Dispelling Myths: WireGuard® Is More Secure Than Other Protocols

May 29, 2020

There is a lot of misinformation surrounding WireGuard, so we are continuing to dispel those myths as best we can. In this entry, we are looking at the idea that WireGuard supports many different encryption and authentication methods, when in reality it is a lot more limited than that.

Which encryption does WireGuard support?

Whilst the vast majority of other VPN protocols support a wide range of cryptosystems, WireGuard is a bit simpler. It supports only one key agreement scheme (Curve25519) and only one AEAD (authenticated encryption with associated data), ChaCha20-Poly1305. In contrast, IPsec supports RSA, DSA, ECDSA, Curve25519 and a plethora of other algorithms.

How WireGuard differs from other protocols

Before we explain what exactly is under the hood, we need to emphasize an important distinction between WireGuard and other well-known protocols. WireGuard is a peer-to-peer protocol. It does not distinguish between server nodes and client nodes, nor is there any special functionality assigned to a peer as a consequence of its role.

Roles such as server or client are a deployment detail, and WireGuard does not care about such details. For easier understanding, though, we'll refer to the hide.me peer as the "server" and the customer's device as the "client".

WireGuard authentication explained

As with any other asymmetric cryptosystem, peers need to authenticate each other before a symmetric session key is established. The only authentication mechanism WireGuard supports is public key authentication. Other protocols, such as IKEv2 or OpenVPN, support username and password authentication, but WireGuard doesn't. In WireGuard the public keys serve as authentication material, as the basis for key agreement and as the foundation of crypto-key routing.

In general, if a peer Alice wishes to prove her identity to another peer Bob, she uses her private key to digitally sign some sort of message. Bob can verify such a digital signature as authentic, but only if he already possesses Alice's public key. So Bob needs to get hold of Alice's public key somehow, and in advance.

WireGuard does not provide a facility for such a key exchange; the public keys need to be set up in advance. This is also what makes it stealthy: if the public key of a peer is not known, WireGuard keeps silent. In contrast, TLS, the dominant security protocol, provides the server's public key to the client during its handshake, in the form of a certificate.

How hide.me’s WireGuard authentication works

On hide.me we combined the two. We use HTTPS to establish a short-lived, authenticated and highly secure channel in order to exchange public keys. The customer's public key is then used for the WireGuard session that is about to start. Our apps generate a fresh private and public key pair on each connection attempt.

Once the server's and the customer's public keys are in place, WireGuard has all the tools it needs to establish a session key via the Curve25519 key agreement scheme. That session key is then used by the symmetric ChaCha20-Poly1305 AEAD for the data transfer between the peers.
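The public-key provisioning, the silence towards unknown keys and the Curve25519 agreement described in the last three sections, as an added example (not hide.me's or WireGuard's code): a pure-Python X25519 (RFC 7748) under a small peer model in which a handshake from an unprovisioned public key is dropped. The `Peer` class, the HKDF step standing in for WireGuard's Noise key schedule, and the allowed-IP values are assumptions; the derived key would feed ChaCha20-Poly1305, which is not shown.

```python
# Added example, not hide.me's or WireGuard's code: pure-Python X25519
# (RFC 7748) under a minimal model of WireGuard-style crypto-key routing.
import hashlib
import hmac
import os

P = 2**255 - 19                      # Curve25519 field prime
A24 = 121665                         # (486662 - 2) / 4, ladder constant
BASE_POINT = (9).to_bytes(32, "little")


def _clamp(k: bytes) -> int:
    """Decode a 32-byte private key as an RFC 7748 scalar."""
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def _cswap(swap: int, a: int, b: int):
    d = (a ^ b) & -swap              # swap by masking, not branching
    return a ^ d, b ^ d


def x25519(private: bytes, u_bytes: bytes) -> bytes:
    """Montgomery-ladder scalar multiplication (RFC 7748 section 5)."""
    k = _clamp(private)
    u = bytearray(u_bytes)
    u[31] &= 127                     # top bit of the u-coordinate is ignored
    x1 = int.from_bytes(u, "little") % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3 = _cswap(swap, x2, x3)
        z2, z3 = _cswap(swap, z2, z3)
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    x2, x3 = _cswap(swap, x2, x3)
    z2, z3 = _cswap(swap, z2, z3)
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def public_key(private: bytes) -> bytes:
    return x25519(private, BASE_POINT)


def hkdf_sha256(ikm: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869), empty salt; stands in for WireGuard's Noise KDF (assumption)."""
    prk = hmac.new(bytes(32), ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


class Peer:
    """A node with no server/client role: a fresh key pair per connection
    (as hide.me's apps do) and a table of trusted public keys -> allowed IPs."""
    def __init__(self):
        self.private = os.urandom(32)
        self.public = public_key(self.private)
        self.allowed = {}            # crypto-key routing table (hypothetical)

    def add_peer(self, public: bytes, allowed_ip: str) -> None:
        """Out-of-band provisioning; hide.me does this over HTTPS."""
        self.allowed[public] = allowed_ip

    def handshake(self, remote_public: bytes):
        """Return (session_key, allowed_ip), or None to model WireGuard
        keeping silent when the other side's public key is not provisioned."""
        if remote_public not in self.allowed:
            return None
        shared = x25519(self.private, remote_public)
        if shared == bytes(32):      # all-zero output: low-order point, reject
            return None
        ids = b"".join(sorted([self.public, remote_public]))   # order-free
        return hkdf_sha256(shared, b"wg-demo session" + ids), self.allowed[remote_public]


def demo():
    server, client, stranger = Peer(), Peer(), Peer()
    server.add_peer(client.public, "10.0.0.2")   # constructed sample IPs
    client.add_peer(server.public, "10.0.0.1")
    s_key, _ = server.handshake(client.public)
    c_key, _ = client.handshake(server.public)
    return {"keys_match": s_key == c_key,
            "stranger_answered": server.handshake(stranger.public) is not None}
```

`demo()` returns `keys_match` True and `stranger_answered` False: both provisioned peers derive the same session key, and the unknown peer gets no reply.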

ChaCha20-Poly1305 explained

ChaCha20-Poly1305 is an AEAD (authenticated encryption with associated data): essentially a sound combination of a cipher (ChaCha20) and a message authentication code (Poly1305). An AEAD not only encrypts the sensitive data, it authenticates it too (the AE part). In addition, other, non-sensitive data may be included in the final message, and it gets authenticated as well (the AD part). AEADs provide all three pillars of security: confidentiality, integrity and authenticity of the data.

Nowadays the dominant AEAD is AES-GCM. It is a construction consisting of AES-CTR (AES in counter mode) and the GHASH MAC. It is highly secure and has no known vulnerabilities, but it is computationally expensive on platforms other than recent Intel processors.

What's the verdict?

AES is cryptographically stronger than ChaCha20, but it is a lot more taxing. So ChaCha20 is considered a good "bang-for-your-buck" option compared to AES, especially on mobile platforms. Before the advent of ChaCha20-Poly1305 there was no alternative to AES-GCM.

Depending on a single AEAD was not an option for large enterprises: what would have happened if a critical vulnerability were discovered in AES-GCM? The industry has an alternative now; even if it is not as strong or as fast as AES-GCM, it is still a viable option should AES-GCM fail.

Ordering Clothing Using VPN

Hello, I will explain my situation because I really need some help, as I am failing to understand how this works.
Before I start I want to say that I live in Serbia, in the South-East part of Europe (this is important).
Okay, to the problem now. I am trying to order a piece of clothing from a website. When I enter the UK website it auto-transfers me to the Canada website. My issue is that I cannot even order from there, as they only ship to Canada if ordered on the Canadian website.
I managed to enter the UK website using a VPN. Now, my question is, are they still going to be able to actually ship it to me if I order using a VPN, or not, since my country apparently is not even supported without a VPN?
Hope this is clear enough, thanks in advance!


Hong Kong VPN searches spike. Here’s what it means.

Demand for VPN in Hong Kong increased tenfold following the Chinese government’s newly-proposed national security laws. Experts worry the security laws presented would jeopardize the freedoms guaranteed to Hong Kong when it was handed over to China by the United Kingdom. Those freedoms include the right to protest, free media, and an independent judiciary system.

While the new national security law does not specifically address online freedom, the “Great Firewall” in mainland China heavily restricts the internet. Social media websites including Facebook and Twitter, and news publications like The New York Times cannot be accessed from mainland China.

Google, which monitors search trends, shows that search interest for the keyword "VPN" increased 500% for the week of May 17th – 23rd.

Why are Hong Kong citizens flocking to use a VPN?

A VPN conceals a user's internet activity by encrypting all the data transmitted from their device over the internet. IPVanish has applications for iOS and Android, as well as macOS and Windows, covering the requirements of most users.

Once the data is encrypted, it is transmitted through servers owned by the VPN provider. By re-routing the traffic through the VPN servers rather than directly to the requested website, the traffic is concealed and the user's personal IP address is masked. This allows users to continue to conduct their online activities safely, shielded from prying eyes. IPVanish maintains a network of more than 1,400 servers in 75+ locations, ensuring users always have a nearby location.

How should Hong Kong citizens protect themselves?

While Hong Kong at this point continues to have a free and open internet, it's best to be prepared. Those participating in the protests in Hong Kong should absolutely be using a VPN. Many protesters are already using one, out of fear that the Chinese Communist Party will obtain their personal information. This is definitely a situation where it's best to be prepared for the worst-case scenario.

As always at IPVanish, we operate a zero-log VPN service. We never track your online activities in any of our 75+ locations.

Ready to get started? Sign up for IPVanish now.

VPN router question

I want to set up a VPN router, but I want to pick and choose which devices go through the VPN tunnel and which don't.

Is that possible? I was hoping either to be able to set up rules to pick and choose which devices I want to connect via VPN, or ideally to have 2 WiFi SSIDs: one called X and the other X-VPN, which I can use for the VPN-connected devices.


How to Play Microsoft Edge’s Secret Surfing Game

Surfing in Microsoft Edge's new hidden game.

Remember SkiFree? Microsoft is one-upping Google Chrome’s hidden dinosaur game. The new version of Microsoft Edge has a secret surfing game that works offline. It’s SkiFree with a fresh new coat of paint, swapping out yetis for the Kraken.

Update: The game is now available to everyone in Microsoft Edge 83, released in May 2020. Update your Edge browser if you can’t access it yet.

How to Access the Surfing Game

To access the game, type edge://surf into Edge’s address bar and press Enter. If you’re using a version of Edge that contains the game, it will load immediately. The “edge://” part of the address signifies this is an internal page that’s built into the Microsoft Edge application itself.

You’ll see the character select screen. Use the left and right arrow keys and space bar to select a character and start playing.

Accessing Microsoft Edge's secret SkiFree-style game.


How to Play Edge’s Secret Surfing Game

Use the arrow keys to control your character and the space bar to pause. The left and right keys move left and right, the up key stops your surfer, and the down key resumes surfing. Press the “f” key to use a speed boost power-up—you can get one near the start of the game. They look like green lightning bolts.

As in the classic SkiFree game, your goal is to make it as far as you can. The game counts how far you’ve traveled in your current run at the top of the window. You start with three hearts. With every crash, you lose a heart. After you lose all your hearts, your run ends and the game shows you how far you made it.

Microsoft's secret surfing game gameplay

You can control the game with a mouse or touchpad, too. Move your mouse cursor to control your character and double-click to activate the speed boost.

The game even includes support for Xbox controllers. Plug in an Xbox 360 controller or pair an Xbox One controller wirelessly and you can control the game with the joysticks or d-pad, using the A button to pause and the right trigger to activate your speed boost. This game even supports the rumble feature on your controller!

Using an Xbox controller in Microsoft Edge's surfing game.

You can select other game modes by clicking the menu button at the top-right corner of the game. Here are the available game modes:

  • Let’s surf: The standard endless game mode. Try to get as far as you can.
  • Time trial: There’s an end to this course. Try to get there as fast as possible.
  • Zig zag: The sea has gates you need to surf through. Try to get through as many gates as you can in a row.

The game also includes other helpful accessibility features. There’s a “High visibility mode” toggle that makes obstacles easier to see and a “Reduced speed mode” that slows down the surfing speed.

All the game’s controls are explained in the menu, too. Click the menu button and select “How to play” to see the control schemes for keyboard, mouse, touchpad, and game controller.

Game settings in Edge's secret surfing game

It’s 2020 and SkiFree Is Back

This game is different from SkiFree, of course. Instead of skiing, you’re surfing. Instead of dodging yetis, you’re avoiding sea monsters. But the gameplay feels pretty familiar, and anyone who remembers playing Microsoft SkiFree in the 90s should get a dose of nostalgia from it.

This game may seem a little silly, but it’s much more fully-featured than Google Chrome’s dinosaur game. Like Chrome’s famous dino game, it works entirely offline. If your internet connection goes down and you want to kill a few minutes, you can always load the surfing game and play it entirely offline.

Hi VPN, I have a question about IP locations

I was getting shady messages from visitors to my website. Non sequiturs for subject and message. Real names who were unaware when I looked them up, fake addresses, emails and phone numbers. They were subtly telling me they were going to hack me. The subjects and messages were always cryptic and one word, like "following", "insult", "gain", "searching", "tracking", etc.

How are the IPs determined? I had one whose location was the Kremlin, and I would think it would be rather difficult to access a Kremlin server.

Thanks


VPN for Kodi – Our Selection of High-Performance VPNs for Kodi

Kodi is one of the most user-friendly and scalable media players available on the market. Free and open-source, it is available for almost all modern devices and makes it very easy to download and stream music, movies, and other media at home or while on the move. Search for content from various sources or upload your own files and start watching them.

Why should you be using Kodi in 2019?

Kodi has been taking the streaming world by storm lately. It is the latest application for streaming, storing, and playing digital content that will make you want to consider selling your smart TV; at least that's what their website claims. Kodi is a new kind of platform for streaming and playback of all types of media. It is not limited to a specific type of device or operating system; it is compatible with a wide range of systems, including Windows, OSX, Android, Linux, and the Raspberry Pi.

One of the most exciting things about Kodi is that it is free software.

It means that the program is developed by the community, for the community, and receives significant support. Users will easily find online discussions on any topic or problem they may have. The XBMC/Kodi Foundation manages the project, and its use is free of charge. For people who are after more flexibility than traditional devices or subscriptions offer, this is a tool to consider!

At first, you may think that it looks a lot like any other media player you've already used, but there's a difference. This platform is truly a media-centric web browser, capable of managing and playing media in a connected environment such as a smart home. With Kodi, users can manage, access, and play media from any source, local or online, all from the same place and on any device connected to the network. In practical terms, you can use your smart remote control, smartphone, tablet, or laptop as a single way to manage all your devices, music and movies from one place.

  • Music – Kodi organizes and supports virtually all forms of music. Albums are stored with their covers and texts, in addition to other features. It is possible to create playlists, party mixes, and more.
  • Movies – Movies are stored and displayed with their covers, casting information as well as a few exclusive bonuses.
  • TV – Kodi can adapt to the way you watch TV so you can follow the latest shows, or prepare for an intense TV session. By using the PVR extension, it is even possible to save and review your favorite programs.
  • Photos – Photos can be displayed on the largest screen in your home. You can create slideshows and much more.
  • Radio – You can listen to and control web radios from your mobile phone.

Problems you could be facing with Kodi

The use of Kodi is not without caveats, however.

Sending so much unencrypted data over the Internet raises privacy concerns, especially if you regularly use torrent or P2P networks. It can raise red flags with your Internet service provider and may even result in account termination. Access to channels and geo-blocked content is also tricky with an out-of-the-box version of Kodi.

Most people will use Kodi in combination with illegal sources allowing them to access and stream a wide range of free content.

Fortunately, combining a virtual private network (VPN) service with Kodi solves both problems. Not only does a VPN provide encrypted and anonymous traffic, it also allows you to bypass region-blocked content with a simple mouse click.

Should I use a VPN with Kodi?

Although using Kodi does not require a VPN, it is strongly recommended that you use one. This is even more true if you are using quality streaming sources such as Exodus Redux or Covenant. As online privacy becomes more and more of a concern, sending so much unencrypted personal data over the Internet can draw the attention of your service provider, especially if you use P2P networks or torrents. Each online action leaves a trail, and this information can make you vulnerable.

Most of Kodi's content comes from third-party modules, which means that your online security is always under threat. Many of these add-ons come from illegal catalogs and not from Kodi itself, which is continuously reviewed by its developers.

VPNs are inexpensive and easy to install. They also offer additional features that work well with Kodi. Even if digital privacy is not an issue, using a VPN can give you access to content and streaming channels that are usually blocked in your region. Are you traveling abroad and want to continue watching your favorite show? Install your VPN on your router, and you are ready to go. Some Kodi extensions and channels also have regional restrictions that can be easily bypassed with a good VPN.

Setting up a VPN with Kodi

Kodi can run on a wide variety of platforms, not just computers, laptops, or tablets. To encrypt your data and protect your privacy when using Kodi, you must have your VPN software installed on the same device.

Not all VPNs can be installed on new media centers such as Amazon Fire TV Stick or Apple TV in 2019, so you will need to take additional measures to protect your information.

To ensure that your non-standard Kodi devices are protected, you will need to connect your router directly to your VPN service. The process varies depending on the brand of your router and VPN provider, but it usually involves opening a browser window on your router’s configuration page and entering server/protocol information for your specific VPN. It may seem complicated and technical, but the process is actually straightforward.

Occasionally, you will need a specific type of router, or a basic router with special firmware installed. See your VPN provider's support pages for more information on securing your connection. Some VPNs even sell routers with custom software and VPN settings preinstalled.

Why we do not recommend using a free VPN with Kodi

Free VPNs are sometimes effective. However, when used to stream large files from unknown sources, they are not reliable at all.

Free VPNs do not have the encryption standards, server networks, and bandwidth necessary for effective use with Kodi.

You will need a quality paid VPN for Kodi that offers excellent speed!

Is Kodi Legal?

Kodi is, of course, legal. All you have to do is download it from the official website or your favorite app store.

It is also legal to view any content to which you have access rights, such as Netflix or Hulu subscriptions.

The problem with Kodi is that many websites choose to distribute questionable and illegal content while relying on the Kodi application, and users like to install sources that give access to this illegal content.

Top Endpoint Detection and Response (EDR) Solutions

Endpoint security is a cornerstone of IT security, so our team put considerable time and thought into this list of top endpoint detection and response (EDR) vendors.

IT security isn't just about raw test scores, although independent testing is very important in our view. It's also about the advanced features that provide additional protection, the ease of implementation and use, management control of endpoints and threats, and value and support, so we rate EDR products in all those areas. Generally, the more you pay, the more advanced features you get, and many vendors offer multiple levels of products at different price points.

One important trend to note: endpoint protection platforms (EPP) and endpoint detection and response (EDR) products are rapidly converging, so one thing EDR buyers should look for is a product that combines both, or gets EPP and EDR tools to work together as seamlessly as possible. All our top EDR products have that feature.

We rated more than 30 EDR products in seven key areas and measured 130 data points for each vendor to come up with our list of 12 top EDR vendors and 10 honorable mentions. For more on our methodology and ratings, see our Methodology section.

So with that context, here are our picks for top EDR products, followed by honorable mentions.

Top EDR products

CrowdStrike Falcon

CrowdStrike Falcon is popular with analysts and users alike – and it came out on top in our analysis too. Falcon is near the top in raw security scores, but when factoring in the product’s advanced features, it wound up with an overall Detection score well above any other vendor on this list. It also scored high in Response, Management, Ease of Use, and Support. Pricing is above average, but as all EDR products save millions of dollars in breach and remediation costs, price is relative, and well-executed advanced features pay for themselves. Falcon offers almost all the standard features you’d expect in a top EDR product, although automated remediation costs extra. Web content filtering and VPN aren’t offered, and for encryption it merely reports on the status of Windows BitLocker, but none of those features are widely offered enough to be considered a standard EDR feature. Users score it high in capabilities, implementation, cloud-based management, and Linux and technical support, among other areas. But CrowdStrike’s biggest strength is the additional services offered with Falcon, including threat hunting, vulnerability assessment and more. In short, CrowdStrike is for those willing to pay for advanced features that are hard to beat.

Pros:

  • Happy customers
  • Easy cloud-based implementation
  • Advanced features that deliver

Cons:

  • Can get pricey
  • A few vendors have higher raw independent test scores – but in any other product, we’d place that in the “Pros” section
  • Web content filtering and VPN needs would have to be met in other ways

 

Vendor                  Detection  Response  Management  Deployment  Ease of use  Value  Support
CrowdStrike             4.7        4.7       4.5         4.6         4.6          4.7    4.8

Check Point Software SandBlast

Check Point’s SandBlast offering was tied for second overall on the strength of its top-notch security and support at a good price. It received the highest score in Ease of Use and came in second in Management, and its automated response capability is also good, making it a strong candidate for smaller companies or those with less sophisticated security teams. In NSS Labs testing, SandBlast handled everything thrown at it, with the sole exception of targeted (hand-crafted) attacks, where it stopped 40%. It offers full-featured management, although users report some challenges with implementation. Check Point also offers a remarkably full-featured product for a price that’s toward the lower end of EDR products, with custom rules the only missing piece. There may be cheaper products and there may be more advanced ones, but none offer better security for the price. It’s a good match for companies of all sizes seeking strong endpoint security at a good price point, particularly those who want their EDR solution to do some of the work for them.

Pros:

  • Automated response
  • Ease of use and management
  • Full-featured at reasonable cost

Cons:

  • Custom rules missing
  • Some implementation challenges reported

 

Vendor                  Detection  Response  Management  Deployment  Ease of use  Value  Support
Check Point             4.4        4.6       4.7         4.1         4.9          4.6    4.5

SentinelOne

SentinelOne tied for second overall, with top scores in Detection, Deployment and Value. SentinelOne users are among the happiest in the EDR space, and they have good reason to be. The product’s automated response features are rated highly by users, which could make SentinelOne a good choice for smaller companies and those without a sophisticated security team. Security scores are good, and SentinelOne even came out on top in the second round of MITRE testing – that’s no small feat, as participants are basically trying to stop Russian nation-state hackers across 140 areas. Missing features include full-disk encryption, VPN, mobile support and web content filtering, and rogue device discovery can be had at an additional cost, but as only about half of top vendors offer those, it would be hard to call them standard features. SentinelOne isn’t the cheapest EDR product on the market, but even there, price is often cited as a reason for buying. A good choice for companies willing to pay for advanced features without sweating the details too much.

Pros:

  • Automated response
  • Strong security at a reasonable price
  • Good security for less sophisticated teams

Cons:

  • Missing features: full-disk encryption, VPN, mobile support, web content filtering
  • Rogue device discovery offered at an additional cost
  • Not for those buying on price alone, but otherwise a good value

 

Vendor                  Detection  Response  Management  Deployment  Ease of use  Value  Support
SentinelOne             4.5        4.8       4.4         4.6         4.5          4.8    4.5

F-Secure

F-Secure, headquartered in Helsinki, matched Palo Alto for the highest independent test scores. The company offers some of the best security on the EDR market for a price that’s about average, with some of the highest scores in the MITRE evaluations. It gets high scores for Ease of Use and Value too. F-Secure boasts a solid lineup of advanced features, but they can come at an additional cost: vulnerability monitoring, custom rules, advanced threat hunting, rogue device discovery, rollback, VPN. Still, the list of features is pretty thorough. Users report some difficulty with implementation, but support and services are there if you need them. In short, if top-notch security is a requirement, F-Secure is a good one to add to your shortlist.

Pros:

  • Top security
  • Full lineup of advanced features, but some cost extra
  • Ease of use and value

Cons:

  • Advanced features can cost extra
  • Some implementation challenges

 

Vendor                  Detection  Response  Management  Deployment  Ease of use  Value  Support
F-Secure                4.5        4.4       4.3         4.4         4.7          4.7    4.4

Palo Alto Networks Cortex XDR

Palo Alto Networks matched F-Secure for the highest independent test scores, with strong results from both NSS Labs and MITRE. And that security can be had for a price that's about average: Palo Alto's Cortex XDR system is priced solidly in the midrange of EDR products, where a majority of vendors seem to price their EDR offerings. NSS Labs found that the product handled all manner of attacks, including handcrafted (targeted) attacks, and Palo Alto came out on top in the first round of the rigorous MITRE ATT&CK evaluations, and in the top two or three in the just-released second round results. The only weak spot in the NSS tests was social exploits embedded in documents, where Palo Alto stopped just over 60% of attacks. Alerting capabilities are solid, and AI and behavioral analytics track threats across endpoints, the network and the cloud. Users report some issues with integration and support, and some of the less common EDR features are missing: vulnerability monitoring, patch management, web content filtering, rogue device discovery, rollback. Strong integration with Palo Alto firewalls and technologies could limit the product's market to current Palo Alto customers, but anyone seeking top security and a product that goes beyond endpoints should take a look.

Pros:

  • Top scores in third-party security tests
  • Ability to handle advanced attacks
  • AI and behavioral analytics, strong alerting capabilities
  • Tracks threats across endpoints, networks and cloud

Cons:

  • Vulnerability monitoring, patch management, web content filtering, rogue device discovery, and rollback are missing features
  • Management and implementation can be complicated
  • Palo Alto customers make up a big part of the market; need for broader visibility

 

Vendor                  Detection  Response  Management  Deployment  Ease of use  Value  Support
Palo Alto               4.4        4.6       4.3         4.3         4.4          4.4    4.5

Kaspersky

Kaspersky's EDR offering provides solid security at bargain-basement prices, which also makes the product one of the more popular ones on the market. It's a feature-rich product too, with an additional cost for VPN the only noteworthy omission. Users like the product's automation features that surface the most critical issues, its investigation and response capabilities, top-notch research, ease of implementation and use, and support. Some users have said the product can be resource-intensive, straining CPUs, and Kaspersky's raw score in the just-released second round of MITRE testing was below average. The Moscow-based company has also moved much of its data processing to Switzerland to ease any suspicions about ties to the Russian government. A good choice for any company looking for solid security and ease of use on a budget.

Pros:

  • Solid security for a low price
  • Feature-rich
  • Ease of use
  • Support

Cons:

  • Can be resource-intensive
  • VPN costs extra
  • Underwhelming MITRE round two evaluation

 

Vendor                  Detection  Response  Management  Deployment  Ease of use  Value  Support
Kaspersky               4.2        4.3       4.2         4.2         4.7          4.7    4.7

Microsoft Defender Advanced Threat Protection

Microsoft has invested significantly in its security capabilities and in-house development, and the result was an impressive, top-tier performance in both rounds of the rigorous MITRE ATT&CK evaluations, proof that the software giant intends to be a player in endpoint security. By virtue of including its endpoint security software in Windows 10, Microsoft is number one in deployed endpoints, but the company is taking the Mac and Linux markets seriously too, and has also addressed licensing concerns by making Defender Advanced Threat Protection available as a standalone EDR product or as part of a suite. Management and Ease of Use were two areas in which the product scored high. Defender ATP is feature-packed, with analyst workflow the lone missing feature, and rogue device discovery and VPN available at an additional cost. With its integration into the Windows source code, the product is a natural for Windows environments, but its strong security makes it a contender elsewhere too.

Pros:

  • Strong security
  • Windows source code integration
  • Management and ease of use
  • Lots of standard features like vulnerability and configuration management

Cons:

  • Analyst workflow a missing feature
  • Rogue device discovery and VPN cost extra
  • Some reports that it can get pricey

 

Vendor                  Detection  Response  Management  Deployment  Ease of use  Value  Support
Microsoft Defender ATP  4.5        4.1       4.8         3.9         4.6          4.5    4.3

Trend Micro

Apex One, Trend Micro’s combined EPP/EDR offering, scores highest in value, not surprising since it’s priced at the low end of the EDR market. With a top-tier performance in the just-released second round of MITRE evaluations, it’s one of the biggest bargains in the market. Apex One’s combination of low cost and good security effectiveness gave it one of the best total cost of ownership (TCO) scores in NSS Labs testing last year. Office 365 and Google G Suite integration are a focus, a plus for cloud office suite users. There have been some issues with deployment, and users have reported occasionally needing to manually remove malware found by the product. A number of features are missing or cost extra, like patching, device control, analyst workflow, custom rules, and rollback, but as the product is at the low end of the pricing spectrum, those features can be added at a pretty reasonable cost when available. Apex One should be considered by those seeking strong security on a budget.

Pros:

  • Price, value and TCO
  • Cloud office support
  • Strong security

Cons:

  • Missing features: analyst workflow, custom rules, rollback
  • Features that cost extra: patch management, full-disk encryption, device control, threat intelligence feed integration, VPN
  • Some deployment issues
  • Some reports of malware needing to be removed manually

Ratings:

             Detection  Response  Management  Deployment  Ease of use  Value  Support
Trend Micro  4.5        4.3       4.5         3.4         4.5          4.7    4.4

VMware Carbon Black

Ease of Use and Value were the areas VMware Carbon Black scored highest in, perhaps a little surprising for a product priced in the middle of the pack. Users are pretty high on the product’s capabilities, which were solid enough to give it a very good TCO score in NSS Labs testing last year. Security is good too, with solid scores in NSS Labs and MITRE testing. One downside is that a number of features that might be expected in a mid-to-high end product are missing or cost extra: vulnerability monitoring, device control, guided investigation, advanced threat hunting and rollback among them. Predictive Security Cloud is the flagship offering, with options for threat hunting and response, and audit and remediation, and is popular with sophisticated security teams, but those needing more standard features may find value in Carbon Black too.

Pros:

  • Ease of use and product capabilities are strengths
  • Well integrated EPP and EDR
  • Advanced threat hunting may cost extra, but it’s well done

Cons:

  • Features that cost extra: advanced threat hunting, vulnerability monitoring and patch management
  • Features not offered: full-disk encryption, web content filtering, device control, guided investigation, rollback, VPN
  • Despite relative value, a few users report that the product can get pricey

Ratings:

                     Detection  Response  Management  Deployment  Ease of use  Value  Support
VMware Carbon Black  4.3        4.4       4.2         4.4         4.5          4.6    4.3

Symantec

Now owned by Broadcom, the EDR market leader hasn’t been resting on its laurels, not that any vendor could afford to in such a competitive market. Symantec Endpoint Security (SES), the vendor’s combined EPP-EDR offering, offers advanced features such as vulnerability remediation, threat hunting and targeted attack analytics. Response, Management, Ease of Use and Value were all good, indications that Symantec has put together a solid product. Pricing can range from low-cost to very expensive, depending on features selected. Standard features include vulnerability and patch management, device control, analyst workflow, guided investigation, custom rules, advanced threat hunting, rogue device discovery and more. Full-disk encryption, web content monitoring and threat intelligence feed integration are available at extra cost, while rollback isn’t offered, the only missing feature on our 28-item checklist. Symantec recently posted a very good raw score of 85% in the second round of MITRE testing, but as quite a few detections were made by MSSP only, we expect that Symantec’s EDR and services teams are getting together to make sure that both products get maximum benefit from the MITRE evaluations. Symantec has made some good choices and gets solid marks from users across the board. A comfortable choice that gets the job done.

Pros:

  • Many standard features: vulnerability and patch management, device control, analyst workflow, guided investigation, custom rules, advanced threat hunting, rogue device discovery
  • Good security
  • Overall balanced scores

Cons:

  • Full-disk encryption, web content monitoring and threat intelligence feed integration are available at extra cost
  • Rollback isn’t offered
  • Pricing can be high
  • Can be resource-intensive on endpoints

Ratings:

          Detection  Response  Management  Deployment  Ease of use  Value  Support
Symantec  4.2        4.5       4.5         3.9         4.5          4.5    4.4

Bitdefender

Bucharest-based Bitdefender is popular with small and mid-sized businesses that want their endpoint security to do a lot of the work for them, and Bitdefender GravityZone can do that with machine learning, behavioral monitoring, risk analytics and automated remediation. Those features come at a cost, however, and for a product that can get pricey, a number of advanced features are missing, like guided investigation, threat intelligence feed integration and custom rules. Patch management, full-disk encryption, and rogue device discovery can be had at a premium. Security is good, with solid scores in NSS Labs and MITRE evaluations. Bitdefender is one that SMBs should be taking a look at, and even some enterprises too, as the company has basic and advanced offerings for both SMBs and enterprises.

Pros:

  • Good security
  • Popular with SMBs
  • Good automation features

Cons:

  • Missing: guided investigation, threat intelligence feed integration, custom rules
  • Available at a premium: patch management, full-disk encryption, rogue device discovery
  • Can get pricey

Ratings:

             Detection  Response  Management  Deployment  Ease of use  Value  Support
Bitdefender  4.5        4.1       4           4           4.5          4.5    4.5

BlackBerry Cylance

Rounding out our top vendor list is Cylance, acquired by BlackBerry last year. One standout feature is its automated response abilities, and users are also high on the ability of CylancePROTECT EPP and CylanceOPTICS EDR to stop ransomware and unknown threats. NSS Labs and MITRE scores have been solid, but the product can be pricey. Threat hunting and custom rules are some of the advanced EDR features offered, but a number of advanced features are missing, like behavioral detection, patch management, full-disk encryption, web content filtering, guided investigation, rogue device discovery, and rollback. OPTICS in particular may present some implementation challenges, but users are generally pleased with the results. In short, a product for enterprises willing to pay extra for protection against unknown threats, but that extra cost may pay for itself in reduced remediation time.

Pros:

  • Automated remediation
  • Time-saving response and management capabilities
  • Stops unknown threats

Cons:

  • Missing features: behavioral detection, patch management, full-disk encryption, web content filtering, guided investigation, rogue device discovery, rollback
  • Some implementation challenges
  • Can be pricey

Ratings:

                    Detection  Response  Management  Deployment  Ease of use  Value  Support
BlackBerry Cylance  4.2        4.4       3.6         3.4         4.5          4.4    4.5

Honorable mentions

“Honorable mention” in no way means these vendors are second tier. In fact, many of them have posted impressive scores in rigorous third-party testing. Vendors in this category are more likely to have an offering that is best for specific use cases, or are emerging and worthy of consideration.

Sophos: Sophos Intercept X had a strong showing in NSS Labs testing last year and is priced toward the low end of EDR products, making it a security bargain. Users have had their complaints – false positives, implementation and performance overhead are a few – but you won’t find many complaints about its security performance. We’d like to see Sophos join the MITRE ATT&CK evaluations to confirm that strong security. In the meantime, it remains a bargain worth considering.

McAfee MVISION: A relative newcomer to the EDR market, McAfee has been quick to offer advanced features such as behavioral blocking, credential theft monitoring, rollback options and more. McAfee scored among the leaders in Value and posted a solid performance in the first round of the rigorous MITRE ATT&CK evaluations, but didn’t fare as well in the second round. McAfee has the pedigree to continue to evolve in the EDR (and any security) market, so they’re one to watch. Certainly one for McAfee users to consider, as well as others.

Elastic/Endgame: A recent acquisition combining two strong security companies – Endgame in endpoint security and Elastic in SIEM – makes Elastic a vendor to keep an eye on. MITRE and NSS Labs scores were particularly impressive, so anyone valuing strong security should have a look.

Cybereason: An up-and-coming vendor with an impressive vision for the future, Cybereason scored well in the first round of MITRE ATT&CK evaluations and roughly average in the second round, serving notice that this next-gen EDR vendor is for real.

Cisco AMP for Endpoints: Solid security at bargain prices; particularly well matched for Cisco shops. We’d like to see Cisco join the MITRE evaluations, which are rapidly becoming a standard measure in the field.

FireEye: Positioned more as a security platform vendor, but EDR is part of that platform, and with a solid performance in both rounds of the MITRE ATT&CK evaluations, it’s one worth considering, particularly if you’re looking to add other services to your EDR system.

Fortinet/enSilo: Fortinet may be best known for its firewalls, but with a low-cost, solid, easy-to-use EDR offering and the recent acquisition of the more advanced enSilo, the company is one to watch in the EDR space.

WatchGuard/Panda: A recent acquisition combines Panda’s strong EDR security, which received high marks from NSS Labs, with WatchGuard’s strength in firewalls and network security.

Comodo: Strong test results from NSS Labs and solid user reviews should bring Comodo some notice. Users report some challenges with implementation and ease of use, but are otherwise satisfied.

ESET: An established EDR vendor with a strong presence with SMBs and a global reach.

Methodology and ratings

We analyzed third-party test data, user reviews, product features, analyst reports and reseller pricing, and winnowed an initial list of more than 30 EDR vendors to come up with our list of 12 top vendors and 10 honorable mentions.

Here’s an explanation of our ratings categories, in order of our weighting:

  • Detection: Not just whether the EDR product stops a high percentage of threats, but also whether it offers advanced features to protect more than a traditional endpoint security platform might, such as threat hunting, correlation and fileless threat detection, and user opinions of the product’s capabilities.
  • Response: How well the product removes threats, alerts security teams and guides response. Advanced features, such as automatically surfacing the most important threats and guided investigation, are also considered.
  • Management: Ease of use plays a role here, but more important are features that give a security team control over endpoints, such as vulnerability assessment, patching, endpoint control and more.
  • Ease of use: The higher the score, the more suitable the product may be for SMBs or less experienced security teams.
  • Support: Everyone contacting support has a problem that needs solving, so responsiveness matters.
  • Value: Value isn’t just price – where a product is truly low-cost, we note that, but value is also about advanced features and high security that cost less than competing products, and save companies data breach costs and security staff time in the process.
  • Deployment: Not just how easy a product is to implement, but also how well it integrates with user environments and how easy it is to deploy new endpoints.