Comodo: Cloud Native Cyber Security Platform

WHY CHOOSE COMODO OVER SYMANTEC

Comodo’s Advanced Endpoint Protection (AEP) is a game-changing, validated approach that offers the world’s only active breach protection that renders ransomware, malware and cyber-attacks useless.

Comodo Dragon Platform Offers Protection Over Old School Signatures and Scans

Detection and protection go hand in hand with Comodo Dragon Enterprise Platform. Unlike other solutions in the market, Comodo Dragon focuses on delivering active breach protection by combining endpoint and network security. Dragon prevents any breach at its core with patented unknown file containment technology.

Compare

Comodo Dragon Enterprise Versus Symantec Endpoint Protection

Columns: Comodo Dragon Enterprise | Symantec

EPP Capabilities
Signature-based anti-malware protection
Machine learning/algorithmic file analysis on the endpoint
Machine learning for process activity analysis
Process isolation
Memory protection and exploit prevention
Protection Against Undetected Malware
Application whitelisting
Local endpoint sandboxing/endpoint emulation
Script, PE, or fileless malware protection
Integration with on-premises network/cloud sandbox
Real-time IoC search capabilities
Retention period for full access to data: No Limit | 1 month
Endpoint Firewall
FW Learning Mode
Automatically creates network traffic rules
URL Filtering
Host Based IPS
USB device Control
Full Device Control (Device Control based on Device Class product ID, Vendor ID and Device Name)
Agent self-protection/remediation or alerting when there is an attempt to disable, bypass, or uninstall it
Ransomware protection
Protect/block ransomware when "Offline" or "Disconnected" from the internet?
VDI support
Manage, and maintain, an application control database of known "trusted" applications?
Multi-tenant cloud based service
EPP management console available as an on-premises virtual or physical server/application
Consolidated EPP management console to report on, manage, and alert for Windows macOS clients and mobile
Data loss prevention: Requires Additional Product(s)
Mobile Device Management: Requires Additional Product(s)
Mobile Threat Defense: Requires Additional Product(s)
Vulnerability and patch management: Requires Additional Product(s)
Network/Cloud sandboxing: Cloud Sandbox
Security Orchestration, Analysis and Response (SOAR) Integration
Network discovery tool
Remote Access: Requires Additional Product(s)
Remote scripting capabilities: Requires Additional Product(s)
Default Deny & Containment
Default Deny Security with Default Allow Usability
Run unknown files with Auto Containment Protection
Create Virtual environment for any unknowns
Virtualize file system, registry, COM on real endpoints
EDR
Telemetry (observables)
Interprocess Memory Access
Windows/WinEvent Hook
Device Driver Installations
File Access/Modification/Deletion
Registry Access/Modification/Deletion
Network Connection
URL Monitoring
DNS Monitoring
Process Creation
Thread Creation
Inter-Process Communication (Named Pipes, etc.)
Telemetry data itself can be extended in real time
Event chaining and enrichment on the endpoints
Detection/Hunting/Reporting
Adaptive Event Modelling

Behavioral analysis (e.g. analysis over active memory, OS activity, user behavior, process/application behavior, etc.)

Static analysis of files using capabilities such as machine learning (not including signature based malware detection)

Time-series analysis
Integration with automated malware analysis solutions (sandboxing)
Threat Hunting interface or API for searching with YARA/REGEX/ElasticSearch/IOC: Yes | Without YARA (IOC and Regex only)
Support for matching against private IOC
Threat Intelligence integration (TIP, upload, webservice connector, etc.) to enrich and contextualize alerts
Linking telemetry (observable data) to recreate a sequence of events to aid investigation
Process/attack visualization
Incident Response Platform (IRP) or orchestration integration?
Vulnerability reporting (ex. reporting on unpatched CVEs)
Alert prioritization based on confidence, able to define thresholds for alerting.
Alert prioritization factors system criticality
Able to monitor risk exposure across environment organized by logical asset groups
Reporting interface identifies frequent alerts that may be appropriate for automating response
Response
Remote scripting capabilities
Quarantine and removal of files
Kill processes remotely
File retrieval
Network isolation
Filesystem snapshotting
Memory snapshotting
MDR
Managed endpoints
Manage customer endpoints and policies
Incident Investigation & Response
Preemptive containment
Application profiling (AI support)
Customizable policy creation
Central monitoring of all endpoints
Live remote inspection
Tuning of monitoring rules for reduction of false positives
Forensic analysis
Managed network
Cloud-based SIEM and Big Data Analytics
Log data collection/correlation
Threat intelligence integration
Network profiling (AI support)
Available as virtual or physical
Integrated file analysis (cloud sandbox)
Full packet capture
Protocol analyzers for 40+ different protocols such as TCP, UDP, DNS, DHCP, HTTP, HTTPS, NTLM, etc. w/full decoding capability
Managed cloud
Includes ready-to-use cloud application connectors for:
Azure
Google Cloud Platform
Office 365
AWS
Threat detection for cloud applications
Log collection from cloud environments
Generating actionable incident response from cloud application
Threat intelligence and Verdict
Holistic security approach: Combined network, endpoint, cloud
Internal security sensor logs (IOCs)
Expert Human Analysis
ML & Behavioral Analysis and Verdict
Open source threat intelligence feeds
Information sharing with industry
Clean web (phishing sites, keyloggers, spam)
Deep web (C&C servers, TOR browsers, database platform archives—pastebins)
Cyber Adversary Characterization
Security operations center (SOC)
Global, real-time support (24 / 7 /365)
Dedicated cybersecurity expert
Breach (case) management
Security monitoring
Incident analysis
Incident response (handling)
Extensive threat hunting (scenario-based)
Reasons to Switch from Symantec Endpoint Protection to Comodo Dragon Enterprise Platform Right Now
Reason 01
Protection Against Zero-Day Attacks and Unknown Files

Symantec Endpoint Protection’s (SEP) detection capabilities are focused on detection first, and this creates risk for zero-day attacks. Comodo Dragon Enterprise covers the loose ends with containment technology, providing protection against zero-day attacks and unknown files even if you are the patient zero.

Reason 02
Zero-Trust Architecture
Dragon Enterprise delivers zero trust architecture at its core, automatically not trusting unknown files with patented unknown file containment. Dragon Enterprise will run every single unknown file within a low-overhead container and will only let it go live after it is tested and verified within its dynamic and behavioral malware analysis system. Dragon Enterprise’s zero trust analysis system will run every single file within a customer environment through its static and behavioral analysis system and verdict every single file it encounters. This system is the most thorough analysis engine in the world, backed by human analysts.
Reason 03
Symantec Endpoint Protection Misses Fileless Attacks, Behavioral Malware, and More
Symantec Endpoint Protection lacks the ability to utilize behavioral prevention telemetry to detect advanced threats. It uses signature-based detection, based on file system scans, and does not support customizable prevention. SEP frequently misses today’s fileless attacks and behavioral malware.

In addition, SEP does not provide real-time reputation checks, and no automatic action is applied in the event of false positives. SEP also does not provide real-time endpoint data or visibility over endpoint events, so it lacks the ability to query for assessments and audits addressing incident response needs. An additional product, Symantec EDR, is needed to cover those missing points. But even with EDR added, there is no ability to isolate compromised endpoints.

False positives are another shortfall of SEP. Comodo’s Dragon Enterprise Platform has zero false positives with its trust verdict system. Using auto-containment combined with endpoint detection and response (EDR), it generates detections and alarms if, and only if, an unknown process exists within the execution path. Whether it is a script, PE or fileless executable, as soon as any process accesses an unknown executable, all relevant events are recorded in depth until that file has a verdict.

Comprehensive Detection and Response with Comodo Dragon Enterprise Platform

According to a SANS Survey, endpoint protection (EPP) and Endpoint Detection and Response (EDR) detect only 26 percent of initial vectors of an attack.* Due to the high volume of security alerts, and because many alerts are incomplete and lacking context, 54 percent of security professionals ignore alerts that should be investigated.

Reason 04
Comodo’s Dragon Enterprise Platform Does Much More than Just Protecting Endpoints

It is a comprehensive security solution that provides a broader perspective and better context to identify threats more easily and contain them more effectively. It has enterprise-class network traffic analysis that detects suspicious behaviors, prioritizes investigations into the highest-risk threats with automated response, captures all network traffic, generates extensive metadata for all important network protocols, and then sends this data to the cloud to enrich it and correlate it with endpoint sensor data. Sensing only through the endpoints (SEP limits its sensing to the endpoints rather than the full network) will not reveal hybrid attack surfaces. Comodo Dragon Enterprise Platform gives the perspective needed to understand the hybrid attack surface from the inside out. It enables finding rogue devices and reports back any attack vector based on those otherwise undetectable devices.

Reason 05
Comodo Dragon Enterprise Platform Offers Next-Gen AV, EDR, Device Control, ITSM, RMM, Patch and Vulnerability Management Through a Single Pane of Glass

Comodo delivers everything needed to activate breach protection immediately: network and endpoint discovery, device management, vulnerability scanning, patch management, endpoint protection, endpoint detection and response, network and cloud detection and response, and managed threat hunting/managed detection and response.

With Symantec on the other hand, you need to buy Symantec EPM: Endpoint Management, Symantec Endpoint Protection, SEP Cloud, Symantec EDR, and that only covers part of what is available with Dragon Enterprise Platform. With Symantec, you need to deploy all those agents and manage them separately from different portals.

Dragon Enterprise Platform gives complete visibility and provides one console with one source of management that simplifies the steps to achieving a full understanding of the attack vector, its impact and how to remediate. You’ll not only get unique patented protection that’s proven to stop malware — you’ll also receive integrated threat intelligence and managed response. And it’s all delivered via a single lightweight agent and management portal.

Reason 06
Ransomware Protection: Only Comodo Can Prevent Ransomware Damage by Virtualizing "Write Privilege to Hard Drive"

Ransomware is an emerging threat targeting organizations across all industries. The impact of a successful ransomware attack is critical and includes the loss of access to data and systems, and operational downtime. Most of the time, if a 3-2-1 backup rule is not followed (meaning keep at least three (3) copies of your data, store two (2) backup copies on different storage media, with one (1) of them located offsite), the damage of a ransomware attack is devastating and irreversible.

Ransomware is commonly deployed across an environment in two ways:

The first way is through manual propagation by a threat actor after they’ve penetrated an environment and have administrator-level privileges broadly across the environment, or automated propagation with either credential or Windows token extraction from disk or memory. The second method is by leveraging methods such as Windows Management Instrumentation (WMI), SMB, or PsExec.

Modern ransomware attempts to thwart security controls by signing the ransomware with an Authenticode certificate, which is widely available for purchase or can be easily stolen. This minimizes detection by anti-malware or anti-ransomware defenses because most traditional endpoint protection solutions, including SEP, depend on signatures as well as code-signing. This means SEP may trust malicious code and will not scan the code itself.

Although it is a lot easier to change a malware’s appearance (obfuscate its code) than it is to change its purpose or behavior, all ransomware uses file encryption to overwrite the original files, which can only be reverted if the ransom is paid to get the decryption keys back from the attacker. Comodo invented run-time automatic threat containment that virtualizes all persistent changes from the steady state (safe state) of running applications, that is, write operations to the registry, file system and COM interfaces. So even if the malicious software hides itself and cannot be detected, when it tries to overwrite the original files, all it can write to is the virtual file system, not the real file system. When code execution finishes, the virtual file system is destroyed, so there is no need to revert changes as some other protection solutions do.
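To illustrate the copy-on-write idea behind the virtualized file system described above, here is an added Python simulation that is not Comodo's code and models only the file-system part (not registry or COM): an unknown process's overwrites land in a scratch overlay that is discarded afterwards, so the real documents are never touched. The sample documents and the XOR "encryption" standing in for ransomware are constructed for illustration.

```python
import shutil
import tempfile
from pathlib import Path

class ContainedFileSystem:
    """Copy-on-write overlay: a contained process's writes land in a scratch
    directory; the real tree is only ever read, never written."""
    def __init__(self, real_root):
        self.real_root = Path(real_root)
        self.overlay = Path(tempfile.mkdtemp(prefix="containment-"))

    def read(self, name):
        # The contained process sees its own earlier writes first, then the real file
        virt = self.overlay / name
        return (virt if virt.exists() else self.real_root / name).read_bytes()

    def write(self, name, data):
        (self.overlay / name).write_bytes(data)

    def discard(self):
        # Execution finished: throw the overlay away instead of reverting anything
        shutil.rmtree(self.overlay, ignore_errors=True)

def simulate_ransomware(fs, names):
    """Toy 'encryption' (XOR) standing in for an unknown file overwriting documents."""
    for name in names:
        fs.write(name, bytes(b ^ 0x5A for b in fs.read(name)))

def run_contained(real_root, names):
    """Run the overwrite inside the overlay; report what it saw vs. what is on disk."""
    fs = ContainedFileSystem(real_root)
    try:
        simulate_ransomware(fs, names)
        seen_inside = {n: fs.read(n) for n in names}
    finally:
        fs.discard()
    on_disk = {n: (Path(real_root) / n).read_bytes() for n in names}
    return seen_inside, on_disk

def demo():
    # Constructed sample documents, written to a throwaway directory
    root = Path(tempfile.mkdtemp(prefix="docs-"))
    original = {"report.docx": b"quarterly numbers", "notes.txt": b"meeting notes"}
    for n, d in original.items():
        (root / n).write_bytes(d)
    seen_inside, on_disk = run_contained(root, list(original))
    shutil.rmtree(root, ignore_errors=True)
    return original, seen_inside, on_disk
```

Inside the overlay the process believes its overwrite succeeded, while the files on disk are byte-for-byte what they were before it ran.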

Symantec, along with other endpoint protection solutions, can never offer protection from ransomware, because it’s not baked into its core technology.

Reason 07
Full Operational 24×7 SOC Service with Managed Detection and Response (MDR)

Comodo’s Dragon Enterprise Platform comes with a fully operational 24×7 SOC service to monitor and alert, with a Managed Detection and Response (MDR) component that is an integrated suite of managed detection and response technologies offered as a combined turnkey service for advanced cybersecurity. Our customers leverage a combination of Comodo technologies deployed at the host and network layers, advanced analytics, threat intelligence, and human expertise in incident investigation and response.

If the automated response systems miss a threat, or the customer does not have enough security expertise to operate the platform, our threat hunting support teams provide response guidelines when malicious activity is discovered.

Comodo MDR incorporates artificial intelligence capabilities with a semi-supervised artificial intelligence engine that learns from the activities and operations of Comodo’s cybersecurity experts, accelerating the detection of and response to new threats. Human security analyst decisions are fed into the AI engine, which yields better accuracy.

MDR allows security analysts to hunt for threats throughout the environment to show full attack chain threat hunting with the help of data visualization and analysis, statistical correlations, data pivoting, and other tools.

MDR collects numerous security datasets (from network, endpoints, cloud, and applications) to investigate. The many data inputs help to normalize and analyze many sources for a more complete, timely, and accurate picture. Faster response translates to reducing an adversary’s dwell time.

Symantec’s Managed Endpoint Detection and Response (MEDR) provides managed threat hunting and continuous monitoring using their endpoint solutions, however their service offering only covers the endpoints. Comodo’s MDR service collects and hunts from network, endpoint, cloud and applications.

In addition, Symantec’s cyber security services business was sold to Accenture after Symantec was acquired by Broadcom. This includes global threat monitoring and analysis via a network of security operation centers, threat intelligence, and incident response services. So, it is a big question whether Symantec will continue to provide such services.

*Endpoint Protection and Response: A SANS Survey Analyst Paper by Lee Neely – June 12, 2018
