5 Traits of a Great Endpoint Security System

Managing risk requires an adaptive and agile security culture, one that binds process, technology, and people together in a way that is effective and that allows the organization to act smarter. Having the right security products in place is essential, of course, but when it comes to adding to your arsenal, how do you know that what you are buying will be effective and worthwhile?

Comparing specifications takes time and expertise, and different vendors sometimes use the same terms to mean different things. Is the latest innovation from your usual vendor actually new or is it a rebranded version of existing technology? Is the new bit of kit from a vendor you haven’t used before actually capable of doing all that it promises?

One way to start cutting through the noise is to take a high-level look at the core capabilities of the product being offered. While there’s no one-size fits all, ensuring the product has certain features will give you confidence that it can meet your organization’s needs not just for today but also for the future, as your organization’s internal and external requirements evolve over time. So what exactly are the most important traits of a great endpoint security system?

What is an Endpoint in Today’s Enterprise?

Of course, the term ‘endpoint’ covers a lot more today than perhaps when it first came into popular use. Once upon a time, organizations had workstations and servers and a firewall, and they bought products to fit that infrastructure. Nowadays, a modern enterprise has a network of devices running such things as:

  • Laptops
  • Desktops
  • Cell Phones
  • Virtual Machines
  • Cloud Containers
  • Tablets
  • Servers
  • IoT Devices

In short, an endpoint is anything that functions as one end of a communications channel. The term refers to parts of a network that don’t simply relay communications along channels, or switch those communications from one channel to another. Rather, an endpoint is the place where communications originate, and where they are received.

All of these may be connecting via a local intranet or using cloud SaaS platforms or even the public internet. You may have Single Sign On (SSO) and Zero Trust Architecture (ZTA), perhaps you are moving or have already moved your data to a public, on-premises or hybrid cloud, with endpoints connecting to your network from multiple locations around the globe.

What Enterprises Needs To Do To Stay Safe

The current realities that enterprises face are more challenging than ever before. On the one hand, there is a growing need for security, while on the other, a growing demand for business continuity, supporting large fleets of endpoint and data sources that can be anywhere, at any time.

The new reality of our work culture, where endpoints can access sensitive data regardless of where they are connected from, forces CISOs and other security leaders to rely on the security-awareness of their users and the integrity of the endpoint as the last, and sometimes the only, defence. The failure of that strategy, unfortunately, hits the headlines on a regular basis. Data breaches like that at T-Mobile, which the company recently described as “humbling for us all at T-Mobile”, resulted in the compromise of data belonging to millions of its customers, past, present and prospective.

How Cybercriminals Are Seizing the Day

What happened to T-Mobile happens to organizations of all sizes, and despite twenty years of vendors selling enterprise endpoint security products, the frequency of successful attacks is increasing rather than decreasing. How is it possible that cybersecurity has been such an unmitigated disaster, and that in 2021 even the President of the United States has said that fixing it is a top priority and essential to national and economic security?

There are a few driving factors behind the success of cybercrime, particularly ransomware. First, Microsoft Windows, which is relied on in most organizations, is full of vulnerabilities. Whether its Windows Defender, the Printer spooler service, NTLM authentication, Exchange server or any number of other MS software products, attackers have invested in and found ways to exploit holes in these software products to attack organizations. Even if you’re one of those rare organizations that is not a “Windows shop”, there’s a good chance that someone in your supply chain is.

Meanwhile, attackers have been spurred on by the incentives of big rewards with little risk, lurking in countries where the authorities are not interested in making arrests for attacks on Western organizations, and cashing out cryptocurrency with impunity.

Compounding these problems are other factors like the underground trade of weapons-grade malware and the proliferation of Ransomware-as-a-Service products sold at low prices in bulk quantities.

But perhaps by far the biggest problem in this new threatscape is that organizations are trying to defend against modern threats with outdated technologies in some cases, and the wrong approach in others: relying on legacy AVs that criminals learned to bypass in the first instance or “Next-Gen” solutions that rely on a human analyst to beat machine-speed malware on the other. The SolarWinds breach showed that companies relying on either of these approaches could not be defended.

5 Traits of a Great Endpoint Security System

Endpoints are at the heart of every organization, and defending them is the only way to win the cybersecurity battle. There are products out there that have learned the lessons of the last 20 years of cybercrime and which have been shown to be effective against even the most sophisticated of threats. But how can you tell the right product from the wrong product? Let’s consider five essential characteristics needed by any modern security solution.

Rapid Threat Hunting with Storylines
Time always seems to be on the attacker's side, but security analysts can get ahead by hunting threats faster than ever before.

1. A Proactive Approach to Novel Threats

By far the biggest weakness in security products of the past was the reliance on malware signatures. The main problem with these, of course, is that they are reactive. The process of creating a signature starts from seeing a threat active in the wild (which means enterprises are getting compromised by it) before any protection is in place. Then, there is a race against the clock to write the signature and then to push it as an update to all the endpoints. Faced with a novel threat, the entire product becomes dead weight.

If the past five years of ransomware have taught us anything, it is that this approach, which was developed in the 90s and 2000s, cannot keep organizations safe today. For that reason, some vendors have turned to machine learning models and behavioral AI to allow us to identify patterns and similarities common to malicious files and malicious behavior, regardless of origin.

Machine learning models can be trained to effectively deal with the majority of commodity malware seen today, much of which is not written from scratch but often reuses successful code from earlier samples. While ML alone cannot be relied on to catch all malware pre-execution, it is a great way to keep endpoints safe from common attacks without relying on the need for frequent updates to security signatures.

