By Andrew Roberts, Chief Cybersecurity Strategist, cStor
Protecting our endpoints used to be easy. As the threat landscape continues to evolve and become more complex, so must our endpoint protection platforms. Here’s an overview of how endpoint protection has changed over time and where it’s headed.
Initially, the biggest component of endpoint protection was signature-based antivirus software that recognized malicious files and blocked them. Those days are long gone. The bad guys developed tactics, techniques and procedures (TTPs) that can easily circumvent old antivirus technology. Signature-based antivirus products became commoditized, where one is just as bad as the others and the only real differentiation is price.
This ushered in a new era in endpoint security, where next-generation antivirus manufacturers formed two distinct camps – Endpoint Protection Platforms (EPP) and Endpoint Detection and Response (EDR) products.
The EPP manufacturers believed that the best way to protect endpoints was still the preventative approach – identify malware and block it from executing before it does any harm. They focused their efforts on building new technologies to recognize malware without the need for constantly updating signature files. The most successful of these developed products that relied heavily on artificial intelligence (AI) and machine learning (ML) to sniff out the malicious code and stop it dead. This approach was a vast improvement over signature-based technologies, achieving advertised success rates of well over 99%.
The EDR manufacturers took a different path. They assumed that, no matter what, some malware was going to get through. Instead of focusing their efforts on prevention, they instead turned their attention to very quickly identifying infected endpoints and immediately taking corrective action to stop the spread and minimize the impact.
While both tactics resulted in significant technological advances and brought endpoint security to a new level, neither was a complete solution. EDR platforms still needed some sort of prevention or they would spend all their time reacting. EPP solutions, even with their ability to block nearly 100% of threats, still missed some of the malicious code – if only 0.01% of a billion viruses get through, that is still a great many getting through.
Both factions have recognized their shortcomings and are taking corrective action, creating a third generation of products. EPP products are adding detection and response capabilities, and EDR products are adding prevention capabilities. This is good news for business: products are becoming more robust, and we no longer need to choose between EDR and EPP or make the effort to integrate two types of products.
Just because we can prevent, detect and respond to malware does not mean the job is done. There is more to protect on the endpoint. We should still consider encrypting every endpoint to protect the data stored on its hard drives. Data Loss Prevention (DLP) software can help us ensure that data leaks do not occur from the endpoint. We also need to take steps to make sure we know who is really using the endpoint and be certain they are authorized to take the actions they are performing. Encryption and DLP solutions have been available for a while now, and some of the EPP/EDR manufacturers are developing exciting technologies around identity. The future looks bright for our endpoints.
Navigating the Waters
With new technologies emerging at an amazing pace, choosing an endpoint solution can be difficult. It’s best to work with a partner that can help you find the best solution to fit your current and future needs. A good partner will have knowledge of several available products and won’t jump too quickly into product demonstrations. They should be willing to spend time with you to identify all your needs and wants first. Once the true requirements are uncovered, product selection becomes much easier and you will be more comfortable with your decision.