How leading endpoint security providers compare on enterprise performance

Check out all the on-demand sessions from the Intelligent Security Summit here.

A skilled attacker can scan and find unprotected endpoints on an enterprise network in seconds, taking just one hour and 24 minutes to move from the initial point of compromise to other systems. That’s 14 minutes faster than last year, based on Falcon OverWatch’s findings in the 2022 CrowdStrike Global Threat Report. 

Over-configured endpoints are just as vulnerable, creating threat surfaces as they decay. A typical endpoint has, on average, 11.7 security controls installed, and each is decaying at a different rate. Absolute Software’s Endpoint Risk Report found that 52% of endpoints have installed three or more endpoint management clients, and 59% have installed at least one identity access management (IAM) client. 

Unprotected and overprotected endpoints not managed well are a breach waiting to happen. Endpoint intrusions often lead to months-long breaches costing millions of dollars. The Ponemon Institute and Adaptiva’s 2022 report, Managing Risks and Costs At The Edge, found that 54% of organizations have had an average of five attacks on their endpoints in the past year. The annual cost of these annual attacks is $1.8 million, or $360,000 per attack.  

Only 20% of CISOs and cybersecurity leaders say they could prevent a damaging breach today, despite 97% believing their enterprises are as prepared or more prepared for a cyberattack than a year ago. Ivanti’s State of Security Preparedness 2023 Report reflects enterprises’ urgent need to upscale their tech stacks, consolidating applications to improve performance while reducing costs.


Intelligent Security Summit On-Demand

Learn the critical role of AI & ML in cybersecurity and industry specific case studies. Watch on-demand sessions today.

Watch Here

What’s driving more spending on endpoint security

CISOs deal with a threatscape where endpoint sprawl creates more human and machine identities than many enterprise security teams can track and protect. The typical enterprise reports having more than 250,000 machine identities. It’s no surprise that in many enterprises, machine identities outnumber human identities by 45 times.

Cybercriminal gangs are increasingly using artificial intelligence (AI) and machine learning (ML) to go on the offensive. Critical targets for these technologies are identifying unprotected, weak endpoints in milliseconds, inventing new ways to evade detection so malware can be installed on enterprise servers, and automating phishing attacks, while also performing ongoing network reconnaissance.

“Security experts have noted that AI-generated phishing emails have higher rates of being opened — [for example] tricking possible victims into clicking on them and thus generating attacks — than manually crafted phishing emails,” said Brian Finch, co-leader of the cybersecurity, data protection and privacy practice at law firm Pillsbury Law. “AI can also be used to design malware that is constantly changing, to avoid detection by automated defensive tools.”

The combination of offensive AI techniques that are nearly impossible to identify and stop with legacy endpoint systems combined with the need to update tech stacks to zero trust are driving spending. CISOs tell VentureBeat that they’re relying on zero-trust wins they can quickly achieve to save next year’s budget. Ivanti’s study validates that cybersecurity budgets are growing next year, finding that 71% of CISOs and security professionals predict their budgets will jump an average of 11%. 

Gartner’s forecast is equally optimistic, predicting worldwide spending on information security and risk management will grow from $157.7 billion in 2021 to $261.5 billion in 2026, attaining a compound annual growth rate (CAGR) of 11.1%.

Endpoint protection platform spending worldwide is projected to increase from $11.9 billion in 2021 to $25.8 billion in 2026, more than doubling in size in five years. Frost and Sullivan’s Endpoint Security Forecast predicts that the global endpoint security market will reach $31.1 billion by 2026, up from $17.4 billion in 2021, attaining a 12.3% CAGR.

Comparing leading endpoint security vendors

CISOs need endpoint security providers to go on the offensive and provide cloud-based platforms capable of interpreting and taking action on a broader base of telemetry data in real-time. CrowdStrike’s 2022 Falcon OverWatch Threat Hunting Report discovered that 71% of all detections indexed by the CrowdStrike Threat Graph are malware-free intrusions.

“A key finding from the report was that upwards of 60% of interactive intrusions observed by OverWatch involved the use of valid credentials, which continue to be abused by adversaries to facilitate initial access and lateral movement,” said Param Singh, VP of Falcon OverWatch at CrowdStrike.

