Featured image of post Selecting a Mac EDR agent

Selecting a Mac EDR agent

The making of a good decision

My organisation recently migrated all its workstations from Windows boxes to MacOS devices. The Windows fleet was equipped with a remotely managed anti-virus software. We needed to maintain a similar level of protection, so I had to select the security agent that would be deployed on the new Mac fleet.

I spent a few days testing security software for Mac, and I’ll be sharing with your my thought process on the matter.

# Context

# Why move to Mac?

The move from Windows to Mac boxes was driven by the IT department for various reasons that will not be discussed in this blog post. We will be focusing solely on the security side of things.

# AV or EDR?

A regular AV coupled with regular network and proxy monitoring might be good enough for an organisation where everybody works from the office, or joins the corporate network with a VPN. That was not our case. Our workforce is highly distributed, and our organisation has taken many steps down the path of the BeyondCorp paradigm. As a result, we decided to go with an EDR agent instead of a regular AV solution, because it allowed us greater visibility as to what was going on in our fleet, as well as better response capabilities in the case of an incident.

# Is this a paid product review?

No. This is not a paid product ad, nor is it a thorough, scientific review of the security products I’ll be presenting. Each organisation has its own requirements and resources. Those that apply to mine, might not necessarily apply to yours.

Also, this work was done in March 2021. The findings presented reflect my experience with the tested products at that specific moment in time.

# Selection process

We followed a simple 3 step process.

# Step 1️⃣

Decide what was important to us, and how important it was.

So I prepared a comparison table with all our requirements, and set a priority for each item using the MoSCoW method.

DetectionAdequate protection against common known malwaremustNeeds testing
GRCData processing locationmustEU only
GRCData storage durationmust6 months at most
MOCEase of installationshouldUsing our Mac MDM. Needs testing.
MOCAgent auto-updatemust
MOCFast releases in case of OS updatescouldIn case Apple rolled out a new OS, we wanted to be able to update our fleet ASAP
MOCLow workstation resource usage (CPU, RAM)shouldWe don’t want to cripple our fleet and annoy our colleagues. Needs testing
LogsSyslog integrationmustThe bare minimum required to plug this data into a SIEM
LogsS3 Bucket integrationshouldOur preferred method of SIEM data ingestion
LogsElasticSearch integrationcould
RBACSSO integration for adminsshouldAllows admins to log in using our usual 2FA method
RBACRBAC for EDR adminsmust
RBACRole-based EDR agent configurationmustWe need different EDR configurations for different populations (engineers & non-engineers)
DFIRWorkstation quarantinemustAllows us to isolate a machine using its local firewall
DFIRWorkstation shell accesscouldNice to have feature in case of a big incident, but otherwise a rather risky feature
DFIRMalicious file quarantinemust
DFIRIP and/or URL blockingcould
DFIROn-demand scansshould
UsabilityUser friendly admin interfaceshouldNeeds testing
UsabilityEasily identifiable workstation usermust

# Step 2️⃣

Find EDR providers and, using public information, narrow the list down.

I looked up various EDR solution providers, and found many of the answers to the previously listed criteria. Quite a few did not meet all the “must have” requirements.

This allowed me to narrow the list down to 3 potential candidates:

However, Jamf Protect’s list price was quite a bit higher than that of its competitors. More than double in fact. So it dropped out of the race, leaving CarbonBlack & SentinelOne as the finalists.

# Step 3️⃣

Test the shortlisted solutions and choose one.

To find out which provider was best for us, I needed to answer the questions that could not be answered in step 2. I specifically focused on addressing the following issues:

# 👉 Adequate protection against common known malware

The solution must detect and stop common malware, with MacOS’ GateKeepter deactivated.

I used Objective-See’s excellent expertise on Mac malware to get a diverse selection of recent, highly dangerous malware samples to throw at the EDRs:

# 👉 Ease of installation

Agent installation, uninstallation & updates should be straightforward using our MDM system.

# 👉 Resource utilization

The solution should have the lowest CPU & RAM footprints possible, over a typical workday’s workload. That included:

  • Heavy internet browsing
  • Light spreadsheet work
  • Light terminal work
  • A few file downloads in the browser

# 👉 User friendly admin interface

The solution should have an easy to understand and use UI.

# Results

I won’t go into a tedious description of how each product fared during our benchmarking, and will instead provide a quick overview for each product, as well as a comparison table.

# CarbonBlack

CarbonBlack blocked all the malware samples I used. It had low resource utilization, a good enough UI, and a reasonable price compared to all the other candidates.

Getting the installation to work well was a little tricky on Mac OS Big Sur, but once we figured it out, it was all plain sailing.

# SentinelOne

Things started out well for SentinelOne. Installation was a breeze.

It turned sour quickly though. It didn’t block all the malware I threw at it. It even let ElectroRAT & FinSpy install and run for a while, before it shut them down. I presume it waited until a lot of malicious syscalls were being made before it terminated the offending processes. This would be okay in the case of a new, unknown malware strain, but these were well known samples.

SentinelOne then proceeded to delete all the malware’s files without any human intervention. I found this to be quite counter productive, as it would make any investigation a tiny bit more involved.

To add insult to injury, it also had a larger resource footprint than CarbonBlack.

On a brighter note, when I tried to relaunch ElectroRAT & FinSpy, it blocked them immediately! Delightful! It had learned that these binaries were malicious. So I tried another sample (GravityRAT), hoping for more success. Lo and behold, GravityRAT ran happily before eventually getting terminated.

# Comparison

DetectionAdequate protection against common known malwaremust
GRCData processing locationmust
GRCData storage durationmust
MOCEase of installationshould
MOCAgent auto-updatemust
MOCFast releases in case of OS updatescould
MOCLow workstation resource usage (CPU, RAM)should
LogsSyslog integrationmust
LogsS3 Bucket integrationshould
LogsElasticSearch integrationcould
RBACSSO integration for adminsshould
RBACRBAC for EDR adminsmust
RBACRole-based EDR agent configurationmust
DFIRWorkstation quarantinemust
DFIRWorkstation shell accesscould
DFIRMalicious file quarantinemust
DFIRIP and/or URL blockingcould
DFIROn-demand scansshould
UsabilityUser friendly admin interfaceshould
UsabilityEasily identifiable workstation usermust

# The winner


To absolutely nobody’s surprise, we decided to go with CarbonBlack.

Once licensing was sorted out, we rolled it out progressively on all workstations. Configuration went smoothly enough. We grouped machines depending on their users, giving a bit more leeway to our software engineers. We also set up notifications on Slack for faster alert processing.

The EDR has been running in production for a few weeks now, and it’s been quite painless. There are a few false positives every now and then, but far from unmanageable.