When it comes to building a portfolio of services you can offer your customers, endpoint security is a must-have. In today’s world of organized criminals, ransomware, phishing schemes, and polymorphic threats, organizations of every type are in desperate need of protection. Some established MSPs, recognizing the critical nature of security, have changed their moniker to MSSP — managed security service provider — and lead their service sales pitch with security and fear of data loss or a breach. It’s not a bad idea.
Regardless of your market focus or the size of your customers, malware can be devastating for them. Valuable data can be lost or held for ransom. If your customers are in regulated industries like healthcare, retail and banking, costly fines can be levied. According to the U.S. National Cyber Security Alliance, 60 percent of small businesses go out of business within six months of a cyber-attack.
However, it’s not just your customers who can suffer. When malware strikes, all eyes will turn to you, the trusted advisor who was supposed to be protecting your customer. Many MSPs make malware protection a mandatory part of their service offering. Fortunately, there are dozens of excellent endpoint security products available today. Unfortunately, there are so many that it can be overwhelming to determine which is the right one for you.
To help you make the best decision, XaaS Journal plans to compare some of the most popular security offerings today. We will not be selecting a “best” or “Editor’s Choice.” Instead, our goal is to lay out the fundamental features and characteristics of each product to allow you to make the most informed decision for your business and your customers.
In this roundup, we’ll look at solutions from Avast, Bitdefender, and Sophos. In the coming months, we’ll be publishing more comparisons to eventually be able to provide a more holistic view of the field.
For this comparison, Avast submitted its Business Antivirus Pro Plus, the company’s endpoint protection that MSPs can use with their existing remote monitoring and management (RMM) tool. Alternatively, the solution is available through Avast’s Managed Workplace RMM with integrated antivirus services.
Avast’s other endpoint protection solutions, Antivirus and Antivirus Pro, are available as standalone products (along with Antivirus Pro Plus).
Bitdefender submitted its Cloud Security for MSPs solution.
Sophos submitted Intercept X, Sophos Intercept X Advanced (the company’s primary offering), Sophos Intercept X for Server, Sophos Mobile, and Sophos SafeGuard Encryption.
Methods of Protection
Writing a virus signature after the malware has already struck is no longer enough on its own. Today's solutions layer a variety of techniques, including machine learning, to detect and block malware before and as it runs.
Avast Business Managed Workplace's integrated antivirus service is built on Avast Business Antivirus Pro Plus, an enterprise-grade endpoint protection product that can be deployed to devices under management from the Managed Workplace console. Through Managed Workplace, MSPs can apply policy configuration and enhanced device security. Avast Business Antivirus Pro Plus is a full-featured antivirus solution for small to midsize businesses that protects end users' data and devices from sophisticated online threats across corporate and public networks.
Avast has hundreds of millions of connected users providing a continual stream of data that helps the software quickly identify and destroy threats while predicting future ones. The company’s cloud-based machine-learning engine is evolving and learning, making the solutions smarter, faster and more powerful.
The product features Avast's four-shield defense system (web, email, file, and behavior). The shields work together to analyze traffic to and from devices and block malicious files, dangerous websites, unusual behavior, unauthorized connections, and other threats. Combined with CyberCapture, which holds ("captures") any file not seen before for deeper analysis in an isolated cloud environment, Avast can protect against zero-day attacks.
Bitdefender Cloud Security for MSPs is a security suite that features antivirus, anti-malware, content control, device control, anti-exploit, web filtering, and process behavior monitoring in the standard product without additional charges.
With a layered approach to security, Bitdefender Cloud Security for MSPs includes hardening and control, automatic prevention, threat investigation, detection and response. From the same console, MSPs can manage a dedicated security product integrated with Amazon Web Services designed to protect workloads hosted in Amazon.
To stop the broadest range of threats, Sophos Intercept X employs a defense-in-depth approach, rather than merely relying on one primary security technique. Intercept X combines proven foundational (traditional) techniques with modern (next-gen) approaches such as deep learning (advanced machine learning) and anti-exploit and active adversary protection capabilities.
Years ago, the need to protect Macs rarely arose outside school labs and graphic design shops. Today Macs are used in many businesses and in every department, including the C-suite, and with increased adoption has come increased risk. Thankfully, many security solutions can now protect Macs; all three of the companies we compared support macOS.
Sophos' Mac release features CryptoGuard ransomware protection, which detects malicious encryption activity, stops the attack, and rolls back any impacted files to their previous state. Also included in the Mac version is Root Cause Analysis (RCA), which offers forensic analysis capabilities to determine the details behind an attack. Other included features are Malicious Traffic Detection, which monitors for connections to suspected command-and-control servers, endpoint self-help for easier diagnostics, and local cache updates.
Bitdefender’s Endpoint Security for Mac provides antivirus/anti-malware, content control (including web traffic scan, anti-phishing, web categories filtering, web access control, application blacklisting), device control, and full disk encryption (as a separate add-on).
Whether you have tens or hundreds of customers, each with tens or hundreds of endpoint devices, it can quickly become overwhelming to manage everything. Therefore, it’s critical to have a solution that makes it easy for you to:
- see what’s going on with all your customers
- install and push out updates remotely and
- integrate with your other systems (e.g., RMM [remote monitoring and management] and PSA [professional services automation] tools).
All three of the solutions here offer a management console that can be accessed remotely.
Avast Business Endpoint Protection solutions have both a cloud-based and on-premises management console. MSPs who use Managed Workplace RMM can manage the integrated antivirus services (Antivirus Pro Plus) from the Managed Workplace platform as well.
Avast Business Antivirus Pro Plus is integrated with Avast Business Managed Workplace and Avast Business CloudCare. Managed Workplace is integrated with Autotask, Connectwise, Tigerpaw, Salesforce, and others.
Sophos Central provides centralized management for all Sophos services and allows partners and MSPs to integrate with common PSA and RMM vendors. Sophos has integrations with Kaseya and ConnectWise Automate and is currently working with other RMM vendors. Sophos has also created sample scripts that MSPs can use to automate the installation of the Sophos agent. MSPs can use the company’s scripts as a baseline to write their own scripts and get the Sophos agent deployed across their customers quickly and easily. Sophos Central also has ConnectWise Manage billing integration.
Staying ahead of criminals and malware is difficult, if not impossible. Therefore, many providers have devised new ways of addressing zero-day threats. One technique is to use a form of journaling whereby the software keeps constant track of all changes being written to a device. In the event malware attacks, the journal or record of all changes can act as a time machine to roll the device back to a previously safe state.
Bitdefender creates an audit trail of changes made by processes on the endpoint. Based on this audit trail, when a threat is detected, it automatically kills the malicious process and any other related processes and rolls back the malicious changes made by these processes. For example, it removes other instances of the file or other dropped files, persistence mechanisms such as registry keys and startup locations containing or pointing to the file. However, a rollback does not cover files encrypted by ransomware on the local computer or file shares.
Zero-Day Threats and Ransomware
As mentioned earlier, Sophos Intercept X includes rollback capabilities called CryptoGuard. CryptoGuard runs a file filter driver that intercepts opens of certain file types and saves a copy of each such file to a folder on the machine. When a file is closed, CryptoGuard compares it against the copy taken earlier. If the file is determined to have been maliciously encrypted, CryptoGuard records the process responsible (or, for a network share, the IP address of the remote writer) and retains the copy. It then walks back through all the malicious file modifications and restores the files to their original locations. Because this covers files on network shares as well as on local disk, it is an important distinction among security products.
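The two rollback designs above (Bitdefender's per-process audit trail that kills the process tree and undoes dropped files, and CryptoGuard's copy-on-open, compare-on-close detection of malicious encryption) can be sketched together in one small simulation. The code below is an added example written for this article; it is not code from Bitdefender or Sophos, and it stands in an in-memory dictionary for the disk and a byte-entropy test for "looks encrypted". The monitored extensions, the 7.0 bits-per-byte threshold, and the process IDs are assumptions chosen for the demonstration.

```python
import math
import random
from collections import defaultdict

# Assumptions for this example (not vendor settings): which file types are
# snapshotted on open, and the entropy above which a rewrite is treated as encryption.
MONITORED_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".txt"}
ENTROPY_THRESHOLD = 7.0  # bits per byte; uniformly random data scores close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; plaintext documents score well under 7, ciphertext near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def is_monitored(path: str) -> bool:
    return any(path.lower().endswith(ext) for ext in MONITORED_EXTENSIONS)


class RollbackMonitor:
    """Per-process change journal over an in-memory 'disk' (dict path -> bytes)."""

    def __init__(self, disk: dict):
        self.disk = disk
        self.originals = {}                # (pid, path) -> bytes before first write, or None if created
        self.journal = defaultdict(list)   # pid -> paths touched, in order
        self.children = defaultdict(list)  # pid -> child pids
        self.flagged = set()               # pids caught encrypting

    def spawn(self, parent_pid: int, child_pid: int) -> None:
        self.children[parent_pid].append(child_pid)

    def on_open_for_write(self, pid: int, path: str) -> None:
        """Filter-driver step: keep a copy of the pre-write contents the first time a process touches a file."""
        if (pid, path) not in self.originals:
            self.originals[(pid, path)] = self.disk.get(path)
            self.journal[pid].append(path)

    def on_close(self, pid: int, path: str, new_data: bytes) -> bool:
        """Commit the write, then compare with the copy; True if the rewrite looks like encryption."""
        self.disk[path] = new_data
        original = self.originals.get((pid, path))
        suspicious = (
            is_monitored(path)
            and original is not None
            and new_data != original
            and shannon_entropy(original) < ENTROPY_THRESHOLD
            and shannon_entropy(new_data) >= ENTROPY_THRESHOLD
        )
        if suspicious:
            self.flagged.add(pid)
        return suspicious

    def remediate(self, root_pid: int):
        """Kill the process tree and undo every journaled change it made: restore rewrites, delete dropped files."""
        killed, stack = [], [root_pid]
        while stack:
            pid = stack.pop()
            killed.append(pid)
            stack.extend(self.children[pid])
        restored, removed = [], []
        for pid in killed:
            for path in reversed(self.journal.pop(pid, [])):
                original = self.originals.pop((pid, path))
                if original is None:
                    self.disk.pop(path, None)  # did not exist before: a dropped artifact
                    removed.append(path)
                else:
                    self.disk[path] = original
                    restored.append(path)
        return killed, restored, removed


def run_scenario():
    """Constructed sample: a benign edit, then a ransomware parent/child pair, then remediation."""
    plaintext = b"Quarterly report: revenue up 12 percent, costs flat. " * 80
    disk = {"report.docx": plaintext}
    mon = RollbackMonitor(disk)

    # Benign editor (pid 200) appends a line; low entropy, must not be flagged.
    edited = plaintext + b"Approved by finance.\n"
    mon.on_open_for_write(200, "report.docx")
    benign_flagged = mon.on_close(200, "report.docx", edited)

    # Ransomware (pid 100) overwrites the document, then its child (pid 101) drops a note.
    # Seeded random bytes stand in for ciphertext so the run is repeatable.
    rng = random.Random(1)
    ciphertext = bytes(rng.getrandbits(8) for _ in range(4096))
    mon.spawn(100, 101)
    mon.on_open_for_write(100, "report.docx")
    ransom_flagged = mon.on_close(100, "report.docx", ciphertext)
    mon.on_open_for_write(101, "HOW_TO_DECRYPT.txt")
    mon.on_close(101, "HOW_TO_DECRYPT.txt", b"pay 1 BTC")

    killed, restored, removed = mon.remediate(100)
    return {
        "benign_flagged": benign_flagged,
        "ransom_flagged": ransom_flagged,
        "killed": killed,
        "restored": restored,
        "removed": removed,
        "report_after": disk["report.docx"],
        "note_present": "HOW_TO_DECRYPT.txt" in disk,
        "edited": edited,
    }
```

Two points a practitioner should take from the run: the journal is keyed per process, so rolling back pid 100 restores the version the legitimate editor saved rather than the file as it was at boot; and entropy alone is a weak signal, since already-compressed files (JPEG, ZIP, encrypted archives) score near 8 before any attack, which is why the example also requires the original to have been low-entropy and why real products combine several signals. Rollback also only reaches what the journal saw, which is the same limitation Bitdefender states for its own audit-trail rollback.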
Through its four-shield defense system, Avast Business Endpoint Protection can detect a zero-day variant and immediately quarantine it through CyberCapture for further inspection. If the variant is confirmed as a zero-day threat, Avast immediately pushes out a virus definition update to its entire user base so that other endpoints are protected from it.
Avast says it blocked 128 million ransomware attacks last year. The Behavior Shield continuously monitors for suspicious behavior across all software installed on a device. This is a powerful tool against ransomware because it can expose unknown samples by watching how the code behaves as it executes, then step in to stop and quarantine the threat in real time. Avast also offers free decryption tools that can recover files encrypted by certain ransomware families, though not every family can be decrypted.
Bitdefender anti-exploit stops zero-day exploits not by matching signatures of known exploits but by watching for the behaviors and techniques that exploits rely on to hijack legitimate programs.
MSPs can limit users’ exposure to ransomware by preventing access to malicious websites or preventing malicious emails from reaching users. If systems are unpatched and a vulnerability is used as part of the ransomware attack, Bitdefender anti-exploit blocks the attack in memory before it can compromise the system and before the attacker payload can run on the machine.
Known ransomware is stopped using cloud and local lookups, while zero-day samples are stopped using machine learning algorithms. Bitdefender also includes a Ransomware Vaccine that makes ransomware believe it has already infected the system, so it does not try to infect the same machine again; by its nature this helps only against families that check for such a marker before encrypting.
If ransomware does get by these layers of protection, it is stopped by the continuous monitoring process which notices malicious actions and terminates the process.
Sophos uses multiple approaches for zero-days. First, the company’s deep learning malware detection engine can detect malicious files even if they’ve never been seen before. This works by examining the “DNA” of the file and determining if it’s malicious before it executes. Also, Intercept X disrupts the attack chain by focusing on 25+ tools and techniques attackers use as part of exploit-based attacks (as opposed to only looking for malware). This is highly effective against zero-day attacks, including file-less and exploit-based attacks. Even if Sophos has never seen the threat before, it has likely seen the tool or technique used to distribute the attack, install the threat, move laterally, steal credentials and exfiltrate data.
The company also has multiple ways of stopping ransomware. First, Sophos' anti-exploit capabilities can stop the delivery and installation of ransomware in many cases, such as the EternalBlue exploit and DoublePulsar backdoor used by WannaCry. If the ransomware does make it onto disk, the software's deep learning technology looks at the DNA of the file and determines it is ransomware (even if it has never been seen before), then quarantines the file before it executes. If the ransomware does execute, CryptoGuard sees the malicious encryption happening, stops the ransomware, and rolls back any impacted files to their original state. All these techniques are included in Intercept X.
As we’ve mentioned a couple of times now, security products are continually evolving to keep up with threats. If you evaluated any of these products a few years ago — even one year ago — some things have changed. We asked each vendor to share some details about their latest enhancements and new features.
Avast Business Endpoint Protection's Management Console now includes remote deployment and a local update server, which lets administrators update their antivirus clients from a local source at a time convenient for their users. These features were made available in September 2018.
The Avast Business Managed Workplace solution was updated in July 2018. New patch management reduces cost and labor by enabling MSPs to quickly identify when an individual device was last patched, establish a steady schedule of update checks for all connected devices, and filter out superseded patches to reduce customer disruption. New features for the product include Webcam Shield and advanced firewall settings that allow for more tailored endpoint protection.
Bitdefender also added patch management. Advanced Threat Security (HyperDetect and Sandbox) and EDR (endpoint detection and response) are its newest capabilities, made available in July 2018.
Sophos Intercept X with deep learning technology was released in Q1 2018. Intercept X for Server (which includes deep learning) was launched in the summer of 2018.
Let’s Talk Dollars and Cents
Let’s face it, you can have the most feature-rich solution in the world, but if it isn’t priced right for you and your customers, it might be out of reach. While some vendors require an annual minimum spend to participate in their partner program, none of these three impose such restrictions.
Today a single user often has multiple devices that need protection, so another cost factor is whether you are charged per device or per user. Avast and Bitdefender are priced per device, while Sophos is priced per user. We're not suggesting one model is better than the other, but it's worth knowing the difference and comparing the number of endpoints you'll be protecting against the number of users.
As far as licensing is concerned, Avast Business Endpoint Protection licenses are automatically generated upon purchase for the standalone products. For MSPs using the Managed Workplace RMM platform, the licenses are enabled upon purchase and can be deployed, removed, or moved to different customers. Through Managed Workplace, MSPs are not required to manage the licenses for their customers but have an inventory of antivirus service licenses to roll out when there is demand.
Under Bitdefender, MSPs are invoiced based on the total number of endpoints protected in the previous month based on usage reports that are available in the console.
Since Sophos is licensed per user, if a customer brings on an employee who needs protection, you can add the employee and modify the billing during that cycle.
Having talked with many MSPs over the years, we know that what’s best for one isn’t necessarily so for another. Your choice might be limited by the PSA platform or RMM tools you’ve already adopted. Maybe the pricing model isn’t right for you. Regardless, weighing the options contained in this product overview should give you good food for thought to help you make the best decision for you and your customers.