Endpoint security software is a program that is installed on laptops, desktops, and/or servers that protect them from the slew of attacks that can infect the endpoint – malware, exploits, live attacks, script-based attacks, and more – with the purpose to steal data, profit financially, or otherwise harm systems, individuals, or organizations. For more information, read on…
Information security is a topic that often resists understanding by laymen. That’s on us, as an industry—too often, the explanation of what we do and why it’s important devolves into a stew of acronyms, assembly code, and other bits of poorly-explained jargon. So, here we are to answer one of the most fundamental questions in the infosec field: What is endpoint security software?
In order to answer this question, there are a number of smaller sub-questions that are equally important to address. For example: What is an endpoint? Why do endpoints need security in the first place? How does software make the endpoint secure?
Here’s a simple explanation of this fundamental building block of information security:
What’s an Endpoint?
In simple terms, an endpoint is one end of a communications channel. It refers to parts of a network that don’t simply relay communications along its channels, or switch those communications from one channel to another. An endpoint is the place where communications originate, and where they are received.
From a computer security perspective, “endpoint” will most likely refer to a desktop or laptop. Even though mobile phones and tablet devices are also technically endpoints, security professionals will usually group security for those devices under the different umbrella of “mobile security.” This is due to the fact that creating and implementing security software on mobile devices is hugely different when compared to traditional endpoints. In addition, even though much has been written about attacks on mobile devices, the danger hasn’t broadly materialized.
For much of the history of information security, endpoint protection wasn’t exactly a serious business. That’s because even up until the beginning of the 2000s, computer viruses represented more of an adolescent prank than an attempt to steal data. As an example, the first virus ever to propagate via email was known as “Happy99.” When users clicked on an .exe file disguised as an attachment, the virus would modify itself into a .DLL file which would automatically replicate itself into additional emails sent from the user’s client. Its destructive payload was simply an animated display of fireworks.
While Happy99 was an amusing diversion, a lot of malware before it—and nearly all malware since—had real teeth, designed to break equipment, destroy data, or steal it outright. Additionally, the role of endpoint security has increasingly grown in importance—as endpoints are now the true perimeter of the enterprise.
Why is Endpoint Security Important?
Information security consists of many moving parts. SIEM tools help administrators keep an eye on their network without slowing down traffic. Firewalls scan connections across the enterprise perimeter and block traffic from unnecessary ports, known bad hosts, and anomalous events. Intrusion detection and intrusion prevention (IDS and IPS) software sits on the network and/or servers and performs a deeper layer of inspection to identify and block malicious events. Where does endpoint security fit into all of this?
Until relatively recently, endpoint security was a bit de-emphasized in the context of information security as a whole. As stated, most malware was originally thought of as a nuisance. Even as the internet slowly started to gain widespread usage in the late 1980s and early 1990s, most malware samples were basically poorly-written jokes. As such, early endpoint security products didn’t have to do much heavy lifting. Most serious intrusion attempts came over the network.
As the 1990s ended, however, a whole bunch of changes started occurring which dramatically elevated the prominence of endpoint security. First, as we’ve mentioned, there was email. Firewalls don’t work too well on email viruses, because the packets comprising an email with a malicious attachment don’t look that different from a normal email. The problem was compounded when viruses began to be embedded in Word macros. No problem—just program antivirus to automatically scan all incoming emails.
Then of course, as the 2000s began, there was a secondary problem—Wi-Fi, and laptops. Of course, laptops were available for all of the 1990s, but up until the early 2000s, you wouldn’t expect to connect your laptop to the internet anywhere except inside the office. Suddenly, you could bring your laptop to a café or an airport and go online—and this was a problem. Users could take their laptops outside of the office, but they couldn’t take their firewall with them, because most firewalls were physical appliances embedded in the network.
The security industry tried to solve this problem by selling antivirus software bundled with software firewalls, and by making their users connect to the internet over a VPN. This sort of worked—until the rise of SaaS programs (with their accompanying bugbear, Shadow IT) revolutionized computing and made firewalls less effective by increasing, essentially, the number of open and unmonitored ports in the network.
Increasingly, the endpoint has become the forefront of information security. Users now have more control over their endpoints than ever. Even if they can’t install their own programs, they can use whatever tools they want in the cloud. They can choose to work from anywhere in the world. They can choose any way to communicate. This freedom of choice means that a user’s endpoint is far and away the most exposed target for any bad actor looking to target the enterprise—and, as such, it is the most important thing to protect.
How Does Endpoint Security Software Protect Users?
This is a bit of a tricky question. That’s because security administrators are sort of in a war on two fronts. Users can do more with their endpoints than ever before, and every new ability unlocks a new attendant danger. On the other front, these dangers are getting more dangerous—hackers are putting more time, effort, and energy into creating advanced malware than ever before.
In order to understand how endpoint security works, you have to understand how malware works. Malware itself is sent as a number of components. Usually, there are two parts to start with—the viral payload itself, which is encrypted, and a separate component that extracts the encrypted file. When a user downloads or otherwise contracts malware, the extractor will either autorun or trick the user into running it.
Once extracted, two additional malware components are revealed. First, there’s the persistence mechanism, which usually takes over legitimate operating system processes in order to ensure that the malware boots up every time the computer turns on. Then, there’s the part which actually steals user data, encrypts it, and sends it to whoever controls the malware from the other end.
All of these components have, in theory, a recognizable signature. That is to say, an antivirus program should be able to look at an encrypted file—which may just take the form of a .txt file full of letters and numbers—and essentially say, “if that file is extracted, it will turn into a copy of CryptXXX. Better delete it.”
In practice, however, traditional endpoint protection misses a huge number of viruses that are tested against it. It is extremely easy for malware authors to tweak their software until its packed file no longer matches any signature (typically a file hash) that the software is programmed to recognize. Furthermore, hackers can modify their malware much faster than security professionals can update their software to detect the changes.
Why You Should Choose a Next Generation Endpoint Protection Solution
Traditional endpoint protection systems are hobbled against any malware that displays characteristics they don’t recognize. Next-generation endpoint protection offers something more responsive. SentinelOne, for example, works by tapping the running processes of every endpoint it’s hooked into. The idea is that while it’s quite easy for malware authors to hide the characteristics of their malicious software, it’s much more difficult to hide what they’re doing.
Here’s an analogy: it might be easy for a bank robber to disguise themselves as a security guard or a janitor. It’s much harder for them to explain away the fact that they’re shoveling money into a bag. The common actions of malware—unauthorized creation or deletion of files, attempting buffer overflows, heap spraying, etc.— are all completely transparent to SentinelOne as it monitors endpoints from the kernel space on up. What’s more, our solution keeps a record of how each suspected malware event affects a given endpoint, allowing administrators to rectify viral damage and conduct detailed digital forensics.
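To make the contrast between the hash-based detection described above and behavioural monitoring concrete, here is an added example (not SentinelOne code, nor any real product’s logic). The sample bytes, the event log, and the action names such as `persist_autorun` are constructed for illustration.

```python
"""Added example: a hash blocklist fails after a one-byte change to the
file, while a rule over the process's observed actions still fires."""
import hashlib

# Constructed stand-in for a known dropper and the blocklist built from it.
ORIGINAL_SAMPLE = b"MZ\x90\x00hypothetical-dropper-v1\x00payload-blob"
KNOWN_BAD_HASHES = {hashlib.sha256(ORIGINAL_SAMPLE).hexdigest()}

# The malware lifecycle from the article: persist at boot, collect user
# data, ship it to the operator. Gaps between these steps are allowed.
SUSPICIOUS_SEQUENCE = ("persist_autorun", "read_user_files", "network_send")


def hash_match(sample: bytes) -> bool:
    """Traditional signature check: is this exact file on the blocklist?"""
    return hashlib.sha256(sample).hexdigest() in KNOWN_BAD_HASHES


def behaviour_match(events: list) -> bool:
    """Behavioural check: do the process's actions contain the suspicious
    sequence in order, ignoring unrelated events in between?"""
    pending = list(SUSPICIOUS_SEQUENCE)
    for ev in events:
        if pending and ev["action"] == pending[0]:
            pending.pop(0)
    return not pending


def repack(sample: bytes) -> bytes:
    """Trivial 'tweak' an author might make: append a single junk byte."""
    return sample + b"\x00"


# Constructed event log for the dropper; the repacked variant behaves the same.
DROPPER_EVENTS = [
    {"pid": 4242, "action": "create_file", "target": r"%TEMP%\stage2.dll"},
    {"pid": 4242, "action": "persist_autorun", "target": "HKCU\\...\\Run"},
    {"pid": 4242, "action": "read_user_files", "target": r"%USERPROFILE%\Documents"},
    {"pid": 4242, "action": "network_send", "target": "example.invalid:443"},
]

# Constructed event log for a benign updater that also persists and talks out.
UPDATER_EVENTS = [
    {"pid": 1337, "action": "persist_autorun", "target": "HKCU\\...\\Run"},
    {"pid": 1337, "action": "network_send", "target": "example.invalid:443"},
]

if __name__ == "__main__":
    print("hash, original:", hash_match(ORIGINAL_SAMPLE))        # True
    print("hash, repacked:", hash_match(repack(ORIGINAL_SAMPLE)))  # False
    print("behaviour, dropper:", behaviour_match(DROPPER_EVENTS))  # True
    print("behaviour, updater:", behaviour_match(UPDATER_EVENTS))  # False
```

The event log is the kind of record the article says an administrator can later use for forensics: each action, its target, and the process that performed it.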
For more information about next generation endpoint protection, and how SentinelOne can offer comprehensive protection for both endpoint and servers, check out our white paper, the Next Generation Endpoint Protection Buyer’s Guide.