Explaining endpoint protection options

Endpoint Protection is a phrase that you may have heard but don’t necessarily know what it means. Fear not. We’re here to explain.

Keeping your computer safe used to be easy. Install antivirus. Job done. If you were being really careful then you also sat behind a firewall to block unwanted traffic.

Things have changed and now protection for your computers and devices comes in so many different flavours and levels of sophistication that it’s hard to keep track of what the options are and what level you should have.

In this blog we’ll explore the different kinds of endpoint protection and what they do.

Antivirus

Antivirus software is a foundational element of endpoint security. It targets known malware using signature-based detection. This means that when the software finds a file during a scan that matches one in its database, it flags it as malicious and either quarantines it or simply deletes it.

Antivirus usually scans files as they are downloaded, or installed. It also runs regular in depth scans of your system that look at all the files on your computer. It has limitations though as it can’t penetrate password-protected and encrypted files.

Antivirus also relies on regular updates to stay effective. It needs to update its database with the latest threats that security researchers have discovered before it can then identify them on your system. This means that won’t pick up novel threats that haven’t already been discovered elsewhere, analysed and added to a database of known threats.

Anti-Malware

Anti-malware tools go beyond viruses and detect other malicious software like worms, trojans, and spyware. They use the same method of signature-based detection as antivirus and so anti-malware suffers from the same limitations.

The terms antivirus and anti-malware are often used interchangeably as it’s very rare, in fact probably impossible, to find a pure antivirus today.

Endpoint Detection and Response (EDR)

EDR is the next evolution of anti-malware. It doesn’t solely rely on databases of known threats; instead, it monitors your device for abnormal behaviour that might indicate something is amiss.

Importantly, when it detects something unusual happening it will automatically respond to the threat by containing it and providing a threat analysis that your IT team can investigate.

This technology relies on AI and provides a much more robust level of protection than traditional Anti-malware.

The reporting from these tools is invaluable when it comes to analysing suspected attacks. EDR can produce visual representations of the activities that it thinks are linked together and form the suspicious pattern. This allows IT experts to deeply dive into anything that is flagged to determine whether there is a genuine threat.

It isn’t perfect however, and will sometimes falsely flag something as suspicious. This can be frustrating when you want to be able to get on with work, however, the general feeling is that it is safer to cause some minor inconvenience to allow something to be checked. The alternative could be costly for your business. As an example, EDR may see you opening an email attachment in Outlook, downloading and installing a file attachment, then accessing your banking website. It would look at these steps and say “hold on, something seems like it might be fishy” and block your banking website access until you’ve decided whether it’s safe to proceed.

Managed Detection and Response (MDR):

MDR services integrate the AI powered EDR approach with human expertise.

The ‘Managed’ in MDR refers to the backing of an outsourced Security Operations Centre (SOC). A SOC is a team of dedicated security experts whose sole job is to monitor and respond to cyber threats.

A SOC provides 24/7 continuous monitoring, threat detection, and incident response.

Depending on your pre-agreed scope with a SOC they will either review all flagged activity and alert you to any reports that they feel are genuine and need your input, or they can proceed to remediate the threat themselves.

This level of protection is probably the highest that a small business would realistically need, or be able to access. When obtained from an MSP you can benefit from their economies of scale to bring the cost of having MDR backing down. The SOC provides permanent piece of mind for you. You know that someone always has an eye on your devices even when someone clicks on a malicious link in an email using their business device at 2am.

Intrusion Detection Systems (IDS)

IDS is a separate tool entirely. Instead of looking for malware on devices, it monitors network traffic for suspicious activity. If it spots irregular movements of data it can flag them for attention and potentially block the traffic.

Generally, this is only necessary for enterprise companies who have large networks with many endpoints and locations.

Extended Detection and Response (XDR):

XDR solutions expand on EDR and IDS by integrating data from multiple security sources, including your network, cloud, and email. This gives it a comprehensive overview of your IT and allows it to look for suspicious activity that might be spread across your entire network, or beyond.

Reporting from these tools is extensive. IT teams can monitor the movement of all traffic across their network and review logs of every mouse click, every file opened, and every process that each device has made. This gives them incredible levels of detail for analysis during and post-incidents.

Generally, XDR solutions are fairly expensive and tend to be aimed at enterprise-level organisations rather than SMEs.

Summary

While traditional antivirus focuses on known threats, EDR and MDR offer more dynamic approaches to cybersecurity and XDR is an enterprise level solution that scans your entire digital environment to keep you safe from threats.

It is worth being aware that many products from EDR onwards will include additional functionality that can be turned on (usually for extra cost too) that can include:

• web filtering which blocks websites using either a predefined list or real-time analysis. It can protect you from sites known harbouring malicious software, insecure sites, or which relate to particular topics such as drugs or alcohol. If you’ve heard about URL filtering, this is a more granular version of web filtering that allows you to block specific websites based on their web address.
• Vulnerability scanning identifies weaknesses in your network that can be exploited by criminals. It looks for unpatched software with known issues, open ports to the internet that could let hackers in and other weaknesses
• Software firewalls provide another level of protection for your device over and above your operating system's built-in firewall.

If you have any specific questions around keeping your devices and data safe then get in touch with us for a chat. Our All-in-one IT support includes everything that most businesses need to work safely and securely online.