The Omdia Market Radar: Endpoint Security Platforms 2022 report looks at six core areas of endpoint security platform performance. These measure how well an endpoint platform will scale and meet the four core areas of preventing and protecting against file-based and file-less malware exploits; allowing or blocking processes, scripts and software; detecting and preventing threats using behavioral analysis; and tools to investigate incidents and define remediation strategies.

Omdia’s analysis found that Bitdefender, Cisco, CrowdStrike, Microsoft, SentinelOne, Sophos and Trellix are the highest-performing endpoint providers on the market. Absolute Software, Morphisec and Trend Micro are vendors to watch.

“Cyberthreats and compliance challenges have accelerated alongside explosive growth in remote work, creating new challenges for enterprises that are trying to mitigate the heightened risk that traditional security tools can no longer address,” said Rik Turner, principal analyst for cybersecurity at Omdia. “This new Radar identifies the latest innovations that effectively defend modern enterprise edge environments without disrupting business operations. Because all organizations have unique requirements, we profiled additional vendors delivering highly differentiated capabilities to the market.”

Omdia’s thorough analysis of endpoint security leaders provides valuable insights into each vendor’s strengths, weaknesses, and direction in the market. Source: Omdia Market Radar: Endpoint Security Platforms, 2022

Comparing vendors’ strengths and weaknesses

Bitdefender, Cisco, CrowdStrike, Microsoft, SentinelOne, Sophos and Trellix are proven enterprise-grade endpoint security platforms that contribute to zero-trust initiatives today. Absolute Software, Morphisec, and Trend Micro also have proven their platforms enterprise-ready across a broad spectrum of companies and use cases. Omdia’s conclusion that these three endpoint platform providers are the ones to watch reflects what VentureBeat hears from CISOs with experience on these platforms. 

Bitdefender excels at Active Directory integration, and dashboards have more than enough options

Bitdefender customers tell VentureBeat that integrating with Active Directory is one of the platform’s strongest features, along with solid performance managing passwords, keys and policies. Users also say that Bitdefender’s GravityZone Email Security helps stop phishing attacks.

Weaknesses include having too many options to configure dashboards with, which one CISO told VentureBeat tempts security teams to “boil the secops ocean” given how many options there are. Customers also say Windows support is the most comprehensive, with Linux and macOS needing an equitable amount of support.  

Cisco Secure Endpoint gets higher user marks for its scalability and threat detection, while scanning needs to be improved

Cisco’s customers appreciate how well Secure Endpoint is integrated into the broader Cisco Security Suite. Customers also praise Cisco’s approach to cloud services and secured endpoints, ThreadGrid integration and well-designed dashboards. Users also have high regard for Cisco Secure Endpoint and Cisco Talos, which provide real-time threat intelligence that helps detect new threats and malware.

Users want to see Cisco move faster to mature their endpoint and detection response (EDR) systems and broader stack and do more to reduce false positives the system creates. Another customer complaint is how much memory endpoint agents can take if not optimally configured and how scanning sometimes produces false positives. 

CrowdStrike’s many strengths have attracted the most enthusiastic customer base in endpoint security, with Indicators of Compromise (IOC) being an area they want more training on

VentureBeat has spoken with more than a dozen CrowdStrike customers this year and found that their favorite features of the CrowdStrike Falcon platform include how easy it is to deploy users’ machines, how fast and responsive the company’s EDR support teams are, and how its cloud console manageability delivers solid, trustworthy results. Customers also recommend behavioral analysis of devices, real-time threat detection, and customized dashboards.

Customers want more guidance on configuring Indicators of Compromise (IOC). One customer told VentureBeat that installing Falcon in complex enterprise networks requires technical expertise from CrowdStrike’s dedicated account team.

Microsoft Defender for Endpoint gets high praise for solid antivirus, malware and threat protection, with users asking for improved vulnerability reporting

Defender for Endpoint users told VentureBeat that they consider Microsoft’s endpoint security solution the best for combating malware, ransomware and spyware threats. For example, they’ve seen Defender for Endpoint stop breach attempts embedded in unrecognizable .exe files. They’re also seeing how effective application control, exploit protection, hardware-based isolation, network protection, web protection and network firewall support is.

The most common complaint from Defender from Endpoint is how the integration for remediation and patch management is less advanced than other platform areas. 

SentinelOne Singularity Platform is one of the most highly regarded in endpoint security, yet customers complain about persistence of endpoints

VentureBeat spoke with several SentinelOne customers who replaced on-premises systems with SentinelOne to gain greater detection and cloud management, and more visibility and control across enterprise-scale threatscapes. Customers tell VentureBeat that the deployment went smoothly, and the teams from SentinelOne helped define the best possible configuration given their budget constraints.

