The question “What is Endpoint Security?” seems innocent enough, but answering it triggers a few complex conversations. These span hardware and software, network architecture, network security and more. This article offers some insights, and hopefully some clarity, on this deceptively simple issue.
What is an “Endpoint”?
As the term suggests, is a point in space at the end of something—in this case a computer network. If you imagine a network as a bunch of wires emanating from a central place like a data center, the end point is the machine at the end of one of those wires. In real life, it isn’t neat and clean, but that’s the general idea. Endpoints are devices, along with their software, that are the outer edges of a network:
• Laptops—our laptop PCs are invariably network endpoints. We can use them to access corporate networks.
• Phones—smartphones, which are really just miniature computers, are also network endpoints. They can be set up to connect you to corporate networks.
• Networked Office Appliances—These include devices like printers and routers. They, too, are connected to the network. A wide variety of Internet of Things (IoT) devices also form endpoints, e.g. digital security cameras, sensors and so forth.
• Servers—Though they seem to be buried in the core of the network rather than at its edges, servers are almost always endpoints. They, too, are devices connected to the network.
What do all of these devices have in common? They are all entry points into the network. This makes them useful, but also vulnerable. Given their position as gateways to valuable digital assets, endpoints are frequently the target of hackers.
Why Is It Called ‘Endpoint’ Security?
Protecting the endpoint from malicious actors is an extremely important area of IT security. It’s known as “endpoint security.” It’s more than just one activity though. Endpoint security is actually a combination of practices that range from installing anti-virus software to threat detection at the endpoint to digital forensics. Mostly, though, the term “endpoint security” connotes the overwhelming need for security at the endpoint—however it’s done.
Why is Endpoint Security Important?
Endpoint security is important because any network-connected device exposes itself to multiple threat vectors. IT organizations recognize this risk. Indeed, according to industry research, 55% of organizations are reporting an increase in endpoint security risk. At the same time, only about half of organizations are confident in their endpoint security posture. Even companies that have endpoint security are not convinced of its efficacy. According to Sophos, a provider of endpoint security solutions, 75% of organizations infected with ransomware were running up-to-date endpoint protection.
Endpoints embody a number of vulnerabilities. Hackers have different objectives when they attack an endpoint. In some cases, their goal is to take over the endpoint’s operating system. That way, they can use the endpoint as a staging area for penetration of the network. At other times, the attacker might want to spy on the endpoint’s user in order to steal network login credentials. With the credentials in hand, the hacker can log into the network without arousing any suspicion.
The typical attack chain for an endpoint involves installing malware on the device. In most cases, this occurs when the endpoint user clicks on a malware-bearing link or downloads malware in a file, such as a PDF document. To the end user, it’s as if nothing has happened. Indeed, the attacker wants the endpoint user to continue on with his or her work so they can use a functioning, but compromised endpoint to breach the network.
Endpoint Security for Remote Devices
Remote work creates a few wrinkles for endpoint security. In some cases, a remote worker is relying on a personal machine for work, so the company has to provision endpoint protection software that is compatible with the user’s personal device–and make sure they’re using it.
Remote device authentication is also part of the endpoint protection mix in this scenario, even if it’s not about endpoint security solutions per se. Being able to authenticate a remote worker is a critical step in ensuring endpoint protection. Without strong authentication, a malicious actor could impersonate the remote worker and breach the network by establishing a fake but realistic-looking endpoint.
For remote workers who do sensitive work like system administration or financial transactions, some companies have even taken the step of provisioning a dedicated remote access device. This might be a PC that’s “hardened” and unable to download files or read emails. It can only log into privileged, protected sub-networks. Some vendors have even created a single PC with a split regular/hardened pair of virtual machine operating systems as a way to provision a privileged device that’s also convenient for standard corporate work.
The Client and Server Model
Endpoints may function in client/server software architectures. The endpoint device can run client software that enables the user to interact with server software on the network. Accounting software or ERP often uses this model. The risk comes from an attacker gaining unauthorized access to client software. So positioned, the attacker can harvest data from the server in a breach.
