Analyst Chat #130: Leadership Compass Endpoint Protection, Detection and Response (EPDR)

Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth, I'm Lead Advisor and Senior Analyst with KuppingerCole Analysts. My guest today is John Tolbert. He is a Lead Analyst with KuppingerCole working out of the United States. Hi, John. Good to see you.

Hi, Matthias.

Great to have you. And again, we are here to talk about a piece of research that you just finalized that has just been published. We want to talk about a Leadership Compass in the area of EPDR. First of all, John, what is behind that acronym? What is EPDR?

Well, EPDR stands for endpoint protection, detection and response. So, in years past we were all familiar with antivirus and then we had next generation antivirus and then a whole slew of other products kind of evolved in the market around that secondary functions, I guess I would call them things like an endpoint firewall, being able to have like you URL filter and to prevent users from going to known bad websites. Then came application control, which is aimed at being able to prevent regular end users from running applications that could potentially be malicious. And then system file integrity monitoring, a lot of these were separate products that developed over the last 15 or 20 years. And they all kind of got rolled into what became known as Endpoint Protection, which was all the antivirus, Next-Gen Antivirus and all these other capabilities packaged into a single product.

And then along came endpoint detection and response kind of thinking 10, 15 years ago with like the development of the Lockheed-Martin kill chain. There's only so much that can be prevented. At some point, there's an acknowledgment that the malware sometimes does make it through. And endpoint detection response solutions were designed to look for indicators of compromise. That's what we mean by IoCs there. And to be able to pull in cyber threat intelligence and be able to take suspected malicious code and send that off to a sandbox where it could be analyzed and a determination made whether or not the code was bad. EDR also has things in it like alerting and reporting mechanisms, a query interface so that security analysts can sit at a console and say, OK, I think I found something that's malicious here on this one endpoint. Is it anywhere else in my entire organization? You know, being able to run those kinds of queries, get information back in real time, and then be able to do things like say, OK, let's quarantine or delete those files or change registry settings back to the way they were before a suspicious event happened. All of that can generally be done within the console of an EDR solution.

So we have these two not competing but complementary pieces of functionality. And endpoint protection and endpoint detection and response over the last five, ten years, these have increasingly sort of grown together. There've been a lot of acquisitions in the marketplace. So the idea is to make it simpler for end user organizations to manage their endpoints, both the prevention and the detection and response functions have kind of been rolled into single stack products, generally running as a single agent on many different kinds of endpoints. I know, it's a long answer to your question.

Yeah. But it really told the story and it shows us that you're covering that market for quite a while, although this is yet another new acronym. But that also shows the combination, this merging together of different categories. You've mentioned these indicators of compromise. What are these signals these indicators that these solutions are looking at and how do they respond then?

Well, some examples of indicators of compromise might be things like changes to registry entries, Malicious operators, when they get on a machine, they want to make sure that they can persist through reboots. So they will often change entries in the registry to make sure the malicious code runs every time the machine reboots, there can be changes to the system files. You know, maybe important DLLs could change that have malicious code. That's another reason why it's good to use like system file integrity monitoring to make sure that the proper manufacturer deployed code is actually in use. There can be things like unusual use of network ports by applications. I mean, we all know that browsers should be using things like well, TCP 443, we shouldn't really be running HTTP TCP port 80 these days. But let's think about you know, other applications that have well known TCP or UDP port associations. If you have an application that starts using some strange port then you know it's probably worth checking into. Then there's just contact with known bad IPs or URLs or maybe they weren't known to be bad at the time that a user or a process on workstation accessed them. That's where, you know up to date cyber threat intelligence looking back at the logs to see you know at that time you know was that a known bad IP or not. Unusual process injections that could be a sign of a malicious code trying to inject itself into something that looks legitimate and so that it can continue running. And then sometimes we also see things like modification of module load points. It might again have a library or something that has malicious code inside. So changing where it loads from, where it loads to could be an indicator of compromise also. Those are just some examples. There's plenty more. And these things change all the time. That's why up to date cyber threat intelligence is really important for all security solutions today.

Right. And you've mentioned already, the "R" stands for responses. So these solutions are designed and created to support the security analysts either manually or even automatically by issuing commands by committing tasks on the individual system to prevent this harm from continuing or from even taking place. What could be such responses are they also changing over time?

Yeah. For EPDR Systems, of course, the focus is on the endpoints. So what can you do to mitigate or remediate problems that are discovered on the endpoint as well as collecting forensic evidence? Like I said running queries to get up to date cyber threat intel. You know, there are scripts that many of these solutions come with that can kind of help with the threat hunting. Many of these solutions also interact with IT service management solutions. You know, you can create tickets that can be tracked across the enterprise, manage those tickets. Alerting is obviously really important as well. You've got to have your SoC analysts and SoC management aware of problems that are going on. And then just looking at the the programs themselves and what what can be accomplished on the endpoint, you can obviously terminate processes. You know, most of these EPDR agents, or all of these EPDR agents run at the kernel level. So they've got pretty much full control. So they can terminate processes, they can delete or move files, roll back registry entries, isolate the nodes from the network and only allow it to talk to like the console for the EPDR solution. And then in many cases they also allow rolling back the endpoint to like a last known good state.

