Endpoint Buyer's Guide 2019


Endpoint Security Buyers Guide
As cyber threats become ever more complex, the pressure
to have the right endpoint solution in place has also grown.
However, the endpoint security marketplace has become
congested with many different solutions, and is so full of
indefensible marketing claims that making an educated
decision for your organization is increasingly difficult.
This guide provides clarity by walking you through
the key endpoint security technologies to ensure you
have the right protection in place. It also enables you
to see how different vendors stack up in independent
tests, helping you make an informed choice.
Endpoint Security Buyers Guide

The uncomfortable truth about endpoint security


The endpoint security market is full of hype and extravagant claims. However, the reality is that 68%
of organizations fell victim to a cyberattack in the last year*. That’s why world-class protection is the
foundation of any effective security strategy.

However, protection alone is not enough. Four out of five organizations admit to having a shortage of internal
security expertise*. With this in mind, usability is also essential if hard-pressed IT teams are to make the best
use of the protection capabilities.

You should also assume that a threat will get through your defenses and equip your organization
accordingly. This includes having full visibility into how threats enter the organization, where they went, and
what they touched so that you can neutralize the attack and plug any security gaps.

Use this guide to understand the protection technologies available and make an informed choice of
endpoint protection products.

Product Features and Capabilities


Endpoint security solutions, sometimes referred to simply as antivirus solutions, may include a variety
of foundational (traditional) and modern (next-gen) approaches to preventing endpoint threats. When
evaluating solutions, it is important to look for solutions that have a comprehensive set of techniques to
stop a wide range of threats. It also is important to understand the threats you are trying to prevent.

Endpoint Threats
While the threat landscape is constantly evolving, below are some key endpoint threats to consider when
evaluating different solutions:

• Portable executables (malware): When endpoint protection is considered, malicious software programs
(malware) are often the primary concern. Malware includes both known and never-seen-before samples.
Solutions often struggle to detect the unknown malware, which matters because SophosLabs sees
approximately four hundred thousand pieces of unknown malware every day. Solutions should be
adept at spotting packed and polymorphic files that have been modified to make them harder to identify.

• Potentially unwanted applications (PUA): PUAs are applications that are not technically malware,
but are likely not something you want running on your machine, such as adware. PUA detection has
become increasingly important with the rise of cryptomining programs used in cryptojacking attacks.

• Ransomware: More than half of organizations have been hit by ransomware in the past year, costing on
average $133,000 (USD)². The two primary types of ransomware are file encryptors and disk encryptors
(wipers). File encryptors are the most common: they encrypt the victim's files and hold them for
ransom. Disk encryptors lock up the victim's entire hard drive, not just the files, or wipe it completely.

• Exploit-based and file-less attacks: Not all attacks rely on malware. Exploit-based attacks
leverage techniques that take advantage of software bugs and vulnerabilities in order to gain access
to and control of your computer. Weaponized documents (typically a Microsoft Office document
that has been crafted or modified to cause damage) and malicious scripts (malicious code
often hidden in legitimate programs and websites) are common techniques used in
these attacks. Other examples include man-in-the-browser attacks (the use of malware to
infect a browser, allowing attackers to view and manipulate traffic) and malicious traffic (using
web traffic for nefarious purposes, such as contacting a command-and-control server).

* Seven Uncomfortable Truths of Endpoint Security, March 2019. An independent survey of 3,100 IT Managers in 12 countries, commissioned by Sophos

October 2019 2

• Active adversary techniques: Many endpoint attacks involve multiple stages and multiple
techniques. Examples of active adversary techniques include privilege escalation (methods
used by attackers to gain additional access in a system), credential theft (stealing user names
and passwords), and code caves (hiding malicious code inside legitimate applications).

Modern (next-gen) techniques vs. foundational (traditional) techniques


While they may go by different names, antivirus solutions have been around for a while and are proven
to be very effective against known threats. There are a variety of foundational techniques that
traditional endpoint protection solutions have relied on. However, as the threat landscape has
shifted, unknown threats, such as malware that has never been seen before, have become more
and more common. Because of this, new technologies have come to the marketplace. Buyers
should look for a combination of modern approaches, often referred to as "next-gen" security,
and proven foundational approaches. Some key capabilities include:

Foundational capabilities:
• Anti-malware/antivirus: Signature-based detection of known malware.
Malware engines should have the ability to inspect not just executables but
also other code such as malicious JavaScript found on websites.

