An endpoint protection platform (EPP) is a comprehensive security solution deployed on endpoint devices to protect against threats.
Let’s Define an Endpoint Protection Platform
EPP solutions are typically cloud-managed and utilize cloud data to assist in advanced monitoring and remote remediation.
EPP solutions employ a broad range of security capabilities, but at a base level include:
- Prevention of file-based malware.
- Detection of suspicious activity using techniques ranging from indicators of compromise (IOCs) to behavioral analysis.
- Investigation and remediation tools to handle dynamic incidents and alerts.
Endpoint protection platforms are the latest evolution of endpoint security. They were developed to identify attackers who can bypass traditional endpoint security as well as to help consolidate complex security stacks. With consolidation comes improved data sharing—which improves the analytics available to detect suspicious behavior. It also significantly simplifies security operations.
Another important advantage of endpoint protection platforms is the move to the cloud. Cloud-native EPPs are able to use a single, lightweight agent to monitor all endpoints. Additionally, the data that can be collected and utilized goes well beyond the endpoints of a single company. Global shared data illustrating attacker tactics can be absorbed to improve the detection of attacker behaviors.
In studying the “Critical Capabilities for Endpoint Protection Platforms”, Gartner heralds the importance of cloud-based EPP stating that, “Cloud-based EPP solutions are delivering faster time to value, lower administration costs and more agile product improvements than traditional on-premise deployments.”
In Gartner’s latest Magic Quadrant for Endpoint Protection Platforms, Gartner sees EPPs evolving to provide “automated, orchestrated incident investigation and breach response.” And advises security and risk management leaders to “ensure that their EPP vendor evolves fast enough to keep up with modern threats.”
Going beyond IR, cloud-based endpoint protection platforms make real-time behavioral analytics possible. The most advanced EPP utilizes event stream processing, the same technology used in credit card fraud detection, to transform endpoint security. This allows for detection of behaviors that attackers exhibit where they intentionally try to “look normal” in order to hide their tactics. Today the VMware Carbon Black Cloud is the only endpoint protection platform that utilizes event stream processing and is already demonstrating superior results in detecting attackers before exfiltration can occur.
The key motivation behind endpoint protection platform development was the fact that attackers were more easily evading SecOps teams using traditional solutions. Fundamentally, attackers have advanced beyond the capabilities of traditional endpoint security and are now able to stay undetected in networks for long periods of time.
Five Ways Attackers Bypass Traditional Endpoint Security
- Fileless Ransomware – Without a file to detect and block, fileless techniques for delivering ransomware are largely undisrupted by traditional endpoint security. According to a cybersecurity report from SecureWorld, fileless attacks increased by 18% in the first half of 2019 compared to the second half of 2018. Only with an EPP can you track behaviors to find patterns alerting you to fileless attack methods.
- New Attack Techniques Available – Advanced attack techniques have been stolen or developed by cybercriminals and made available for sale or simply as open source on the internet and dark web. Utilization of these scripts and tactics allows attackers’ activity to “look normal” and remain hidden within a network.
- Outdated Endpoints – The threat landscape is evolving quickly. And that means that security vendors are developing patches and updates as fast as possible to attempt to keep up with emerging threats. The pace of updates often outpaces the capabilities of SecOps teams—particularly if there is a lack of patch management and automation. Additionally, endpoint agents often fail, leaving individual endpoints unsecured. A 2019 Global Endpoint Security Trends report showed that 35% of endpoint breaches are caused by existing vulnerabilities. Since endpoint protection platforms are typically cloud-based, they are able to continuously stay up-to-date to keep endpoints protected from the newest threats.
- Multiple Data Sources – Traditional endpoint security solutions run in relative isolation from the rest of the security stack. This means that multiple systems are needed to view activity on a single endpoint and to trace suspicious activity through the network during an investigation. Endpoint protection platforms provide a single source of “truth”, combining data from all security solutions across the platform to provide easy data access and investigation of alerts.
- Filtered Endpoint Data – Many endpoint security solutions filter out endpoint data that is regarded as unrelated to a threat according to known behavior patterns and IOCs. Attackers with more advanced techniques rely on that filtering to keep their activity out of view. That means that SecOps can’t see new patterns. When you continuously capture endpoint activity data, you can see these new techniques and predict new threats.
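The event stream processing mentioned earlier and the fileless and filtered-data points in the list above can be made concrete with a small stream detector. The following is an added example written for this page, not VMware Carbon Black's code or any product's rule set: it processes constructed telemetry for one workstation, keeps a per-process sliding window, and raises two behavioral alerts (an Office application spawning a script host, and one process renaming many files within a few seconds). The image names, thresholds, window size and IOC list are hypothetical; the `filtered=True` path shows how the same stream yields nothing when a product forwards only events that already match a known IOC.

```python
# Added example (not VMware Carbon Black's code): a toy event-stream processor
# that scores endpoint telemetry for two of the behaviors described above.
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Event:
    ts: float             # seconds since stream start (constructed timestamps)
    host: str
    pid: int
    kind: str             # "process_start" or "file_rename"
    detail: str           # child image for process_start, new extension for file_rename
    parent_image: str = ""


# Hypothetical detection parameters; real EPP rules are tuned per environment.
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "mshta.exe"}
RENAME_THRESHOLD = 20      # renames by one process ...
WINDOW_SECONDS = 5.0       # ... within this sliding window
# Hypothetical IOC list of "known bad" image names, used to show what filtering hides.
KNOWN_BAD_IMAGES = {"evil_known.exe"}


class StreamDetector:
    """Keeps per-process sliding windows and emits alerts as events arrive."""

    def __init__(self):
        self.windows = defaultdict(deque)   # (host, pid) -> recent rename timestamps
        self.fired = set()                  # (host, pid, rule) already alerted
        self.alerts = []

    def _alert(self, host, pid, rule):
        key = (host, pid, rule)
        if key not in self.fired:           # alert once per process and rule
            self.fired.add(key)
            self.alerts.append(rule)

    def process(self, ev):
        if ev.kind == "process_start":
            # Fileless pattern: a document viewer spawning a script interpreter.
            if ev.parent_image in OFFICE_APPS and ev.detail in SCRIPT_HOSTS:
                self._alert(ev.host, ev.pid, "office_spawned_script_host")
        elif ev.kind == "file_rename":
            q = self.windows[(ev.host, ev.pid)]
            q.append(ev.ts)
            while q and ev.ts - q[0] > WINDOW_SECONDS:   # drop events outside the window
                q.popleft()
            # Ransomware-like burst: many renames by one process in a short time.
            if len(q) >= RENAME_THRESHOLD:
                self._alert(ev.host, ev.pid, "mass_rename_burst")


def sample_stream():
    """Constructed telemetry: one benign backup job, then one suspicious chain."""
    events = []
    # Benign: a backup tool renames 10 files over a minute (slow, below threshold).
    for i in range(10):
        events.append(Event(ts=i * 6.0, host="ws01", pid=300, kind="file_rename", detail=".bak"))
    # Suspicious: Word spawns PowerShell, which then renames 25 files in about 2 seconds.
    events.append(Event(ts=60.0, host="ws01", pid=412, kind="process_start",
                        detail="powershell.exe", parent_image="winword.exe"))
    for i in range(25):
        events.append(Event(ts=60.5 + i * 0.08, host="ws01", pid=412,
                            kind="file_rename", detail=".locked"))
    return sorted(events, key=lambda e: e.ts)


def run_detector(events, filtered=False):
    """Feed events through the detector. With filtered=True only events that
    already match a known-bad IOC are kept, as a filtering product would do."""
    det = StreamDetector()
    for ev in events:
        if filtered and ev.detail not in KNOWN_BAD_IMAGES:
            continue
        det.process(ev)
    return det.alerts


if __name__ == "__main__":
    print("unfiltered:", run_detector(sample_stream()))
    print("filtered:  ", run_detector(sample_stream(), filtered=True))
```

The unfiltered run produces both alerts even though no file, hash or image name in the stream is on the IOC list; the filtered run produces none, because every event that carries the behavior was discarded before the detector saw it.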
Analysts and security experts agree that EPPs are the best way forward for securing networks from advanced threats. Gartner and Forrester both cover this solution space with the Gartner Magic Quadrant for Endpoint Protection Platforms and the Forrester Wave for Endpoint Security Suites. The validation of EPPs comes from an ROI analysis done by Forrester. The Forrester Total Economic Impact of an Endpoint Protection Platform Study found the average ROI of seven companies that moved to an EPP was 204%. This equated to an average savings of $2.1M over three years.
Here’s what security experts that moved to an endpoint protection platform have to say about the value of EPPs:
Saving Significant Time
“I now have the ability for a 24/7 SOC to immediately identify and take action on any issues that come up without needing to reach out to my team at all hours of the day/night.”
– Cosy Lavalle, IT Infrastructure Manager, Progress Residential
Single Pane of Glass
“The IR and threat hunting functionality available empowers our team to move quickly and conclusively while benefiting from a cloud-based console under a single pane of glass. It’s a game changer for the team.”
– Eric Samuelson, Senior IT Manager, Lithium
Keeping Up With Threats
“[EPP] is exactly what enterprises need to maintain continuity in the face of today’s biggest cyber threats. With [EPP], we are able to quickly investigate, respond, and remove our outdated AV solutions.”
– Steven Lentz, CISO, Samsung Research Americas
Cybercriminals are very successful at using malware to achieve their goals for the simple reason that most traditional antivirus tools use static analysis as a primary security tactic. However, these tools can only identify known samples – and today, with the rapid development of new malware every day, the majority of it now appears as unknown files. Attackers use various techniques like packing, or compressing, to change aspects of the malware so it looks different than known threats. As such, the attacks easily slip through antivirus defenses.
This is where next-generation endpoint security – and behavior analytics – comes in. The good news about malware is that how it operates within a system or device will eventually appear different than normal user behavior. Therefore, with big data and machine learning zeroing in on anomalies, potential malware can be identified as out-of-the-norm and potentially malicious.
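The brittleness of exact-match static detection described above can be shown in a few lines. The following is an added example written for this page, not code from the article or any antivirus vendor: it keeps a hypothetical signature set containing the hash of a constructed byte blob (a harmless placeholder, not a real sample), shows that a hash-only scanner misses the same blob once it is "packed" (zlib compression stands in for a packer here), and shows the defender-side remedy of normalizing, that is, peeling packing layers, before hashing. The header check and layer limit are assumptions for this toy format.

```python
# Added example (not the page's or any vendor's code): why an exact-match
# signature misses a repacked sample, and why normalizing before matching helps.
import hashlib
import zlib

# Constructed stand-in for a "known sample": just bytes, not real malware.
KNOWN_SAMPLE = b"CONSTRUCTED-SAMPLE-BYTES: harmless placeholder for the demo. " * 8


def sha256_hex(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


# Hypothetical signature database: the hash of the sample as first seen.
SIGNATURES = {sha256_hex(KNOWN_SAMPLE)}


def repack(blob: bytes) -> bytes:
    """Stand-in for packing: same content, different bytes (zlib here)."""
    return zlib.compress(blob)


def looks_zlib_packed(blob: bytes) -> bool:
    """Cheap header check: CMF byte 0x78 and the CMF/FLG pair divisible by 31."""
    return len(blob) >= 2 and blob[0] == 0x78 and ((blob[0] << 8) | blob[1]) % 31 == 0


def normalize(blob: bytes, max_layers: int = 5) -> bytes:
    """Peel off packing layers before hashing; stop at a layer that fails to
    decompress or after max_layers, so a hostile input cannot loop forever."""
    for _ in range(max_layers):
        if not looks_zlib_packed(blob):
            break
        try:
            blob = zlib.decompress(blob)
        except zlib.error:
            break
    return blob


def static_match(blob: bytes) -> bool:
    """What a hash-only scanner does: exact match on the bytes as delivered."""
    return sha256_hex(blob) in SIGNATURES


def normalized_match(blob: bytes) -> bool:
    """Same signature set, applied to the unpacked content instead."""
    return sha256_hex(normalize(blob)) in SIGNATURES


if __name__ == "__main__":
    packed = repack(KNOWN_SAMPLE)
    print("raw sample, static match:     ", static_match(KNOWN_SAMPLE))
    print("packed sample, static match:  ", static_match(packed))
    print("packed sample, normalized:    ", normalized_match(packed))
    print("double-packed, normalized:    ", normalized_match(repack(packed)))
```

The first check succeeds and the second fails with no change to what the sample would do when run, which is the gap the article describes; normalizing closes it only for packers the scanner knows how to unwrap, which is why behavior-based detection is needed for everything else.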