By Olivia Cahoon
As the threat landscape becomes increasingly advanced, endpoint protection is now more important than ever. It addresses adaptive security architecture tasks like hardening, investigation, incident detection, and incident response. Enterprises invest in endpoint protection platforms (EPPs) to protect endpoints, prevent data breaches, and combat modern threats.
According to Gartner, by 2021 EPPs will provide automated, orchestrated incident investigation and breach response. Separate, stand-alone endpoint detection and response (EDR) solutions will focus on managed security service provider and large enterprise security operations center environments.
The Role of EPP
Data protection is increasingly difficult as ransomware and malware use advanced techniques to compromise endpoints. Today, it’s more difficult to decipher the good, the bad, and the unknown.
To complicate matters, users increasingly access corporate resources from a variety of locations, devices, and services in the cloud. EPPs address endpoint security issues with solutions that secure and protect endpoints against malware and ransomware attacks. According to a Trend Micro spokesperson, it also provides multi-dimensional protection to guard against all threat types, with a cross-generational blend of threat protection technologies like machine learning, behavioral analysis, vulnerability protection, and traditional signature detection.
Operating on endpoint devices, EPPs are designed to prevent cyberattacks, detect malicious activity, and provide investigation and remediation when responding to cybersecurity incidents, says Ori Ammar, senior director of sales engineering, Kaspersky Lab North America. These solutions vary in features and capabilities depending on the organization’s size. As a result, Ammar says it’s important to understand the full benefits of the different types of EPP before making any purchasing decisions.
“Overall, EPP plays a key part in an organization’s overall strategy in protecting against advanced threats and targeted attacks,” he explains. “To stay relevant in today’s challenging threat landscape, EPP must also provide next-generation features such as behavior analysis, cloud lookup, and machine learning.”
EPP solutions feature advanced malware and ransomware protection to protect endpoints on or off the corporate network. A Trend Micro spokesperson offers, “it protects against malware, trojans, worms, spyware, and ransomware; and adapts to protect against new unknown variants as they emerge.”
Primary features for EPP solutions include a variety of threat detection technologies like application control, behavior monitoring, exploit prevention, machine learning, sandbox analysis, and web and file reputation, shares a Trend Micro spokesperson.
One of the most important features in endpoint protection is multi-layered security. “Through a multi-layered approach, businesses can achieve a balance between performance and efficient protection,” says Ammar. This includes features for anti-ransomware and anti-exploit protection which block account takeovers, lower exposure to attacks, neutralize rootkits, identify attacks and intrusions, and prevent exposures via networks. “Only through a multi-layered approach can businesses of all sizes achieve true cybersecurity.”
While primary features have always consisted of runtime and scheduled tools for finding known malware, EPP now monitors never-before-seen malware with pattern recognition, machine learning, and exploit prevention technologies, says Sam Curry, chief security officer, Cybereason. Recently, primary features expanded to include software for monitoring and tracking post-execution behaviors and activities for centralized monitoring, response, and hunting from the newer EDR toolkit.
EPP solutions include a variety of secondary features that touch upon several areas. Curry believes secondary features fall into two categories: features focused on the integrity of the endpoint and those that are not. “Those that have extended primary features and had their day in the sun include personal firewall features, host intrusion prevention systems, and device control features.” Others include endpoint-based, non-mission-critical functions that are security related, like data leakage prevention, vulnerability management, and full disk encryption features.
Secondary features vary depending on the EPP solution but are often similar to primary features for EDR. “Also, the ability to continuously record the right security events on an endpoint and provide that information seamlessly to the security team,” says Rick McElroy, security strategist, Carbon Black. He believes EPP solutions should have capabilities for responders to take action on the endpoint, to find the root cause of an attack, and rapidly remediate the threat.
Other secondary features include mobile device management (MDM), EDR, malware analysis, and remote monitoring and management (RMM). Trip Nine, product marketing manager, Comodo Cybersecurity, says that some EPP solutions have RMM capabilities to offer fuller managed services to an organization. RMM offers troubleshooting of system issues and monitoring of RAM/CPU usage.
Organizations that demand a centralized capability to deploy, manage, and respond to endpoint threats benefit from EPP solutions. Doron Aronson, director of global communications, Malwarebytes, says organizations seek specific capabilities like a single pane of glass console for full lifecycle attack prevention, detection, and remediation; proactive threat protection from all types of attacks at all stages of the attack chain; and to minimize risk of data breach.
According to Ben Reed, product marketing manager, ESET, we are now at a point where it doesn’t really help to discuss one sector versus another—all are targeted in one way or another, regardless of size or function. “As long as you have data on computers and/or an internet connected device, you are going to be a target,” he explains. While some data may be worth more than others, cybercrime has evolved to monetize the theft of all data forms. “Credential to a WordPress server or an email server, bank account, or an air miles account—these are all monetizable on the dark web.”
Although all organizations should have an EPP, Robert Fernandez Friera, product manager, Panda Security, says the most targeted industries include healthcare, finance, logistics, public sector, retail, and utilities. He offers, “really any company with valuable client data or intellectual property can be a major target.”
Cybercriminal aggression, ransomware growth, and sabotage attacks drive the demand for modern EPP solutions. Thom Vanhorn, senior director of marketing, CounterTack, says that in 2017, Symantec reported 357 new malware variants introduced. “That’s almost one million new malware variants introduced each day with the goal of evading signature-based antivirus solutions,” he explains.
Malware-based threats target and leverage endpoints to enter organizations. The EPP serves as the last line of defense against threats that evaded the rest of the security infrastructure, says Aronson. She believes demands for EPP are driven by an evolving threat landscape and increasingly sophisticated attack vectors and techniques.
Additionally, ransomware attacks like WannaCry and sabotage attacks like NotPetya demonstrate how quickly new attacks can permeate through a network and bring business operations to a standstill, says Vanhorn. “In a recent report of organizations from small- and medium-sized business (SMB) to large enterprises, Ponemon reports that the average cost of a data breach is $7.4 million,” he reveals.
In 2017, container shipping giant Maersk was victimized by NotPetya. NotPetya is a virus that freezes users’ computers by locking the hard drive’s MFT and MBR sections. The virus held data for ransom, demanding untraceable ransom payments in Bitcoin. “This fast-moving attack shut down 49,000 endpoints before Maersk could respond,” says Vanhorn. Business operations stopped for two weeks with an estimated revenue loss over $300 million.
According to McElroy, ransomware is the latest example of how vulnerable most endpoints can be and how legacy antivirus isn’t enough. “Security teams need a platform to prevent, detect, respond to, and predict threats. Legacy solutions have proven to be inadequate, which has driven innovation in cybersecurity.”
Additionally, human error and malicious employee activity pose risks for organizations. According to Aronson, the 2017 Ponemon Cost of Data Breach Study indicates the global average cost of a breach is $3.62 million, involving an average of 24,000 records.
EPP traditionally consisted of antivirus solutions that scanned disks in search of malware and analyzed files to determine if they contained malware. While effective at detecting and preventing known malware variants, Paul Zimski, director of product marketing, McAfee, says they left organizations exposed to new malware and file-less attacks.
“From the 1980s onward, the industry was built on the premise of antivirus,” shares Nine. EPP prevented what was known as bad but allowed good and unknown processes into the system. “The amount of unknown files which turn out to be malicious has skyrocketed in recent years. The industry has coined the phrase ‘zero-day threats’ from this problem,” he adds.
Today’s threat landscape changes daily and evolves to combat EPP software’s progress. “When EPP software can stop one attack, malware authors innovate new ways to prevent their attacks from being detected,” reveals Andy Patel, researcher, F-Secure. New threat methods are based on vulnerability disclosures, white/black hat research, and testing against EPP software. Patel believes threat researchers discover EPP’s new tactics and improve their software—continuing the threat cycle and increasing demands for EPP software to evolve as well.
According to Verizon DBIR 2017, by some accounts only 51 percent of breaches in 2017 leveraged malware, shares Zimski. “One study suggests that 29 percent of the attacks in 2017 were file-less. Yet the fact remains that file-based attacks are still a challenge that can’t be ignored with over 870,000 unique payloads encountered per day.”
Users now look to solutions that consolidate traditional EPP with EDR capabilities. “EDR employs the continuous monitoring of OS behavior,” says Zimski. It covers behaviors such as suspicious PowerShell process execution, external network connections, and privilege escalation. “EPP solutions are consolidating on-disk, OS behavior and in-memory technologies into a single threat detection platform.”
Patel agrees and says other recent drivers for EPP innovation include the Meltdown/Spectre speculative execution vulnerabilities found in common CPUs, a trend toward malicious websites using TLS, and the use of Windows tools like PowerShell and WMIC to perform file-less attacks on systems.
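The following is an added example, written for this article and not code from any of the vendors quoted here, showing in Python how the three behavior classes Zimski lists (suspicious PowerShell execution, external network connections, and privilege escalation) plus the PowerShell/WMIC pattern Patel mentions can be expressed as simple rules over endpoint telemetry. The JSON-lines event schema, the field names, the rule names, and the sample events are all constructed for the illustration; real EPP/EDR agents use their own formats and far richer logic.

```python
"""Toy EDR-style behavioral triage over constructed endpoint telemetry.

Added example, not code from the article or from any vendor it names. It
assumes a simplified JSON-lines event schema (field names invented here).
"""
import json
import ipaddress
from collections import defaultdict

# Constructed sample telemetry, one JSON object per line (not real logs).
# Command-line blobs are placeholders, not working payloads.
SAMPLE_EVENTS = """\
{"type":"process","host":"ws-01","integrity":"medium","parent":"explorer.exe","image":"winword.exe","cmdline":"winword.exe invoice.docx"}
{"type":"process","host":"ws-01","integrity":"medium","parent":"winword.exe","image":"powershell.exe","cmdline":"powershell.exe -EncodedCommand <base64-placeholder>"}
{"type":"network","host":"ws-01","image":"powershell.exe","dst":"203.0.113.10","dport":443}
{"type":"process","host":"ws-01","integrity":"high","parent":"powershell.exe","image":"wmic.exe","cmdline":"wmic.exe <placeholder-arguments>"}
{"type":"process","host":"ws-02","integrity":"medium","parent":"explorer.exe","image":"powershell.exe","cmdline":"powershell.exe -File build.ps1"}
{"type":"network","host":"ws-02","image":"chrome.exe","dst":"10.0.0.5","dport":443}
"""

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
INTEGRITY_RANK = {"low": 0, "medium": 1, "high": 2, "system": 3}
# Ranges treated as internal for this example; anything else is "external".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_external(ip_text):
    """True when the destination lies outside INTERNAL_NETS."""
    ip = ipaddress.ip_address(ip_text)
    return not any(ip in net for net in INTERNAL_NETS)


def triage(lines):
    """Run the behavioral rules over JSON-lines events.

    Returns {host: [(rule_name, detail), ...]} for hosts with at least one finding.
    """
    findings = defaultdict(list)
    seen_integrity = {}  # (host, image) -> integrity level last seen for that process

    for raw in lines.splitlines():
        if not raw.strip():
            continue
        ev = json.loads(raw)
        host, image = ev["host"], ev["image"].lower()

        if ev["type"] == "process":
            parent = ev["parent"].lower()
            cmd = ev.get("cmdline", "").lower()

            # Rule 1: an Office application spawning a script host.
            if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
                findings[host].append(("office_spawns_script_host", f"{parent} -> {image}"))
            # Rule 2: PowerShell launched with an encoded command line.
            if image in {"powershell.exe", "pwsh.exe"} and "-encodedcommand" in cmd:
                findings[host].append(("encoded_powershell", cmd))
            # Rule 3: a script host driving WMIC (the file-less pattern the article mentions).
            if parent in SCRIPT_HOSTS and image == "wmic.exe":
                findings[host].append(("script_host_spawns_wmic", f"{parent} -> {image}"))
            # Rule 4: child runs at a higher integrity level than its recorded parent.
            parent_level = seen_integrity.get((host, parent))
            parent_rank = INTEGRITY_RANK.get(parent_level)
            child_rank = INTEGRITY_RANK.get(ev.get("integrity"))
            if parent_rank is not None and child_rank is not None and child_rank > parent_rank:
                findings[host].append(("privilege_escalation",
                                       f"{parent}({parent_level}) -> {image}({ev['integrity']})"))
            seen_integrity[(host, image)] = ev.get("integrity")

        elif ev["type"] == "network":
            # Rule 5: a script host talking to an external address.
            if image in SCRIPT_HOSTS and is_external(ev["dst"]):
                findings[host].append(("script_host_external_connection",
                                       f"{image} -> {ev['dst']}:{ev['dport']}"))

    return dict(findings)


def hosts_to_isolate(findings, threshold=2):
    """Hosts whose finding count meets the threshold, i.e. candidates for isolation."""
    return sorted(h for h, items in findings.items() if len(items) >= threshold)


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for host, items in result.items():
        for rule, detail in items:
            print(f"{host}: {rule}: {detail}")
    print("isolate:", hosts_to_isolate(result))
```

Run as-is, the script flags ws-01 five times (Office spawning PowerShell, an encoded command, an external connection from the script host, PowerShell driving WMIC, and an integrity jump) and leaves ws-02, whose PowerShell run and browser traffic are ordinary, with nothing. The point is the shape of the logic: each rule is cheap on its own, and it is the correlation of several findings on one host that turns raw telemetry into something a responder can act on.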
Released in July 2016, Carbon Black (Cb) Defense is a product built upon Carbon Black’s cloud-based endpoint security platform, the Predictive Security Cloud. “Prevention capabilities in Cb Defense combine numerous technologies and incorporate EDR data to identify attacks even if the attack has never been seen before,” says McElroy. Cb Defense’s major components include streaming prevention, live response and remediation, managed threat hunting, and attack detection, investigation, and visualization. It’s intended for SMBs to large enterprises. Tiered pricing starts at $44 per seat.
Comodo was released in 2010 for SMB, commercial, and enterprise customers. Its anti-malware technologies include antivirus, whitelisting/blacklisting, host intrusion prevention system, behavioral learning/AI, Comodo EDR, and kernel-level auto-containment. “With Comodo’s patented auto-containment technology, we bulletproof you down to hour zero every time—solving the malware problem,” says Nine. Comodo also offers remote monitoring and management, server monitoring, patch management, MDM, and Ticketing ServiceDesk. It’s available for $39 per endpoint per year.
CounterTack EndPoint Protect Platform was introduced in 2013 as a predictive EDR solution. In 2018, Vanhorn says the company intends to consolidate EDR capabilities with EPP capabilities to deliver NexGen EPP, introduce NexGen Antivirus, and migrate to SAP HANA. “SAP HANA will deliver the most scalable solution,” he offers. CounterTack’s EPP features Digital DNA in-memory behavior analysis and predictive analytics. The solution has a starting price of $60 per endpoint.
Released in 2014, Cybereason Deep Hunting Platform is designed for Global 5000 enterprise organizations across all verticals. It features a purpose-built architecture, dynamic database, and modern, full security stack. Cybereason’s dynamic database is a centralized, in-memory graph database that evolves as new data is collected. According to Curry, it constantly correlates elements across organization endpoints and monitors millions of relationships between data points every second. Cybereason Deep Hunting Platform is available as tiered pricing per endpoint.
The newest version of ESET Endpoint Security was released in January 2018. Intended for all market sizes, ESET’s management server is preconfigured to best practices including 90 reports and dashboards, 30 pre-created policies, and ten notification templates. It offers automated detection, cloud malware protection system, network attack protection, and exploit blocker. Pricing is based on seat count and starts at $38.
The latest version of F-Secure’s Protection Service for Business was released in March 2018. “Our solutions scale from small to large customers with a majority of customers ranging from 100 to 5,000 seats,” says Patel. It features built-in patch management, password manager, and MDM. Price varies based on region and volume.
Kaspersky Endpoint Security for Business Version 11 was released in April 2018 for mid-segment to large enterprises. “The product offers enterprise-ready scalability allowing for the management of up to 100,000 endpoints through a single server installation,” says Ammar. Kaspersky Endpoint Security delivers multi-layered, scalable protection against different attack vectors including known, unknown, and advanced threats. It includes Kaspersky Security Center for intuitive policy-based management of virtualized, physical, and mobile IT infrastructure security. Basic pricing is $49.20 per node and volume discounts apply.
Released in June 2017, Malwarebytes Endpoint Protection features application behavior protection and hardening, anomaly detection machine learning, exploit mitigation, payload analysis, ransomware mitigation, and web protection. Aronson says it’s designed for SMB, mid-market, and enterprises across all industries. Malwarebytes Endpoint Protection is powered by Malwarebytes’ best-informed telemetry.
McAfee Endpoint Security 10.5.4 was released in April 2018 for enterprise, commercial, and SMB markets. It offers advanced signature-less defense techniques, an open platform philosophy, single-agent, single-console operational efficiency, and integrated prevention, detection, and response capabilities. “Machine learning, behavioral analysis, containment, and memory protection are applied to prevent and detect zero-day malware as well as file-less and exploit-centric attacks both before and after they manifest on endpoints,” says Zimski. Starting MSRP is $60 per node perpetual.
Panda Security released Panda Adaptive Defense 360 in 2015 for markets from SMB to enterprise key accounts. It integrates all available preventive protection technologies and EDR features into a single agent. It also provides two managed security services without additional or hidden costs: Threat Hunting Service and 100 percent Attestation Service. According to Friera, it’s available from approximately $83.89 USD with price depending on license ranges.
Released in 2012, Trend Micro Smart Protection Suites features multiple layers of detection methods for deployment. Designed for 100 to 100,000 users, it features layered protection for servers, networks, and users. Smart Protection Suites protects all user activities to reduce the risk of sensitive information loss. It offers advanced protection with endpoint security, email and collaboration security, web security, and mobile security. Pricing starts at $38 per user per year.
Sophos Endpoint protects all devices, on premises or in the cloud, on one simplified management console. It removes detected malware automatically and isolates compromised devices in order to prevent damage. Sophos Endpoint doesn’t rely on signatures to catch malware, which means it catches zero-day threats without affecting device performance. It is available on Sophos deployment options including Sophos Central and Sophos Enterprise Console.
Symantec Endpoint Protection 14 is a complete endpoint security solution for the cloud generation. It protects endpoints from all attack vectors at industry-leading efficacy with a single-agent architecture and realizes integrated cyber defense at scale. The solution is a signature-less technology that features advanced machine learning, memory exploit mitigation, and behavior monitoring. It also includes global intelligence network, reputation analysis, emulator, and secure web gateway integration.
Today’s malware and ransomware attackers advance threat techniques to steal valuable data and funds. EPP serves as a security shield with features like machine learning, exploit prevention, application control, and multi-layered approaches. In today’s world of evolving threats, it’s important to get protected before a virus strikes.
June 2018, Software Magazine