Let’s get started!
Ready to extend visibility, threat detection and response?
Get a DemoEPP Security: Prevention, Detection and Response at Your Fingertips
November 4, 2019
Last Updated:
November 20, 2024
Share on:
There is a huge proliferation of endpoints in organizations: workstations, corporate mobile devices, Bring Your Own Device (BYOD), container-based resources, cloud servers, and more. All of these are attractive targets for attackers, who can bypass the traditional security perimeter and directly target endpoints.
Until not long ago, an antivirus package was considered state of the art endpoint security. Today, legacy antivirus is still important but is only a small piece of the puzzle. In this article we explain how modern Endpoint Protection Platforms (EPP) and a new EPP Security paradigm can help prevent a wide range of evolving threats, as well as allow teams to detect and react to breaches on endpoints across the enterprise via EDR security technology.
To learn how to move beyond EPP with Extended Detection and Response (XDR) solutions, click here.
What is EPP?
Endpoint Protection Platforms (EPP) are defined by Gartner as:
“A solution deployed on endpoint devices to prevent file-based malware attacks, detect malicious activity, and provide the investigation and remediation capabilities needed to respond to dynamic security incidents and alerts.”
EPP Prevention Features
The first part of the definition – “a solution to prevent malware …” is the next logical step after traditional antivirus. EPP aims to prevent and block a wide range of threats, by providing:
- Next-Generation Antivirus (NGAV) – detects and blocks new types of malware, and malware that evades detection by modifying its binary signature.
- User and Event Behavioral Analytics – to detect anomalous or suspicious behavior on an endpoint, and other measures to block evolving threats.
- Application control, browser control and whitelisting – restricts and blocks certain applications and websites on the endpoint.
- Device control and compliance – enables security teams to remotely control endpoints, gather data from endpoints for auditing, investigation and compliance purposes, and enforce policies.
- Sandbox – an isolated location on the device where potential malware can be contained, analyzed and “detonated” in a way that does not threaten the rest of the device.
Tips From the Expert
- Leverage dynamic whitelisting for evolving environments
Traditional whitelisting can become outdated and cumbersome. Use dynamic whitelisting powered by machine learning to adapt to evolving environments, automatically updating trusted applications and processes while blocking newly detected threats. - Enable proactive threat hunting via integrated EDR
Look beyond prevention and enable proactive threat-hunting capabilities with integrated EDR. This allows your security team to investigate anomalies and uncover sophisticated threats that may evade traditional detection methods, leveraging endpoint data in real time. - Leverage dynamic whitelisting for evolving environments
Traditional whitelisting can become outdated and cumbersome. Use dynamic whitelisting powered by machine learning to adapt to evolving environments, automatically updating trusted applications and processes while blocking newly detected threats. - Enable proactive threat hunting via integrated EDR
Look beyond prevention and enable proactive threat hunting capabilities with integrated EDR. This allows your security team to investigate anomalies and uncover sophisticated threats that may evade traditional detection methods, leveraging endpoint data in real-time. - Optimize automated responses for rapid containment
Configure automated responses tailored to your environment, such as isolating infected endpoints, blocking specific IPs, or terminating malicious processes. These automated actions can drastically reduce response times, preventing the lateral spread of threats. - Incorporate behavioral monitoring for early-stage detection
Utilize user and entity behavior analytics (UEBA) within your EPP to detect deviations from normal behavior patterns. This allows you to catch insider threats, compromised credentials, or stealthy attackers who might bypass traditional prevention measures. - Integrate deception techniques into your EPP strategy
Deploy deception elements such as honeypots, fake credentials, or decoy systems to lure attackers away from real assets. Integrating deception within your EPP adds a layer of proactive defense, allowing you to gather intelligence and detect threats earlier in the attack chain. - Configure automated responses tailored to your environment, such as isolating infected endpoints, blocking specific IPs, or terminating malicious processes. These automated actions can drastically reduce response times, preventing the lateral spread of threats.
