Endpoint security is a foundational element of cybersecurity architectures that is even more important today than in decades past. All end-user computers, smartphones, and tablets should have Endpoint Protection Detection & Response (EPDR) clients installed, preferably with up-to-date subscriptions. Servers and virtual machines/desktops should be protected as well. Windows platforms are still the most vulnerable, though there is an increasing amount of malware for Android. It is important to remember that Apple's iOS and Mac devices are not immune to malware, and as market share increases, particularly for Mac devices, the amount of malware for that platform has increased too.
What drives the need for EPDR? Ransomware is a top-of-mind concern for CISOs and cybersecurity professionals globally. It has unfortunately turned into a profitable business for cybercriminals. They now deliver ransomware-as-a-service with a well-defined business model with job specializations.
Malware comes in many forms: viruses, worms, rootkits, botnets, file-less malware, ransomware, and crypto-miners are prevalent in the wild. Malware is usually, and almost by definition, an exploitation of an operating system or application vulnerability.
Ransomware attacks are increasing in frequency. Attackers have diversified their targets. Now businesses, small and large, non-profits, and government agencies face this threat daily. Ransomware, in the traditional sense, is a form of malware that encrypts users' data, demanding that ransom be paid for the return of control or for decryption keys. Most forms of ransomware are deployed similarly to an Advanced Persistent Threat (APT) campaign, using phishing, other social engineering, or compromised credentials to get into their victims’ assets. They may then stage ransomware on various machines throughout an enterprise and exfiltrate data before ransomware detonation. In years past, some ransomware operators did not provide working decryption keys, so paying the ransom was purely a waste of money. This has changed somewhat since cybercriminal outfits have started to function like businesses: they must provide “customer” service to victims. Some attackers have used ransomware techniques and payloads for purely destructive purposes too – rather than asking for ransom, these destructive “wiper” ransomware types simply delete data.
Alternatively, attackers may simply infiltrate victims’ assets, then copy and exfiltrate data with the threat of leaking customers’ personal information or intellectual property if ransoms are not paid. The advantage for the attackers is that it does not matter if the victims have good backups, they could still leak the exfiltrated data if ransoms are not paid. In these cases, they may pose as uninvited penetration testers. This technique is becoming more popular. In any case, paying the ransom only emboldens the perpetrators and perpetuates the ransomware problem. Cyber insurance policies are commonly acquired by all kinds of organizations to offset the costs of cyber-attacks, sometimes including ransom payments. However, to qualify for cyber insurance, organizations must demonstrate that they have cybersecurity measures in place.
Backups are of course still an important part of cyber hygiene. Restoration is sometimes problematic if users or organizations have not been keeping up with backups, if restore processes are not defined and have never been tested, or if backups have been contaminated by malware. Cybercriminals have gotten adept at finding and encrypting data backed up to the cloud. Even if pristine backups are readily available, time will be lost in cleaning up the compromised computers and restoring the data. Thus, preventing ransomware infections and the compromises that lead to such events is preferred. However, no anti-malware product is 100% effective at prevention. It is still necessary to have defense in depth.
Ransomware attacks often arrive as malicious links or weaponized Office docs via phishing campaigns. Disabling macros can help, but this is not universally effective since many users need to use legitimate macros. Ransomware can also come less commonly from drive-by downloads and malvertising.
Other malware types are still out there. Viruses are far more sophisticated than they were decades ago. Now, viruses are polymorphic, meaning they alter their structure on every iteration to try to avoid detection. Worms are malicious code that spreads across unsecured networks, relying upon unpatched, compromised applications and unprotected ports. Worms are back in the news since researchers have found that AI LLMs (Large Language Models) can easily generate that type of code. Rootkits are low-level malware, usually implemented like device drivers in operating systems. Rootkits allow bad actors complete control of affected machines. Rootkits usually arrive in the form of a Trojan, software that disguises its true purpose.
Botnets are collections of controlled devices, often compromised by rootkits, which are used in large numbers to magnify other kinds of attacks, such as Distributed Denial of Service (DDoS) attacks, credential stuffing, account take-overs (ATOs), or other forms of cybercrime. Botnets can be composed of PCs, servers, smartphones, IoT devices, etc.
File-less malware is a malicious innovation that seeks to avoid signature-based anti-malware scanners by propagating between machines without being written and transferred as files. Instead, file-less malware is malicious code which spreads by process or memory injection. Once on a target device, file-less malware uses native tools like PowerShell or .NET to assemble and execute the malicious payload. File-less malware attacks are still on the rise.
Endpoint Protection Platforms (EPPs) are an evolution from the antivirus programs of old and even the “next generation” antivirus (NGAV) systems from a decade or more ago. Antivirus programs were generally signature-based, meaning that they could scan for known virus patterns. NGAV systems began harnessing the power of Machine Learning (ML) algorithms to detect and classify malware. ML-based detection became imperative due to the exponentially proliferating varieties of malware: with thousands and then millions of variants of malware, human analysts could not keep up. EPP systems are NGAV plus secondary features such as endpoint firewalls, URL filtering to prevent users from communicating with known bad domains, application controls to prevent malicious executables from running, and system file integrity monitoring.
Endpoint Detection & Response (EDR) solutions search for evidence and effects of malware that may have slipped past endpoint protection / antivirus products. EDR tools are also used to find signs of malicious insider activities such as data exfiltration attempts, left-behind accounts, and open ports. EDR solutions log activities centrally, allow administrators to examine endpoints remotely, and generate reports, often complete with attribution theories and confidence levels.
Additionally, as part of the detection process, EDR also enables querying and evaluation of Cyber Threat Intelligence (CTI), event correlation, interactive querying of nodes across the customer environment, live memory analysis, and activity recording and playback. EPDR helps to automatically uncover attacks and enables security teams to understand what is happening from start to finish by consolidating all relevant information into a single view.
The MITRE ATT&CK® Framework is a comprehensive approach that addresses all the various TTPs that malicious actors use to compromise systems for the purpose of data exfiltration. Many security vendors contribute to MITRE ATT&CK, and many of their tools map detections to the various steps and techniques to facilitate analysis within their product interfaces.
For the response phase, EDR solutions can provide alerts and reports, create attribution theories with confidence levels, update detection rules, shut down offending processes, delete or move files, automatically quarantine assets suspected of having been compromised, and even roll back compromised endpoints to known good states.
EDR solutions offer customizable levels of automation for investigations and remediation. The most functionally complete EDR solutions perform continuous monitoring, anomaly detection and categorization, proactively hunt for threats across an enterprise, and create cases then alert human analysts. When analysts take the case, they find up-to-date event lists, correlation across all affected nodes, timeline views, and pertinent CTI within their main screen.
EPP and EDR toolsets have converged into EPDR (Endpoint Protection Detection & Response).
EPDR solutions must be tightly integrated with other tools in vendor suites and should interoperate with security analytics tools such as Security Incident and Event Management (SIEM) and Security Orchestration Automation & Response (SOAR) tools. To achieve this integration, most EPDR suites support CEF, REST APIs, and syslog. Interoperability with IT Service Management (ITSM) solutions enables organizations to rely on a single system for ticket creation and management. Across the surveyed vendors, support for SIEM is widespread, with some support for SOAR, followed by limited interoperability with ITSM systems. A subset of EPDR solutions essentially outsource orchestration and automation to SOAR products.
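To make the SIEM side of that integration concrete, the following added example (not code from this Leadership Compass or from any vendor covered in it) parses EPDR alerts in CEF format and groups them per endpoint, the kind of correlation a SIEM or ITSM ticket would be built from. The vendor, product and signature values in the sample lines are constructed, not real product output.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample alerts in CEF shape; "ExampleVendor"/"ExampleEPDR" are placeholders.
SAMPLE_CEF = [
    r"CEF:0|ExampleVendor|ExampleEPDR|4.2|1001|Ransomware behaviour blocked|9|src=10.0.0.23 dhost=ws-042 act=quarantine fname=invoice\=final.docx msg=Mass file rename detected",
    r"CEF:0|ExampleVendor|ExampleEPDR|4.2|2002|Script host spawned by Office app|7|src=10.0.0.57 dhost=ws-017 act=alert proc=powershell.exe msg=Encoded command from WINWORD.EXE",
    r"CEF:0|ExampleVendor|ExampleEPDR|4.2|1001|Ransomware behaviour blocked|9|src=10.0.0.23 dhost=ws-042 act=quarantine msg=Repeat detection",
]

HEADER = ("version", "device_vendor", "device_product", "device_version",
          "signature_id", "name", "severity")
# CEF allows a word instead of a 0-10 number in the severity field; map words to the numeric scale.
SEVERITY_WORDS = {"Unknown": 0, "Low": 2, "Medium": 5, "High": 8, "Very-High": 10}

def _unescape(value: str) -> str:
    # CEF escapes "\|" in the header, "\=" in extension values, "\\" anywhere, and "\n"/"\r" for line breaks.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)

def parse_cef(line: str) -> Dict[str, object]:
    """Parse one CEF line into a flat dict of header fields plus extension key=value pairs."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    parts = re.split(r"(?<!\\)\|", line[len("CEF:"):], maxsplit=7)  # split on unescaped pipes only
    if len(parts) != 8:
        raise ValueError("CEF header needs 7 pipe-delimited fields followed by the extension")
    event: Dict[str, object] = {k: _unescape(v) for k, v in zip(HEADER, parts[:7])}
    # An extension value may contain spaces; it runs until the next " key=" or the end of the line.
    for key, value in re.findall(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)", parts[7]):
        event[key] = _unescape(value)
    sev = str(event["severity"])
    event["severity"] = int(sev) if sev.isdigit() else SEVERITY_WORDS.get(sev, 0)
    return event

def correlate_by_host(lines: List[str], min_severity: int = 7) -> Dict[str, dict]:
    """Group alerts at or above min_severity per endpoint, so one case covers a host rather than one per alert."""
    cases: Dict[str, dict] = defaultdict(lambda: {"count": 0, "max_severity": 0, "signatures": set()})
    for line in lines:
        ev = parse_cef(line)
        if ev["severity"] < min_severity:
            continue
        case = cases[str(ev.get("dhost", "unknown"))]
        case["count"] += 1
        case["max_severity"] = max(case["max_severity"], ev["severity"])
        case["signatures"].add(ev["signature_id"])
    return dict(cases)
```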
Several independent testing regimes exist that vendors can participate in to demonstrate the effectiveness of their products. AV-Comparatives runs various extensive tests focusing on malware detection and prevention. They also run in-depth tests to simulate the kinds of scenarios business users encounter. MITRE.org has conducted four in-depth tests designed to show the efficacy of EDR solutions. KuppingerCole reviewed test results as published by these organizations for vendors examined below. Notes about vendors’ participation in these independent testing scenarios will be included where relevant throughout chapter four.
This Leadership Compass covers solutions that contain capabilities found in both EPP and EDR products.
Which organizations need EPDR? All of them, from small, sole proprietors to multinational corporations, non-profits, and from small city and county governments to national governments. The EPDR market is large, and it has been for decades. It will continue to grow as the number of deployed assets increases and the threats increase.
For information on our research practices, see KuppingerCole Leadership Compass Methodology.