White Paper

Endpoint
Protection
Buyer’s Guide
Critical Capabilities for
Modern Endpoint Protection
CrowdStrike White Paper 2
Endpoint Protection Buyer’s Guide

Table of Contents

Necessities for Today’s Endpoint Protection 3

Modern Endpoint Protection with Artificial Intelligence 3

Embracing a Cloud-Native Approach 4

The Power of Unified Protection 4

The Five Elements of Modern Endpoint Protection 5

Element 1: Prevention 5

Element 2: Detection and Response 6

Element 3: Identity Threat Detection and Response 7

Element 4: Threat Intelligence 8

Element 5: Managed Threat Hunting 9

The CrowdStrike Difference 10

Advanced Technologies 10

Single-Agent, Cloud-Native Approach 10

Unified Protection 10

Managed Security Services 11

Conclusion 11
CrowdStrike White Paper 3
Endpoint Protection Buyer’s Guide

Protecting endpoints stands out as one of the most critical security challenges in the modern
workplace. Despite this, organizations have historically treated endpoint solutions primarily as basic
device management tools, overlooking the fact that endpoints are prime targets for attackers. The
surge in remote and hybrid work arrangements has further heightened the risk, with adversaries
intensifying efforts to exploit any disparities in control and security. The proliferation of new,
often unsecured access points to networks and data, coupled with the rapid deployment of new
infrastructure, has provided threat actors with an expanded attack surface, allowing them to escalate
both the volume and reach of their activities.

According to IBM, “Various studies estimate that as many as 90% of successful cyberattacks … originate
at endpoint devices.”1 As adversaries seek to establish a foothold for launching identity-based attacks,
they are pivoting to cloud infrastructure, exploiting vulnerabilities and more.

The escalating pace and sophistication of threats have compelled security and IT teams to evaluate
their current endpoint security capabilities. Yesterday’s signature-dependent security solutions
with heavy agents, high maintenance overhead and a disjointed user experience are ineffective and
inefficient, bogging down security teams and leaving companies vulnerable to compromise.

In response to these challenges, CrowdStrike has created this guide to assist you in effectively
safeguarding your organization against modern threats. The guide aims to delineate the essential
components and elements that constitute a modern endpoint protection strategy.

Necessities for Today’s Endpoint Protection

Yesterday's techniques for detecting and blocking threats at the endpoint prove ineffective against
many tactics employed by today's attackers. Organizations can no longer reliably prevent breaches
solely through monitoring and scanning files while searching for known malicious entities — especially
within a vacuum.

Sophisticated threat actors actively seek out gaps in security silos, demanding more than just a
collection of disparate security products. To be genuinely effective, an endpoint protection solution
must be meticulously designed to enhance analyst workflows while prioritizing resilience against
threats throughout the entire attack continuum.

Modern Endpoint Protection with Artificial Intelligence

To stay ahead of modern-day adversaries, modern endpoint protection is required. The observed
average breakout time for interactive eCrime intrusion activity decreased from 84 minutes in 2022 to 62
minutes in 2023, according to the CrowdStrike 2024 Global Threat Report. AI stands as a foundational
element that distinguishes modern-day endpoint protection from legacy alternatives. With AI, your
endpoint protection can leverage models trained on trillions of data points regularly to predict and
thwart threats effectively. This capability is especially crucial when defending against fileless attacks.
The same CrowdStrike report revealed that 75% of observed attacks were malware-free in 2023, a
notable increase from 51% in 2020.

1
IBM, “What is endpoint security?”: https://www.ibm.com/topics/endpoint-security
CrowdStrike White Paper 4
Endpoint Protection Buyer’s Guide

Embracing a Cloud-Native Approach

Harnessing the data necessary to empower AI-enabled endpoint protection demands a scalable, cloud-
native platform.

A cloud-native approach facilitates the effortless aggregation, sharing and operationalization of this
information, providing the kind of anticipation, prevention, detection, visibility and response capabilities
that can outperform a determined attacker time and time again.

