WatchGuard EPDR review: Tough cloud-managed endpoint security

Smart cloud-hosted endpoint protection that combines great platform and mobile support with a wealth of security features

IT Pro Verdict

Pros

  • + Good value
  • + Great platform support
  • + Advanced security features
  • + Single cloud portal
  • + Choice of modules
  • + Smart zero-trust app service

Cons

  • - None

Best known for its fire-engine red business UTM security appliances, WatchGuard also offers a complete family of endpoint protection solutions. Moving into this space when it acquired Panda Security's Adaptive Defence 360 four years ago, WatchGuard's EPDR (endpoint protection, detection, and response) consolidates an extensive range of endpoint security measures and a few you won't find elsewhere.

The EPDR suite is completely modular so you can start with EPP (endpoint protection) which includes essential virus, malware and exploit protection, web filtering plus device controls. The EDR (endpoint detection and response) module delivers protection against advanced threats such as zero-day malware and ransomware and provides automated AI-driven prevention, detection, containment, and response services.

Along with APT (advanced persistent threat) protection, EDR enables WatchGuard's unique zero-trust application service, which analyses and classifies every application being run on endpoints and only blocks ones it doesn't know about while it analyses them in the background. EDR also provides Mitre ATT&CK telemetry and mapping for analyzing suspicious events and an investigation area for IOAs (indicators of attack).

The EPDR version on review essentially brings the EPP and EDR modules together. All modules support the optional Windows patch management and data control add-ons and a key feature is they are cloud-managed from the same portal as WatchGuard's Firebox UTM appliances, wireless access points, and ThreatSync XDR service.

WatchGuard EPDR review: Agent deployment

We're already thoroughly familiar with WatchGuard's Cloud portal as we use it to manage the lab's Firebox appliances. If you haven't tried EPDR before, you can go to the Dashboard or Administration pages and request a 30-day trial and use WatchGuard's free non-intrusive risk assessment service that evaluates and reports on your current security posture.

With our full EPDR license applied, we accessed the service from the Endpoints portal page and started to deploy its agents. Platform support is tops as you can download agents for Windows, macOS, and Linux systems plus apps for iOS and Android mobiles, or send an email to users with a download link.

WatchGuard makes deployment even easier as the first system to receive an agent becomes a discovery client. It automatically lists all discovered LAN systems in the EPDR portal so you can choose your targets and push the agent to them with one click.

You can send a QR code to Android users for the mobile security app which provides malware protection and a clever anti-theft feature that secretly emails a photo of the user after three failed unlock attempts. For iOS device support, EPDR provides an integral MDM (mobile device management) server for the Apple push notification service and certificate signing requests.

WatchGuard EPDR review: Policy-based security

All security services are controlled by EPDR policies and protection starts the moment the agent is installed as each endpoint is assigned the default policy. This can't be modified but it's easy enough to clone and customize it by defining functions such as firewall rules, active security services plus update frequencies, enabling advanced protection for app tracking, setting removable device controls, and activating the Windows shadow copy service for recovering ransomware encrypted files.

WatchGuard has improved its web filtering service: this policy section offers nearly 130 URL categories to block or allow, and it now includes entries for websites that use generative AI. A new feature is endpoint access enforcement, which monitors Windows endpoints and alerts you to high-risk inbound and outbound connections with unprotected systems. Computers booted into safe mode can be protected with anti-tampering policies, and you can stop the agent being uninstalled by applying a centrally managed password.

You can initially set policies to run in an 'audit' mode so they passively gather information about app usage. A 'hardening' mode allows pre-installed unknown apps to run but blocks them from accessing external data sources while the 'Lock' mode fully protects against zero-day attacks and new malware strains.

We asked WatchGuard how it avoids the CrowdStrike fiasco and it advised us that four hours prior to their release, daily updates are tested in a staging area comprising thousands of devices. EPDR also protects against dodgy Windows patches with options to run update tasks first on computers designated as test systems.

WatchGuard EPDR review: Threat defences

The portal's dashboards show your security posture clearly with graphs and charts for endpoint status, trusted apps, malware, exploits, and PUPs. The risk dashboard provides an at-a-glance view of all endpoints deemed to be compromised and you can drill down and see a breakdown of detections for individual systems along with CPU, memory, and storage utilization graphs plus a software inventory.

EPDR responds quickly to suspicious activity: when we ran our malware and exploit test suite on our Windows 10/11 endpoints, the agent blocked them all and posted events in the portal's security dashboard in a few seconds. Email alert speed has been improved, as we received warnings within one minute of positive detections.

Moving to the IOA dashboard, we could view details of attacks and browse mappings to the Mitre ATT&CK matrix. This showed all threat activity including reconnaissance, detected lateral movement, and data exfiltration attempts, and provided a full analysis and recommendations for remedial actions.

The patch management module is well worth considering as it takes over all update processes, shows which endpoints are missing critical and important updates, and can apply them immediately or schedule them for later. The data control module is also fully integrated into the EPDR cloud portal and uses profiles to determine what it should search for and monitor with download links provided for the Microsoft Filter Pack which is required to scan and index personal data in Office documents.

WatchGuard EPDR review: Is it worth it?

WatchGuard's partners such as GuardSite offer full price transparency with fixed term and subscription licences available. Value looks good with a one-year subscription for 1-50 devices costing around £45 each dropping to £32 for 251-500 devices.

EPDR is a smart cloud-hosted endpoint protection solution that combines great platform and mobile support with a wealth of security features. It's easy to deploy and manage and we find it particularly appealing as we can manage it from the same cloud portal as our WatchGuard UTM security appliances.

Dave Mitchell

Dave is an IT consultant and freelance journalist specialising in hands-on reviews of computer networking products covering all market sectors from small businesses to enterprises. Founder of Binary Testing Ltd – the UK’s premier independent network testing laboratory – Dave has over 45 years of experience in the IT industry.

Dave has produced many thousands of in-depth business networking product reviews from his lab which have been reproduced globally. Writing for ITPro and its sister title, PC Pro, he covers all areas of business IT infrastructure, including servers, storage, network security, data protection, cloud, infrastructure and services.