My organisation recently migrated all its workstations from Windows boxes to MacOS devices. The Windows fleet was equipped with a remotely managed anti-virus software. We needed to maintain a similar level of protection, so I had to select the security agent that would be deployed on the new Mac fleet.
I spent a few days testing security software for Mac, and I’ll be sharing with you my thought process on the matter.
Context
Why move to Mac?
The move from Windows to Mac boxes was driven by the IT department for various reasons that will not be discussed in this blog post. We will be focusing solely on the security side of things.
AV or EDR?
A regular AV coupled with regular network and proxy monitoring might be good enough for an organisation where everybody works from the office, or joins the corporate network with a VPN. That was not our case. Our workforce is highly distributed, and our organisation has taken many steps down the path of the BeyondCorp paradigm. As a result, we decided to go with an EDR agent instead of a regular AV solution, because it allowed us greater visibility as to what was going on in our fleet, as well as better response capabilities in the case of an incident.
Is this a paid product review?
No. This is not a paid product ad, nor is it a thorough, scientific review of the security products I’ll be presenting. Each organisation has its own requirements and resources. Those that apply to mine might not necessarily apply to yours.
Also, this work was done in March 2021. The findings presented reflect my experience with the tested products at that specific moment in time.
Selection process
We followed a simple 3-step process.
Step 1️⃣
Decide what was important to us, and how important it was.
So I prepared a comparison table with all our requirements, and set a priority for each item using the MoSCoW method.
Category | Criteria | Priority | Comment |
---|---|---|---|
Detection | Adequate protection against common known malware | must | Needs testing |
GRC | Data processing location | must | EU only |
GRC | Data storage duration | must | 6 months at most |
MOC | Ease of installation | should | Using our Mac MDM. Needs testing. |
MOC | Agent auto-update | must | |
MOC | Fast releases in case of OS updates | could | In case Apple rolled out a new OS, we wanted to be able to update our fleet ASAP |
MOC | Low workstation resource usage (CPU, RAM) | should | We don’t want to cripple our fleet and annoy our colleagues. Needs testing |
Logs | Syslog integration | must | The bare minimum required to plug this data into a SIEM |
Logs | S3 Bucket integration | should | Our preferred method of SIEM data ingestion |
Logs | ElasticSearch integration | could | |
RBAC | SSO integration for admins | should | Allows admins to log in using our usual 2FA method |
RBAC | RBAC for EDR admins | must | |
RBAC | Role-based EDR agent configuration | must | We need different EDR configurations for different populations (engineers & non-engineers) |
DFIR | Workstation quarantine | must | Allows us to isolate a machine using its local firewall |
DFIR | Workstation shell access | could | Nice to have feature in case of a big incident, but otherwise a rather risky feature |
DFIR | Malicious file quarantine | must | |
DFIR | IP and/or URL blocking | could | |
DFIR | On-demand scans | should | |
Usability | User friendly admin interface | should | Needs testing |
Usability | Easily identifiable workstation user | must | |
Step 2️⃣
Find EDR providers and, using public information, narrow the list down.
I looked up various EDR solution providers, and found many of the answers to the previously listed criteria. Quite a few did not meet all the “must have” requirements.
This allowed me to narrow the list down to 3 potential candidates: Jamf Protect, CarbonBlack and SentinelOne.
However, Jamf Protect’s list price was quite a bit higher than that of its competitors. More than double in fact. So it dropped out of the race, leaving CarbonBlack & SentinelOne as the finalists.
Step 3️⃣
Test the shortlisted solutions and choose one.
To find out which provider was best for us, I needed to answer the questions that could not be answered in step 2. I specifically focused on addressing the following issues:
👉 Adequate protection against common known malware
The solution must detect and stop common malware, with MacOS’ Gatekeeper deactivated.
I used Objective-See’s excellent expertise on Mac malware to get a diverse selection of recent, highly dangerous malware samples to throw at the EDRs:
- EICAR - Dummy payload that was developed to test the response of computer antivirus programs
- FinSpy - Spyware
- ElectroRAT - Backdoor
- EvilQuest - Ransomware
- XCSSET - Virus
- IPStorm - Botnet agent & backdoor
👉 Ease of installation
Agent installation, uninstallation & updates should be straightforward using our MDM system.
👉 Resource utilization
The solution should have the lowest CPU & RAM footprints possible, over a typical workday’s workload. That included:
- Heavy internet browsing
- Light spreadsheet work
- Light terminal work
- A few file downloads in the browser
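As an added example (not part of the original post), here is a small POSIX shell script for the footprint measurement described above: it samples the CPU and resident memory of every process whose command matches a name pattern at a fixed interval, then reports mean and peak values. The agent process names are not given on this page, so the pattern passed on the command line is an assumption you supply for whichever agent is under test.

```shell
#!/bin/sh
# edr_footprint.sh (hypothetical name): measure an agent's CPU/RAM footprint
# over a working period. Uses only POSIX ps(1) columns (pcpu, rss, comm), so
# it runs unchanged on macOS and Linux.

# Print one sample line: "<epoch> <summed CPU%> <summed RSS kB>" for all
# processes whose command name matches the (extended regex) pattern.
sample_once() {
    pattern="$1"
    now=$(date +%s)
    ps -A -o pcpu=,rss=,comm= | awk -v pat="$pattern" -v now="$now" '
        $3 ~ pat { cpu += $1; rss += $2 }
        END { printf "%s %.1f %d\n", now, cpu + 0, rss + 0 }'
}

# Append samples to <out> every <interval> seconds for <duration> seconds.
collect() {
    pattern="$1"; duration="$2"; interval="$3"; out="$4"
    end=$(( $(date +%s) + duration ))
    : > "$out"
    while [ "$(date +%s)" -lt "$end" ]; do
        sample_once "$pattern" >> "$out"
        sleep "$interval"
    done
}

# Summarise a sample file as one line:
#   samples=N cpu_avg=X cpu_max=Y rss_avg_mb=A rss_max_mb=B
# RSS is converted from kB to MB; an empty file yields "samples=0".
summarize() {
    awk '
        { n++; c += $2; if ($2 > cmax) cmax = $2
          r += $3; if ($3 > rmax) rmax = $3 }
        END {
          if (n == 0) { print "samples=0"; exit }
          printf "samples=%d cpu_avg=%.1f cpu_max=%.1f rss_avg_mb=%.1f rss_max_mb=%.1f\n",
                 n, c / n, cmax, r / n / 1024, rmax / 1024 }' "$1"
}

# Usage: ./edr_footprint.sh '<agent-process-pattern>' [duration_s] [interval_s]
# e.g. a full workday sampled every 30 s: ./edr_footprint.sh 'agentd' 28800 30
if [ $# -gt 0 ]; then
    collect "$1" "${2:-3600}" "${3:-10}" "${TMPDIR:-/tmp}/edr_samples.txt"
    summarize "${TMPDIR:-/tmp}/edr_samples.txt"
fi
```

Run it once per candidate agent under the same workload, and compare the two summary lines; the per-sample file also lets you spot spikes tied to particular activities (downloads, scans).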
👉 User friendly admin interface
The solution should have an easy to understand and use UI.
Results
I won’t go into a tedious description of how each product fared during our benchmarking, and will instead provide a quick overview for each product, as well as a comparison table.
CarbonBlack
CarbonBlack blocked all the malware samples I used. It had low resource utilization, a good enough UI, and a reasonable price compared to all the other candidates.
Getting the installation to work well was a little tricky on Mac OS Big Sur, but once we figured it out, it was all plain sailing.
SentinelOne
Things started out well for SentinelOne. Installation was a breeze.
It turned sour quickly though. It didn’t block all the malware I threw at it. It even let ElectroRAT & FinSpy install and run for a while, before it shut them down. I presume it waited until a lot of malicious syscalls were being made before it terminated the offending processes. This would be okay in the case of a new, unknown malware strain, but these were well-known samples.
SentinelOne then proceeded to delete all the malware’s files without any human intervention. I found this to be quite counterproductive, as it would make any investigation a tiny bit more involved.
To add insult to injury, it also had a larger resource footprint than CarbonBlack.
On a brighter note, when I tried to relaunch ElectroRAT & FinSpy, it blocked them immediately! Delightful! It had learned that these binaries were malicious. So I tried another sample (GravityRAT), hoping for more success. Lo and behold, GravityRAT ran happily before eventually getting terminated.
Comparison
Category | Criteria | Priority | CarbonBlack | SentinelOne |
---|---|---|---|---|
Detection | Adequate protection against common known malware | must | ✅ | ❌ |
GRC | Data processing location | must | ✅ | ✅ |
GRC | Data storage duration | must | ✅ | ✅ |
MOC | Ease of installation | should | ✅ | ✅ |
MOC | Agent auto-update | must | ✅ | ✅ |
MOC | Fast releases in case of OS updates | could | ❌ | ❌ |
MOC | Low workstation resource usage (CPU, RAM) | should | ✅ | ❌ |
Logs | Syslog integration | must | ✅ | ✅ |
Logs | S3 Bucket integration | should | ❌ | ❌ |
Logs | ElasticSearch integration | could | ❌ | ❌ |
RBAC | SSO integration for admins | should | ✅ | ❌ |
RBAC | RBAC for EDR admins | must | ✅ | ✅ |
RBAC | Role-based EDR agent configuration | must | ✅ | ✅ |
DFIR | Workstation quarantine | must | ✅ | ✅ |
DFIR | Workstation shell access | could | ✅ | ✅ |
DFIR | Malicious file quarantine | must | ✅ | ✅ |
DFIR | IP and/or URL blocking | could | ❌ | ❌ |
DFIR | On-demand scans | should | ✅ | ✅ |
Usability | User friendly admin interface | should | ✅ | ✅ |
Usability | Easily identifiable workstation user | must | ✅ | ✅ |
The winner
To absolutely nobody’s surprise, we decided to go with CarbonBlack.
Once licensing was sorted out, we rolled it out progressively on all workstations. Configuration went smoothly enough. We grouped machines depending on their users, giving a bit more leeway to our software engineers. We also set up notifications on Slack for faster alert processing.
The EDR has been running in production for a few weeks now, and it’s been quite painless. There are a few false positives every now and then, but far from unmanageable.