An Endpoint Protection Platform is an endpoint security capability designed to protect systems from compromise by preventing malicious software from executing. It is important to understand that Endpoint Protection is often used in conjunction with Endpoint Detection and Response (EDR), however they are not synonymous. The primary purpose of an EDR solution is to record events as they occur while also providing a means of threat resolution. In this way, an EDR solution is often associated with current compromises or post exploitation. An Endpoint Protection Platform however is designed as a preventative measure, monitoring all execution attempts and terminating those designated as potentially malicious. Endpoint protection is also often confused with Antivirus software, but is should be noted that an AV engine is just one possible component of an Endpoint Protection Platform.
For any organization, an effective security posture is based around the concept of defense in depth. Multiple layers of defense should be implemented to ensure security even if one layer should fail. Relating to endpoint systems, an Endpoint Protection Platform is often seen as consisting of one of more base defensive layers. Automated preventions can be executed based on a detection engine, such as one powered by machine learning. A second layer of prevention within an EPP could then be based on customized prevention polices to eliminate the risk of unwanted executions that may go undetected by the automated layer. In this way, an effective EPP could prevent the bulk of endpoint threats, freeing security analysts to then conduct threat hunting exercises and respond to more advanced threats via an Endpoint Detection and Response solution.
For many years securing endpoint systems from compromise was accomplished through the use of legacy antivirus software. As technology evolved and the sophistication of attackers increased it became apparent that a more advanced solution was required. Endpoint Protection Platforms were developed to address the changing threat landscape by providing prevention capabilities based on multiple detection mechanisms.
Each EPP vendor has developed their own combination of detection technologies to meet this demand. This can include:
All with the goal of detecting and preventing the execution of both known and unknown threats.
There are many Endpoint Protection vendors on the market, each claiming that their technology is the best at preventing malicious executions. Which technology is truly the best is debatable, however an effective EPP should include certain key capabilities:
