Endpoint detection and response - Learn about it now

According to Gartner, an endpoint protection platform (EPP) is a solution used to “prevent file-based malware attacks, detect malicious activity, and provide the investigation and remediation capabilities needed to respond to dynamic security incidents and alerts.”

What’s considered an endpoint?

An endpoint is any device that connects to the corporate network from outside its firewall. Examples of endpoint devices include:

  • Laptops
  • Tablets
  • mobile devices
  • Internet of things (IoT) devices
  • Point-of-sale (POS) systems
  • Switches
  • Digital printers
  • Other devices that communicate with the central network

Why Endpoint Security is Important

An endpoint security strategy is essential because every remote endpoint can be the entry point for an attack, and the number of endpoints is only increasing with the rapid pandemic-related shift to remote work. According to a Gallup Poll, a majority of US workers were remote in 2020, with 51% still remote in April of 2021. The risks posed by endpoints and their sensitive data are a challenge that’s not going away.

The endpoint landscape is constantly changing, and businesses of all sizes are attractive targets for cyberattacks. This is common knowledge, even among small businesses. According to a study conducted by Connectwise in 2020, 77% of 700 SMB decision makers surveyed worry they will be the target of an attack in the next six months.

Last year, according to the FBI’s Internet Crime Report, they received an increase of 300,000 complaints over 2019, with reported losses over $4.2 billion.

The Verizon 2021 Data Breach Investigations:

The Verizon 2021 Data Breach Investigations Report found “Servers are still dominating the asset landscape due to the prevalence of web apps and mail services involved in incidents. And as social attacks continue to compromise people (they have now pulled past user devices), we begin to see the domination of phishing emails and websites delivering malware used for fraud or espionage.”

Each data breach, costs on average $3.86 million globally with the United States averaging at $8.65 million per data breach according to Ponemon’s “Cost of a Data Breach Report 2020” (Commissioned by IBM). The study identified the biggest financial impact of a breach was “lost business,” making up almost 40% of the data breach average cost.

Protecting against endpoint attacks is challenging because endpoints exist where humans and machines intersect. Businesses struggle to protect their systems without interfering with the legitimate activities of their employees. And while technological solutions can be highly effective, the chances of an employee succumbing to a social engineering attack can be mitigated but never entirely prevented.

How Endpoint Protection Works

The terms endpoint protection, endpoint protection platforms (EPP), and endpoint security are all used interchangeably to describe the centrally managed security solutions that organizations leverage to protect endpoints like servers, workstations, mobile devices, and workloads from cybersecurity threats.

Endpoint protection solutions work by examining files, processes, and system activity for suspicious or malicious indicators. Endpoint protection solutions offer a centralized management console from which administrators can connect to their enterprise network to monitor, protect, investigate and respond to incidents. This is accomplished by leveraging either an on-premise, hybrid, or cloud approach.

The “Traditional or legacy. approach

Is often used to describe on-premise security posture that is reliant on a locally hosted data center from which security is delivered. The data center acts as the hub for the management console to reach out to the endpoints through an agent to provide security. The hub and spoke model can create security silos since administrators can typically only manage endpoints within their perimeter.

With the pandemic-driven work from home shift, many organizations have pivoted to laptops and bring your own device (BYOD) instead of desktop devices. This along with the globalization of workforces, highlights the limitations of the on-premise approach. Some endpoint protection solution vendors have in recent years shifted to a “Hybrid” approach, taking a legacy architecture design, and retrofitting it for the cloud to gain some cloud capabilities.

The third approach is a “Cloud-native” solution built in and for the cloud. Administrators can remotely monitor and manage endpoints through a centralized management console that lives in the cloud and connects to devices remotely through an agent on the endpoint. The agent can work with or independently to provide security for the endpoint should it not have internet connectivity.

These solutions leverage cloud controls and policies to maximize security performance beyond the traditional perimeter removing silos and expanding administrator reach.

Endpoint Protection Software vs. Antivirus Software

Endpoint security software protects endpoints from being breached – no matter if they are physical or virtual, on- or off-premise, in data centers or in the Cloud. It is installed on laptops, desktops, servers, virtual machines, as well as remote endpoints themselves.

Antivirus is often part of an endpoint security solution and is generally regarded as one of the more basic forms of endpoint protection. Instead of using advanced techniques and practices, such as threat hunting and endpoint detection and response (EDR), antivirus simply finds and removes known viruses and other types of malware .

