EDR Platform Comparison
Take a look at the CDC-ON® response to the rest of the EDR/XDR competition, including multiple market leaders.
CDC-ON®'s Response to Market Leaders
| Market Leader 1 | Market Leader 2 | CDC-ON® for MSSPs: you name it, we will get it for you |
|---|---|---|
| **Freedom to Choose vs. One Size Fits All** | | |
| Customizable without the cost: multi-site, multi-level architecture tailored to your org structure with no extra charge | Flexibility that costs a fortune: flat, limited tenancy with additional costs for limited customisation | Customizable at code level to suit the MSSP's business goals |
| Easy to learn, easy to become an expert: manage your operations from one intuitive console | A laborious learning curve: requires navigation between Market Leader 2-native and Splunk-powered technology | No learning curve |
| Cloud-native, with options for more: cloud-first SaaS, hybrid, and on-prem deployment and management available | Confined to cloud-only | The MSSP decides the architecture, implementation, and delivery modes based on their business needs |
| **Time is Money: Faster, Better, Smarter Than Humans Alone** | | |
| The simplicity of Storyline™: automatic correlation of benign and malicious telemetry; events are mapped to MITRE for faster investigation and response | Less signal, more noise: "continuous, comprehensive recording" translates to manual parsing, prioritization, and correlation of telemetry, especially challenging across reboots | CDC-ON® SOAR: automatic correlation of benign and malicious telemetry; events are mapped to MITRE and/or to other tactics of the MSSP's choice for faster investigation and response |
| Real-time reconstruction: machine-powered attack reconstruction generates focused, contextualized alerts for faster MTTR | Human-powered, human-limited: delayed, manual analysis introduces greater risk exposure | CDC-ON® focuses on the shortest possible dwell time between attacks and the fastest MTTR |
| Fully automated recovery: patented automatic and 1-click remediation and rollback | Rudimentary remediation: implemented through API and custom code | Single-click remediation, or map the remediation to the client's change management process |
| **Confidence and Continuity in the Cloud** | | |
| Scalable and sustainable: runtime protection for containers, 10 Linux distributions | Limited in Linux: reduced feature support for 7 Linux distros and containers | Containerized architecture, all Linux distributions, or a custom build for the MSSP |
| Control and confidence: no DevOps or performance impact; scheduling and maintenance window support available | Unplanned updates: OS kernel module dependencies may cause forced updates; no maintenance window controls | No performance degradation; quad-server architecture and containers allow live updates with minimal maintenance windows |
| **EDR That Over-delivers, Not Overwrites** | | |
| 365 days: malicious incident details | 180 days: malicious incident details | Limitation is determined by the MSSP, not the product |
| 14 days: EDR data handles attacks like SUNBURST, upgradable to 365 days | 7 days: EDR data misses attacks like SUNBURST, overwrites data every 7 days; high comparative cost to upgrade beyond 7 | Limitation is determined by the MSSP, not the product |
| The data you need, on demand: cloud data lake streams in real time | Delays for data: data lake streaming takes hours or longer | Real-time data availability |
| **Where You're a Name, Not a Number** | | |
| No security team left behind: Vigilance Respond and Respond Pro MDR offer accessible options for incident-driven triage, digital forensics, incident response, and threat resolution as needed for your organization | Premium prices for standard services: comparable capabilities require OverWatch Elite or Falcon Complete (Market Leader 2's highest-tier offerings) | Fully customizable as per the MSSP's needs |
| Actionable hunting and intelligence: WatchTower threat hunting service comes standard with Vigilance offerings | Overpromised, under-delivered: Falcon OverWatch costs a premium for correlation-based services | Under-promise and over-deliver: your pie in the sky is what we want to deliver |
| Fastest MDR on the planet: SOC expertise powered by platform automation | MDR at human speed: only responds as quickly as its analysts, even with Falcon Complete | Humans are still needed: fastest automated response and/or human-automated hybrid mode |
| **Ready. Real-time. Record-breaking.** | | |
| Quick and customizable (STAR, MITRE): rules and policy updates are active and instantly responsive upon deployment to agents | Lags and limitations: behavioral rule, custom IOA, and policy changes can take up to 40 minutes to take effect, extending an attack's lifespan and cost | Instantaneous, customizable |