A typical customer complaint is that the scanning engine can be challenging to configure for optimal performance, leading to too many false positives. Customers say this leads to many threats being labeled ambiguously, making analysts’ tasks in the security operations centers (SOC) more challenging. 

Sophos Intercept X is highly regarded for its use of ML to detect malware, yet it needs to improve scanning alert accuracy

Customers tell VentureBeat that Sophos Intercept X excels at using ML to detect malware and prioritize the most urgent threats. Sophos XDR integrated quickly with cloud, network and server infrastructure — including mobile and email systems — all in a single platform, which improves accuracy. Customers also praise a crypto guard feature that allows reversing the encryption of unauthorized files, preventing attackers from publishing a company’s information for ransom.

Like other endpoint platforms, customers say Sophos needs to improve the level of customization for scanning and provide greater control over disk utilization of the scan, along with more control over asset management at the endpoint level. 

Trellix Endpoint Security is recognized as a solid integrated suite, yet endpoints aren’t configured to self-heal

Known for having a well-integrated suite of endpoint security tools, Trellix is a market leader in the endpoint protection market, Their integration of asset management, application control, endpoint intelligence, behavioral analysis and automated remediation are considered among the best in the industry. Their cloud portal supports and streamlines using multifactor authentication (MFA) on an enterprise scale.

Weaknesses include too many false positives if scanning is not optimized for a given corporate environment, and challenges getting the platform integrated with legacy security information and event management (SIEM) platforms. Customers also tell VentureBeat that their endpoints are not as self-healing as they’d hoped and would like to see that improved. 

Comparing Omdia’s companies to watch

Absolute Software 

Absolute’s Resilience platform provides real-time visibility and control of any device on a network or not, along with detailed asset management data. It’s also the industry’s first self-healing zero-trust platform that provides asset management, device and application control, endpoint intelligence, incident reporting, resilience and compliance.

What’s also noteworthy about Absolute is how they have collaborated with 28 device manufacturers who have embedded Absolute firmware in their devices to enable an undeletable digital tether to every device to help ensure the highest levels of resiliency. Omdia notes how successful Absolute’s partnerships continue to be, with leading device manufacturers embedding its patented Persistence technology into their devices’ firmware. According to the Omdia analysis, the company is embedded in over half a billion laptops. It offers three product lines: Secure Endpoint, Secure Access and Application Persistence-as-a-Service. 

The Secure Endpoint product portfolio enables IT and security personnel to monitor and address laptop computer problems and enables the laptops and their mission-critical applications to self-heal. This helps with IT management, strengthening a company’s security posture, and maintaining compliance. The company offers three tiered Secure Endpoint options: Absolute Visibility, Absolute Control and Absolute Resilience. 

All three tiers are managed from a cloud-based, configurable dashboard with predefined and custom reports and alerts. It can be integrated with ServiceNow and third-party SIEM tools. Absolute Insights for Endpoints, an add-on module for anomaly detection using real-time and historic data across devices, is also available as an option for any tier. 

Omdia notes that Absolute launched Absolute Ransomware Response in April 2022, which repackages its Absolute Resilience offering with additional recovery services focused on assessing ransomware preparedness and response. This is also offered as an add-on to Absolute Visibility or Absolute Control, but is only available for Windows devices in all cases. All Secure Endpoint solutions take advantage of the patented Absolute Persistence technology.

In November 2021, Absolute launched a new product line called Application Persistence-as-a-Service (APaaS), enabling independent software vendors (ISVs) to embed Absolute’s self-healing application capabilities into their security and business applications — helping ensure they stay installed, healthy and working across their entire customer base. Absolute’s route to market follows a “land and expand” approach, using channel partners at the outset and expanding through its direct sales force to expand or renew. 

Absolute also has its Secure Access portfolio, which was added through the acquisition of NetMotion in May 2021, and comprises Absolute VPN, which is an enterprise VPN; Absolute ZTNA, which provides a software-defined perimeter with access policies defined at the endpoint; and Absolute Insights for Network, which has diagnostics and experience monitoring across endpoints and network.


