Endpoint Protection Detection & Response
The KuppingerCole Leadership Compass provides an overview of a market segment and the vendors in the Endpoint Protection, Detection & Response (EPDR) market. It covers the trends that are influencing this market segment and the essential capabilities required of solutions in this space. It also provides ratings of how well these solutions meet our expectations. This report covers the previously distinct but now converged fields and product lines of Endpoint Protection (EPP) and Endpoint Detection & Response (EDR).
1 Introduction / Executive Summary
Malware is and will likely continue to be a top threat and thus a top concern among business and IT security professionals. The pace of malware development and delivery has only quickened since the last iteration of this report.
Malware comes in many forms: viruses, worms, rootkits, botnets, file-less malware, ransomware, and crypto-miners are prevalent in the wild. Malware is usually, and almost by definition, an exploitation of an operating system or application vulnerability.
Ransomware attacks are still popular and evolving. Ransomware is a form of malware that encrypts users' data, demanding that ransom be paid for the return of control or for decryption keys. The newest forms of ransomware are deployed similarly to an APT campaign, with staging of ransomware on various machines throughout an enterprise and exfiltration of data prior to ransomware detonation. Needless to say, paying the ransom only emboldens the perpetrators and perpetuates the ransomware problem. Moreover, in many cases the ransomware operators do not provide working decryption keys, so paying the ransom is purely a waste of money. Over the last couple of years, some attackers have used ransomware techniques and payloads for purely destructive purposes too – rather than asking for ransom, these destructive "wiper" ransomware types simply delete or zero out data.
Much of the cybersecurity industry has, in recent years, shifted focus to detection and response rather than prevention. However, in the case of ransomware and wipers, detection is pretty easy because the malware announces its presence as soon as it has compromised a device. That leaves the user to deal with the aftermath. Once infected, the choices are to:
- Pay the ransom and hope that malefactors return control or send decryption keys (not recommended since it doesn't always work and incentivizes criminals)
- Wipe affected machines and restore data from backup
- In the case of wipers, there is no choice but to rebuild from backups
Restoration is sometimes problematic if users or organizations haven't been keeping up with backups, or if backups have been contaminated by malware. Even if backups are readily available, time will be lost in cleaning up the compromised computers and restoring the data. Thus, preventing ransomware infections is preferred. However, no anti-malware product is 100% effective at prevention. It is still necessary to have good, tested backup/restore processes for cases where anti-malware fails.
Ransomware attacks often arrive as malicious links or weaponized Office docs via phishing campaigns. Disabling macros can help, but this is not universally effective since many users need to use legitimate macros. Less commonly, ransomware can also come from drive-by downloads and malvertising.
Viruses are far more sophisticated than they were decades ago. Now viruses are generally polymorphic, meaning they alter their structure to try to avoid detection upon every iteration. Viruses infect files and usually need user interaction to initiate a compromise.
Worms are malicious code that spreads across unsecured networks, relying upon unpatched, compromised applications and unprotected ports.
Rootkits are low-level malware usually implemented like device drivers in operating systems. Rootkits allow bad actors complete control of affected machines.
Botnets are collections of controlled devices, often compromised by rootkits, that are used in large numbers to magnify other kinds of attacks, such as Distributed Denial of Service (DDoS) attacks, credential stuffing, account take-overs (ATOs), or other forms of cybercrime. Botnets can be composed of PCs, servers, smartphones, IoT devices, etc.
File-less malware is a malicious innovation that seeks to avoid signature-based anti-malware scanners by propagating between machines without being written and transferred as files. Instead, file-less malware is malicious code which spreads by process or memory injection. Once on a target device, file-less malware uses native tools like PowerShell or .NET to assemble and execute the malicious payload. File-less malware attacks are still on the rise.
Crypto-jacking is the unwanted execution of crypto-mining software on user devices. Crypto-jackers capitalized on the surge of cryptocurrency prices. Crypto-jacking incidents continue as cryptocurrency prices fluctuate, annoying device owners with increased power costs and depleted batteries in the case of mobile devices. Initially, some anti-malware solutions did not identify crypto-mining software as malicious since it could be built with freely available and sometimes legitimate code.