| Richer context, fewer alerts: the most analytic detections in the MITRE ATT&CK Evaluation 3 years running; Singularity automatically consolidated 109 attack steps into just 9 alerts | Manual and maintenance-heavy: a third as many analytic detections, despite all of the continuous tuning and manual correlation and analysis | Automated and hybrid mode |
| Unparalleled visibility: works out of the box, achieved record-breaking results in the ATT&CK evaluation with the highest analytic coverage | Middle-of-the-road: 86% visibility with 17 missed detections, delays, and configuration changes, with analytic detections for only 94 of 109 sub-steps | Full range of visibility combining the strengths of both Market Leader 1 and CrowdStrike |
| **Discovery as Dynamic as Your Attack Surface** | | |
| Passive and active: network discovery, fingerprinting, and suspicious device blocking | Passive-only: rudimentary network discovery | Combines all the strengths of these competing products and is also the only product in the market that allows code-level customization to meet the MSSP's business needs |
| Full functionality, one price: unlimited Device Control and Firewall Control, no fine print | Multiple modules, multiple costs: complicated licensing for rudimentary capabilities | |
| Enterprise-ready: broad OS support for Firewall Control and USB and Bluetooth Device Control, no reboot needed | A minimally viable product: Windows-only Device and Firewall Control for USB (no Bluetooth), requires reboot to activate | |
| Capability | Market Leader 1 | Market Leader 2 | CDC-ON® |
|---|---|---|---|
| EDR | Partial visibility: focused on process, file, network and user events | Full visibility: continuous, comprehensive recording captures raw events and related information that provides needed context, critical for hunting and investigations | Full visibility and highly customizable; can go to the process, file and network level as well |
| Deployment | Reboot required: requires endpoint downtime and restart for installation | Immediately operational: deploys in minutes and is immediately operational, no reboot required | Instantaneous deployment; the client can choose any deployment strategy |
| Proactive threat hunting | Alert monitoring, triage and investigation: performs alert monitoring, triage and investigation on detected threats, not proactive threat hunting | 24/7 proactive hunting: elite team of experts proactively hunt, investigate and advise on threat activity | 24/7 full support available, including L1/L2 analysts to augment the MSSP's teams during graveyard shifts, holidays and weekends |
| Threat intelligence | File reputation: threat intelligence is limited to file-hash reputation | Integrated intel: alerts are automatically enriched with Market Leader 2 threat intelligence, including actor attribution, sandbox analysis and malware search for the threat and all known variants | Combines the strengths of both Market Leader 1 and Market Leader 2 |
| Managed services | Alert monitoring, triage and investigation: performs alert monitoring, triage and investigation on detected threats, not a full, end-to-end managed service | Fully managed endpoint protection: a team of experts handles all aspects of endpoint security, from deployment, configuration, maintenance and monitoring to alert handling, incident response and remediation | CDC-ON® is built by a Master MSSP for MSSPs |
Unique for CDC-ON®
Build Your Own SIEM-EDR Platform
1. Zero learning curve
2. Advanced machine learning
3. Zero Trust
4. Highly scalable
5. A comprehensive solution
6. Fully customizable: build your own niche custom SOC service with:
   - CDC-ON® PLATFORM: integrates with or replaces any SIEM, EDR, XDR or antivirus, providing a full-service SOC platform custom built for your business.
   - CDC-ON® PEOPLE: CDC-trained SOC L1/L2 analyst FTEs can support the client SOC on any industry-standard third-party platform, or on the custom-built CDC-ON® platform. They can cover all shift options, including holidays and weekends.
   - CDC-ON® PROCESS: supports industry-standard process frameworks and regulations (MITRE, NIST, ISO 27001, ISA 62443, IEC 61850, PLC Modbus, HIPAA, SOX), integrated with the CDC-ON® SOC process.
7. Code-level customisation: bespoke platform build, custom modules and features
8. Code/API-level integration with any platform, including Splunk, AlienVault, LogRhythm, QRadar, Bitdefender, SentinelOne, Carbon Black, etc., or SOC support on the custom-built CDC-ON® platform.
MSSPs:
Custom build your service: you can add your needs to this list, and we will build it for you.