The Power of Unified Protection

As organizations strive to keep pace with the escalating speed of adversaries, many opt to expand their
array of security tools to monitor and manage their entire attack surface. Unfortunately, the addition
of more tools often introduces more problems, as organizations attempting to close security gaps may
experience poor security outcomes and may need to allocate additional resources to managing various
tools. On average, organizations have nearly 50 security tools in their environments, with some having
more than 140.2 And according to the CrowdStrike 2024 State of Application Security Report, 70% of them
struggle to keep up with the volume of alerts. Moreover, adversaries thrive in the gaps between tools,
exploiting vulnerabilities and finding ways to remain undetected in fragmented environments.

When seeking a modern endpoint security solution, it's important to consider one that unifies key
elements and capabilities. Unified, tightly integrated capabilities can provide complete attack visibility
and enable teams to quickly understand threats and take decisive action. Teams can triage, investigate
and remediate faster with a comprehensive, unified source of truth. The agent should also be unified,
enabling organizations to expand their security over time without the need to add additional agents in the
future. This allows security teams to activate new protections in seconds, all while utilizing the same agent
deployed on Day One. As organizations intensify efforts to combat increasingly sophisticated attacks,
the ability to surface information effectively becomes paramount. Unified protection allows you to query
vast data across your entire security posture, extracting the information needed to make better, faster
decisions.

These necessities should be a focus when selecting your endpoint security solution. With these
considerations in mind, we will now explore the five elements that constitute modern endpoint protection,
including the key capabilities a modern endpoint protection solution should possess and the features
required for those capabilities to be effective:

• Prevention

• Detection and Response

• Identity Threat Detection and Response (ITDR)

• Threat Intelligence

• Managed Threat Hunting

2
IDC, How Many Security Tools Do Organizations Have, and What Are Their Consolidation Plans? Document number: #US51973524, Mar 2024,
https://www.idc.com/getdoc.jsp?containerId=US51973524
CrowdStrike White Paper 5
Endpoint Protection Buyer’s Guide

The Five Elements of Modern Endpoint Protection

Element 1: Prevention
Protect against malware and fileless attacks with next-generation antivirus (NGAV)

There are sound reasons why traditional, malware-centric endpoint protection products simply do not
provide an adequate level of protection against today’s threats and adversaries.

Malware-centric protection fails to address the increasingly sophisticated tactics employed by

modern adversaries, particularly in the realm of fileless and malware-free techniques. According to the
CrowdStrike 2024 Global Threat Report, 75% of attacks observed in 2023 were malware-free, reflecting a
continuing upward trend.

An effective endpoint protection solution needs to solve this challenge by expanding beyond merely
identifying and addressing known malware. It should:

• Protect against known and unknown malware using technologies such as machine learning (ML) that
do not require daily updates and can generalize defenses against never-before-seen attacks.

• Look beyond malware and fully leverage behavioral analytics to automatically look for signs of an
attack and block them as they occur.

• Protect endpoints against all types of threats — from known and unknown malware to fileless and
malware-free attacks — by combining all necessary technologies for ultimate protection.

Key Capabilities Required Features

• Protection powered by AI and ML to prevent known and unknown malware,

adware and potentially unwanted programs (PUPs)

Detection of advanced and • Advanced behavioral analysis with indicators of attack (IOAs)
unknown threats, including
• High-performance memory scanning
fileless attacks
• Exploit mitigation

• Automated malware analysis (e.g., sandboxing)

• Signatureless technology to eliminate the need for time-intensive updates

Speed to outpace adversaries
• A single, lightweight, unified agent for fast deployment and instant protection

• Understanding of the scope and impact of threats found in your environment

• Visibility into threats at the adversary level

Integrated threat intelligence
• Threat severity assessments for prioritization

• Threat analysis with recovery steps to resolve incidents

CrowdStrike White Paper 6
Endpoint Protection Buyer’s Guide

Element 2: Detection and Response

Uncover advanced threats faster with endpoint detection and response (EDR)

While NGAV is an important first line of defense for an organization, it is not foolproof. No NGAV solution, no
matter how advanced, can outright prevent every threat, particularly in the face of never-before-seen attacks
or those that take advantage of stolen credentials or trusted tools.

