If your professional inbox looks anything like mine, it’s likely inundated with marketing and sales emails from endpoint protection vendors discussing their solution and how it will protect you from the latest threats. The acronyms used will vary depending on what the solution does and how it protects the endpoint, but one thing they all have in common is they exist to protect the endpoint from malware.
In this blog post, I’ll attempt to help you understand what these terms mean and the differences between them, and I’ll touch on why a solid endpoint protection solution is invaluable to have as part of your security stack.
Why the Need?
If you read about cybersecurity best practices or have attended any talks on cybersecurity, you’re likely familiar with the concept of security in layers. Without going into too much detail, you’re essentially looking to place as many protective layers as possible between the sensitive information that you have and the attackers trying to exfiltrate, delete, or encrypt it.
Mail protection, firewalls, and DNS filters are a few common solutions that organizations use to protect themselves. While these are all important and necessary, it’s difficult to beat the benefits of having a solid endpoint protection solution. For example, unless you’re doing SSL/TLS deep inspection on your firewall, you cannot see the contents of anything coming across via HTTPS. With endpoint protection, there’s no need to inspect the traffic in transit, since it has already been decrypted by the time it reaches the endpoint. Another example is the supply chain attacks that have been in the headlines lately. No amount of mail protection, firewalls, or DNS filters will protect organizations from disaster should they be hit with an attack that arrives through an update pushed by a vendor. Some of the more advanced types of endpoint protection can stop these attacks.
Types of Endpoint Protection
Since endpoint protection comes in various forms, it’s important to understand the differences between solutions to know what type you want for your organization.
Traditional AV (Antivirus)
Signature-based solution that detects malware using signatures pushed down by the vendor.
- Easy to deploy
- Susceptible to new variants of malware and zero-day attacks
- Ineffective against fileless attacks
- Scans can consume a lot of local resources
NGAV (Next Generation Antivirus)
Uses a combination of AI (Artificial Intelligence) and ML (Machine Learning). Focused on prevention.
- Ability to protect against fileless attacks
- No need to update signatures
- More tuning needed up front than traditional AV (more false positives)
- If something gets past the NGAV and you don’t also have an EDR solution accompanying it, then you’ve been breached
- Difficult to correlate across multiple endpoints to understand the entire scope of an attack
EDR (Endpoint Detection and Response)
Provides additional capabilities beyond an NGAV solution to protect the endpoint. Focused on protection.
- Widely supported across applications, services, and websites
- Some solutions provide real-time protection from threats that make it past AV or NGAV
- Threat Hunting capabilities
- Remediation capabilities to remove malware from a centrally managed console
- Best when combined with an NGAV
- Only sees security information from the endpoint’s perspective
XDR (eXtended Detection and Response)
An advancement upon EDR. Also gathers data from sources outside the endpoint (NAC, NGFW, WAF, etc.).
- Currently offers the most visibility when it comes to correlating security information
- Automation to reduce workload on security staff
- Pricier than EDR solutions
- Additional planning and implementation time is necessary to set up tie-ins to products outside of the endpoint
Signature-based AV solutions still provide some protection to organizations, but with the evolution of threats, it’s hard to say how long they’ll continue to offer peace of mind. As you can see from the comparison above, pure NGAV solutions do have some holes and are best when combined with an EDR solution. XDR solutions are the latest and greatest. They provide many of the benefits of an EDR solution but expand upon it by incorporating security information from other components outside of the endpoints.
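As an added illustration (not part of the original post or any vendor’s product), the following Python runs constructed process telemetry from three hypothetical hosts through a hash-signature check and a behavioral rule, then summarizes the results the way an EDR console would across endpoints; every host name, hash, and command line is made up.

```python
"""Added example: signature matching vs. behavioral detection over endpoint
telemetry, and the cross-endpoint view an EDR/XDR console provides."""
import hashlib

# Constructed process-start events from three hypothetical hosts (not real IoCs).
EVENTS = [
    {"host": "ws-01", "parent": "outlook.exe", "image": "powershell.exe",
     "cmdline": "powershell -enc QUJD", "file_bytes": b"dropper-v1"},
    {"host": "ws-02", "parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell -w hidden -enc QUJD", "file_bytes": b"dropper-v1-repacked"},
    {"host": "ws-03", "parent": "explorer.exe", "image": "notepad.exe",
     "cmdline": "notepad.exe notes.txt", "file_bytes": b"notepad"},
]

# Signature pushed down by the vendor: the hash of the one sample it has seen.
KNOWN_BAD_HASHES = {hashlib.sha256(b"dropper-v1").hexdigest()}

# Office applications that have no business launching a script host.
OFFICE_APPS = {"outlook.exe", "winword.exe", "excel.exe"}


def signature_hits(events):
    """Traditional AV: flag only exact hash matches. The repacked variant on
    ws-02 has a different hash, so it is missed until a new signature ships."""
    return [e["host"] for e in events
            if hashlib.sha256(e["file_bytes"]).hexdigest() in KNOWN_BAD_HASHES]


def behavior_hits(events):
    """NGAV/EDR-style rule: an Office app launching PowerShell with an encoded
    command is suspicious whatever the file hash, so no signature update is
    needed to catch the variant."""
    return [e["host"] for e in events
            if e["parent"].lower() in OFFICE_APPS
            and e["image"].lower() == "powershell.exe"
            and "-enc" in e["cmdline"].lower()]


def detection_summary(events):
    """Console view: which hosts each detector flagged. Seeing ws-01 and ws-02
    under the same rule is the 'scope of attack' answer that a single endpoint,
    on its own, cannot give."""
    return {"signature": sorted(signature_hits(events)),
            "behavior": sorted(behavior_hits(events))}


if __name__ == "__main__":
    print(detection_summary(EVENTS))
```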
A combination of NGAV and EDR can provide a high degree of protection against today’s threats and therefore is a solid choice. If you have the extra money to spend and are wanting to leverage security information from outside of your endpoints, an XDR solution may be a better fit than a combined NGAV with EDR.
In the end, even the best endpoint protection available will not absolve organizations of the need for layered security. There are still things that endpoint protection can’t protect against, so it remains necessary to keep additional solutions in place to help thwart the attack methods used by threat actors.
Venyu is Here
As always, if you have additional questions or would like someone to discuss endpoint protection solutions in more depth with you, please open a support case using the customer portal or schedule a consultation.