Relentless digitalization has resulted in a proliferation of endpoints in most enterprise networks. Conventional tools configured to protect a limited network cannot protect these spread out and complex networks. Device fragmentation and the spread of IoT means each endpoint may connect to various devices, many of which have inherent vulnerabilities.
Two popular solutions to protect endpoints are endpoint protection platforms (EPP) and endpoint detection and response (EDR) solutions. EPPs are passive deployments, such as antivirus suites and firewalls, that block malware and other threats that manifest on endpoint devices. EDR solutions detect threats that bypass the EPP and take active countermeasures to end the threat.
The role of endpoint protection platforms
Endpoint protection platforms (EPP) shield the network from known malware, ransomware, zero-day vulnerabilities and other threats.
An EPP identifies threats by:
- Signature-based scanning. EPP tools scan network traffic in real time, looking for the signatures of known threats. EPP vendors have the backing of proactive cyber security teams who upload the signatures of the latest threats to their databases in near real time. When a signature stored in the database matches a signature in the network traffic, the threat is present on the endpoint; the system raises an alert and takes remedial action, such as shutting down the network.
- Machine learning analysis. Advanced EPP tools use machine learning algorithms to analyze binaries for malicious attributes before execution. If the algorithm judges a binary malicious, the binary is not allowed to execute, protecting the network from the threat. Advanced ML algorithms offer protection not only against malicious binaries but also against LOLBin camouflage. Living-off-the-land binaries (LOLBins) are non-malicious binaries native to the operating system that attackers often abuse to disguise malicious activity.
- Sandboxing applications. Executing files in a virtual environment first, and running them in the real environment only once they are found safe, protects the network from threats embedded in new and unknown applications.
- Blacklisting and whitelisting traffic, or restricting access to specific applications, IP addresses, URLs or ports based on threat history and insights derived from AI algorithms and analytical tools.
- Behavioral analysis, or tracking endpoint behavior to establish a behavioral baseline and trigger alerts on deviations from it.
EPP constitutes the first line of defense against cyber threats. Advanced EPP tools offer effective protection against both commodity malware and advanced threats. The latest EPP platforms identify sophisticated threats, including malware exploits, malicious scripts, macros, LOLBins, and more. But EPPs suffer from several inherent limitations. Despite the best efforts, signature-based scanning, blacklisting, and even machine learning checks do not catch every threat.
EPP deployments make it time-consuming and costly for attackers to breach the network, on the rationale that attackers will give up and spend their energies on easier targets elsewhere. But an attacker determined to breach a specific network may well circumvent the EPP protection. For instance, signature-based protection cannot safeguard against the latest threats if the attackers launch their attack before the EPP vendor updates its databases.
The complexity of today's attacks also makes EPP systems inadequate. EPP systems protect each endpoint in isolation: they provide no visibility beyond the individual endpoint and cannot act on a holistic, network-wide basis. Many advanced persistent threats (APTs) target endpoints as the weak link of the security perimeter and may operate from multiple endpoints at once. In such a situation, protecting individual endpoints will not suffice; the network security team needs complete visibility to salvage the situation.
How do EDR solutions work?
Endpoint Detection and Response (EDR) overcomes the limitations of EPP. EDR systems offer active surveillance of the network. These tools aggregate event data from endpoints across the enterprise and provide security teams with an integrated, holistic view of the threat. An integrated analytics engine analyzes this behavioral data to provide context and detect suspicious behavior. When the system detects an attack, it gathers all available information and presents it to the security team. Prompt notification of the security team enables timely countermeasures and aids forensics.
In a typical EDR system, software agents placed on endpoint devices collect data on process execution, logins, and other relevant details of the network traffic. An integrated analytics engine compares live activity with normal endpoint behavior, and anomalies trigger follow-up action. Two further inputs complement this analysis:
- User-behavior analytics unearth suspicious behavior and detect compromised credentials.
- Real-time threat intelligence identifies indicators of compromise and known threat actors.
Often, network security teams have little visibility into and no control over remote endpoints. EDR tools fill that void: they offer continuous, proactive monitoring of the network to provide data and context for attacks spanning multiple endpoints. The analytics engine identifies the full kill chain that led the attacker to specific devices, making it easier for security teams to contain such breaches promptly. The insights help the security team:
- “Traceback” or identify other endpoints or network devices affected by the same attack.
- Implement better asset management, perform thorough vulnerability assessments, and enforce application control more tightly.
- Use advanced network analytics to expose the user credentials in play, track lateral movement, highlight risky connections or user profiles, and more.
EDR tools also enable deception technology: the tool plants decoys such as fake credentials, files and connections to lure attackers. Such decoys also give insight into how the network will respond to different attacks.
The most common remedial or follow-up actions initiated by the EDR systems on detecting breaches are:
- Quarantining the endpoints under attack, giving security teams valuable time to organize a response and counterattack.
- Executing automated scripted responses. The EDR tool orchestrates the response to an attack: it runs user-created scripts to block network access or processes, runs automated incident response playbooks for files, users, hosts, and networks, or performs any other preset action to remediate the situation.
- Managing assets and performing vulnerability assessments before and after attacks to proactively secure endpoints and networks.
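The detection mechanisms described above (the EPP's signature match, the EDR's per-endpoint behavioral baseline, the cross-endpoint "traceback" and the quarantine decision) in one small worked pipeline. This is an added example, not code from the original article or any EDR product; the telemetry, host names and hashes are constructed placeholders, and the baseline is simplified to parent/child process pairs.

```python
from collections import defaultdict
# Constructed telemetry: (host, user, parent_process, process, sha256) tuples,
# as an EDR agent would report process-execution events. Hashes are placeholders.
BASELINE = [                                   # normal activity, learning period
    ("ws01", "alice", "explorer.exe", "winword.exe", "h-word"),
    ("ws01", "alice", "explorer.exe", "chrome.exe", "h-chrome"),
    ("ws02", "bob", "explorer.exe", "excel.exe", "h-excel"),
    ("ws02", "bob", "explorer.exe", "chrome.exe", "h-chrome"),
]
LIVE = [                                       # events during a suspected intrusion
    ("ws01", "alice", "explorer.exe", "chrome.exe", "h-chrome"),
    ("ws01", "alice", "winword.exe", "powershell.exe", "h-ps"),  # macro launches a LOLBin
    ("ws02", "bob", "excel.exe", "powershell.exe", "h-ps"),      # same pattern, other host
    ("ws02", "bob", "powershell.exe", "dropper.exe", "h-bad"),   # hash known to the EPP
    ("ws02", "bob", "explorer.exe", "chrome.exe", "h-chrome"),
]
SIGNATURES = {"h-bad": "Demo.Dropper"}         # stands in for an EPP signature database

def signature_hits(events, signatures):
    """EPP-style check: flag events whose file hash matches a known signature."""
    return [(h, proc, signatures[sha]) for h, _, _, proc, sha in events if sha in signatures]

def build_baseline(events):
    """Per-host set of (parent, child) process pairs seen during normal operation."""
    baseline = defaultdict(set)
    for host, _, parent, proc, _ in events:
        baseline[host].add((parent, proc))
    return baseline

def anomalies(events, baseline):
    """EDR-style check: parent/child pairs never observed on that host before."""
    return [(host, parent, proc) for host, _, parent, proc, _ in events
            if (parent, proc) not in baseline.get(host, set())]

def traceback(anoms):
    """Network-wide correlation: child processes anomalous on more than one host."""
    hosts = defaultdict(set)
    for host, _, proc in anoms:
        hosts[proc].add(host)
    return {proc: sorted(hs) for proc, hs in hosts.items() if len(hs) > 1}

def hosts_to_quarantine(sig_hits, anoms):
    """Response step: every host with either a signature hit or a behavioral anomaly."""
    return sorted({h for h, _, _ in sig_hits} | {h for h, _, _ in anoms})

if __name__ == "__main__":
    hits = signature_hits(LIVE, SIGNATURES)                 # EPP alone sees only ws02
    anoms = anomalies(LIVE, build_baseline(BASELINE))       # EDR sees ws01 and ws02
    print(hits, anoms, traceback(anoms), hosts_to_quarantine(hits, anoms), sep="\n")
```

The signature check alone flags only the dropper on ws02; the baseline comparison also catches the Office-to-PowerShell launch on ws01, and the correlation step links the two hosts to the same technique, which is the network-wide view the article attributes to EDR.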
EPP or EDR: Which is better?
Effective security in today's digital age requires an integrated and holistic approach. EPP is often the first line of defense to prevent threats. It offers effective protection against known threats and some unknown threats. But EPP is a standalone, passive tool and does not provide visibility. EDRs add real-time log reporting, anomaly detection, file integrity monitoring, forensic analysis, and remediation, all of which EPPs lack. EDR works on the assumption of a breach, tracks the network continuously, and offers complete visibility into the network and latent threats. It detects a breach inside the network, enabling the security team to respond immediately and salvage the situation. Yet leaving EDR to tackle the full range of threats is risky. The best approach is to let EPP take care of both known and unknown threats as far as it can, and deploy EDR as an additional layer of security to take care of the threats missed by the EPP platform.
The success of network security depends on an integrated approach, informed by a thorough risk assessment. Both EPP and EDR are integral cogs in such an approach. In allegorical terms, EPP represents the front-line soldiers who guard a fort and repulse the attackers. But despite the best efforts of such soldiers, a few enemy troops breach the fortress. That is where the ever-vigilant EDR comes into play: it fights the enemy in the streets to mitigate and neutralize the threat.