The next level of protection is EDR with built-in native extended detection and response (XDR). Previous
incarnations of threat detection solutions focus on basic functionality for endpoint monitoring. These legacy
monitoring tools frequently create extra work for analysts, inundating them with raw, unenriched telemetry and
alerts with very little actionable information. The more complicated the security tools, the greater the likelihood
that a security gap will be created and go unnoticed until there’s a breach.

Modern EDR addresses these issues. Modern EDR unlocks enterprise-wide visibility by unifying and streamlining
security analysis, investigation and remediation into one easy-to-use console. Additionally, built-in native XDR
extends security data correlation, analysis and workflows beyond the endpoint to encompass other native
capabilities such as identity threat prevention. This enhances visibility around advanced and evasive security
threats and allows for a more seamless and accurate response. EDR with built-in native XDR dramatically
improves threat visibility, accelerates security operations and eases the ever-present security staffing burden.

To outpace today’s adversaries, organizations must use EDR to optimize threat detection, investigation, hunting
and response enterprise-wide, and they must use native XDR to extend visibility and control across key attack
surfaces. When evaluating options, look for an EDR solution that includes XDR capabilities so it has the best
coverage over your full endpoint estate and beyond.

Key Capabilities Required Features

• Enterprise-wide search

• Cross-domain data correlation beyond the endpoint

Full attack visibility • Intuitive and comprehensive alert visualization — displays full attack history in a process tree
with drill-down and pivot capabilities

• Attack steps mapped to a standard industry attack framework such as MITRE ATT&CK®

• Captures raw events, even when not associated with alerts and detections
Detection of attacks • Operates in kernel mode for full visibility and to eliminate blind spots
that circumnavigate
prevention • Centralized data repository to enable advanced detection

• Automatic detection based on behavioral analysis such as IOAs

• Automated triage with intelligent prioritization of malicious and attacker activity

• Correlation of individual events into incidents

• Intelligent, AI-powered investigation recommendations

• Flexible data retention period for events

Incident triage and
• Fully customizable real-time and historical search capabilities
investigation analysis
• Cross-domain context

• Remote access to — and the ability to interact with — endpoints in real time

• Ability for analysts to collaborate and work together on incidents in real time from any location

• Correlation of context to identify suspicious behavior and potential at-risk endpoints

• Ability to network-contain endpoints

• Ability to quarantine files

Accelerated remediation • Ability to run commands on suspicious endpoints remotely and in real time
and response • Ability to take response actions for other native capabilities across domains

• API to integrate with the customer’s existing orchestration/case management systems

• Customizable alert notifications

CrowdStrike White Paper 7
Endpoint Protection Buyer’s Guide

Element 3: Identity Threat Detection and Response

Stop modern identity-based attacks in real time

If your endpoint protection doesn’t include identity security, you’re leaving the door open to opportunistic
adversaries. With the continued rise of malware-free attacks, adversaries are hunting for gaps between
how endpoints are secured and identities are managed. In many cases, adversaries aren’t breaking in,
they’re logging in. Once they know how to steal identities — and the privileged access credentials that go
with them — they can quickly gain access undetected.

Organizations use identity solutions to gain visibility into the security hygiene of their identity infrastructure,
such as Microsoft Active Directory and Entra ID. This helps proactively prevent identity-based threats before
they start. It is critical to identify compromised passwords, over-privileged accounts and other security
gaps that can leave your organization exposed. By unifying endpoint protection and identity security, you
can also get insights into possible attack paths that adversaries can exploit across the network.

ITDR solutions help organizations detect and respond to identity-based threats in real time. These threats
can include ransomware, lateral movement, service account misuse, Pass-the-Hash (PtH), Golden
Ticket attacks and more. When evaluating ITDR solutions, it is critical to ensure the ability to stop lateral
movement, including hybrid lateral movement from on-premises to cloud environments and from managed
to unmanaged devices. You should be able to create policies that correlate with the attack paths you’ve
identified and leverage known adversary tactics, techniques and procedures (TTPs).

