By Mike Buckley | Presales Security Consultant at Nettitude
What is an Endpoint
Firstly, what is an endpoint? An endpoint is usually a device which communicates with the network to which it is connected. This can be a myriad of devices including, laptops, mobiles, tablets, servers etc. As the attack vectors vary hugely depending on where we focus, this blog will primarily target the laptop/desktop world. Risks to all endpoints may be similar, but the mitigations are very different.
Why are Endpoints a Problem for Security?
When we talk about endpoints as a high security risk – why is this? The answer is simply because there are fallible human beings bashing away at the keyboard with no real idea of the impact that their actions are having beyond what is presented to them on their screen. Users can attend all the security awareness training available to them, but that just reduces the risk, it does not remove it completely. So, taking the assumption that it’s a “when” rather than an “if”, what can we do to mitigate the fallout?
Types of Endpoint Protection and Detection software
There are two types of product aimed at addressing the risks endpoints face, Endpoint Protection Platform (EPP) and Endpoint Detect and Response (EDR).
EPP tools have evolved from traditional signature based Anti-Virus tools. Everybody hates Anti-Virus endpoint protection and security software, or it seems that way when I talk to our customers about it. Common complaints include poor detection capability while at the same time consuming precious CPU resource, hopefully the days of laptops burning legs when the Anti-Virus was performing a weekly scan are long gone, but the memory lives on. It has been very interesting to watch the development of EPP over the last few years. Niche players entered the EPP market, bringing in new capabilities such as zero day detection, cloud based management and elements of EDR. Initially the leaders in EPP (by market share at least) were very slow to react, as a result many people were running two agents, one to cover the zero day threats and another one – not so much to cover the signature based attacks but to continue the use of features like media encryption, host based IDS etc that the established vendors had added to their solution as they matured. However we now see what I would call the traditional vendors in the Anti-Virus space now working on a more level playing field with their own zero day prevention and EDR capabilities. Of course we also have Microsoft who seem to be on a mission to conquer the endpoint security world, and when do they ever fail? (let’s not talk about Vista!).
Firstly, what is EDR? It’s still a relatively new technology concept, well relative to Anti-Virus anyway the market place is immature. EPP is easy to understand, prevent the attack, whether it’s signature or behaviour based, report on the alert, end of event. EDR can be so much more than that. Want to see what your endpoints are doing at a forensic level? Process creation/termination, registry key changes, module loads, network activity, all tied back to individual processes. This consolidated visibility across a whole network of endpoints allows instant detection of malicious activity and crucially in the event of an incident allows investigators to get instant forensic access and also maybe the ability to quarantine infected hosts.
As a consequence of the EDR space immaturity, there are huge differences in capability between products, acquisitions of start ups by larger vendors is still a thing and we generally find customers aren’t really clear on what they want out of the product. The EPP vendors tend to keep the EDR fairly light touch, a full EDR solution requires a specialist skillset and that would not necessarily sit with the administrator of an EPP product, of course they may not mention that in their sales pitch…..
Do you need both EPP and EDR for sufficient endpoint protection & visibility? The requirement for EPP has been established for many years, for EDR less so. This is changing though. SOCs are now offering EDR tools as standard, I no longer have to evangelise EDR, it’s already understood why there is a need for it, customers now want to see a demonstrable difference between vendors and will choose accordingly. You can now also have both in one agent, even the fully capable EDR products have embraced the world of EPP, I no longer have to hear “oh, not another agent for us to manage”. While EDR and EPP continue to evolve both now plays a crucial role in protecting the endpoint from the humans operating it.
If you have questions and think you may need expert help, our Security & Network Solutions team are on hand to assist you – speak to an expert today!
To find out more about what Nettitude can do to address the problem of data protection, take a look at our cyber strategy & data protection services.
Ready to get started? Get in touch with the team here.