Keeping Your Organization Safe With Endpoint Protection

May 9, 2022

• A unified approach to advanced endpoint management, behavioral analytics and secure configuration monitoring positions an organization to better identify real threats, reduce time to response and move left in the kill chain.
• The forensic capabilities of secure configuration management and monitoring provide the data needed to help fortify the infrastructure and harden resources against future attack.

Last year alone, endpoint devices played a major role in both malware and ransomware attacks. According to a WatchGuard Threat Lab study, security researchers detected more malware and ransomware endpoint infections in the first nine months of 2021 than they did for all of 2020. The study also notes that as hybrid workforces become the norm, having a strong perimeter will no longer be enough to mitigate threats.

What Are EPP and EDR?

Given these findings, it’s imperative that organizations take a hard look at their endpoint defenses and harden their systems. They can do so using Endpoint Protection (EPP) and Endpoint Detection Response (EDR) – both protect computer networks that are remotely bridged to client devices. EPP and EDR play a critical role in reducing the risk of successful attacks that exploit weakly configured endpoints and systems. These solutions provide real-time notification of potential cyberattacks and help with remediating misconfigurations.

Responding to Change

Change is a constant in IT environments. That said, not all change is created equal. In fact, there are a few different kinds of change that IT and security teams need to be aware of on an ongoing basis.

Internal planned changes: With an internal planned change, IT and security teams approve certain modifications to systems and processes. This commonly takes the form of teams implementing vendor fixes to improve device performance and security.

Internal unplanned changes: Not every internal change occurs with the approval of IT and security. For instance, an administrator might make a mistake on an upgrade or patch that should not be delivered. Alternatively, an IT user might change the system inadvertently or use unapproved changes to complete a work-related task.

External changes: External changes come from outside the organization. As such, they generally lack the oversight of IT and security and typically pose a threat to the organization. For example, an external change occurs when malware infects an endpoint device and uses the compromised asset to phone home to its command-and-control (C2) server.

IT networks continue to grow in complexity and it’s not always clear what each change means, or even how many changes are occurring each day on endpoint devices. This poses a major challenge and can leave organizations in a reactive posture in the event of an attack. More time required to respond can result in prolonged downtime, damage to the organization’s business reputation, etc.

Implementing EPP/EDR

EPP helps stop known and unknown viruses and malware from infecting an endpoint device and spreading into the network. EDR is the next evolution of EPP. It often includes additional functionality, such as behavioral analytics, user monitoring, anti-virus and detection and response capabilities.

Both EPP and EDR help IT and security teams to answer important questions, such as “is there known malware on the device?” and “are there new applications on the device?” They can then use this information to reduce the risk of downtime, intellectual property theft or ransomware infection. It also improves the ability to automatically respond to a threat when it inevitably happens.

EPP/EDR as Part of a Multi-Faceted Security Approach

Not all EPP/EDR vendors are the same. For example, many endpoint protection vendors check devices for malware based on a list of known threats. This approach can work for knocking down simple attacks, but it’s not enough for advanced persistent threats (APT). The leading EPP/EDR vendors provide an added layer by using behavioral analytics to watch how a system behaves and to alert when it starts acting differently.

Organizations also need a security strategy that complements EPP/EDR with secure configuration management (SCM). Automated configuration monitoring elevates the security and alerting capabilities of EPP solutions by automating the verification process, checking configurations in real time and reporting on the when, who and why context of changes. These capabilities drive detection of the three different types of endpoint changes discussed above.

A unified approach to advanced endpoint management, behavioral analytics and secure configuration monitoring positions an organization to better identify real threats, reduce time to response and move itself to the left in the kill chain. The forensic capabilities of secure configuration management and monitoring provide the data needed to help fortify the infrastructure and harden resources against future attack.