1. Signature-based anti-malware protection
2. Machine learning/algorithmic file analysis on the endpoint
3. Machine learning for process activity analysis
4. Process isolation
5. Memory protection and exploit prevention
6. Protection against undetected malware
7. Application whitelisting
8. Local endpoint sandboxing/endpoint emulation
9. Script, PE, or fileless malware protection
10. Integration with on-premises network/cloud sandbox
11. Real-time IoC search capabilities
12. Retention period for full access to data
13. Endpoint firewall
14. Firewall learning mode
15. Automatically creates network traffic rules
16. URL filtering
17. Host-based IPS
18. USB device control
19. Full device control (device control based on device class, product ID, vendor ID and device name)
20. Agent self-protection/remediation, or alerting when there is an attempt to disable, bypass, or uninstall it
21. Ransomware protection
22. Protect against/block ransomware
23. VDI support
24. Manage and maintain an application control database of known trusted applications
25. Multi-tenant cloud-based service
26. EPP management console available as an on-premises virtual or physical server/application
27. Consolidated EPP management console to report on, manage, and alert for Windows, macOS and mobile clients
28. Data loss prevention
29. Mobile device management
30. Mobile threat defense
31. Vulnerability and patch management
32. Network/cloud sandboxing
33. Security Orchestration, Automation and Response (SOAR) integration
34. Network discovery tool
35. Remote access
36. Remote scripting capabilities
37. Default-deny security with default-allow usability
38. Run unknown files with auto-containment protection
39. Create a virtual environment for any unknowns
40. Virtualize file system, registry and COM on real endpoints
41. Inter-process memory access
42. Windows/WinEvent hooks
43. Device driver installations
44. File access/modification/deletion
45. Registry access/modification/deletion
46. Network connection
47. URL monitoring
48. DNS monitoring
49. Process creation
50. Thread creation
51. Inter-process communication (named pipes, etc.)
52. Telemetry data itself can be extended in real time
53. Event chaining and enrichment on the endpoints
54. Adaptive event modelling
55. Behavioral analysis (e.g. analysis over active memory, OS activity, user behavior, process/application behavior, etc.)
56. Static analysis of files using capabilities such as machine learning (not including signature-based malware detection)
57. Time-series analysis
58. Integration with automated malware analysis solutions (sandboxing)
59. Threat hunting interface or API for searching with YARA/regex/Elasticsearch/IOC
60. Support for matching against private IOCs
61. Threat intelligence integration
62. Linking telemetry (observable data) to recreate a sequence of events to aid investigation
63. Process/attack visualization
64. Incident response platform or orchestration integration
65. Vulnerability reporting (e.g. reporting on unpatched CVEs)
66. Alert prioritization based on confidence, with the ability to define thresholds for alerting
67. Alert prioritization that factors in system criticality
68. Ability to monitor risk exposure across the environment, organized by logical asset groups
69. Reporting interface that identifies frequent alerts that may be appropriate for automating response
70. Remote scripting capabilities
71. Quarantine and removal of files
72. Kill processes remotely
73. File retrieval
74. Network isolation
75. Filesystem snapshotting
76. Memory snapshotting
77. Manage customer endpoints and policies
78. Incident investigation and response
79. Preemptive containment
80. Application profiling (AI support)
81. Customizable policy creation
82. Central monitoring of all endpoints
83. Live remote inspection
84. Tuning of monitoring rules for reduction of false positives
85. Forensic analysis
86. Cloud-based SIEM and big data analytics
87. Log data collection/correlation
88. Threat intelligence integration
89. Network profiling (AI support)
90. Available as virtual or physical
91. Integrated file analysis (cloud sandbox)
92. Full packet capture
93. Protocol analyzers for numerous protocols such as TCP, UDP, DNS, DHCP, HTTP, HTTPS, NTLM, etc., with full decoding capability
94. Includes ready-to-use cloud application connectors for:
95. Azure
96. Google Cloud Platform
97. Office 365
98. AWS
99. Threat detection for cloud applications
100. Log collection from cloud environments
101. Generating actionable incident response from cloud applications
102. Holistic security approach: combined network, endpoint and cloud
103. Internal security sensor logs (IOCs)
104. Expert human analysis
105. ML and behavioral analysis
106. Open-source threat intelligence feeds
107. Information sharing with industry
108. Clean web (phishing sites, keyloggers, spam)
109. Deep web (C&C servers, TOR browsers, database platform archives, pastebins)
110. Cyber adversary characterization
111. Security operations center (SOC), ISO 27001 certified
112. Dedicated cybersecurity expert and L1/2/3 resources
113. Security monitoring
114. Incident analysis
115. Incident response (handling)
116. Extensive threat hunting (scenario-based)