Comodo Dragon Platform Offers Protection Over Old School Signatures and Scans
Detection and protection go hand in hand with Comodo Dragon Enterprise Platform. Unlike other solutions in the market, Comodo Dragon focuses on delivering active breach protection by combining endpoint and network security. Dragon prevents any breach at its core with patented unknown file containment technology.
Comodo Dragon Enterprise Versus Symantec Endpoint Protection
The comparison covers the following capabilities:
Signature-based anti-malware protection
Machine learning/algorithmic file analysis on the endpoint
Machine learning for process activity analysis
Memory protection and exploit prevention
Protection against undetected malware
Symantec Endpoint Protection (SEP) takes a detection-first approach, and this creates risk from zero-day attacks. Comodo Dragon Enterprise covers the loose ends with containment technology, providing protection against zero-day attacks and unknown files even if you are patient zero.
Symantec Endpoint Protection lacks the ability to use behavioral prevention telemetry to detect advanced threats. It relies on signature-based detection driven by file system scans and does not support customizable prevention. SEP frequently misses today’s fileless attacks and behavioral malware.
In addition, SEP does not provide real-time reputation checks, and no automatic action is applied in the event of false positives. SEP also does not provide real-time endpoint data or visibility over endpoint events, so it cannot be queried for the assessments and audits needed during an incident. An additional product, Symantec EDR, is needed to cover those missing points. But even with EDR added, there is no ability to isolate compromised endpoints.
False positives are another shortfall of SEP. Comodo’s Dragon Enterprise Platform has zero false positives with its trust verdict system. Using auto-containment combined with endpoint detection and response (EDR), it generates detections and alarms if, and only if, an unknown process exists within the execution path. Whether it is a script, a PE file or a fileless executable, as soon as any process accesses an unknown executable, all relevant events are recorded in depth until that file receives a verdict.
Comprehensive Detection and Response with Comodo Dragon Enterprise Platform
According to a SANS survey, endpoint protection platforms (EPP) and endpoint detection and response (EDR) detect only 26 percent of the initial vectors of an attack.* Due to the high volume of security alerts, and because many alerts are incomplete and lack context, 54 percent of security professionals ignore alerts that should be investigated.
Comodo Dragon Enterprise Platform is a comprehensive security solution that provides a broader perspective and better context to identify threats more easily and contain them more effectively. Its enterprise-class network traffic analysis detects suspicious behaviors, prioritizes investigations into the highest-risk threats with automated response, captures all network traffic, generates extensive metadata for all important network protocols, and then sends this data to the cloud to enrich it and correlate it with endpoint sensor data. Sensing only through the endpoints (SEP limits its sensing to the endpoints rather than the full network) will not reveal hybrid attack surfaces. Comodo Dragon Enterprise Platform gives the perspective needed to understand the hybrid attack surface from the inside out. It enables finding rogue devices and reports back any attack vector based on those otherwise undetectable devices.
Comodo delivers everything needed to activate breach protection immediately: network and endpoint discovery, device management, vulnerability scanning, patch management, endpoint protection, endpoint detection and response, network and cloud detection and response, and managed threat hunting/managed detection and response.
With Symantec on the other hand, you need to buy Symantec EPM: Endpoint Management, Symantec Endpoint Protection, SEP Cloud, Symantec EDR, and that only covers part of what is available with Dragon Enterprise Platform. With Symantec, you need to deploy all those agents and manage them separately from different portals.
Dragon Enterprise Platform gives complete visibility and provides one console with one source of management, which simplifies the steps to a full understanding of the attack vector, its impact and how to remediate. You not only get unique patented protection that is proven to stop malware; you also receive integrated threat intelligence and managed response. And it is all delivered via a single lightweight agent and management portal.
Ransomware is an emerging threat targeting organizations across all industries. The impact of a successful ransomware attack is critical and includes the loss of access to data and systems, and operational downtime. Most of the time, if the 3-2-1 backup rule is not followed (keep at least three (3) copies of your data, store two (2) backup copies on different storage media, with one (1) of them located offsite), the damage of a ransomware attack is devastating and irreversible.
Ransomware is commonly deployed across an environment in two ways:
The first way is manual propagation by a threat actor after they have penetrated an environment and hold administrator-level privileges broadly across it, or automated propagation using credentials or Windows tokens extracted from disk or memory. The second method is by leveraging remote execution mechanisms such as Windows Management Instrumentation (WMI), SMB, or PsExec.
Modern ransomware attempts to thwart security controls by signing the ransomware with an Authenticode certificate, which is widely available for purchase or can easily be stolen. This minimizes detection by anti-malware or anti-ransomware defenses because most traditional endpoint protection solutions, including SEP, depend on signatures as well as code signing. This means SEP may trust malicious code and will not scan the code itself.
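The two deployment methods above leave characteristic traces in process-creation telemetry, and the text argues that behavioral telemetry is what SEP lacks. As an added example (not Comodo's or Symantec's code, and not any product's rule set), the following detection logic runs over a handful of constructed process-creation events and flags the well-known parent/child relationships that remote execution through WMI (WmiPrvSE.exe spawning a shell), PsExec (services.exe starting PSEXESVC.exe) and SMB admin shares (a binary launched from an ADMIN$ or C$ path) produce, then raises a separate finding when one account is seen doing this on several hosts, which is the propagation pattern described. The event field names and the sample events are assumptions made for the example, not a real log format.

```python
from collections import defaultdict

# Constructed sample process-creation events (not real telemetry).
# Field names are an assumption for this example.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\jdoe",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "command_line": "WINWORD.EXE /n"},
    {"host": "ws02", "user": "CORP\\svc-admin",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c start deploy.exe"},
    {"host": "ws03", "user": "NT AUTHORITY\\SYSTEM",
     "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\PSEXESVC.exe",
     "command_line": "PSEXESVC.exe"},
    {"host": "ws04", "user": "CORP\\svc-admin",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"\\fs01\ADMIN$\deploy.exe",
     "command_line": r"\\fs01\ADMIN$\deploy.exe"},
    {"host": "ws05", "user": "CORP\\svc-admin",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -File deploy.ps1"},
]

# Interpreters and shells that WMI-based remote execution typically launches.
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "rundll32.exe"}

# How many distinct hosts one account must touch before we call it propagation.
PROPAGATION_HOST_THRESHOLD = 3


def basename(path):
    """Return the lower-cased file name of a Windows or UNC path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_remote_execution(events):
    """Return a list of findings for events that look like remote execution.

    Each finding is a dict with host, user and rule. A final aggregate
    finding is added when the same account triggers per-host findings on
    at least PROPAGATION_HOST_THRESHOLD different hosts.
    """
    findings = []
    for e in events:
        parent = basename(e["parent_image"])
        child = basename(e["image"])
        image_lower = e["image"].lower()

        # WMI: the WMI provider host spawning a shell or script interpreter.
        if parent == "wmiprvse.exe" and child in SHELLS:
            findings.append({"host": e["host"], "user": e["user"],
                             "rule": "WMI remote process execution"})

        # PsExec: the service control manager starting the PsExec service binary.
        if parent == "services.exe" and child == "psexesvc.exe":
            findings.append({"host": e["host"], "user": e["user"],
                             "rule": "PsExec service execution"})

        # SMB: a binary executed directly from an administrative share path.
        if "\\admin$\\" in image_lower or "\\c$\\" in image_lower:
            findings.append({"host": e["host"], "user": e["user"],
                             "rule": "Execution from SMB admin share"})

    # Propagation: one account repeating remote execution across many hosts.
    hosts_by_user = defaultdict(set)
    for f in findings:
        hosts_by_user[f["user"]].add(f["host"])
    for user, hosts in sorted(hosts_by_user.items()):
        if len(hosts) >= PROPAGATION_HOST_THRESHOLD:
            findings.append({"host": "*", "user": user,
                             "rule": "Broad propagation: %s executing remotely on %d hosts"
                                     % (user, len(hosts))})
    return findings


if __name__ == "__main__":
    for finding in detect_remote_execution(SAMPLE_EVENTS):
        print(finding["host"], finding["user"], finding["rule"])
```

On the constructed sample this produces four per-host findings (ws02 and ws05 via WMI, ws03 via PsExec, ws04 via an admin share) and one aggregate finding for the svc-admin account, which is the signal a reviewer would want surfaced as a single incident rather than four unrelated alerts.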
Although it is a lot easier to change a malware’s appearance (obfuscate its code) than to change its purpose or behavior, all ransomware uses file encryption to overwrite the original files, which can only be reverted if the ransom is paid to obtain the decryption keys from the attacker. Comodo invented run-time automatic threat containment that virtualizes all persistent changes from the steady (safe) state of running applications, namely write operations to the registry, file system and COM interfaces. So even if the malicious software hides itself and cannot be detected, when it tries to overwrite the original files, all it can write to is a virtual file system, not the real one. When the code execution finishes, the virtual file system is destroyed, so there is nothing to revert, unlike some other protection solutions.
Symantec, along with other endpoint protection solutions, can never offer protection from ransomware, because it is not baked into its core technology.
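The containment idea above (reads see the real file system, persistent writes are diverted to a throw-away view that is discarded when the contained code exits) can be shown in miniature. The following is an added illustration written for this page, not Comodo's containment implementation or any part of its product: a copy-on-write overlay over a directory, a runner that executes an untrusted callable against that overlay and discards it afterwards, and a demo in which the callable overwrites and deletes every document it can find. The class and function names, and the sample documents, are assumptions of the example.

```python
import shutil
import tempfile
from pathlib import Path


class ContainedFileSystem:
    """Copy-on-write view over a real directory.

    Reads fall through to the real tree unless the contained code has
    already written or deleted the file; writes and deletes only touch an
    overlay directory, which discard() removes. Hypothetical API for the
    example, not a product interface.
    """

    def __init__(self, real_root):
        self.real_root = Path(real_root).resolve()
        self.overlay = Path(tempfile.mkdtemp(prefix="contained-"))
        self.deleted = set()  # relative paths the contained code "deleted"

    def _check(self, rel):
        """Reject paths that would escape the contained root."""
        rel = Path(rel)
        if rel.is_absolute() or ".." in rel.parts:
            raise ValueError("path escapes the contained root: %s" % rel)
        return rel

    def read(self, rel):
        rel = self._check(rel)
        if rel in self.deleted:
            raise FileNotFoundError(str(rel))
        shadow = self.overlay / rel
        if shadow.exists():          # contained code sees its own changes
            return shadow.read_bytes()
        return (self.real_root / rel).read_bytes()

    def write(self, rel, data):
        rel = self._check(rel)
        shadow = self.overlay / rel  # never the real file
        shadow.parent.mkdir(parents=True, exist_ok=True)
        shadow.write_bytes(data)
        self.deleted.discard(rel)

    def delete(self, rel):
        rel = self._check(rel)
        shadow = self.overlay / rel
        if shadow.exists():
            shadow.unlink()
        self.deleted.add(rel)        # hide it from reads, real file untouched

    def discard(self):
        """Throw the overlay away; nothing has to be reverted."""
        shutil.rmtree(self.overlay, ignore_errors=True)


def run_contained(real_root, untrusted):
    """Run untrusted(fs) against a contained view of real_root, then discard it."""
    fs = ContainedFileSystem(real_root)
    try:
        untrusted(fs)
    finally:
        fs.discard()


def demo():
    """Overwrite and delete documents inside containment; return what happened.

    Returns (originals, what the contained code read back, real contents after).
    """
    real = Path(tempfile.mkdtemp(prefix="docs-"))
    originals = {"report.txt": b"quarterly report", "notes/todo.txt": b"call supplier"}
    for rel, data in originals.items():          # constructed sample documents
        target = real / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)

    seen_inside = {}

    def untrusted(fs):
        # Stand-in for code that overwrites every document it can reach.
        for rel in originals:
            fs.write(rel, b"<<overwritten>>")
            seen_inside[rel] = fs.read(rel)      # it believes it succeeded
        fs.delete("report.txt")

    run_contained(real, untrusted)
    after = {rel: (real / rel).read_bytes() for rel in originals}
    shutil.rmtree(real, ignore_errors=True)
    return originals, seen_inside, after


if __name__ == "__main__":
    originals, seen_inside, after = demo()
    print("contained code read back:", seen_inside)
    print("real files after the run:", after)
    print("originals intact:", after == originals)
```

The point the demo makes is the one the text relies on: the contained code observes its own overwrites and deletions, so it has no reason to change tactics, while the real documents are unchanged and no rollback step is needed once the overlay is discarded. A real implementation must also cover registry and COM writes and enforce the boundary in the kernel rather than through a cooperative API, which is exactly where the escape check in _check would otherwise be bypassed.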
Comodo’s Dragon Enterprise Platform comes with a fully operational 24×7 SOC service to monitor and alert, with a Managed Detection and Response (MDR) component that is an integrated suite of managed detection and response technologies offered as a combined turnkey service for advanced cybersecurity. Our customers leverage a combination of Comodo technologies deployed at the host and network layers, advanced analytics, threat intelligence, and human expertise in incident investigation and response.
If the automated response systems miss a threat, or a customer does not have enough security expertise to operate the platform, our threat hunting support teams provide response guidelines when malicious activity is discovered.
Comodo MDR incorporates a semi-supervised artificial intelligence engine that learns from the activities and operations of Comodo’s cybersecurity experts, accelerating detection and response to new threats. Human security analyst decisions are fed back into the AI engine, which yields better accuracy.
MDR allows security analysts to hunt for threats throughout the environment and reconstruct the full attack chain with the help of data visualization and analysis, statistical correlations, data pivoting, and other tools.
MDR collects numerous security datasets (from network, endpoints, cloud, and applications) to investigate. The many data inputs help to normalize and analyze many sources for a more complete, timely, and accurate picture. Faster response translates to reducing an adversary’s dwell time.
Symantec’s Managed Endpoint Detection and Response (MEDR) provides managed threat hunting and continuous monitoring using their endpoint solutions; however, their service offering only covers the endpoints. Comodo’s MDR service collects and hunts from network, endpoint, cloud and applications.
In addition, Symantec’s cyber security services business was sold to Accenture after Symantec was acquired by Broadcom. This includes global threat monitoring and analysis via a network of security operation centers, threat intelligence, and incident response services. So, it is a big question whether Symantec will continue to provide such services.
*Endpoint Protection and Response: A SANS Survey Analyst Paper by Lee Neely – June 12, 2018