By Joshua Brant
Endpoint Detection and Response (EDR)
Entity and User Behavior Analytics (EUBA)
Artificial Intelligence (AI)
Machine Learning (ML)
The array of terminology and acronyms used to describe endpoint security is extensive. While these terms may seem complicated or esoteric, I hope to simplify the endpoint security lexicon to create a clearer picture of the actual concept and how it has evolved with changes in the threat landscape.
Endpoint security refers to the practice of defending an organization’s data that is processed or stored on internal or (primarily) remotely connected devices, including laptops, PCs, smartphones, tablets and IoT systems. The original endpoint security tool was Antivirus (AV), made by software vendors such as McAfee and Norton. We’re all very familiar with antivirus tools and have long seen their value in protecting our computers and other technology devices. For many years, antivirus was the primary, and often only, tool required for PC protection.
Then as now, traditional antivirus tools compute signatures of software and compare them against a database of known malicious signatures, blocking matches to prevent infection. This works well for malware that has already been identified, but it does not work well for new malware and cannot keep up with the pace at which attackers modify code to evade AV detection.
Additional mechanisms, such as heuristic analysis, were later added to antivirus solutions to better equip them for detecting previously unknown malware, which did improve the software's efficacy.
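The difference between signature matching and heuristic analysis is easiest to see in code. The following is an added example, not code from the article or from any AV vendor mentioned in it: the "executables" are constructed byte strings, the signature database holds one SHA-256 digest, and the heuristic rules (two suspicious substrings plus a byte-entropy check) are assumed for illustration. It shows that a one-token change to a known sample defeats the exact-hash signature while the heuristic still catches it, and that high entropy alone is treated as weak evidence rather than grounds to block.

```python
import hashlib
import math
from collections import Counter

# Constructed sample "executables" for illustration only: short byte strings,
# not real binaries. A fake DOS header is followed by an embedded command line.
KNOWN_BAD = b"MZ\x90\x00" + b"cmd.exe /c powershell -enc AAAA" + b"\x00" * 20
# The same sample with its encoded payload re-encoded: one token changed,
# which is enough to change the file's hash.
VARIANT = KNOWN_BAD.replace(b"AAAA", b"AAAB")
BENIGN = b"MZ\x90\x00" + b"Hello, world. A normal text payload." + b"\x00" * 20
# A sample whose body is uniformly distributed bytes, as a packed file would look.
PACKED = b"MZ\x90\x00" + bytes(range(256)) * 4

# Signature database: SHA-256 digests of samples already identified as malicious.
SIGNATURE_DB = {hashlib.sha256(KNOWN_BAD).hexdigest()}


def signature_match(data: bytes) -> bool:
    """Classic AV check: exact-hash lookup against known-bad digests."""
    return hashlib.sha256(data).hexdigest() in SIGNATURE_DB


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; values near 8.0 suggest packing or encryption."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


# Heuristic rules (constructed): substrings that are unusual inside a plain
# executable, each with a weight. Real products use far richer rule sets.
HEURISTIC_RULES = [
    (b"powershell -enc", 3),
    (b"cmd.exe /c", 2),
]
ENTROPY_THRESHOLD = 7.0
BLOCK_THRESHOLD = 3


def heuristic_score(data: bytes) -> int:
    """Sum the weights of matching rules; add 2 for a packed-looking body."""
    score = sum(weight for pattern, weight in HEURISTIC_RULES if pattern in data)
    if shannon_entropy(data) > ENTROPY_THRESHOLD:
        score += 2  # weak evidence on its own, so it cannot reach BLOCK_THRESHOLD alone
    return score


def classify(data: bytes) -> str:
    """Signature check first (cheap and exact), heuristics second."""
    if signature_match(data):
        return "blocked:signature"
    if heuristic_score(data) >= BLOCK_THRESHOLD:
        return "blocked:heuristic"
    return "allowed"


if __name__ == "__main__":
    samples = [("known_bad", KNOWN_BAD), ("variant", VARIANT),
               ("benign", BENIGN), ("packed", PACKED)]
    for name, sample in samples:
        print(f"{name:10} signature={signature_match(sample)!s:5} "
              f"heuristic={heuristic_score(sample)} -> {classify(sample)}")
```

Running the block shows the known sample blocked by signature, the variant missed by the signature but blocked by heuristics, the benign sample allowed, and the packed sample scoring below the block threshold on entropy alone.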
Over time, heuristic analysis and other AV software advancements were still not able to keep up with the rapid changes in attackers’ strategies and motives, requiring additional protection capabilities to provide comprehensive endpoint protection. Solution providers modified their offerings to incorporate new tools – creating a class of software security products called Endpoint Protection Platforms (EPP).
These platforms generally included tools like personal firewall, host intrusion prevention systems, application whitelisting, encryption, patching and data loss prevention – in conjunction with AV. The combination of these capabilities created deeper protection layers and security controls for safeguarding enterprise endpoints from different types of security threats.
Traditional AV vendors such as Symantec, Trend Micro, Kaspersky and Sophos remain major players in the EPP space, and while their EPP solutions and others' have been far more successful than traditional AV, threat actors have continued to accelerate the variety and severity of attacks. Due to the bad actors' efforts, detection events have reached a pace that is often too fast for a human to evaluate in real time, ushering in the use of Artificial Intelligence and Machine Learning in the form of Endpoint Detection and Response (EDR) solutions.
(Machine learning is a subset of artificial intelligence. There are many great online resources explaining these technologies, so I won’t attempt it here.)
Not all EDR tools work in the same manner or offer the same capabilities, but all solutions have the same purpose: to provide a means for continuous monitoring and analysis to identify, detect, and prevent advanced threats.
EDR solutions monitor endpoint and user behaviors (EUBA), along with user, system, and network events. They process this data locally or on a centralized management platform to compare it to baseline behaviors or databases of known Indicators of Compromise (IOC) to recognize threats and rapidly respond to attacks.
Most are purpose-built to utilize cloud-based analytics and threat intelligence to enable a dynamic, proactive approach to endpoint security, so that only the most pressing issues need to be escalated for human attention and analysis. Numerous EDR products are available today, including those from vendors such as Carbon Black, Crowdstrike, Cybereason, Digital Guardian, and FireEye, to name a few.
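The two comparisons an EDR makes (events against a behavioral baseline, and artifacts against a database of Indicators of Compromise) and the escalation of only the pressing results can be sketched in a few lines. This is an added example, not code from the article or from any EDR product it names: the clean learning window, the IOC hash feed, the process-creation events and the host names are all constructed, and the alert severities and response actions are assumed. The baseline here is simply the set of parent/child process pairs observed on healthy hosts; an event whose pair was never seen is escalated for an analyst, while an IOC hash match is rated higher and gets an automated host-isolation action.

```python
from typing import Optional

# Constructed "learning window": parent/child process pairs observed on healthy
# hosts. An EDR builds its behavioral baseline from telemetry like this.
CLEAN_WINDOW = [
    ("explorer.exe", "winword.exe"),
    ("explorer.exe", "chrome.exe"),
    ("services.exe", "svchost.exe"),
    ("explorer.exe", "winword.exe"),
]

# Constructed IOC feed: SHA-256 digests of known-bad binaries (placeholder values).
IOC_HASHES = {"deadbeef" * 8}

# Constructed telemetry as an EDR agent might report it (process-creation events).
EVENTS = [
    {"host": "ws-01", "parent": "explorer.exe", "image": "winword.exe", "sha256": "11" * 32},
    {"host": "ws-01", "parent": "winword.exe", "image": "cmd.exe", "sha256": "22" * 32},
    {"host": "ws-02", "parent": "services.exe", "image": "svchost.exe", "sha256": "33" * 32},
    {"host": "ws-02", "parent": "explorer.exe", "image": "updater.exe", "sha256": "deadbeef" * 8},
]

SEVERITY_RANK = {"high": 0, "medium": 1}


def learn_baseline(pairs) -> set:
    """Baseline = the set of parent/child pairs seen during the clean window."""
    return set(pairs)


def evaluate(event: dict, baseline: set, iocs: set) -> Optional[dict]:
    """Return an alert for a suspicious event, or None when it matches normal behavior."""
    if event["sha256"] in iocs:
        # Known-bad artifact: high confidence, so respond automatically.
        return {**event, "severity": "high", "reason": "ioc_hash_match",
                "action": "isolate_host"}
    if (event["parent"], event["image"]) not in baseline:
        # Never-seen behavior: suspicious but ambiguous, so a human decides.
        return {**event, "severity": "medium", "reason": "unbaselined_parent_child",
                "action": "escalate_to_analyst"}
    return None


def triage(events, baseline: set, iocs: set) -> list:
    """Evaluate every event but surface only alerts, most severe first, so the
    analyst sees the pressing cases rather than the raw event stream."""
    alerts = [a for a in (evaluate(e, baseline, iocs) for e in events) if a]
    return sorted(alerts, key=lambda a: SEVERITY_RANK[a["severity"]])


if __name__ == "__main__":
    for alert in triage(EVENTS, learn_baseline(CLEAN_WINDOW), IOC_HASHES):
        print(alert["severity"], alert["host"], alert["parent"], "->", alert["image"],
              alert["reason"], alert["action"])
```

Of the four events, two are silently accepted as baseline behavior and two become alerts: the IOC match on ws-02 first, then the unbaselined winword.exe to cmd.exe launch on ws-01. A real product would enrich the baseline with user, network and system events and tune thresholds per host, but the shape of the decision is the same.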
As new EDR vendors and endpoint security solutions come to market, cyberattacks on endpoints continue to increase in number and complexity. And, as organizations continue their digital transformation, they offer a larger attack surface for the bad guys. Gartner estimates that we will see 20 billion connected devices by 2020, but only 40 million endpoints have EDR solutions deployed today. As threats and defenses continue to evolve, security practitioners must understand endpoint security capabilities to determine the best solution for their business moving forward.
This solution may include decisions on whether EPP is a necessity that should be augmented with EDR, or whether EDR alone is enough. It is important that they understand how all aspects of the endpoint security solution (features, usability, integration, value, etc.) fit into their overall security strategy.
About the author
Joshua Brant is our Cyber Security Strategist; he focuses on helping customers identify gaps and achieve security goals. Prior to joining LRS, Joshua served for years as Chief Information Security Officer for a manufacturing corporation. He holds multiple certifications in the area of Information Security, including CISSP, CISM, CEH and CCISO.