
KEY CRITERIA IN EVALUATING ENDPOINT SECURITY
ENDGAME BUYER’S GUIDE 2019
According to a recent report, the issue worrying most enterprise CISOs is that they have no idea how effective their endpoint security is, nor where the gaps are, until it is too late¹.
FACTS

◾ Your enterprise is at more risk of attack than ever².
◾ The proliferation of encrypted communication reduces the effectiveness of your perimeter security – if your users are even within your perimeter at all.
◾ Attackers look for the easiest point of entry: manipulating application vulnerabilities, operating system weaknesses, and lackluster device configuration and hardening, and using social engineering to subvert valid user activities and behaviors³.
◾ With breaches that circumvented air-gapped networks and stringent network hygiene, the endpoint has become the only place that attacks can be detected and prevented⁴.
◾ Stand-alone Endpoint Detection and Response (EDR) tools sing songs of enhanced security, but the majority of organizations do not have the staffing to add complex forensic-like tools⁵.
◾ Few Endpoint Protection vendors have integrated the prevention and visibility components together well enough to function as a cohesive platform, resulting in separate and confusing implementation and operations.

This lack of visibility makes it exceptionally hard to identify where to make changes and investments in endpoint security. The vast range of vendors, the potential complexity of poorly described protection capabilities, and the potential for increased operational demands placed on your security team all combine to create a state that favors status quo bias. Until it is too late.

Regardless of what stage of maturity you are at, this paper will provide you with the context and knowledge to begin asserting control over your endpoint security operations by using the three pillars that support a modern endpoint protection strategy.

1 | PREVENTION – Automatically stop as much adversary activity as possible

2 | DETECTION – Uncover adversary activity rapidly and accurately

3 | RESPONSE – Contain the threat, repair damage, address the root cause

¹ Metrics are used in only about half (54%) of SOCs. ©2018 SANS™ Institute, SANS 2018 Security Operations Center Survey.
² Regional Risks for Doing Business 2018. © 2018 World Economic Forum.
³ “The 2018 State of Endpoint Security Risk”. Ponemon Institute LLC © Research Report, October 2018.
⁴ 8 Ways Hackers Can Game Air Gap Protections. DARKReading. Copyright © 2018 UBM, InformationWeek IT Network.
⁵ 62% cite lack of skilled staff. ©2018 SANS™ Institute, SANS 2018 Security Operations Center Survey.
1 | PREVENTION

FILES, EXPLOITS, AND OFFICE DOCS

We all know that traditional Endpoint Protection was born of signatures, and everyone is painfully aware that the sheer scale of malicious files, and the ease with which a file can be altered, means that signatures no longer work for detecting bad files.

In the past decade, vendors have shifted to convicting files based on reputation, on behavioral analysis, on behavior when detonated in a sandbox, and of course on the mathematical analysis performed under the broad “Machine Learning” banner.

AV, or file-based prevention, is best known for taking place before any code is run on the device and is typically where machine learning (Endgame MalwareScore™) is currently most effective. These types of prevention are typically available for most of the traditional Windows-based portable executable (PE) file types.

Executable files are not the only type of threat that can be mitigated before code is run. Endgame has introduced MacroScore™, the first machine learning-based prevention technology that addresses one of the most successful attack vectors: malicious Microsoft Office documents. By analyzing the content of MS Office docs and applying machine learning classification to the script and macro actions embedded in them, it is possible to do what many Email Security vendors have failed to do: accurately prevent the most prevalent forms of phishing, ransomware, and PowerShell attacks delivered over email.

A hard lesson many organizations learned through 2017 and 2018 is that basic security hygiene like patch management is hard to implement at scale, and adversaries use this to their advantage to exploit unpatched or unknown application and operating system vulnerabilities. Contrary to the hype, zero-day vulnerabilities are less of a risk to most organizations than the commonly known but unpatched vulnerabilities which are targeted by malicious code in the wild.

Exploit prevention can cover a wide range of buzzwords and phrases like virtual patching, ransomware prevention, file-less attack prevention, and in-memory attack prevention. At a high level it recognizes and blocks attempts to make use of vulnerabilities and adversary techniques that are commonly used to steal credentials, deploy malware payloads, or encrypt the endpoint device as part of ransomware.

CORE PREVENTION COMPETENCIES TO LOOK FOR:

◾ Pre-execution blocking without a reliance on cloud look-up or signature distribution ensures full protection at all times, wherever the endpoint is.
◾ Prevent malicious Microsoft Office files before they have a chance to cause damage and loss.
◾ Increase the scope of prevention by preventing adversary behaviors and system tool misuse, not just file-based threats.

