Symantec EDR

Basic Information

Broadcom Symantec EDR (Endpoint Detection and Response) is a security solution designed for advanced threat detection, investigation, and response across endpoints. It is often integrated within the broader Symantec Endpoint Security Complete (SES-C) platform.

• Model: Symantec EDR (part of Symantec Endpoint Security Complete). Specific hardware appliance models include S550, 8840, and 8880.
• Version: Appliance versions include Symantec EDR 4.12 (latest stable). Agent versions for Symantec Endpoint Protection (SEP) are typically 14.3 RUx, with 14.3 RU9 MP1 supporting Ubuntu 24.04 LTS.
• Release Date: Specific overall product release dates are not consistently published, but new features and versions are released periodically. For example, new visibility features were added around November 2, 2020.
• Minimum Requirements: Varies significantly by deployment type (agent, virtual appliance, hardware appliance) and enabled features.
• Supported Operating Systems:
  • Windows: Various versions, with 32-bit operating systems no longer supported by SEP 14.3 RU6 and later.
  • Linux: Amazon Linux, CentOS, Debian, Fedora, Oracle Linux (OEL), Red Hat Enterprise Linux (RHEL), SUSE Linux Enterprise Server (SLES), SUSE Linux Enterprise Desktop (SLED), and Ubuntu (e.g., 12.04, 14.04, 16.04, 18.04, 24.04 LTS).
  • macOS: Supported with a dedicated agent.
• Latest Stable Version: Symantec EDR 4.12 for the appliance. Symantec Endpoint Protection agent 14.3 RU9 MP1 for Linux.
• End of Support Date: Varies by product version and component. The Symantec EDR Network Sensor feature reached End of Support Life on December 31, 2023. Symantec Endpoint Protection versions 14.2 and earlier are End of Service. Users should consult the Broadcom Product Lifecycle page for specific dates.
• End of Life Date: Varies by product version and component. Symantec Endpoint Protection Cloud (SEPC) and Small Business Version 2013 (SEP SBE 2013) reached End of Life on December 7, 2020, with free upgrades to Symantec Endpoint Security (SES). Users should consult the Broadcom Product Lifecycle page for specific dates.
• Auto-update Expiration Date: Not explicitly specified in publicly available documentation.
• License Type: Typically subscription-based.
• Deployment Model: Flexible deployment options include on-premises (hardware or virtual appliance), cloud-based, or hybrid configurations.

Technical Requirements

Technical requirements for Symantec EDR are highly dependent on the deployment model (agent, virtual appliance, or hardware appliance) and the specific features enabled, such as the Endpoint Activity Recorder.

• RAM:
  • Agent (Windows): Minimum 256 MB.
  • Agent (Linux): Minimum 512 MB (4 GB recommended).
  • EDR Virtual Appliance: Minimum 48 GB (for production environments, with or without Endpoint Activity Recorder).
  • Hardware Appliances (e.g., S550, 8840, 8880): Ranges from 32 GB to 256 GB.
  • AD Gateway: 16 GB (for large Active Directory domains, more may be needed).
• Processor:
  • Agent (Windows): 1 GHz Intel Pentium.
  • Agent (Linux): Intel Pentium 4 (2 GHz) or equivalent with 2 cores (4 cores recommended).
  • EDR Virtual Appliance: 12 Cores.
  • Hardware Appliances: Configurations vary, such as 12 x 1, 1 x 4, or 2 x 18 cores.
• Storage:
  • Agent (Windows): 245 MB installed to system drive.
  • Agent (Linux): 2 GB available disk space (+5 GB recommended in /opt for EDR features).
  • EDR Virtual Appliance: 500 GB (without Endpoint Activity Recorder), 1.5 TB (with Endpoint Activity Recorder).
  • Hardware Appliances: Configurations vary, such as 500 GB + 1 TB, 1.6 TB + 14 TB, or 2x64 GB SATA boot disk + 4x12 TB SAS.
• Display: Standard display capabilities are assumed; no specific requirements are listed.
• Ports: Specific firewall ports are required for communication between EDR components and backend servers.
• Operating System: Refer to the "Basic Information" section for supported operating systems for agents and appliance platforms (e.g., VMware ESXi 7.0 or later for virtual appliances).

Analysis of Technical Requirements: The technical requirements for Symantec EDR are substantial, particularly for appliance deployments and when advanced features like the Endpoint Activity Recorder are enabled. This reflects the intensive data processing and storage needs of a comprehensive EDR solution. Organizations must carefully size their deployments based on the number of endpoints and desired feature set to ensure optimal performance and avoid resource bottlenecks. Virtual appliance deployments require dedicated resources to prevent performance issues.

Support & Compatibility

Symantec EDR offers broad compatibility across various operating systems and integrates with other Symantec security products.