• Application lockdown: Preventing malicious behaviors of applications, like a
weaponized Office document that installs another application and runs it.

• Behavioral monitoring/Host Intrusion Prevention Systems (HIPS): This foundational
technology protects computers from unidentified viruses and suspicious behavior.
It should include both pre-execution and runtime behavior analysis.

• Web protection: URL lookup and blocking of known malicious websites. Blocked
sites should include those that may run JavaScript to perform cryptomining, and
sites that harvest user authentication credentials and other sensitive data.

• Web control: Endpoint web filtering allows administrators to define
which file types a user can download from the internet.

• Data loss prevention (DLP): If an adversary is able to go unnoticed, DLP capabilities would be
able to detect and prevent the last stage of some attacks, when the attacker is attempting
to exfiltrate data. This is achieved by monitoring a variety of sensitive data types.

Modern capabilities:
• Machine learning: There are multiple types of machine learning methods, including deep
learning neural networks, random forest, Bayesian, and clustering. Regardless of the
methodology, machine learning malware detection engines should be built to detect both
known and unknown malware without relying on signatures. The advantage of machine
learning is that it can detect malware that has never been seen before, ideally increasing
the overall malware detection rate. Organizations should evaluate the detection rate, the
false positive rate, and the performance impact of machine learning-based solutions.


• Anti-exploit: Anti-exploit technology is designed to deny attackers by preventing the tools
and techniques they rely on in the attack chain. For example, exploits like EternalBlue and
DoublePulsar were used to execute the NotPetya and WannaCry ransomware. Anti-exploit
technology stops the relatively small collection of techniques used to spread malware and
conduct attacks, warding off many zero-day attacks without having seen them previously.

• Ransomware-specific: Some solutions contain techniques specifically designed
to prevent the malicious encryption of data by ransomware. Often ransomware-specific
techniques will also remediate any impacted files. Ransomware
solutions should not only stop file ransomware, but also disk ransomware used
in destructive wiper attacks that tamper with the master boot record.

• Credential theft protection: Technology designed to prevent the theft of authentication
passwords and hash information from memory, registry, and off the hard disk.

• Process protection (privilege escalation): Protection built to determine when a process
has a privileged authentication token inserted into it to elevate privileges as part of
an active adversary attack. This should be effective regardless of what vulnerability,
known or unknown, was used to steal the authentication token in the first place.

• Process protection (code cave): Prevents use of techniques such as code cave and
AtomBombing often used by adversaries looking to take advantage of the presence of legitimate
applications. Adversaries can abuse these calls to get another process to execute their code.

• Endpoint detection and response (EDR)/root cause analysis: EDR and other analytical
tools are not focused on preventing attacks, but rather on analyzing and responding
to previously detected incidents. Some also offer hunting capabilities to discover
attacks that previously went unnoticed. It is important to match the size and skillset of
your IT team with the complexity and ease of use of the tool being considered.

• Incident response/Synchronized Security: Endpoint tools should at a minimum
provide insight into what has occurred to help avoid future incidents. Ideally, they would
automatically respond to incidents, without a need for analyst intervention, to stop threats
from spreading or causing more damage. It is important that incident response tools
communicate with other endpoint security tools as well as network security tools.

The "power of the plus": combining multiple techniques for comprehensive endpoint security

When evaluating endpoint solutions, organizations should not just look for one primary feature.
Instead, look for a collection of impressive features that encompass both modern techniques, like
machine learning, as well as foundational approaches that have been proven to still be effective,
and endpoint detection and response (EDR) for investigation and incident response. Relying on one
dominant feature, even if it is best-in-class, means that you are vulnerable to a single point of failure.
Conversely, a defense-in-depth approach, where there is a collection of multiple strong security
layers, will stop a wider range of threats. This is what we often refer to as "the power of the plus"
– a combination of foundational techniques, plus machine learning, plus anti-exploit, plus anti-
ransomware, plus EDR, plus much more.

As part of an endpoint security evaluation, ask different vendors what techniques are included in
their solution. How strong are each of their components? What threats are they built to stop? Do
they rely only on one primary technique? What if it fails?


Sophos vs. the Competition


Comparing products with different features is hard enough, but comparing their performance in simulated
attacks, where an attacker’s actions are potentially infinite and unknown, is nearly impossible. For
those who choose to test on their own, an introductory testing guide can be found here. However, many
organizations choose to rely on third party assessments to aid their buying decisions.