Though it is critical to stop adversaries with real-time identity protection, organizations must continue to
enable business productivity in the process. That’s why applying risk-based conditional access — through
multifactor authentication (MFA) — needs to be included in the ITDR solution. The solution should allow you
to establish baselines of normal user behavior to quickly identify anomalies as sophisticated adversaries
move across endpoints and identities. Then, you can enforce MFA to increase security without disrupting
legitimate users.

Key Capabilities Required Features

• Ensure visibility across cloud (Microsoft Entra ID or Okta), on-premises Microsoft

Active Directory and hybrid identity stores

Reduce identity store attack • Automatically classify all identities (i.e., human and service accounts)
surface • Gain insights into identity store hygiene, including potentially compromised
accounts

• Identify possible identity-based attack paths that can be exploited

• Detect and respond to identity threats across your estate

Detect and prevent identity- • Create policies that correlate with the attack paths and known adversary TTPs
based threats • Address vulnerabilities inherent in cloud and Active Directory identity stores

• Ensure that ITDR is included in managed threat hunting

• Enable risk-based MFA

Enable conditional access • Extend MFA protection to legacy apps/tools

• Digest risk scores to establish baseline risk posture

CrowdStrike White Paper 8
Endpoint Protection Buyer’s Guide

Element 4: Threat Intelligence

Stay ahead of adversaries by knowing how and why they attack

Without threat intelligence integrated into your endpoint protection, it becomes challenging for both
protection technologies and security professionals to keep up with the latest threats and proactively
defend against them.

Threat intelligence elevates NGAV and EDR/XDR detections to the next level, not only revealing what
happened on the endpoint but exposing the "who, why and how" behind the attack. Understanding the
threat at this level is crucial for staying ahead of future attacks and increasing the cost to the adversary.
Moreover, threat intelligence furnishes security teams with the information necessary to comprehend,
respond to and resolve incidents more swiftly, thereby accelerating investigations and incident remediation.

When assessing endpoint protection, it's essential to look beyond security infrastructure. Actionable threat
intelligence must be an integral part of the total solution. Customers should ensure that the intelligence
seamlessly integrates into the endpoint protection solution and that its consumption can be automated.

Key Capabilities Required Features

• Threat intelligence built into the EDR/XDR solution to ensure no additional

Extended endpoint administration or deployment is required
integration • Automatic forwarding of all quarantined files from the endpoint to threat intelligence
for immediate investigation

• Malware sandbox analysis and malware search

Automation and
simplification of incident • Prioritization for patching critical systems
investigations
• Ability to pivot across the security platform to view attack context

• Automatically generated custom indicators of compromise (IOCs) and intelligence on

Sharing of custom IOCs for threats relevant and unique to an environment, delivered within minutes
security orchestration
• Automatically ingested third-party IOCs

• Identification of adversaries focused on attacking your business, region or industry

Adversary identification
• Adversary intent and capability data for future attack prediction
CrowdStrike White Paper 9
Endpoint Protection Buyer’s Guide

Element 5: Managed Threat Hunting

Outpace the adversary with 24/7 expert hunting

Proactive threat hunting, led by human security experts powered by AI, is a must for any organization
seeking to achieve or enhance real-time threat detection and incident response.

Threat hunting plays a crucial role in the early detection of attacks and adversaries. Instead of relying
on reactive, preset defenses, human-led investigations actively search for suspicious activities, avoiding
passive reliance on autonomous solutions to detect and alert automatically. This approach enables
organizations to identify malicious activity early and thwart attacks before irreparable damage occurs.

Although critical, threat hunting is only as good as the threat intelligence on which it’s based. Threat
hunting must be informed by the intelligence gathered from an organization’s environment to identify
novel attacks, misuse of remote access tools, credential compromises, insider threats and more. When
evaluating a threat hunting solution, ensure that it’s intelligence-led and can be applied across both
endpoint and identity protection.

