Endpoint Security - Antivirus, EPP & EDR

Anandadip Mandal
6 min read · Dec 25, 2020

Endpoint threat landscape

Cybercriminals relentlessly target end-user devices such as desktops, laptops, mobile devices, and Internet of Things (IoT) devices to gain entry into the corporate network. Endpoints are compromised in numerous ways and often become the attacker's gateway into the corporate environment. It is an undeniable fact that end-user protection and endpoint security are among the most crucial aspects of cybersecurity. Such protection is critical because the majority of successful network breaches traverse compromised endpoints, ranging from an individual falling for phishing or a malware download to more sophisticated threats such as DDoS, macro payloads, or script exploits. To defend against such threats, endpoint security tools have become an essential ingredient of modern IT security.

Endpoint Security Tool

Traditionally, endpoint security solutions have relied on antivirus, cryptographic protocols, NAC, and various traffic monitoring tools. Modern endpoint security tooling includes EPP/EDR solutions that protect the myriad endpoint devices used by an organization. Many endpoint security tools also integrate endpoint management capabilities that allow the discovery, provisioning, updating, and troubleshooting of endpoint devices connecting to the enterprise network from a central location. There are also mobile threat defense (MTD) solutions that focus solely on securing mobile devices.

Some of the threats that endpoint security tools deal with:

Human faults:

  • Phishing attempts
  • Suspicious websites
  • Malware ads
  • Ransomware
  • Drive-by downloads
  • Outdated patches
  • Data loss and theft

Advanced attacks:

  • DDoS
  • Macro and script exploits
  • Botnet attacks
  • Memory-based or file-less attacks
  • Advanced persistent threats

Protection with Antivirus

Traditionally, antivirus (AV) software has been considered sufficient to protect an organization's endpoints, together with cryptographic protocols that encrypt emails, files, and other crucial data. AV software scans computers for malware, quarantines infected files, and then removes them from the machine. AV offers three kinds of scans to detect malware:

  • Signature scan: AV compares the hash of each program against its database of known signatures. If it matches a known malicious program, the file is quarantined and deleted.
  • Heuristic scan: this scan is based on a program's behavior and is useful for identifying unknown malware that is not yet in the AV vendor's database. When the program starts, it is also launched side by side in a sandbox for behavioral analysis. If suspicious actions are observed, such as deleting files or spawning a large number of processes, the program is quarantined and the user is notified.
  • Integrity scan: at regular intervals, and whenever a file is modified, AV starts a new scan to ensure that files have not been corrupted by malicious code.

The advantage of an AV solution is that it is inexpensive, relatively easy to configure and use, and provides just enough protection for workstations in occasional use.
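
As an added illustration (not code from the original post), here is a minimal Python version of the signature and integrity scans described above: a constructed known-bad digest set, chunked SHA-256 hashing of files, a baseline of trusted hashes, and a demo that also shows why a one-byte change to a known sample slips past a pure hash signature. All file names and contents are constructed for the example.

```python
import hashlib
import os
import tempfile

# Constructed content standing in for one known malicious file. A real AV ships a
# database of many such digests; this single entry is for illustration only.
SAMPLE_BAD_CONTENT = b"CONSTRUCTED-MALICIOUS-SAMPLE"
KNOWN_BAD_SHA256 = {hashlib.sha256(SAMPLE_BAD_CONTENT).hexdigest()}

def sha256_of_file(path):
    """Hash a file in 64 KiB chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def signature_scan(paths):
    """Signature scan: return the files whose digest matches a known-bad entry."""
    return [p for p in paths if sha256_of_file(p) in KNOWN_BAD_SHA256]

def build_baseline(paths):
    """Integrity scan, step 1: record the trusted digest of every watched file."""
    return {p: sha256_of_file(p) for p in paths}

def integrity_scan(baseline):
    """Integrity scan, step 2: return files that changed or vanished since the baseline."""
    return [p for p, h in baseline.items()
            if not os.path.exists(p) or sha256_of_file(p) != h]

def demo():
    """Run both scans over constructed files in a temp directory and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, bad, variant = (os.path.join(tmp, n) for n in ("report.txt", "invoice.exe", "invoice2.exe"))
        with open(clean, "wb") as fh:
            fh.write(b"quarterly numbers")
        with open(bad, "wb") as fh:
            fh.write(SAMPLE_BAD_CONTENT)
        with open(variant, "wb") as fh:  # same sample plus one byte: new hash, so no signature match
            fh.write(SAMPLE_BAD_CONTENT + b"\x00")
        signature_hits = signature_scan([clean, bad, variant])
        baseline = build_baseline([clean, bad])
        with open(clean, "ab") as fh:     # simulate later tampering with the clean file
            fh.write(b"<injected>")
        os.remove(bad)                    # simulate the flagged file being removed
        changed = integrity_scan(baseline)
        return {"signature_hits": [os.path.basename(p) for p in signature_hits],
                "changed_since_baseline": [os.path.basename(p) for p in changed]}
```

The variant file is the point of the demo: an integrity scan still notices the changed and missing files, but a hash-only signature never sees the one-byte variant.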

Limitations of AV

Since its inception, AV has evolved considerably in detecting and neutralizing viruses and malware. Modern AV suites can defend against threats such as ransomware, adware, spyware, and other kinds of malicious software. However, the fundamental technology of AV software has not really changed. New functionality is simply layered on top, resulting in a heavy footprint in memory and other computational resources.

The biggest limitation of AV software is its inadequacy in detecting malware whose signature is not listed in its database. AV software is ineffective against file-less attacks, where the malware does not rely on traditional executable files and instead abuses tools built into the operating system to carry out the attack. Then there are zero-day vulnerabilities, where the attacker releases malware before the AV vendor has had the opportunity to create a patch for the vulnerability. Real-time malware detection and defense against network-borne attacks have never been a focal point for typical AV software.

Endpoint protection platform

Endpoint protection platforms (EPP) aim to guard against conventional malware, ransomware, file-less attacks, and zero-day vulnerabilities. EPPs typically provide passive endpoint protection using tools such as data encryption (potentially with some data loss prevention capabilities), antivirus, and a firewall protecting the endpoint. EPP retains traditional antivirus features such as signature and heuristic scans and adds more advanced capabilities such as:

  • Behavioral analysis: EPP solutions can establish an operational baseline of endpoint behavior using machine learning and identify behavioral anomalies relative to that baseline.
  • Static analysis: program binaries are analyzed for malicious traits using machine learning algorithms.
  • Memory monitoring: checks in real time that a program is not corrupting the memory of the system or of another program.
  • Whitelisting and blacklisting: access control capabilities such as blacklisting and whitelisting applications, URLs, ports, and IP addresses, typically delivered through a firewall, whitelisting tools, and monitoring tools.
  • Verification of indicators of compromise: identifies traces of files or registry keys that could be linked to a previously known attack.

The advantage of EPP over AV is that it can be cloud-managed and therefore has a smaller footprint on the device. A good cloud-assisted EPP solution relieves endpoint devices from having to store the threat database in local memory.

Limitations of EPP

EPP software passively protects endpoints with minimal supervision from the security team and offers barely any insight into endpoint activity. The downside of this approach is that, with EPP solutions that focus solely on prevention, the security team is unable to actively hunt threats, investigate breaches, and respond to incidents.

Endpoint detection and response

Endpoint detection and response (EDR) solutions are designed to compensate for the limitations of EPP. EDR provides visibility and operational tools that let security teams detect, investigate, and respond to breaches that make it past the EPP defenses. These may include new malware strains, newly discovered zero-day exploits, and other vulnerabilities that are not yet part of the EPP's threat database.

Most EDR solutions offer four key capabilities:

  • Threat detection: detection abilities similar to those of EPP solutions. In addition, an EDR solution provides a trail of forensic evidence about threat behavior that reveals the detailed scope and scale of an attack.
  • Security incident containment: EDR provides visibility into potential attacks and threats and monitors them in real time. This helps the security team cut off an attack in its nascent stages and contain the breach at the endpoint.
  • Incident response: real-time visibility and alerts about security incidents, with prioritization of flagged incidents, enable the security team to respond and remediate faster.
  • Incident investigation: EDR collects comprehensive data on potential attacks from endpoints and builds a central repository that greatly facilitates forensic investigation and incident response.

How EDR Works

  1. Unlike an EPP solution, which protects each endpoint in isolation, EDR aggregates incident data from multiple endpoints to provide context for quarantine and remediation.
  2. It usually runs on a client-server model in which software agents installed on each host continuously monitor data and report potential threats. The endpoint data collected by the agents is stored in a centralized database for further analysis, investigation, or reporting.
  3. EDR depends on behavioral analysis, AI/ML algorithms, and cyber threat intelligence to analyze and detect threats. As in EPP, the machine-learning-assisted behavioral analysis in EDR identifies suspicious behavior of a user or a program, such as spawning a large number of processes, accessing registry keys, or running system administration tools. Thanks to the autonomous, self-learning ability of AI/ML, EDR can more efficiently detect and stop cyber threats such as malware, ransomware, viruses, and file-less attacks. EDR also uses cyber threat intelligence (CTI) to its advantage. CTI is human intelligence: security researchers continuously learn about and provide intelligence on newer types of viruses, malware, and other threats.
  4. EDR systems are designed to be compatible with, and integrate with, other security tools. This integrated approach lets you correlate network, endpoint, and SIEM data, providing centralized security monitoring of threats across all endpoints in the network.
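
As an added example (not code from the original post), the following Python sketch ties the behavioral baseline of EPP described earlier to the EDR agent model just described: spawn counts per parent process are learned from a quiet period, a detector flags bursts above that baseline and any access to a watched autostart registry key, and a central correlation step shows which hosts raised the same alert. The host names, process names, and event records are constructed telemetry, not real agent logs.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev
WINDOW = 60  # seconds; child-process starts are counted per parent process per window
WATCHED_KEYS = (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",)  # autostart location
BASELINE = [  # constructed agent telemetry (host, time_s, process, event, detail); not real logs
    ("ws01", 5, "explorer.exe", "spawn", "notepad.exe"),
    ("ws01", 70, "explorer.exe", "spawn", "chrome.exe"),
    ("ws01", 80, "explorer.exe", "spawn", "outlook.exe"),
    ("ws02", 10, "winword.exe", "spawn", "splwow64.exe"),
    ("ws02", 90, "winword.exe", "spawn", "splwow64.exe"),
]
LIVE = (  # later telemetry: a macro-style burst from Word on two hosts, then a registry access
    [("ws01", 1000, "explorer.exe", "spawn", "teams.exe")]
    + [("ws02", 1200 + i, "winword.exe", "spawn", "powershell.exe") for i in range(6)]
    + [("ws02", 1210, "powershell.exe", "registry", WATCHED_KEYS[0])]
    + [("ws03", 1300 + i, "winword.exe", "spawn", "powershell.exe") for i in range(5)]
)

def spawn_counts(events):
    """Count child-process starts per (host, parent process, time window)."""
    counts = Counter()
    for host, t, proc, event, _ in events:
        if event == "spawn":
            counts[(host, proc, t // WINDOW)] += 1
    return counts

def learn_baseline(events):
    """Per parent: threshold = mean + 3*stdev of spawns per window (stdev floored at 1)."""
    per_parent = defaultdict(list)
    for (_, proc, _), n in spawn_counts(events).items():
        per_parent[proc].append(n)
    return {p: mean(v) + 3 * max(pstdev(v), 1.0) for p, v in per_parent.items()}

def detect(events, baseline, default_threshold=3.0):
    """Flag spawn bursts above the baseline and any access to a watched registry key."""
    alerts = []
    for (host, proc, win), n in spawn_counts(events).items():
        if n > baseline.get(proc, default_threshold):
            alerts.append((host, proc, f"{n} children in window {win}"))
    for host, _, proc, event, detail in events:
        if event == "registry" and detail in WATCHED_KEYS:
            alerts.append((host, proc, f"touched {detail}"))
    return alerts

def correlate(alerts):
    """Central view across endpoints: which hosts raised alerts for the same process."""
    hosts = defaultdict(set)
    for host, proc, _ in alerts:
        hosts[proc].add(host)
    return {p: sorted(h) for p, h in hosts.items()}
```

Running `correlate(detect(LIVE, learn_baseline(BASELINE)))` shows the same Word spawn burst on ws02 and ws03, which is the cross-endpoint context an isolated EPP agent cannot provide.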

Comparing EPP and EDR Solutions

EDR is based on the "assumption of breach": it is used once a breach has already occurred, whereas EPP can prevent threats before they strike the endpoint. The two types of endpoint protection are complementary. Many vendors combine the two approaches into one holistic security solution, with EPP vendors adding EDR capabilities to their products and vice versa.

Holistic endpoint security should consider all possible endpoint risks, so EPP-EDR products are often used in tandem with other endpoint security tools, such as device management and tracking solutions, to protect against threats like device loss, physical theft, or social engineering.

Beyond endpoint security?

EDR solutions are not very effective at countering breaches where threat actors have already sneaked into an organization's network. For example, BIOS-level malware can dodge EDR, and its activity may not be captured in logs. In such cases, one should consider NDR tools, which can spot the malicious actor as soon as it starts interacting with another system on the network.

EPP-EDR solutions do not focus on the network, servers, cloud, or SaaS applications. If you are curious about security techniques that can protect your entire cyberspace, check out my next blog on NDR & XDR.

Anandadip Mandal

Technology evangelist | Building next-generation cloud network security products