Signature detection technology remains the staple of endpoint protection. Although it is not capable of identifying advanced, novel threats, signature detection is a proven technique for identifying and blocking known threats. Every NGEP platform should include this core capability, and administrators should ensure that the platform receives daily signature updates from the vendor to protect systems against newly identified threats.

Behavioral monitoring approaches move beyond signature detection to analyze system behavior. If users start taking unusual actions, or if software behaves in an unexpected way, this may indicate a threat that managed to evade signature detection capabilities and gain a foothold in a system. Behavioral monitoring may detect these advanced threats and automatically quarantine them or flag them for further investigation.

Machine learning technology allows endpoint protection platforms to learn from past activity, creating new cybersecurity knowledge that can feed behavioral monitoring approaches. NGEP platforms that incorporate machine learning and artificial intelligence develop models of both user and system behavior over time and refine those models as behavior evolves. This active learning approach improves the accuracy of behavioral monitoring and accommodates natural changes that occur within an organization.

Centralized management is an important core component of NGEP platforms. Endpoint protection provides security at the endpoints distributed throughout an organization, but these distributed endpoints must be centrally managed. Centralized management lets administrators control the configuration of NGEP deployments, push security policies to endpoints and receive alerts generated from agents that reside on endpoints around the world. Centralized management facilitates reporting that can quickly spot trends and help administrators adapt and refine security controls.

Device control capabilities allow administrators to move beyond configuring the NGEP platform itself and use the platform to modify the security configuration of endpoint operating systems and hardware. For example, many threats enter an organization through malware that resides on USB sticks and other removable media. Device control technology can disable USB ports on endpoints, prohibiting users from accessing removable media without first seeking administrator intervention. 

Application control technology brings administrative control to the software running on endpoints. This may be through a simple blacklisting approach that uses signatures of known malicious (or unwanted) software and prevents users from launching blacklisted applications. Whitelisting, in which users are prevented from launching any software that does not appear on a list of approved applications, is a more effective approach, but it places an extra burden on administrators and may impose unacceptable constraints on user behavior.

Vulnerability protection seeks to supplement enterprise vulnerability management programs by proactively identifying missing patches, misconfigurations and other issues on Windows, Mac and Linux endpoints that attackers might exploit. In many cases, NGEP platforms may also trigger automated remediation of detected vulnerabilities, quickly correcting a problem before it leads to a security incident.

Threat intelligence provides NGEP platforms with access to real-time threat information. NGEP vendors are uniquely positioned to receive reports of malicious activity from thousands of clients across industries and around the world. Threat intelligence capabilities automatically analyze this information and deploy immediate updates to a vendor’s client base, allowing organizations to block IP addresses, update malware signatures and identify new adversary tactics quickly, providing rapid detection of evolving threats.

Endpoint detection and response capabilities allow organizations to automate significant portions of their incident response efforts, automatically redeploying defenses to protect systems and providing enhanced threat information to security professionals responding to an incident. EDR capabilities often integrate with security orchestration, automation and response platforms as a component of a well-rounded automatic response strategy. 

Root cause analysis and reporting features allow analysts to go beyond a basic response and drill down into the root causes of an incident. This capability is particularly important during the remediation and lessons-learned phases of an incident. After the immediate damage is contained, responders can perform a deep dive into the conditions that allowed an incident to occur and use this information in two ways. First, they can remediate the direct issues that contributed to the incident, preventing another attacker from following the same path to compromise. Second, they can extract generalized lessons from that experience, search for related pathways that an attacker might exploit in the future and remediate those proactively, blocking compromise attempts before they take place.

Threat hunting plays a crucial role in the toolkit of forward-thinking organizations that wish to ferret out the presence of sophisticated attackers on their networks. Some NGEP platforms offer advanced threat hunting capabilities, giving cybersecurity teams real-time access to endpoint information that provides vital clues during threat hunting exercises. Automation capabilities also allow the rapid notification of threat hunting teams when suspicious activity occurs on any endpoint in the organization, reducing the dwell time of attackers on compromised systems.