For many years, securing endpoint systems from compromise was accomplished with legacy antivirus software. As technology evolved and attackers grew more sophisticated, it became apparent that a more advanced solution was required. Endpoint Protection Platforms were developed to address the changing threat landscape by providing prevention capabilities based on multiple detection mechanisms.
What is an Endpoint Protection Platform (EPP)?
Defining an Endpoint Protection Platform
An Endpoint Protection Platform is an endpoint security capability designed to protect systems from compromise by preventing malicious software from executing. It is important to understand that Endpoint Protection is often used in conjunction with Endpoint Detection and Response (EDR); however, they are not synonymous. The primary purpose of an EDR solution is to record events as they occur while also providing a means of threat resolution. In this way, an EDR solution is usually associated with current compromises or post-exploitation activity. An Endpoint Protection Platform, by contrast, is designed as a preventative measure, monitoring all execution attempts and terminating those designated as potentially malicious. Endpoint protection is also often confused with antivirus software, but it should be noted that an AV engine is just one possible component of an Endpoint Protection Platform.
Why is Endpoint Protection Important?
For any organization, an effective security posture is based around the concept of defense in depth: multiple layers of defense should be implemented so that security holds even if one layer fails. For endpoint systems, an Endpoint Protection Platform is often seen as providing one or more of the base defensive layers. Automated preventions can be executed based on a detection engine, such as one powered by machine learning. A second layer of prevention within an EPP can then be based on customized prevention policies that eliminate the risk of unwanted executions which may go undetected by the automated layer. In this way, an effective EPP can prevent the bulk of endpoint threats, freeing security analysts to conduct threat hunting exercises and respond to more advanced threats via an Endpoint Detection and Response solution.
How has Endpoint
Each EPP vendor has developed its own combination of detection technologies to meet this demand. These can include:
- Machine Learning and Artificial Intelligence
- Behavioral Analytics
- Streaming Cloud Analysis
- Traditional Signature matching
- Anomaly Detection
All of these share the goal of detecting and preventing the execution of both known and unknown threats.
What are the Key Capabilities to look for in an Endpoint Protection Platform?
There are many Endpoint Protection vendors on the market, each claiming that its technology is the best at preventing malicious executions. Which technology is truly the best is debatable; however, an effective EPP should include certain key capabilities:
- A clear understanding of which mechanism is used to identify and prevent the execution of anything deemed malicious is important, since it will help you define the correct policies for your environment.
- The software should also include multiple response options ranging from alerting, to process termination, to automated remediation. This will allow you to set the appropriate response for each system and prevent the possible termination of critical business applications.
- Finally, your chosen EPP should include the ability to create custom preventions based on situations unique to your environment. This will ensure you are able to stop the execution of software that may not be deemed malicious but is unwanted within your environment.
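As an added illustration (not code from the original article or any vendor's product), here is a small Python model of the layered decision described above: an automated detection layer, a custom prevention layer for software that is unwanted rather than malicious, and per-system response options that cap the action so a critical business application is alerted on rather than terminated. The threshold, hashes, paths and hostnames are constructed placeholders.

```python
from dataclasses import dataclass, field

# Response options ordered by severity; a policy may cap how far a host escalates.
SEVERITY = {"none": 0, "alert": 1, "terminate": 2, "remediate": 3}

@dataclass
class ExecEvent:
    host: str
    path: str
    sha256: str
    ml_score: float  # 0.0-1.0 from the automated detection layer (hypothetical)

@dataclass
class Policy:
    ml_threshold: float = 0.8                         # automated layer decision boundary
    blocked_hashes: set = field(default_factory=set)  # custom preventions: unwanted software
    critical_paths: set = field(default_factory=set)  # business apps that must never be killed
    host_cap: dict = field(default_factory=dict)      # per-system maximum response

def decide(ev: ExecEvent, pol: Policy) -> tuple[str, str]:
    """Return (verdict, action) for one execution attempt.
    Layer 1: automated detection engine (ML score).
    Layer 2: custom prevention policy catches what layer 1 misses.
    The chosen response is then capped per host and per critical application."""
    if ev.ml_score >= pol.ml_threshold:
        verdict, action = "malicious", "remediate"
    elif ev.sha256 in pol.blocked_hashes:
        verdict, action = "unwanted", "terminate"
    else:
        return "clean", "none"
    cap = pol.host_cap.get(ev.host, "remediate")
    if ev.path in pol.critical_paths:
        cap = "alert"  # never terminate a critical business application
    if SEVERITY[action] > SEVERITY[cap]:
        action = cap
    return verdict, action

# Constructed sample policy and events (placeholder hashes, paths and hosts).
POLICY = Policy(blocked_hashes={"deadbeef" * 8},
                critical_paths={r"C:\ERP\erp.exe"},
                host_cap={"ws-finance-01": "alert"})
EVENTS = [
    ExecEvent("srv-01", r"C:\tmp\dropper.exe", "00" * 32, 0.97),        # caught by ML layer
    ExecEvent("srv-01", r"C:\tools\remote.exe", "deadbeef" * 8, 0.20),  # missed by ML, custom block
    ExecEvent("ws-finance-01", r"C:\tmp\dropper.exe", "00" * 32, 0.97), # host capped to alert
    ExecEvent("srv-01", r"C:\ERP\erp.exe", "11" * 32, 0.85),            # critical app: alert only
    ExecEvent("srv-01", r"C:\Windows\notepad.exe", "22" * 32, 0.05),    # clean
]

def run(events=EVENTS, policy=POLICY):
    return [(ev.host, ev.path, *decide(ev, policy)) for ev in events]

if __name__ == "__main__":
    for row in run():
        print(row)
```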