Top Endpoint Security Technologies
According to a 2020 Ponemon/Morphisec study, 68% of organizations have experienced one or more endpoint attacks that successfully compromised data assets and/or IT infrastructure over the last two years. Moreover, anti-virus / anti-malware solutions reportedly miss an average of 60 percent of attacks. Of the attacks that compromised an endpoint, 80% were characterized as zero-day attacks (for which signature-based antivirus/anti-malware is ineffective), while 17% of respondents said the attack was known and 3% were unsure.
While traditional AV/anti-malware remains an important security layer, it is just one layer that helps create a holistic, multi-layered endpoint security approach. Together, your endpoint security solutions should protect against both internal and external threats, whether on-prem, connecting remotely, physical, virtual, or in the cloud.
Here are the core endpoint security solutions, ordered by priority:
Antivirus / antimalware is perhaps the most traditional and well-recognized form of endpoint protection. AV / antimalware typically works by scanning traffic to a device and/or the device’s content for patterns that match a database of virus signatures. While many IT thought leaders have touted the demise of AV, it remains widely deployed. Basic antivirus software provides detection and protection against known threat signatures. Today, most AV and anti-malware solutions have evolved to incorporate some advanced protection methodologies, such as heuristics, behavioral analysis, and even machine learning. Enterprise AV / antimalware solutions are typically installed on a wide array of devices, including servers, desktops and laptops, gateways, and more. These solutions, which may include “next-generation AV”, are centrally managed from the corporate network in most instances. Some devices, such as smartphones, require specialized AV solutions that work at the device level only. However, one limitation with AV is that many types of endpoints, such as IoT, lack the computing resources necessary to install and run AV, though cloud-based AV deployments may be of some use in these cases. Other well-known drawbacks of solutions in this class include a hit to device or network performance when the solution is running, a high number of missed threats, and a large number of false positives and security alerts that hinder IT’s ability to respond to what is important. ‘Next-generation’ solutions tend to avoid some of these issues by leveraging cloud processing and forgoing the use of bloated agents. Some solutions also include sandboxing capabilities, which allow an unknown/suspicious program to be quarantined and run in isolation to see if malicious characteristics present themselves.
Privileged Access Management (PAM) solutions manage privileges/privileged access for users (human and machine), endpoints, systems, applications, processes, etc. PAM solutions also monitor, manage, and record activity occurring during privileged sessions. While there are many point solutions in this space, complete PAM platforms are comprised of the following three functional areas:
- Privileged Credential/Password Management, also called Privileged Account & Session Management (PASM), solutions enable automated discovery and onboarding of all privileged accounts, secure access to privileged credentials and secrets for humans and machines, and auditing of all privileged activities. Privileged credential management solutions also eliminate embedded passwords in IoT, applications, DevOps tools, etc. and replace them with API calls, or in the case of DevOps and CI/CD toolsets, implement dynamic secrets. Session monitoring and management capabilities empower organizations to audit all activity and home in on and pause or terminate suspicious sessions. By enforcing password security best practices across all types of credentials (passwords, secrets, SSH keys, etc.), privileged credential management solutions eliminate or mitigate threats such as password reuse, pass-the-hash (PtH), and stolen credentials. They also create unique and complex passwords able to withstand automated cracking tools, and that are never revealed to the end user.
- Endpoint Privilege Management, also called Privilege Elevation & Delegation Management (PEDM), solutions combine least privilege management and advanced application control capabilities to condense the endpoint attack surface, eliminate unwanted lateral movement, and minimize threat windows by applying just-in-time access models. Endpoint privilege management can be applied to Windows, Mac, Unix, Linux systems, network devices, IoT, and more. These solutions remove admin rights from end-users and dynamically elevate access to applications just for the moments needed. Endpoint privilege management solutions are also used to securely elevate applications via powerful rules engines and comprehensive exception handling. Some solutions can also enable passwordless administration, which is the ability to perform administrative functions on an endpoint without the need for privileged or administrator credentials. Endpoint privilege management is a powerful technology that protects endpoints from insiders as well as a range of sophisticated external threats such as fileless/living off the land (LoTL) attacks, ransomware, zero-day attacks, and more. The combination of application control and privilege management can also be used to eliminate, or at least put controls around, shadow IT.
- Secure Remote Access solutions enable organizations to extend PAM best practices to remote access. These solutions apply least privilege and robust audit controls to all remote access required by employees, vendors, and service desks. With secure remote access PAM solutions in place, users should be able to quickly and securely access any remote endpoint, running any platform, located anywhere. The granular privilege control and specialized security capabilities of this software far transcend those of VPNs, which it often replaces. By integrating with the privileged password management component of PAM solutions, vendor credentials can also be securely managed (rotated, encrypted, etc.) from a centralized vault, and injected when needed so the vendor never sees them. Secure Remote Access PAM solutions also provide granular auditing to make traditionally complex requirements straightforward.
Comprehensive privileged access management solutions deliver powerful threat reduction and risk mitigation across an organization’s entire privilege universe. PAM solutions can be deployed on-prem, in the cloud, or hybrid. They can also be a key requirement of any zero trust initiative.
Endpoint protection platforms (EPP) are generally comprised of a multilayer set of security technologies managed through a centralized console. These solutions aim to protect against multiple threat vectors across an enterprise’s endpoint estate. Many EPPs leverage the cloud to perform analysis, eliminating any processing hit to endpoints. Endpoint protection platforms can be delivered as SaaS and managed remotely, or they can be installed directly on devices with central management software hosted on a server. EPP solutions typically perform scanning of files via an advanced AV/antimalware engine that protects against signature-based attacks and that incorporates behavioral analysis to expand threat protection. EPPs usually incorporate endpoint firewalls that help tightly control network traffic through specific ports on the individual endpoints. Endpoint protection platforms may also incorporate basic application control (whitelisting, blacklisting), sandboxing (executing files in a virtual environment to inspect for malicious behavior before allowing them to run), and machine learning capabilities.
Endpoint management encompasses a range of solutions and processes around managing the lifecycle of endpoints. Endpoint management solutions may be capable of discovering, onboarding/registering, provisioning, updating, monitoring, and troubleshooting endpoint devices connecting to the enterprise network from a central location. Solutions in this category include mobile device management (MDM), enterprise mobility management (EMM), and unified endpoint management (UEM), which may integrate a number of capabilities, including MDM and EMM. While point solutions like MDM and EMM (which usually includes MDM and other technologies) work across certain types of mobile devices, UEM solutions strive to wrap lifecycle management capabilities around a diverse array of both traditional and emerging devices, including servers, desktops, mobile devices, IoT, and more. Endpoint management solutions play a key role in optimizing device performance, ensuring correct configurations, and establishing a consistent baseline of device hygiene. These solutions also allow for remote management and can even wrap security controls, such as remote data wipe, anti-tampering, and geo-tracking, around a device to provide protection in the event it is lost or stolen.
Endpoint detection and remediation (EDR) solutions continuously inspect files and applications that enter a device to extend protection beyond simple signature-based threats. This includes protecting against some types of ransomware, zero-day threats, fileless malware, and more advanced attacks. In contrast to EPP solutions, EDR solutions can provide a deeper level of advanced threat analysis and forensics, and they play a bigger role in containing and responding to a security incident or breach event once it has already occurred. However, one of the drawbacks of EDR solutions can be a high number of false positives and security alerts.
Encryption is an essential feature for both data security and endpoint security. Simply defined, encryption is the process of encoding data (including passwords) so that it is unreadable and unusable unless the possessor of the data has the correct decryption key. As encryption cracking tools have become more powerful, encryption methodologies have had to evolve. While encryption capabilities are important components of many endpoint security solutions (PAM, DLP, endpoint firewalls) as well as natively on device firmware and software, there are also standalone solutions designed to encrypt endpoint data. Endpoint encryption software typically either protects individual files, or is applied across the entire hard drive, known as full disk encryption.
Application control solutions protect endpoints, most commonly end-user devices and servers, from executing unauthorized applications. Traditionally, these solutions make use of allow lists (whitelists), block lists (blacklists), and greylists. Greylisted applications are applications that have been identified, but have not been added to allow or block lists. Special security rules may be put in place so that greylisted applications can run in some circumstances, as needed.
Application control solutions may also be able to enforce granular control over application usage, such as allowing a particular user/endpoint to execute a certain subfunction of an application, while disabling or blocking the execution of other application functions for that user/endpoint. Cloud-based reputation services may also be leveraged to determine whether or not an application is safe to run. Application control can be sold as a point solution, or be included in other platforms, such as endpoint privilege management, or next-generation firewalls (NGFWs). Integration within these other platforms often allows the capabilities to augment one another naturally, providing advanced application protection. Application control solutions must be finely calibrated to enable seamless use of authorized applications for legitimate use cases, while preventing malware, ransomware, and other threats.
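The allow/block/grey-list decision described above, with the per-user subfunction restrictions and greylist exception rules, as an added example that is not the page's or any vendor's code; the digests, paths, users and publisher name are constructed sample values:

```python
"""Allow/block/grey-list evaluation for an application-control policy.

Added illustration, not any vendor's product code. Digests, paths, users and
publishers are constructed sample values.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class AppRequest:
    digest: str            # SHA-256 of the executable being launched
    path: str
    user: str
    publisher: str = ""    # signer from the code signature; "" if unsigned
    subfunction: str = ""  # optional feature being invoked, e.g. "macros"


@dataclass
class Policy:
    allow: set = field(default_factory=set)        # approved digests
    block: set = field(default_factory=set)        # forbidden digests
    disabled: dict = field(default_factory=dict)   # digest -> subfunctions off for non-admins
    admins: set = field(default_factory=set)
    grey_rules: list = field(default_factory=list)  # (name, predicate) for unlisted apps


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def evaluate(policy: Policy, req: AppRequest) -> tuple:
    """Return (verdict, reason); the block list always wins over the allow list."""
    if req.digest in policy.block:
        return ("block", "blocklisted")
    if req.digest in policy.allow:
        off = policy.disabled.get(req.digest, set())
        if req.subfunction in off and req.user not in policy.admins:
            return ("block", f"subfunction '{req.subfunction}' disabled for {req.user}")
        return ("allow", "allowlisted")
    # Greylisted: on neither list, so only an explicit exception rule may run it.
    for name, rule in policy.grey_rules:
        if rule(req):
            return ("allow", f"greylist exception: {name}")
    return ("block", "greylisted, no exception rule matched")


# Constructed sample policy: byte strings stand in for real binaries.
APPROVED = sha256_of(b"office-suite-v3")
FORBIDDEN = sha256_of(b"unapproved-remote-tool")
UNLISTED = sha256_of(b"vendor-updater-v1")
SAMPLE_POLICY = Policy(
    allow={APPROVED},
    block={FORBIDDEN},
    disabled={APPROVED: {"macros"}},
    admins={"it-admin"},
    grey_rules=[("signed by trusted publisher under Program Files",
                 lambda r: r.publisher == "Trusted Vendor Inc"
                 and r.path.startswith("C:\\Program Files\\"))],
)
```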
Patch management solutions automate the process of downloading patches, identifying the endpoints, applications, or other software that need them, and then applying them, usually after the patches have been tested and a human has given approval. While patches may need to be manually applied in some instances, automating the process as much as possible helps organizations scale to meet the thousands of vulnerabilities across their endpoint estate. When dealing with a dangerous vulnerability for which an exploit already exists in the wild, time is of the essence, so automation is key. Patch management is a core part of vulnerability management and is often tightly integrated with enterprise vulnerability management solutions.
Vulnerability management (VM) solutions provide a proactive approach to discovering, analyzing, and remediating vulnerabilities. Drawing from vulnerability databases (CVE, etc.), these solutions perform vulnerability scans that deliver a snapshot of the vulnerabilities found across the endpoint environment. VM solutions add context that helps the organization evaluate the scope and level of risk posed by each vulnerability, weighing that against the available mitigation options. Vulnerability scans generally only represent a moment-in-time snapshot, though some scans that have a low impact on resources may run continuously. Scans often need to run against sensitive resources that require privileged access. These are called credentialed scans, as credentials must be injected for them to run. Due to the highly sensitive and privileged nature of such scans, the credentials should be injected into the VM solution using an enterprise privileged credential management solution. Credentialed scans tend to uncover more dangerous threats than non-credentialed scans. While the vulnerability scanning processes themselves can be highly automated and, depending on the solution, scale across the entire IT infrastructure, human input is typically required to ultimately determine and initiate the best course of action. Of course, most vulnerability management solutions are dependent on databases of known vulnerabilities (signatures) and provide limited, if any, protection against zero-day threats. A good vulnerability management tool should be continuously updated with the latest vulnerability signatures.
Web filtering solutions, which can include URL filtering and more, put controls around the sites that users can access via their browsers and help mitigate the human element in threats. Organizations can block content by category and/or blacklist certain URLs. Employees reaching a blocked page will typically see a message informing them why access to the requested page has been restricted. Web filtering solutions can protect endpoints from visiting malicious sites that pose a risk of infection. Web filtering can also block content that a company deems inappropriate, which in some settings, such as K-12 schools, may be required for compliance.
Data Loss Prevention (DLP) solutions aim to prevent leakage or unauthorized transmission of data. DLP analyzes context and content to help ensure only the right individual or systems can access the data. Some use cases for DLP include preventing a user from:
- Uploading or downloading unauthorized information from a USB
- Accessing a sensitive file attachment in an email when using a personally-owned device
- Emailing a sensitive document (such as containing financial results) to an individual who is not authorized to receive it
- Inappropriately sharing sensitive content with a teammate or other individual over a messaging app—even if the app itself is authorized by the organization
DLP can be deployed across many types of endpoints and systems, including end-user devices, servers, and gateways, and is an important endpoint data protection technology. DLP leverages encryption and uses rules-based structure, database fingerprinting, and other techniques to make fast, accurate decisions about the legitimacy of data access requests. DLP solutions can also send alerts of inappropriate data access requests to the appropriate IT or compliance personnel.
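The content-plus-context check sketched above, using the database fingerprinting technique the passage mentions, as an added example that is not the page's or any vendor's implementation. The HMAC key, the customer records, the authorized domain and the message text are all constructed sample data; the keyed hash and the token pattern are this example's design choices, not a description of any product.

```python
"""Database-fingerprint (exact data match) check of the kind a DLP engine runs
before letting a message leave an endpoint.

Added illustration, not any vendor's implementation. Records, key, domains and
messages are constructed sample data.
"""
import hashlib
import hmac
import re

# Constructed demo key. Keying the hash means an attacker who obtains the
# fingerprint index cannot simply brute-force short values back out of it.
FINGERPRINT_KEY = b"constructed-demo-key"
# Candidate tokens: 7+ chars of letters, digits, dots or dashes (no spaces).
TOKEN_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.\-]{6,}")


def normalize(value: str) -> str:
    """Drop separators and case so '4000.1234' and '4000-1234' fingerprint alike."""
    return re.sub(r"[\s.\-]", "", value).lower()


def fingerprint(value: str) -> str:
    return hmac.new(FINGERPRINT_KEY, normalize(value).encode(), hashlib.sha256).hexdigest()


def build_index(records, fields) -> dict:
    """Map fingerprint -> (field, record id). Only hashes leave the database."""
    return {fingerprint(rec[f]): (f, rec["id"]) for rec in records for f in fields}


def scan(text: str, index: dict) -> list:
    """Hash every candidate token and look it up; returns (token, field, record id)."""
    hits = []
    for m in TOKEN_RE.finditer(text):
        hit = index.get(fingerprint(m.group()))
        if hit:
            hits.append((m.group(), *hit))
    return hits


def decide(text: str, recipient_domain: str, index: dict, authorized_domains: set) -> tuple:
    """Context plus content: fingerprinted values may only go to authorized domains."""
    hits = scan(text, index)
    if not hits:
        return ("allow", [])
    if recipient_domain in authorized_domains:
        return ("allow", hits)   # permitted, but the hits are still worth logging
    return ("block", hits)


# Constructed sample records standing in for a sensitive customer table.
SAMPLE_RECORDS = [
    {"id": 1, "account": "4000-1234-5678-9010", "tax_id": "TX-1234-5678"},
    {"id": 2, "account": "4000-9999-0000-1111", "tax_id": "TX-8765-4321"},
]
SAMPLE_INDEX = build_index(SAMPLE_RECORDS, ("account", "tax_id"))
```

Because matching happens on normalized values, an account number retyped with dots or without separators is still caught, which is the advantage of fingerprinting over plain pattern rules.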
Penetration (Pen) Testing solutions allow security teams and researchers to simulate attacks against an environment and probe for potential vulnerabilities to provide information useful to hardening the organization’s defenses. Pen testing is a highly proactive methodology that is part of an overall vulnerability management program. Some vulnerability management solutions may have built-in pen testing features. Pen testing is a useful way to find potential threats that other tools may miss, or just to better understand how potential changes to IT infrastructure and endpoint configurations could create new attack pathways.
Endpoint firewalls/host-based firewalls are software that runs on endpoints. This is in contrast to the types of firewalls (stateful, packet filtering, next-generation, etc.) more closely associated with network security. Endpoint firewalls are sometimes referred to as “personal firewalls” and they may be installed on and protect desktops, laptops, and servers. Endpoint firewalls inspect traffic, apply rules, and may even be able to perform behavioral monitoring to protect the endpoint from malware and attacks originating either within or outside of the corporate network. A web application firewall (WAF) is a subtype of endpoint firewalls and is used to protect endpoint-hosted applications and web services, such as WordPress, from SQL injections and other malicious attacks.
Anti-spyware detects, prevents, and removes unwanted software, including adware. While organizations tend to purchase anti-spyware (if they purchase it at all) as an add-on module to their anti-virus solutions, standalone software also exists, but is generally consumer-grade.