In the 2000s many end users believed that anti-virus was a commodity. It wasn't hard to find security companies that agreed with this notion. In those days the argument was simple to make: there were few kinds of threats, and they could be stopped with a signature. The bulk of the companies could stop the bulk of these threats, so why not buy the cheapest solution?
Those days are long gone, but conversations around endpoint security still carry a whiff of the notion that all solutions are the same. This could not be further from the case. The threat landscape now includes attack techniques that leave nothing to scan, so traditional scanning technologies don't even come into play: hashes get regenerated, file names change constantly, or threats run in an unscannable encrypted form.
Security companies and threat makers continue to evolve their techniques. The most advanced hacking organizations do a good job of making their attacks blend in with the network infrastructure so that they are hard to see and detect. This is where the leading security companies have had to invest in R&D to develop new ways to block and detect attacks, as well as the signs of something that could lead to an attack.
An endpoint security evaluation needs to ask questions beyond viruses and malware: can the solution detect hacking techniques and the use of reconnaissance tools? The evaluation also needs to be mindful of the remediation tools included in the solution. If something does get through, how will it be remediated?
The easiest place to start is to evaluate multiple solutions to get different takes on how each vendor solves the security problem. If a vendor has multiple tiers, stay away from the cheapest one, as it has usually stripped out the advanced features that are needed most. Key questions should include: How do you stop PowerShell attacks? How do you stop threats that only run in memory? Do you detect privilege escalation? How do you detect signs that ransomware is about to occur?
This will give you a good start in making sure you are evaluating solutions from forward-thinking companies.