How to Choose an Endpoint Protection Platform (EPP)

What is an Endpoint Protection Platform (EPP)?

Organizations operating a large number of endpoints, such as employee workstations and mobile devices, must establish an endpoint security strategy. Typically, a key part of this strategy is the use of endpoint protection platforms (EPP), solutions that protect endpoints against malware and other malicious activity. EPPs also offer the investigation and remediation capabilities required to respond rapidly to security incidents.

Endpoint protection platforms provide multiple detection tools that range from standard indicator of compromise (IoC) solutions to more advanced behavioral analysis techniques based on machine learning. Modern solutions are cloud-based, covering endpoints both on the corporate network and outside the corporate perimeter.

EPPs typically provide cloud-based threat data, meaning that endpoint agents do not need to maintain local IoC databases. Instead, they refer back to a constantly-updated cloud resource to obtain context on security events.

Why is Endpoint Protection Important?

Most endpoint protection platforms employ one or more layers of defense. Defense in depth is a concept that now guides most organizational IT security mechanisms. It establishes multiple layers of defense, so that even if attackers succeed in breaching one or more layers of security, additional layers exist, deeper within the perimeter, to mitigate the threat.

Automated detection uses patterns and correlation engines and, in modern platforms, machine learning-based behavioral analysis. If the detection layer does not detect a risk, a second layer within the EPP uses custom prevention policies, such as whitelists and blacklists, to prevent execution of malicious software or software containing vulnerabilities.

In this way, EPP can hinder basic endpoint threats independently, leaving security analysts free to hunt down advanced threats using endpoint detection and response (EDR) technology, which is commonly bundled as part of EPP solutions.
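The two-layer flow described above (automated detection first, custom prevention policy second), as an added sketch that is not taken from this article or from any EPP product. Every hash, path, publisher name and rule in it is constructed for illustration.

```python
# Added illustration: two-layer EPP verdict (detection, then prevention policy).
# All hashes, paths, publishers and rules below are constructed for this example.
from dataclasses import dataclass

@dataclass(frozen=True)
class ExecEvent:
    sha256: str
    path: str
    publisher: str  # signer name, "" if unsigned
    parent: str     # image name of the parent process

# Layer 1a: IoC set (stands in for the cloud threat-data lookup).
KNOWN_BAD_HASHES = {"a" * 64}
# Layer 1b: one behavioural pattern, an Office application spawning a script host.
OFFICE_PARENTS = {"winword.exe", "excel.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe"}
# Layer 2: custom prevention policy (path blocklist, publisher allowlist).
BLOCKED_PATH_PREFIXES = ("c:\\users\\public\\",)
ALLOWED_PUBLISHERS = {"Example Corp IT"}

def detect(ev):
    """Detection layer: return a reason string, or None if nothing matched."""
    if ev.sha256 in KNOWN_BAD_HASHES:
        return "ioc-hash-match"
    image = ev.path.lower().rsplit("\\", 1)[-1]
    if ev.parent.lower() in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        return "office-spawned-script-host"
    return None

def policy(ev):
    """Policy layer: blocklist is checked before the allowlist."""
    if ev.path.lower().startswith(BLOCKED_PATH_PREFIXES):
        return "blocklisted-path"
    if ev.publisher not in ALLOWED_PUBLISHERS:
        return "publisher-not-allowlisted"
    return None

def verdict(ev):
    """Return (action, layer, reason); policy runs only if detection is silent."""
    reason = detect(ev)
    if reason:
        return ("block", "detection", reason)
    reason = policy(ev)
    if reason:
        return ("block", "policy", reason)
    return ("allow", "none", "passed-both-layers")

if __name__ == "__main__":
    ev = ExecEvent("b" * 64, "C:\\Users\\Public\\tool.exe", "", "explorer.exe")
    print(verdict(ev))
```

The returned layer name records which control stopped the execution, which is the kind of data behind the "events detected and prevented" metrics a management console reports.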

How Do EPP Solutions Work?

One of the biggest threats to endpoints is malware. Malware can come from many sources, but most often, it infects a machine when a user clicks a link or opens a malicious email attachment. Once in the environment, malware tries to infect as much data and as many processes as possible.

A main goal of endpoint protection platforms (EPP) is to protect endpoints by preventing malware from entering the environment. Just as firewalls prevent unauthorized network access, EPP solutions can block malware and other known threats on endpoints.

Antimalware protection has evolved beyond legacy antivirus. Modern malware is evasive and often cannot be detected by traditional, signature-based approaches. For this reason, modern EPP utilizes a combination of advanced anti-malware features, including:

  • Behavioral analysis—machine learning capabilities allow endpoint protection platforms to analyze large amounts of data, to determine whether files have the potential to be malicious, or exhibit unusual behavior, even if not detected as malware.
  • Threat intelligence—by integrating with cloud-based threat intelligence databases, EPPs can automatically block known malicious elements with up-to-date data on billions of threats, threat actors and traffic sources.
  • Sandbox—allows endpoint protection platforms to quarantine suspicious files in a secure environment. In this environment, the endpoint protection platform can safely detonate a file and monitor its characteristics, without risking damage to other parts of the system.

How to Choose an Endpoint Protection Platform

Here are a few key features you should evaluate when selecting an EPP solution.

Multiple Threat Detection and Remediation Approaches

An EPP platform should include several integrated detection and remediation solutions. These should cover:

  • Anti-malware signature scanning
  • Web-browser security
  • Threat vector blocking for fileless malware
  • Credential theft monitoring
  • Rollback remediation

Platforms are increasingly employing endpoint detection and response (EDR) and data loss prevention (DLP) for both threat detection and remediation. Whereas EDR effectively monitors endpoint events, collating the data for future analysis, DLP prevents leaking sensitive data from the organization’s servers.

Real-Time Threat Data

EPPs should provide a comprehensive, constantly updated database of threats and threat actors. This data can be used directly to prevent attacks (as in malware and attack patterns), or can be correlated with other data to detect and block sophisticated attacks. Prefer a vendor that has an independent security research team, but also pulls data from other sources to increase coverage.

Integration Framework

Endpoint protection needs to integrate with other parts of the security stack. Third-party products may provide intrusion prevention, DLP, EDR, and other capabilities. The EPP solution also needs to be able to integrate with systems that provide data about endpoints outside the corporate network—for example, mobile device management (MDM) and cloud monitoring systems.

Centralized Management

An EPP solution should provide a single pane of glass providing visibility into all endpoints and related security tools. There should be one interface enabling configuration, alert management, visibility into security incidents, and endpoint protection metrics across the enterprise, such as number of security events detected and prevented.

EPP vs EDR Solutions

Endpoint detection and response (EDR) provides an additional line of defense after EPP preventative measures. EDR assumes a breach is underway. It conducts behavior-based detection and gives security analysts the tools to respond to a security incident on endpoints.

A few key differences between the two types of solutions:

  • EPP presents a more passive approach, while EDR is proactive
  • EPP operates without supervision, while EDR must be operated by expert security staff
  • EPP focuses on each endpoint in isolation, while EDR aggregates data from across the entire enterprise, detecting threats that affect multiple endpoints

Ideally, organizations should employ EDR and EPP together. While EPP provides comprehensive protection for a wide range of threats, when breaches do happen, the tools provided by EDR are essential for detecting and mitigating the threat in time.
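An added example, not from the article or any EDR product, of the third difference above: correlating execution events across endpoints to surface a binary that looks unremarkable on each host alone. The log format, hostnames, hashes and thresholds are assumptions made for the example.

```python
# Added illustration: enterprise-wide correlation of endpoint events.
# Hostnames, hashes, timestamps and thresholds are constructed for this example.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed telemetry, one event per line: "timestamp host event sha256".
# Each host sees a single unknown binary, which is unremarkable per endpoint.
SAMPLE_LOG = """\
2024-05-01T09:00:05 ws-011 exec 1111aaaa
2024-05-01T09:02:40 ws-027 exec 1111aaaa
2024-05-01T09:03:10 ws-027 exec 2222bbbb
2024-05-01T09:07:55 ws-102 exec 1111aaaa
2024-05-01T13:30:00 ws-011 exec 3333cccc
2024-05-02T10:00:00 ws-040 exec 3333cccc
"""

def parse(log):
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip lines that do not have exactly four fields
        ts, host, event, sha = parts
        yield datetime.fromisoformat(ts), host, event, sha

def correlate(log, min_hosts=3, window=timedelta(minutes=15)):
    """Return {sha: sorted hosts} for binaries executed on at least
    min_hosts distinct hosts inside one sliding time window."""
    by_hash = defaultdict(list)
    for ts, host, event, sha in parse(log):
        if event == "exec":
            by_hash[sha].append((ts, host))
    findings = {}
    for sha, seen in by_hash.items():
        seen.sort()
        start = 0
        for end in range(len(seen)):
            # Shrink the window from the left until it spans <= `window`.
            while seen[end][0] - seen[start][0] > window:
                start += 1
            hosts = {h for _, h in seen[start:end + 1]}
            if len(hosts) >= min_hosts:
                findings[sha] = sorted(hosts)
                break
    return findings

if __name__ == "__main__":
    print(correlate(SAMPLE_LOG))
```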

Enhancing Endpoint Security with Hysolate

Hysolate Workspace provides a fully isolated and secured VM on your Windows 10 endpoint device, so you can work productively on your host operating system while access to your company’s sensitive systems and data stays secured and protected.

Workspace is installed on user endpoints, but is managed from the cloud, so you can quickly and easily deploy it and scale it across your company, customizing policies for each team and their needs. Unlike cloud-based traditional VDI or DaaS solutions, Workspace provides a great native user experience, with no lag or latency issues, even when using communication and productivity applications like Slack and Zoom.

This improves endpoint security as enterprise access is done exclusively from within an isolated corporate OS, while risky activities happen on another separate OS, without the need to monitor personal/private user activity or to fully manage the user’s device.
