When thinking about anti-malware products, most people think Norton, McAfee, Webroot, Trend Micro and so on, but not too many people think of WatchGuard. Don’t they just make firewalls? Actually, that’s no longer the case.
For years, WatchGuard has had anti-malware software that talks to the firewall, known as Threat Detection and Response (TDR). With TDR already in place, why would you also need Endpoint Protection Detection and Response (EPDR)? The truth is, EPDR could be the layer of protection that puts you ahead of sophisticated threats when other anti-malware measures miss the mark.
WatchGuard acquired Panda Security in early 2020 with the intent to integrate it into their products, bringing both their hardware and software detections to a new level. Since WatchGuard makes firewalls (a security appliance) it makes sense that they’d offer a software-based security product.
How is EPDR Different?
We need to look at more traditional anti-malware products to know how EPDR is different. When we refer to anti-malware, that encompasses anti-virus. The traditional anti-malware software uses definitions or signatures to match malware and remove it.
Some products must download and install definitions, and some products, like Webroot, are cloud-based so they’re always up-to-date. This is how most anti-malware products have operated for years, and for the most part it works. But the threat landscape is changing, and more and more cyberattacks are happening every day. Isn’t it time the anti-malware product changes with the new landscape?
Now, I’m not saying the other products on the market are bad. We still have clients that utilize Webroot and that’s fine. Webroot is a good product but there are some other things that traditional anti-malware software might miss if something is brand new, like zero-day malware. Some products have features to block scripts and check links that you click on, but most of the time those link checkers require a browser add-in.
EPDR incorporates cloud-based signatures for malware, viruses, potentially unwanted programs (PUPs), root kits and more. There is also an engine that can block scripts, just like with traditional anti-malware software. But what makes EPDR different are monitoring tools that watch for processes, services and when configured, a zero-trust application model. But what does zero-trust mean?
“Known Bad” Software and Zero-Trust
“Known bad” software are threats with characteristics that allow them to be identified and flagged. Most anti-virus products need to have a signature to detect known bad software. If it’s not classified as known bad, it must be safe, right? Not so fast. Enter the zero-day ransomware.
Let’s say the software isn’t detected as known bad so it’s allowed to run. Now your system is encrypted, and your day has been ruined. With EPDR, if something is not known bad, it must be verified as “known good,” in accordance with the zero-trust model.
EPDR has definitions of hundreds of thousands of known good programs, including Adobe, iTunes, Google Chrome, etc. EPDR lets known good programs run but if the system doesn’t know if it’s good or bad, then it’s not allowed to run at all. In that case, EPDR uploads that unknown application to the cloud where it undergoes AI machine learning algorithms. It analyzes the program, and in 99.98% of cases, can determine if it’s good or bad. In the other 0.02% of cases, it goes to a human for a code review.
If the software comes back known good, the system automatically adds it to the global list and you’ll be able to run that program. If the program is flagged as bad, it gets added to the malware list and flagged as malware for other future users.
This concept makes a lot of sense—if you have known bad, why not have known good and then research everything in between? This model allows zero-day malware, scripts or other malicious stuff to be blocked, thus neutralizing the threat and keeping your network safe.
Additional EPDR Features
Regarding link-checking, with EPDR there is no add-in. EPDR monitors all traffic coming in and going out and can stop certain things from loading (as pre-defined by the administrator). This can be anything from malicious links, adult content, social media, etc. Most of the time you have to pay extra for web filtering software, but with EPDR it’s all included.
Other features of EPDR include a managed software firewall (replacing the job of the Windows firewall), device control such as preventing USB sticks from being used (this could also be controlled by group policy in a domain-joined environment), email attachment scanning, a convenient cloud managed web portal, analytics and reporting, remote commands (such as reboot or isolation mode) and more.
We are always on the lookout for products that offer that next level of security, and in the case of EPDR we feel certain this offering will take our clients’ security to the next level.
Our Technology Solutions Group includes a team of cyber security experts. We’re happy to meet with you for a free cyber security assessment of your organization’s IT infrastructure. Or, you can contact us online or call 410.685.5512 with any questions.