OK, so quite a range of potential responses. You've described the market and the market, as you said, is changing. And I assume that the products that are out there, they vary in individual characteristics and what they have as capabilities.
But in the end, when you're writing a Leadership Compass, you have to come to a common denominator to a set of criteria to apply to all of them. What were these criteria that you could use to make sure that this varying market of products or market segment is judged fairly and adequately regarding these different types of products?

Yes. So let's look how we would define these broadly into the prevention, protection and then the detection and response features, for the Leadership Compass we have spider charts that show relative effectiveness in the different categories. So here are the categories that I decided to use. One was on malware prevention. That's trying to determine whether or not a piece of code is malicious before it runs or maybe while it's running so that it can be shut down before real damage occurs. There's also those secondary endpoint protection functions like application control and URL filtering. Not all the vendors have a full range of secondary EPP functionality within the platforms. But then on the EDR side, there's the ability to detect compromises, facilities to allow SoC analysts to do investigations. And then those responses and like you were saying they can be manual or in some cases scripted, automated. And then overall management of those platforms.

Right, interesting. Before we show some of the results which we this time actually do, I want to really highlight the fact that this Leadership Compass is not something that is to be read, to look to the upper right corner of a quadrant or to the right area of a diagram to identify the best product around. But the Leadership Compass is always designed to support organizations in finding the right product for their use cases and for their application infrastructure. So it needs to be read with a more skilled eye as well and apply your own requirements. Having said that, when we look at the market, what were the vendors that you were looking at and how did they score overall? Although it might not be the perfect match for any organization.

Yeah. We had quite a few vendors in the field and we took a look at all those capabilities listed before. And that's how we generate the positioning on the charts here. And you're right. I mean, there are it's not all about who's in the top right. Each vendor has a good number of customers and are satisfying their customers with the functionality that they provide. But based on the criteria that we've identified, I thought we would just kind of quickly step through these charts. So that those who are watching can kind of get a feel for what the overall market and the product and the innovation graphics look like.

Right. So if you look at the first of all, of course, it's important also for the vendors, the overall leaders. This means, this is the combination of all the individual scores that you applied, all put together into one scale. And how does that look like? What is important to highlight here?

The cverall leadership covers product, innovation and market. And then the nine functional categories that we look at below that. So it's kind of an amalgamation of all the the different scores and ratings below it. And that's how the overall leadership positioning is placed.

Right. I think more interesting when it comes into more details is these combined scores that we have and then we end up with quadrants where there's two dimensions to be looked at. And you've mentioned the the product leaders, which is in that graphics that we see right now is combined with the overall ratings so that the strength of the product itself, not the market position, not the innovation, but the product as a whole is mapped to the overall rating. And I think that's also an important factor to to look at when it comes to to judging these products from the overall rating and the product rating. Anything to add or to highlight from your side regarding that chart?

No, this is just intended to sort of be a quick look at the positions. I think it's important for those who are interested in EPDR solutions to actually look at the accompanying text on these as well, to understand exactly what each vendor does, what strengths, what challenges they have.

Okay, great. And while we're talking, we have a quick glance also at the innovation leaders. I want to point out that this Leadership Compass, there is much, much more information in there. It's not just this graph. There's lots of diligent work that that made its way into these individual assessments of the products and the vendors. And it's it's out. It has been published. It is available for our subscribers at our website kuppingercole.com. And it's highly recommended for those who are interested in products in that market segment that they had over to our website and just try to find your Leadership Compass in EPDR solutions and apply it to their own use cases and their own architecture and infrastructure.

Any final thoughts that you would like to share? Did the market chang very much? Of course, we have this new term, but has it matured, have new players arrived? And what was your view, your outlook on that market and how do you expect it to change over time for the next edition of that Leadership Compass?

You know, it is mature and has been mature for quite a while. There are occasionally new entrants into the market and as we were saying before, there are groupings of functionality, EEP and EDR companies are getting together through acquisitions, mergers. I think the trend ahead is going to be around XDR. I think EEP functionality really needs to be a part of that. But also NDR needs to be a part of that. But yeah, we're going to keep an eye on the market and see how both it evolves and where the hype goes around this as well. But it's definitely something that absolutely everybody needs because the biggest form of malware that we hear about these days is ransomware. And it is a real and growing threat that hasn't really gotten, it hasn't diminished in its power or frequency. So everyone really needs EPDR solutions in their enterprises.

Great. Thank you very much. And thank you also for this diligent work that you do. All these analysts that do these Leadership Compasses and Market Compass documents have my highest respect because I know that this is really a huge amount of work to to do to bring justice to all these solutions and to to look at that market segment as a whole. And so for that today, thank you very much John, for sharing your insight into that market and your work. And great to see it published. Looking forward to seeing you soon for another episode. And I'm really looking forward to having you again in this podcast. Thank you for your time and thank you for joining me today, John.

Thank you.

Bye bye.