• Latest Version: The latest stable appliance version is Symantec EDR 4.12. Agent versions are continually updated, with Symantec Endpoint Protection 14.3 RU9 MP1 supporting recent Linux distributions.
• OS Support: Comprehensive support for modern Windows (primarily 64-bit), macOS, and a wide range of Linux distributions. Older 32-bit Windows operating systems are no longer supported by recent SEP agent versions.
• End of Support Date: End of Support (EoS) and End of Life (EoL) dates are version-specific and component-specific. For example, the Symantec EDR Network Sensor feature reached EoL on December 31, 2023. Symantec Endpoint Protection 14.2 and earlier are End of Service. Broadcom maintains a Product Lifecycle page for up-to-date information.
• Localization: Documentation and support resources are available in multiple languages, including English and Japanese.
• Available Drivers: Necessary drivers and components are typically included within the agent installations. Broadcom validates disk operation speeds using VMware drivers for virtual appliances.

Analysis of Overall Support & Compatibility Status: Symantec EDR demonstrates strong compatibility with major operating systems, reflecting its enterprise focus. The continuous updates to agent versions ensure support for newer OS releases. However, organizations must actively monitor EoS and EoL dates for their specific versions and components to maintain supported configurations. The phasing out of 32-bit Windows support indicates a shift towards modern, 64-bit environments. Integration with Symantec Endpoint Protection (SEP) is a core aspect of its compatibility, with specific SEP versions required for optimal EDR functionality.

Security Status

Broadcom Symantec EDR provides a robust security posture through advanced detection, prevention, and response capabilities, leveraging AI and global threat intelligence.

• Security Features:
  • Advanced Threat Detection: Utilizes precision machine learning, behavioral analytics, and global threat intelligence to detect sophisticated attacks, including malware, ransomware, zero-day threats, breach detection, command and control beaconing, and lateral movement.
  • Automated Incident Response: Supports automated incident playbook rules and user behavior analytics to enhance investigator productivity. Provides rapid remediation actions such as file deletion, blacklisting, and endpoint quarantine.
  • Attack Surface Reduction: Includes features like device control, application control, and behavioral isolation.
  • Attack Prevention: Offers machine learning-driven exploit and malware prevention, behavior-based prevention, network integrity, Wi-Fi reputation, and Smart VPN.
  • Breach Prevention: Incorporates deception technologies, Active Directory Defense (preventing credential theft and lateral movement), network firewall, and intrusion prevention.
  • Endpoint Visibility: Provides continuous and on-demand recording of system activity for full endpoint visibility and forensic analysis.
• Known Vulnerabilities: Publicly available information does not detail specific known vulnerabilities for the current EDR product, implying active management and patching by the vendor.
• Blacklist Status: Supports blacklisting of files and applications for rapid containment.
• Certifications: Achieves AAA ratings from SE Labs for perfect real-world ransomware defense with zero false positives. Participates in rigorous MITRE ATT&CK evaluations.
• Encryption Support: While not explicitly detailed as a direct EDR feature, it is a fundamental component of broader Symantec security offerings.
• Authentication Methods: Supports integration with Microsoft Active Directory and Single Sign-On (SSO) for user authentication and management.
• General Recommendations: Implement continuous monitoring, leverage automated incident generation, and utilize global threat intelligence. Regular upgrades to the latest versions are recommended for optimal security and performance.

Analysis on the Overall Security Rating: Symantec EDR demonstrates a high overall security rating, characterized by its multi-layered defense strategy covering the entire attack lifecycle from prevention to post-breach remediation. Its reliance on AI, machine learning, and global threat intelligence enables effective detection of advanced and evasive threats. Independent validations, such as the SE Labs AAA rating and strong performance in MITRE ATT&CK evaluations, underscore its efficacy against real-world attacks, particularly ransomware. The integration of Active Directory Defense is a significant feature for preventing lateral movement and credential theft.

Performance & Benchmarks

Symantec EDR exhibits strong performance in critical security functions, validated by independent testing, though some user feedback points to potential resource utilization concerns.

• Benchmark Scores:
  • SE Labs: Achieved a perfect AAA rating for Advanced Security EDR Protection, scoring 100% in detection and protection against ransomware with zero false positives in real-world tests.
  • MITRE ATT&CK Evaluations: Demonstrated strong performance, stopping 85% of attacks in the APT29 evaluation.
• Real-world Performance Metrics:
  • Effectively detects, blocks, and neutralizes ransomware and other sophisticated attacks in environments mimicking real-life scenarios.
  • Users report it provides reliable, consistent protection and is effective at catching threats.
  • Some users have reported CPU utilization issues, which can impact production environments.
  • The agent is generally perceived as running "fairly light" in the background by some, while others note a heavier agent compared to competitors.
• Power Consumption: Not explicitly detailed in publicly available documentation.
• Carbon Footprint: Not explicitly detailed in publicly available documentation.
• Comparison with Similar Assets:
  • vs. CrowdStrike Falcon: Symantec EDR holds an edge in raw security, while CrowdStrike often leads in management and response capabilities. Both perform comparably in MITRE ATT&CK evaluations. CrowdStrike is frequently cited for its lightweight agent and minimal endpoint performance impact, contrasting with some perceptions of Symantec's agent. Symantec EDR excels in Intrusion Prevention (9.4) and Automated Remediation (9.1) compared to CrowdSec.
  • vs. SanerNow: Symantec EDR shows higher malware detection (9.3) and compliance monitoring (8.6), while SanerNow is noted for ease of setup and quality of support.

