AV-Comparatives reveals the results of its EPR - Endpoint Prevention and Response Test
January 2022 by AV-Comparatives
The independent ISO-certified security testing lab AV-Comparatives has released the results of its Endpoint Prevention and Response Test (EPR).
The AV-Comparatives EPR test is the most comprehensive assessment of its kind in the world.
Each of the 10 products in the test was subjected to 50 separate targeted attack scenarios.
The top Strategic Leader Award was given to Bitdefender, Palo Alto Networks, Check Point, CrowdStrike, F-Secure, Cisco and ESET. Symantec by Broadcom received the CyberRisk Visionaries award. Two further vendors reached the Strong Challengers award.
The Strategic Leader award is given to EPR products which showed a very high return on investment and a very low total cost of ownership. These products demonstrate outstanding enterprise-class prevention, detection, response, and reporting capabilities, combined with optimal operational and analyst workflow features.
Peter Stelzhammer, co-founder of AV-Comparatives, said: “Congratulations to our Strategic Leaders. These winners show others the way forward by setting and meeting ambitious targets. They develop ground-breaking ideas and implement these in their products.”
“All tested vendors were provided with information on their performance, so that they can further improve their products.”
“Security breaches can have significant financial impacts, with the average cost of a breach now standing at $4.24 million, according to IBM.”
“An effective EPR product that minimises the negative impact of an attack can be a very good investment. If a company stands to lose $2 million from an attack, then spending half of that on security measures makes good financial sense.”
Enterprises use EPR products to detect, prevent, analyse, and respond to targeted attacks such as advanced persistent threats (APTs). They should be able to detect and block malware and network attacks on individual workstations, as well as deal with multi-stage attacks designed to infiltrate an organisation’s entire network.
In addition to protecting individual devices, EPR systems should also provide detailed analysis of an attack’s origin, methods and aims in order to allow security staff to understand the nature of the threat, prevent it from spreading, repair damage and take precautions to prevent similar attacks in the future.
The EPR test involves a variety of different techniques. When left unchecked, the attacks progress through three separate phases: Endpoint Compromise and Foothold; Internal Propagation; and Asset Breach.
The tests determined whether the product detected the attack, took automated action to block the threat (active response), or provided information about the attack which the administrator could use to take action themselves (passive response).
If an EPR product did not block an attack at one stage, the attack would continue to the next phase.
Each tested product was given a window of 24 hours after the start of an attack. Testers examined the ability of each product to take remedial action such as isolating an endpoint from the network, restoring it from a system image, or editing the Windows Registry.
AV-Comparatives also tested every product’s ability to investigate the nature of an attack, including a timeline and breakdown of phases. Finally, the ability of each product to collect and present information on indicators of compromise in an easily accessible form was assessed.
Like all AV-Comparatives’ public test reports, the 2021 EPR Comparative Report is available for free: https://www.av-comparatives.org/wp-...