NSS Labs Advanced Endpoint Protection Test


The NSS Labs 2019 Advanced Endpoint Protection (AEP) Security Value Map™ rates Sophos ahead of all
other advanced endpoint protection solutions.

• Sophos Intercept X Advanced ranked #1 at security effectiveness

• Sophos Intercept X Advanced ranked #1 at total cost of ownership (TCO)

As a result, NSS Labs rewarded Sophos with a Recommended rating.

The full report is available here.


360 Degree Assessment & Certification


In the Q2 2019 MRG Effitas endpoint test, Sophos Intercept X blocked 100% of the attacks tested.
This was achieved with the default settings of Intercept X Advanced, while the majority of other
products deployed additional protections for the test.

In addition to Sophos Intercept X, Avira Antivirus Pro, Bitdefender Endpoint Security, CrowdStrike
Falcon Protect, ESET Endpoint Security, F-Secure Computer Protection Premium, Kaspersky Small Office
Security, Microsoft Windows Defender, and Symantec Endpoint Protection received a Level 1 passing grade.

Test Employed                          Sophos Result
In the Wild 360 / Full Spectrum Test   100% block rate
Financial malware                      100% block rate
Ransomware                             100% block rate
PUA / Adware Test                      100% block rate
Exploit/Fileless Test                  100% block rate
False Positive Test                    0 false positives

Avast Business Antivirus, McAfee Endpoint Security, and Trend Micro Worry-Free Business Security
all failed the test.

Read the full report here.


MRG Effitas Malware Protection Test


MRG Effitas conducted a commissioned test comparing the ability of different endpoint protection products to detect
malware and potentially unwanted applications (PUA). Six different vendors, including Sophos, were reviewed in the test.
Sophos ranked #1 at detecting malware, as well as #1 at detecting potentially unwanted applications. Sophos also had an
impressive false positive rate.

[Chart: Comparative Protection Assessment, Malware & PUA Accuracy / False Positive, per vendor.
Categories: Auto Blocked, Behavior Blocked, Missed, Disputed, False Positive, True Negative.]

Read the complete results here.


MRG Effitas Exploit and Post-Exploit Protection Test


As a follow-up to their malware protection test, MRG Effitas also released a report comparing how
different endpoint solutions stop specific exploitation techniques. Sophos Intercept X far outperformed
the other solutions tested. In fact, Sophos was able to block more than twice the number of exploit
techniques relative to most of the other tools tested.

[Chart: Exploit Protection Test Results, per product. Legend: Level 1: product blocked the exploit;
Level 2: exploit missed but attack stopped by other methods; Disputed; Missed.]

The full report is available here.

SE Labs Endpoint Protection Report


Sophos Intercept X Advanced achieved a 100% Total Accuracy Rating for both enterprise endpoint
protection and small business endpoint protection in the SE Labs endpoint protection test report
(Jul - Sep 2019). Intercept X Advanced has been given an AAA rating by SE Labs in every test they
have conducted, dating back to April 2018.

TOTAL ACCURACY RATINGS

Product                                              Total Accuracy Rating   Total Accuracy (%)   Award
Sophos Intercept X                                   1,136                   100%                 AAA
Kaspersky Endpoint Security                          1,135                   100%                 AAA
McAfee Endpoint Security                             1,135                   100%                 AAA
Symantec Endpoint Security Enterprise Edition        1,134                   100%                 AAA
Microsoft Windows Defender ATP's Antivirus           1,126                   99%                  AAA
ESET Endpoint Security                               1,123                   99%                  AAA
Crowdstrike Falcon                                   1,120                   99%                  AAA
Trend Micro OfficeScan, Intrusion Defense Firewall   1,117                   98%                  AAA
Bitdefender Gravity Zone Endpoint Security           1,098                   97%                  AAA
VIPRE Endpoint Security                              1,088                   96%                  AAA

Source: SE Labs Small Business Protection Jul-Sep 2019


TOTAL ACCURACY RATINGS

Product                                              Total Accuracy Rating   Total Accuracy (%)   Award
Sophos Intercept X                                   1,136                   100%                 AAA
Kaspersky Endpoint Security                          1,135                   100%                 AAA
McAfee Endpoint Security                             1,135                   100%                 AAA
Symantec Endpoint Protection Card                    1,134                   100%                 AAA
Trend Micro Worry Free Security Services             1,129                   99%                  AAA
Microsoft Windows Defender ATP's Antivirus           1,126                   99%                  AAA
ESET Endpoint Security                               1,123                   99%                  AAA
Bitdefender Gravity Zone Endpoint Security           1,098                   97%                  AAA