Unfortunately, a lack of resources and a shortage of security expertise make proactive threat hunting
unattainable for most organizations. According to the 2023 ISC2 Cybersecurity Workforce Study, nearly
4 million additional cybersecurity workers are needed to effectively secure assets.3

Understaffed internal teams struggle to maintain 24/7 monitoring for adversary activity, and often, they
lack the capability to efficiently respond to highly sophisticated attacks. This can lead to prolonged
investigation times with fewer alerts handled promptly, ultimately resulting in extended dwell times and an
increased risk that attackers will successfully achieve their goals.

Managed threat hunting addresses this challenge by providing an elite hunting team. This team not only
identifies malicious activities that may have been overlooked by automated security systems but conducts
thorough analyses and provides customers with response guidelines. When considering a modern
endpoint security solution, it's crucial to choose one that seamlessly enables managed threat hunting.

Key Capabilities Required Features

• Experienced and dedicated threat hunters providing 24/7 threat hunting services

• Assistance during incidents and guidance on what to do next, including potential

mitigation suggestions on detections

24/7 human expertise • Ability to find novel threats that no other systems have detected

• Immediate access to threat intelligence experts for faster analysis

• Automatic and native integration with threat intelligence for ultimate efficiency

• Integration with endpoint security

• Ability to pinpoint the most urgent threats in the environment across both endpoint
Visibility into missed alerts and identity

• Enhanced closed-loop communications to ensure important alerts are noticed

3
ISC2 Cybersecurity Workforce Study 2023: How the Economy, Skills Gap and Artificial Intelligence are Challenging the Global Cybersecurity Workforce,
https://media.isc2.org/-/media/Project/ISC2/Main/Media/documents/research/ISC2_Cybersecurity_Workforce_Study_2023.pdf
CrowdStrike White Paper 10
Endpoint Protection Buyer’s Guide

The CrowdStrike Difference

Armed with an understanding of what capabilities you need from a modern endpoint security solution, let’s
look at CrowdStrike’s approach to modern endpoint security.

Advanced Technologies
Since the company’s founding in 2011, CrowdStrike has pioneered the use of AI and ML in cybersecurity
to solve customers’ most pressing challenges. CrowdStrike's endpoint protection solution incorporates
innovative technologies — including AI/ML, behavior protection and exploit mitigation — to thwart the rapidly
evolving TTPs adversaries use to breach organizations. This encompasses commodity malware, zero-day
malware and even advanced malware-free attacks.

Through the use of AI/ML, CrowdStrike avoids dependence on signature-based methods or IOCs, which
can result in "silent failure" and allow data breaches to occur. Instead, CrowdStrike adopts behavioral
approaches that actively search for IOAs, ensuring that the business is alerted to suspicious activities before
a compromise takes place. AI-powered IOAs are the latest evolution of CrowdStrike’s industry-first IOAs,
expanding protection with the combined power of cloud-native machine learning and human expertise.
AI-powered IOAs use the speed, scale and accuracy of the cloud to rapidly detect emerging classes of
threats and predict adversarial patterns, regardless of the tools or malware used.

Single-Agent, Cloud-Native Approach

The single CrowdStrike Falcon® agent is built on a scalable, cloud-native platform that is easy to deploy and
manage. All Falcon platform modules are designed to utilize the same lightweight agent, which is unobtrusive
and allows organizations to seamlessly deploy new defenses without the need for additional agents.

In conjunction with the single, lightweight agent, CrowdStrike's endpoint protection delivers faster
deployment times, improved endpoint performance and greater operational ease for the IT team due to its
cloud-native approach. Deployed in minutes, the Falcon platform operates from Day One without the need
for constant signature updates, on-premises management infrastructure or complex integrations, and it
functions without interrupting your existing antivirus during migration.

Unified Protection
One of the most important factors to consider when selecting an endpoint protection solution is how it will
integrate within the broader cybersecurity architecture without adding complexity or requiring any on-
premises management infrastructure.

The Falcon platform is designed as a highly modular and extensible offering that assists customers in
addressing new security challenges with a single agent and without the need to re-architect or re-engineer
their architecture, eliminating the friction associated with security deployments.

