Security Architecture

Endpoint Protection Platforms (EPP)

EPP evolved as a response to advanced persistent threats and zero-day threats that old signature-based antivirus (AV) software could not stop. These platforms leverage advanced algorithmic capabilities inherent in artificial intelligence and machine learning and very often are delivered as subscription-based, cloud-managed solutions that include lightweight agents for endpoints.

EPPs detect, investigate and prevent known and zero-day file-based, fileless, and script-based threats – those that detonate immediately and those that dwell for days or months in a network before activating. In addition to being very powerful computing platforms that are constantly supplied with new data from global repositories, they integrate well with other on-premises and cloud-based security hardware and software tools for sandboxing, application control, data loss prevention, endpoint detection and response, and — very critical — with next-generation firewalls (NGFW).

In fact, EPPs are steadily growing to comprise all of those processes and technologies in a holistic framework. Here we drill down on two: Data Loss Prevention (DLP) and Endpoint Detection and Response (EDR).

Data Loss Prevention (DLP)

DLP encrypts and obfuscates sensitive data and prevents it from leaving the confines of approved corporate network resources. It monitors data at rest, data in use, and data in transit by identifying, classifying, and tagging the information. Built on rules and policies inside of a centralized management framework, DLP automatically triggers actions — such as alerting, encryption, or even purging data – to maintain system integrity.

DLP addresses three critical objectives: personal information protection, intellectual property protection, and data visibility.

The first, personal information protection, is a fundamental component of prominent regulatory compliance frameworks, including the European Union’s General Data Protection Regulations (GDPR), the California Consumer Privacy Act (CCPA), the Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley (GLBA), the Payment Card Industry Data Security Standard (PCI-DSS), and many more.

Because protecting personally identifiable information (PII) forms the basis of these government regulations, DLP is helpful on two fronts: It actually protects the PII in question and it provides compliance teams with the visibility and reporting capabilities required by auditors.

Endpoint Detection and Response (EDR)

EDR solutions also deliver on three critical points: endpoint data collection, anomaly detection, and analysis.

EDR systems pick up indicators of compromise (IoCs) on endpoints and are helpful in identifying threat techniques and blocking attacks. Built-in alerting and forensics capabilities keep staff informed in real-time while providing critical context about events. Many systems also help security teams discover potentially compromised endpoints and devices with “trace back” capabilities.

Next-Generation Firewalls (NGFW)

NGFWs retain the same purpose as their stateful inspection forebears – to consistently protect users, data and network resources from attack – but their integrated and powerful inspection, defense and prevention capabilities now dwarf those devices released just a generation ago.

TechTarget, a technology content and marketing company, sums up the features of NGFWs this way: “NGFWs combine many of the capabilities of traditional firewalls — including packet filtering, network address translation (NAT) and port address translation (PAT), URL blocking, and virtual private networks (VPNs) — with quality of service (QoS) functionality and other features that are not found in traditional firewalls. These include intrusion prevention, SSL and SSH inspection, deep-packet inspection, and reputation-based malware detection, as well as application awareness.”

Available as either physical or virtual appliances – or even delivered via the cloud as a SASE solution – now-ubiquitous NGFWs are core to every security architecture. No longer relegated to simple port and protocol inspection of north-south network traffic to detect malware or miscreants, NGFWs supply critical capabilities for establishing and supporting a comprehensive Zero Trust security strategy.

They allow security administrators to create and automatically enforce granular controls for what users and devices are able to do or access; enable microsegmentation of network and application flows to limit damage in the event of a breach; integrate with and boost the efficacy of 3rd party threat-intelligence solutions and technologies like SD-WAN; and — oh yes — they detect and prevent advanced threats stemming from malware, phishing, and other vulnerability exploits like buffer overflows, port scans and command-and-control maneuvers.