses several dimensions such as the attributes of the file, its behavior and its relationships with other files, machines and URLs.
This is apart from the IPS, Browser Intrusion Prevention, Reputation Analysis and Behavior Monitoring and of course the usual Signature Detection (antivirus) already available in 12.1
Organizations serious about security (even those that are not) would really appreciate the control features that Symantec Endpoint Protection provides. Application Control, Device Control and Host Integrity are very powerful features when used correctly by the organization. With Application Control you can ensure applications do not use processes that they are not supposed to use; for example, Office applications do not require PowerShell or command-line processes in general, so you can block those (ransomware cases).
Furthermore, you can also consider a bit of OS hardening through application whitelisting or blacklisting. You can create a file fingerprint list that could lock down clients on the usage of applications (whitelisting).
Last bit: all of the technologies mentioned in Symantec Endpoint Protection are not separately licensed and require no additional services. A single package which includes everything.
Hope this helps a bit.
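The two control ideas in the post above (block Office applications from launching PowerShell or a command shell, and lock down clients to a fingerprint list of known-good binaries) can be demonstrated with a small policy evaluator. This is an added example, not code from the post, from Symantec or from SEP's own engine: the process-event format, the process names and the byte strings used to generate the fingerprints are all constructed here so it runs offline. It evaluates each process-creation event against a parent/child rule first and then against a SHA-256 allowlist, which is the order a practitioner would want, because a blocked parent/child pair should be denied even when the child binary itself is legitimate.

```python
import hashlib
from dataclasses import dataclass

# Assumed process names for the parent/child rule (not from the original post).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELL_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation event as an endpoint agent would report it (constructed format)."""
    parent_image: str   # file name of the parent process
    image: str          # file name of the new process
    sha256: str         # hex SHA-256 of the new process's executable on disk
    command_line: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_fingerprint_list(binaries: dict[str, bytes]) -> dict[str, str]:
    """Build an allowlist keyed by file hash, the way a file fingerprint list works.

    `binaries` maps a file name to its contents; only the hash is kept, so a
    renamed copy of an unknown binary cannot borrow a trusted name."""
    return {sha256_hex(content): name for name, content in binaries.items()}


def evaluate(event: ProcessEvent, allowlist: dict[str, str]) -> tuple[str, str]:
    """Return ("block" | "allow", reason) for one event.

    Rule 1 (application control): Office applications must not spawn a shell.
    Rule 2 (whitelisting): anything not on the fingerprint list is denied."""
    parent = event.parent_image.lower()
    child = event.image.lower()

    if parent in OFFICE_PARENTS and child in SHELL_CHILDREN:
        return "block", f"{parent} is not permitted to launch {child}"

    known_name = allowlist.get(event.sha256.lower())
    if known_name is None:
        return "block", f"{child} hash {event.sha256[:12]}... not in fingerprint list"

    return "allow", f"{child} matches fingerprint of {known_name}"


# Constructed "binaries": stand-ins for the real files an admin would fingerprint.
TRUSTED_BINARIES = {
    "powershell.exe": b"constructed stand-in for powershell.exe",
    "cmd.exe": b"constructed stand-in for cmd.exe",
    "winword.exe": b"constructed stand-in for winword.exe",
}
ALLOWLIST = build_fingerprint_list(TRUSTED_BINARIES)

# Constructed sample events covering the cases the rules are meant to separate.
SAMPLE_EVENTS = [
    ProcessEvent("WINWORD.EXE", "powershell.exe",
                 sha256_hex(TRUSTED_BINARIES["powershell.exe"]),
                 "powershell.exe -nop -w hidden -enc SQBFAFgA"),
    ProcessEvent("explorer.exe", "powershell.exe",
                 sha256_hex(TRUSTED_BINARIES["powershell.exe"]),
                 "powershell.exe Get-Process"),
    ProcessEvent("explorer.exe", "powershell.exe",
                 sha256_hex(b"constructed stand-in for a tampered powershell.exe"),
                 "powershell.exe Get-Process"),
    ProcessEvent("EXCEL.EXE", "cmd.exe",
                 sha256_hex(TRUSTED_BINARIES["cmd.exe"]),
                 "cmd.exe /c vssadmin delete shadows /all /quiet"),
]


def evaluate_all(events: list[ProcessEvent], allowlist: dict[str, str]) -> list[str]:
    """Return the verdict for each event in order, e.g. ["block", "allow", ...]."""
    return [evaluate(e, allowlist)[0] for e in events]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        verdict, reason = evaluate(ev, ALLOWLIST)
        print(f"{verdict:5}  {ev.parent_image} -> {ev.image}: {reason}")
```

Note that the first event is blocked even though the PowerShell binary's hash is on the allowlist: the parent/child rule is the one that catches macro-launched shells, and the fingerprint list alone would not. The third event shows why the allowlist is keyed by hash rather than file name.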