Source: SE Labs Enterprise Protection Jul-Sep 2019

Gartner Magic Quadrant for Endpoint Protection Platforms


Gartner's Magic Quadrant for Endpoint Protection Platforms is a research tool that rates vendors on
completeness of vision and ability to execute. Sophos has been named a "Leader" in the Gartner Magic
Quadrant for Endpoint Protection Platforms for the eleventh consecutive report. Gartner praised Sophos
for our strong endpoint protection, real-world endpoint detection and response (EDR) usability, as well
as our unifying platform, Sophos Central. Gartner praised Sophos for our proven record at stopping
ransomware, the deep learning technology that blocks never-seen-before malware, and our anti-exploit
technology. According to Gartner, the success of Sophos Intercept X "has propelled Sophos beyond its
SMB roots and increased its brand awareness in enterprise organizations".


AV Comparatives
Intercept X made its first public AV-Comparatives Business Security Test appearance and ranked #1 for
malware detection. We earned a 99.7% detection rate with just one false alarm in the "real world" test,
and 99.9% detection and zero false alarms in the "malware" test.

Vendor(s)                                            Malware Protection Rate   False Alarms on common business software
Avast, Bitdefender, Panda, Sophos, SparkCognition    99.9%                     0
Cisco, Symantec, Trend Micro                         99.8%                     0
K7, McAfee                                           99.7%                     0
Seqrite                                              99.6%                     0
FireEye, Microsoft                                   99.5%                     0
CrowdStrike, Endgame, VIPRE                          99.2%                     0
Kaspersky Lab                                        99.0%                     0
Fortinet                                             98.9%                     0
ESET                                                 99.5%                     0

Source: AV-Comparatives Business Security Test March-April 2019

PC Magazine
Intercept X received an “Excellent” Rating and their “Editor’s Choice” award.

PC Magazine declared that Intercept X is “an instant win for anyone looking
to provide a defense against ransomware for any sized business.” They went
on to say that it “has a wide range of sophisticated features to guard against
malware of all forms, and has earned the praise of several independent
labs as well as earned our Editors' Choice designation in our ransomware
protection for business review roundup”.

Source: https://www.pcmag.com/review/366727/sophos-intercept-x-endpoint-protection

AV-Test (Mac)
Sophos scored a 6/6 on protection, 6/6 on performance, and a 6/6 for
usability, the only perfect score among Mac endpoint protection vendors
tested.

Source: https://www.av-test.org/en/antivirus/business-macos/macos-mojave/june-2019/sophos-endpoint-9.8-191636/


The Forrester Wave™: Endpoint Security Suites


Forrester Research, Inc. conducts extensive product evaluations to create their report, interviewing
both endpoint vendors and their customers. They evaluate vendors based on the strength of both their
product and their strategy. Sophos has, once again, been named as a Leader in the Forrester Wave for
Endpoint Protection Suites.

The full report is available here.

ESG Labs Intercept X Review


The Enterprise Strategy Group Lab tested Sophos Intercept X and determined:

"Intercept X stopped 100% of the exploit techniques that were missed by the traditional antivirus
application."³

The full report is available here.


Intercept X Third Party Test Results and Top Analyst Reports


SE Labs
• AAA Rated for Enterprise – 100% total accuracy rating
• AAA Rated for SMB – 100% total accuracy rating

NSS Labs
• Ranked #1 for Security Effectiveness
• Ranked #1 for Total Cost of Ownership (TCO)

AV-Comparatives
• Ranked #1 for Malware Protection (99.9% detection, zero false alarms)

MRG Effitas
• Ranked #1 for Malware Protection
• Ranked #1 for Exploit Protection
• 100% block rate, 0 false positives in the 360 Degree Assessment

PC Magazine
• Editor's Choice

AV-Test
• Top Product: 6/6 Protection, 6/6 Usability, 5.6/6 Performance
• #1 macOS protection: 6/6 Protection, 6/6 Usability, 6/6 Performance
• AV-Test (Android): Perfect Score

Gartner
• Leader: 2019 EPP Magic Quadrant

Forrester
• Leader: 2018 Endpoint Security Wave


Extending Your Security: Consider Complete Protection

An endpoint security solution is just one part of an overall security strategy. Today's organizations are wise
to look beyond the endpoint toward protecting the entire environment.

