Cisco’s EPP and EDR Can Protect Against Ransomware and Cyberthreats

What is EPP and EDR and How do they Stop Threats?

Cisco’s endpoint protection platform (EPP) delivers next generation AV using multifaceted prevention techniques that stops today’s complex attacks. An endpoint protection platform focuses solely on prevention.

Cisco’s endpoint detection and response (EDR) solution detects threats across your endpoint environment. It investigates the entire lifecycle of the threat, providing insights into what happened, how it got in, where it has been, what it's doing now, and how to stop it. By containing the threat at the endpoint, the EDR solution helps eliminate the threat and prevent it from spreading.

Because no EPP can successfully block 100 percent of threats, it should be paired with an EDR solution, which is why Cisco’s comprehensive endpoint security solution—Cisco Secure Endpoint—includes both EPP and EDR capabilities.

Going Deeper on Endpoint Protection Platforms (EPP)

EPP has evolved from a traditional anti-virus solution, providing preventative security on the endpoint—blocking known malware at the point of entry using built-in protection mechanisms, including signature-based malware defenses.

An EPP solution protects endpoints by preventing malware from getting onto your environment. Like a firewall blocks illicit access to the network, an endpoint protection platform solution blocks known threats to your endpoints.

However, anti-malware protection is not as simple as granting and denying access to your devices. This is because malware is clever; it can look harmless at one point and morph into something dangerous at a later time. And as we all know, malicious actors are persistent. They will try many tricks to sneak malware onto your environment, which is why also having EDR is so critical to network security.

Cisco’s EPP goes beyond traditional anti-virus solutions

Machine learning. Machine learning capabilities allow the endpoint protection platform to leverage large-scale data to determine the true malicious nature of files.

Threat intelligence. Expansive threat intelligence through Cisco Talos and telemetry from over 70M data sources that allows the EPP to leverage both historical and real-time data from billions of threats to automatically block known malefactors.

Sandboxing is Cisco's answer to zero-day threats as well as protection for unknown threats. This allows the endpoint protection platform to isolate and detonate suspect files in a safe environment and monitor the nature of the files without risking detriment to the rest of the system.

Going Deeper on Endpoint Detection and Response (EDR)

More sophisticated threats that evade perimeter defenses can wreak havoc across your network. Ransomware encrypts sensitive data and holds it hostage from the business until the financial ransom is collected. Meanwhile, malicious cryptomining sits stealthily on the network and exhausts your computing resources. An EDR solution can help you find, contain, and remove the threats fast so you can ensure the security of data on endpoints across your environment.

Key capabilities of endpoint detection and response

Detection. Threat detection is a foundational capability of an EDR solution. Upon entering your environment, you must be able to accurately detect the threat so you can contain and remove it. With continuous file analysis, an EDR solution will be able to flag offending files at the first sign of malicious behavior. If a safe file begins to exhibit ransomware activity, the EDR solution will detect it and alert your business.

Containment. After detecting a malicious file, an EDR solution must be able to contain the threat. Malicious files aim to infect as many processes, applications, and users as possible. A proper EDR solution can help contain a malicious file before testing the edges of segmented areas of the network. Once ransomware has encrypted information, your EDR needs to be able to fully contain it to mitigate the damages.

Investigation. Once the malicious file has been detected and contained, an EDR solution should investigate. Without proper investigative capabilities, your network will not gain insight into why a threat got through. Within a simulated, isolated environments such as sandboxes, an EDR solution will try to determine the nature of the file and understand the attributes of this malicious file and learn from it.

Elimination. The most obvious component of an EDR solution needs to be its ability to eliminate the threat. If you detect, contain, and investigate a threat, but cannot eliminate it, then basically your system continues to be compromised. For this reason, an EDR solution should provide retrospective capabilities, so this actionable data can be used to automatically remediate systems to their state prior to infection.

How Cisco Secure Endpoint with Built-in EPP & EDR Can Prevent Ransomware Attacks

Ransomware penetrates organizations in multiple ways, so fighting it requires a multi-front strategy. Cisco protects against ransomware with an integrated platform approach across a breadth of critical control points backed by best-in-class threat intelligence and research from Talos.

Malicious activity protection. Secure Endpoint continually monitors all endpoint activity and provides run-time detection and blocking of abnormal behavior of a running program on the endpoint. For example, when endpoint behavior indicates ransomware, the offending processes are terminated, preventing endpoint encryption and stopping the attack.

Behavioral protection. Secure Endpoint’s enhanced behavioral analysis continually monitors all user and endpoint activity to protect against malicious behavior in real-time by matching a stream of activity records against a set of attack activity patterns which are dynamically updated as threats evolve.

Exploit prevention. Memory Attacks can penetrate endpoints, and malware evades security defenses by exploiting vulnerabilities in applications and operating system processes. The exploit prevention feature will defend endpoints from exploit-based, memory injection attacks.

Dynamic file analysis. Secure Endpoint includes a built-in, highly secure sandboxing environment, powered by Cisco Threat Grid, to analyze the behavior of suspect files. File analysis produces detailed information on files.

SecureX Threat Hunting. Is a proactive analyst-centric approach to detecting hidden advanced threats. It tells the incident responders a narrative of how an attack was spotted or how it evolved and what to do next in terms of response. The purpose is to discover and thwart attacks before they cause any damage.

Ransomware investigation and response. Cisco SecureX is a cloud-native, built-in platform that connects our Cisco Secure portfolio and your infrastructure. Cisco Talos Incident Response has developed a ransomware plan of action (PoA) for incident response, tested and validated in multiple compromised environments.