Morphisec is a cybersecurity company that offers endpoint security solutions through its Moving Target Defense (MTD) technology. MTD works by constantly changing the real-time memory structure of an application unpredictably, making it difficult for attackers to inject code and carry out attacks. Morphisec’s technology can protect against various attacks, including polymorphic, file-less, APT and ransomware.

The company offers Windows and Linux operating systems products and can be integrated with other endpoint protection and EDR platforms.

Morphisec’s technology has minimal impact on system performance and can be deployed without requiring a system restart. The company plans to release versions for containers and serverless environments.

Omdia notes that, while it is in the endpoint security market, Morphisec offers neither an EPP nor an EDR platform. Rather, it complements and augments either of these types of platforms. Its technology offering is attractive because it does not rely on prior knowledge, unlike the signatures that traditionally underpin EPPs and the behavioral analysis used by EDR, since normal behavior must be modeled beforehand to detect anomalies.

Instead, it seeks to reduce an organization’s attack surface by using what it calls Moving Target Defense (MTD), which is one way of delivering the proactive security that Omdia has been highlighting as a growing trend in the market over recent months. 

Morphisec has released a version of its MTD technology for Linux operating systems called Morphisec Knight, specifically designed to protect against sophisticated attacks that have become more prevalent on the Linux platform. Morphisec Knight offers runtime exploit prevention and attack surface reduction for legacy or unprotected systems, with minimal impact on system performance. It is the only solution that can block most supply-chain attack variations in real time without prior knowledge, addressing a common problem in the cybersecurity industry.

The Linux version of the technology operates differently than the version for Windows, using an agent in the kernel to change the system’s functioning so that only trusted apps have access. A container version is planned for release later this year, with a version for serverless environments planned for 2023.

As of mid-2022, Morphisec offered its cloud-based cybersecurity technology to more than 5,000 companies across 8.7 million endpoints through a software-as-a-service (SaaS) model and on-premises deployment. The company charges on a per-server/endpoint/virtual machine/virtual desktop basis.

The company has raised a total of $50 million in funding, with its most recent $31 million series C in March 2021, led by Jerusalem Venture Partners with participation from existing investors Orange Ventures, Deutsche Telekom Capital Partners and OurCrowd.

Trend Micro

Trend Micro is a well-established company in the endpoint security market, has been a significant player in the endpoint protection platform (EPP) space, and is one of the first vendors to expand into EDR. However, Omdia included it as a vendor to watch because its product offering is undergoing significant changes, making it unfair to compare its existing product to those of other vendors.

Omdia notes that Trend Micro is consolidating its endpoint, server and cloud workload security technologies onto a single platform called Cloud One. This platform already delivers all of the company’s cloud security technologies, such as workload protection, security posture management and software composition analysis, through a partnership with Snyk.

The move to Cloud One will allow for greater scalability, enabling the platform to handle large amounts of telemetry from current and future endpoint systems. While Trend’s existing endpoint security product, Apex One, has both on-premises and SaaS versions, the latter lacks the scalability of the new Cloud One platform.

Trend Micro plans to gradually roll out its new endpoint security offering, the Endpoint Security Service, to avoid disruption for existing Apex One customers. The new offering will be the next version of the company’s endpoint security technology, with enhanced user interface and workflows, improved performance and consolidated capabilities across endpoint, server and workload security. 

What’s in store for 2023

Endpoint security platforms need to accelerate product development and R&D to keep up with an increasingly lethal threatscape. Vendors need to follow CrowdStrike’s and Ivanti’s lead on integrating AI and ML into their core platforms, using both technologies to defend against attackers and trying to innovate with these technologies quickly.

Secondly, it’s clear that the cloud has won the endpoint security market and will continue to be a core part of any future product strategy. Thirdly, there will be a greater focus on user behavior and risk management to help better identify and take action on threats in 2023.

Also, the core elements of a zero-trust framework will become more compliant across the more than 100 different endpoint security platforms available today. Finally, data protection and privacy will define how endpoint security providers meet compliance, regulatory and customer requirements.

“Endpoint management and self-healing capabilities allow IT teams to discover every device on their network, and then manage and secure each device using modern, best-practice techniques that ensure end users are productive and company resources are safe,” Srinivas Mukkamala, chief product officer at Ivanti told VentureBeat.

“Automation and self-healing improve employee productivity, simplify device management and improve security posture by providing complete visibility into an organization’s entire asset estate and delivering automation across a broad range of devices.”  

Originally appeared on: TheSpuzz