McAfee holds the number three slot in the world's endpoint security market, with a little over 13 percent of market share. The two market leaders, Symantec and Trend Micro, have roughly 20 percent of the market each. That gap will be difficult for McAfee to close. CrowdStrike isn't even in the top ten, so its chances of market dominance are slight.

Market share, however, is often more a function of a large marketing budget than of a good product. McAfee Endpoint Security and CrowdStrike Falcon aren't the biggest endpoint protection systems, but they could be among the best. Let's investigate.

McAfee Endpoint Security

McAfee was one of the first companies in the USA to produce antivirus software. The company started up in 1987, was a division of chipmaker Intel from 2011 until it was spun off as an independent company in 2017, and the reputation of its antivirus software won it customers in both the home and business markets.

McAfee's star product was VirusScan, first released in 1988. The cybersecurity industry has changed almost beyond recognition in the past decade, and a traditional signature-based AV product on its own is no longer regarded as adequate protection. The company had to retool and overhaul its computer security software, and the result is McAfee Endpoint Security (ENS). This framework solution succeeds the company's VirusScan Enterprise product and adds further protection measures that expand its capabilities beyond the original focus on malware detection.

Other McAfee products that have been replaced by Endpoint Security include McAfee SiteAdvisor and McAfee Host Intrusion Prevention. The functionality of these deprecated products has been bundled into McAfee Endpoint Security and improved.

The McAfee approach to endpoint security starts from the company's traditional target, malware. However, the old method of matching files against a signature list compiled by a research lab is no longer the main line of defense. Like many endpoint protection systems, the McAfee solution applies machine learning techniques to what it observes on the endpoint.

The system first learns what regular activity on the endpoint looks like and then keeps tracking processes to spot deviations from that baseline. Real-time scanning of the kind the old AV performed is still there, and the endpoint security bundle also includes a firewall. However, the strategy of looking for anomalous behavior has a better chance of defending against new attacks than the old system of relying solely on a threat database distributed from a research lab: a repacked or never-before-seen sample has no signature, but it still has to behave like malware to do damage.
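To make the distinction concrete, here is a small added illustration (not McAfee's code or any product's detection logic) of why behavioral rules catch what a signature list misses. The telemetry, the file hashes and the "known bad" list are all constructed for this example; the behavioral rule flags any process that rewrites several files across several user directories within a short window, which is the pattern a ransomware encryptor produces, while the signature rule only fires on a hash it has already seen.

```python
"""Signature matching versus behavioural detection: a constructed toy example."""
import hashlib
from collections import defaultdict


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed "research lab" signature database: hashes of binaries already known.
OLD_VARIANT = sha256_hex(b"ransomware-sample-v1")          # on the list
NEW_VARIANT = sha256_hex(b"ransomware-sample-v2-repacked")  # same behaviour, new hash
BACKUP_TOOL = sha256_hex(b"legitimate-backup-tool")        # benign, writes many files
KNOWN_BAD_HASHES = {OLD_VARIANT}

# Constructed endpoint telemetry: (timestamp_s, pid, image_sha256, action, path).
USER_DIRS = ["Documents", "Pictures", "Desktop"]
EVENTS = []
for i in range(6):   # pid 101: known sample, encrypts files quickly across directories
    EVENTS.append((100.0 + i * 0.2, 101, OLD_VARIANT, "file_write",
                   f"C:\\Users\\a\\{USER_DIRS[i % 3]}\\file{i}.docx.locked"))
for i in range(6):   # pid 202: unknown repack of the same family, same behaviour
    EVENTS.append((200.0 + i * 0.3, 202, NEW_VARIANT, "file_write",
                   f"C:\\Users\\a\\{USER_DIRS[i % 3]}\\img{i}.jpg.locked"))
for i in range(6):   # pid 303: backup tool, many writes but one directory, slow pace
    EVENTS.append((300.0 + i * 30.0, 303, BACKUP_TOOL, "file_write",
                   f"D:\\Backups\\file{i}.docx.bak"))


def parent_dir(path: str) -> str:
    """Directory part of a Windows or POSIX path (toy helper, no os.path on purpose)."""
    return path.replace("\\", "/").rsplit("/", 1)[0]


def signature_hits(events):
    """Signature approach: a process is bad only if its binary hash is already listed."""
    return sorted({pid for _, pid, h, _, _ in events if h in KNOWN_BAD_HASHES})


def behavioural_hits(events, min_files=5, min_dirs=3, window_s=10.0):
    """Behavioural approach: flag a process that writes at least `min_files` files
    spanning at least `min_dirs` directories inside any `window_s`-second window,
    regardless of what binary it is. Thresholds are assumptions for the toy."""
    writes = defaultdict(list)                      # pid -> [(ts, dir), ...]
    for ts, pid, _, action, path in events:
        if action == "file_write":
            writes[pid].append((ts, parent_dir(path)))
    flagged = set()
    for pid, items in writes.items():
        items.sort()
        start = 0
        for end in range(len(items)):               # sliding time window
            while items[end][0] - items[start][0] > window_s:
                start += 1
            window = items[start:end + 1]
            if len(window) >= min_files and len({d for _, d in window}) >= min_dirs:
                flagged.add(pid)
                break
    return sorted(flagged)


def compare(events=EVENTS):
    """Return both verdicts so the gap between the two approaches is visible."""
    return {"signature": signature_hits(events), "behavioural": behavioural_hits(events)}


if __name__ == "__main__":
    print(compare())
```

The known sample (pid 101) is caught both ways; the repacked variant (pid 202) has no signature and is caught only by the behavioral rule; the backup tool (pid 303) writes just as many files but to one directory at a slow pace, so neither rule fires. Tuning `min_files`, `min_dirs` and `window_s` is exactly the false-positive versus detection-speed trade-off a vendor's machine-learning models are making at scale.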

McAfee Endpoint Security uses application containment to run suspicious programs with restricted permissions while it assesses them, and it records rollback points on the computer so that changes made by malicious activity can be reversed. This strategy is particularly aimed at blocking ransomware, remote access Trojans, and other damaging software. Security checks extend to inbound web traffic and to the code that gets loaded into the browsers running on the protected endpoint.

Threat remediation can be performed automatically, or the security software can be set to raise an alert instead. The second mode leaves the administrator to decide which action the software should take to resolve the issue.

Each instance of the McAfee Endpoint Security software reports the attacks it encounters and the remedies it applied to a cloud-based remediation library. If the software has difficulty removing a piece of malware, it consults that library of strategies, and if it defeats the malware it makes the solution available to other instances running around the world. So, all installations of McAfee Endpoint Security contribute to shared threat intelligence.

The control console for the endpoint protection software is available on the protected device, on a central server on-premises, or a SaaS utility on the McAfee cloud servers. Business users can opt to control all installed instances of the protection software from one console. This centralized control makes it easier to identify lateral attacks across the organization.

Up to this point, the McAfee software sounds as though it is focused only on detecting and stopping malware. Given the company's antimalware roots, that focus is understandable. However, in order to fully defend endpoints, today's security software also needs to identify and block hands-on intrusions in which an attacker gains a foothold and then occupies the organization's endpoints for a long period. These campaigns are the work of "advanced persistent threats" (APTs), and McAfee Endpoint Security includes modules that scan for such activity.

The Endpoint Security package includes a host firewall. It detects and logs attempts to access the endpoint and blocks unwanted inbound connections and known-bad traffic, such as communication with botnet infrastructure. The Endpoint Security suite coordinates with other McAfee infrastructure security products through a central management platform called ePolicy Orchestrator (McAfee ePO).

The endpoint agent for McAfee Endpoint Security can be installed on Windows, macOS, and Linux. The controlling console, McAfee ePolicy Orchestrator, runs as a server on Windows Server or as a cloud-hosted service, and it can monitor and manage endpoints across all three operating systems from one place.

The shift over to a full endpoint protection framework by McAfee is recent. The company achieved its large market share in the endpoint protection software field on the strength of its VirusScan product alone. The expansion of the system to integrate other products, especially the company's host-based intrusion prevention system, shows a concerted effort by McAfee to move its market share from 13 percent up to the 20 percent enjoyed by Trend Micro and Symantec. Both of those more successful rivals include APT protection as well as defenses against malware.

CrowdStrike Falcon

CrowdStrike started out as a cybersecurity consultancy. Its business lay in hiring out security specialists to organizations that were under attack. The company's specialists would clean up the compromised systems and leave them stronger and better able to defend themselves in the future.

The Falcon tool grew out of that initial consultancy business, first as a set of tools the consultants used to harden client systems and then as a stand-alone automated product, first released in 2013. CrowdStrike still operates its consultancy arm and bundles those human services with many of its software products.

The Falcon product is a security framework. Businesses buy a set of modules, which are bundled by CrowdStrike into editions. The highest package is called Falcon Complete. This is a fully managed security service that combines the services of software and staff. This is like having the CrowdStrike cybersecurity consultancy team permanently on call.

That consultancy has input into a number of the modules offered as part of the Falcon editions. The modules marketed as part of the endpoint protection platform (EPP) include Falcon OverWatch, which gives the client the attention of the human threat-hunting team to identify advanced persistent threats and other complex attack strategies that automated tooling might miss.

Falcon OverWatch is not included in the entry-level edition of CrowdStrike Falcon; it comes with Falcon Enterprise, Falcon Premium, and Falcon Complete. The full menu of editions is:

Falcon Pro – Next-gen AV, firewall, and threat intelligence. Includes Falcon Prevent and Falcon X.

Falcon Enterprise – The Pro modules plus Falcon Insight and Falcon OverWatch.

Falcon Premium – Provides all of the modules in Falcon Enterprise plus Falcon Discover.

Falcon Complete – The managed endpoint security service, which involves the deployment of all modules plus staff to run and monitor them.

CrowdStrike markets Falcon as being delivered from the Cloud. In practice, though, a lightweight piece of software still has to be installed on every protected device. CrowdStrike calls this the "agent" or "sensor"; it performs the on-device prevention and streams telemetry to the Cloud, which hosts the analysis, the management console, and, in the case of Falcon Complete, the remote security management team.

This is the only serious approach an endpoint protection system can take. A security system can't assume that the endpoint will always be able to reach the Cloud, because an attacker may deliberately cut it off from the network. Protection needs to remain active even when the device is offline, so the security software has to run on the endpoint itself.

The modules mentioned in the editions outlined above are:

Falcon Prevent – Next-gen antivirus and firewall.

Falcon X – A threat intelligence engine.

Falcon Insight – Endpoint detection and response, which aims at uncovering APTs.

Falcon OverWatch – Threat hunting and event analysis by human experts.

Falcon Discover – An IT hygiene module that inventories the hosts, applications, and accounts on the network so that unmanaged devices and unwanted software, the potential entry points for attacks, can be found and dealt with.

Falcon Device Control – A monitoring system for USB memory sticks.

None of the Falcon editions include Falcon Device Control. This is an add-on module that blocks USB devices from connecting to the operating system of the protected endpoint. A management console for the tool allows a system administrator to authorize specific USB devices. Should an authorized device turn out to be the carrier for malware, Falcon Prevent is designed to detect and block it before it executes on the endpoint.

McAfee Endpoint Security and CrowdStrike Falcon

Although McAfee and CrowdStrike approached the endpoint security task from different starting points, both ended up with the same design. In both cases, the product is a framework, known as an endpoint protection platform, and both companies built modules to address different attack vectors. In both cases, the search for and blocking of malware is a major part of the solution.

The McAfee solution is a single comprehensive package that includes everything a business would need to protect endpoints: malware detection, a firewall, threat intelligence sharing, intrusion prevention, exploit prevention, machine learning, and zero-day attack protection.

CrowdStrike has all of those same elements in its Premium edition, and it also includes the services of cybersecurity experts. McAfee employs security experts behind the scenes but doesn't offer their services directly to customers within the endpoint protection plan.

Clearly, CrowdStrike sees its background in cybersecurity consultancy as its main marketing advantage, and it blends this into its security software plans as a unique selling point. The managed services angle could be a major winner for the company as more businesses adopt cloud services. Startups and SMEs are particularly attracted to SaaS and managed services because they remove the need to employ technical experts and to buy hardware on which to run management and security software.

The Cloud-based console offered by CrowdStrike is an advantage in the wider market. However, in this comparison, it doesn’t give the company much of an edge because McAfee offers that utility as well.

The decision of each individual customer over which of these two systems to buy could ultimately just boil down to which console the buyer likes the look of most. Both McAfee Endpoint Security and CrowdStrike Falcon offer competent and comprehensive endpoint protection. Both are backed by highly regarded cybersecurity experts and both companies have successful histories in providing IT security to businesses.

Getting your hands on each of these endpoint protection systems will help you decide which is best for you. CrowdStrike offers a 15-day free trial of Falcon Pro. There is no free trial of McAfee Endpoint Security, but you can get a free demo of the system, in which a technician guides you through the features of the software. That does, however, require you to hand over your contact details to a McAfee sales agent. Once you have tried out these two systems, leave a message in the Comments section below to share your opinions with the community.

Image credit kalhh from Pixabay