Endpoint Security Components
Endpoint security solutions are highly varied, depending on the risk they are trying to mitigate. The following are some of the most common endpoint security components:
• Device Protection—Software that defends the device itself from operating system takeover. In some cases, device protection will also involve shielding firmware from unauthorized updates. Keeping endpoints patched is essential to keep them safe from known exploits.
• Network Controls—The network can reveal an endpoint attack even if it is not readily visible on the endpoint itself. This may emerge from increased or suspicious network traffic at the endpoint.
• Application Controls—Applications running on the endpoint need protection from attackers. Application controls can do things like enforce two-factor authentication (2FA) for application users at the endpoint.
• Data Controls—Endpoints are usually both the entry and exit points for data breaches. The hacker uses one endpoint to gain access to data and then uses a different endpoint to exfiltrate stolen data. Data controls make this harder to do by restricting data access and export.
• Browser Protections—Given the prevalence of web phishing attacks, e.g. malicious URLs, browser protections can help defend endpoints by restricting access to suspicious URLs or creating an isolated “sandbox” where they can “explode” URLs before letting any data from the website on the endpoint.
Difference Between Endpoint Security and Antivirus Software
Endpoint security and antivirus software overlap in purpose and functionality, but they are not the same thing. Viruses are a threat vector for endpoints, so anti-virus is almost always part of endpoint security. However, just having anti-virus software running on an endpoint does not do much for its security posture.
Endpoint Protection Platforms
Securing endpoints has become a big enough job that dedicated solutions now offer security managers tools to handle the many different tasks required to protect large numbers of endpoints. These are the endpoint protection platforms. They vary quite a lot in terms of functionality, but most enable the user to establish security policies for endpoints and then enforce them in bulk. For instance, if a company decides that every endpoint should be running a particular kind of anti-malware or safe browser software, the endpoint protection platform will scan all the endpoints to determine which endpoints are not running the required software. It can then usually install the software remotely. The end user may not even be aware of what’s happening.
Difference Between Endpoint Security for Consumers and Businesses
There are endpoint protection solutions for consumers as well as for business. The consumer form is much simpler, as one might expect. It’s designed to keep the owner’s device safe and protect a home network. In contrast, business endpoint security solutions can be fantastically complex.
Endpoint Encryption and Application Control
Some endpoint security solutions enable IT managers to enforce data encryption at the endpoint. This is often part of a broader set of application controls. For example, if an end user is running business software on an endpoint, the application may store sensitive business data on the endpoint. Even if it’s only on the endpoint temporarily, the data is vulnerable to breach. With encryption, the data has a higher level of protection against theft.
What is Endpoint Detection and Response (EDR)?
As security technology advances, some vendors have come out with endpoint detection and response (EDR) solutions. An EDR solution “watches” the endpoint, looking for security problems or anomalous behavior that might indicate an attack or compromise. For example, if an endpoint is only active during business, but then it starts to be busy in the middle of the night, this might suggest an attack is underway. EDRs often use Artificial Intelligence to spot such potential security incidents.
The “R” in EDR refers to the ability of the solution to initiate a response to an attack. This might be as simple as notifying someone that there’s a suspected problem. Some EDRs have automated response capabilities, where they can block networks’ access or power down an endpoint that’s suspected of being compromised.
Is Your Endpoint Security Up to the Task?
Endpoint security is becoming more urgent as companies adopt Bring Your Own Device (BYOD) policies. These really should be called Bring Your Own Endpoint. BYOD adds to endpoint insecurity. At the very least, the policy creates a need for better endpoint monitoring and security policy enforcement.
Is your endpoint security up to the task? If you’re paying attention, you will understand that even quite serious efforts can fall short in this age of persistent, sophisticated attackers. However, there are certain basic standards that one should meet. These include endpoint patch management, endpoint monitoring, anti-virus and basic application controls at the endpoint.