Evaluating EPP in the Time of XDR

Type carbonblack
Reporter Gordon Jones
Modified 2020-03-17T15:15:38


The endpoint detection and response (EDR) market is not only more critical than ever, it is also going through the biggest period of innovation in its history – bigger than when EDR was first introduced by Carbon Black 7 years ago. This next wave of innovation is about extending EDR beyond the endpoint – and baking it into the fabric of the modern application, cloud, and mobile world. This is at the heart of why VMware and Carbon Black have come together.

The big EDR news of 2020 will be about extending EDR beyond the endpoint into other sources of telemetry and other control points such as: the network, the user, and the application. It’s about factoring in greater context about applications and infrastructure. Some call this extended EDR – or XDR. The combination of the Carbon Black team with VMware – the digital foundation of mobility, cloud and modern application frameworks – is in the strongest position of anyone to execute on this vision.

Evaluating EPP in 2020 means evaluating EDR

The top industry analysts agree that you need your EPP solution to deliver the visibility, detection, and remote response capabilities pioneered by EDR solutions.

Gartner made the distinction:

> In the 2019 Magic Quadrant for Endpoint Protection __Platforms, capabilities traditionally found in the endpoint detection and response (EDR) market are now considered core components of an EPP that can address and respond to modern threats.1

And similarly, IDC notes in their recent Endpoint Security perspective:

> When evaluating EDR, the conversation is as much about EPP — expectations for EPP have grown dramatically, refusing to let the use of an EDR compensate for the possible shortcomings of EPP.2

EPP cannot be effective today without the behavioral analytics EDR used to make security teams successful against living-off-the-land attacks. As stated later in the report, “blocking malicious patterns of use of approved applications (e.g., PowerShell), browsers, and system memory” should now be considered standard for EPP. Every organization uses their applications differently, so adapting your prevention to your environment’s behavior is key.

Some of the specific EDR feature criteria IDC suggests2 you evaluate in EPP demonstrates this:

  • Continuous recording of events such as file create/update/delete, running processes, registry changes, and CLI arguments
  • Data storage capabilities, either on endpoints, in an on-premise server, or in the cloud (Cloud is increasingly preferred as it enables more powerful correlation — indeed across more than one customer environment.)
  • Integration of and/or ability to ingest third-party threat intel
  • Graphing relationship interface to visualize the connectivity of seemingly disparate IOCs in a historical timeline of a chain of events (causality)
  • Detection using machine learning and analytics, application behavior validations, and validation of IOCs

Evaluating EDR in 2020 means evaluating XDR

As VMware we’re now able to reinvent EDR and take our success beyond the endpoint into other sources of telemetry and other control points such as: the network, the user, and the application. The IDC excerpt above continues:

> EDR thus creates value by extending the view beyond initial boundaries of the endpoint. The "manifest destiny" of EDR is to be a tool that provides cross-platform visibility and response, stopping maliciousness that cannot be detected with endpoint activity and telemetry alone.

The same high expectations you have for telemetry and behavioral analytics from an endpoint need to expand across your infrastructure and network. The value can be immediate for detection and investigation, but it multiplies as more IT teams are pulled into the effort to harden systems and secure the organization on a larger scale. A couple of XDR features are already in IDC’s2 for evaluating EPP:

  • Context-enhanced visibility. This is of course self-explanatory. However, efficacy must be viewed through the lens of our previous discussion. EDR needs to be able to detect malicious activity that EPP is not expected to detect and block. Almost by definition, EDR must leverage data that is outside of the endpoint.
  • Click-down attack chain visualization tools to allow investigators to pivot — including from one environment to another (e.g., endpoint to network view)
  • Ability to run simple and complex queries on activity across the infrastructure

To read the full IDC Perspective and the rest of the evaluation criteria, download your copy of the report here.

1_ Gartner, Magic Quadrant for Endpoint Protection Platforms, August 2019._

2__IDC, Frank Dickson, Michael Suby, Endpoint Security 2020: The Resurgence of EPP and the Manifest Destiny of EDR, January 2020, IDC #US45794219

The post Evaluating EPP in the Time of XDR appeared first on VMware Carbon Black.