Antivirus was the first, and is still the primary, endpoint protection technology in Endpoint Protection Platforms (EPP). Over the last twenty years many other components have been added to EPP, such as anti-malware, anti-spyware and personal firewalls, but most of these components are never even installed. Even with the added technologies there are still endpoint protection gaps, primarily because EPP is reactive: it relies on stored information or static rules to identify a threat. A threat can only be identified if it is already in the current database, so the EPP is really only as good as its last update. Static methodologies simply lack the flexibility to address modern-day threats, and attackers bypass solutions such as EPP with ease.
Because of these gaps, EPP requirements are changing. Gartner and other analyst firms believe EPP needs greater flexibility and must include Endpoint Detection and Response (EDR) capabilities. Traditional EPP, even when it succeeds in blocking a threat, does not give a security professional the means to understand the "who, what and where" of that threat. To gather that type of threat intelligence, an analyst needs complete visibility into every endpoint's activity, processes and timelines, and into the potential relationships between every endpoint in the organization.
As stated, EPP is primarily based on stored pattern and signature files to stop known threats. This is also true of newer “Next Generation AV” (NGAV), which uses machine learning with static rules and policies for threat identification, thus limiting its flexibility. NGAV has no endpoint visibility or threat intelligence to understand a threat actor’s tactics, techniques and procedures, which is necessary to defend against modern threats. As with traditional EPP, machine learning requires updates or new rules to address unknown threats, and unfortunately that only happens after a threat has been discovered and the damage has already been done.
Looking forward, a successful EPP must automate as much of the threat intelligence used for detection and prevention as possible. Effective automation, combined with powerful EDR, means analysts can spend their time investigating threats and improving their defenses instead of only reacting to damage a threat has already done.
Feel free to contact E-SPIN for endpoint protection platform infrastructure, availability monitoring and security management.