Hi Guys,
Looking for some advice. I currently have a Serverless Elastic Security Enterprise subscription and have the agent running on all my clients. My ES profiles are configured to "Detect only". I also use Eset Protect on the client machines too. Both have worked in harmony for a while. However, renewals are coming up and I was wanting to get the community's take on dumping Eset, reconfiguring my profiles and fully committing to Elastic Defend to be my sole AV/EDR for end users.
Anyone got any comments, thoughts or advice on the matter?
Thanks
In terms of protection capabilities, Elastic Defend is significantly stronger than ESET Endpoint Security. That said, Elastic generally consumes more memory and CPU than ESET. Because Elastic relies heavily on machine learning models to detect malicious executables, and because its behavioral protection processes events at scale, performs high-precision call stack analysis on Windows, and applies a large number of real-time behavioral detection rules, it also tends to have a relatively higher false-positive rate.
By contrast, ESET focuses on rapidly updated, high-accuracy signatures and heuristics, supplemented by memory scanning. (Elastic's memory threat protection also includes memory scanning, but it is less dependent on it.) ESET can accurately detect a wide range of malware, risk tools, and potentially unwanted applications (PUAs), but it is much weaker in terms of behavioral protection. Its Deep Behavioral Inspection can only detect known malware families. However, its performance overhead and false-positive rate are both lower—assuming that detections of potentially unwanted or potentially unsafe applications are not counted as false positives, even though such detections may sometimes affect legitimate software or packed/obfuscated programs.
I've never used ESET Enterprise Inspector, so I cannot offer a recommendation on it. Based on MITRE's test results, ESET's EDR does not appear to be in the top tier, and it is at least clearly behind products from vendors such as CrowdStrike, SentinelOne, and Palo Alto Networks. Elastic EDR also has relatively limited capabilities in data collection, correlation, and analysis, but the overall experience is still fairly decent. It works reasonably well if the security operations team can adapt to its workflow, although some of my friends find it comparatively difficult to use and not very intuitive.
Overall, unless you have particularly strict requirements around performance impact or false positives, I would definitely recommend replacing ESET with Elastic. Thanks.
Hi,
I appreciate your balanced and informative comment. From what I found, you're right. Defend's detection is far better. There is a bit more involvement in the day-to-day management of this platform being the sole provider of endpoint security; however, I think the "juice is worth the squeeze".
Thanks again