EPP Security: Prevention, Detection and Response at Your Fingertips
There is a huge proliferation of endpoints in organizations: workstations, corporate mobile devices, Bring Your Own Device (BYOD), container-based resources, cloud servers, and more. All of these are attractive targets for attackers, who can bypass the traditional security perimeter and directly target endpoints.
Until not long ago, an antivirus package was considered state of the art endpoint protection. Today, legacy antivirus is still important but is only a small piece of the puzzle. In this article we explain how modern Endpoint Protection Platforms (EPP) and a new EPP Security paradigm can help prevent a wide range of evolving threats, as well as allow teams to detect and react to breaches on endpoints across the enterprise via EDR security technology.
Endpoint Protection Platforms (EPP) are defined by Gartner as:
“A solution deployed on endpoint devices to prevent file-based malware attacks, detect malicious activity, and provide the investigation and remediation capabilities needed to respond to dynamic security incidents and alerts.”
EPP Prevention Features
The first part of the definition – “a solution to prevent malware …” is the next logical step after traditional antivirus. EPP aims to prevent and block a wide range of threats, by providing:
User and Event Behavioral Analytics – to detect anomalous or suspicious behavior on an endpoint, and other measures to block evolving threats.
Application control, browser control and whitelisting – restricts and blocks certain applications and websites on the endpoint.
Device control and compliance – enables security teams to remotely control endpoints, gather data from endpoints for auditing, investigation and compliance purposes, and enforce policies.
Sandbox – an isolated location on the device where potential malware can be contained, analyzed and “detonated” in a way that does not threaten the rest of the device.
Which Types of Attacks Can EPP Prevent?
The preventive side of an EPP solution can block many types of attacks, including:
Malware with known attack signatures (detectable by legacy AV)
Zero-day malware or malware without a known attack signature
Exploits of known software vulnerabilities
Rootkits and backdoors
EPP with EDR for Detection and Response
The second part of the Gartner definition – “provide investigation and remediation capabilities” – talks about Endpoint Detection and Response (EDR) technology, which helps security teams react to incidents that occur on endpoints, gather information and take immediate action to contain and mitigate them.
To many in the industry EPP is only about preventive measures that can block threats on endpoints. But in Gartner’s holistic definition, EPP also includes EDR.
Preventive EPP vs EDR – What is The Difference?
Keep in mind that in the modern definition of EPP, EPP includes both the preventive aspects and also EDR components that allow security teams to respond if a security breach has also occurred.
The differences between these two parts of EPP solutions can be summarized as follows:
Preventive EPP is a first-line defense that “just works”, it blocks threats without requiring active involvement from security staff. It focuses on protecting each endpoint individually
EDR helps deal with ongoing attacks that have already occurred. It helps security staff identify and respond to security incidents, by aggregating endpoint data from across the enterprise, and executing automatic or manual actions on the endpoint to mitigate the threat.
Below we show the main system components of the preventive part of EPP platforms, vs. the EDR part.
Components of Preventive EPP
Components of EDR
Data collection via software agents
Detection engine to discover anomalies on the endpoint
Data analytics to identify security incidents
Automated incident response
How to Choose the Right EPP Solution
Before evaluating EPP solutions, do some research about your needs:
Take an inventory of your endpoints and understand which operating systems they are running, which are the applications most commonly used by your users.
Investigate which threats have affected your company and industry in the recent path. Decide if fileless attack prevention and EDR are a priority for you.
Understand which existing tools you have (for example, firewall, threat intelligence platform, SIEM) and how the EPP solution could integrate with them.
Understand how many endpoints you have, now and in the foreseeable future, and what will be the license price for EPP, which may depend on capabilities used
Capabilities checklist Create a checklist and identify, for each of the vendors you are evaluating, who has the points below that are most significant you:
On-demand manual scan of local files
Machine learning or other approaches to reduce false positives
Ability to quarantine systems or kill processes
Inspection of downloaded files
Detect and prevent malware
Preventing fileless attacks
Endpoint Protection—Prevention, Detection and Protection with Cynet 360