What Is an Endpoint Protection Platform (EPP)?
An endpoint protection platform (EPP) is a collection of endpoint security tools, typically including advanced antivirus, data loss prevention, endpoint detection and response (EDR), and data encryption. These technologies work together on endpoint devices to prevent malware attacks and other malicious activity. EPP solutions prevent and identify security threats; they can also help security teams investigate and respond to security incidents as they happen.
An advanced EPP solution uses multiple detection endpoint technologies, combining behavioral analysis and threat intelligence. It can identify unknown and zero-day threats as well as known attack signatures. Modern EPPs are deployed to endpoints via software agents, but are managed in the cloud and provide a central web-based console.
How EPP Solutions Work
One of the biggest threats to endpoints is malware. Malware typically infects a device when a user clicks a malicious link in an email, downloads and executes an infected file, or visits a malicious website. Once inside the environment, malware tries to infect as many system processes and data points as possible.
Endpoint protection platform solutions prevent malware from entering your environment and protect your endpoints. Endpoint protection platform solutions block known threats to your endpoints, and can also identify unknown or zero-day threats.
EPP solutions use several strategies to identify and block threats. One strategy is behavioral analysis, which involves establishing a behavioral baseline for the endpoint and using it to identify suspicious or unusual activity, even if it does not match a known threat signature. Another is threat intelligence — EPP can integrate with feeds containing data about threat actors and their tactics, techniques, and procedures (TTP), and use them to identify threats.
Another tactic to capture unknown threats is sandboxing. Most EPP solutions have a security sandbox that can quarantine suspicious files in a secure environment. In the sandbox environment, the EPP can safely “detonate” a file and monitor its activity without compromising the rest of the system.
EDR vs. EPP Solutions
Endpoint detection and response (EDR) is a security technology that continuously monitors endpoint devices and workloads and provides visibility into real-time activity on endpoints. This allows cybersecurity teams to quickly and efficiently identify and respond to cyber threats such as ransomware, malware, and endpoint compromise.
EDR is considered a safety net that catches threats that could not be detected or blocked by other defenses on the endpoint.
EDR tools provide advanced endpoint threat detection capabilities, including event data discovery, alert classification, threat hunting, malicious behavior detection, and threat containment. They allow security teams not only to identify and investigate attacks, but also to take action remotely to contain and eradicate the threat.
The relation between EPP and EDR is that endpoint protection platforms might contain an EDR solution or feature. This allows the EPP not only to identify anomalous events, but also support security teams in investigating and mitigating breaches at early stages, before they can do damage.
Typically, you will not choose between EPP and EDR. Instead, the choice is:
Using a basic EPP solution that only has preventive measures and does not support EDR.
Using an advanced EPP solution that also includes EDR — typically at additional cost.
Related content: Read our guide about EDR security
How to Choose EPP Software
Endpoint security solutions provide three main functions-attack prevention, detection, and remediation-managed through one platform. However, each platform may have different characteristics suitable for one use case but not relevant for another.
To choose the most suitable endpoint protection platform for your use case, you must first inventory all endpoint security products in your existing stack. If you discover multiple outdated security tools, you should evaluate these tools to determine which you should keep and how they fit into your endpoint protection implementation.
Multiple Threat Detection and Remediation Approaches
An endpoint protection platform provides multiple threat detection and remediation functions integrated into one platform. Common EPP capabilities include web browser security, malware signature scanning, attack vector blocking to prevent fileless malware, rollback remediation, and credential theft identification.
Each EPP vendor offers a unique collection of capabilities, using different detection and remediation techniques. However, most vendors utilize EDR and data loss prevention (DLP). The EDR function monitors endpoint events and stores this data for later analysis, and the DLP function prevents end users from sharing sensitive information externally.
EPPs are usually based on frameworks that support sharing information between security tools, including third parties already installed in the stack. Common security third-party products include DLP, EDR, and intrusion prevention systems (IPS).
An open EPP architecture helps achieve visibility into all endpoint devices and endpoint security tools across the organization, letting you monitor everything using one dashboard or console. Setting up this collaborative information sharing between multiple products facilitates rapid detection and remediation of threats.
An EPP must provide a centralized console for managing endpoints and security functions. Centralization provides visibility into security threats as well as compliance issues and helps relieve IT teams from the burden of moving between screens to manually analyze threat information.
The ideal EPP console provides a user-friendly and configurable dashboard that includes alerts, key performance indicators (KPIs), and current security status. It should enable users to drill down into each endpoint and threat easily.