As threats quickly evolve, approaches to security must evolve as well. Simple signature-based antivirus solutions are no longer enough to protect against targeted and zero-day attacks. Hackers have found ways to subvert and at times take advantage of legacy security products, making traditional solutions an inadequate defense.
In order to address the evolving threat landscape, the security industry has turned to more comprehensive endpoint protection platforms. These solutions build on antivirus and next-generation antivirus by layering with more advanced security tools. This often includes various detection technologies like machine learning, behavioral analytics, signature matching, and anomaly detection.
To read about the history of endpoint protection platforms and how we got here, check out this blog.
What is an Endpoint Protection Platform?
Though there is no explicit, check-all-boxes definition of an endpoint protection platform (EPP), there are qualifications for “what good looks like”. According to Gartner, EPPs need to:
- Prevent File-based Malware
- Detect and Block Malicious Activity from Trusted and Untrusted Applications
- Investigate and Remediate to Respond to Dynamic Incidents and Alerts
An EPP can be a simple, traditional antivirus solution, but enterprise-level, competitive EPPs now have multiple components that work together. To address modern threats, these platforms have begun to incorporate security architecture tasks like detection, investigation, and incident response. As part of this, there has been a shift from a reactive to a more proactive approach to defense, often involving hardening of endpoints and the development of advanced threat hunting capabilities.
Let’s drill down into this a little more.
What are the Core Capabilities of a MODERN Endpoint Protection Platform?
- EPPs should be able to block file-based and fileless malware. EPPs will often use signatures to prevent file-based malware and a combination of machine learning and behavioral analysis to protect against fileless attacks. They should also be able to prevent ransomware attacks.
- Endpoint Controls
- EPPs should support endpoint controls like personal firewall, port and device control, data protection, and others.
- Endpoint Detection and Response
- Though not a strict requirement, EPPs have begun to incorporate detection and response capabilities. This includes the ability to detect, investigate, and remediate threats, while leaving room open for customization and automation based on environment. Strong EDR offerings have auto-remediation options and align to popular frameworks like MITRE ATT&CK to enable easier communication across security teams and with the larger security community. Learn about how we used the MITRE ATT&CK framework when uncovering Operation Soft Cell.
- Managed Services
- Many EPP offerings are incorporating managed security services, like monitoring, response, and hunting. Incident response is also common. These services help small or understaffed teams, which is especially valuable when dealing with the skills gap, an issue that half of IT professionals report as common and problematic.
- Third-party Integrations
- Allowing security teams to integrate with third-party solutions gives them the freedom to add additional capabilities. Customizing with the best tools for your industry and environment is a critical component of a successful defense.
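As an added illustration of the layering described in the prevention and EDR items above (example code written for this page, not any vendor's product or engine): a signature layer that matches file hashes, a behavioral layer that inspects process lineage and tags each alert with its MITRE ATT&CK technique ID, and constructed telemetry in which a fileless macro chain never reaches the signature layer but is caught by the behavioral one. The event format, signature database, and sample events are all constructed for the example.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class Event:
    kind: str             # "file_write" or "process_start"
    process: str          # image name of the started or writing process
    parent: str = ""      # parent image name (process_start only)
    cmdline: str = ""     # command line (process_start only)
    content: bytes = b""  # file bytes (file_write only)

# Layer 1, signatures: match the hash of a written file. Constructed sample DB.
KNOWN_BAD = b"constructed known-bad sample for the signature layer"
SIGNATURE_DB = {hashlib.sha256(KNOWN_BAD).hexdigest(): "Constructed.Dropper"}

def signature_layer(ev):
    """Only sees file writes, so an attack that never touches disk never reaches it."""
    if ev.kind != "file_write":
        return None
    name = SIGNATURE_DB.get(hashlib.sha256(ev.content).hexdigest())
    return {"layer": "signature", "name": name, "attack": None} if name else None

# Layer 2, behaviour: process lineage, each rule tagged with its ATT&CK technique ID.
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe": "T1059.001", "cmd.exe": "T1059.003",
                "wscript.exe": "T1059.005"}  # Command and Scripting Interpreter

def behavior_layer(ev):
    """An Office application spawning a script interpreter is flagged with no file involved."""
    if ev.kind != "process_start":
        return None
    child = ev.process.lower()
    if ev.parent.lower() in OFFICE_APPS and child in INTERPRETERS:
        return {"layer": "behavior", "name": "office-spawned-interpreter",
                "attack": INTERPRETERS[child]}
    return None

def evaluate(events):
    """Run both layers over every event and keep every alert either one raises."""
    return [a for ev in events for a in (signature_layer(ev), behavior_layer(ev)) if a]

# Constructed telemetry: known dropper, benign file, fileless macro chain, and an admin
# opening PowerShell from Explorer (must not alert).
SAMPLE_EVENTS = [
    Event("file_write", "chrome.exe", content=KNOWN_BAD),
    Event("file_write", "chrome.exe", content=b"quarterly report, plain text"),
    Event("process_start", "powershell.exe", parent="WINWORD.EXE",
          cmdline="powershell.exe -NoProfile -Command <constructed>"),
    Event("process_start", "powershell.exe", parent="explorer.exe", cmdline="powershell.exe"),
]
```

Running `evaluate(SAMPLE_EVENTS)` yields two alerts: the signature hit on the known file and the behavioral hit on the Office-to-PowerShell chain, while the benign write and the administrator's PowerShell session stay silent.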
Ideally, all of these capabilities will be implemented in a single console and on a single agent. It’s important to consider that, while all the above capabilities are important, there needs to be a balance between capability and efficiency. Security teams don’t want a solution that exceeds all these qualifications, but is so bloated with multiple agents and different consoles that it disrupts day-to-day business functions and adds IT complexity.
Can EPPs Address Advancing Technology?
It’s important to note that the security landscape is always evolving. The best EPPs are built to keep pace with the industry as it is today and as it changes in the future. With the shift toward remote work, leaders in the EPP space are expected to be cloud-managed and offer remote remediation actions. To help ensure they do no harm, they should also be cloud-assisted and maintain a database of known IOCs.
But it goes further than that. Enterprise-level endpoint protection platforms must keep up with consumer technology, too. Bring-your-own-device policies have muddied the waters of enterprise security, forcing security teams to address endpoints that are largely outside of their control.
Mobile devices are used more than ever, generating 52.2% of all website traffic worldwide, and there are expected to be more than 64 billion internet of things devices by 2025. Not only that, but organizations are experiencing IoT-focused cyberattacks more than ever. In 2018, 8 out of 10 organizations experienced an IoT-focused cyberattack, and 30% of these incidents compromised end-user safety. Attacks on the endpoint are no longer limited to servers and desktop PCs.
Security teams need to address multiple new kinds of endpoints to ensure a complete defense. They need a dynamic, proactive solution to a complex and growing problem. Endpoint protection is critical to this effort, and in order to keep up, traditional EPPs are being replaced with solutions that augment prevention with endpoint detection and response across endpoints: traditional, mobile, and IoT. Greater visibility and control are critical for this effort, and that is what high-quality endpoint detection and response brings to endpoint protection platforms.
Interested in developing your security operations? Read about the right roles for SIEM and EDR in the 2020 SOC.