In this critical and trying time, our connections have become even more valuable and yet more vulnerable. What can we do to best protect the endpoints (our desktops, laptops, and mobile devices) that provide the basis for our connections, and ensure that our daily operations can continue? In this post we explore several methods of endpoint protection.
Endpoint Platform Protection vs. Endpoint Detection and Response
The idea of a perimeter defense dates back to the earliest days of human history. Today, that perimeter defense is still embodied in the digital world through Endpoint Platform Protection, or EPP. EPP solutions can be deployed directly on endpoint devices to prevent file-based malware attacks and detect malicious activity. Often they are cloud based, allowing continuous monitoring of incoming files and access to cloud data resources to determine verdicts on unknown objects that may be detected. This is done with signature-based and heuristic-based scanning. Signature-based scanning utilizes a database to look for known threats but requires constant updates for newly discovered threats; if the database is out of date, then threats can be overlooked. Heuristic scanning utilizes rules and algorithms to look for commands that are often associated with malicious actions. While it does not require as many updates as signature-based scanning, it sometimes produces false positives because of the wide range of actions that could be malicious, and it can miss threats hidden in encrypted files.
However, EPPs are still a great, budget-friendly method for border protection, but what about providing defense in depth? What is to be done when sophisticated techniques breach the border defenses and are actively within the network? Enter Endpoint Detection and Response, or EDR, solutions. EDR is the response to more advanced threats, such as ransomware or resource-draining cryptomining, that are designed to bypass perimeter defenses and cause chaos within your environment.
The foundation of EDR solutions is built upon detection through continuous file access monitoring with comparisons to advanced threat databases. Unlike EPP, EDR solutions monitor and identify the behavior of files at several points rather than just at entry into the network. Signs of irregular behavior can be analyzed and compared to prior behavior as well as later actions, utilizing artificial intelligence and machine learning algorithms. This is crucial for detecting advanced threats missed by signature- and heuristic-based detection, because they can quickly morph from a benign beginning to malicious activity weeks or even months after entry.
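To make the contrast between the three approaches concrete, here is an added toy illustration (not code from the original post or any vendor product) that puts an EPP-style hash signature check and a heuristic command-line rule check beside an EDR-style behavioral check that correlates a process's actions over time. The signature database, the heuristic rule strings, the action names and the event log are all constructed sample values.

```python
import hashlib
from collections import defaultdict

# Constructed signature database: hashes of samples already known to be malicious.
KNOWN_BAD_HASHES = {hashlib.sha256(b"dropper-sample-v1").hexdigest()}

# Constructed heuristic rules: command-line fragments associated with malicious actions.
HEURISTIC_RULES = {
    "disables-logging": ("--disable-logging",),
    "encoded-payload": ("--encoded-payload",),
}

# Constructed behavioral chain that an EDR would correlate over time for one process.
SUSPICIOUS_CHAIN = ("write_exe", "delete_backups", "rename_burst")

def signature_scan(content: bytes) -> bool:
    """EPP-style exact match: flags only files whose hash is already in the database,
    so a new variant is missed until the database is updated."""
    return hashlib.sha256(content).hexdigest() in KNOWN_BAD_HASHES

def heuristic_scan(command_line: str) -> list:
    """EPP-style rule match: returns the names of rules triggered by the command line.
    A legitimate backup tool using the same switch triggers the same rule (false positive)."""
    text = command_line.lower()
    return [name for name, frags in HEURISTIC_RULES.items() if any(f in text for f in frags)]

def behavioral_scan(events) -> dict:
    """EDR-style: replay (timestamp, pid, action) events in time order and flag each
    process that performs the whole suspicious chain, however far apart the steps are."""
    actions_by_pid = defaultdict(list)
    for _ts, pid, action in sorted(events):
        actions_by_pid[pid].append(action)
    flagged = {}
    for pid, actions in actions_by_pid.items():
        step = 0  # index of the next chain step this process still has to perform
        for action in actions:
            if step < len(SUSPICIOUS_CHAIN) and action == SUSPICIOUS_CHAIN[step]:
                step += 1
        if step == len(SUSPICIOUS_CHAIN):
            flagged[pid] = list(SUSPICIOUS_CHAIN)
    return flagged

# Constructed event log: process 1001 completes the chain over many days; 1002 does not.
SAMPLE_EVENTS = [
    (1, 1001, "write_exe"), (2, 1002, "write_exe"), (3, 1001, "spawn_child"),
    (40, 1001, "delete_backups"), (41, 1002, "read_file"), (90, 1001, "rename_burst"),
]
```

Running `behavioral_scan(SAMPLE_EVENTS)` flags only process 1001, even though its first action looked benign and the signature database never contained its binary.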
Once an EDR platform detects suspicious activity, it can notify IT staff using a previously established framework to categorize threats and identify points of infection. Options exist to automatically stop processes running on an infected machine, segment an infected endpoint from the network, or protect files from further attack.
Investigation and Remediation Abilities
Once EDR has categorized a threat and generated a lead, threat analysts can begin with a narrow focus and gather additional context to better understand what activity is happening and why. Unlike EPP, this ability to tag malicious activity on the network greatly increases the speed at which an investigation can be conducted and reduces the damage that can be done.
Overall, EDR solutions have a superior ability to detect threats because of their use of artificial intelligence, and they have enhanced containment and remediation capabilities due to automation and increased visibility into the threat environment. While more expensive than their EPP counterparts, EDRs offer the best solution for protecting your environment both at the perimeter and within.
Ready to reduce the risks associated with your Cybersecurity Program? Contact us below for an informative discovery discussion.