Jeremy Matthews, Regional Manager, Panda Security, says there is continued interest from the South African market in the convergence of Endpoint Protection Platforms (EPP) with Endpoint Detection and Response (EDR) solutions to strengthen what is considered the most vulnerable part of the ICT infrastructure.
Matthews was presenting Panda Security's position on the topic of EDR as a subset of endpoint security at the ITWeb Security Summit 2019 hosted in Sandton, Johannesburg this week.
"Traditionally what we've seen happen is lots of expenditure in a whole range of categories of security ... people putting money into perimeter security, identity and access management. And endpoint has become somewhat neglected, we've put antivirus on our endpoints and that's the only defence mechanism that we have on endpoints. Meanwhile, as we know, the whole world is changing and the concept of the perimeter doesn't exist as it used to do," said Matthews.
He cited a Data Breach Investigations Report from Verizon which reflected a timeline of how increasingly endpoints have become the target.
"It kind of makes sense because it is such a vulnerable part of your ICT infrastructure ... so easy for hackers to acquire credentials. Once a hacker has access to an endpoint, he or she can pretty much go anywhere. There are lots of tools that can be used to start escalating privileges, traversing through the organisation, and causing absolute havoc and stealing data IP," he said.
Matthews added that the EDR market is expanding rapidly as the demand for endpoint security increases amid an evolving threat landscape, marked by the proliferation of malware and ransomware.
This is where EDR is being positioned to add the visibility, analysis and telemetry required by businesses to know who or what is behind an attack, and why – which is functionality not built into EPP.
Matthews said while EPP or antivirus is premised on what is known and that is a weakness, it still plays an important role.
"Your EPP, which is the term we commonly use nowadays for antivirus, characteristically it is patent-based, signature-based protection and it is premised typically on blacklisting techniques, and what is known. And of course that is the whole weakness of EPP technologies, is that they are premised on what is known. That said, they still serve a critical role, particularly in terms of dealing with commoditised malware.
"What you'll find is that EPP solutions typically involve a stack of solutions, so it is not just about antivirus... you'll find you've got a personal firewall, you've got device control, web filtering, you've got data loss prevention, it depends on who the vendor is and their particular stack. But the bottom line, in general terms, EPP is a reactive technology and it is about blocking. It doesn't increase the level of protection, it is a kind of shield, a defensive mechanism in what has become a very limited context," Matthews said.
EDR, by comparison, will involve the recording of endpoint process and the ability to rapidly identify indications of attack and compromise, he continued.
One of EDR technology's key characteristics is the monitoring of endpoint processes and looking for policy violations. Another is once an incident is detected, with far deeper telemetry and analysis, is the ability to contain an incident on the endpoint – to isolate the endpoint.
"Ideally still being able to communicate with that endpoint, there's no point in shutting off the endpoint if you can't do anything with it in terms of communication yourselves. We need to be able to investigate incidents, you need the tools to be able to establish indications of compromise – both in technical terms (as far as the technical changes that have occurred on the endpoint) and then critically in business terms, coming through ideally to be able to do attribution to who the adversary is. We really need to know if we're being attacked, by whom and why," said Matthews.
Industry pundits foresee the general convergence of EPP with EDR.
"What we are seeing as a market trend is EPP vendors are now adding EDR capability into their products and interestingly EDR vendors are extending the scope, adding EPP capability. The Gartner prediction is that in not many years' time, we'll see a converging of EDR and EPP technology generally," said Matthews.
As competition increases among IT security vendors – irrespective of their core focus or approach – this will fuel the need to differentiate said Matthews and managed services on technology will become critical, as will delivery.