Endgame is marketed as an endpoint protection platform that prevents, detects, responds to, and hunts for targeted attacks before damage and loss occur. Endgame uses a single-agent protection technology that operates on the endpoint at the hardware and kernel level to prevent targeted attacks. Endgame has built in multiple exclusive features.
The Endgame Resolver provides real-time data collection and analysis of file, registry, user, process, network, NetFlow, and DNS data to visually render the origin, extent, and timeline of an attack. Endgame Arbiter automates advanced attack analysis to determine file reputation and attack type, and it extracts IOCs to reveal previously unknown threats across the entire enterprise. Endgame also has an AI security mentor called Endgame Artemis that uses natural language understanding to automate attack triage and empower analysts.
When deploying the sensor to your endpoints, you have two options, which Endgame refers to as in-band and out-of-band deployments. In-band deployments are compatible only with Windows, not Linux; you install the sensor directly from the Endgame platform. Out-of-band deployments are where you install the sensor on the endpoint yourself, a process that consists of running an executable file using popular asset management tools. The documentation provides instructions on how to do this, and it should be relatively easy provided one has experience using asset management tools. Most users will likely purchase the Endgame platform, from which sensors can be pushed out. We were a bit surprised to find ourselves using an asset management tool to install the sensor, which is the opposite of simply clicking on an executable file to install.
After setting up the sensor and running testing procedures, we asked a few questions. The Artemis query is a formulated search that enables you to search historical event data. Some of the searchable data in these event types are hashes, process IDs, IP addresses, ports, the amount of data transmitted or received in a network connection, filenames, and even the dates and times at which a user logged on to or off of an endpoint. This is extremely useful, as it considerably cuts down an administrator's time.
The management console is minimalistic and clean, which we always like to see. The initial landing page takes you to a dashboard that displays high-level information: top alerts, consisting of exploit, malware, and fileless alerts, as well as the status of endpoints. From the dashboard, you can navigate to and drill down on other sections, such as endpoints and alerts.
Basic support is offered at no cost, and advanced support is offered with 8x5 or 24x7 email and phone support. Premium support is offered at an additional fee of $1.30 per endpoint annually. Endgame also offers an FAQ list and an extremely useful knowledge base.
- Matthew Hreben
Tested by: Matthew Hreben