Organizations are coming to the uncomfortable realization that modern attacks routinely get past standard antivirus, leaving endpoints exposed to infection and compromise. That is why many people think of endpoint protection platforms (EPP) as "AV 2.0". A common assumption is that once the saying "AV is dead" took hold, the AV vendors simply rebooted the same products under a new acronym. That isn't quite the case. Leading security software providers looked at why people believed AV was dead and adjusted accordingly. The primary change was a shift in focus from signature-based protection to software that protects endpoints based on the events happening on them, but neither approach works without a security operations center monitoring and managing the activity.
As mentioned, EPP solutions have capabilities that traditional AV does not, including:
- Threat prevention (blocking malware without relying on a signature)
- Automatic protective actions in response to an event, such as file quarantine and host isolation
- Detecting suspicious activity on the machine based on behavior rather than signatures
Today, customers need advanced, next-generation endpoint protection backed by a Security Operations Center to alert on, investigate, and help remediate advanced threats. To get off the wheel of compromise and cleanup, you need the right technology and an accountable team to ensure the technology is properly deployed, configured and managed, which is easier said than done. You need a managed Endpoint Protection Platform that replaces traditional AV, provides advanced capabilities, integrates with a SIEM, and comes with 24x7 expert SOC support to stop threats.
What Your EPP Must Include:
When it comes to vetting EPP solutions or managed EPP services, it's important to make sure the solution has the following capabilities and features:
The ability to block known and unknown threats. This means blocking threats not just based on their signature but on what they are doing. Some examples include:
- Blocking communications to known malicious IPs (such as command and control infrastructure).
- Blocking attempts to remove or alter the EPP software without your approval.
- Blocking events based on the behavior a process is attempting.
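To make the difference between signature-based and behavior-based blocking concrete, here is an added example in Python (it is not code from the original page or from any vendor's product). It runs the three checks listed above over a constructed stream of endpoint events and compares the result with a hash-only, AV-style check. The bad-hash list, the C2 address 203.0.113.45 (from the TEST-NET-3 documentation range), the service name eppagent, the Office-application and script-host lists, and the sample events are all hypothetical.

```python
from collections import defaultdict
from dataclasses import dataclass

# All indicators below are constructed for this example, not real threat intel.
KNOWN_BAD_HASHES = {"c" * 64}                    # stands in for an AV signature list
KNOWN_C2_IPS = {"203.0.113.45"}                  # hypothetical command-and-control address
EPP_SERVICES = {"eppagent"}                      # hypothetical name of the EPP's own service
TAMPER_ACTIONS = {"stop", "disable", "delete"}
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "mshta.exe", "wscript.exe"}


@dataclass
class Event:
    kind: str            # "process", "network" or "service"
    pid: int
    image: str           # executable that generated the event (lowercase file name)
    sha256: str = ""     # hash of the image (process events only)
    parent: str = ""     # parent image (process events only)
    dest_ip: str = ""    # destination address (network events only)
    service: str = ""    # target service (service events only)
    action: str = ""     # what was attempted on the service (service events only)


def signature_verdicts(events):
    """AV-style check: a process is blocked only if its file hash is already known bad."""
    return {e.pid for e in events if e.kind == "process" and e.sha256 in KNOWN_BAD_HASHES}


def behavior_verdicts(events):
    """EPP-style check: decide from what the process does; no hash match required.

    Returns {pid: [reason, ...]} for every process that triggered at least one rule.
    """
    reasons = defaultdict(list)
    for e in events:
        # Rule 1: outbound connection to a known malicious IP (C2 traffic).
        if e.kind == "network" and e.dest_ip in KNOWN_C2_IPS:
            reasons[e.pid].append(f"c2-communication:{e.dest_ip}")
        # Rule 2: attempt to stop, disable or remove the EPP agent itself.
        elif e.kind == "service" and e.service in EPP_SERVICES and e.action in TAMPER_ACTIONS:
            reasons[e.pid].append(f"epp-tamper:{e.action}:{e.service}")
        # Rule 3: suspicious behavior, an Office application spawning a script host.
        elif e.kind == "process" and e.parent in OFFICE_APPS and e.image in SCRIPT_HOSTS:
            reasons[e.pid].append(f"office-spawns-script-host:{e.parent}->{e.image}")
    return dict(reasons)


def blocklist(events):
    """Union of both approaches: what a platform using signatures plus behavior would block."""
    return signature_verdicts(events) | set(behavior_verdicts(events))


# Constructed sample event stream. pid 101 has a hash no signature list has seen,
# but its behavior trips all three rules; pid 103 is a known-bad file.
SAMPLE_EVENTS = [
    Event("process", 100, "winword.exe", sha256="d" * 64),
    Event("process", 101, "powershell.exe", sha256="e" * 64, parent="winword.exe"),
    Event("network", 101, "powershell.exe", dest_ip="203.0.113.45"),
    Event("service", 101, "powershell.exe", service="eppagent", action="stop"),
    Event("process", 102, "notepad.exe", sha256="f" * 64),
    Event("process", 103, "dropper.exe", sha256="c" * 64),
]


if __name__ == "__main__":
    print("signature-only blocks:", sorted(signature_verdicts(SAMPLE_EVENTS)))
    for pid, why in behavior_verdicts(SAMPLE_EVENTS).items():
        print(f"behavior blocks pid {pid}:", ", ".join(why))
    print("combined blocklist:", sorted(blocklist(SAMPLE_EVENTS)))
```

The hash-only check passes pid 101 entirely, because the PowerShell binary is legitimate and nothing in the sample has a bad hash except the dropper. The behavior rules catch it three times over. A real EPP would act on each event as it happens (drop the connection, refuse the service change, kill the child process) rather than scoring after the fact, but the decision logic is the same.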
Ability to integrate with other solutions: As mentioned above, endpoint security is not a stand-alone solution. It should be able to communicate with other technologies and teams. Some examples include:
- Sending alerts to a ticketing system
- Sending log data to a SIEM
- Sending activity to a network monitoring solution
- Integration with vulnerability management systems
Ability to work with, or add on, Endpoint Detection and Response (EDR) capabilities. The system needs advanced capabilities to threat hunt, detect advanced threats, and record and store system behavior. You will need this capability at some point, so picking an EPP solution that offers it (either as an add-on or integrated with another solution) is imperative.
Ability to quarantine files and machines: When an event is in progress, sometimes the best course of action is to isolate the file, or the whole machine, from the rest of the network.
Backed by a SOC and SIEM 24x7x365: When you vet EPP as a managed service, it should integrate with a SIEM solution backed by a team of security experts in a Security Operations Center who monitor your endpoints 24x7x365 and are available for support and remediation.
Benefits of EPP
When you choose the right EPP solution provider for your organization, not only will it help you secure your endpoints from cyber threats, but you'll also see several positive outcomes that benefit your organization, including:
- Full visibility into your corporate endpoints, with access to them whenever you need it.
- Peace of mind knowing a security expert is managing your endpoints 24x7x365 and will alert you if a threat is detected and blocked.
- Direct integration with a Security Information and Event Management (SIEM) tool.
- No disruption to your current IT environment.