Endpoint devices played a big part in malware and ransomware attacks in 2021. According to a study covered by Help Net Security, security researchers detected more malware and ransomware endpoint infections in the first nine months of the year than they did for all of 2020. Attack scripts leveraging PowerSploit, PowerWare, and other tools were particularly prevalent in that nine-month period, having grown 10% over the previous year after having already climbed 666% compared to 2019.
Introducing EPP and EDR
In response to the findings discussed above, organizations need to consider upgrading their endpoint defenses. They can do that using endpoint protection platforms (EPP) and endpoint detection and response (EDR). Both are approaches to protecting the computer networks to which client devices are remotely connected. As such, they play a critical role in reducing the risk of successful attacks that exploit weakly configured endpoints and systems. These solutions alert security teams to potential cyberattacks and help with remediating misconfigurations.
Why Do Companies Need EPP or EDR?
Change is a constant in organizations’ IT environments. That said, not all changes are created equal. In fact, there are three different types of changes of which IT and security teams need to be aware on an ongoing basis.
- Internal planned changes: With an internal planned change, IT and security approve certain modifications to systems and processes. This commonly takes the form of personnel implementing vendor fixes to improve their devices’ performance and security.
- Internal unplanned changes: Not every internal change occurs with the approval of IT and security. For instance, an administrator might make a mistake during an upgrade or apply a patch that should not have been delivered. Alternatively, a user might change their system inadvertently or make unapproved changes to complete a work-related task.
- External changes: External changes come from external actors. As such, they generally lack the sanction of IT and security as well as pose a threat to the organization. For example, an external change occurs when malware infects an endpoint device and uses the compromised asset to phone home to its command-and-control (C&C) server.
The issue here is that IT networks are so complex these days that it’s not always clear what each change means, or just how many changes are occurring each day on endpoint devices. This can leave organizations in a reactive posture where they’re struggling to respond to an attack that’s already in progress. More time to respond equates to more downtime, more damage to the organization’s business reputation, and so on.
How EPP/EDR Can Help
EPP stops known and unknown viruses and malware from infecting an endpoint device and spreading into the network. For its part, EDR is the next evolution of EPP. It often includes additional functionality such as behavioral analytics and monitoring and anti-virus, as well as detection and response capabilities.
Both EPP and EDR help IT and security teams to answer important questions such as “Is there known malware on the device?” and “Are there new applications on the device?” Personnel can then use that information to proactively reduce the risk of downtime, of intellectual property theft, and of a ransomware infection. They can also improve their ability to automatically respond to a threat if/when one does occur.
An Important Caveat
Not all EPP/EDR vendors are created equal. As an example, many endpoint protection vendors check devices for malware based on a list of known threats. This can work for knocking down simple attacks, but it’s not enough for advanced persistent threats (APTs).
The leading EPP/EDR vendors also utilize behavioral analytics to watch how a system behaves and to alert when it starts acting “out of the norm.” This helps an organization to identify a previously unknown threat. But since the malware is already causing the device to act out of the norm, teams end up responding later in the kill chain than they should. The malware has already changed the system(s) and is active, weaponized, and likely spreading. Nothing validates that the configuration of the device a user connects from, or the configurations of the protective systems running on it, has not changed.
EPP/EDR as Part of a Layered Security Approach
Organizations need a security strategy that complements EPP/EDR with security configuration management (SCM). That’s where Tripwire comes in. Its automated configuration monitoring solutions elevate the security and alerting capabilities of EPP solutions by automating the verification process, checking configurations in real time, as well as reporting on the when, who, and why context of the change. These capabilities facilitate Tripwire’s ability to detect the three different types of endpoint changes discussed above.
- Internal planned changes: Tripwire can monitor the changes that were made to the systems and validate those changes through API integrations with a ticketing system like Jira or ServiceNow to see if they were planned changes and who initiated them. It also delivers a risk score of the change based on the current vulnerability of the system via API connection to a SIEM.
- Internal unplanned changes: Tripwire delivers the same capabilities as it does for internal planned changes, with the bonus that it can bring systems back to their known good state. This reduces risk, saves IT teams time by not having to support rogue configurations, and improves process management through audit capabilities.
- External changes: Tripwire brings a deep level of understanding, auditing, and reporting to the changes taking place in the enterprise. It uses integrations with SIEMs, SOARs, and ticketing platforms to quickly identify potentially harmful changes, score the risk of those changes, and allow prompt response and recovery to reduce overall risk and to help ensure optimum performance of systems.
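As an added illustration of the change-classification logic described above (example code written for this page, not Tripwire’s product or code), the block below compares a monitored file against a known-good baseline, checks whether the new state matches an approved change ticket, and otherwise sorts the change into the internal-unplanned or external-suspected bucket. The file paths, contents, admin accounts and tickets are all constructed sample data.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed "known good" baseline of monitored config files (hypothetical paths/contents).
BASELINE_CONTENT: Dict[str, bytes] = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/hosts": b"127.0.0.1 localhost\n",
}
BASELINE: Dict[str, str] = {p: sha256(c) for p, c in BASELINE_CONTENT.items()}

# Accounts sanctioned to change these files; any other actor is treated as external.
KNOWN_ADMINS = {"alice", "bob"}

@dataclass
class ChangeTicket:          # stands in for a Jira/ServiceNow record (assumed shape)
    path: str
    approved_hash: str       # hash the file is expected to have after the approved change
    requester: str

@dataclass
class ObservedChange:        # stands in for one file-integrity event from the agent
    path: str
    content: bytes
    actor: str

def classify(change: ObservedChange, tickets: List[ChangeTicket]) -> Tuple[str, str]:
    """Return (category, detail) for an observed file state."""
    observed = sha256(change.content)
    if BASELINE.get(change.path) == observed:
        return ("unchanged", "matches known good baseline")
    for t in tickets:
        if t.path == change.path and t.approved_hash == observed:
            return ("internal-planned", f"approved change requested by {t.requester}")
    if change.actor in KNOWN_ADMINS:
        return ("internal-unplanned", f"unapproved change by admin {change.actor}; restore baseline")
    return ("external-suspected", f"change by unknown actor {change.actor}; restore baseline and escalate")

def restore_content(path: str) -> Optional[bytes]:
    """Known-good content to write back when remediation is chosen (None if not monitored)."""
    return BASELINE_CONTENT.get(path)
```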