More and more organizations are rethinking their cybersecurity strategies and are looking for a more
integrated approach. An example of this is unifying endpoint protection and ITDR to remove coverage gaps
and the complexity that comes when these solutions are deployed separately. With unified protection that
includes endpoint and identity, you can reduce risk and improve productivity. By having unified endpoint and
identity security, organizations can respond to threats up to 85% faster, offsetting up to 5,000 investigation
hours annually.4

4
Expected results and actual outcomes are not guaranteed and may vary for every customer. Expected benefits are based on aggregated averages from over 100
Business Value Assessment (BVA) and Business Value Realized (BVR) cases conducted with CrowdStrike Enterprise customers and completed by CrowdStrike’s
Business Value team from 2018 to December 2022. BVAs are a projected ROI analysis based on the value of CrowdStrike compared to the customer’s incumbent
solution. BVRs are a realized ROI analysis for customers deployed for 6+ months using customer inputs and recorded telemetry.
CrowdStrike White Paper 11
Endpoint Protection Buyer’s Guide

Beyond unifying endpoint protection with ITDR, research shows that unifying security products has
significant benefits. In a recent study conducted by IDC that analyzed the value of unifying Falcon modules,
security teams found that their security operations improved by helping them identify 96% more potential
threats in half the time. Additionally, security teams' ability to keep up with adversaries was enhanced,
making them 2x more effective and enabling them to investigate/respond 66% faster.

Managed Security Services

This white paper discusses the critical capabilities necessary for a modern endpoint security solution.
However, depending on the unique needs of different organizations, these critical capabilities may be best
delivered through managed detection and response (MDR). Many organizations face challenges in hiring,
training and retaining cybersecurity staff, hindering them from implementing a mature security program
or focusing on key business initiatives. MDR can help bridge this gap by providing the right expertise,
streamlined processes and advanced technology to allow organizations to maintain a robust security
posture around the clock.

CrowdStrike Falcon® Complete Next-Gen MDR provides 24/7 protection and elite expertise powered by
the AI-native Falcon platform. Operating as a seamless extension of customer teams, Falcon Complete
Next-Gen MDR delivers expert platform management and monitoring as well as advanced threat detection,
investigation and response across all key attack surfaces, including endpoint, cloud and identity. With
integrated intelligence and threat hunting delivered by CrowdStrike Falcon® Adversary OverWatch, Falcon
Complete Next-Gen MDR delivers protection against even the most sophisticated threats and accelerates
mean time to respond (MTTR), helping organizations close the cybersecurity skills gap.

Conclusion
The endpoint protection landscape has undergone a significant evolution, propelled by the increasing
sophistication of cyber threats and the dynamic nature of modern work environments. Paired with the five
critical capabilities outlined in this buyer's guide, the Falcon platform's advanced technologies;
single-agent, cloud-native approach; unified protection; and managed security services position
CrowdStrike as a leader in the realm of modern endpoint security. As organizations navigate the evolving
threat landscape, adopting a comprehensive solution that aligns with the outlined necessities becomes
imperative for achieving robust protection and resilience against contemporary cyber threats.

Start Free Trial

CrowdStrike White Paper 12
Endpoint Protection Buyer’s Guide

About CrowdStrike
CrowdStrike (Nasdaq: CRWD), a global cybersecurity leader, has redefined modern security with the
world’s most advanced cloud-native platform for protecting critical areas of enterprise risk — endpoints
and cloud workloads, identity and data.

Powered by the CrowdStrike Security Cloud and world-class AI, the CrowdStrike Falcon® platform
leverages real-time indicators of attack, threat intelligence, evolving adversary tradecraft and enriched
telemetry from across the enterprise to deliver hyper-accurate detections, automated protection and
remediation, elite threat hunting and prioritized observability of vulnerabilities.

Purpose-built in the cloud with a single lightweight-agent architecture, the Falcon platform delivers rapid
and scalable deployment, superior protection and performance, reduced complexity and immediate time-
to-value.

CrowdStrike: We stop breaches.

© 2024 CrowdStrike, Inc. All rights reserved.