Endpoint Protection: Measuring the Effectiveness of Remediation Technologies and Methodologies for Insider Threat

Conference Paper · October 2019
DOI: 10.1109/CyberC.2019.00023
ResearchGate record: https://www.researchgate.net/publication/338364311
Uploaded by Sonali Chandel (New York Institute of Technology) on 06 January 2020.


2019 International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery (CyberC)

Endpoint Protection
Measuring the effectiveness of remediation technologies and methodologies for
insider threat
Sonali Chandel, Sun Yu, Tang Yitian, Zhou Zhili, Huang Yusheng
College of Engineering and Computing Sciences, New York Institute of Technology, Nanjing, China
{schandel, ysun33, ytang11, zzhou23, yhuang66}@nyit.edu

Abstract - With the increase in the incidence of data leakage, enterprises have started to realize that the endpoints (especially mobile devices) used by their employees are the primary cause of data breaches in most cases. Data show that employee training, which aims to promote awareness of protecting the organization's sensitive data, is not very effective. Besides, popular third-party cloud services make it even more difficult for employees to keep the secrets of their workplace safe. This pressing issue has caused the emergence of a significant market for software products that provide endpoint data protection for these organizations. Our study discusses methods and technologies of traditional, negative (passive) endpoint protection, the endpoint protection platform (EPP), and of a newer, positive (active) approach, endpoint detection and response (EDR). A comparison and evaluation of EPP and EDR in mechanism and effectiveness is also given. The study also analyzes the merits, faults, and key features that an excellent protection product should have. The objective of this paper is to help small and large companies improve their understanding of insider threats in a rapidly developing cyberspace full of potential risks and attacks, and to gain better control over their employees' endpoints so that future data leaks can be avoided. It should also help negligent users comprehend how serious the problem they face is, and how careful they should be with their privacy when using the Internet while connected to the company's network. Finally, the paper aims to contribute to further research on endpoint detection and protection by trying to predict the future of protection products.

Keywords—Endpoint protection, Endpoint detection and response, Endpoint protection platform, Data leakage, Privacy, Insider threat, Data breach

I. INTRODUCTION

Endpoint security or endpoint protection is an approach to protecting computer networks that are remotely bridged to client devices [1]. Many of the electronic devices we use, such as mobile phones, laptops, and tablets, are endpoints. Connecting laptops, tablets, mobile phones, and other wireless devices to corporate networks creates attack paths for security threats [2]. No one wants to be disturbed or eavesdropped on when sending or receiving messages over the network. As a result, endpoint security has become a hot topic for researchers in the cybersecurity area.

Laptops and mobile phones have become an essential part of modern life. The owner of an enterprise must identify features and standard methods for protecting the most vulnerable endpoints. A phishing link in an e-mail can give a hacker access to company secrets, and a third-party "cloud" service can quickly become the hacker's target as well. While many large organizations take a more sophisticated approach to endpoint security by using different, specialized products for the tasks of prevention, detection, and response, a growing trend is to implement a single, "all-in-one" solution that enables centralized management of multiple security functions instead [3]. Companies look for software that covers all of the tasks mentioned above so that it can help them defend against the threat.

For IT decision-makers, the present time is crucial for increased investment in stronger endpoint protection. Of 113 respondents in the 2018 Endpoint Security Spending and Priorities Survey conducted by Barkly, advanced malware protection and prevention was by far the highest priority for most companies in 2018 [4]. According to the 2018 Insider Threat Report, at least 27% of the companies surveyed agreed that insider threats are causing much more damage than ever before, and at a higher frequency. In the same report, 53% of companies also reported that they had experienced an insider attack more than once in the last year or so [5].

Insider threat is a generic term for a threat to an organization's security or data that comes mostly from within the organization [6]. For many companies, the security of information is the most significant concern. At the same time, insiders are the biggest target for hackers, because they are hard to detect and can easily be manipulated into breaching the firewalls in use. Many hackers target insiders to steal data or infiltrate the system, mostly through social engineering. In the recent past, many companies have been targeted this way; Facebook, Sony, and LinkedIn are examples among many other prominent companies.

There are several ways and tools to defend an endpoint. In this paper, we focus on two of them, namely the endpoint protection platform (EPP) and endpoint detection and response (EDR). EPP is a platform that consists of different security tools such as antivirus, anti-malware, data encryption, personal firewalls, and intrusion prevention. EDR, with specific functions such as continuous monitoring, remediation, and no interference with the endpoint, has become a popular way of detecting and responding accordingly when it comes to insider threats.

In Section I, the content of the article is briefly introduced. In Section II, related work on insider threats is reviewed. In Section III, the essential features of the endpoint protection platform are introduced. In Section IV, the drawbacks of the endpoint protection platform are discussed. In Section V, endpoint detection and response is presented, and its disadvantages are mentioned as well. In Section VI, an effectiveness comparison between the endpoint protection platform and endpoint detection and response is

978-1-7281-2542-8/19/$31.00 ©2019 IEEE
made. We have proposed a model with the help of some situations and factors and calculated the full effectiveness and
information that we obtained from test corporations and efficiency of them. Using our proposed model, we can obtain
conduced the formula of the effectiveness of different products. the formula of efficiency ratio of two products, and we can
In section VII, the conclusion is made, and future work is predict which one of them is more efficient under different
discussed. circumstances. In the proposed model, we obtained the
equation of efficiency ratio. Using Matlab, we drew graphs and
II. RELATED WORK curves to visualize the change of efficiency trend with the
The insider threat has already been one of the biggest evolution of different factors. This will help our readers to
problems in the field of cybersecurity in the present times. understand our research more efficiently.
Many tasks related to the insider threat has been done, and III. A PASSIVE WAY TO DEFEND THREAT: FEATURES OF
many papers have presented several ways to detect the insider
ENDPOINT PROTECTION PLATFORM
threat by proposing different models and architecture. Many
experts have tried to identify the risks by introducing new Endpoint protection platform (EPP) is a traditional,
algorithms as well. signature-based, negative endpoint protection software. The
primary mechanism it uses to protect the endpoint is to match
In [7], the author introduces a framework that uses
the signatures of threats already stored in the database to
different modules to detect insider threat based on algorithms determine if it is harmful or not. EPP is a set of software tools
and functional methods. One algorithm in [8] called GP also
and technologies that enables the security of endpoint devices
achieved this function. Another mathematical method [17]. The main procedure of treating the threat of EPP is shown
discussed in [9] claims to help in managing the authorized
in Figure 1. When the threat penetrates the firewall, the Host
admins to detect the insider threat. Some even propose that we Intrusion Detection System (HIDS) detects the threat and
could utilize a system-based architecture called directory
determine whether it is malicious or not. The malicious ones
virtualization [10] to detect the insider threat. Machine will be mitigated by Host Intrusion Protection System (HIPS).
learning is another essential aspect of the modern internet, and The following sub-section lists the main features of EPP.
in [11], a detection method based on machine learning is
discussed.
In [12], the author presents a tool called user behavior
analytics and gives a clear architecture and design idea of this
software. Some white hat hackers even think about an idea that
could utilize “decoy file” [13] to attract the insider threat’s
attention and then trap them. Different situations of insider
threat have been discussed in [14]. [15] discusses different
categories of detection tools. In [16], the author discusses the
“insider threat infiltrates database system” situation in detail
and briefly discusses how to handle the insider threat at an
early stage.
Most of these papers mentioned above focus on new methods
to detect the insider threat. It can genuinely contribute to the
development of the detection method. However, in articles [7] 
[9] [8] [11] [12], they do not mention a mature product that
could help simple consumer and clients to defend the insider Figure 1. Process of how EPP address threats
threat. In [10] and [13], they have proposed practical methods
to handle insider threat, but they did not discuss the mature A. Detection
production. Another flaw is that they are all a little outdated.
Insider threat mutates so quickly that the method they present The most significant part of the endpoint is its detection.
may no longer be useful. EPP, like traditional antivirus software, has a complete
signature identity function. There are large amounts of the
Survey papers [14, 15, 16] is related to the topic of our article. database with the virus’ signature. This database can be used
In [14], the author mainly discusses different scenarios of to identify each kind of already known viruses. The matching
insider threat attacks. However, it does not prove any solution procedure is based on different algorithms. Each security
for that. In [15] and [16], they have described some tools in company has its algorithms to detect the threat.
detail to defend the insider threat. However, they did not
mention their features and effectiveness or any comparison As we know, EPP is a union of different software. The
between those tools. Our goal is to solve all these problems mechanism used by most of them is intrusion detection.
mentioned above. Intrusion detection is a significant method of EPP. It is the
process of monitoring the events occurring in a computer
We have presented distinct and detailed information about system or network and analyzing them for signs of intrusions
different types of threat detection and response technologies in [4]. IDS can help users defend the attackers and complete the
our paper. The reader can quickly and clearly understand the procedure of intrusion detection. Signature-based detection is
functions, features, merits, and flaws of each one of them. just one of the detection methods used, but it is the most widely
Besides, we have also presented a comparison between EPP used method. HIDS monitors and collects the characteristics
and EDR through gathering information and establishing a for hosts containing sensitive information and servers running
model of our own. We have analyzed them under different public services, and suspicious activities [18]. It is the most

common system for defending against intrusion.

B. Protect the infected system

Detection is certainly an essential part of endpoint protection. However, no matter how prudent users are, sometimes they still face a situation where viruses infect the system or the network through the endpoint. Organizations must eliminate any possibility of external invasion through the endpoint to keep their systems secure. The protection function aims to eliminate a virus that is already inside the system, as the source that may cause significant devastation. It is crucial because if the EPP system takes no action, the virus will infect the whole system; it supplies a way to remedy mistakes. EPP uses another algorithm for HIPS. HIPS must work with HIDS. However, the significant difference between HIDS and HIPS is that HIPS annihilates the threats that HIDS has identified as malicious. A HIPS has a mechanism for automatically mitigating the detected risk [19].

C. Whitelist and Blacklist

The whitelist/blacklist function is another vital function that EPP provides, and "blacklist and whitelist" is treated as one of the significant solutions for endpoint security. EPP has its own database about viruses and will automatically blacklist or block software or files that are considered malicious. With the help of the whitelist, users can still access software or data, as a whitelisted application is marked safe for the system or network.

IV. WHY IS THE ENDPOINT PROTECTION PLATFORM NOT FOOLPROOF?

With its enormous merits, EPP is treated as a perfect guardian of the endpoint. However, EPP begins to show its flaws when confronted with advanced hacking methods. EPP uses a massive database of virus signatures, and as a result the matching process wastes many resources. Sometimes virus signatures cannot be matched in time because viruses mutate very fast. However, the most significant flaw of EPP is that it cannot defend against insider threats, which have become one of the most popular methods of hacking these days. Some weaknesses of EPP are listed in the following sub-sections.

A. Matching signatures needs too many resources

A considerable number of viruses are developed every day. An antivirus must record all of their signatures to guarantee the security of the endpoint. This also means that the signature database is so extensive that users must spend much money on storage for it. Users also have to commit a significant amount of their devices' resources when they scan their device with the antivirus. It is an advantage that these large numbers of threats can be detected and dealt with; however, it also means that it can take a considerable amount of resources to run through each of these signatures and match them against a scannable resource (files, network traffic, etc.) [19]. "Cloud scan" is one method of solving the resource problem: the organization invokes a database of signatures from the cloud to match the files' signatures on the local computer. Many third-party companies provide this service, and users can quickly notice that the running efficiency of their devices drops very sharply when it is under attack.

B. The proportion of fileless attacks is on the rise

Viruses are mutable. Hackers develop a new virus by transforming the existing features and changing the known signature to avoid detection by EPP. Creating a virus with a unique signature is child's play now, thanks to the nearly automated virus construction kits that have filled the Internet over the past several years [20]. The Ponemon Institute's State of Endpoint Security Risk Report for 2018 revealed that 54% of organizations admitted to having been the victim of a successful fileless or file-based attack. Of all the organizations compromised, 77% were attacked by fileless techniques. The report also indicated that fileless attacks are ten times more likely to succeed than traditional, file-based methods [1].

Fileless attack techniques that exploit a fundamental gap in traditional endpoint security are on the rise, and current solutions are not able to stop them [21]. If the HIDS cannot match a signature, the HIPS will not act, which in turn causes the protection to fail completely. A HIDS typically runs on the operating system, which means it can be compromised by malicious insiders or malware [25]. Figure 2 shows that the frequency of fileless attacks is growing more rapidly than ever [21].

Figure 2. The growth of fileless and file-based attacks from 2016 to 2018

C. Many functions require the Internet

"Cloud scan" can be a solution for avoiding the consumption of too many resources while scanning for the signatures of known threats. However, using cloud scan requires being connected to the cloud server and keeping the device or system connected to the network all the time. For example, Data Loss Prevention (DLP) is an essential component of EPP. DLP is a strategy for making sure that end users do not send sensitive or critical information outside the corporate network [22]. However, to make DLP work, the EPP typically must connect to the Internet, or it will not work. Not only for cloud scan: users must also connect to the security company's server, as this is the only way to get the latest updated data, security patches, and information regarding recent threats.

In some cases, if one endpoint has already been infected, the virus will spread into the system and the network very fast. This can happen even if an employee connects the infected device to the corporate network unintentionally. Therefore, employees need to be very careful when connecting to the corporate network. Sometimes EPP cannot detect this kind of threat and, as a result, cannot eliminate it either. Such situations can lead to a massive loss for the company.

D. Insider threats can cause more damage than external threats

Many different reasons can lead to data leakage. However, the main reasons for information leakage can be divided into two categories: accidental exposure and malicious exposure [23].

• Accidental exposure: Accidental exposure stems from negligent actions taken by employees, such as poor password security or unauthorized downloads of infected software and applications without the IT department's knowledge or permission [23]. A phishing e-mail is another widespread factor that leads to the insider threat. Most insider threats are employees of a company who are manipulated by hackers to obtain the data they want. The insider threat is more powerful than any external attack because an employee can provide easy access to the company's system. The only solution is to educate and train employees and improve their awareness of data privacy and security [6].

• Malicious exposure: Malicious exposure is another situation that is very common when it comes to data theft. It stems from a criminal motive, such as a competing company or revenge by a former employee who intends to destroy the whole system of a company or at least the part they have access to. They can achieve this by releasing malicious software into the company's network or system. However, this behavior can be eliminated with the help of defensive tools like EPP.

Figure 3 [5] shows that there is a considerable increase in hacking through endpoints to gain access to a corporation's confidential and commercial secrets. Hackers' attacks have made the endpoint security situation more severe than ever before. Besides stealing sensitive data, the targets of these attacks range from financial information to operational data, as these data are top secret. The leakage of these data causes severe loss to a company, as it loses its clients' or employees' data. Therefore, enterprises need to be vigilant about insider threats [2]. The complete procedure of how an insider threat spreads and infects the entire system is shown in Figures 4, 5, 6, and 7. Many attackers have begun to use new kinds of threats with no known signature to avoid detection by antivirus and EPP. In such cases, EDR becomes another solution for protecting the endpoint.

Figure 3. Different data sources under hackers' radar
Figure 4. One trusted endpoint is infected
Figure 5. The virus infects the server through an internal network
Figure 6. Whole internal network and endpoints are infected

V. SOLVING MOST DRAWBACKS OF EPP: FEATURES OF ENDPOINT DETECTION AND RESPONSE

Passively waiting for traditional security countermeasures to detect attacks is not enough. Proactive threat hunting, led by human security experts, is a requirement for any organization looking to achieve or improve real-time threat detection and incident response [24]. An endpoint detection and response (EDR) system is advanced, positive (active) endpoint protection software. Threat intelligence is an essential feature of EDR. It can also supply anomaly detection and alerting, and remediation of an internal network that has been infected. EDR products can also use machine learning to predict and avoid threats. The main features of EDR are listed in the following sub-sections.
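Before turning to the EDR features, the EPP mechanics of Section III (a HIDS verdict feeding a HIPS action, a signature database, whitelist and blacklist) and the drawbacks of Sections IV.A and IV.B (per-signature matching cost, and trivial mutation defeating signatures) can be seen in miniature in the following Python example. It is added here and is not code from the paper or from any product; the signatures, file contents, hashes and paths are constructed for the demonstration.

```python
"""Toy EPP pipeline: a signature-based HIDS verdict feeding a HIPS action.

Added example for this article, not code from the paper or from any product.
Signatures, file contents, hashes and paths are constructed for the demo.
"""
import hashlib
import re
from dataclasses import dataclass, field

# Constructed signature database standing in for an EPP vendor's virus DB.
PATTERN_SIGNATURES = {
    "Test.Marker.A": re.compile(rb"CONSTRUCTED-TEST-MARKER-DO-NOT-RUN"),
    # launcher that hands PowerShell a base64-encoded command
    "Dropper.EncodedPS": re.compile(
        rb"powershell(\.exe)?\s+-enc(odedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
}
HASH_BLACKLIST = set()   # exact known-bad files (filled in demo())
HASH_ALLOWLIST = set()   # whitelisted business software, never blocked


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Verdict:
    malicious: bool
    reason: str
    comparisons: int      # signature work spent on this object (Section IV.A)


def hids_scan(data: bytes) -> Verdict:
    """Detection stage: whitelist, then hash blacklist, then every byte pattern."""
    digest = sha256(data)
    if digest in HASH_ALLOWLIST:
        return Verdict(False, "whitelisted", 1)
    if digest in HASH_BLACKLIST:
        return Verdict(True, "hash-blacklist", 1)
    comparisons = 1
    for name, pattern in PATTERN_SIGNATURES.items():   # cost grows with the DB
        comparisons += 1
        if pattern.search(data):
            return Verdict(True, name, comparisons)
    return Verdict(False, "no-signature-match", comparisons)


@dataclass
class Hips:
    """Prevention stage: acts only on what the HIDS stage flagged."""
    quarantine: dict = field(default_factory=dict)

    def handle(self, path: str, data: bytes) -> str:
        verdict = hids_scan(data)
        if verdict.malicious:
            self.quarantine[path] = (verdict.reason, sha256(data))
            return f"QUARANTINED {path} ({verdict.reason})"
        return f"ALLOWED {path} ({verdict.reason})"


def mutate(sample: bytes) -> bytes:
    """Attacker side (Section IV.B): XOR-encode the body with a one-byte key so
    neither the hash nor any byte pattern matches; a real dropper would decode
    it in memory at run time, where a static signature never sees it."""
    return bytes(b ^ 0x5A for b in sample)


def demo() -> dict:
    known_bad = b"MZ..stub..powershell -enc SQBuAHYAbwBrAGUALQBFAHgAcAByAGUAcwBzAGkAbwBuAA=="
    repacked = (b"@echo off\r\npowershell.exe -EncodedCommand "
                b"SQBuAHYAbwBrAGUALQBFAHgAcAByAGUAcwBzAGkAbwBuAA==\r\n")
    trusted = b"MZ..constructed accounting tool v4.2.."
    marker = b"harmless wrapper CONSTRUCTED-TEST-MARKER-DO-NOT-RUN end"
    HASH_BLACKLIST.add(sha256(known_bad))
    HASH_ALLOWLIST.add(sha256(trusted))
    hips = Hips()
    results = {
        "known_bad": hips.handle("C:/Users/a/Downloads/invoice.exe", known_bad),
        "repacked": hips.handle("C:/Users/a/Downloads/update.bat", repacked),
        "test_marker": hips.handle("C:/tmp/marker.txt", marker),
        "trusted": hips.handle("C:/Program Files/Acct/acct.exe", trusted),
        "mutated": hips.handle("C:/Users/a/Downloads/invoice2.exe", mutate(known_bad)),
    }
    results["quarantined"] = sorted(hips.quarantine)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:12} {outcome}")
```

The whitelist short-circuits before any signature work, the hash blacklist catches the exact known file, and the byte pattern still catches the same encoded command after repacking; but the XOR-encoded copy of the very same sample returns "no-signature-match" after every pattern has been tried, which is the case in which the HIPS stage has nothing to act on.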

there are no residues of the virus. They can also repair the
damages caused by viruses to maintain the security of the
internal system.
D. Observe without interference
“No one wants to burden the endpoint with heavy client
software anymore: that was one of the antiviruses’ biggest
drawbacks.” [27]. As one of the security researchers from the
Office of Information Technology said, antivirus needs to be
installed in the user’s devices, which wastes many resources
of the endpoint. However, when it comes to EDR, it can just
execute in the kernel of the network with its endpoint detection
component. For example, a network manager can install EDR
in the company’s server instead of every device of the
employee. This will protect the entire internal network of the
 organization.
Figure 7. The process of insider threat infecting the entire internal network E. Using machine learning to detect unknown threats
Machine learning is a subset of artificial intelligence in the
A. Threat intelligence
field of computer science that often uses statistical techniques
Threat intelligence, also known as Cyber Threat to give computers the ability to "learn" with data, without
Intelligence (CTI), is organized, analyzed, and refined being explicitly programmed [28]. By using machine learning,
information about potential or current attacks that threaten an EDR also becomes a “clever” platform, which is its another
organization [25]. Avoiding risk is much safer and more advantage compared to EPP. Predictive models use
reliable than putting the available data and network under risk sophisticated analytical techniques, such as deep learning, to
and then trying to fix it. EDR is not only a protection software, understand the characteristics of malware and “predict” the
but its threat intelligence function allows it to warn corporates likelihood of malware from unknown applications. This
about the potential risks and threats. It can provide some enables them to block never-before-seen attacks with a high
information about the threat, which is collected by the server degree of certainty [26]. Machine learning can improve the
of EDR. This kind of intelligence will facilitate the elimination ability to identify the threats that they have never encountered
of the insider threat by analyzing the information and data before. In such conditions where threats are mutable, this
about the insider threats that happened in the past rather than ability may become the most significant merits of EDR and the
predicting the latent risk. reason why most companies prefer to use it now.
B. Continuous monitoring F. Highly customizable
The only way to detect abnormal endpoint behavior is Another feature of the EDR product is that it can adjust
enhancing its control. If one endpoint is infected, EDR will itself to suit a company’s environment. Every company has its
detect the unusual activity of that particular endpoint unique distinguishing environment. Scanning from the root or
immediately and isolate it instantaneously. They can supervise a folder? Are essential files stored in disk C or D? Mitigating
endpoints dynamically, which means they shall test endpoint false positives? These functions require machine learning and
incessantly and automatically. Furthermore, it can supply CPU AI ability, which exactly are the most significant advantages
protection that can defend the kernel of the server. More of EDR. “Sophisticated endpoint protection providers can take
sophisticated behavior-based protection will include visibility the burden off of the admin by developing protection models
into activities at lower levels of the system, including CPU. that are automatically tailored for each organization by using
Visibility into CPU-level is active for blocking malware that machine learning to analyze the organization’s unique
attempts to manipulate and make changes in memory, software profile” [34].
including many exploits [26]. Powerful EDR tools enable easy
access to this data, providing immediate visibility to any area Through machine learning, EDR can filter a standard
of the organization. Consistent monitoring makes it impossible software from a malware, know which part it should focus on
for the threat from spreading through the endpoint [27]. when scanning, refine its’ effectiveness as time goes by, save
more resources than an unfit, unintelligent EDR production.
C. Remediation and cleanup Because of these advantages, EDR has become very popular
Once abnormal endpoints are cleaned up, the escalation of in many organizations. Many organizations are replacing EPP
the virus stops. One may think that the whole system is clean with EDR to protect their network system. However, EDR is
and safe. However, the presence of the advanced virus can act not a panacea. Some of EDR’s drawbacks still puzzle the
as an ink drop into pure water. It will diffuse to the other part companies. Very high false-positive rates and the requirement
to infect the internal network very fast. of highly trained operators are two of the most significant
flaws of EDR.
Moreover, every residue of that can generate virus again.
This is one of the biggest drawbacks of EPP as it cannot deal How to mitigate the high false-positive rates is a crucial
with the complete internal network but only a part of the feature to estimate the effectiveness of an EDR product. High
endpoint. EDR can scan all the internal networks to guarantee frequency of false positives will lower the productivity of an
organization. “Some endpoint protection models force a trade-
off between the strength of protection and false positives - they

85
take a heavy-handed approach that blocks malware but also is 99.3%, and the average false-positive rate is . With the
flags much legitimate software in the process” [30]. An EDR
production with strict protection mechanism can certainly help of these data, we can divide EPP into two states:
block most of the threats, but sometimes they will treat normal x Protection—EPP detects the threat and report
software as malware as well. In such situations, it will cause successfully.
much trouble, such as not allowing access to a normal file in x Compromise—EPP does not detect threats and allow
the way it is usually done. them to invade the system successfully.
EDR is an advanced technology to deal with cyber and Protection states could be further divided into two situations:
network threats. The more advanced it is, the more the
requirement for the operators who run it. The company would x True report—threats truly invade, EPP detects it and
need to hire a highly trained operator to control the entire EDR reports.
system, which ultimately increases the cost to the company. x False-positive—there is no actual threat invasion, but EPP
Surely, it is not a very big problem for a large company but mistakes it for threat invasion and reports.
some medium or small-sized companies it becomes a We assume R as the rate for EPP to get into protection states.
significant concern, as they must consider the increasing cost We know that R is 99.3% from statistical data collected by
concerning their information security. [31] AV-C company [33], so the formula could be represented as
Table.1 concludes the summary of the main features of EPP follows:
and EDR mentioned above. 2983

Table.1. Comparison between EPP and EDR ⎪ 3000
(99.3%)
17 (1)
EPP EDR ⎨
Unification of different Actively detect and eliminate ⎪ 3000
Rationale ⎩ (0.07%)
passive functions threats
Databases of virus’ Threat intelligence function
Table (continued from the previous page; the column headers are on that page):
… signature
Functions: Supervise endpoints dynamically; Repair the damage caused by a virus; HIDS and HIPS; Detection function running in network kernel; Use machine learning to detect an unknown threat; Blacklist & white list; Highly customizable
Drawbacks: A matching signature needs too many resources; High frequency of false positives will lower the productivity of the organization; Detection of virus signature is outdated; The requirement of highly trained operators; Cannot defend insider threats; Many functions require internet

VI. WHICH IS BETTER: EPP OR EDR?

Having introduced the fundamental concepts of the two products, we now propose a model to compare the effectiveness of both.

A. The EPP Model

First, we built a model for EPP. We know that EPP is a passive defender and uses virus signature matching to detect threats. Moreover, as we mentioned in section IV earlier, two disadvantages stand out:
• It reduces the efficiency of the system because it consumes too many resources, which lowers the productivity of a company.
• Signature-based detection leads to false positives.

According to the statistical data from the AV-TEST company [32], we found that the average efficiency reduction caused by running EPP is 12.5%. In addition, according to the statistical data from the AV-C company [33], we found that the average protection rate

Because we have to take the performance of the computer into account, we assume that:
• y is the lost productivity of one company;
•  is the work efficiency of one company;
•  is the time that is needed to eliminate the threat;
•  is the working hours.

According to the eight-hour workday system implemented by many companies, we assume  is equal to eight hours. Therefore, the formula for the true-report state is:
y = 12.5%   (2)

Considering the states of EPP and according to equation (1), multiplying the probability of protection by the probability of a true report, we obtain the probability of a true report as 99.3% × .

Now consider the false-positive state. The formula for a false positive is:
y = 12.5% ( − )   (3)
where  is the time that cannot be put to work because of false positives. According to the service terms of some EPP companies, they need 1-2 working days to resolve false positives, so this can be treated as 8-16 hours. Considering the state of EPP and according to equation (1), multiplying the probability of protection by the probability of a false positive, we obtain the probability of a false positive as 99.3% × .

In the worst situation, which is a compromise:
y =   (4)

Since the probability of protection is R, and EPP has only two states, protection and compromise, we get the probability
of compromise as 1-R, where R is 99.3%. Therefore, the compromise state happens at a rate of 0.07%.

Then we calculate the weighted average of all three cases and finally get the average productivity loss as follows:
y = 0.124  − 0.007  + 0.0007   (5)

Using equation (5), we used MATLAB to draw the trend map. In figure 8, we find that the intercept on the Y axis (loss) is 2, and the value of Y increases slightly with the increase of X. The reason for this trend is that the probability of compromise is very low, so even if  (the time needed to eliminate the threat) changes a lot, it does not have a big impact on the company's economic losses. The Y intercept starts from 2 because running EPP slows the system down, which leads to a decrease in productivity.

Figure 8. The trend of EPP loss ( is 8h,  is 24h,  is 1)

B. The EDR Model

We know that the EDR system defends against a threat very actively. The basic concept of EDR is that it can gain threat intelligence to help users predict a potential threat and then protect against it in advance.

We assume R is the probability of EDR entering the protection state. The value domain of R should be [0, 1], as it is a probability. We design a specific parameter ( ) for EDR. ( ) is a function of R, which represents the reduction, as a proportion, of the invasive time of the threat. For example, when a virus invades and causes system paralysis (a state where the machines cannot work) for 1 hour, EDR can reduce the severity of the virus invasion by collecting intelligence, thus reducing the severity of the paralysis event. When ( ) = , the virus can only paralyze the system for half an hour. R is inversely proportional to ( ), but both of them are smaller than 1. The higher the probability R, the more information EDR has, which means the shorter the time of system paralysis. Therefore, the formula of EDR is:
y =  ( )   (6)

Then we calculate the weighted average of the two cases and finally get the average productivity loss as:
y = R ∙  ( )   (7)

Taking the actual state of most EDR products into account, we decided to change the domain of R to [0.5, 1]. As the defense rate of most EDR products is higher than 95%, R should not be between 0 and 0.5. In our model, we assume ( ) = 1 − . Based on the above assumption, we get figure 9.

Figure 9. The trend of EPP loss ( is 8h, and  is 1)

As shown in Figure 9, as R increases, the loss of the company decreases dramatically. When R reaches 1 and Loss reaches 0, all the viruses are defended against.

After taking values of  multiple times in MATLAB and experimenting, we found that if the parameters are too large or too small, the trend fluctuates in either a very large or a minimal range, and  = 10 is the most reasonable value, which makes the image show its trend in a reasonable range. So, in this graph, we assume  = 10h as the average time for most EDR products to clean up the invasive viruses. However, we know that  varies from virus to virus, so we decided to take this unknown value into account and draw a 3D figure. In figure 10, we can see that with the increase of R and , the loss of the company increases, which fits the real situation and verifies the effectiveness of our model.

Figure 10. The trend of EDR loss ( is 8h, and  is 1)
C. Comparison of EPP and EDR

After obtaining the data and figures for EDR and EPP, we combined them into one figure and compared their efficiency.

In figure 11, we can see that there is an intersecting boundary between EPP and EDR. By solving the simultaneous equations of function (5) and function (7), we got the equation of the boundary as follows:
 = 0.8240 / (( ) − 0.0007)   (8)

Figure 11. The combined trend of EPP and EDR loss ( is 8h,  is 24h and  is 1; the red plane is EDR, and the blue plane is EPP)

Therefore, to the left of this boundary, the blue plane is above the red plane, which means that the loss with EPP is higher than with EDR. This is the exceptional situation in which the success rate R of EDR is high and the paralysis time caused by the threat is short. So the best choice under such circumstances is EDR, and the prerequisite is:
 < 0.8240 / (( ) − 0.0007)   (9)

To the right of the boundary, the red plane is higher, and the best choice in that case is EPP. The prerequisite is:
 > 0.8240 / (( ) − 0.0007)   (10)

EDR, once compromised, will be paralyzed for a long time. Therefore, the rate of increase of this plane is significant. Once the defense succeeds, it does not have to bear the cost of slowing down the system, so the loss of productivity can be as low as zero. EPP is the opposite: it pays the price but runs stably, and it is not influenced dramatically by the threat.

VII. CONCLUSION AND FUTURE WORK

We have several methods to defend against insider threats. However, the most popular and widely accepted ways are EPP and EDR. We found that they have different effects in different situations. EPP is good at dealing with external threats. EPP can effectively protect endpoints through its component functions such as HIDS, HIPS, and antivirus. It can detect and eliminate risks outside the system itself. There are certainly some disadvantages of EPP as well, which include overutilization of resources, signature-based detection methods, and the requirement of the internet to run many functions. However, the most important and most significant drawback is that it cannot defend against the insider threat. When a virus infiltrates the internal network, EPP is no longer the right solution.

On the contrary, EDR can do what EPP cannot. EDR is an expert in dealing with the insider threat. It can gather different information and develop its intelligence to help detect abnormal endpoints and eliminate insider threats. It also overcomes some disadvantages that EPP has, such as occupying too many resources. However, it cannot do what EPP can do either. A primary problem of EDR is that it cannot prevent the endpoints from being infected. In other words, it cannot handle external threats very well, and it cannot monitor what happens to one specific endpoint. Prevention always goes beyond remediation. In some difficult situations, when a virus can infect an endpoint countless times, EDR is not the right solution at all.

In our proposed models, we find that the loss caused by EPP will be the least, and the loss does not increase with the increase of threat severity. The reason is that the high detection rate makes most threats unable to penetrate the computer in depth. However, since EPP reduces the speed of system operation, once enabled it has to incur a small loss. Even so, these losses are perfectly acceptable compared to the enormous damage threatened by an intrusion.

Secondly, in the EDR model, we noticed that EDR is the only product that may not lead to a loss but can completely defend against the threat. However, it all depends on the efficiency of the EDR product. There are a few cleaning mechanisms, so once the active prediction fails, the threat intrudes into the system, which causes severe loss to the whole system. So we suggest that the pros and cons be considered carefully when choosing EDR products.

Thirdly, which one to choose between EPP and EDR? From our final formula, we can see that the effectiveness comparison between EPP and EDR involves two influencing factors: the time needed to eliminate the threat ( ) and the probability that the EDR can actively predict (R). We suggest that priority be given to the accuracy of the active defense of EDR: if its accuracy can approach 1, or the time needed to clear the virus is very short, it will not cause significant loss to the enterprise, and the efficiency of EDR will be higher than that of EPP. In other cases, EPP is more efficient than EDR.

However, to analyze the actual effectiveness of EPP and EDR, we had to take many factors into consideration. The success rate of EDR is a crucial element in deciding whether to use this product or not. When the success rate is high and the paralysis time caused by the risk is low, it is better to use EDR. However, if either of the two conditions is not met, it is better to choose EPP. Most EDR providers can guarantee a high detection and defense probability, and the company must defend against the threat. We strongly suggest that both products be taken into consideration to ensure the safety and security of a company.
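The following is an added worked example of the section VI loss model; it is not code from the paper or its authors. Because the subscripted symbols are not legible in this copy, the names are assumptions: t_w for the working hours (8h in the figure captions), t_fp for the hours lost to false positives (24h in the captions), t_e for the time needed to eliminate the threat, R for the EDR protection probability, and f(R) = 1 − R as the paper assumes. It takes the coefficients of equation (5) exactly as printed and equation (7) as y = R · t_e · f(R), then solves the two for the boundary; with the caption values this recovers the 0.8240 constant of equation (8), and the decision rule implements inequalities (9) and (10). It also goes slightly beyond the text by handling the case R · f(R) ≤ 0.0007, where no finite boundary exists.

```python
"""Productivity-loss model for EPP vs EDR (added illustration of section VI).

Symbol names are assumptions, since the subscripts are not legible in this copy:
  t_w  : working hours per day (figure caption value: 8 h)
  t_fp : hours that cannot be put to work because of false positives (caption: 24 h)
  t_e  : time needed to eliminate the threat, in hours (the free variable)
  R    : probability that EDR enters its protection state, restricted to [0.5, 1]
  f(R) : proportional reduction of the threat's invasive time; the paper assumes 1 - R
"""
from typing import Callable

# Coefficients exactly as printed in equation (5) of the paper:
# 0.124 = 0.993 (protection rate) x 12.5 % (efficiency reduction of running EPP)
EPP_TRUE_REPORT = 0.124
EPP_FALSE_POSITIVE = 0.007
EPP_COMPROMISE = 0.0007

INF = float("inf")


def epp_loss(t_e: float, t_w: float = 8.0, t_fp: float = 24.0) -> float:
    """Equation (5): weighted productivity loss of a signature-based EPP."""
    return EPP_TRUE_REPORT * t_w - EPP_FALSE_POSITIVE * t_fp + EPP_COMPROMISE * t_e


def f_default(R: float) -> float:
    """The paper's assumption for the invasive-time reduction factor, f(R) = 1 - R."""
    return 1.0 - R


def edr_loss(R: float, t_e: float, f: Callable[[float], float] = f_default) -> float:
    """Equation (7) as read here: y = R * t_e * f(R)."""
    if not 0.5 <= R <= 1.0:
        raise ValueError("the paper restricts R to [0.5, 1]")
    return R * t_e * f(R)


def boundary_time(R: float, t_w: float = 8.0, t_fp: float = 24.0,
                  f: Callable[[float], float] = f_default) -> float:
    """Solve epp_loss(t_e) == edr_loss(R, t_e) for t_e.

    With t_w = 8 and t_fp = 24 the constant term is 0.8240, i.e. equation (8):
        t_e = 0.8240 / (R * f(R) - 0.0007)
    When R * f(R) <= 0.0007 the EDR plane rises no faster than the EPP plane and
    starts below it, so EDR is preferred for every t_e; INF signals that.
    """
    constant = EPP_TRUE_REPORT * t_w - EPP_FALSE_POSITIVE * t_fp
    denom = R * f(R) - EPP_COMPROMISE
    if denom <= 0:
        return INF
    return constant / denom


def better_choice(R: float, t_e: float) -> str:
    """Inequalities (9)/(10): 'EDR' left of the boundary, 'EPP' right of it."""
    return "EDR" if t_e < boundary_time(R) else "EPP"


def sweep(R_values, t_values):
    """Tabulate the decision over a grid, the way figure 11 compares the two planes."""
    return [(R, t, better_choice(R, t)) for R in R_values for t in t_values]


if __name__ == "__main__":
    for R, t, choice in sweep([0.6, 0.8, 0.9, 0.99], [1.0, 5.0, 10.0, 24.0]):
        print(f"R={R:.2f} t_e={t:5.1f}h  EPP={epp_loss(t):.3f}  "
              f"EDR={edr_loss(R, t):.3f}  -> {choice}")
```

Run as a script it prints the grid; the functions are the part worth reusing. Note that the 0.8240 constant only holds for the caption values (8h and 24h): change t_fp and the boundary moves, which is the sensitivity a practitioner should check before relying on inequality (9) or (10).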
In this paper, we introduced some concepts of EPP and EDR and established a model for both of them, but there are many challenges and flaws that we could not address because of the limitations of time, data and resources. However, as we know, threats and anti-threat methods are developing rapidly, so the following needs to be done in the future:
• All the contents mentioned in this paper need to be updated and supplemented in time.
• We also ran some tests and collected data to verify the accuracy and deviation of our model. There are still many factors that should be taken into consideration in future tests.
• We can improve our model and help other scholars strengthen their theory as well if some companies release more data about their products.

REFERENCE

[1] Margaret Rouse, “Endpoint security management,” Available: endpoint security management [Accessed: September 16, 2018]
[2] TechTarget, “Endpoint security management,” Available: https://searchsecurity.techtarget.com/definition/endpoint-security-management [Accessed: March 11, 2018]
[3] The Barkly team, “Endpoint Protection for the Mid-Market: 3 Trends Driving Big Changes,” Available: https://blog.barkly.com/endpoint-protection-trends-2018-mid-market [Accessed: July 15, 2018]
[4] Barkly, “Endpoint Protection was the #1 spending priority in 2018,” pp. 1-2, 2018.
[5] Cybersecurity Insiders, “2018 Insider threat report,” Available: https://www.cybersecurity-insiders.com/portfolio/insider-threat-report/ [Accessed: March 11, 2018]
[6] L. Xiangyu, L. Qiuyang, and S. Chandel, “Social Engineering and Insider Threats,” 2017 International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery (CyberC), Nanjing, 2017, pp. 25-34. Copyright © 2017, IEEE
[7] Zhang, Hongbin, et al., “An Active Defense Model and Framework of Insider Threats Detection and Sense,” International Conference on Information Assurance & Security, IEEE Computer Society, 2009, pp. 258-261.
[8] Duc C. Le, Sara Khanchi, A. Nur Zincir-Heywood, Malcolm I. Heywood, “Benchmarking evolutionary computation approaches to insider threat detection,” Proceedings of the Genetic and Evolutionary Computation Conference, Kyoto, Japan, 2018, pp. 1286-1293
[9] Yuqing Sun, Ninghui Li, Elisa Bertino, “Proactive defense of insider threats through authorization management,” Proceedings of the 2011 International Workshop on Ubiquitous Affective Awareness and Intelligent Interaction, Beijing, China, 2011, pp. 9-16
[10] William R. Claycomb, Dongwan Shin, “Detecting insider activity using enhanced directory virtualization,” Proceedings of the 2010 ACM Workshop on Insider Threats, Chicago, Illinois, USA, 2010, pp. 29-36
[11] Tabish Rashid, Ioannis Agrafiotis, Jason R.C. Nurse, “A New Take on Detecting Insider Threats: Exploring the Use of Hidden Markov Models,” Proceedings of the 8th ACM CCS International Workshop on Managing Insider Security Threats, Vienna, Austria, 2016, pp. 47-56
[12] Tabish Rashid, Ioannis Agrafiotis, Jason R.C. Nurse, “A New Take on Detecting Insider Threats: Exploring the Use of Hidden Markov Models,” Proceedings of the 8th ACM CCS International Workshop on Managing Insider Security Threats, Vienna, Austria, 2016, pp. 47-56
[13] Jonathan Voris, Jill Jermyn, Nathaniel Boggs, Salvatore Stolfo, “Fox in the trap: thwarting masqueraders via automated decoy document deployment,” Proceedings of the Eighth European Workshop on System Security, Bordeaux, France, 2015, Article No. 3
[14] Kenneth Brancik, Gabriel Ghinita, “The optimization of situational awareness for insider threat detection,” Proceedings of the First ACM Conference on Data and Application Security and Privacy, San Antonio, TX, USA, 2011, pp. 231-236
[15] Ameya Sanzgiri, Dipankar Dasgupta, “Classification of Insider Threat Detection Techniques,” Proceedings of the 11th Annual Cyber and Information Security Research Conference, Oak Ridge, TN, USA, 2016, Article No. 25
[16] Elisa Bertino, Gabriel Ghinita, “Towards mechanisms for detection and prevention of data exfiltration by insiders: keynote talk paper,” Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security, Hong Kong, China, 2011, pp. 10-19
[17] Techopedia, “Endpoint Protection Platform,” Available: https://www.techopedia.com/definition/30918/endpoint-protection-platform-epp [Accessed: March 11, 2018]
[18] Liao, Hung Jen, et al., “Intrusion detection system: A comprehensive review,” Journal of Network & Computer Applications 36.1 (2013): 16-24.
[19] Sean Wilkins, “A Guide to Choosing an Endpoint Protection Solution,” Available: http://www.tomsitpro.com/articles/endpoint-protection-solutions,2-820.html [Accessed: March 11, 2018]
[20] David Strom, “7 trends in advanced endpoint protection,” Available: https://www.networkworld.com/article/3089858/endpoint-protection/7-trends-in-advanced-endpoint-protection.html [Accessed: March 11, 2018]
[21] Ponemon Institute, “The 2017 State of Endpoint Security Risk,” p. 2, 2017.
[22] Margaret Rouse, “data loss prevention (DLP),” Available: https://whatis.techtarget.com/definition/data-loss-prevention-DLP [Accessed: September 17, 2018]
[23] “Accidental or malicious insider threat: staff awareness makes the difference,” Available: https://www.itgovernance.co.uk/blog/accidental-or-malicious-insider-threat-staff-awareness-makes-the-difference/ [Accessed: September 16, 2018]
[24] CrowdStrike, “2018 Global Threat Report,” p. 79, 2018.
[25] S. Chandel, M. Yan, S. Chen, H. Jiang and T. Ni, “Threat Intelligence Sharing Community: A Countermeasure Against Advanced Persistent Threat,” 2019 IEEE Conference on Multimedia Information Processing and Retrieval (MIPR), San Jose, CA, USA, 2019, pp. 353-359.
Barkly, “Endpoint Protection Buyer’s Guide,” pp. 5-7, 2018.
[26] Lital Asher-Dothan, “Seven essential elements of modern endpoint security,” Available: https://www.cybereason.com/blog/7-elements-of-modern-endpoint-security [Accessed: March 11, 2018]
[27] Samuel, Arthur, “Some Studies in Machine Learning Using the Game of Checkers,” IBM Journal of Research and Development, 3 (3): 210–229.
[28] Fortinet, “FORTIGUARD 2018 THREAT PREDICTIONS,” pp. 4-7, 2017.
[29] Barkly, “Endpoint Protection Buyer’s Guide,” pp. 8-9, 2017
[30] Arcticwolf, “Endpoint Detection & Response Is Not Enough,” Available: https://arcticwolf.com/resources/endpoint-detection-and-response-is-not-enough/ [Accessed: September 25, 2018]
[31] AV-TEST, “AV-TEST Product Review and Certification Report – Sep-Oct/2018,” Available: https://www.av-test.org/en/antivirus/business-windows-client/windows-10/october-2018/kaspersky-lab-endpoint-security-11.0-184137/ [Accessed: January 11, 2019]
[32] AV-C, “Real-World Protection Test July-November 2018,” Available: https://www.av-comparatives.org/tests/real-world-protection-test-july-november-2018/ [Accessed: January 11, 2019]