Endpoint Protection
Businesses have a requirement to protect and preserve the digital information they maintain and produce along with maintaining the operational capabilities of the information services required to run day-to-day operational activities.
Typically, multiple methods are deployed to meet these requirements, ranging from technical solutions to processes and procedures; more specifically, a defence-in-depth approach to protection that includes:
Technical Defences include: Edge/border security systems, Internet content filtering, Network Transport level security, Multi-Factor Authentication, Malware mitigation tools
Security Awareness Training
Policies and procedures include: Acceptable Use Policies, Anti-phishing policies, Business Continuity and Disaster Recovery Plans
One category of malware mitigation tools is endpoint protection tools. Solutions in this space come in many forms: anti-virus, anti-malware, Endpoint Protection Platforms (EPP), Endpoint Detection and Response (EDR) platforms and Extended Detection and Response (XDR) platforms.
Market Overview
There are many EPP, EDR and XDR products available in the market with some having been solutions in various forms for a significant number of years.
The traditional challenge is staying ahead of would-be attackers, who constantly probe for vulnerabilities in systems, applications and processes. This has led to cases where a specific product provided effective protection for a period and was then found to be deficient against a new exploit, while competitors countered that exploit in a more timely manner. This was most evident with traditional anti-virus techniques, where virus signatures were the norm for detecting and responding to known attacks – typically called a signature scan.
Subsequently, vendors introduced heuristic scanning, where the behaviour of applications is analysed to determine whether suspicious activities are being performed (e.g. deleting or altering files, launching additional processes); the logged-on user and/or support staff are alerted before the activity is allowed to proceed, so that a determination can be made as to whether it is allowable.
Today we have advanced approaches to managing endpoint exposure using technologies under the banner of Endpoint Protection Platform (EPP), Endpoint Detection & Response (EDR) and Extended Detection and Response (XDR).
An Endpoint Protection Platform further enhances the traditional approach by using:
Behavioural analysis: using a machine learning engine, the EPP identifies actions and files that can be considered malicious.
Memory monitoring: the protection software analyses, in real time while a program is running, whether that program corrupts the memory of the system or of another program.
Verification of Indicators of Compromise (IOC): the EPP identifies on the machine any file or registry key that could be linked to an attack, based on threat intelligence (analyst research into the latest known attack types).
Endpoint Detection & Response enhances the EPP capabilities to identify and stop threats across the environment, not just on the endpoint, by analysing events from the endpoints to identify suspicious activity through deployed agents, automated incident response and analysis. Alerts are generated from this to help security operations analysts uncover, investigate and remediate issues. EDR tools also collect telemetry data on suspicious activity and may enrich that data with other contextual information from correlated events. Through these functions, the goal of EDR is to shorten response times for incident response teams and, ideally, eliminate threats before damage is done. EDR achieves these goals through:
Ingesting telemetry from endpoints: Collecting telemetry data from endpoints by installing software agents on each endpoint or through other indirect means.
Sending the ingested telemetry to the EDR platform: Data is sent from all endpoint agents to a central location, usually a cloud-based EDR platform. It can also work on-premises or as a hybrid cloud to help meet compliance requirements.
Correlating and analysing data: Employing machine learning to correlate and analyse the data. Typically, the solution uses this technology to establish a baseline of normal endpoint operations and user behaviour and then looks for anomalies.
Flagging and responding to suspicious activity: Suspicious activities are flagged and then alerts are pushed to notify security analysts and relevant personnel. The solution also initiates automated responses according to predetermined triggers. For example, temporarily isolating an endpoint to block malware from spreading across the network.
Retaining data for future use: EDR solutions retain data to enable future investigations and proactive threat hunting. Analysts and tools can use this data to consolidate events into one incident to investigate existing prolonged attacks or previously undetected attacks.
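The five EDR steps above, as an added example that is not part of the original article or any vendor's product: constructed process-launch telemetry (hosts, users and process names are invented) is ingested, a per-host baseline of normal parent/child process pairs is built from a learning window, live events that deviate from it are flagged, and a predetermined trigger (a count of anomalies on one host) decides between alerting an analyst and isolating the endpoint. The set-based baseline stands in for the machine-learning baseline the text describes.

```python
from collections import defaultdict

# Constructed sample telemetry (not real data): one record per process
# launch, in the shape an endpoint agent might ship to the EDR platform.
BASELINE_WINDOW = [  # learning period: normal operations on each host
    {"host": "ws01", "parent": "explorer.exe", "image": "outlook.exe"},
    {"host": "ws01", "parent": "explorer.exe", "image": "chrome.exe"},
    {"host": "ws01", "parent": "outlook.exe", "image": "winword.exe"},
    {"host": "srv01", "parent": "services.exe", "image": "sqlservr.exe"},
]
LIVE_EVENTS = [  # later telemetry to evaluate against the baseline
    {"host": "ws01", "parent": "explorer.exe", "image": "outlook.exe"},
    {"host": "ws01", "parent": "winword.exe", "image": "powershell.exe"},
    {"host": "ws01", "parent": "powershell.exe", "image": "cmd.exe"},
    {"host": "srv01", "parent": "services.exe", "image": "sqlservr.exe"},
]
ISOLATE_AFTER = 2  # predetermined trigger: N anomalies on one host -> isolate

def build_baseline(events):
    """Correlation step: record the parent->child process pairs seen on each
    host during the learning window (a simple stand-in for an ML baseline)."""
    baseline = defaultdict(set)
    for e in events:
        baseline[e["host"]].add((e["parent"], e["image"]))
    return baseline

def detect_anomalies(events, baseline):
    """Flagging step: a pair never seen on that host is an anomaly.
    Unknown hosts have an empty baseline, so everything they do is flagged."""
    return [e for e in events
            if (e["parent"], e["image"]) not in baseline.get(e["host"], set())]

def decide_responses(anomalies, threshold=ISOLATE_AFTER):
    """Response step: hosts reaching the trigger are marked for isolation
    (blocking further spread); hosts below it only raise an analyst alert."""
    per_host = defaultdict(int)
    for a in anomalies:
        per_host[a["host"]] += 1
    return {h: ("isolate" if n >= threshold else "alert") for h, n in per_host.items()}

def run_pipeline(learning, live):
    """Ingest -> baseline -> detect -> respond; returns (anomalies, actions)."""
    anomalies = detect_anomalies(live, build_baseline(learning))
    return anomalies, decide_responses(anomalies)

if __name__ == "__main__":
    found, actions = run_pipeline(BASELINE_WINDOW, LIVE_EVENTS)
    for a in found:
        print(f"ALERT {a['host']}: {a['parent']} -> {a['image']}")
    print(actions)  # retained alongside the raw events for later hunting
```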
Extended Detection and Response is a newer paradigm in which a unified cybersecurity solution extends the capabilities found in EDR by collecting and analysing data from multiple sources and all monitored security layers. This spans traditional endpoints (desktops, servers, etc.), the cloud, security devices, email and more. It enhances the prevention, discovery of and response to cyberattacks by using the power of the cloud to perform automated analysis over a superset of rich data, allowing faster detection of threats; the resulting information can be used directly by security analysts or fed into a SIEM.