All end-user computers, smartphones, and tablets should have Endpoint Protection (EPP) clients installed, preferably with up-to-date subscriptions. Servers and virtual desktops should be protected as well. Windows platforms are still the most vulnerable, though there are increasing amounts of malware for Android. It is important to remember that Apple's iOS and Mac devices are not immune from malware, and as market share increases, particularly for Mac devices, the amount of malware for that platform will increase too.
Endpoint Detection & Response (EDR) solutions look for evidence and effects of malware that may have slipped past EPP products. EDR tools are also used to find signs of malicious insider activities such as data exfiltration attempts, left-behind accounts, and open ports. EDR solutions log activities centrally, allow administrators to examine endpoints remotely, and generate reports often complete with attribution theories and confidence levels.
Additionally, as part of the detection process, EDR also enables querying and evaluation of Cyber Threat Intelligence (CTI), event correlation, interactive querying of nodes across the customer environment, live memory analysis, and activity recording and playback. EPDR helps to automatically uncover attacks and enables security teams to understand what is happening from start to finish by consolidating all relevant information into a single view.
For the response phase, EDR solutions can provide alerts and reports, create attribution theories with confidence levels, update detection rules, shut down offending processes, delete or move files, automatically quarantine assets suspected of having been compromised, and even roll back compromised endpoints to known good states.
EDR solutions offer customizable levels of automation for investigations and remediation. The most functionally complete EDR solutions perform continuous monitoring, anomaly detection and categorization, proactively hunt for threats across an enterprise, and create cases then alert human analysts. When analysts take the case, they find up-to-date event lists, correlation across all affected nodes, timeline views, and pertinent CTI within their main screen.
Over the course of the last 5 or so years, EPP and EDR toolsets, and in some cases, vendors, have been converging into EPDR (Endpoint Protection Detection & Response).
EPDR solutions must be tightly integrated with other tools in vendor suites and should interoperate with security analytics tools such as Security Information and Event Management (SIEM) and Security Orchestration Automation & Response (SOAR) tools. To achieve this integration, most EPDR suites support CEF, REST APIs, and syslog. Interoperability with IT Service Management (ITSM) solutions enables organizations to rely on a single system for ticket creation and management. Across the surveyed vendors, support for SIEM is widespread, with some support for SOAR, followed by limited interoperability with ITSM systems. A subset of EPDR solutions essentially outsource orchestration and automation to SOAR products.
XDR (eXtended Detection & Response) solutions are an emerging category of security tools that are designed to consolidate and replace multiple point solutions such as Endpoint Protection Detection & Response (EPDR), Network Detection & Response (NDR), Cloud Workload Protection Platform (CWPP), Intrusion Detection Systems (IDS) & Intrusion Prevention Systems (IPS), Distributed Deception Platforms (DDP), and Unified Endpoint Management (UEM). XDR solutions will also need to draw on telemetry from IAM systems, particularly User Behavioral Analytics (UBA) and Identity Governance and Administration. In our definition and view, XDR must encompass endpoint, network, and cloud aspects. This means that XDR solutions must have agents for endpoints, sensors for networks, and agents for cloud instances and containers.
The MITRE ATT&CK Framework is a comprehensive look at all the various Tactics, Techniques, and Procedures (TTPs) that malicious actors use to compromise systems for the purpose of data exfiltration. Many security vendors contribute to MITRE ATT&CK, and many of their tools map detections to the various steps and techniques to facilitate analysis within their product interfaces.
A number of different, independent testing regimes exist that vendors can participate in to demonstrate the effectiveness of their products. AV-Comparatives, AV-Test, and ICSA Labs run tests focusing on malware detection and prevention. They also run in-depth tests to simulate the kinds of scenarios business users encounter. MITRE.org has conducted four in-depth tests designed to show the efficacy of EDR solutions. KuppingerCole reviewed test results as published by these organizations for vendors examined below.
