Endpoint Protection

  • 1.  Comparison between SEP 14 & Microsoft Forefront EP

    Posted Feb 18, 2017 03:00 PM

    Hi All,

    I am looking for a comparison between Microsoft Forefront and SEP 14, or technical features and specs would also be helpful.

    Thanks in advance.



  • 2.  RE: Comparison between SEP 14 & Microsoft Forefront EP

    Posted Feb 18, 2017 03:24 PM
    There isn't a direct comparison. You'd need to review the admin guide for SEP but I don't know what MS has lately. I know that in the past they don't even come close to SEP.


  • 3.  RE: Comparison between SEP 14 & Microsoft Forefront EP

    Posted Feb 18, 2017 04:01 PM

    Thanks Brian for the suggestion... could you please highlight the most important features available in SEP 14...



  • 4.  RE: Comparison between SEP 14 & Microsoft Forefront EP
    Best Answer

    Posted Feb 18, 2017 04:41 PM

    I mean you could go through the What's New guide:

    What's new in Symantec Endpoint Protection 14

    Otherwise you could check out the Endpoint KB section and search for specifics:

    https://support.symantec.com/en_US/endpoint-protection.html 



  • 5.  RE: Comparison between SEP 14 & Microsoft Forefront EP
    Best Answer

    Posted Feb 20, 2017 12:13 AM
    • Symantec Endpoint Protection (SEP) 12 has an extensive set of layered defense capabilities, such as Symantec Online Network for Advanced Response (SONAR), Symantec Insight and its network protect technologies, which go beyond traditional signatures for protection from advanced targeted attacks. Most recent improvements were in components of SONAR. Symantec also integrated an advanced repair tool, Norton Power Eraser, into the Symantec Endpoint Protection client.

    • Symantec continues to be listed as the top overall competitive threat by vendors reviewed in this Magic Quadrant.

    • Symantec's Security Technology and Response (STAR) technology allows evidence of compromise (EOC) scanning on the endpoint via SEP and is used by Symantec Managed Security Services and Symantec ATP.

    • Cynic is a cloud-based sandboxing platform that provides bare-metal hardware and network sandboxing analysis of objects submitted by Advanced Threat Protection (ATP), Endpoint Protection and email. Results are passed to ATP for remediation.

    • Application control offers one-click lockdown via a whitelist or blacklist of applications.

    • Synapse integrates, correlates and prioritizes SEP, email security, cloud and ATP information.

    • Symantec Data Center Security leverages VMware's vShield APIs and NSX to offer "agentless" antivirus and reputation security features on a VMware ESX hypervisor. On other platforms, such as Hyper-V or Kernel-based Virtual Machine (KVM), SEP provides input/output (I/O)-sensitive scan, virtual image exception and file cache, offline image scanner, and randomized scanning.

    • Symantec's new Advanced Threat Protection will combine network-based object and traffic scanning with existing SEP clients to provide EDR functionality without the need for existing customers to deploy new client agents.

    ===FOREFRONT=================

    • Microsoft SCEP continues to rely heavily on signature-based detection methods. Test results (such as AV-Test and AV-Comparatives) of the effectiveness of SCEP remain very low when compared with industry averages. Microsoft is focused on reducing the impact of prevalent malware in the Windows installed base, with very low false-positive rates. It does not focus exclusively on rare or targeted threats, the impact of which is minimal to the entire Microsoft ecosystem.

    • SCEP still lacks numerous capabilities that are common in other security solutions, including advanced device control, network-based sandbox and application control. Windows features such as Firewall, BitLocker, and AppLocker are not as full-featured as comparable solutions from leading vendors, and the management of these components is not integrated into a single policy and reporting interface.

    • While Microsoft supports anti-malware product updates independently, it delivers its most important security improvements in the OS. While every Microsoft customer benefits when the OS is more secure, including those that use alternative EPP solutions, most enterprises cannot upgrade OSs as fast as EPP versions.

    • Despite the integration with system and configuration management, SCEP does not provide a security state assessment that combines the various security indicators into a single prioritized task list or score. SCEP also does not provide preconfigured forensic investigation or malware detection capabilities.

    • SCEP provides support for virtual environments by enabling the randomization of signature updates and scans, and by offline scanning. It does not integrate with VMware's vShield or provide similar agentless solutions for Microsoft's Hyper-V environments.

    • Intune EMM comes at an additional cost.

    =====You can pick few more points from here===

    https://www.gartner.com/doc/reprints?id=1-2XU816T&ct=160203



  • 6.  RE: Comparison between SEP 14 & Microsoft Forefront EP

    Posted Feb 20, 2017 12:57 AM

    Thank you for all your support.



  • 7.  RE: Comparison between SEP 14 & Microsoft Forefront EP

    Posted Feb 20, 2017 08:30 AM

    What was posted above is for SEP 12.1. Didn't you ask for SEP 14?

    Here's Symantec's datasheet for SEP 14 which has the info you requested:

    https://www.symantec.com/content/dam/symantec/docs/data-sheets/endpoint-protection-14-en.pdf

    Thanks,

    Brian



  • 8.  RE: Comparison between SEP 14 & Microsoft Forefront EP

    Posted Feb 22, 2017 01:48 PM

    Just wanted to add here, I had made this a few weeks ago. Most of it has been covered by Rafeeq.

    With comparisons I prefer going a bit into the strategy rather than apples to apples. Anyway, here goes:

    1. Previously Microsoft had a line of business for security solutions called Microsoft Forefront. This has been discontinued. Forefront Endpoint Protection, Forefront Client Security and Client Protection are now known as System Center Endpoint Protection (SCEP), aka Windows Defender.
    2. Since being part of the System Center Configuration Manager (SCCM), it relies heavily on the SCCM infrastructure for Endpoint Protection management, policies and updates. In its natural state, SCCM is more related to systems management and there is no separate management capability for SCEP.
    3. All policies related to antimalware policies, firewall, updates, notification and alerts come from the SCCM infrastructure. Furthermore, SCEP installs its own client in addition to the SCCM client.
    4. As per Microsoft the SCEP Client has the following capabilities:
      1. Malware and Spyware detection and remediation.
      2. Rootkit detection and remediation.
      3. Critical vulnerability assessment and automatic definition and engine updates. Network vulnerability detection through Network Inspection System.
      4. Integration with Microsoft Active Protection Services to report malware to Microsoft. When you join this service, the Endpoint Protection client can download the latest definitions from the Malware Protection Center when unidentified malware is detected on a computer.
    5. SCCM includes an Endpoint Protection client for Linux and for Mac computers. These clients are not supplied with Configuration Manager; instead, you must download the following products from the Microsoft Volume Licensing Service Center. These products cannot be managed from the Configuration Manager console. However, a System Center Operations Manager management pack is supplied with the installation files, which allows you to manage the client for Linux only by using Operations Manager.

     

    It is a catch-22 situation, not everyone prefers SCCM. Large organizations, if using SCCM, most probably would have a separate information security/cyber security division which would be using more proven security technologies and would most likely keep security operations separate from infrastructure/systems operation. Hence, they might want a different system for endpoint security and client updates and not be dependent on SCCM. The opposite can also be true for some organizations.

     

    According to Gartner:

     

    “Microsoft introduced several new security features in Windows 10, including a new anti-malware scan interface (AMSI), PowerShell logging, Device Guard, App Locker and Windows Information Protection (WIP), which are now managed as part of Microsoft Intune and System Center Configuration Manager.

     

    Microsoft’s strategy only becomes available when organizations create new systems from scratch with Windows 10. As many organizations have linked their Windows 10 deployment plans to their hardware refresh cycle beginning in 2017, it is likely to take three to four years to complete.”

     

    Just a side note, Microsoft has now been focusing on security, but the focus of their strategy is more on the Azure platform, Windows 10, *other new stuff*. You can find many articles written on this with Intune, Azure Information Protection, etc. For example, Microsoft also has ATP, but it is an add-on to Exchange Online or O365, which also has limitations and relies on third-party vendors, and their file detonation is on a virtual hypervisor only and not physical. The same goes for DLP, more on the email side, but the detection technologies are limited.

     

    The future might hold strong for security provided by Microsoft but currently it is not proven. You can see the same in Gartner, Forrester Wave, The Radicati Group, SE Labs, MRG, and AV-Test reports (https://www.symantec.com/products/performance-center) . If you notice the AV-Test results for Endpoint Security from June 2015 to December 2016, the results speak as below:

     

    • Microsoft:
      • average rating of 3.2/6.0 in Protection Score for Windows
      • average rating of 4.42/6.0 in Performance Score for Windows
      • average rating of 5.85/6.0 in Usability Score for Windows

     

    • Symantec:
      • 6.0/6.0 in Protection Score for Windows
      • average rating of 5.4/6.0 in Performance Score
      • average rating of 5.8/6.0 in Usability Score for Windows

    Please note that the above is the result of 7 tests conducted between June 2015 and December 2016 on Windows 10 and 8/8.1.

    By the way, Symantec Endpoint Protection was awarded the Best Protection 2016 for Corporate Users in the AV-TEST awards.

    If you look at Symantec Endpoint Protection, it offers way more advanced threat protection technologies, especially for 14 you should highlight the following:

     

    • Generic Exploit Mitigation which protects against 0-day exploits of vulnerabilities in common applications
    • Emulator which protects against packers and code obfuscation (polymorphic threat analysis). Many of the emerging custom packers are polymorphic, which simply means that they use an anti-detection strategy whereby the code itself changes frequently, but the purpose and functionality of the malware remains the same. Symantec Endpoint Protection's unpacker engine, Emulator, fools malware into thinking it will run on the regular machine, and instead unpacks and detonates the file in a lightweight virtual sandbox on the endpoint.
    • Machine Learning Analysis for targeted, custom and unknown malware. ML uses several dimensions such as the attributes of the file, its behavior and its relationships with other files, machines and URLs.

     

    This is apart from the IPS, Browser Intrusion Prevention, Reputation Analysis and Behavior Monitoring and of course the usual Signature Detection (antivirus) already available in 12.1

     

    Organizations serious about security (and even those that are not) would really appreciate the control features that Symantec Endpoint Protection provides. Application Control, Device Control and Host Integrity are very powerful features when used correctly by the organization. With Application Control you can ensure applications do not use processes that they are not supposed to use; for example, Office applications do not require PowerShell or command-line processes in general, so you can block those (ransomware cases).

     

    Furthermore, you can also consider a bit of OS hardening through application whitelisting or blacklisting. You can create a file fingerprint list that could lock down clients on the usage of applications (whitelisting).

    Last bit, all of the technologies mentioned in Symantec Endpoint Protection are not separately licensed and require no additional services. A single package which includes everything.

     

    Hope this helps a bit.
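The two control features the post above singles out, blocking Office applications from spawning command interpreters and locking clients down to a file-fingerprint allowlist, reduce to policy logic that can be shown in a few dozen lines. The block below is an added example, not SEP's, SCEP's or any vendor's code: it evaluates constructed process-creation records (field names borrowed from Sysmon Event ID 1, the records themselves made up) against a hypothetical parent/child rule and a hypothetical SHA-256 allowlist whose hashes are computed from placeholder bytes so everything runs offline. A real product enforces this from a kernel driver at process start; this only demonstrates the decision.

```python
"""Added example: parent/child and fingerprint-allowlist policy evaluation.

Not part of any endpoint product. Rules, process names and hashes are
assumptions chosen to illustrate the two controls described in the post.
"""
import hashlib
from dataclasses import dataclass

# Hypothetical rule 1: Office parents must never launch an interpreter.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe",
                "wscript.exe", "cscript.exe", "mshta.exe"}


def fingerprint(data: bytes) -> str:
    """SHA-256 hex digest, the fingerprint an allowlist would be keyed on."""
    return hashlib.sha256(data).hexdigest()


# Hypothetical rule 2: allowlist of approved binaries. The hashes are of
# placeholder byte strings (constructed), standing in for real file contents.
ALLOWED_HASHES = {
    fingerprint(b"constructed winword.exe"),
    fingerprint(b"constructed excel.exe"),
    fingerprint(b"constructed cmd.exe"),
    fingerprint(b"constructed powershell.exe"),
}


@dataclass
class Verdict:
    action: str  # "allow" or "block"
    rule: str    # which rule made the decision


def basename(path: str) -> str:
    """Case-folded file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_hashes(field: str) -> dict:
    """Parse a Sysmon-style 'ALG=hex,ALG=hex' Hashes field into a dict."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            alg, value = part.split("=", 1)
            out[alg.strip().upper()] = value.strip().lower()
    return out


def evaluate(event: dict, allowed=ALLOWED_HASHES) -> Verdict:
    image = basename(event["Image"])
    parent = basename(event["ParentImage"])
    # Rule 1 runs first: an allowlisted interpreter is still abused when a
    # malicious document makes Office launch it.
    if parent in OFFICE_PARENTS and image in INTERPRETERS:
        return Verdict("block", f"parent-child: {parent} -> {image}")
    # Rule 2 keys on the hash, not the name, so a renamed or patched binary
    # does not inherit the trust of the original.
    if parse_hashes(event["Hashes"]).get("SHA256") not in allowed:
        return Verdict("block", f"allowlist: unknown fingerprint for {image}")
    return Verdict("allow", "allowlist")


# Constructed sample events; only the fields the rules need are present.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Hashes": "SHA256=" + fingerprint(b"constructed winword.exe")},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "Hashes": "SHA256=" + fingerprint(b"constructed powershell.exe")},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Hashes": "MD5=00,SHA256=" + fingerprint(b"constructed powershell.exe")},
    {"Image": r"C:\Users\Public\powershell.exe",   # renamed unknown binary
     "ParentImage": r"C:\Windows\explorer.exe",
     "Hashes": "SHA256=" + fingerprint(b"something else entirely")},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\EXCEL.EXE",
     "Hashes": "SHA256=" + fingerprint(b"constructed cmd.exe")},
]


def run_sample() -> list:
    """Evaluate the constructed events; returns (child, action) pairs."""
    return [(basename(e["Image"]), evaluate(e).action) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        v = evaluate(event)
        print(f"{v.action:5}  {basename(event['ParentImage'])} -> "
              f"{basename(event['Image'])}  [{v.rule}]")
```

The ordering matters: checking the allowlist first and returning early would let an approved powershell.exe through even when Word launched it, which is exactly the document-macro case the post mentions. Keying the allowlist on the hash rather than the path is what makes "file fingerprint" whitelisting stronger than a name-based block.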

     



  • 9.  RE: Comparison between SEP 14 & Microsoft Forefront EP

    Posted Feb 22, 2017 01:55 PM

    Does this include SEP 14? The OP was asking for 14.



  • 10.  RE: Comparison between SEP 14 & Microsoft Forefront EP

    Posted Feb 22, 2017 02:09 PM

    Yes



  • 11.  RE: Comparison between SEP 14 & Microsoft Forefront EP

    Posted Feb 22, 2017 02:20 PM

    Brian, before posting I had already gone through the datasheet but unfortunately did not find what I was looking for..

    Anyway, thank you all for your comments,

    @ Iftikhariqbal..Nice work....I really appreciate your efforts...thanks again :)