Behavioral AI supplements ML models by identifying patterns of behavior typical of cyberattacks. For example, almost all ransomware will, at some point, exhibit some combination of the following behaviors:

  • Detect and try to remove backups and shadow copies
  • Encrypt large numbers of files
  • Prompt the user with a message (eg., ransom note)
  • Communicate with a remote server

Behavioral AI seeks to recognize such patterns of behavior even if the activity appears to be coming from inside the network or from some other source that is not file-based.

Making sure that your security product has the ability to proactively detect the unknown via machine learning and behavioral AI is the first trait you should look for in a great security product, but there’s a caveat: avoid solutions that rely on the Cloud connectivity to offer those features as cybercriminals can easily disconnect a device while deploying their attack. Look for a product with behavioral AI and ML engines that work locally on the endpoint and are able to make decisions at machine speed for the greatest endpoint protection

2. Automatic Mitigation Without Human Intervention

Detection is only one half of the puzzle that needs to be solved for reliable endpoint security. A solution that can detect but relies on human beings to intervene in order to protect is of little use in the enterprise. You need a solution that is capable of automatically mitigating and remediating malicious activity on the device, so the user can keep on working and not spend their day working with IT to clean up the mess.

Many security products struggle with this aspect, including some of the market leaders. Some vendors offer remote access tools integrated within the endpoint security solution that may ease the IT burden somewhat, but that still requires a manual flow with delay and disruption an accepted part of life. What if your security product could detect security incidents and clean them up without the need for any human intervention whatsoever? Computers were built to automate the tiresome parts of our lives, and autonomously mitigating detected threats shouldn’t be beyond a so-called “Next-Generation” product.

Ask your endpoint security vendors about what automated mitigations are available, and don’t forget to ask what happens in the case of a missed detection, too! A great endpoint security system should be able to unquarantine a false detection just as easily as quarantining a real detection.

3. Multi-Site, Multi-Tenancy Flexibility

The art of managing large fleets of devices and data points is not an easy task. Add on top of that remote geographical locations, different time zones, and in the case of global teams, sometimes even language barriers and you have a complexity that cannot be effectively managed by shoehorning it into some security vendor’s rigid vision of what your organization should be like.

To manage, respond and collect data from your global sites requires a product that supports multi-tenancy and multi-sites, allowing local teams to inherit from the main policy, but also to manage locally when it makes sense to do so, supporting local needs without compromising the needs of others in the organization.
Multi-tenancy is not only a need for large global teams, either. The way modern enterprises are growing today, this flexibility is required more than ever even for smaller and fast-growing teams.

4. Plug the Gaps With Auto-Deploy

One of the easiest routes to compromise is simply devices without proper endpoint protection, and in modern day enterprises, it’s unfortunately a common reality that IT admins and security administrators simply do not know everything that is on their networks. Many compromises have occurred simply because an attacker found an unprotected server somewhere that everybody inside the organizaton had forgotten about.

In an analysis of a cyberattack on his organization, the CISO of ANU explained:

“The actor built a shadow ecosystem of compromised ANU machines, tools and network connections to carry out their activities undetected. Some compromised machines provide a foothold into the network. Others, like the so-called attack stations, provided the actor with a base of operations to map the network, identify targets of interest, run tools and compromise other machines.”

With a vast organization spanning multiple sites and multiple sub-networks, the only effective solution is to ensure you can map the network, and fingerprint devices in such a way that you can not only determine what is connected, but also what is unprotected. Armed with that knowledge, you need a security solution that can do the heavy lifting of deploying agents to plug the coverage gap. Security teams are often stretched way too thin and need sensible automation to help them do their job more effectively.

Therefore, make sure that your endpoint security product offers an automated means of quickly and reliably finding deployment gaps and installing the solution.

5. Visibility

Even when all the above needs are met, there is still a lot to discover about what is happening on your endpoint. The problem of visibility is not new, but with the shift to a more digital way of life, the amount of data we all generate requires more efficient ways to index, correlate, and identify malicious activities at scale.

This is why the best endpoint security systems are now moving beyond EDR and into XDR, which helps organizations address cybersecurity challenges from a unified standpoint. With a single pool of raw data comprising information from across the entire ecosystem, XDR allows faster, deeper and more effective threat detection and response, collecting and collating data from a wider range of sources.

When evaluating vendors offering XDR, there’s a few things to look out for. An effective XDR platform needs to work seamlessly across your security stack, utilizing native tools with rich APIs. It should offer out-of-the-box cross-stack correlation, prevention, and remediation and enable users to write their own cross-stack custom rules for detection and response. Beware vendors offering immature or rushed solutions that may be nothing more than old tools bolted together. Your XDR should offer a single platform that allows you to easily and rapidly build a comprehensive view of the entire enterprise.

SentinelOne Singularity XDR
See how SentinelOne XDR provides end-to-end enterprise visibility, powerful analytics, and automated response across your complete technology stack.


The endpoint security market is booming. Gartner predicts that the cybersecurity spend will exceed $150 billion this year alone. On the other hand, we hear almost every day about yet another enterprise being compromised.

Closing this gap requires better tools, but also better collaboration between us, defenders, and the security layers we use. SentinelOne is checking all the boxes mentioned in this post and if you work for the enterprise, our team will be happy to share a dedicated demo and help you move to the best solution available now to keep your network safe.