Endpoint devices played a large part in malware and ransomware attacks in 2021. According to a study covered by Help Net Security, security researchers detected more malware and ransomware endpoint infections in the first nine months of the year than in all of 2020. Attack scripts that use PowerSploit, Cobalt Strike, and other tools were particularly prevalent in that nine-month period, growing 10% over the previous year after climbing 666% compared to 2019.
Introducing EPP and EDR
In response to the findings discussed above, organizations need to consider upgrading their endpoint defenses. They can do that using Endpoint Protection (EPP) and Endpoint Detection and Response (EDR). Both are approaches to protecting a computer network through the client devices that connect to it remotely. As such, they play a critical role in reducing the risk of successful attacks that exploit poorly configured endpoints and systems. These solutions alert security teams to potential cyberattacks and help remediate incorrect configurations.
Why Do Companies Need EPP or EDR?
Change is a constant in organizations' IT environments. That said, not all changes are made the same. In fact, there are three different types of changes that IT and security teams need to be aware of on an ongoing basis.
- Internally planned changes: In an internally planned change, IT and security approved some specific changes to systems and processes. This is usually in the form of staff implementing vendor fixes to improve the performance and security of their devices.
- Internal unplanned changes: Not all internal changes happen with IT and security approval. For example, an administrator may make a mistake with an upgrade or deliver a patch that should not have been delivered. Alternatively, an IT user may inadvertently modify their system or make unapproved changes to complete a work-related task.
- External changes: External changes come from external actors. As a result, they generally lack IT and security sanction and pose a threat to the organization. For example, an external change occurs when malware infects an endpoint device and uses the compromised asset to phone home to its command-and-control (C&C) server.
The issue here is that IT networks are so complex these days that it’s not always clear what each change means… or how many changes take place each day on endpoint devices. This can leave organizations in a reactive posture where they struggle to respond to an attack that is already taking place. More time to respond equals more downtime, damage to the organization’s business reputation, etc.
How EPP/EDR Can Help
EPP prevents known and unknown viruses and malware from infecting an endpoint device and spreading over the network. In many ways, EDR is the next evolution of EPP. It often includes additional functionality such as behavioral analytics and monitoring, anti-virus, as well as detection and response capabilities.
Both EPP and EDR help IT and security teams answer important questions such as “Is there known malware on the device?” and “Are there new applications on the device?” Staff can then use that information to actively reduce the risk of downtime, of intellectual property theft, and of ransomware infection. They can also improve their ability to automatically respond to a threat if/when it occurs.
An Important Caveat
Not all EPP/EDR vendors are created equal. As an example, many endpoint protection vendors check devices for malware based on a list of known threats. That can work for stopping simple attacks, but it is not enough for advanced persistent threats (APTs).
Leading EPP/EDR vendors also use behavioral analytics to watch how a system behaves and to alert when it starts behaving “out of the ordinary.” This helps an organization identify previously unknown threats. But because the malware is already causing the device to behave abnormally, teams end up responding later than necessary in the kill chain. Malware has altered the system(s) and is active, armed, and likely to spread. No one verifies that the configurations of the devices users are connecting from, and of the systems they operate, have not changed.
EPP/EDR as Part of the Layered Security Approach
Organizations need a security strategy that pairs EPP/EDR with security configuration management (SCM). That’s where Tripwire comes in. Its automated configuration monitoring solutions increase the security and alerting capabilities of EPP solutions by automating the verification process, checking configurations in real time, and reporting on the who, when, and why of each change. These capabilities enable Tripwire to detect the three different types of endpoint changes discussed above.
- Internally planned changes: Tripwire can track changes made to systems and validate those changes through API integrations with a ticketing system like Jira or ServiceNow to see whether they are planned changes and who initiated them. It also delivers a change risk score based on current system vulnerabilities via an API connection to a SIEM.
- Internal unplanned changes: Tripwire delivers the same capabilities as it does for internally planned changes, with the bonus that it can return systems to their known good condition. It reduces risk, saves IT teams time by not having to support rogue configurations, and improves process management through audit capabilities.
- External changes: Tripwire brings a deep level of understanding, auditing, and reporting on changes taking place in the enterprise. It uses integrations with SIEM/SOAR/ticketing platforms to quickly identify potentially harmful changes, mark the risk of those changes, as well as allow immediate response and recovery to reduce overall risk and to help ensure optimum performance of systems.
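The three change categories above, and the way an SCM pass separates them by comparing a configuration baseline against the current state and correlating each difference with approved change tickets and audit attribution, can be illustrated in code. The block below is an added example, not Tripwire's code or API: the file snapshots, the audit attribution, the ticket list, the admin account set and the path criticality weights are all constructed, and the classification rule (ticketed admin change is planned, unticketed admin change is internal unplanned, anything else is external) is a simplification chosen for illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed baseline: path -> file contents at the last approved state.
BASELINE_SNAPSHOT: Dict[str, bytes] = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/sudoers": b"root ALL=(ALL) ALL\n",
    "/etc/hosts": b"127.0.0.1 localhost\n",
}

# Constructed current snapshot of the same endpoint some time later.
CURRENT_SNAPSHOT: Dict[str, bytes] = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\nMaxAuthTries 3\n",
    "/etc/sudoers": b"root ALL=(ALL) ALL\nalice ALL=(ALL) NOPASSWD: ALL\n",
    "/etc/hosts": b"127.0.0.1 localhost\n",
    "/etc/cron.d/updater": b"@reboot root /opt/unknown/run.sh\n",
}

# Constructed audit attribution: which account wrote each changed path
# (None means the write could not be tied to any known account).
CHANGE_ACTORS: Dict[str, Optional[str]] = {
    "/etc/ssh/sshd_config": "svc-deploy",
    "/etc/sudoers": "alice",
    "/etc/cron.d/updater": None,
}

# Constructed approved change tickets; the id is a placeholder.
APPROVED_TICKETS = [
    {"id": "CHG-PLACEHOLDER-1", "path": "/etc/ssh/sshd_config", "requester": "svc-deploy"},
]
ADMIN_ACCOUNTS = {"svc-deploy", "alice"}

# Constructed criticality weights by path prefix; unlisted paths weigh 1.
CRITICAL_PREFIXES = {"/etc/sudoers": 5, "/etc/ssh/": 4, "/etc/cron.d/": 4}
CATEGORY_MULTIPLIER = {"internal-planned": 1, "internal-unplanned": 2, "external": 3}


@dataclass
class ChangeEvent:
    path: str
    kind: str            # "added", "modified" or "removed"
    actor: Optional[str]


def fingerprint(data: bytes) -> str:
    """SHA-256 of file contents; the baseline stores only these digests."""
    return hashlib.sha256(data).hexdigest()


def build_baseline(snapshot: Dict[str, bytes]) -> Dict[str, str]:
    return {path: fingerprint(data) for path, data in snapshot.items()}


def detect_changes(baseline: Dict[str, str], current: Dict[str, bytes],
                   actors: Dict[str, Optional[str]]) -> List[ChangeEvent]:
    """Diff the stored digests against the live snapshot."""
    events = []
    for path, data in current.items():
        if path not in baseline:
            events.append(ChangeEvent(path, "added", actors.get(path)))
        elif fingerprint(data) != baseline[path]:
            events.append(ChangeEvent(path, "modified", actors.get(path)))
    for path in baseline:
        if path not in current:
            events.append(ChangeEvent(path, "removed", actors.get(path)))
    return events


def classify(event: ChangeEvent, tickets, admins) -> str:
    """Map a change to one of the three categories described in the text."""
    ticketed = any(t["path"] == event.path and t["requester"] == event.actor for t in tickets)
    if event.actor in admins and ticketed:
        return "internal-planned"
    if event.actor in admins:
        return "internal-unplanned"
    return "external"


def change_risk(event: ChangeEvent, category: str) -> int:
    """Simple risk score: path criticality scaled by how sanctioned the change was."""
    weight = 1
    for prefix, w in CRITICAL_PREFIXES.items():
        if event.path.startswith(prefix):
            weight = max(weight, w)
    return weight * CATEGORY_MULTIPLIER[category]


def run_scm_pass() -> Dict[str, dict]:
    """One monitoring pass: detect, classify and score every change."""
    baseline = build_baseline(BASELINE_SNAPSHOT)
    report = {}
    for ev in detect_changes(baseline, CURRENT_SNAPSHOT, CHANGE_ACTORS):
        category = classify(ev, APPROVED_TICKETS, ADMIN_ACCOUNTS)
        report[ev.path] = {"kind": ev.kind, "actor": ev.actor,
                           "category": category, "risk": change_risk(ev, category)}
    return report


if __name__ == "__main__":
    for path, info in sorted(run_scm_pass().items(), key=lambda kv: -kv[1]["risk"]):
        print(f"{info['risk']:>3}  {info['category']:<18} {info['kind']:<8} {path}  actor={info['actor']}")
```

In the constructed data the ticketed sshd_config edit scores lowest, the unticketed sudoers edit by a known administrator lands in the internal unplanned bucket, and the new cron entry with no attributable actor is flagged external with the highest score, which is the ordering a SIEM or SOAR integration would use to prioritise response. Note that the unchanged /etc/hosts produces no event at all, which is the point of baselining: only deviations from the known good state generate work.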
Learn more about Tripwire’s endpoint security capabilities.