- Incorporate behavioral monitoring for early-stage detection
Utilize user and entity behavior analytics (UEBA) within your EPP to detect deviations from normal behavior patterns. This allows you to catch insider threats, compromised credentials, or stealthy attackers who might bypass traditional prevention measures. - Integrate deception techniques into your EPP strategy
Deploy deception elements such as honeypots, fake credentials, or decoy systems to lure attackers away from real assets. Integrating deception within your EPP adds a layer of proactive defense, allowing you to gather intelligence and detect threats earlier in the attack chain.
Which Types of Attacks Can EPP Prevent?
The preventive side of an EPP solution can block many types of attacks, including:
- Malware with known attack signatures (detectable by legacy AV)
- Zero-day malware or malware without a known attack signature
- Fileless attacks
- Ransomware
- Exploits of known software vulnerabilities
- Code injection
- Rootkits and backdoors
EPP with EDR for Detection and Response
The second part of the Gartner definition – “provide investigation and remediation capabilities” – talks about Endpoint Detection and Response (EDR) technology, which helps security teams react to incidents that occur on endpoints, gather information and take immediate action to contain and mitigate them.
To many in the industry, EPP is only about preventive measures that can block threats on endpoints. But in Gartner’s holistic definition, EPP also includes EDR.
Preventive EPP vs EDR - What is The Difference?
Keep in mind that in the modern definition of EPP, EPP includes both the preventive aspects and also EDR components that allow security teams to respond if a security breach has also occurred.
The differences between these two parts of EPP solutions can be summarized as follows:
| Preventive EPP is a first-line defense that “just works”, it blocks threats without requiring active involvement from security staff. It focuses on protecting each endpoint individually | EDR helps deal with ongoing attacks that have already occurred. It helps security staff identify and respond to security incidents, by aggregating endpoint data from across the enterprise, and executing automatic or manual actions on the endpoint to mitigate the threat. |
Below we show the main system components of the preventive part of EPP platforms, vs. the EDR part.
| Components of Preventive EPP | Components of EDR |
|---|---|
| Legacy antivirus | Data collection via software agents |
| Next-Generation Antivirus | Detection engine to discover anomalies on the endpoint |
| Device Firewall | Data analytics to identify security incidents |
| Application Control | Threat intelligence |
| Device Control | Automated incident response |
| Sandbox |
How to Choose the Right EPP Solution
Before evaluating EPP solutions, do some research about your needs:
- Take an inventory of your endpoints and understand which operating systems they are running, which are the applications most commonly used by your users.
- Investigate which threats have affected your company and industry in the recent path. Decide if fileless attack prevention and EDR are a priority for you.
- Understand which existing tools you have (for example, firewall, threat intelligence platform, SIEM) and how the EPP solution could integrate with them.
- Understand how many endpoints you have, now and in the foreseeable future, and what will be the license price for EPP, which may depend on capabilities used
Capabilities checklist
Create a checklist and identify, for each of the vendors you are evaluating, who has the points below that are most significant you:
| Infrastructure Capabilities | Prevention Capabilities |
|---|---|
|
|
Learn more in our detailed guide to advanced endpoint protection.
Endpoint Protection—Prevention, Detection and Protection with Cynet 360
Cynet 360 is a security solution that includes a complete Endpoint Protection Platform (EPP), including Next-Generation Antivirus (NGAV), device firewall, advanced EDR security capabilities and automated incident response. The Cynet solution goes beyond endpoint protection, offering network analytics, UEBA and deception technology.
Cynet’s platform includes:
- NGAV—blocks malware, exploits, LOLBins, Macros, malicious scripts, and other known and unknown malicious payloads.
- Zero-day protection—uses User and Entity Behavior Analytics (UEBA) to detect suspicious activity and block unknown threats.
- Monitoring and control—asset management, endpoint vulnerability assessments and application control, with auditing, logging and monitoring.
- Response orchestration—automated playbooks and remote manual action for remediating endpoints, networks and user accounts affected by an attack.
- Deception technology—lures attackers to a supposedly vulnerable honeypot, mitigating damage and gathering useful intelligence about attack techniques.
- Network analytics—identifying lateral movement, suspicious connections and unusual logins.
Learn more about the Cynet 360 security platform.