
Spotlight on AI-enhanced security: four contenders for SMEs and enterprise

A Computing Delta look at solutions from Sophos, Symantec, CrowdStrike and Fortinet

Recently we looked at the two market leaders in AI-enhanced security, Microsoft Azure Sentinel and Darktrace. This time we turn our attention to some other popular choices: Sophos, Symantec, Fortinet and CrowdStrike, all of which produce endpoint and firewall solutions augmented by machine learning, and all of which offer products for smaller organisations as well as the enterprise.

These results come from a Computing Delta study among 150 IT leaders with some responsibility for their organisation's cyber security solutions who have trialled or adopted these solutions. The study was carried out in June 2021.

AI is the industry's current buzzword. How much has AI really changed these vendors' security tools?

Sample sizes: Sophos 27, CrowdStrike 15, Symantec 25, Fortinet 15

Sophos

UK cyber security firm Sophos focuses on two solutions for organisations with 100 to 5,000 employees: the endpoint protection product Intercept X and XG Firewall.

Intercept X is an endpoint protection tool that uses deep learning to detect, predict and respond to threats without relying on signatures. Sophos trains the neural networks it uses on 30 years of malware collection and analysis by SophosLabs.

A notable point that separates Sophos' deep learning from similar tools is the company's transparency. As well as presenting details of its methodology at industry conferences, Sophos also allows independent third parties to test its models.

XG Firewall applies the same deep learning to block threats through a cloud-based service called Sandstorm Sandboxing.

Sandstorm Sandboxing identifies threats using technologies from Intercept X. Suspicious payloads from email attachments and web downloads are routed to the sandbox and opened there, so that their behaviour can be observed before they are allowed to reach the network.

XG Firewall also responds to incidents using Sophos Security Heartbeat, a feature that allows endpoints and the firewall to communicate their health status with one another. When an endpoint reports itself as compromised, XG Firewall quarantines it, and it can also instruct healthy endpoints to refuse traffic from the compromised host, so the isolation holds even for peer-to-peer traffic that never crosses the firewall ('lateral movement protection').

Sophos products are generally thought to be reasonably priced compared with the competition. The company does not publish pricing details, but third-party sites suggest figures of around £30 per user for Intercept X and £1,000 for XG Firewall, although actual pricing will obviously depend on the implementation.

A respondent from the education sector said Sophos was open to negotiation, and the vendor was praised for the flexibility of its licensing and the clarity of its communications and roadmap.

Sophos' AI-enhanced security solutions achieved their highest ratings for Integration with current or future environment, Level of coverage, including new threats and High speed / real-time analysis / detection, with no outstanding weak points identified by Delta respondents.

Sophos "exceeds the sector's needs," said one respondent. Another commented that Sophos is one of the few companies with flexibility in its pricing: "It's EU/UK-focused and willing to negotiate," they said. "Sophos has clear licensing with no hidden costs."

Broadcom Symantec

Symantec (acquired by Broadcom in 2019) offers Symantec Endpoint Security (SES), which uses AI for threat detection and replaces the older Symantec Endpoint Protection Cloud (SEPC) and Symantec Endpoint Protection Small Business Edition (SEP SBE).

Available as an on-premises, cloud or hybrid solution, SES is a single-agent system for both traditional and mobile endpoints, using AI to assist security decision-making. Control is through a single console, providing real-time threat visibility across the device, application and network level.

Another offering is Symantec Endpoint Detection and Response (EDR) with Targeted Attack Analytics (TAA). This tool, deployable on-premises or in the cloud, uses machine learning and behavioural analytics to identify suspicious activity and to detect and prioritise incidents.

The application covers the four common stages of endpoint protection software: 'Detect and Expose', 'Investigate and Contain', 'Resolve' and 'Integrate and Automate'. However, AI enhancement is only present in the first of these. Symantec EDR draws on Symantec's global threat intelligence to identify new attacks and minimise false positives.

SES pricing starts at around $20.00 per device per year, according to third-party sites, with EDR coming in at about twice that figure.

"Good clear licensing model and well supported knowledge bases. Good product at a good price," was one comment.

Symantec's history and pedigree were mentioned as plus points by respondents. "A reliable giant with experience in the field", said one, and its products drew good ratings for High speed / real-time analysis / detection and Minimising gaps and vulnerabilities, although they were marked down on Clarity of information / recommendation. Costs were considered reasonable and pricing transparent with few hidden costs, but the firm was considered a little weaker in terms of training and product roadmap than some of its rivals.

Broadcom's acquisition of Symantec provided a much-needed boost to its fortunes, but some respondents felt the juggernaut was slow to turn around and that it lacked the customer focus of some rivals. "The product set feels cumbersome and not light touch. Need the whole suite to get the benefits," said one IT leader. Others weren't totally convinced about the effectiveness of the AI modelling: "Good stable product, easy to setup, monitor and use, but the AI needs improvement a little."


CrowdStrike

CrowdStrike, founded in 2011, is a US firm providing endpoint security and threat intelligence.

CrowdStrike launched CrowdStrike Falcon, its endpoint protection platform, in 2013. It is a scalable, cloud-based solution that uses machine learning in its anti-virus capabilities to identify unknown malware, in combination with the company's threat intelligence database for known malware. CrowdStrike says it collects and analyses more than 30 billion endpoint events per day.

Falcon customers can apply various levels of machine learning, from Disabled to Cautious, Moderate or Aggressive. For example, Aggressive detection will raise alerts about all suspicious files, whereas Cautious will only alert if Falcon's machine learning is very sure that a file is malicious. Detection (alerting) and prevention (blocking) can be set to different levels, so an organisation can, for instance, detect aggressively while blocking only on high-confidence verdicts.

Although the Falcon platform is agent-based, CrowdStrike claims that the sensor uses less than one per cent of CPU and is completely silent to the user. One customer said it was "good technology that stays out of the way of end-users."

CrowdStrike markets Falcon in four tiers: Pro ($8.99 per endpoint per month), Enterprise ($15.99), Premium ($18.99) and Complete (price on request). Pro includes anti-virus, threat intelligence, USB device control and firewall; Enterprise adds EDR and threat hunting; Premium adds IT hygiene; Complete adds managed detection and response by a dedicated team.

The company was seen as a leader in the AI-enhanced security space, as shown by these comments. "Consistent ability to innovate, they have a vision and lead from the front", "Superior threat detection and responses," "Good AI tool set within the product", "Innovative tailored solutions that meet our needs. Confidence that we have strong protection".

Technical support was rated highest of all the vendors we asked about, and roadmap, attention to local conditions and investment in new technologies were also strong, as were customer focus and support, exemplified by the comments of a head of IT in the business services sector who had just been through a procurement process.

"There's a big difference with CrowdStrike compared to Darktrace. With Darktrace you could speak to a lot of technical people, we didn't actually understand how it could work in the real world sometimes, whereas CrowdStrike as a company were very, very strong; they were much more customer-focused. The product maybe didn't look the same but I think the way it gave information to the operator was very powerful. Just a really well-formed company."

Not everyone was convinced though.

"Not good enough on its own. Ideal paired with a traditional solution," said a CISO in a large manufacturing firm.

Fortinet

California-headquartered Fortinet develops multiple AI-enhanced security tools, including a web application firewall (FortiWeb), an endpoint protection tool (FortiEDR/FortiXDR) and a virtual security analyst (FortiAI). Each has a defined niche, and overlap between them is minimal.

FortiEDR is the company's cloud-native endpoint detection and response tool, while the newer FortiXDR (extended detection and response) automates many of the manual tasks performed by experienced security analysts.

Like other EDR tools, FortiEDR and FortiXDR promise real-time detection of threats and protection of assets, both pre- and post-infection. Fortinet launched FortiXDR in January 2021. Like FortiEDR, the tool uses AI to detect, investigate and respond to threats. The main difference is where it sits in the chain: FortiXDR is intended to come into play after other threat-prevention tools, Fortinet says.

The pre-infection layer is what the company calls Next Generation Anti Virus, a machine learning system that protects against file-based malware, while the post-infection layer is claimed to guard against data loss even once a machine has been compromised.

Web application firewall FortiWeb is designed to keep up with the changing configurations of web apps - for instance, when new features are deployed, existing ones updated or new web APIs exposed. It covers everything a standard WAF would, with the 'AI' part being the machine-learning-based behaviour analytics. FortiWeb builds and maintains a model of normal behaviour, and uses that model to distinguish benign from malicious application traffic. FortiWeb is available as a virtual machine, an on-premises appliance, a SaaS application, in the cloud or in a container environment.
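To make the "learn normal, then flag deviations" idea concrete, here is an added illustration in Python. It is not FortiWeb's code or algorithm (Fortinet does not publish that), only a toy behaviour model of the kind such products build: it learns, per endpoint and per parameter, the value lengths and character classes seen during a training phase, then reports anything outside that profile. The training requests, the probe requests, the character classes and the `slack` factor are all constructed assumptions for the example.

```python
"""Toy behaviour-model anomaly detector for web requests (added example).

Not FortiWeb's algorithm: a minimal 'learn a baseline, flag deviations'
model. Training and probe traffic below are constructed for illustration.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed training traffic: what a WAF would observe in its learning phase.
TRAINING = [
    "GET /search?q=laptop&page=1",
    "GET /search?q=phone+case&page=2",
    "GET /search?q=usb+cable&page=3",
    "GET /item?id=1042",
    "GET /item?id=877",
    "GET /item?id=12",
]

# Character classes, most restrictive first; a value gets the first that matches.
CLASSES = [
    ("digit", re.compile(r"^[0-9]+$")),
    ("alnum", re.compile(r"^[A-Za-z0-9 _-]+$")),
    ("text", re.compile(r"^[A-Za-z0-9 _.,'@/-]+$")),
]


def parse(line):
    """'GET /path?a=1' -> (method, path, [(name, decoded value), ...])."""
    method, target = line.split(" ", 1)
    parts = urlsplit(target)
    return method, parts.path, parse_qsl(parts.query, keep_blank_values=True)


def char_class(value):
    for name, rx in CLASSES:
        if rx.match(value):
            return name
    return "other"


class BehaviourModel:
    def __init__(self):
        self.endpoints = set()  # (method, path) seen in training
        # (path, param) -> longest value seen and the set of classes seen
        self.profiles = defaultdict(lambda: {"max_len": 0, "classes": set()})

    def learn(self, line):
        method, path, params = parse(line)
        self.endpoints.add((method, path))
        for name, value in params:
            p = self.profiles[(path, name)]
            p["max_len"] = max(p["max_len"], len(value))
            p["classes"].add(char_class(value))

    def score(self, line, slack=1.5):
        """Return the list of anomaly reasons; an empty list means 'normal'."""
        method, path, params = parse(line)
        if (method, path) not in self.endpoints:
            return [f"unknown endpoint {method} {path}"]
        reasons = []
        for name, value in params:
            key = (path, name)
            if key not in self.profiles:  # membership test does not create an entry
                reasons.append(f"unknown parameter {name} on {path}")
                continue
            p = self.profiles[key]
            if len(value) > p["max_len"] * slack:
                reasons.append(f"{name} length {len(value)} exceeds learned {p['max_len']}")
            cls = char_class(value)
            if cls not in p["classes"]:
                reasons.append(f"{name} class '{cls}' not in learned {sorted(p['classes'])}")
        return reasons


def build_model():
    model = BehaviourModel()
    for line in TRAINING:
        model.learn(line)
    return model


def demo():
    """Score constructed probes against the trained model."""
    model = build_model()
    probes = [
        "GET /item?id=1043",                                   # normal
        "GET /item?id=1%20OR%201=1",                           # SQL-injection shaped
        "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E",   # XSS shaped
        "GET /search?q=laptop&debug=1",                        # parameter never seen
        "GET /admin",                                          # endpoint never seen
    ]
    return {probe: model.score(probe) for probe in probes}


if __name__ == "__main__":
    for probe, reasons in demo().items():
        print(probe, "->", reasons or "normal")
```

Two things this toy shows that the paragraph does not. First, the model flags injection-shaped values without any attack signature, purely because they are longer and use characters the parameter never used in training. Second, it is only as good as its learning period: `page=10` is flagged here because training only ever saw single-digit page numbers, which is the false-positive side of any learned baseline and the reason such products must keep relearning as an application changes and be trained on representative traffic before enforcement is switched on.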

FortiAI is an on-premises appliance that uses deep learning neural networks for threat remediation. According to Fortinet, the AI is designed to work as a virtual analyst, quickly detecting and responding to security incidents. Fortinet says FortiAI uses a reinforcement learning model while it is being trained and later transitions to unsupervised learning, which does not require a labelled dataset, allowing the model to evolve in response to new threats. FortiAI then integrates with the FortiGate intrusion prevention system to block those threats automatically.

Fortinet promises a ‘low, predictable cost and capped TCO' for FortiEDR, but does not publicly share prices. Estimated prices are available on third-party sites, however.

Fortinet scored well on factors including technical support and commercial flexibility. Coverage and threat detection were positives as was ease of use.

"Innovative ideas and sophisticated machine-learning," commented an IT director in business services. "Good toolset and great management capability," added a service availability manager in distribution and transport.

"Fortinet have a good suite of products, and are competitively priced, and as I understand it from our security resellers they're not a hard organisation to do business with, so if you want to do trials and things they're willing and able," said an IT director in construction.

Fortinet achieved solid scores across the board, but a little lower than some rivals in terms of Flexibility to modify controls, Suitable licensing models and Initial and ongoing costs.

"The costs and implementation time were the main reasons we went elsewhere," said an analyst in a technology firm.

Conclusion

Organisations do not buy AI security solutions off the shelf, so like-for-like comparisons are of limited use. Important factors are existing suppliers and skills, integration and support requirements and bespoke needs. That said, all four of these vendors achieved thoroughly commendable results in our study, with most respondents saying their AI/ML capabilities are a genuine advance rather than a gimmick, which is how many saw them when we first ran this study two years ago. Respondents consider their solutions reasonably priced and effective at stopping the vast majority of threats quickly and adapting their behaviour thereafter.

CrowdStrike managed the highest scores overall, albeit from a relatively small sample size, and is the one that has achieved the fastest growth in recognition in the UK over the last two years. The youngest of the four, it perhaps retains the start-up virtues of moving fast and innovating rapidly. At the other end of the scale, Symantec has seen its fortunes rejuvenated. Two years ago it was considered by some to be a 'has been', but its new AI-enhanced products have caused a few to rethink. Overall, though, its ratings, while respectable, were a little lower than the others'.

What's clear is that machine learning has become a genuine benefit to endpoint protection and firewalls, finding itself embedded in more and more areas, and that the term 'AI-enhanced' will soon become a thing of the past.
