When considering endpoint security strategies, it’s incredibly common to have an endpoint protection platform (EPP) in place. Let’s face it – antivirus (AV) is the OG endpoint security solution. Over the years, these tools have evolved into next-generation antivirus (NGAV) and endpoint detection and response (EDR). What that really means is that vendors have added machine learning (ML) and artificial intelligence (AI) to boost the automation and analytics capabilities used to identify and block malware. But let’s simplify this alphabet soup – we’re talking about an agent that sits in the kernel with the intention of blocking malware.
Let’s take a look at three different perspectives on this strategy: how cyber attackers, users, and IT administrators each see it.
Cyber attackers expect these solutions to be in place. EPP and EDR tools are pretty good at blocking basic attacks, and the added ML/AI has helped to detect some never-before-seen malware too, but a sophisticated attacker will easily bypass these walls. For example, an attacker can target unpatched vulnerabilities or the core operating system of the device. An attacker who gains a foothold on the machine through one of these attacks may not be blocked by an EPP/EDR tool at all.
Users are all used to operating on laptops with some variation of these tools running. Haven’t we all been in the middle of updating a spreadsheet or responding to an email when an antivirus tool pops up with an “update” notification? While we know these tools are helping in the background, they are annoying and cause disruptions and downtime.
IT administrators have their own list of challenges with these solutions. Historically, these solutions have been offered as multiple agents that bloat the device and reduce performance. Many of these tools require hands-on maintenance, continuous fine-tuning, and even dedicated security analysts to interpret results and take action when necessary. On the bright side, EPP/EDR vendors are coming out with lighter agents and even agentless solutions, as well as service offerings like threat hunting that add value to the overall solution.
THE BOTTOM LINE
You should never turn your back on an “OG.” There’s a reason EPP solutions are so prevalent: they work at blocking attacks and reducing the noise for security teams. However, they won’t stop persistent attackers, and they carry significant operational overhead.
We’d love to hear your thoughts! How are you benefiting from EPP/EDR? What combination of tools are you using?