EDR tools are technology platforms that alert security teams to malicious activity and enable immediate investigation and containment of attacks on endpoints. An endpoint can be an employee workstation or laptop, a server, a cloud system, a mobile device or an IoT device.
EDR solutions typically aggregate data on endpoints, including process execution, endpoint communication, and user logins; analyse data to discover anomalies and malicious activity; and record data about malicious activity, enabling security teams to investigate and respond to incidents. In addition, they allow automated and manual actions to contain threats on the endpoint, such as isolating it from the network or wiping and reimaging the device.
An endpoint security tool is software dedicated to tracking, monitoring and managing the various endpoint devices used by the organisation. While some of its functions overlap with conventional corporate security software such as antivirus and internet security suites, endpoint security tools integrate additional features specifically designed for endpoint devices. These can include mobile device management, mobile security, device or memory encryption, intrusion detection, and remote wipe capabilities.
Some of the threats that endpoint security tools are designed to deal with include:
- Phishing attempts
- Suspicious websites
- Malvertising (malicious ads)
- Drive-by downloads
- Missing or outdated patches
- Data loss and theft
- Macro and script exploits
- Botnet attacks
- Memory-based or fileless attacks
- Advanced persistent threats
The Endpoint Security Market
An Endpoint Protection Platform (EPP) is a solution deployed on endpoint devices to prevent file-based malware, to detect and block malicious activity from trusted and untrusted applications, and to provide the investigation and remediation capabilities needed to respond dynamically to security incidents and alerts.
In 2018, the endpoint security market was valued at $11.18 billion, and it is predicted to reach a value of $19.69 billion by 2024. The market is characterised by:
- Enterprise adoption of SaaS-based or cloud-delivered endpoint security solutions is growing. The benefits attracting companies include computing scalability, reduced costs and low maintenance demands.
- More endpoints with more sensitive data—the number of enterprise endpoints is growing. With increased connectivity, collaboration and data sharing, there are much higher chances an endpoint will contain sensitive organisational data.
- Endpoints are a gateway for attackers—in the past two decades, organisations invested significant resources in safeguarding the network perimeter. Attackers have found it is much easier to penetrate organisations by sidestepping network defences and directly penetrating endpoints.
- Endpoint agent consolidation—while in the past, multiple security tools were installed on endpoints, today, the trend is towards consolidation, where one platform with a single software footprint is installed on an endpoint, providing multiple security solutions, and enabling central management of security functions.
- Consolidation of EPP and EDR: Endpoint Protection Platforms (EPP) and Endpoint Detection and Response (EDR) tools are no longer considered separate systems but are now offered together. The term Endpoint Protection Platform has been expanded to include EDR as well.
The Types Of Endpoint Security Software
There are two approaches to endpoint security, each with its strengths and weaknesses.
Endpoint protection platform (EPP)
These are designed to prevent attacks at the point of entry, whether from conventional threats such as file-based malware or from exploits of zero-day vulnerabilities and memory-based attacks. EPPs detect attacks through:
- Matching threats with known malware signatures
- Blocklisting or allowlisting applications, URLs, ports and IP addresses
- Using a sandbox environment to test executable files
- Utilising machine learning and behavioural analysis to establish an operational baseline, then flagging suspicious processes or operations
A good EPP solution is cloud-managed to allow steady data collection and monitoring and remote remediation outside the office environment. A cloud-assisted EPP also relieves endpoint devices from having to store a threat database on the device memory.
Endpoint detection and response (EDR)
These are used once a breach has already occurred, to contain, investigate and respond to the threat. Whereas EPP is passive software that blocks endpoint security issues before they take hold, EDR is an active tool used by IT to quarantine the breach and initiate automated response and remediation. EDR software works by:
- Applying threat intelligence to pinpoint Indicators of Compromise (IoC)
- Providing real-time alerts about security incidents
- Incorporating a forensics and investigation component to trace affected endpoints and the origin of the attack
- Automated response and remediation
What’s The Difference Between EPP And EDR?
In general, an EPP solution acts as an endpoint’s frontline defence, much in the same manner as antivirus software does for viruses.
On the other hand, EDR solutions are designed to deal with threats that the EPP software missed. These may include new malware strains, newly discovered zero-day exploits, and other attack techniques not yet covered by the EPP's threat database.
| EPP | EDR |
| --- | --- |
| Prevents conventional threats, as well as some unknown threats (by behavioural analysis or machine learning) | Used to respond to threats that make it past the EPP filter |
| First-line threat prevention | Secondary defence: contain, investigate and respond to breaches |
| Passive software that guards against known risks | Active software used by IT to hunt threats within the system |
| Protects each endpoint on its own, in isolation from the others | Aggregates incident data from several endpoints to provide context for quarantine and remediation |
Key Features of an EDR Solution
Where EPP fails, EDR serves as the backstop to catch threats that make it past the initial defence. This allows IT security to isolate the endpoints of entry, quarantine affected system areas, and initiate automated response and remediation.
- Threat detection: Like EPP, it should detect malicious activity and strange processes on endpoints instead of just looking for file-based malware.
- Security incident containment: Effective EDR solutions block security incidents at network endpoints to isolate attacks and stop them from spreading across the network.
- Incident response: Flagged incidents should be ranked by threat level to help IT prioritise response, especially in the face of fast-propagating threats.
- Incident investigation: It should make forensic investigation easier and faster by collecting the necessary endpoint and traffic data in a central repository for analysis.
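The EDR workflow sketched above (collecting process and network telemetry, matching it against IoCs, flagging suspicious behaviour, ranking alerts by severity and tracing an alert back to its origin) is easier to grasp in code. The following is an added example, not code from the article or from any vendor's product: the event format, the IoC hashes and addresses, the rule names and the severity scores are all constructed for illustration. It reconstructs process lineage from parent/child links, applies one IoC rule and one behavioural rule (an Office application spawning a script host, the "macro and script" pattern from the threat list), ranks the resulting alerts and decides which hosts cross the isolation threshold.

```python
"""Constructed EDR-style telemetry with a minimal detect / rank / trace pipeline.

Added example (not from the article or any vendor product). The event
schema, IoC feed, rule names and severities are assumptions for illustration.
"""
from collections import defaultdict

# Constructed sample telemetry, as an EDR agent might record it. Hostnames,
# hashes and addresses are made up; 198.51.100.0/24 is a documentation range.
SAMPLE_EVENTS = [
    {"ts": 1, "host": "ws-17", "type": "process", "pid": 400, "ppid": 1,
     "image": "explorer.exe", "cmd": "explorer.exe", "sha256": "aaaa", "user": "alice"},
    {"ts": 2, "host": "ws-17", "type": "process", "pid": 412, "ppid": 400,
     "image": "outlook.exe", "cmd": "outlook.exe", "sha256": "bbbb", "user": "alice"},
    {"ts": 3, "host": "ws-17", "type": "process", "pid": 420, "ppid": 412,
     "image": "winword.exe", "cmd": "winword.exe /n invoice.docm", "sha256": "cccc", "user": "alice"},
    {"ts": 4, "host": "ws-17", "type": "process", "pid": 431, "ppid": 420,
     "image": "powershell.exe", "cmd": "powershell.exe -nop -w hidden -enc SQBFAFgA...",
     "sha256": "dddd", "user": "alice"},
    {"ts": 5, "host": "ws-17", "type": "network", "pid": 431,
     "dst_ip": "198.51.100.23", "dst_port": 443},
    {"ts": 6, "host": "ws-17", "type": "process", "pid": 440, "ppid": 400,
     "image": "chrome.exe", "cmd": "chrome.exe", "sha256": "eeee", "user": "alice"},
    {"ts": 7, "host": "srv-db", "type": "process", "pid": 77, "ppid": 5,
     "image": "update.exe", "cmd": "update.exe", "sha256": "f00dfeed", "user": "SYSTEM"},
]

# Constructed threat-intelligence feed (IoCs): known-bad file hashes and C2 addresses.
IOC_HASHES = {"f00dfeed"}
IOC_IPS = {"198.51.100.23"}

# Behavioural rule inputs: Office apps should not normally launch script hosts.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Assumed severity scores (0-100) used to rank alerts for the analyst.
SEVERITY = {"ioc_hash": 90, "ioc_network": 80,
            "office_spawns_script": 70, "encoded_powershell": 60}


def build_process_index(events):
    """Map (host, pid) -> process-start event so lineage can be reconstructed."""
    return {(e["host"], e["pid"]): e for e in events if e["type"] == "process"}


def lineage(index, host, pid, limit=16):
    """Walk parent links up to the root; return image names, oldest ancestor first.
    This is the 'origin of the attack' chain an investigator wants to see."""
    chain, seen, key = [], set(), (host, pid)
    while key in index and key not in seen and len(chain) < limit:
        seen.add(key)
        ev = index[key]
        chain.append(ev["image"])
        key = (host, ev["ppid"])
    return list(reversed(chain))


def detect(events):
    """Run IoC matching and behavioural rules over telemetry; return alert dicts."""
    index = build_process_index(events)
    alerts = []

    def add(rule, ev, pid):
        alerts.append({"host": ev["host"], "pid": pid, "rule": rule, "ts": ev["ts"],
                       "severity": SEVERITY[rule],
                       "lineage": lineage(index, ev["host"], pid)})

    for ev in events:
        if ev["type"] == "process":
            parent = index.get((ev["host"], ev["ppid"]))
            if ev["sha256"] in IOC_HASHES:
                add("ioc_hash", ev, ev["pid"])
            if parent and parent["image"] in OFFICE_APPS and ev["image"] in SCRIPT_HOSTS:
                add("office_spawns_script", ev, ev["pid"])
            tokens = ev["cmd"].lower().split()
            if ev["image"] == "powershell.exe" and any(t in ("-enc", "-encodedcommand") for t in tokens):
                add("encoded_powershell", ev, ev["pid"])
        elif ev["type"] == "network" and ev["dst_ip"] in IOC_IPS:
            add("ioc_network", ev, ev["pid"])
    return alerts


def triage(alerts, isolate_at=80):
    """Rank alerts by severity (ties by time) and pick hosts whose worst alert
    reaches the isolation threshold. Returns (ranked_alerts, hosts_to_isolate)."""
    ranked = sorted(alerts, key=lambda a: (-a["severity"], a["ts"]))
    worst = defaultdict(int)
    for a in alerts:
        worst[a["host"]] = max(worst[a["host"]], a["severity"])
    return ranked, sorted(h for h, s in worst.items() if s >= isolate_at)


if __name__ == "__main__":
    ranked, isolate = triage(detect(SAMPLE_EVENTS))
    for a in ranked:
        print(f'{a["severity"]:3d} {a["host"]:7s} pid={a["pid"]:<4d} {a["rule"]:22s} '
              + " -> ".join(a["lineage"]))
    print("isolate:", isolate)
```

Two design points worth noting. Lineage is rebuilt from the parent pid chain rather than read from a single event, which is why the behavioural rule can say "Office spawned a script host" even though the PowerShell event by itself looks ordinary; that cross-event context is the difference between EPP-style file scanning and EDR-style detection. The isolation decision is made per host from the worst alert seen, so a single high-confidence IoC hit is enough to contain a server while a lone low-severity behavioural hit only surfaces for review.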
Eradicating Endpoint Threats
The growth of disruptive attacks such as ransomware, and the migration of more persistent attackers to fileless techniques, have ushered in a new age for endpoint security tools. The shift from locally managed endpoint security tools to cloud-delivered products has reduced the maintenance burden for customers, particularly when it comes to staying on top of the latest releases.
The integration of endpoint detection and response with up-front protection has brought threat hunting, incident response and better detection capabilities based on behaviour modelling rather than indicators of compromise, Gartner found. Plus, endpoint security tools are increasingly providing application and device control, vulnerability and configuration management to harden the environment, Gartner said.
As part of Cybersecurity Week 2020, CRN spoke with eight cybersecurity vendors and solution providers about what to look for when choosing an endpoint security tool. From having the ability to remove agents and detect malicious scripting to leveraging heuristics to examine the behaviour of machines rather than signature models, here are eight things companies need in an endpoint security tool.