Analysis of the Overall Performance Status: Symantec EDR demonstrates excellent performance in its core function of threat detection and prevention, particularly against ransomware, as evidenced by top-tier independent benchmark scores. Its real-time detection and automated response capabilities are strong. While its security efficacy is highly rated, some user feedback suggests that performance optimization and system resource usage can be areas for improvement, especially when compared to cloud-native competitors known for lightweight agents.

User Reviews & Feedback

User reviews for Broadcom Symantec EDR highlight its robust security capabilities, though some areas like ease of use and support consistency receive mixed feedback.

• Strengths:
  • Comprehensive Threat Analysis and Detection: Praised for its ability to detect, isolate, and eliminate intrusions using AI, machine learning, and global threat intelligence. Users appreciate its real-time detection and advanced filtering.
  • Robust Prevention and Remediation: Excels in intrusion prevention and automated remediation, allowing for quick responses to threats. It effectively catches threats and provides reliable, consistent protection.
  • Enterprise Management: Considered easy to deploy, configure, and manage across various endpoints in enterprise environments.
  • Integration: Integrates well with other applications and security ecosystems.
• Weaknesses:
  • Ease of Use: Some users find the interface less intuitive compared to competitors, leading to a slightly lower score in ease of use.
  • Quality of Support: Feedback on support quality is mixed, with some reviewers indicating room for improvement in responsiveness and helpfulness.
  • Resource Utilization: Reports of CPU utilization issues have been noted, potentially impacting production. Users suggest a need for performance optimization and reduced system resource usage.
  • Scalability and Stability: While generally stable, some users point to scalability and stability as areas that could be improved.
• Recommended Use Cases:
  • Organizations requiring advanced threat detection, investigation, and automated response capabilities for sophisticated cyber threats like malware, ransomware, and zero-day attacks.
  • Enterprises seeking a comprehensive, integrated endpoint security platform for all devices and operating systems.
  • Environments needing strong incident response, threat hunting, forensic analysis, and endpoint containment features.

Analysis: Overall, user feedback positions Symantec EDR as a powerful and effective security solution, particularly for its core functions of threat detection and prevention. Its strengths lie in its advanced analytics, automated response, and comprehensive protection against a wide array of cyber threats. However, the platform faces challenges in user experience, with some finding it less intuitive and desiring more consistent support. Performance impact, specifically CPU utilization, is also a recurring concern for some users. These insights suggest that while Symantec EDR delivers robust security, there is an opportunity for enhancement in usability and resource efficiency to improve the overall user experience.

Summary

Broadcom Symantec EDR is a comprehensive and robust Endpoint Detection and Response solution, integral to the broader Symantec Endpoint Security Complete platform. It offers advanced capabilities for detecting, investigating, and responding to sophisticated cyber threats across diverse operating systems, including Windows, macOS, and various Linux distributions. The product supports flexible deployment models, including on-premises hardware or virtual appliances, as well as cloud and hybrid options.

Strengths: Symantec EDR excels in its core security functions, leveraging AI, machine learning, and global threat intelligence for precision threat detection and automated incident response. It provides extensive attack surface reduction, attack prevention, and breach prevention features, including specialized defenses against Active Directory credential theft and lateral movement. Independent evaluations, such as the SE Labs AAA rating for ransomware defense and strong performance in MITRE ATT&CK assessments, validate its high efficacy against real-world threats. Users frequently praise its comprehensive threat analysis, robust intrusion prevention, and automated remediation actions.

Weaknesses: Areas for improvement include user experience, with some feedback indicating that the platform can be less intuitive compared to competitors. The consistency and responsiveness of customer support also receive mixed reviews. Furthermore, some users report concerns regarding system resource utilization, specifically CPU usage, suggesting a need for further performance optimization.

Recommendations: Symantec EDR is highly recommended for enterprises seeking a powerful, integrated endpoint security solution capable of handling advanced and persistent threats. Organizations should carefully consider their deployment strategy, aligning with the detailed technical requirements for agents, virtual appliances, or hardware. Regular monitoring of Broadcom's Product Lifecycle pages is crucial to ensure components remain supported. While the security capabilities are top-tier, potential users should evaluate the platform's usability and resource impact within their specific environment. Ongoing feedback from the user community suggests that continuous enhancements in user interface design and performance efficiency would further strengthen the product's market position.

The information provided is based on publicly available data and may vary depending on specific device configurations. For up-to-date information, please consult official manufacturer resources.