This Leadership Compass covers solutions that contain capabilities found in both EPP and EDR products.
The top findings from this edition of the Leadership Compass on EPDR are:
- The majority of the products and services surveyed have interfaces that are aligned with MITRE ATT&CK, indicating its widespread acceptance as a standard for conceptualizing cyber-attack Tactics, Techniques, and Procedures (TTPs).
- The shift to vendor cloud-hosted management continues.
- Not all EPDR vendors offer a complete set of secondary protection functions, such as URL filtering, app controls, device controls, endpoint firewalls, and system file integrity monitoring.
- Malware detection models powered by Machine Learning (ML) algorithms are the norm; innovation is evidenced by those utilizing Deep Learning (DL), while behavioral detection models powered by ML algorithms vary in capability by vendor.
- The level of automation possible directly within EPDR products and interoperability with SOAR platforms varies within the field. Mature organizations will want to give extra consideration to these features.
- The evolution of EPDR into XDR has begun, and some vendors are well on their way, but many vendors have a long way to go on their roadmap for this to come to fruition.
- The Overall Leaders in EPDR are CrowdStrike, Cybereason, ESET, Microsoft, SentinelOne, Sophos, and Symantec (by Broadcom).
- The Product Leaders in EPDR are CrowdStrike, Cybereason, ESET, Microsoft, SentinelOne, Sophos, and Symantec (by Broadcom).
- The Innovation Leaders in EPDR are CrowdStrike, Cybereason, ESET, Microsoft, SentinelOne, Sophos, and Symantec (by Broadcom).
- The Market Leaders in EPDR are CrowdStrike, ESET, Microsoft, SentinelOne, Sophos, and Symantec (by Broadcom).
1.2 Market Segment
This Leadership Compass covers solutions that can detect and prevent malware from executing on endpoints, have built-in firewalls, perform URL filtering, application allow/deny listing, and the full gamut of typical EDR functions such as monitoring for IoCs, file analysis, registry analysis, alerting/reporting, attribution theory creation, threat hunting, and remediation. Solutions which offer EPDR functions as part of a larger suite as well as specialized/standalone EPDR packages are considered. For standalone EPDR, interoperability with other components of security and IT environments will be addressed.
1.3 Delivery Models
EPDR solutions are made of two primary components: agents on the endpoints and a management console. Endpoint agents are designed per operating system, such as Microsoft Windows versions 7, 8, 10; Windows Server 2008+; macOS 10 and 11; the various flavors of Linux, Cloud Workloads, Virtual Desktops, and mobile devices. A few vendors maintain agents for deprecated Windows versions such as XP and Vista. Management consoles are used by administrators to deploy, monitor, activate/deactivate certain features, and push updates; by SOCs and management to get current status; and by analysts for investigations. Management consoles for on-premises deployment are usually Windows Server or Linux based. Most vendors offer management consoles as SaaS. Licensing is generally per endpoint.
1.4 Required Capabilities
- Detection and prevention of malware execution and subsequent compromise
- Secondary endpoint protection capabilities such as
  - Endpoint firewall
  - URL filtering
  - Application allow-listing/deny-listing
  - System file integrity monitoring
- Detection of IoCs such as
  - Registry and system file changes
  - Unusual use of network ports by applications
  - Contact with known bad IPs and URLs
  - Unusual process injections
  - Modification of module load points
- Integration of Cyber Threat Intelligence and sandbox services
- Alerting and reporting mechanisms
- Query interface for investigations and threat hunting
- Console for admins, analysts, and threat hunters
- Manual and automatic response functions
  - Run CTI queries
  - Collect forensic evidence
  - Run scripts to support threat hunting, incident response, and systems management
  - Create cases and open tickets
  - Alert SOCs and analysts
  - Terminate processes
  - Update detection rules based on findings
  - Delete or quarantine files
  - Remove registry entries
  - Isolate nodes
  - Rollback endpoints to known good states