Endpoint security in 2024 has advanced significantly from its “antivirus” days, when a tool had a signature of known malicious code and sounded the alarm upon detecting it.
Like stand-up comedians and retired athletes, today’s endpoint-security platforms are looking to do more acting.
Added endpoint security features like “detection and response” watch for suspicious behaviors (why is that Word doc running a script?) and initiate remediation (stop that script!).
As Chris Silva, VP analyst at market-intelligence firm Gartner, puts it: We’ve moved from passive tools to active passive tools.
“Tools that are going to look for behaviors and patterns, and as soon as something looks like it is moving in a direction that doesn't make sense, some action can be taken,” Silva told IT Brew.
What’s EPP, doc?
The National Institute of Standards and Technology defines an “endpoint protection platform” (EPP) as “safeguards implemented through software to protect end-user machines such as workstations and laptops against attack.” NIST’s examples:
- Antimalware: Software that scans for known signatures of malicious code.
- Personal firewalls: Tools restricting ports and services on a device.
- Host-based intrusion detection and prevention systems: An “application that monitors the characteristics of a single host,” detecting and stopping suspicious actions.
“What has changed has been the fact that we no longer see some of the biggest threats, things like ransomware, tying back to just a bad application,” Silva said. (IBM’s 2024 report, for example, found that stolen credentials led to 16% of its studied breaches.)
Gartner defines an endpoint protection platform (EPP) as “security software designed to protect managed endpoints—including desktop PCs, laptop PCs, mobile devices and, in some cases, server endpoints—against known and unknown malicious attacks.” The software agents, deployed to endpoints, connect to centralized security analytics and management consoles.
One standard feature, according to Gartner’s definition: “Integrated endpoint detection and response (EDR) functionality enabling raw telemetry collection, detection customization, post-incident investigation and remediation.”
EPP contains two parts, Silva explained:
- The passive protection, which blocks known malicious applications and behaviors.
- The active detection capabilities, or EDR. These combine signals from the OS, applications, and user behavior to provide a picture for a security operations center (SOC) pro to validate.
Today’s vendors often provide protection tools as their base feature and offer the “EDR” at higher license levels.
Where the ‘wild’ things are
Bill Holmberg, director of IT at trucking company Wayne Transports, employs EDR to detect “out-of-bounds” behavior—say, newly installed software receiving an update from a suspicious IP address.
“This is cloud-based, and maybe hybrid-based, on prem, where it's actually getting telemetry from an agent on every endpoint, and it's saying, ‘All endpoints are clean! Nothing to see here, chief!’” Holmberg said.
Some malware sneaks by the EPP’s protective mechanisms. Maybe an email contains a zip file that has no known “bad” code, but the unzipped attachment has an image with embedded script code in its metadata or pixels. Basic endpoint protection packages might miss that level of malware burial, Paddy Harrington, senior analyst, security and risk at Forrester, told IT Brew.
EDR looks for malicious patterns, he said, and asks: Why is this image running a script?
“The EPP gets most stuff. EDR is designed to run on top of that, and get everything that is missed, those behaviors that nobody has thought of yet, the things that are truly wild and out there,” Harrington told us.
EDR analyzes an endpoint’s telemetry—connected IP addresses, access locations, password-change attempts, for example—to enforce automated actions (set up by an IT team) or provide alerts for an IT team to investigate.
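The behaviors quoted above (a Word document spawning a script, newly installed software calling out to a suspicious address, repeated password-change attempts) map naturally onto rules run over agent telemetry. The following is an added illustration written for this article, not code from any vendor, Gartner, Forrester or the companies quoted: a toy rule engine that evaluates constructed telemetry events and separates automated responses from alerts left for a SOC analyst, the two outcomes the paragraph describes. Event field names, the `Policy` thresholds, the blocklist and the sample events are all assumptions; IP addresses come from the RFC 5737 documentation ranges.

```python
"""Toy EDR rule engine over endpoint telemetry (added example, not a vendor's code).

Constructed events stand in for agent telemetry: process creation,
outbound connections, and password-change attempts.
"""
from dataclasses import dataclass, field

# Parent/child pairs that rarely have a benign reason on a workstation (assumed lists).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}


@dataclass
class Policy:
    """Tunables an IT team would set in the management console (constructed values)."""
    blocklisted_ips: set = field(default_factory=set)
    new_install_window_min: int = 60   # a binary installed this recently counts as "new"
    max_pw_change_attempts: int = 3    # attempts per (host, user) tolerated before alerting


@dataclass
class Detection:
    rule: str
    severity: str   # "high" -> automated response, "medium" -> alert for SOC review
    action: str     # "terminate", "isolate", or "alert"
    event: dict


def check_process(ev: dict, policy: Policy):
    """Office application spawning a script interpreter: the 'why is that Word doc running a script?' case."""
    if ev["parent"].lower() in OFFICE_APPS and ev["image"].lower() in SCRIPT_HOSTS:
        return Detection("office_app_spawned_script", "high", "terminate", ev)
    return None


def check_network(ev: dict, policy: Policy):
    """Outbound connection checks: a known-bad destination, or a freshly installed binary reaching an unrecognised one."""
    if ev["dest_ip"] in policy.blocklisted_ips:
        return Detection("connection_to_blocklisted_ip", "high", "isolate", ev)
    if ev["image_age_min"] <= policy.new_install_window_min and not ev["dest_known"]:
        return Detection("new_binary_unknown_destination", "medium", "alert", ev)
    return None


def evaluate(events: list, policy: Policy) -> list:
    """Run every event through the rules; password-change attempts are counted per host and user."""
    detections = []
    pw_attempts = {}
    for ev in events:
        hit = None
        if ev["type"] == "process":
            hit = check_process(ev, policy)
        elif ev["type"] == "network":
            hit = check_network(ev, policy)
        elif ev["type"] == "password_change_attempt":
            key = (ev["host"], ev["user"])
            pw_attempts[key] = pw_attempts.get(key, 0) + 1
            # Fire exactly once, on the first attempt past the threshold, so the SOC gets one ticket.
            if pw_attempts[key] == policy.max_pw_change_attempts + 1:
                hit = Detection("repeated_password_change_attempts", "medium", "alert", ev)
        if hit is not None:
            detections.append(hit)
    return detections


def actions_taken(detections: list) -> dict:
    """Count automated responses versus alerts handed to a human."""
    summary = {"automated": 0, "alert": 0}
    for d in detections:
        summary["alert" if d.action == "alert" else "automated"] += 1
    return summary


# Constructed sample telemetry and policy.
SAMPLE_POLICY = Policy(blocklisted_ips={"198.51.100.9"})
SAMPLE_EVENTS = [
    {"type": "process", "host": "WS-042", "parent": "explorer.exe", "image": "chrome.exe"},
    {"type": "process", "host": "WS-042", "parent": "WINWORD.EXE", "image": "powershell.exe"},
    {"type": "network", "host": "WS-017", "image": "updater.exe", "image_age_min": 5,
     "dest_ip": "203.0.113.7", "dest_known": False},
    {"type": "network", "host": "WS-017", "image": "sync.exe", "image_age_min": 900,
     "dest_ip": "198.51.100.9", "dest_known": False},
    {"type": "network", "host": "WS-017", "image": "updater.exe", "image_age_min": 3,
     "dest_ip": "192.0.2.10", "dest_known": True},
] + [
    {"type": "password_change_attempt", "host": "WS-099", "user": "bholm", "location": "unknown"}
    for _ in range(4)
] + [
    {"type": "password_change_attempt", "host": "WS-100", "user": "jdoe", "location": "HQ"},
]

if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS, SAMPLE_POLICY)
    for d in found:
        print(f"[{d.severity}] {d.rule} on {d.event['host']} -> {d.action}")
    print(actions_taken(found))
```

The split between `severity` and `action` is the point: the high-confidence rules (Office app spawning a script host, connection to a blocklisted address) carry an automated response, while the weaker signals only raise an alert, which is exactly where the article's warning about needing someone on hand to act applies. The new-binary rule deliberately stays quiet when the destination is already known, so that routine updaters do not flood the queue.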
Where we EDR now
Other endpoint-protection technologies (and acronyms!) aim to protect an org’s growing number of endpoints. Mobile threat defense (MTD) products address corporate handheld devices, and XDR, or extended detection and response, tools extend to assets like cloud workloads, data repositories, and gateways.
Endpoint protection platforms aren’t always on-point protection platforms. Sophos recently discovered how one ransomware group undid EDR capabilities. Even a working EPP tool requires support services—someone ready to act on the warnings.
“Even if they have that expertise in-house, that expertise works normal business hours, and we know that greater than 50% of exploits take place off business hours,” Silva said.
A “future concept” that Harrington sees emerging with endpoint protection involves understanding not just expected and unexpected code behavior, but expected and unexpected user behavior. Emerging detection capabilities, he said, could learn an employee’s usual work process, and provide alerts when an employee acts outside of the profile—say, if an employee accesses a surprising application-development tool or file repo.
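The user-behavior idea Harrington describes can be sketched with a simple per-user baseline. This is an added illustration written for this article, not Forrester's model or any product's logic: it counts which applications and repositories each user has touched in a history window, then scores new access events as normal, anomalous, or still in a learning period. The minimum baseline size, the "seen at least twice" threshold, the user names and the event records are all constructed assumptions; the learning state exists because a new hire with three events of history would otherwise alert on everything they do.

```python
"""Toy user-behavior baseline for EDR-style anomaly alerts (added example, not a product's code)."""
from collections import Counter, defaultdict

MIN_BASELINE_EVENTS = 10   # fewer events than this and the user is still being profiled (assumed)
MIN_SEEN = 2               # a resource seen fewer times than this in the baseline is unusual (assumed)


def build_baseline(history: list) -> dict:
    """Count, per user, how often each (kind, resource) pair was accessed during the history window."""
    baseline = defaultdict(Counter)
    for ev in history:
        baseline[ev["user"]][(ev["kind"], ev["resource"])] += 1
    return baseline


def score_event(baseline: dict, ev: dict) -> tuple:
    """Return (status, detail) where status is 'ok', 'anomaly', or 'learning'."""
    profile = baseline.get(ev["user"])
    total = sum(profile.values()) if profile else 0
    if total < MIN_BASELINE_EVENTS:
        # Not enough history to judge; suppress rather than page the SOC on every click.
        return "learning", f"only {total} baseline events for {ev['user']}"
    seen = profile[(ev["kind"], ev["resource"])]   # Counter returns 0 for unseen keys
    if seen >= MIN_SEEN:
        return "ok", f"{ev['resource']} seen {seen} times before"
    return "anomaly", f"{ev['user']} accessed {ev['kind']} {ev['resource']} (seen {seen} times in baseline)"


def run(history: list, events: list) -> list:
    """Build the baseline once, then score each new event; returns the list of statuses."""
    baseline = build_baseline(history)
    return [score_event(baseline, ev)[0] for ev in events]


# Constructed history: an accounting user, a developer, and a new hire with almost no history.
HISTORY = (
    [{"user": "amy", "kind": "app", "resource": "erp-web"}] * 20
    + [{"user": "amy", "kind": "app", "resource": "excel.exe"}] * 15
    + [{"user": "amy", "kind": "repo", "resource": "sharepoint:finance"}] * 8
    + [{"user": "dev1", "kind": "app", "resource": "vscode"}] * 25
    + [{"user": "dev1", "kind": "repo", "resource": "git:payments-service"}] * 30
    + [{"user": "newhire", "kind": "app", "resource": "outlook"}] * 3
)

# Constructed new events to score against that history.
NEW_EVENTS = [
    {"user": "amy", "kind": "app", "resource": "excel.exe"},              # routine
    {"user": "amy", "kind": "repo", "resource": "git:payments-service"},  # accounting user in a code repo
    {"user": "dev1", "kind": "repo", "resource": "git:payments-service"}, # routine for the developer
    {"user": "newhire", "kind": "app", "resource": "vscode"},             # too little history to judge
    {"user": "ghost", "kind": "app", "resource": "erp-web"},              # no history at all
]

if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    for ev in NEW_EVENTS:
        status, detail = score_event(baseline, ev)
        print(f"{status:8} {detail}")
```

The same repository access is "ok" for the developer and an "anomaly" for the accounting user, which is the whole point of profiling people rather than applications. In practice the baseline would also need to age out old entries and handle legitimate role changes, which is part of why Harrington calls this "the chaotic world of people."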
That kind of behavioral EDR could add a new chapter and acronym to a decades-long timeline of endpoint-security products.
“It just so happens, we're taking the things that are easy to identify with applications and going into the chaotic world of people,” Harrington told us.