WatchGuard EPDR review: An incredible range of security measures

WatchGuard has a fine reputation in the network security space and its acquisition of Panda Software has allowed it to complement its firewall appliances with enterprise-grade endpoint protection. Three versions are available; we reviewed the top EPDR (endpoint protection, detection and response), which delivers a heap of security measures including some you'd be hard-pushed to find elsewhere.

You won't need to worry about extra management overheads. EPDR is fully integrated into the WatchGuard Cloud portal, so you can remotely monitor and manage all your Firebox appliances, security policies, wireless access points and endpoint protection services from one console.

Instead of relying on reactive signature updates, EPDR analyses and classifies every app being run and blocks those it doesn't know about. It won't stop them running permanently as WatchGuard's cloud service runs background checks on the app and instructs the endpoint client to let it through if it is cleared as safe.

Initially, EPDR can be run in a passive audit mode to gather information about your everyday apps. When you're happy with the results, you can enable a "hardening" mode that allows pre-installed unknown apps to run but blocks them from accessing external data sources, or choose the Lock mode to fully protect against zero-day attacks and freshly released malware EPDR provides file, web and email anti-malware scanners and teams them with a Windows client firewall, removable device controls and a Windows shadow copy service for recovering ransomware-encrypted files.

The web content-filtering service uses the same database as WatchGuard's Fireboxes and offers 118 URL categories that can be blocked or allowed. The main cloud portal provides a status overview of all licensed products, and selecting the EPDR heading opens a new page with full access to all functions. Agents for Windows, Linux and macOS systems can be pulled down directly from the console's Computers page, or you can email users with a download link.

A nice touch for LAN deployment is that the first system to receive an agent is automatically nominated for network discovery duties. Using a Windows 10 PC as a discovery client, we left it to scan the network, selected desktops and servers from the list and pushed the agent to them.

You can send a QR code to Android users for the mobile security app, which provides malware protection and a clever anti-theft feature that secretly emails a photo of the user after three failed unlock attempts.

New to EPDR is iOS support, where it provides a built-in mobile device management (MDM) service for Apple's push notification service and certificate signing requests. The portal dashboard provides an overview of your security posture with charts and graphs for endpoints, trusted apps, malware, exploits, PUPs, apps currently being examined and a rundown of website access. WatchGuard's new "indicators of attack" service maps threats to the Mitre ATT&CK matrix and shows their evolution from reconnaissance and access through to detected lateral movement and data exfiltration attempts.

Policies control all endpoint security services and can be assigned to individual computers and custom groups. Threat responses are quick: when we ran our ransomware simulator on protected Windows clients, warnings were posted in the dashboard in one minute with email alerts flying in 15 minutes later.

WatchGuard's EPDR isn't the cheapest option but it makes up for this with an incredible range of security measures. Smart detection and response services harden threat protection even further and seamless integration with the cloud portal allows all WatchGuard security products to be managed from one place.