Endpoint Protection in depth: Features, Strategies and Best Practices


Endpoints, such as employee workstations, servers, and mobile devices, are becoming a major entry point for corporate networks. The increasing use of cloud-based computing resources, and the transition to remote work, is making the endpoint threat more important than ever.

Endpoint protection safeguards endpoints against malware, data leaks, zero-day exploits, and other threats. Some endpoint protection solutions require deployment of software agents on endpoints; others monitor network-device interactions.

Most solutions provide a central console for administrators to monitor and manage endpoint activity and allow security teams to define rule-based policies that can be enforced across all endpoints in the organization.

5 types of Endpoint Protection

1. Anti-Malware Solutions

Anti-malware solutions detect and prevent known threats such as viruses, adware, or trojans. Modern solutions use behavioral analysis, based on machine learning, to identify suspicious software that behaves like malware, even if it does not match any known threat signature.

Many organizations deploy anti-malware as a component of broader endpoint protection platforms (EPP), which also provide application control, content filtering, ransomware protection, and endpoint detection and response (EDR).

2. Application Control

Application control and monitoring solutions can restrict applications installed and executed on a device. Application monitoring involves creating whitelists of permitted applications, blacklisting forbidden ones, and greylisting—temporarily rejecting—applications that could pose a threat. Some solutions provide a sandbox, an isolated environment in which suspicious applications can be executed and investigated, without risk to the user’s applications and data.

3. Network Access Control

Any unknown device that connects to your network poses a threat. Network access control helps define which devices and users are able to connect to which parts of the network. Enforcing access limitations, monitoring access attempts, and oversight of all connected devices and applications minimizes risk.

Modern network access solutions, based on a zero-trust security model, are emerging as a new category called zero trust network access (ZTNA). ZTNA solutions go beyond traditional access control, performing micro-segmentation of the network and granting each user and device selective access according to the principle of least privilege.

4. Cloud Perimeter Security

Cloud computing has led to an exponential increase in the number of endpoints. Because cloud endpoints are often exposed to public networks by default, it is critical to create a security perimeter around cloud resources. This is done by setting up private networking in the cloud, using tools like virtual private clouds (VPC), security groups, and identity and access management (IAM).
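The security-group part of that perimeter is easy to get wrong, so here is an added example (not code from the article) that audits ingress rules and reports the ones exposed to the whole internet. The input is a constructed list in the shape of AWS `describe-security-groups` output; the group ids, the "only 80 and 443 may face the internet" policy, and the weak/hardened pair are assumptions made for the example.

```python
"""Audit of cloud security-group ingress rules (added example).

The input mimics the shape of AWS 'describe-security-groups' output but is
constructed inline; nothing is fetched from a cloud account."""

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
PUBLIC_OK_PORTS = {80, 443}   # assumption: only public web ports may face the internet


def _world_open(rule):
    """CIDR sources in this rule that mean 'anyone on the internet'."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in WORLD_CIDRS]


def audit(groups):
    """Return (group id, description) for every internet-exposed ingress rule
    that is not limited to the public web ports."""
    findings = []
    for sg in groups:
        for rule in sg.get("IpPermissions", []):
            sources = _world_open(rule)
            if not sources:
                continue            # reachable only from named CIDRs or other groups
            proto = rule.get("IpProtocol")
            if proto == "-1":       # "all traffic" rules carry no port range
                findings.append((sg["GroupId"], f"all protocols/ports open to {sources}"))
                continue
            lo, hi = rule["FromPort"], rule["ToPort"]
            # Every port in the range must be a public web port; a wide range fails on its first port.
            if not all(p in PUBLIC_OK_PORTS for p in range(lo, hi + 1)):
                findings.append((sg["GroupId"], f"{proto} {lo}-{hi} open to {sources}"))
    return findings


# Constructed sample: the same service before and after hardening.
SAMPLE_GROUPS = [
    {"GroupId": "sg-weak-example", "GroupName": "web-and-admin", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
    {"GroupId": "sg-fixed-example", "GroupName": "web-and-admin-hardened", "IpPermissions": [
        # SSH only from the corporate range; the database port only from the app tier's group.
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "UserIdGroupPairs": [{"GroupId": "sg-app-example"}]},
    ]},
]

if __name__ == "__main__":
    for group_id, detail in audit(SAMPLE_GROUPS):
        print(f"{group_id}: {detail}")
```

Run against the sample, the weak group yields two findings (SSH and the all-traffic rule) and the hardened group none; the same function can be pointed at real API output once it is loaded from JSON.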

5. Disk and Endpoint Encryption

Laptops, removable drives, and other storage media are sometimes lost, stolen, or otherwise compromised by attackers. Encrypting data on endpoints can prevent it from falling into the wrong hands. Many endpoint protection solutions offer encryption as part of their feature set, and enabling encryption for all endpoints adds an important layer of security.

Endpoint Protection Strategies and Best Practices

Monitor and Observe Process Executions

Make sure security teams have visibility into all activity on an endpoint—running processes, files being accessed, open sockets, and so on. Detailed forensic information, such as command lines executed, process hashes and ancestry, is very important in investigating and responding to malicious activity. Data on process execution should be combined with threat intelligence to identify and respond to threats on endpoints.
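To make the "combine process data with threat intelligence" point concrete, here is an added example (my own code, not the article's) that triages a few process-execution events the way an analyst's detection logic would: it checks file hashes against an intelligence block list, flags parent/child pairs an Office document should never produce, and flags PowerShell launched with an encoded command line. The event field names, the block-list hash and the sample events are all constructed for the example and do not follow any vendor's schema.

```python
"""Triage of process-execution telemetry (added example; field names are assumed)."""
from dataclasses import dataclass
import ntpath

# Constructed threat-intelligence block list. The hash is a placeholder, not a real indicator.
KNOWN_BAD_SHA256 = {"deadbeef" * 8: "constructed-sample-family"}

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}


@dataclass(frozen=True)
class Finding:
    host: str
    pid: int
    rule: str
    detail: str


def _image_name(path: str) -> str:
    """Lower-cased file name of an image path; ntpath parses Windows paths on any OS."""
    return ntpath.basename(path).lower()


def _has_encoded_command(cmdline: str) -> bool:
    """True if the command line carries -EncodedCommand or one of its accepted prefixes (-e, -ec, -enc ...)."""
    for tok in cmdline.split():
        if tok.startswith("-") and len(tok) > 1 and "encodedcommand".startswith(tok[1:].lower()):
            return True
    return False


def triage(events, intel=KNOWN_BAD_SHA256):
    """Run each event through three rules; one event can produce more than one finding."""
    findings = []
    for ev in events:
        image = _image_name(ev["image"])
        parent = _image_name(ev["parent_image"])
        sha = ev.get("sha256", "").lower()
        # Rule 1: the file hash matches threat intelligence.
        if sha in intel:
            findings.append(Finding(ev["host"], ev["pid"], "known_bad_hash", f"{image} matches {intel[sha]}"))
        # Rule 2: process ancestry that an opened document should never produce.
        if parent in OFFICE_APPS and image in SHELLS:
            findings.append(Finding(ev["host"], ev["pid"], "office_spawns_shell", f"{parent} -> {image}"))
        # Rule 3: PowerShell started with an encoded command line.
        if image in POWERSHELL and _has_encoded_command(ev["cmdline"]):
            findings.append(Finding(ev["host"], ev["pid"], "encoded_powershell", ev["cmdline"]))
    return findings


# Constructed sample telemetry (assumed schema: host, pid, parent_image, image, cmdline, sha256).
SAMPLE_EVENTS = [
    {"host": "ws-17", "pid": 4120, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "WINWORD.EXE /n quarterly.docx", "sha256": "11" * 32},
    {"host": "ws-17", "pid": 4388,
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc QQBCAEMA", "sha256": "22" * 32},
    {"host": "srv-db01", "pid": 912, "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Users\Public\updater.exe", "cmdline": "updater.exe", "sha256": "deadbeef" * 8},
    {"host": "ws-17", "pid": 5001, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir", "sha256": "33" * 32},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.host} pid={f.pid} [{f.rule}] {f.detail}")
```

The second sample event trips two rules at once (Word spawning PowerShell, and an encoded command line), which is exactly why ancestry and command lines are worth recording together: either fact alone is weaker evidence than the pair.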

Monitor Authentications on Endpoints

User authentication events on the endpoint can help identify attackers or unauthorized users. Security analysts should inspect authentication data and attempt to differentiate between real users and attackers. It is especially useful to establish a behavioral baseline—for example, to determine which users regularly log in to a server. Many compliance standards require monitoring and auditing of authentications to sensitive systems.
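The baseline idea is simple enough to show end to end. The following added example (not from the article) learns which users normally log in to which host from a constructed history, then scans new events for two anomalies: a successful login by a user with no history on that host, and a burst of failures from one source within a short window. The log line format, the hostnames and users, and the five-failures-in-five-minutes threshold are all assumptions made for the example.

```python
"""Authentication baseline and anomaly detection (added example; log format is constructed)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    host: str
    user: str
    src_ip: str
    success: bool


def parse_line(line: str) -> AuthEvent:
    """Parse one constructed log line: '<iso-timestamp> <host> <user> <src_ip> <success|failure>'."""
    ts, host, user, src_ip, result = line.split()
    return AuthEvent(datetime.fromisoformat(ts), host, user, src_ip, result == "success")


def build_baseline(events):
    """Who normally logs in where: users with successful logins in the learning window, keyed by host."""
    baseline = defaultdict(set)
    for ev in events:
        if ev.success:
            baseline[ev.host].add(ev.user)
    return baseline


def detect(events, baseline, fail_threshold=5, window=timedelta(minutes=5)):
    """Flag successful logins outside the baseline and bursts of failures from one source."""
    findings = []
    recent_failures = defaultdict(deque)   # (host, user, src_ip) -> timestamps of recent failures
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.host, ev.user, ev.src_ip)
        if ev.success:
            if ev.user not in baseline.get(ev.host, set()):
                findings.append(("unbaselined_login", ev))
            continue
        q = recent_failures[key]
        q.append(ev.ts)
        while q and ev.ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= fail_threshold:
            findings.append(("repeated_failures", ev))
            q.clear()                        # one alert per burst, not one per extra failure
    return findings


# Constructed learning-window history (the "normal" month).
BASELINE_LOG = """2024-04-02T08:55:00 db01 alice 10.0.0.5 success
2024-04-03T02:00:00 db01 svc-backup 10.0.0.20 success
2024-04-09T09:10:00 db01 alice 10.0.0.5 success
2024-04-10T14:00:00 web01 bob 10.0.0.7 success""".splitlines()

# Constructed events for the day under review.
NEW_LOG = """2024-05-01T09:00:00 db01 alice 10.0.0.5 success
2024-05-01T09:05:00 db01 mallory 10.0.9.9 failure
2024-05-01T09:05:20 db01 mallory 10.0.9.9 failure
2024-05-01T09:05:40 db01 mallory 10.0.9.9 failure
2024-05-01T09:06:00 db01 mallory 10.0.9.9 failure
2024-05-01T09:06:20 db01 mallory 10.0.9.9 failure
2024-05-01T09:06:40 db01 mallory 10.0.9.9 success
2024-05-01T09:30:00 web01 bob 10.0.0.7 success
2024-05-01T10:00:00 web01 bob 10.0.0.7 failure""".splitlines()


def run():
    baseline = build_baseline(parse_line(line) for line in BASELINE_LOG)
    return detect([parse_line(line) for line in NEW_LOG], baseline)


if __name__ == "__main__":
    for rule, ev in run():
        print(f"{ev.ts.isoformat()} {ev.host} {ev.user}@{ev.src_ip} [{rule}]")
```

Note that bob's single failure on web01 produces nothing and alice's routine login is silent; only the unknown account on the database server is reported, first for the failure burst and then for the success that followed it.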

Pay Attention to BYOD

Today it is extremely common for organizations to implement a bring your own device (BYOD) strategy, allowing employees to use their personal computers, laptops, and mobile devices to work. In addition, modern networks have large numbers of connected devices, such as printers or other office equipment, smart building devices, industrial sensors, wearables, and more.

Attackers will seek out and target devices that have an active network connection yet are unsecured. Your endpoint protection strategy must take these new types of devices into account. Because you have limited control over employee personal devices, you will need to explore other BYOD security options, such as network segmentation and zero trust authentication methods.

Limit Privileges for Endpoints

Implementing the least-privilege model ensures that each user and each endpoint has only the minimum level of access required to do their job. This is an important part of building a zero-trust environment. In this environment, attackers who compromise an endpoint cannot access other critical systems, preventing lateral movement on the network.

To avoid hurting end user productivity, define granular policies with whitelists and blacklists, specifying which group of users should have which privileges on their personal devices, on the network, and on business-critical systems alike.

Deploy SIEM Solutions

In a large organization with hundreds or thousands of endpoint devices, it is important to implement a centralized logging system that can capture data from endpoints, raise alerts, and feed that data to the security operations center (SOC) for analysis and response. Recording data on individual devices is not useful if you cannot aggregate the data and make it centrally accessible.

Security information and event management (SIEM) solutions not only centralize logs for monitoring and compliance purposes, but can also identify vulnerabilities, calculate risk based on potential incidents, and even automatically execute security responses. SIEM systems integrate security tools across the enterprise, including anti-virus, access control, firewalls and intrusion detection/prevention systems (IDS/IPS), making it easier to manage endpoint security.

Update Systems Promptly

When a vendor releases a security update for their application, the vulnerabilities addressed by the update are already well known to the attacker community. Attackers frequently scan networks and devices for known vulnerabilities, making it critical to apply security updates as soon as they are available.

Because applying patches across large numbers of endpoints is slow and laborious, many organizations implement automated patch management systems. As soon as security updates are available, these systems can push them to endpoints. It is equally important to maintain visibility over which endpoints are patched and can be considered healthy, and which, for whatever reason, are running out of date software or firmware.
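The visibility step is where many patch programs fall short, so here is an added example (not the article's code) of the report a patch-management process should be able to produce from its inventory: every endpoint is classified as healthy, out of date, or stale (it has not reported in long enough that its state is unknown). The inventory, the package names, the required versions and the seven-day silence limit are constructed assumptions for the example.

```python
"""Patch-state visibility report over an endpoint inventory (added example; data is constructed)."""
from collections import defaultdict
from datetime import datetime, timedelta


def parse_version(text: str) -> tuple:
    """Dotted version string -> tuple of ints, so that 4.10.0 compares greater than 4.2.1."""
    return tuple(int(part) for part in text.split("."))


def classify(endpoint, required, now, max_silence=timedelta(days=7)):
    """One of 'stale', 'out_of_date' or 'healthy' for a single endpoint record."""
    if now - endpoint["last_seen"] > max_silence:
        return "stale"              # no recent check-in: its patch state cannot be trusted
    for package, minimum in required.items():
        installed = endpoint["packages"].get(package)
        if installed is None:
            continue                # package not present, so the update does not apply
        if parse_version(installed) < parse_version(minimum):
            return "out_of_date"
    return "healthy"


def report(inventory, required, now):
    """Group hostnames by patch state, preserving inventory order inside each group."""
    grouped = defaultdict(list)
    for endpoint in inventory:
        grouped[classify(endpoint, required, now)].append(endpoint["hostname"])
    return dict(grouped)


# Constructed minimum versions that the security updates require (hypothetical package names).
REQUIRED = {"edr-agent": "4.2.1", "web-browser": "120.0.3"}
NOW = datetime(2024, 5, 1, 12, 0)

# Constructed inventory as an automated patch system might export it.
INVENTORY = [
    {"hostname": "ws-01", "last_seen": NOW - timedelta(hours=1),
     "packages": {"edr-agent": "4.2.1", "web-browser": "120.0.3"}},
    {"hostname": "ws-02", "last_seen": NOW - timedelta(hours=2),
     "packages": {"edr-agent": "4.1.9", "web-browser": "120.0.3"}},
    {"hostname": "srv-03", "last_seen": NOW - timedelta(days=10),
     "packages": {"edr-agent": "4.2.1"}},
    {"hostname": "ws-04", "last_seen": NOW - timedelta(minutes=30),
     "packages": {"edr-agent": "4.10.0", "web-browser": "121.0.0"}},
]

if __name__ == "__main__":
    for state, hosts in report(INVENTORY, REQUIRED, NOW).items():
        print(f"{state}: {', '.join(hosts)}")
```

The stale bucket is the one to watch: a device that stopped checking in may simply be switched off, or it may be the one endpoint the attacker has already disconnected from management, and the report cannot tell the difference until someone looks.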

Conclusion

In this article, I reviewed common types of endpoint protection solutions, including anti-malware, application control and network access control. In addition, I provided several best practices you can immediately implement to improve endpoint security in your organization:

  • Monitor process executions on endpoints, identify anomalous processes and put the tools in place to stop and contain malicious processes.
  • Monitor authentications on endpoints, to identify anomalous activity like repeat logins or privilege escalation.
  • Manage BYOD devices carefully and find strategies for reducing the threat to business-critical systems.
  • Limit privileges, ensuring that each endpoint and user has the minimal privileges they actually need to perform their role.
  • Deploy SIEM solutions, aggregating endpoint security events with data from other security tools to gain better visibility of endpoint attacks.
  • Update hardware and software on endpoints using an automated process, to ensure that you are protected against the latest vulnerabilities.

I hope this will be of help in your journey to secure endpoints for your organization.