2 | DETECTION

ADDRESSING ADVERSARY ACTIVITY

With the rapid pace of change in today’s threat landscape, organizations need to consider not just the accuracy and efficacy of the malware prevention and adversary detection available, but also the efficiency of workflow needed to scale towards a security operations approach, without demanding complex training and without placing success pre-requisites on hiring experienced Digital Forensics and Incident Response (DFIR) staff.

“EDR users report that, although their tools were instrumental in ‘detecting the undetectable,’ they also delivered many other alerts that were not actionable in their environments.”
“Endpoint Detection and Response Architecture and Operations Practices” – December 13, 2018, Gartner Research

As no solution is able to guarantee complete prevention, it is critical to evaluate how the solution responds when these defenses are compromised. By comparing their existing security program to the MITRE ATT&CK™ matrix⁶, organizations can identify gaps in program coverage and prioritize the improvement of the skills, processes, and technologies necessary to eliminate them. The ATT&CK framework is built in such a way that organizations can choose where to prioritize based on their threat model and on the other mitigating controls deployed across their enterprise.

Endgame pioneered the use of the ATT&CK framework as an embedded part of the Endgame platform, and many other vendors are starting to follow suit. But highlighting an attack technique is only part of a valid solution. Alert fatigue is a real problem for organizations of all sizes; simply adding new alerts for detections is not going to help, especially when you consider that the use of common system tools can be flagged as suspicious.

Enterprises will find much greater value in platforms that enrich the alerts with data and context related to the incident. Endgame provides all of the information needed to quickly and accurately triage an alert, using visual representations of the origin and full extent of the incident, allowing analysts to act faster and with great confidence.

CORE DETECTION COMPETENCIES TO LOOK FOR:

◾ Validate how easily a junior analyst can use your EPP to answer: “is anyone misusing PowerShell in the enterprise?”
◾ A single platform that delivers incident investigation and searching, automatically detects suspicious activity, and provides guided threat hunting.
◾ Capabilities that allow organizations to reduce “Time to Detection” and “Time to Contain” by automatically providing easy-to-parse context about a security incident.

⁶ “How to Develop a Plan for MITRE ATT&CK” on our website: https://pages.endgame.com/the-best-plan-of-attack.html


3 | RESPONSE

CONTAIN, REPAIR, REMEDIATE

When a security incident is detected and triaged, the most important step a responder can take is to stop the adversary or malware from spreading any further. Isolating a device can be as simple as unplugging the device from the network or shutting the endpoint down. However, it’s highly likely that the responder will need further access to perform remediation, so the EPP must be able to completely restrict network communication but retain the ability to securely investigate and interact with the device.

A strong EPP will provide analysts with a guided response to resolve alerts in seconds and provide the ability to investigate further by way of file retrieval, deletion, quarantine, and terminating processes, and the ability to easily block similar malicious activity across the entire endpoint infrastructure. The guided response can assist in rolling back any changes that were made by the adversary and highlight the root cause of the problem so that remediation can be taken to prevent it occurring again. It can also indicate when it is a better use of time and resource to reimage or restore from backup before remediating the root cause and identifying any other related incidents impacting other devices.

Pivoting from a single incident to investigating the root cause broadly across hundreds of thousands of endpoints requires access to historical data. Many vendors provide a basic level of “free” data retention. Most, and especially those with an all-cloud approach, can only provide the bare minimum of storage. When the average dwell time is over 100 days, retaining data for a mere week will not give organizations the ability to perform true root cause analysis. It is these cases that result in the repeat of a successful attack with the same malware by the same adversary, because it was not possible to identify patient zero the first time.

Aside from data retention, the location of storage is a vital consideration. Many organizations require data sovereignty guarantees, and security-conscious enterprises look for the ability to control what data is stored where – whether it is on the endpoint, on a local server, or stored in the cloud. Rather than conform to an “all or nothing” cloud approach, the data storage and retention should fit the customer’s unique demands.

CORE RESPONSE COMPETENCIES TO LOOK FOR:

◾ The ability to immediately isolate any device, restricting network traffic to just the incident responders’ toolset and investigation platform, wherever the endpoint is.
◾ Investigation data must be retained for a useful period – 7 days is not sufficient when the average dwell time is >90 days – and data should be stored in locations that meet the needs of complex, security-conscious data privacy laws and regulations.
◾ Capabilities that allow organizations to reduce the “Time to Contain” and “Time to Respond” by providing strong, kernel-level host isolation and vendor guidance on the most appropriate response actions.

ABOUT ENDGAME
Endgame’s converged endpoint security platform is transforming security programs — their people, processes and technology — with the most
powerful endpoint protection and simplest user experience, ensuring analysts of any skill level can stop targeted attacks before information theft.
Endgame unifies prevention, detection, and threat hunting to stop known and unknown attacker behaviors at scale with a single agent. For more
information, visit www.endgame.com.
