Peter Stephenson, technology editor, SC Media

Wow! Does this group look different from the past. In prior years, we got used to seeing a combination of features on endpoint security products. In fact, they started to get a bit boring with the same old functionality year after year. Traditionally, we saw DLP, access control and anti-malware as the core pieces. We also saw host-based intrusion detection (HIDS), firewall and patch management in the mix from time to time. Every product that we saw claimed to do all of these things and, we found, for better or worse, too often, worse. That was not the story this year.

This year we saw an interesting mix of functions. Instead of having the firewall or HIDS as the staple offering, with other roles added on, everything we saw was built on anti-malware. After that we saw a mix ranging from eclectic functionality (as we have seen in the past) to very specialized capability. At the core, though, we saw heavy use of AI and machine learning as well as some of the most sophisticated policy engines we've seen in a long time.

Boring? Not a bit this year. These were among the most fascinating tools we've seen during this year's review cycle. With this level of product complexity, though, our old irritation at products that were not ready for prime time with inadequate documentation raised its ugly head. This leads to a suggestion, even at this early stage of our reviews this month: If the vendor offers an onsite engineer to help you deploy, take them up on it. 

What the vendor is saying, based on our experience over the past few Group Tests, is that these techies are the only ones who can make the product work. We found good products universally – once deployed – that we could not install. Usually, along with that, the documentation did not agree with reality. And, in at least one case, during a screen-sharing session, the vendor could not get the product to install. We had to drop four products from the Group Test this year simply because we could not get them to work.

While we did have two hardware appliances, the state of the practice today is either virtual appliances or software that you can install. That usually will mean installing in a virtual environment, but it does not need to. The rest of our products were, in one form or another, software. One vendor even went to the trouble of sending us a physical device with an entire test bed pre-installed. That allowed us to spend more time testing the functionality of the tool set.

Overall, we found these tools an interesting and refreshingly new approach to endpoint security. One thing that came through to us quite clearly is that while endpoint certainly is critically important to the security of the enterprise, tight integration with a total security platform that includes perimeter security is a very good thing. We also began to see the value of cloud-based computing in a product group that, traditionally, has done its computations at the endpoint itself.