Endpoint Detection Compared

We compare endpoint security products directly using real, major threats

How can you test and judge endpoint protection products? SE Labs tested a variety of Endpoint Detection and Response products against a range of hacking attacks designed to compromise systems and penetrate target networks in the same way as criminals and other attackers breach systems and networks.

EDR products require advanced testing

An Endpoint Detection and Response (EDR) product is more than anti-virus, which is why it requires advanced testing. This means testers must behave like real attackers, following every step of an attack.

Full attack chain testing

While it’s tempting to save time by taking shortcuts, a tester must go through an entire attack to truly understand the capabilities of EDR security products.

Each step of the attack must be realistic too. You can’t just make up what you think bad guys are doing and hope you’re right. This is why SE Labs tracks cyber criminal behaviour and builds tests based on how bad guys try to compromise victims.

MITRE framework

The cyber security industry is familiar with the concept of the ‘attack chain’, which is the combination of those attack steps. Fortunately, the MITRE organisation has documented each step with its ATT&CK framework. While this doesn’t give an exact blueprint for realistic attacks, it does present a general structure that testers, security vendors and customers (you!) can use to run tests and understand test results.

The Enterprise Advanced Security tests that SE Labs runs are based on real attackers’ behaviour. This means we can present how we run those attacks using a MITRE ATT&CK-style format. You can see how ATT&CK lists out the details of each attack, and how we represent the way we tested, in Appendix A: Threat Intelligence, starting on page 16. This brings two main advantages: you can have confidence that the way we test is realistic and relevant, and you’re probably already familiar with this way of illustrating cyber attacks.
