
Endpoint Buyers Guide


It takes more than antivirus to stop today's advanced threats. Protecting corporate assets requires a complete security solution that includes anti-malware, host-based intrusion prevention (HIPS), web protection, patch assessment, application and device control, network access control, data loss prevention, firewall and other capabilities. In addition to complete protection you need a solution that's easy to install and manage, and that can grow with your needs, saving you time and ensuring comprehensive protection for years to come. In short, you need an endpoint protection solution.

Evaluating the many components that make up an endpoint security solution can be overwhelming. This buyers guide is designed to help. We've provided you with independent research and test results to help you determine your endpoint security solution requirements and identify the vendor that best meets your needs.

We examine the top vendors according to market share and industry analysis: Kaspersky Lab, McAfee, Sophos, Symantec and Trend Micro. Each vendor's solutions are evaluated according to:

- Product features and capabilities
- Effectiveness
- Performance
- Usability
- Data protection
- Technical support


Product Features and Capabilities


Basic endpoint security solutions include antivirus, anti-spyware, host-based intrusion prevention and firewall technologies. More advanced endpoint solutions also include cloud-based protection, device and application control, patch assessment, web productivity filtering, network access control, data loss prevention and full-disk encryption. Even if you don't need these advanced capabilities today, your organization will likely need them tomorrow, given the increasing complexity of security threats.

When it comes to independent reviews of endpoint solution features and availability, Sophos and McAfee offer the most complete solutions and Sophos scores the best overall. See our chart for at-a-glance information, and read the report summaries for more information on test results by vendor.
Review | Sophos | Symantec | McAfee | Trend Micro | Kaspersky Lab
--- | --- | --- | --- | --- | ---
Gartner EPP Magic Quadrant (Jan 2012) | Leaders Quadrant | Leaders Quadrant | Leaders Quadrant | Leaders Quadrant | Leaders Quadrant
Cascadia Labs Endpoint Security for Enterprises (Jan 2010) | 4 stars | 3.5 stars | 2.5 stars | 2.5 stars | NA
AV-Comparatives Review of IT Security Suites (Nov 2010) | 5 stars | NA | 5 stars | 4 stars | 5 stars
Enex TestLab Usability of Endpoint Security (Sept 2011) | Complete | Partial | Complete | Partial | Partial


Gartner Magic Quadrant for Endpoint Protection Platforms (January 2012)


Gartner's 2011 endpoint security Magic Quadrant, a research tool that rates vendors on completeness of vision and ability to execute, reviewed 17 vendors. Kaspersky Lab, McAfee, Sophos, Symantec and Trend Micro were placed in the Leaders Quadrant. According to Gartner,

"Leaders demonstrate balanced progress and effort in all execution and vision categories. Their capabilities in advanced malware protection, data protection and/or management features raise the competitive bar for all products in the market, and they can change the course of the industry. A leading vendor isn't a default choice for every buyer, and clients should not assume that they must buy only from vendors in the Leaders quadrant. Some clients believe that Leaders are spreading their efforts too thinly and aren't pursuing clients' special needs."

Cascadia Labs: Endpoint Security for Enterprises (January 2010)

Independent technology evaluator Cascadia Labs tested four top security providers in six categories: installation, configuration, policies, management, visibility and threat awareness. Sophos took top scores in performance, data protection and technical support, followed closely by Symantec, which faltered on support. McAfee and Trend Micro received lower marks for complexity.

AV-Comparatives Review of IT Security Suites (November 2010)


AV-Comparatives, a nonprofit testing organization, individually tested and provided an overview of endpoint security solutions. The test evaluated 12 qualities or capabilities, including ease of installation, Microsoft Active Directory support, user manual and database support. Trend Micro didn't perform as well as others in this test, receiving two and three stars out of five in a number of categories, including ease of installation, default values and database support. Sophos received a minimum of four stars in every category and five stars in seven categories, including ease of installation, usability and management, spam, and Microsoft Active Directory support. McAfee earned five stars in eight categories but received only two stars for its website. Kaspersky earned five stars in only five categories, and Symantec didn't participate in the report.

Enex TestLab Usability of Endpoint Security (September 2011)


Enex TestLab tested the various feature sets, compatibility and usability of endpoint security products against five endpoints. Of the six products Enex TestLab evaluated, it singled out McAfee and Sophos as enterprise-grade solutions largely due to their data loss protection, device protection and full-disk encryption capabilities. Only these two vendors had "complete" products, meaning they offer a complete endpoint solution whereas the other products are missing features. In terms of usability, McAfee had the most involved and lengthy installation processes, and Trend Micro followed closely behind. Kaspersky, Sophos and Symantec offer more simplified installation procedures. Of the five vendors, Sophos came out on top due to the integration of security capabilities in a single package, ease of installation and deployment, and data protection capabilities.


Effectiveness
The primary goal of an endpoint security solution is to prevent malware infection. "As the anchor solution in EPP suites, the quality of the malware scan engine should be a major consideration in any RFP," according to Gartner. However, no antivirus engine can provide 100% protection, even against known threats. You should therefore also consider the solution's advanced features, such as behavior detection and HIPS capabilities. Also worth noting is whether the solution leverages the cloud to deliver real-time signature updates. Live protection from the cloud means protection against the latest threats with minimal impact on network bandwidth.
Review | Sophos | Symantec | McAfee | Trend Micro | Kaspersky Lab
--- | --- | --- | --- | --- | ---
VB100 (Oct 2010) | 79.6% | NA | NA | NA | 85.5%
VB100 (Dec 2010) | 84.2% | NA | Failed | NA | 84.4% / 88.3%
AV Test (Jan 2011) | 96% / 99.74% | 96% / 97.16% | 80% / 91.38% | 92% / 99.59% | 92% / 98.83%
VB100 (Feb 2011) | 90.7% | NA | NA | NA | Failed
VB100 (Jun 2011) | 87.9% | NA | NA | NA | 94.3%

% represents: VB100 - percent of previously unseen malware detected. AV Test - percent of real infection vectors/prevalent malware detected

VB100: Windows Server 2003 (October 2010)


Virus Bulletin magazine independently tests antivirus products. According to the magazine, "The VB100 award is granted to any product that passes the test criteria under test conditions in the VB lab as part of the formal VB comparative review process." Virus Bulletin magazine evaluated the ability of 38 antivirus solutions to protect Windows Server 2003. The recipients of this VB100 detected 100% of known viruses without generating any false positives. Sophos and Kaspersky earned VB100 awards. VB100 also evaluates ability to detect unknown viruses and gives a RAP (Reactive and Proactive) score. Sophos earned a RAP score of 79.6% for Sophos Endpoint Security and Control 9.5. Kaspersky earned a RAP score of 85.5% for Kaspersky Anti-Virus 8 for Windows Servers Enterprise Edition 8.0.0.495. Symantec, McAfee and Trend Micro did not submit products to be tested.

VB100: Windows 7 Professional (December 2010)


In December 2010, Virus Bulletin magazine awarded the VB100 to antivirus solutions that demonstrated an ability to protect Windows 7 Professional. Kaspersky submitted two products for this evaluation, and both won a VB100. Kaspersky Antivirus 6 for Windows 6.0.4.1212a earned a RAP score of 84.4% while Kaspersky Internet Security 2011 11.0.2.556 earned a RAP score of 88.3%. Sophos earned a VB100 for Sophos Endpoint Security and Control 9.5.4, with a RAP score of 84.2%. McAfee failed this test. Symantec and Trend Micro did not participate.


AV-Test (January 2011)


The AV-Test, conducted by The Independent IT-Security Institute, evaluates the ability of top endpoint security solutions to block real infection vectors and prevalent malware. Sophos outperformed the other vendors in both categories, blocking 96% of real infection vectors and 99.74% of prevalent malware. Symantec also performed well by blocking 96% of real infection vectors, followed by Trend Micro and Kaspersky each at 92%, and McAfee at 80%. Trend Micro blocked 99.59% of prevalent malware, followed by Kaspersky at 98.83%, Symantec at 97.16% and McAfee at 91.38%.

VB100: Linux Ubuntu (February 2011)


This round of comparative antivirus tests by Virus Bulletin magazine focused on Linux Ubuntu. Much like the tests that Virus Bulletin conducts on other operating system platforms, it awards the VB100 title only to products capable of detecting all in-the-wild viruses on both on-demand and on-access modes without experiencing any false positives. Due to the limited support for Linux from other security vendors, Sophos and Kaspersky Labs were the only two large security vendors whose products were tested. Kaspersky submitted two products and failed both tests. Sophos had an average detection rate of 90.7% and received the VB100 for its antivirus.

VB100: Windows Server 2008 R2 (June 2011)


The June 2011 round of comparative antivirus tests focused on Windows Server 2008 R2. Kaspersky Small Office Security earned a VB100 with a RAP test score of 94.3%. Sophos Endpoint Security and Control also earned a VB100 with a RAP test score of 87.9%. Symantec, McAfee and Trend Micro did not submit solutions for testing.


Performance
Performance measures how a security solution impacts user experience and the number of help desk calls. Ideally, users won't experience slowdown when a security solution is scanning their system: during scheduled scans, at boot up or when opening a file. This should still be the case on a loaded or low-memory system. Strong security performance can improve IT efficiency and end-user productivity.
Review | Sophos | Symantec | McAfee | Trend Micro | Kaspersky Lab
--- | --- | --- | --- | --- | ---
Cascadia Labs: Endpoint Security for Enterprises (Jan 2010) | High scan speeds | Solid performance | Slow scan speeds | Solid performance | NA
AV-Comparatives Scanning Speeds Test (Dec 2010) | 2nd | 7th | 13th | 19th | 16th
AV-Comparatives PC Mark Tests (Dec 2010) | Fastest vendor tested | 14th fastest vendor tested | 10th fastest vendor tested | Came in last at 20th place | 15th fastest vendor tested

Cascadia Labs Report: Endpoint Security for Enterprises (January 2010)


Cascadia's tests looked at the time required to perform both an on-access and on-demand scan, and the time required to open a large PowerPoint file. Additionally, the test looked at the time of scan in a low-memory environment. The tests found Sophos had high scan speeds for both on-access and on-demand scans, and disappointingly slow McAfee results across the board. Sophos and Trend Micro both did well in low-memory situations, and Symantec performed solidly overall. Kaspersky was not included in the test.

AV-Comparatives Scanning Speeds Test (December 2010)


This test of 20 antivirus providers measured performance based on six common user tasks and applied a scoring system to sum the various results. AV-Comparatives awarded Sophos an Advanced+ rating for excellent performance scores. Sophos tied for second place with an overall score of 180. Symantec came in at seventh with a score of 177; McAfee came in at thirteenth with a score of 172; Kaspersky came in at sixteenth with a score of 160; and Trend Micro came in second-to-last with a score of 143. As part of its tests, AV-Comparatives ran each endpoint solution on an older system to see if its protection modules loaded before malware in the start-up folder could execute. Sophos was one of only two providers to pass the test and whose product launched a scanner early enough to catch malware before it executed.

AV-Comparatives PC Mark Tests (December 2010)


AV-Comparatives carried out a performance test using the PC Mark Vantage Professional Edition 1.0.2 testing suite from FutureMark. The test consisted of several subtests that judged the speed of file copying, archiving/unarchiving, encoding/transcoding, installing/uninstalling, downloading, and launching applications. PC Mark used a scoring system to sum the results of the subtests. With a PC Mark score of 97, Sophos performed the best, second only to a computer with no antivirus installed. McAfee earned a score of 92, Symantec's score was 91, Kaspersky's score was 90 and Trend Micro came in behind every other vendor tested with a score of 83.


Usability
Usability, which includes installation, configuration, policies and management, impacts the time you spend on day-to-day security tasks. IT teams need a solution that's straightforward, with single-console management, easy implementation, a simple user interface and the ability to make changes easily. Policies should be flexible, but not so complex that they confuse or overwhelm. For usability we will review three reports from Cascadia Labs, AV-Comparatives and Enex TestLab. Read the report summaries and see the at-a-glance tables for more information. According to Gartner,

"Reporting capabilities are a significant differentiator of EPP solutions and can make a significant difference in the administration overhead. Buyers should consider both point-in-time reporting as well as real time dashboard capabilities."

Cascadia Labs: Endpoint Security for Enterprises (January 2010)
Cascadia Labs' in-depth usability report counted the number of hours involved in installation and configuration, and gave a star rating for ease of management. It also counted the number of clicks and hours required for basic tasks. Sophos had the fewest number of clicks and hours needed for installation and configuration. McAfee required the highest, with five hours and 166 steps necessary to set up the system. Cascadia didn't include Kaspersky in this assessment. In both installation/configuration and day-to-day management, Sophos required the fewest steps and the least amount of time, while McAfee required the most. Below we examine each usability component (installation and configuration, policies and management, and visibility) in more detail.

Installation and Configuration: Steps and time

This test counted the total number of steps and time required to complete installation tasks. Sophos had the fastest set up time with the fewest number of steps, with Trend Micro next, then Symantec, followed by McAfee, which took twice as long as Sophos to set up.

Policies and Management

Cascadia's report also examined available policies and management, ranking vendors by simplicity and ease of use. It looked at details such as how many windows the interface uses, and how policies are created and arranged. Cascadia gave both Sophos and Symantec a high four-star rating for clear interfaces, and gave Trend Micro the lowest ranking, two stars, for non-centralized management. According to the report's authors,

"Sophos keeps everything in one location, so unlike with the Trend and McAfee products you don't need to go to multiple places in the interface or bring up additional menus."

Visibility: Clicks to view

This report also studied the visibility a solution offers into the overall security system, and the user's level of threat awareness, which can enhance transparency and ease of use. A dashboard should be clear and require few clicks to access critical information and common actions (e.g., sending an email when a virus is detected).


In some cases, solutions don't offer the full range of features, such as Trend Micro, which only lets you see out-of-date endpoints. Sophos and Symantec both include a complete range of dashboard options, leading the pack for this section, with Sophos requiring the fewest clicks for the most tasks. McAfee follows in third place with some included functionality, and Trend Micro falls in last place with limited capabilities.

Cascadia Labs: Endpoint Security for Enterprises (Jan 2010)
Review | Sophos | Symantec | McAfee | Trend Micro | Kaspersky Lab
--- | --- | --- | --- | --- | ---
Installation and configuration: Steps | 93 steps | 123 steps | 166 steps | 107 steps | NA
Installation and configuration: Time | 2.5 hours | 3.5 hours | 5 hours | 3 hours | NA
Policies and Management | 4 stars | 4 stars | 3 stars | 2 stars | NA

Visibility: Clicks to view

Review | Sophos | Symantec | McAfee | Trend Micro | Kaspersky Lab
--- | --- | --- | --- | --- | ---
Out-of-date endpoint | 0 | 0 | 7 | 0 | NA

Send email on virus detection

13

NA

NA

Application-controlled users

NA

NA

Device-controlled users

NA

NA

NA

DLP-controlled users

NA

NA

NA

NA

AV-Comparatives Review of IT Security Suites (October 2010)


In its Review of IT Security Suites, AV-Comparatives evaluates products' usability and management (one score), and ease of installation. McAfee and Sophos earned five stars out of five for ease of installation. Kaspersky earned four stars and Trend Micro earned three. All four vendors earned five stars for usability and management. Symantec wasn't included in the evaluation.

AV-Comparatives Review of IT Security Suites (Oct 2010)
Review | Sophos | Symantec | McAfee | Trend Micro | Kaspersky Lab
--- | --- | --- | --- | --- | ---
Usability and management (one score) | 5 stars | NA | 5 stars | 5 stars | 5 stars
Ease of installation | 5 stars | NA | 5 stars | 3 stars | 4 stars


Enex TestLab Usability of Endpoint Security (September 2011)


Enex TestLab evaluated Kaspersky, McAfee, Sophos, Symantec and Trend Micro's ease of use. It counted the number of steps required to complete various scenarios. McAfee and Trend Micro had the most involved and lengthy installations. McAfee came in first or second as requiring the most steps to complete a given task. For example, specific device management tasks required a total of 69 steps from McAfee while Symantec (which came in second for this group of tasks) required 64 and Trend Micro (on the low end in this case) required 13. Overall, Sophos was considered the easiest to use and was recognized for its streamlined dashboard.

Enex TestLab Usability of Endpoint Security (Sept 2011)
Review | Sophos | Symantec | McAfee | Trend Micro | Kaspersky Lab
--- | --- | --- | --- | --- | ---
Server install | 30 steps | 43 steps | 133 steps | 59 steps | 18 steps
Endpoint deployment | 35 steps | 34 steps | 81 steps | 92 steps | 41 steps
Role-based administration | 74 steps | 176 steps | 109 steps | 123 steps | 56 steps
Maintain protection | 28 steps | 52 steps | 62 steps | 37 steps | 67 steps
Policy management | 49 steps | 62 steps | 49 steps | 38 steps | 63 steps
Device management | 38 steps | 64 steps | 69 steps | 13 steps | 19 steps
Reporting | 26 steps | 40 steps | 61 steps | 11 steps | 65 steps


Data Protection
Data protection technology is becoming increasingly important in today's distributed work environment. Introducing encryption and content awareness to the business makes users more aware of how they handle sensitive data, and impresses upon them the importance of data protection. Having encryption and data loss prevention (DLP) incorporated in an endpoint security solution offers a number of benefits, including simplified management and cost savings.

McAfee, Sophos, Symantec and Trend Micro all offer described content detection (for example, Social Security numbers), predefined dictionaries and weightings to specific words. However, Sophos is the only vendor to provide these DLP capabilities integrated into a single endpoint agent. Trend Micro offers an optional hosted DLP agent as part of its Endpoint Security Platform. McAfee and Symantec use separate agents and licenses to provide host DLP capabilities. Kaspersky Lab does not have a DLP offering. Sophos and McAfee also provide encryption capabilities in their endpoint protection, while the others do not.
Review | Sophos | Symantec | McAfee | Trend Micro | Kaspersky Lab
--- | --- | --- | --- | --- | ---
Cascadia Labs: Endpoint Security for Enterprises (Jan 2010) | Full range of DLP options | Few DLP options | Still fewer DLP options | Still fewer DLP options | NA
Enex TestLab Usability of Endpoint Security (Sept 2011) | Data protection and encryption capabilities | No data protection; no encryption | Data protection and encryption capabilities | No data protection; no encryption | Data protection and encryption for smartphones

Cascadia Labs: Endpoint Security for Enterprises (January 2010)


The comprehensive Cascadia Labs report, Endpoint Security for Enterprises (January 2010), examined how security vendors deliver DLP with endpoint security. Cascadia Labs studied each vendor to determine how many clicks are required to create read-only access for removable media, and also to implement exception policies for certain devices. And it measured how quickly an IT manager can block access to a particular dangerous application. The report found that only Sophos provides integrated DLP in its platform, with a full range of options for blocking application access, adding read-only access for removable storage and creating device class exceptions. Symantec follows Sophos with a few options available, while McAfee and Trend Micro trail them both.

Enex TestLab Usability of Endpoint Security (September 2011)


Enex TestLab examined the features found in six endpoint security products and determined that McAfee and Sophos offer the most comprehensive endpoint security suites, designating them as the only enterprise-grade solutions in the report. As the only two solutions to offer full-disk encryption, McAfee and Sophos provide the most complete data protection. Sophos offers the added benefit of providing DLP capabilities without adding complexity to its solution.


Technical Support
You can hope you'll never need tech support for your endpoint security solution, but it should be a key part of any vendor's product. Tech support requirements are fairly straightforward: a vendor that offers 24/7 local language support, with knowledgeable engineers answering the phone and short wait times (if you have to wait at all). Of the five vendors we are looking at here, only Sophos' support has been independently audited and approved by SCP. Its 24/7, follow-the-sun support operations (UK, U.S., Australia) are SCP certified.

Cascadia Labs: Endpoint Security for Enterprises (January 2010)


The Cascadia Labs report, Endpoint Security for Enterprises (Jan. 2010), studied endpoint security technical support and awarded Sophos four stars, McAfee three, and Symantec and Trend Micro two stars each for overall tech support. Only Trend Micro doesn't offer 24/7 tech support. Cascadia called each vendor's tech support line and experienced the fastest response time with Sophos (two-minute wait time) and the slowest response time with McAfee (22-minute wait time). Cascadia Labs also determined whether easy questions were answered by Tier 1 and whether difficult questions were answered by Tier 1. All of the vendors answered easy questions, but only Sophos and McAfee answered difficult questions by Tier 1.
Review | Sophos | Symantec | McAfee | Trend Micro | Kaspersky Lab
--- | --- | --- | --- | --- | ---
Overall rating | Four Stars | Two Stars | Three Stars | Two Stars | NA

Time on hold (minutes)

22

22

16

NA

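Review | Sophos | Symantec | McAfee | Trend Micro | Kaspersky Lab
--- | --- | --- | --- | --- | ---
Answered easy questions by Tier 1 | Yes | Yes | Yes | Yes | NA
Answered difficult questions by Tier 1 | Yes | No | Yes | No | NA
Hours of operation | 24/7 | 24/7 | 24/7 | Mon-Fri, 8 a.m. to 8 p.m. EST | NA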


Summary
Endpoint security at its best is complete and simple. It protects your organization from threats and data loss across all platforms from a single management console. Finding the right solution may seem daunting, but ask the right questions and look at the research to find the vendor that can serve your company best. This quick look at the major vendors sums up how each fared in third-party tests in each of the areas evaluated.
Area | Sophos | Symantec | McAfee | Trend Micro | Kaspersky Lab
--- | --- | --- | --- | --- | ---
Overall | Overall Best | Better | Better | Good | Good
Features & Capabilities | Best | Good | Better | Good | Good
Effectiveness | Best | Better | Good | Good | Good
Performance | Best | Better | Good | Good | Good
Usability | Best | Best | Good | Better | Better
Data Protection | Best | Better | Good | Good | Not reviewed
Technical Support | Best | Good | Better | Good | Not reviewed

Evaluating Endpoint Protection: Questions to Ask


Endpoint security solutions claim many different features. To learn if a product satisfies your minimum required capabilities, start by asking vendors the following questions:

1. Is it easy to implement?
2. Is it easy to manage with a single console?
3. Does it support all of your platforms?
4. Does it offer all of the features required for complete security?
5. Does it offer localized support?
6. What impact will it have on end users?
7. Does it include data protection?
8. Can it ensure compliance?
9. Does it include expert support in the local language?
10. Does it include free upgrades?
11. Does it protect against malware?
12. Does it improve IT efficiency?
13. Does it improve end-user flexibility and productivity?
14. Does it provide web protection wherever your users are?
15. Does it include patch assessment?

Recommended Features Checklist


We've listed below the primary capabilities and features found in advanced EPP solutions. Not every solution will have every item on the list. As you begin researching solutions, use this checklist to create your requests for proposal or as a scorecard to evaluate different products.

Product features and capabilities

- Web protection that includes URL filtering, malware scanning, and content filtering
- Application control capabilities
- Patch assessment capabilities
- Manages list of known good/unwanted applications
- Extensive firewall log data
- Creates firewall policies based on connection type
- Creates device policies based on device class (i.e., CD, DVD, USB, etc.)
- Distinguishes between classes of devices based on serial number or manufacturer
- RSS feeds into dashboard with relevant news
- Imports or exports data and alerts with other security systems
- Creates custom reports in HTML, XML, CSV and PDF
- Installs protection on Windows, Mac, Unix, Linux, storage and virtual platforms
- Assesses computers accessing your network to ensure they meet your security policies, and blocks or quarantines them if they do not

Effectiveness

- Dashboard of real-time events
- Broad malware signatures that detect new variants of old threats without causing false positives

Performance

- Native management server redundancy capabilities
- Single signature database and scanning engine for all forms of malware

Usability

- Easy installation that includes optimal default settings for your environment
- Role-based administration
- Object-oriented policy creation
- Administrator-configurable dashboard with real time graphical and table-based view of events
- Removes competitive endpoint products on installation

Data protection

- DLP content inspection for removable storage, email clients, web browsers and IM clients
- Creates content detection for organization-specific intellectual property
- Encrypts computer hard disks and files

Technical support

- Installation assistance and training
- Support resources such as user forums and white papers
- Independently certified, follow-the-sun support operations

Try Sophos Endpoint Protection for free


Register for a free 30-day evaluation at sophos.com.

United Kingdom Sales: Tel: +44 (0)8447 671131 Email: sales@sophos.com

North American Sales: Toll Free: 1-866-866-2802 Email: nasales@sophos.com

Boston, USA | Oxford, UK Copyright 2011. Sophos Ltd. All rights reserved. All trademarks are the property of their respective owners. 11.11.v1.dNA