Ideally, a single vendor provides solutions that work together to give you consistent protection and policy
enforcement throughout your organization. Working with a single vendor can provide better security, reduce
administration, and lower costs.

Some specific technologies to consider along with endpoint protection include full disk encryption,
mobile device management, mobile security, secure email gateway, specialized server or virtual
machine protection, and Synchronized Security between endpoint and network devices.

Extending Your Security: Endpoint Detection & Response


Sophos Intercept X Advanced with EDR integrates intelligent endpoint detection and response (EDR) with
the industry’s top-rated malware detection, top-rated exploit protection, and other unmatched endpoint
protection features.

Intelligent endpoint detection and response means that security teams have the visibility and expertise
they need to answer the tough questions that are asked as part of an incident response effort including:

• Understand the scope and impact of security incidents
• Detect attacks that may have gone unnoticed
• Search for indicators of compromise across the network
• Prioritize events for further investigation
• Analyze files to determine if they are a threat or potentially unwanted
• Confidently report on your organization's security posture at any given moment

Sophos Intercept X Advanced highlights include:

• EDR combined with the strongest endpoint protection
• Deep Learning Malware Analysis to replicate the role of malware analysts
• On-demand curated threat intelligence from SophosLabs
• Machine learning detection and prioritization of suspicious events (available in 2019)
• Guided investigations that make EDR approachable yet powerful
• Respond to incidents with a single click

Feature comparison (columns: Sophos Intercept X Advanced with EDR | Sophos Intercept X Advanced | Sophos Intercept X | Sophos Endpoint Protection)

Foundational techniques                 ✓ ✓ ✓
Deep learning                           ✓ ✓ ✓
Anti-exploit                            ✓ ✓ ✓
CryptoGuard anti-ransomware             ✓ ✓ ✓
Endpoint detection and response (EDR)   ✓


Evaluating Endpoint Security: Top 10 Questions to Ask


To evaluate an endpoint protection solution, start by asking the vendor the following questions:

1. Does the product rely on foundational techniques, modern techniques, or a combination of both?
Which specific features are core to the technology?

2. How does the product detect unknown threats? Does it utilize machine learning?

3. For products claiming to leverage machine learning, what type of machine learning is used? Where
does the training data come from? How long has the model been in production?

4. What technology exists to prevent exploit-based and file-less attacks? What anti-exploit techniques
are leveraged, and what types of attacks can they detect?

5. Does the product have technology specifically designed to stop ransomware?

6. Does the vendor have third party results validating their approach?

7. Does the product have an acceptable level of false positives? If a false positive is detected, how easy is
it to reduce its impact?

8. What visibility into an attack does the vendor provide, such as root cause analysis?

9. Does the product automatically respond to a threat? Can it automatically clean up a threat and respond
to an incident?

10. What level of effort is involved in the deployment and use of the solution?

Conclusion
As cyber threats continue to grow in both complexity and number, it's more important than ever to have
effective protection in place at the endpoint. Understanding the threats you need to block and the different
security technologies available will enable you to make an informed choice of endpoint security, and give
your organization the best protection against today's attacks.

Sources:
¹ State of Endpoint Security Survey 2018
² State of Endpoint Security Survey 2018
³ MRG Effitas Comparative Malware Protection Assessment, February 2018
Gartner Magic Quadrant for Endpoint Protection Platforms, Ian McShane, Eric Ouellet, Avivah Litan, Prateek Bhajanka, 24 January 2018. Gartner does not endorse any vendor, product
or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of
the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research,
including any warranties of merchantability or fitness for a particular purpose.
The Forrester Wave™: Endpoint Security Suites, Q4 2016 by Chris Sherman, October 19, 2016

Try Sophos Intercept X now for free.

United Kingdom and Worldwide Sales North American Sales Australia and New Zealand Sales Asia Sales
Tel: +44 (0)8447 671131 Toll Free: 1-866-866-2802 Tel: +61 2 9409 9100 Tel: +65 62244168

© Copyright 2019. Sophos Ltd. All rights reserved.


Registered in England and Wales No. 2096520, The Pentagon, Abingdon Science Park, Abingdon, OX14 3YP, UK
Sophos is the registered trademark of Sophos Ltd. All other product and company names mentioned are
trademarks or registered trademarks of their respective owners.

2019-08-08 WP-NA (RP)