Traditional antivirus runs in the background, periodically scanning a device’s content for patterns that match a database of virus signatures. Antivirus is installed on individual devices inside and outside the firewall.

Core Functionality of an Endpoint Protection Solution

Endpoint security tools that provides continuous breach prevention must integrate these fundamental elements:

  1. Prevention: NGAV: Traditional antivirus solutions detect less than half of all attacks. They function by comparing malicious signatures, or bits of code, to a database that is updated by contributors whenever a new malware signature is identified. The problem is that malware that has not yet been identified, or unknown malware, is not in the database. There is a gap between the time a piece of malware is released into the world and the time it becomes identifiable by traditional antivirus solutions. Next-generation antivirus (NGAV) closes that gap by using more advanced endpoint protection technologies, such as AI and machine learning, to identify new malware by examining more elements, such as file hashes, URLs, and IP addresses.
  2. Detection: EDR: Prevention is not enough. No defenses are perfect, and some attacks will always make it through defenses and successfully penetrate the network. Conventional security can’t see when this happens, leaving attackers free to dwell in the environment for days, weeks, or months. Businesses need to stop these “silent failures” by finding and removing attackers quickly. To prevent silent failures, an Endpoint Detection and Response (EDR) solution needs to provide continuous and comprehensive visibility into what is happening on endpoints in real time. Businesses should look for solutions that offer advanced threat detection and investigation and response capabilities, including incident data search and investigation, alert triage, suspicious activity validation, threat hunting, and malicious activity detection and containment.
  3. Managed Threat Hunting: Not all attacks can be detected by automation alone. The expertise of security professionals is essential to detect today’s sophisticated attacks. Managed threat hunting is conducted by elite teams that learn from incidents that have already occurred, aggregate crowdsourced data, and provide guidance on how best to respond when malicious activity is detected. 
  4. Threat Intelligence Integration: To stay ahead of attackers, businesses need to understand threats as they evolve. Sophisticated adversaries and advanced persistent threats (APTs) can move quickly and stealthily, and security teams need up-to-date and accurate intelligence to ensure defenses are automatically and precisely tuned. A threat intelligence integration solution should incorporate automation to investigate all incidents and gain knowledge in minutes, not hours. It should generate custom indicators of compromise (IoCs) directly from the endpoints to enable a proactive defense against future attacks.

There should be a human element as well, comprised of expert security researchers, threat analysts, cultural experts, and linguists, who can make sense of emerging threats in a variety of contexts.

The Importance of Cloud-Based Architecture

  1. Single, lightweight agent: Endpoint protection is complicated, but the solution should not be. A single lightweight agent that can be deployed immediately and scaled quickly with little effect on endpoint performance is the best approach.
  2. Machine Learning: The solution should incorporate machine learning that provides the ability to record and learn from new attacks. This ability makes it possible to crowdsource intelligence about attack techniques on a massive scale and in real-time.
  3. Enhanced Manageability: Cloud-based endpoint security reduces management overhead in a number of ways. For example, the upgrade process for a traditional solution depends on the vendor’s schedule, which can occur over a timeframe as long as a year. Over that year, attackers are continuing to evolve their techniques, so by the time the upgrade is implemented on customer systems, it is already out of date. Cloud-based platforms are updated in real time and their algorithms are adjusted constantly. The version in use is always the latest version.
  4. Protection On or Off Network: With remote workers, virtualization, and the cloud, assets are not always connected directly to the corporate network. That’s why it’s more important than ever for a complete endpoint solution to be capable of detecting threats even when the device is off-network or offline. Without full visibility across on- and off-network devices, your defense will be riddled with blind spots and numerous opportunities for adversaries to fly under the radar. Cloud-based architecture offers constant visibility into endpoint vulnerabilities without the need for resource-intensive network or host scans. Whether on- or off-network, on- or off-premises, or in the cloud, the lightweight Falcon sensor supports data processing and decision making on the endpoint. Using machine learning on the local host, the agent can protect against known and malware, zero-day exploits, and hash blocking.
  5. Keep Tabs on Adversaries: Today’s attackers are well-funded and business-like. They buy traditional endpoint security solutions and install them in mock environments so they can figure out how to bypass their defenses. But they can’t do the same with a solution built on a cloud-based architecture because, even if the attackers acquire and install the solution’s endpoint sensors, their attempts to break the system will be observed by the solution provider. The tables are turned – instead of the attackers figuring out how the solution works, the defenders are learning how the attackers think.