What Is an Endpoint?
An endpoint is any device that resides at the end point of a network connection and can communicate on that network. This includes desktops and laptops, servers, mobile devices, IoT technology, and more. In short, an endpoint is anything on your network that can receive and transmit data.
Endpoint Cybersecurity Risks
Endpoints pose a difficult challenge to an organization’s IT and security teams. The make and model of endpoints vary widely, as does the operating system, the apps or programs installed on them, and the security habits of each endpoint user. The rise of hybrid work has increased these challenges, as endpoints have become more mobile than ever before.
Common attack types leveraged by cybercriminals against endpoints include phishing, ransomware, and malware. Endpoints are also frequently lost or left unattended, offering threat actors ample opportunity for exploit.
What is Endpoint Security?
Endpoint security, also known as endpoint protection, is an umbrella term for a larger subset of technologies with varying approaches to how they monitor and safeguard these end devices.
In this entry, we’ll focus specifically on a recent development in this space — endpoint detection and response, or EDR.
What is Endpoint Detection and Response?
Developed to overcome the limitation of antivirus, the original endpoint security tool, endpoint detection and response (EDR) records critical activity like process executions, command line activity, running services, network connections, and file manipulation on endpoints to observe behaviors and flag suspicious ones that fall outside the normal behavior.
This is where the “detection” part of EDR comes in.
When a suspicious action occurs, the EDR agent installed on the endpoint will trigger an alert, letting the security professional know that something potentially malicious has been detected. The idea being that — although the attack itself may change — the behavior of malicious software and malicious actors often remains the same.
Additionally, EDR allows the security professional to act once a detection has occurred — the “response” part of endpoint detection and response. While features vary by vendor, most include the ability to isolate the host system from the rest of the network to prevent the attack from spreading to other endpoints in the environment.
Beyond the isolation capability, some vendors offer more advanced responses including terminating processes or killing services. The ability to take these actions on an endpoint should be approached cautiously as there are situations where they may result in additional harm to the host system or business operations.
Limitations of EDR
Although EDR drastically improves on the flaws of antivirus, it is not without some drawbacks of its own. It places an outsize emphasis on detection of threats rather than the prevention of them, recording the actions taking place on the endpoint and triggering an alert when suspicious activity is detected.
Unfortunately, detection alone does not guarantee that the threat is mitigated.
Consider an environment that utilizes EDR but has limited security staff. This staff may be tasked with validating and responding to a high volume of alerts. This results in a delay between the time an alert is generated and the time an analyst responds to it. This is known as alert fatigue and can be hugely detrimental to an organization.
EDR vs. Endpoint Protection Platforms (EPP)
Endpoint Protection Platforms (EPP) were developed to build off what was seen as the best benefits of EDR and antivirus. EPPs record actions occurring on the endpoint in the same fashion as EDR. These actions are then processed against a database of known suspicious behaviors in near real-time, as with antivirus.
When it is assumed that a malicious action is about to occur, the EPP agent will interfere and prevent the threat from executing.
Prevention is the key differentiator between EDR and EPP. Where some EDRs may include the ability to develop specific preventions, it is primarily a reactive tool, designed to record endpoint activity and detect potential threats. EPP takes the proactive approach of focusing on prevention. In this way it often only records enough activity to allow it to decide if an action should be prevented from executing.
By following this approach, EPP can prevent a range of both malware and actions attempted by threat actors.
This is not to say that there are no potential drawbacks to EPP, however. There is a balance that these platforms must find between preventing legitimate actions that simply appear suspicious versus allowing threats to run for fear of preventing business activities from being executed.
In many cases these platforms will allow the customer to set their own standards for prevention. This can result in some environments lowering their prevention threshold, resulting in greater cyber risk.