arthead -


EDR tools for Windows Server compared

Windows Server 2022 comes with native security technologies to protect the enterprise. But endpoint detection and response tools can be worth the price of admission.

Endpoint detection and response products are a step up from the antivirus products of old, using automation and machine learning to combat emerging threats.

Enterprises that rely on Windows Server will want to enlist multiple layers of protection to keep critical workloads from being overtaken by bad actors. In addition to malware safeguards, many endpoint protection and response (EDR) tools have other features, such as data analytics, to identify suspicious behavior. Others will go even further and provide administrators with automated remediations.

EDR and Windows Server 2022

Although EDR tools can significantly improve an organization's security, you will not find true EDR capabilities baked into the Windows Server 2022 operating system.

This is not to say that Windows Server is lacking when it comes to EDR-like capabilities. For example, nearly all EDR offerings have malware and attack prevention capabilities. Windows Server 2022 includes virus and threat protection with Microsoft Defender Antivirus, formerly known as Windows Defender. These native anti-malware capabilities are like those found in Windows 10 and Windows 11.

Windows Server 2022 security features
Windows Server 2022 includes a built-in virus and threat protection feature.

In addition to basic malware protection, Windows Server 2022 also offers firmware protection on secured-core servers. Most antivirus products cannot scan a server's firmware for signs of tampering, but Microsoft gives administrators another layer of security protection with this native feature.

Additionally, Windows Server 2022 supports virtualization-based protection of code integrity, which prevents unauthorized modifications to the Control Flow Guard. That protects systems from memory corruption vulnerabilities while also shielding the Credential Guard feature.

Most EDR products include an endpoint firewall. Windows Server 2022 includes the Windows Defender Firewall, which is like the basic firewall included with desktop versions of Windows.

While Windows Server 2022 includes some features used in EDR offerings, they are not comprehensive. The best option for organizations that need EDR capabilities is to invest in a separate product that augments native security features in Windows Server 2022.

Microsoft Defender for Endpoint

Although Windows Server's native antimalware capabilities are limited, Microsoft has a more expansive feature set in its Microsoft Defender for Endpoint product.

Microsoft sells two versions of Microsoft Defender for Endpoint. The company bundles Microsoft Defender for Endpoint P1 with Microsoft 365 E3 subscriptions. It includes Microsoft's next generation antimalware software, an endpoint firewall, category-based web filtering and device-based conditional access policies. Microsoft Defender for Endpoint P1 adds other features as well, including controlled folder access, device control (such as USB device protection), attack surface reduction rules and application control.

Microsoft Defender for Endpoint P2 comes bundled with Microsoft 365 E5 subscriptions. It includes all the features found in Microsoft Defender for Endpoint P1 but adds more capabilities, such as endpoint detection and response, and automated investigation and remediation. Microsoft Defender for Endpoint P2 also features threat analytics and a sandboxed environment for deep analysis. Microsoft Defender for Endpoint P2 is more of a true EDR product than its P1 counterpart.

Microsoft offers a free trial of Defender for Endpoint.

VMware Carbon Black EDR

VMWare's Carbon Black EDR, which was previously owned by Bit9, offers a multifaceted approach to endpoint protection.

Like other EDR tools, malware protection is one of Carbon Black's core competencies. Rather than relying solely on signature-based detection, Carbon Black checks for attack patterns. This helps it find incidents from traditional and fileless malware. Carbon Black does not focus solely on malware, instead giving administrators a way to audit endpoint devices in real time and remediate any security deficiencies it detects.

VMware provides a free hands-on lab for enterprises interested in trying Carbon Black.

Falcon by CrowdStrike

CrowdStrike's Falcon platform addresses a wide variety of threats in the cloud and across the enterprise. EDR capabilities are only a small part of the larger Falcon platform and are integrated into Falcon Endpoint Protection Enterprise

Falcon Endpoint Protection Enterprise acts as a replacement for traditional antivirus but uncovers all manner of attacks, not just those tied to a malware infection. Falcon Endpoint Protection Enterprise uses machine learning-based threat analytics to detect threats in real time. The software works to remediate and assist with incident investigations. In addition to blocking attacks, Falcon Endpoint Protection Enterprise attempts to do cleanup work and undo registry changes and files left behind by the malware.

CrowdStrike offers a free trial of its Falcon platform.

Singularity platform by SentinelOne

SentinelOne's Singularity for Endpoint acts as a comprehensive enterprise security platform. The main selling point behind the Singularity product is that it functions autonomously, detecting and defending against attacks faster than a human could.

Like other third-party EDR tools, the Endpoint Protection Platform uses machine learning for its attack-detection capabilities rather than relying on a signature database. When it finds a threat, the software pieces together the steps of the attack into a storyline, reconstructing the entire attack from beginning to end. Additionally, endpoints affected by an attack can be remediated with a single click.

You can request a demo at the SentinelOne website.

Next Steps

The reality behind bypassing EDR attempts

Dig Deeper on IT operations and infrastructure management

Cloud Computing
Enterprise Desktop
Virtual Desktop