EDR Platform Comparison
A side-by-side view of how CDC-ON® responds to the rest of the EDR/XDR market, including two market leaders.
CDC-ON®'s Response to Market Leaders
| Market Leader 1 | Market Leader 2 | CDC-ON® |
|---|---|---|
| | | MSSPs: you name it, we will get it for you |
| Freedom to Choose vs. One Size Fits All | | |
| Customizable without the cost: Multi-site, multi-level architecture tailored to your org structure at no extra charge | Flexibility that costs a fortune: Flat, limited tenancy with additional costs for limited customisation | Customizable at code level to suit the MSSP's business goals |
| Easy to learn, easy to become an expert: Manage your operations from one intuitive console | A laborious learning curve: Requires navigation between Market Leader 2-native and Splunk-powered technology | No learning curve |
| Cloud-native, with options for more: Cloud-first SaaS, hybrid and on-prem deployment and management available | Confined to cloud-only | The MSSP decides the architecture, implementation and delivery modes based on its business needs |
| Time is Money: Faster, Better, Smarter Than Humans Alone | | |
| The simplicity of Storyline™: Automatic correlation of benign and malicious telemetry; events are mapped to MITRE ATT&CK for faster investigation and response | Less signal, more noise: "Continuous, comprehensive recording" translates to manual parsing, prioritization and correlation of telemetry, especially challenging across reboots | CDC-ON® SOAR: Automatic correlation of benign and malicious telemetry; events are mapped to MITRE ATT&CK, or to another framework of the MSSP's choice, for faster investigation and response |
| Real-time reconstruction: Machine-powered attack reconstruction generates focused, contextualized alerts for faster MTTR | Human-powered, human-limited: Delayed, manual analysis introduces greater risk exposure | CDC-ON® focuses on the shortest possible dwell time and the fastest MTTR |
| Fully automated recovery: Patented automatic and one-click remediation and rollback | Rudimentary remediation: Implemented through API and custom code | Single-click remediation, or remediation mapped to the client's change management process |
| Confidence and Continuity in the Cloud | | |
| Scalable and sustainable: Runtime protection for containers and 10 Linux distributions | Limited on Linux: Reduced feature support for 7 Linux distributions and for containers | Containerized architecture; all Linux distributions, or a custom build for the MSSP |
| Control and confidence: No DevOps or performance impact; scheduling and maintenance window support available | Unplanned updates: OS kernel module dependencies may force updates; no maintenance window controls | No performance degradation: Quad-server architecture and containers allow live updates with minimal maintenance windows |
| EDR That Over-delivers, Not Overwrites | | |
| 365 days of malicious incident details | 180 days of malicious incident details | Retention is limited by the MSSP, not the product |
| 14 days of EDR data, upgradable to 365 days, enough to handle attacks like SUNBURST | 7 days of EDR data, overwritten every 7 days, misses attacks like SUNBURST; comparatively high cost to upgrade beyond 7 days | Retention is limited by the MSSP, not the product |
| The data you need, on demand: Cloud data lake streams in real time | Delays for data: Data lake streaming takes hours or longer | Real-time data availability |
| Where You're a Name, Not a Number | | |
| No security team left behind: Vigilance Respond and Respond Pro MDR offer accessible options for incident-driven triage, digital forensics, incident response and threat resolution as needed for your organization | Premium prices for standard services: Comparable capabilities require OverWatch Elite or Falcon Complete (Market Leader 2's highest-tier offerings) | Fully customizable to the MSSP's needs |
| Actionable hunting and intelligence: WatchTower threat hunting service comes standard with Vigilance offerings | Overpromised, under-delivered: Falcon OverWatch costs a premium for correlation-based services | Under-promise and over-deliver: your pie in the sky is what we aim to deliver |
| Fastest MDR on the planet: SOC expertise powered by platform automation | MDR at human speed: Only responds as quickly as its analysts, even with Falcon Complete | Humans are still needed: fastest automated response, or a human-automated hybrid mode |
| Ready. Real-time. Record-breaking. | | |
| Quick and customizable (STAR, MITRE): Rules and policy updates are active and instantly responsive upon deployment to agents | Lags and limitations: Behavioral rule, custom IOA and policy changes can take up to 40 minutes to take effect, extending an attack's lifespan and cost | Instantaneous and customizable |
| Richer context, fewer alerts: The most analytic detections in the MITRE ATT&CK Evaluation three years running; Singularity automatically consolidated 109 attack steps into just 9 alerts | Manual and maintenance-heavy: A third as many analytic detections, despite continuous tuning and manual correlation and analysis | Automated and hybrid mode |
| Unparalleled visibility: Works out of the box; record-breaking results in the ATT&CK Evaluation with the highest analytic coverage | Middle of the road: 86% visibility with 17 missed detections, delays and configuration changes; analytic detections for only 94 of 109 sub-steps | Full range of visibility, combining the strengths of both Market Leader 1 and Market Leader 2 |
| Discovery as Dynamic as Your Attack Surface | | |
| Passive and active: Network discovery, fingerprinting and suspicious device blocking | Passive-only: Rudimentary network discovery | Combines the strengths of both competing products, and is the only product on the market that allows code-level customization to meet the MSSP's business needs |
| Full functionality, one price: Unlimited Device Control and Firewall Control, no fine print | Multiple modules, multiple costs: Complicated licensing for rudimentary capabilities | |
| Enterprise-ready: Broad OS support for Firewall Control and USB and Bluetooth Device Control, no reboot needed | A minimally viable product: Windows-only Device and Firewall Control for USB (no Bluetooth), requires a reboot to activate | |
| | Market Leader 1 | Market Leader 2 | CDC-ON® |
|---|---|---|---|
| EDR | Partial visibility: Focused on process, file, network and user events | Full visibility: Continuous, comprehensive recording captures raw events and related information that provides needed context, critical for hunting and investigations | Full visibility and highly customizable: Can operate at the process, file and network level as well |
| Deployment | Reboot required: Requires endpoint downtime and a restart for installation | Immediately operational: Deploys in minutes and is immediately operational, no reboot required | Instantaneous deployment: The client can choose any deployment strategy |
| Proactive threat hunting | Alert monitoring, triage and investigation: Performs alert monitoring, triage and investigation on detected threats, not proactive threat hunting | 24/7 proactive hunting: An elite team of experts proactively hunts, investigates and advises on threat activity | 24/7 full support available, including L1/L2 analysts to augment the MSSP's teams during graveyard shifts, holidays and weekends |
| Threat intelligence | File reputation: Threat intelligence is limited to file-hash reputation | Integrated intel: Alerts are automatically enriched with Market Leader 2 threat intelligence, including actor attribution, sandbox analysis and malware search for the threat and all known variants | Combines the strengths of both Market Leader 1 and Market Leader 2 |
| Managed services | Alert monitoring, triage and investigation: Performs alert monitoring, triage and investigation on detected threats, not a full, end-to-end managed service | Fully managed endpoint protection: A team of experts handles all aspects of endpoint security, from deployment, configuration, maintenance and monitoring to alert handling, incident response and remediation | CDC-ON® is built by a Master MSSP for MSSPs |
Unique for CDC-ON®
Build Your Own SIEM-EDR Platform
| 1 | Zero learning curve |
| 2 | Advanced machine learning |
| 3 | Zero Trust |
| 4 | Highly scalable |
| 5 | A comprehensive solution |
| 6 | Fully customizable: build your own niche custom SOC service with: |
| | CDC-ON® PLATFORM | Integrates with or replaces any SIEM, EDR, XDR or antivirus, providing a full-service SOC platform custom built for your business. |
| | CDC-ON® PEOPLE | CDC-trained SOC L1/L2 analyst FTEs can support the client SOC on any industry-standard third-party platform or on the custom-built CDC-ON® platform, covering all shift options, including holidays and weekends. |
| | CDC-ON® PROCESS | Supports industry-standard process frameworks and regulations (MITRE ATT&CK, NIST, ISO 27001, ISA/IEC 62443, IEC 61850, Modbus (PLC), HIPAA, SOX), integrated with the CDC-ON® SOC process. |
| 7 | Code-level customisation: bespoke platform build, custom modules and features |
| 8 | Code/API-level integration with any platform, including Splunk, AlienVault, LogRhythm, QRadar, Bitdefender, SentinelOne, Carbon Black, etc., or SOC support on the custom-built CDC-ON® platform |
MSSPs: custom-build your service. You can add your needs to this list and we will build it for you.
| 1 | Signature-based anti-malware protection |
| 2 | Machine learning/algorithmic file analysis on the endpoint |
| 3 | Machine learning for process activity analysis |
| 4 | Process isolation |
| 5 | Memory protection and exploit prevention |
| 6 | Protection Against Undetected Malware |
| 7 | Application whitelisting |
| 8 | Local endpoint sandboxing/endpoint emulation |
| 9 | Script, PE, or fileless malware protection |
| 10 | Integration with on-premises network/cloud sandbox |
| 11 | Real-time IoC search capabilities |
| 12 | Retention period for full access to data |
| 13 | Endpoint Firewall |
| 14 | FW Learning Mode |
| 15 | Automatically creates network traffic rules |
| 16 | URL Filtering |
| 17 | Host Based IPS |
| 18 | USB device Control |
| 19 | Full device control (based on device class, product ID, vendor ID and device name) |
| 20 | Agent self-protection/remediation or alerting when there is an attempt to disable, bypass, or uninstall it |
| 21 | Ransomware protection |
| 22 | Protect/block ransomware |
| 23 | VDI support |
| 24 | Manage and maintain an application control database of known trusted applications |
| 25 | Multi-tenant cloud based service |
| 26 | EPP management console available as an on-premises virtual or physical server/application |
| 27 | Consolidated EPP management console to report on, manage and alert for Windows, macOS and mobile clients |
| 28 | Data loss prevention |
| 29 | Mobile Device Management |
| 30 | Mobile threat Defense |
| 31 | Vulnerability and patch management |
| 32 | Network/Cloud sandboxing |
| 33 | Security Orchestration, Automation and Response (SOAR) integration |
| 34 | Network discovery tool |
| 35 | Remote Access |
| 36 | Remote scripting capabilities |
| 37 | Default Deny Security with Default Allow Usability |
| 38 | Run unknown files with Auto Containment Protection |
| 39 | Create a virtual environment for any unknown file |
| 40 | Virtualize file system, registry, COM on real endpoints |
| 41 | Inter-process memory access |
| 42 | Windows/WinEvent Hook |
| 43 | Device Driver Installations |
| 44 | File Access/Modification/Deletion |
| 45 | Registry Access/Modification/Deletion |
| 46 | Network Connection |
| 47 | URL Monitoring |
| 48 | DNS Monitoring |
| 49 | Process Creation |
| 50 | Thread Creation |
| 51 | Inter-process communication (named pipes, etc.) |
| 52 | Telemetry data itself can be extended in real time |
| 53 | Event chaining and enrichment on the endpoints |
| 54 | Adaptive Event Modelling |
| 55 | Behavioral analysis (e.g. analysis over active memory, OS activity, user behavior, process/application behavior, etc.) |
| 56 | Static analysis of files using capabilities such as machine learning (not including signature based malware detection) |
| 57 | Time-series analysis |
| 58 | Integration with automated malware analysis solutions (sandboxing) |
| 59 | Threat Hunting interface or API for searching with YARA/REGEX/ElasticSearch/IOC |
| 60 | Support for matching against private IOC |
| 61 | Threat Intelligence integration |
| 62 | Linking telemetry (observable data) to recreate a sequence of events to aid investigation |
| 63 | Process/attack visualization |
| 64 | Incident response platform or orchestration integration |
| 65 | Vulnerability reporting (ex. reporting on unpatched CVEs) |
| 66 | Alert prioritization based on confidence, able to define thresholds for alerting. |
| 67 | Alert prioritization factors system criticality |
| 68 | Able to monitor risk exposure across environment organized by logical asset groups |
| 69 | Reporting interface identifies frequent alerts that may be appropriate for automating response |
| 70 | Remote scripting capabilities |
| 71 | Quarantine and removal of files |
| 72 | Kill processes remotely |
| 73 | File retrieval |
| 74 | Network isolation |
| 75 | Filesystem snapshotting |
| 76 | Memory snapshotting |
| 77 | Manage customer endpoints and policies |
| 78 | Incident Investigation & Response |
| 79 | Preemptive containment |
| 80 | Application profiling (AI support) |
| 81 | Customizable policy creation |
| 82 | Central monitoring of all endpoints |
| 83 | Live remote inspection |
| 84 | Tuning of monitoring rules for reduction of false positives |
| 85 | Forensic analysis |
| 86 | Cloud-based SIEM and Big Data Analytics |
| 87 | Log data collection/correlation |
| 88 | Threat intelligence integration |
| 89 | Network profiling (AI support) |
| 90 | Available as virtual or physical |
| 91 | Integrated file analysis (cloud sandbox) |
| 92 | Full packet capture |
| 93 | Protocol analyzers for numerous protocols (TCP, UDP, DNS, DHCP, HTTP, HTTPS, NTLM, etc.) with full decoding capability |
| 94 | Includes ready-to-use cloud application connectors for: |
| 95 | Azure |
| 96 | Google Cloud Platform |
| 97 | Office 365 |
| 98 | AWS |
| 99 | Threat detection for cloud applications |
| 100 | Log collection from cloud environments |
| 101 | Generating actionable incident response from cloud application |
| 102 | Holistic security approach: combined network, endpoint and cloud |
| 103 | Internal security sensor logs (IOCs) |
| 104 | Expert Human Analysis |
| 105 | ML & Behavioral Analysis |
| 106 | Open source threat intelligence feeds |
| 107 | Information sharing with industry |
| 108 | Clean web (phishing sites, keyloggers, spam) |
| 109 | Deep web (C&C servers, Tor sites, database archives, pastebins) |
| 110 | Cyber Adversary Characterization |
| 111 | ISO 27001-certified security operations center (SOC) |
| 112 | Dedicated cybersecurity expert and L1/2/3 resources |
| 113 | Security monitoring |
| 114 | Incident analysis |
| 115 | Incident response (handling) |
| 116 | Extensive threat hunting (scenario-based) |
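Items 53, 62, 63, 66 and 67 above (event chaining, linking telemetry into a sequence, attack visualization, confidence thresholds and asset criticality) and the Storyline-style consolidation claimed in the comparison table (109 attack steps into 9 alerts) all rest on one mechanism: group raw telemetry by the process chain that produced it, tag each step with an ATT&CK technique, and score the story as a whole rather than each event. The Python below is an added illustration written for this page; it is not CDC-ON®, Market Leader 1 or Market Leader 2 code. The event field names, the story-boundary list, the tagging rules, the criticality table and the sample events are all constructed assumptions.

```python
"""Correlate raw endpoint telemetry into process-chain incidents.

Added example, not CDC-ON® code. Event fields, boundary list, tagging
rules, criticality table and the sample events are all assumed.
"""

# Constructed telemetry: a phishing chain on ws-042 and benign DB traffic on db-01.
EVENTS = [
    {"host": "ws-042", "type": "process", "pid": 100, "ppid": 1, "image": "explorer.exe", "cmd": ""},
    {"host": "ws-042", "type": "process", "pid": 200, "ppid": 100, "image": "winword.exe", "cmd": "invoice.docm"},
    {"host": "ws-042", "type": "process", "pid": 300, "ppid": 200, "image": "powershell.exe", "cmd": "-nop -w hidden -enc SQBFAFgA"},
    {"host": "ws-042", "type": "network", "pid": 300, "dst": "203.0.113.7:443"},
    {"host": "ws-042", "type": "file", "pid": 300, "path": "C:\\Users\\a\\AppData\\Roaming\\up.exe"},
    {"host": "ws-042", "type": "process", "pid": 400, "ppid": 300, "image": "schtasks.exe", "cmd": "/create /tn Updater /tr up.exe"},
    {"host": "db-01", "type": "process", "pid": 500, "ppid": 1, "image": "sqlservr.exe", "cmd": ""},
    {"host": "db-01", "type": "network", "pid": 500, "dst": "10.0.0.5:1433"},
]

# Assumed: parents at which a new story starts (user- or service-launched children).
STORY_BOUNDARIES = {"explorer.exe", "services.exe", "wininit.exe"}
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Assumed asset criticality multipliers (item 67); anything missing is 1.0.
CRITICALITY = {"db-01": 3.0}


def index_processes(events):
    """Map (host, pid) -> process event so parents can be looked up."""
    return {(e["host"], e["pid"]): e for e in events if e["type"] == "process"}


def root_of(procs, host, pid):
    """Walk up the parent chain until a story boundary or an unknown parent."""
    key = (host, pid)
    while True:
        proc = procs.get(key)
        if proc is None:
            return key
        parent = procs.get((host, proc["ppid"]))
        if parent is None or parent["image"] in STORY_BOUNDARIES:
            return key
        key = (host, proc["ppid"])


def tag(ev, procs):
    """Return (ATT&CK technique ID, confidence) for one event, or None if untagged.
    Assumed rule set: deliberately tiny, a production engine carries hundreds."""
    if ev["type"] == "process":
        parent = procs.get((ev["host"], ev["ppid"]))
        parent_img = parent["image"] if parent else ""
        if ev["image"] == "powershell.exe" and "-enc" in ev["cmd"]:
            # Encoded PowerShell is suspicious alone; spawned by Office it is near-certain.
            return ("T1059.001", 0.9 if parent_img in OFFICE else 0.6)
        if ev["image"] == "schtasks.exe" and "/create" in ev["cmd"]:
            return ("T1053.005", 0.7)
    elif ev["type"] == "file":
        path = ev["path"].lower()
        if path.endswith(".exe") and "\\appdata\\" in path:
            return ("T1105", 0.5)
    elif ev["type"] == "network":
        proc = procs.get((ev["host"], ev["pid"]))
        if proc and proc["image"] == "powershell.exe":
            return ("T1071.001", 0.6)
    return None


def count_tagged(events):
    """Alerts a per-event detector would raise before any correlation."""
    procs = index_processes(events)
    return sum(1 for e in events if tag(e, procs) is not None)


def correlate(events, threshold=0.5):
    """Group every event under its story root, keep benign steps as context, and
    emit one incident per story whose combined confidence clears the threshold."""
    procs = index_processes(events)
    stories = {}
    for ev in events:
        stories.setdefault(root_of(procs, ev["host"], ev["pid"]), []).append(ev)

    incidents = []
    for (host, pid), evs in stories.items():
        techniques, miss = [], 1.0
        for ev in evs:
            hit = tag(ev, procs)
            if hit:
                if hit[0] not in techniques:
                    techniques.append(hit[0])
                miss *= 1.0 - hit[1]  # chance that every tagged step is a false positive
        confidence = round(1.0 - miss, 3)
        if not techniques or confidence < threshold:
            continue
        incidents.append({
            "host": host,
            "root": procs[(host, pid)]["image"] if (host, pid) in procs else "unknown",
            "chain": [e.get("image") or e.get("path") or e.get("dst") for e in evs],
            "techniques": techniques,
            "events": len(evs),
            "confidence": confidence,
            "priority": round(confidence * CRITICALITY.get(host, 1.0), 3),
        })
    return incidents


if __name__ == "__main__":
    print(count_tagged(EVENTS), "per-event alerts ->", len(correlate(EVENTS)), "incident(s)")
    for inc in correlate(EVENTS):
        print(inc)
```

Run stand-alone, it reports four per-event alerts collapsed into one incident on ws-042 whose chain reads winword.exe, powershell.exe, a connection to 203.0.113.7:443, a dropped executable under AppData and a schtasks.exe persistence step. The benign winword.exe launch is kept as context rather than alerted on, and the database traffic from sqlservr.exe on db-01 produces nothing despite that host's higher criticality multiplier, because criticality scales confidence but never creates it. The `threshold` argument is the "define thresholds for alerting" knob from item 66.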
