Endpoint protection is the practice of securing all devices that connect to a network to ensure that they can’t serve as points of access to the network for malicious actors.
Remote workers have long used mobile phones, laptops and tablets to connect to the corporate network and get things done. But today, there are so many connected endpoints, from smartwatches to printers and servers to sensors. All of those devices help make businesses more productive, but they also provide hackers with more ways to infiltrate networks to install malware and steal data.
With so many different endpoints — any physical wireless device connected to a network qualifies — innovative hackers and cloud-based resources render most companies essentially perimeterless. This leaves companies with the unenviable task of finding better ways to keep their data, intellectual property and employees safe. It’s not easy; a Ponemon Institute study found that during 2019 alone, 68% of organizations experienced one or more attacks on endpoints that successfully compromised data and/or IT infrastructure. The proliferation of edge devices makes this even more difficult; a survey from Tripwire found that 99% of respondents struggle to secure IoT and IIoT devices.
What Is Endpoint Protection?
Endpoint protection solutions are designed to protect endpoints by detecting, analyzing, blocking and/or containing attacks in progress. This can include both known and unknown malware. Endpoint protection solutions typically include some combination of these types of protection:
- Antivirus and anti-malware: Detects, protects and remediates malware across multiple endpoint devices and operating systems.
- Endpoint, email and disk encryption capabilities: Ensures that endpoints, email, full disks, folders or files are fully encrypted at all times.
- Machine learning capabilities: Compares past attack data with current data patterns to determine potential threats.
- Data classification and data loss prevention: Ensures that data is correctly classified by sensitivity and other relevant attributes so that access to it can be authenticated and authorized accurately.
- Integrated firewall: Prevents unauthorized access into or out of a network.
- Email gateway: Email server that protects organizations or users against phishing and social engineering attacks.
- Threat forensics: Data that helps administrators quickly isolate and mitigate infections.
- Centralized endpoint management platform: Software that consolidates management of all endpoints into one configurable dashboard.
Benefits of Endpoint Security
- Protection of valuable data
- Protection of company reputation by avoiding data loss
- Reduction of downtime associated with security breaches
- Ability to ID and fix security gaps
- Improved patch management
- Increased visibility into the devices connected to the network
Endpoint security tools bring numerous benefits. Securing sensitive and/or valuable data on the endpoints being managed by an endpoint protection system lends a measure of protection for company reputation (not to mention the protection against associated financial loss). And, by avoiding security breaches on their devices, end users avoid associated downtime as well. Endpoint security tools also help ID and fix security vulnerabilities, including those addressed by software patches. These tools also enable IT teams to identify and monitor devices connected to the network. Failing to manage such devices leaves them open to attack by hackers.
How Does Endpoint Protection Work?
There are many different approaches to endpoint protection, and organizations often choose more than one of these, or solutions that combine many. The main options are:
- Endpoint protection platform (EPP): EPPs typically examine files as they enter the network from any device (client software is installed on every endpoint device), with the goal of identifying and mitigating malware that uses file-based and fileless exploits. If found, the platform can allow or block software, scripts and processes. EPPs also can analyze device activity, application and user data to detect and prevent threats. Some EPPs also can collect and report inventory, configuration and policy management of endpoint devices; handle operating system security like disk encryption and firewall settings; scan endpoint devices for vulnerabilities; and manage security patches. Security administrators tend to like these, because they operate through a centralized console installed on a server or network gateway. This way, security administrators can control security individually for each device remotely. Some EPPs include EDR capabilities (see below) while others don’t.
- Endpoint detection and response (EDR): This type of solution can often detect and manage threats that EPP software can’t, helping to mitigate them after they occur. EDR solutions monitor, identify and analyze activity data (often using machine learning) from endpoints that could indicate a threat; automatically respond to identified threats to remove or contain them and notify security personnel; and include analysis and forensics capabilities to research identified threats and search for suspicious activities. Most EDR solutions are ready to go when installed with minimal configuration and include pre-built dashboards and workflows.
- Extended detection and response (XDR): Considered by many to be the next generation of EDR, XDR solutions tend to use artificial intelligence to help security operations teams find and respond to advanced threats. Typically, these solutions help different security solutions see, share and analyze data so they can more effectively detect threats and deliver a coordinated response that covers the entire attack surface. They also start with an assumption that a threat already exists and actively search for threats using advanced analytics processes powered by AI and machine learning.
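To make the signature-versus-behavior distinction in the EPP and EDR descriptions above concrete, here is an added toy detection pipeline (not any vendor's code) that runs a hash deny-list plus two behavioral rules over constructed endpoint telemetry and picks hosts for automated isolation. Host names, hashes, process names and thresholds are all constructed assumptions; the rebuilt dropper on ws-02 evades the hash check but its behavior is still caught.

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Event:
    """One process-launch or file-write record reported by an endpoint agent."""
    host: str
    parent: str        # parent process image name
    process: str       # process image name
    sha256: str        # hash of the launched binary
    written: str = ""  # path written by the process, empty if none

# Signature layer: deny-list of known-bad binary hashes (constructed value).
KNOWN_BAD = {hashlib.sha256(b"dropper-build-1").hexdigest()}

# Behavioral layer: rules about what a process does, independent of its hash.
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe"}
MASS_ENCRYPT_THRESHOLD = 5   # .locked writes by one process before alerting

def analyze(events):
    """Return (alerts, hosts_to_isolate); each alert is (host, rule, process)."""
    alerts, locked_writes = [], defaultdict(int)
    for e in events:
        if e.sha256 in KNOWN_BAD:
            alerts.append((e.host, "signature:known-malware", e.process))
        if e.parent.lower() in OFFICE_APPS and e.process.lower() in SHELLS:
            alerts.append((e.host, "behavior:office-spawns-shell", e.process))
        if e.written.endswith(".locked"):
            locked_writes[(e.host, e.process)] += 1
            if locked_writes[(e.host, e.process)] == MASS_ENCRYPT_THRESHOLD:
                alerts.append((e.host, "behavior:mass-encrypt", e.process))
    # Automated response: contain hosts with behavioral hits for analyst review.
    isolate = {host for host, rule, _ in alerts if rule.startswith("behavior:")}
    return alerts, isolate

def sample_events():
    """Constructed telemetry: a known dropper, a rebuilt one, and ransomware."""
    known = hashlib.sha256(b"dropper-build-1").hexdigest()    # on the deny-list
    rebuilt = hashlib.sha256(b"dropper-build-2").hexdigest()  # evades the list
    ps, crypt = (hashlib.sha256(b).hexdigest() for b in (b"ps", b"crypt"))
    ev = [Event("ws-01", "explorer.exe", "dropper.exe", known),
          Event("ws-02", "winword.exe", "powershell.exe", ps),
          Event("ws-02", "powershell.exe", "dropper.exe", rebuilt)]
    ev += [Event("ws-03", "explorer.exe", "crypt.exe", crypt, f"C:\\docs\\{i}.docx.locked")
           for i in range(MASS_ENCRYPT_THRESHOLD)]
    return ev
```

Running `analyze(sample_events())` yields one signature alert for ws-01, one behavioral alert each for ws-02 and ws-03, and isolation of the two behaviorally flagged hosts.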
What to Look for in Endpoint Protection
Deciding on an endpoint detection system really comes down to choosing whether to invest in best-of-breed point solutions for EPP, EDR or XDR and other types of endpoint security like antivirus/anti-malware, URL filtering, browser isolation and application control, or to choose a combination tool.
Each has its pros and cons. While best-of-breed tools ensure that you are getting exactly what you need from each tool, integrating these tools isn’t always easy. It can also be more expensive to maintain multiple tools. For organizations with very specific requirements, though, this can be a good approach.
Combination tools like integrated managed detection and response platforms can also be a good choice. These platforms tend to be robust and fully functional, but they also can be missing some best-of-breed features that some companies consider important. Today, most major security vendors offer combination platforms that combine EPP and EDR or EPP and XDR. Examples include Symantec Endpoint Security Enterprise and Symantec Endpoint Security Complete, Cisco SecureX, CrowdStrike Falcon, Cybereason Defense Platform, Microsoft Defender for Endpoint, Sophos Central, Trend Micro’s Apex One, and Bitdefender GravityZone.
Examples of Endpoint Protection in Action
There are countless ways that organizations can use endpoint protection solutions. Here are just a few:
A wireless backhauling specialist replaced its existing mobile device management (MDM) solution to keep up with its growing bring-your-own-device (BYOD) workforce, which wasn’t always diligent about following mobile security policies. The company needed a better way to enforce mobile security policies on all devices without interrupting mobile productivity and collaboration. It also was looking for deeper visibility into threats and malicious networks via reports and dashboards. The company settled on Symantec Endpoint Protection Mobile, which can identify and automatically act on threats and integrate with any enterprise MDM.
Reversing a Growing Phishing Trend
A construction company whose users were experiencing growing numbers of virus-embedded URLs in phishing emails needed a way to ensure that malware attacks on endpoints would be immediately detected and mitigated. The company tested many products and ended up choosing Bitdefender GravityZone to protect, harden and analyze endpoints across Microsoft Windows workstations and virtual servers, and GravityZone Elite Security to protect construction accounting, productivity, email and several cloud-based service applications running on endpoints.
Protecting Corporate Reputation
Salespeople working for a large global commercial real estate firm began experiencing more frequent social engineering attacks, where hackers were impersonating managers and tricking victims into transferring funds. To ensure the security of users’ devices, which access corporate networks from multiple connections and clients, the company needed better alerts of anomalous events on endpoints and a way to automate agent updates and policy changes. The company implemented CrowdStrike Falcon on all endpoints, along with Falcon OverWatch for managed threat hunting. The solution helped identify high-risk activities so the company could mitigate them and increase customer satisfaction.
Endpoint Visibility for Edge Devices
A water utility needed a way to better protect the endpoints that helped provide water to nearly 400,000 people. The goals included improving visibility into the endpoints controlling its industrial control system environment, adopting a more efficient threat-hunting program, and the ability to detect threats that don’t have signatures by using behavioral analysis. The utility chose Cybereason’s EDR solution deployed both in the cloud to protect computers and servers on the provider’s corporate network, and on premises to protect computers operating the industrial control systems.
Protecting Against Ransomware and Zero-Day Attacks
A university dedicated to keeping its assets and students safe needed a way to combat the ongoing threat of ransomware and reduce the risk of damage from zero-day and other malware attacks. Security staff were particularly interested in behavior detection technology that went beyond .DAT signatures and dynamic application containment (DAC) functionality to help keep potential threats quarantined while they were being analyzed. Because the university had long been a McAfee user, it was an early adopter of McAfee Endpoint Security for its 10,000 endpoints. In addition to the features the university first cited, the solution also has a threat prevention module, which combines static code and dynamic analysis (malware sandboxing) to detect threats. The result has been a significant uptick in detected and blocked files and a reduction in ransomware.
More organizations are embracing endpoint detection and prevention in some form, and for good reason. The changes of the past few years, including a pivot to remote work, increasingly sophisticated threats and customer demands for security, are leaving businesses no choice.