Endpoint protection platforms (EPPs) prevent file-based malware and other attacks on endpoint devices. They also offer tools for investigating and remediating security incidents.
Advanced EPPs are typically cloud managed, and offer a variety of detection techniques—from static indicators of compromise (IOCs) to behavioral analysis based on machine learning.
Cloud-based EPP solutions offer continuous monitoring and collect data both from endpoints located in the corporate network, and those running outside the office. They enable taking remote action to mitigate threats, for example whitelisting or blacklisting applications, and remotely wiping and reimaging an endpoint.
Furthermore, EPPs provide a cloud-based threat intelligence database, so an endpoint agent does not need to maintain and update a local database with all known IOCs.
How EPP Solutions Work
A core capability of endpoint protection is to prevent malware from breaching your environment. While a firewall protects a network from illicit access, an EPP solution protects endpoints from known threats.
Malware reaches endpoints through a variety of vectors. Common threats include ransomware; phishing, which tricks users into divulging credentials or other personal information; and attacks that aim to hijack computing power, such as cryptojacking and bot herding. Upon infiltrating your environment, these threats attempt to infect as many processes and devices as possible.
Endpoint protection platforms typically combine four information security techniques to identify and block malware:
- Known IoCs and threat signatures—an EPP uses legacy antivirus techniques to block known malware binaries and easily recognizable attack patterns.
- Threat intelligence—EPPs draw on continuously updated intelligence about billions of threats and threat actors. This can power capabilities like blocking traffic from known bad IPs.
- Behavioral analysis—even if a threat does not match a known signature or traffic source, modern EPPs use machine learning algorithms to identify deviations from normal behavior, detecting when a process on the endpoint is behaving suspiciously.
- Sandboxing—EPPs can isolate suspected malicious software in a sandbox environment. There the platform can safely detonate a suspected file and monitor its behavior, without risking harm to the wider system.
What Are The Core Capabilities Of A Modern Endpoint Protection Platform?
Prevention And Endpoint Security Controls
To block malware, whether file-based or fileless, an EPP uses a combination of detection techniques: it identifies known threats, detects the suspicious behavior of unknown threats, and blocks or sandboxes them.
Modern EPPs have specialized ransomware prevention features, and can detect processes that exhibit suspect behavior, such as encrypting a large number of files, and immediately block them.
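The mass-encryption heuristic described above, as an added example that is not code from the original page or from any EPP vendor: a sliding-window detector over constructed file-write events that flags a process once it rewrites many distinct files with ciphertext-like (high-entropy) content. The event format, thresholds, paths and process ids are assumptions.

```python
import math
from collections import defaultdict, deque

WINDOW_SECONDS = 10   # look-back window per process
MIN_FILES = 20        # distinct files rewritten inside the window before alerting
ENTROPY_MIN = 7.5     # bits/byte: documents and source sit far below, ciphertext near 8

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum (uniformly random bytes)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

class MassEncryptionDetector:
    def __init__(self):
        self._recent = defaultdict(deque)  # pid -> (ts, path) of recent high-entropy writes

    def observe(self, ts, pid, path, payload):
        """Feed one write event; return the pid once it crosses the threshold, else None."""
        if shannon_entropy(payload) < ENTROPY_MIN:
            return None                     # plaintext-looking writes are not counted
        q = self._recent[pid]
        q.append((ts, path))
        while q and ts - q[0][0] > WINDOW_SECONDS:
            q.popleft()                     # expire events that left the window
        distinct = {p for _, p in q}
        return pid if len(distinct) >= MIN_FILES else None

def run_detector(events):
    """Return the set of pids flagged over an iterable of (ts, pid, path, payload)."""
    det, flagged = MassEncryptionDetector(), set()
    for ts, pid, path, payload in events:
        hit = det.observe(ts, pid, path, payload)
        if hit is not None:
            flagged.add(hit)
    return flagged

# Constructed sample stream: pid 4242 rewrites 25 documents with random-looking bytes
# in 5 seconds; pid 1001 (a build job) writes plaintext to 30 files just as quickly.
CIPHERTEXT = bytes(range(256)) * 16        # every byte value equally frequent -> 8.0 bits
PLAINTEXT = b"int main(void) { return 0; }\n" * 100
SAMPLE_EVENTS = (
    [(i * 0.2, 4242, f"/home/u/docs/report{i}.docx", CIPHERTEXT) for i in range(25)]
    + [(i * 0.15, 1001, f"/home/u/build/obj{i}.o", PLAINTEXT) for i in range(30)]
)
```

High entropy alone also matches legitimate compression, backup or archiving jobs, so a production rule adds context such as file-extension changes or canary files before it blocks a process.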
In addition, EPPs can add controls to improve security on the device. For example, they can block network ports, deny access to peripherals or devices, encrypt data at rest on the device, set up a personal firewall, and whitelist or blacklist applications or websites.
Endpoint Detection And Response
Many EPPs now include endpoint detection and response (EDR). EDR helps security teams detect when security breaches occur on an endpoint, rapidly gather forensic information to investigate the threat, and take automated or manual action to mitigate it.
EDR complements the preventive capabilities of EPP, adding another line of defense. It allows security analysts to proactively detect and respond to sophisticated attackers who have sidestepped the EPP's defenses and already penetrated the endpoint.
For small and understaffed security teams, providers of endpoint protection platforms offer managed services. These can include implementation and deployment services, ongoing monitoring and triage of incidents, proactive threat hunting, and incident response.
Most EPP solutions integrate with third party tools, in particular with security information and event management (SIEM) systems. By feeding EPP alerts into a SIEM, a security organization can combine data from endpoints with data from other layers of the IT environment, such as events from network security tools.
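The SIEM correlation just described, as an added illustration that is not a real SIEM rule or any vendor's code: EPP alerts are joined with firewall events from the same host inside a short time window, which is a cross-layer signal an endpoint agent alone cannot produce. The JSON line formats, field names, hosts, rules, addresses and the five-minute window are constructed assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

CORRELATION_WINDOW = timedelta(minutes=5)   # how long after an EPP alert network events still count

# Constructed feeds (JSON lines). Hosts, rules and addresses are made up; the IPs come
# from the RFC 5737 documentation ranges.
EPP_ALERTS = """\
{"ts": "2024-05-01T10:00:00Z", "host": "ws-017", "severity": "high", "rule": "suspicious_process"}
{"ts": "2024-05-01T11:30:00Z", "host": "ws-042", "severity": "low", "rule": "pua_detected"}
"""
FIREWALL_EVENTS = """\
{"ts": "2024-05-01T10:02:10Z", "src_host": "ws-017", "dst": "203.0.113.7", "dst_port": 443, "action": "allow"}
{"ts": "2024-05-01T10:45:00Z", "src_host": "ws-017", "dst": "198.51.100.9", "dst_port": 22, "action": "allow"}
{"ts": "2024-05-01T11:31:00Z", "src_host": "ws-042", "dst": "192.0.2.5", "dst_port": 443, "action": "deny"}
"""

def parse(lines):
    """Yield one dict per JSON line with 'ts' converted to an aware datetime."""
    for line in lines.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
            yield rec

def correlate(epp_lines, fw_lines):
    """Return incidents: EPP alerts followed, within the window, by an allowed
    outbound connection from the same host. Denied connections and events
    outside the window are ignored."""
    fw_by_host = defaultdict(list)
    for ev in parse(fw_lines):
        fw_by_host[ev["src_host"]].append(ev)
    incidents = []
    for alert in parse(epp_lines):
        related = [ev for ev in fw_by_host[alert["host"]]
                   if ev["action"] == "allow"
                   and alert["ts"] <= ev["ts"] <= alert["ts"] + CORRELATION_WINDOW]
        if related:
            incidents.append({"host": alert["host"], "rule": alert["rule"],
                              "severity": alert["severity"],
                              "destinations": sorted({e["dst"] for e in related})})
    return incidents
```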
Endpoint Detection And Response Vs Endpoint Protection Platform
Endpoint detection and response (EDR) technology is designed to proactively detect and respond to endpoint threats. This is achieved through a combination of real-time endpoint data collection, continuous monitoring, rule-based automated response, and intelligent analysis.
Here are several notable features provided by EDR solutions:
- Threat detection – proactively searching for anomalies for the purpose of detecting malicious activity on endpoints.
- Security incident containment – blocking security events as they occur on endpoints to isolate threats and prevent attacks from spreading.
- Incident response – rule-based automated response that includes prioritized notifications to prevent alert fatigue.
- Incident investigation – efficient and intelligent forensic investigations that provide data for present and future analysis.
Here is a summary of the main differences between EPP and EDR:
|EPP|EDR|
|---|---|
|Blocks known threats. If combined with machine learning (ML) or behavioral analysis, EPP also addresses unknown threats.|Proactively detects and responds to threats.|
|Serves as a front-line threat prevention layer.|Serves as a secondary layer of defense that contains, investigates and responds to security events.|
|Offers mainly passive software that prevents known threats.|Offers mainly proactive software that automatically hunts threats and alerts the security team.|
|Provides protection through device isolation.|Provides detection and response through the aggregation and analysis of incident data from multiple endpoints.|
To conclude, EDR solutions proactively search for unknown threats and then initiate the relevant response upon detection, whereas EPP solutions are designed to passively block known (and sometimes unknown) threats.
An EDR is typically deployed alongside other security tools, including EPP. The two technologies complement each other and provide greater coverage when combined. For example, if the EPP solution misses a zero-day vulnerability or a new malware strain, the EDR can detect the threat and initiate a response before any escalation occurs.
Endpoint protection platforms are a critical part of endpoint security. They provide the first line of defense against known malware, enable central control of security teams over endpoints, and provide valuable data that can be used to detect and respond to attacks.
To summarize the key capabilities of EPP solutions:
- Endpoint threat prevention – detecting and blocking known or identifiable threats on the endpoint
- Endpoint Detection and Response – allowing security teams to detect and respond to security incidents on endpoints
- Managed services – serving as a platform for third party providers to assist with threat management and incident response
- Third-party integrations – integrating with the rest of the security ecosystem, providing data about security events on endpoints, which can be correlated with data from other security silos
I hope this will be helpful on your journey to improving the security of endpoints in your organization.