Our new Data Protection Platform now combines Endpoint Protection Platform (EPP) with Endpoint Detection and Response (EDR) as well as Application Communication Control into one effective security platform.
The Sad Story of EPPs
I’m sure that at this point you’re rolling your eyes. C’mon, Effective EPP? Even Gartner has its doubts about EPP, per Gartner’s Magic Quadrant for Endpoint Protection Platforms, February 1, 2016: “When 44% of reference customers for EPP solutions have been successfully compromised, it is clear that the industry is failing in its primary goal: blocking malicious infections. Yet only a few of the EPP vendors are taking radical steps to improve the detection accuracy of their solution. Presumably, protecting 60% of customers has somehow become the industry benchmark for success.”
Yes, that’s the sad story of EPPs. Incredibly, EPP spending is set to exceed $3.2B. Annually.
The Habits of Highly Effective EPPs
The issue is that we continuously look at these tools as protecting against the infiltrators coming in (i.e. AVs, anti-exploitation, personal firewalls, sandboxes, whitelisting, etc.). It’s this approach that generates more “indications” on the unknowns (good or bad) than anyone can possibly follow, leading EPPs to fail. None of these tools can put a stake in the ground and accurately say – ah ha, this really is malicious.
However, if you can focus your efforts on looking just at data-related activities and identifying whether that performed activity is malicious or not, then there’s the proof – you’ve just caught the threat actor with their hand in the cookie jar. Handcuff that hand and don’t let it grab that cookie. As simple as that. No indicators, no maybes, no numerous alerts that send you rushing to respond.
Let’s spell out that acronym again. Endpoint Protection Platform. If I’m protecting the endpoint from damage which comes in the form of data theft, data tampering or ransom, then there you have it – an Endpoint Protection Platform. An effective one, that is.
Effectiveness Reaches EDR
It’s already a given that the endpoint is compromised. This of course led to the flourishing of EDR platforms - Endpoint Detection and Response platforms. The problem is that the detection aspect won’t help you when trying to prevent the next headline. After all, you’re now in a race against time to get to the source of the alert, investigate it, analyze it and, finally, remediate. And all the while you know that you may also be embarking on a wild goose chase, as the threat actors might already have gotten away with your data and you’re going to be left dealing only with the cookie crumbs.
What has effective got to do with EDR? That’s where preventing the consequences in real-time comes in again. As an example, let’s consider this approach in the context of one of the greatest malware trends of the past year – ransomware. Preventing the consequences of the attack in real-time means that even if you’re infected with the ransomware you can continue working as usual, knowing that no malicious encryption will ever happen. I’m really proud to say that we’re the only product that can generically solve ransomware. It goes back to the heritage of our platform and OS research. I won’t delve into the details – you can find them here.
With our newly added remediation capabilities, you don’t just prevent the threat actor from stealing or tampering with your data, but you can also remediate.
Effective AND Reduces the Threat Surface
After speaking to a multitude of customers, prospects and analysts, I can undoubtedly say that whitelisting applications drives the world crazy. It’s the complexity to deploy, to maintain and then comes… the inevitable complaint calls from employees asking to grant their applications the permissions they need to do their job. Or listen to music.
Looking at the business environment though, it really doesn’t make sense to try and control ALL applications. Re-thinking it makes us realize that our risk is not that the developer listens to music while working, but rather that these applications establish an outbound communication channel that you really don’t want to have open in your network. With that in mind, the solution becomes simple – let your employees run ANY application and only block unauthorized applications from communicating.
This application communication control scenario works really well with servers. You know your users will invariably deploy multiple tools and applications on them. They can go ahead and do that. You just know that no unauthorized application will communicate outbound. You’ve now reduced your threat surface to only the authorized applications that communicate outbound. Now you can work to ensure that those authorized applications are not abused by threat actors. See, effective security.
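As an added illustration of the application communication control idea above (example code written here, not the vendor's product or its policy format), this is a small default-deny outbound policy evaluator: every process may run, only listed processes may connect, and the result also lists which authorized applications actually communicated, which is the reduced surface you then review for abuse. The process names, hosts, ports and events are constructed.

```python
# Added example, not the vendor's code: minimal application communication
# control. Any process may execute; only processes in OUTBOUND_POLICY may open
# outbound connections, everything else is blocked. All names are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class OutboundEvent:
    process: str      # executable name as reported by a hypothetical agent
    dest_host: str
    dest_port: int


# Hypothetical policy: process -> set of (host, port) it may talk to.
# ("*", "*") would mean "any destination"; a server policy should not need it.
OUTBOUND_POLICY = {
    "backup-agent.exe": {("backup.corp.example", 443)},
    "sqlservr.exe": {("db-replica.corp.example", 1433)},
}


def decide(event, policy=OUTBOUND_POLICY):
    """Return ('allow'|'block', reason). Default deny: an unlisted process keeps
    running, but its outbound traffic is dropped."""
    allowed = policy.get(event.process)
    if allowed is None:
        return "block", "process not authorized for outbound communication"
    if ("*", "*") in allowed or (event.dest_host, event.dest_port) in allowed:
        return "allow", "matches policy"
    return "block", "authorized process, unauthorized destination"


def evaluate(events, policy=OUTBOUND_POLICY):
    """Apply the policy; return blocked attempts and the (small) set of
    authorized processes that actually communicated and deserve review."""
    blocked, review = [], set()
    for ev in events:
        verdict, reason = decide(ev, policy)
        if verdict == "block":
            blocked.append((ev.process, ev.dest_host, ev.dest_port, reason))
        else:
            review.add(ev.process)
    return blocked, sorted(review)


# Constructed server events: a music player and an unknown binary are free to
# run, but their outbound attempts are blocked; the database engine is allowed
# to run yet blocked when it reaches for a destination outside its policy.
SAMPLE_EVENTS = [
    OutboundEvent("backup-agent.exe", "backup.corp.example", 443),
    OutboundEvent("spotify.exe", "audio.cdn.example", 443),
    OutboundEvent("updater.tmp.exe", "203.0.113.7", 8443),
    OutboundEvent("sqlservr.exe", "203.0.113.7", 1433),
]
```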
These are exciting times. Version 2.0 was the result of speaking to customers, hearing their challenges, brainstorming ideas and new approaches and, all in all, a lot of hard work to solve some big business and technological challenges. I’m excited that our customers are already benefiting from this, and others are currently coming on board. I would love to give you the grand tour as well, so feel free to schedule a demo.