Endpoint security, or endpoint protection, is the process of protecting user endpoints (desktop workstations, laptops, and mobile devices) from threats such as malware, ransomware, and zero-days.
What is Considered an Endpoint?
At its core, an endpoint is nearly any device that can be connected to a network. The common use of the term “endpoint security” typically refers to user endpoints in an enterprise. Examples of endpoint devices include:
- Mobile devices
- Smart watches
- Internet of Things (IoT) devices
- Point-of-Sale (POS) systems
- Medical devices
- Digital printers
Mobile devices (phones, tablets, Chromebooks, etc.) fall into a specialized category of mobile threat defense, while servers and VMs fall into cloud workload protection.
Why is Endpoint Security Important?
The majority of cybersecurity attacks originate at the endpoint. Cybercrime has become big business. The average cost of ransomware breach stands at $4.62 million USD (IBM Security Cost of a Data Breach Report 2021, compiling primary research conducted by The Ponemon Institute), which is more costly than the average data breach ($4.24M).
On average, a phishing attack takes 213 days to detect and 80 days to contain (Cost of Data Breach Report). 213 days is a lifetime, providing the attacker ample time to move laterally, establish persistence, conduct reconnaissance, plan, and finally execute an attack.
How Does Endpoint Protection Work?
Endpoint security consists of a piece of software, called an “agent,” installed and executed on an endpoint to protect it from and detect an attack. Endpoint protection solutions, or endpoint protection platforms (EPP), work by examining processes, system activity, and files for suspicious or malicious indicators.
Endpoint security solutions offer a centralized management console from which administrators can then connect to their enterprise network to monitor, investigate, and respond to incidents. Depending upon the solution, this is accomplished by leveraging either an on-premises, hybrid, or cloud approach.
The EPP market largely uses a SaaS management console, delivered as a cloud service instead of being installed and operated from on-prem infrastructure. The EPP agent is installed on each endpoint and communicates with the management console. The best EPP solutions provide endpoint protection and detection with or without a network connection. When a connection becomes available, endpoint telemetry is uploaded to the cloud and/or data lake for future use (such as threat hunting).
Endpoint Protection Software vs. Antivirus Software
Anti-virus software relies upon a library of signatures that an agent compares software against. Known malicious files are not allowed to execute. The problem with anti-virus is that modern threats render it ineffective:
- Fileless and zero-day attacks do not have a signature.
- Malicious files are easily modified to evade signatures.
In contrast, endpoint protection platforms (EPP) typically use machine learning and/or AI to prevent and detect sophisticated attacks, including fileless, zero-days, and ransomware. EPP also provides incident response capabilities such as investigation, triage, and sometimes remediation—and should support a wide variety of operating systems spanning Windows, Linux, and macOS.
How to Choose an Endpoint Protection Platform (EPP)
The best endpoint protection platforms use a multi-layered defense against sophisticated threats, combining signatures, static AI, and behavioral AI to protect, detect, and respond to threats in real time, at machine speed, according to security policies set by security admins.
An ideal endpoint protection solution should include the following functionalities:
Local and Autonomous
Ideally, the EPP would be local and autonomous, meaning it works equally well with or without a network connection; that is, the agent is not reliant upon cloud connectivity to the EPP/EDR management console for protection against malware, ransomware, and zero-day attacks. And, when a cloud connection becomes available, endpoint telemetry is automatically uploaded to a secure data lake, where forensic security analysts can access the data for threat hunting, incident response, and more.
Detection and Response
Look for EPP solutions which also include endpoint detection and response (EDR) capabilities in the same agent. Machine learning and AI within the agent provide real-time detection and response to complex threats, with results backed by third party testing.
Coverage Across Multiple OSes
A proper EPP solution should provide exceptional capabilities spanning multiple operating systems, not only Windows, but also legacy Windows OSes, macOS, and major Linux distributions.
Accelerate Triage and Response
Technology should make our jobs easier, our analyses more intuitive, and our incident response streamlined. Technology scales people, automatically connecting the dots of complex attacks, correlating to MITRE Engenuity ATT&CKⓇ tactics, techniques, and procedures. Triage and response procedures will benefit from AI that can recognize related events and consolidate alerts to provide global visibility and reduce alert fatigue. These features allow a cybersecurity team to focus on what matters most and reduce mean time to resolution (MTTR).
Flexible by Design
Support for multi-tenancy and flexible data retention options help customers only pay for what they need. A flexible solution will also typically be easier to implement with an existing IT infrastructure.
Integrated threat intelligence for detection and enrichment from leading 3rd party feeds in combination with proprietary feeds. Threat Intelligence is an excellent way to scale a cybersecurity team’s scope and offensive capability without adding more team members.
The Next Advancements in Endpoint Protection
EPP solutions should be multi-tenant by design, a consideration of key importance to large organizations. Comprehensive role-based access control (RBAC) is a key component of any Zero Trust security model, providing the flexibility for security administrators to provide the minimum set of privileges and access to the right users to get their job done.
An endpoint protection platform would not be much of a platform if it did not integrate with other solutions in the security stack. Look for an API-first architecture: anything a user can do in the UI should be accessible via the API. A healthy platform marketplace can be an indicator of such an API-first design.
Moreover, the platform should be able to ingest data from a variety of sources (e.g., threat intelligence, cloud workloads, IoT devices), recognizing patterns across the stack and distilling actionable insights from this data quickly and efficiently. This begins to move beyond EPP and into the realm of XDR, or Extended Data and Response.
Endpoint Mapping and How to Keep Up with Changes
Knowing what is actually connected to your network is key to cybersecurity success. Beyond just visibility, advanced device fingerprinting differentiates connected devices by their function, so a security admin will have total visibility and an up-to-date global inventory, not only among user endpoints, but also IoT and OT sensors. For example, such a solution should not only help an admin to quickly identify any user endpoints missing an EPP agent, but also to then close those gaps with configurable job automation.
Advanced Endpoint Protection with SentinelOne
SentinelOne’s Singularity™ Platform helps security professionals proactively resolve modern threats at machine speed. Singularity makes the future vision of autonomous, AI-driven cybersecurity today’s reality. To learn how SentinelOne can help your SOC more effectively manage risk across user endpoints, hybrid cloud workloads, IoT, and more. Contact us here and let’s begin the conversation tuned to your unique environment.