Information security is a topic that often resists understanding by laymen. That’s on us, as an industry—too often, the explanation of what we do and why it’s important devolves into a stew of acronyms, assembly code, and other bits of poorly-explained jargon. So, here we are to answer one of the most fundamental questions in the infosec field: What is endpoint security software?
What is Endpoint Security?
Endpoint security, or endpoint protection, is the process of protecting user endpoints (desktop workstations, laptops, and mobile devices) from threats such as malware, ransomware, and zero-days.
What is Considered an Endpoint?
In simple terms, an endpoint is one end of a communications channel. It refers to parts of a network that don’t simply relay communications along its channels, or switch those communications from one channel to another. An endpoint is the place where communications originate, and where they are received—in essence, any device that can be connected to a network.
Examples of endpoint devices include:
- Mobile devices
- Smart watches
- Internet of Things (IoT) devices
- Point-of-Sale (POS) systems
- Medical devices
- Digital printers
From a computer security perspective, “endpoint” will most likely refer to a desktop or laptop. Servers and VMs fall into cloud workload protection, while mobile devices (phones, tablets, Chromebooks, etc.) fall into a specialized category of mobile threat defense. This is due to the fact that creating and implementing security software on mobile devices is hugely different when compared to traditional endpoints.
A Brief History of Endpoint Protection
Until relatively recently, endpoint security was a bit de-emphasized in the context of information security as a whole. For the most part, malware was originally thought of as a nuisance, although a lot of malware before it—and nearly all malware since—have real teeth, designed to break equipment, destroy data, or steal it outright.
Late 80s to 90s
Even as the internet slowly started to gain widespread usage in the late 80s and early 90s, most malware samples were basically poorly-written jokes. As an example, the first virus ever to propagate via email was known as “Happy99.” When users clicked on an .exe file disguised as an attachment, the virus would modify itself into a .DLL file which would automatically replicate itself into additional emails sent from the user’s client. Its destructive payload was simply an animated display of fireworks. As such, early endpoint security products didn’t have to do much heavy lifting. Most serious intrusion attempts came over the network.
As the 90’s ended, however, a whole bunch of changes started occurring which dramatically elevated the prominence of endpoint security. First, as we’ve mentioned, there was email. Firewalls don’t work too well on email viruses, because the packets comprising an email with a malicious attachment don’t look that different from a normal email. The problem was compounded when viruses began to be embedded in Word macros. No problem—just program antivirus to automatically scan all incoming emails.
Then of course, as the 2000’s began, there was a secondary problem—Wi-Fi, and laptops. Of course, laptops were available for all of the 90’s, but up until the early 2000s, you wouldn’t expect to connect your laptop to the internet anywhere except inside the office. Suddenly, you could bring your laptop to a café or an airport and go online—and this was a problem. Users could take their laptops outside of the office, but they couldn’t take their firewall with them, because most firewalls were physical appliances embedded in the network.
The security industry tried to solve this problem by selling antivirus software bundled with software firewalls, and by making their users connect to the internet over a VPN. This sort of worked—until the rise of SaaS programs (with its accompanying bugbear, Shadow IT) revolutionized computing and made firewalls less effective by increasing, essentially, the number of open and unmonitored ports in the network.
Why is Endpoint Security Important?
Increasingly, the endpoint has become the forefront of information security—as endpoints are now the true perimeter of the enterprise. Users now have more control over their endpoints than ever. Even if they can’t install their own programs, they can use whatever tools they want in the cloud. They can choose to work from anywhere in the world. They can choose any way to communicate. This freedom of choice means that a user’s endpoint is far and away the most exposed target for any bad actor looking to target the enterprise—and, as such, it is the most important thing to protect.
The majority of cybersecurity attacks originate at the endpoint. Cybercrime has become big business. The average cost of ransomware breach stands at $4.62 million USD (IBM Security Cost of a Data Breach Report 2021, compiling primary research conducted by The Ponemon Institute), which is more costly than the average data breach ($4.24M).
On average, a phishing attack takes 213 days to detect and 80 days to contain (Cost of Data Breach Report). 213 days is a lifetime, providing the attacker ample time to move laterally, establish persistence, conduct reconnaissance, plan, and finally execute an attack.
How Does Endpoint Protection Work?
Endpoint security consists of a piece of software, called an “agent,” installed and executed on an endpoint to protect it from and detect an attack. Endpoint protection solutions, or endpoint protection platforms (EPP), work by examining processes, system activity, and files for suspicious or malicious indicators.
Endpoint security solutions offer a centralized management console from which administrators can then connect to their enterprise network to monitor, investigate, and respond to incidents. Depending upon the solution, this is accomplished by leveraging either an on-premises, hybrid, or cloud approach.
The EPP market largely uses a SaaS management console, delivered as a cloud service instead of being installed and operated from on-prem infrastructure. The EPP agent is installed on each endpoint and communicates with the management console. The best EPP solutions provide endpoint protection and detection with or without a network connection. When a connection becomes available, endpoint telemetry is uploaded to the cloud and/or data lake for future use (such as threat hunting).
How Does Endpoint Security Software Protect Users?
This is a bit of a tricky question. That’s because security administrators are sort of in a war on two fronts. Users can do more with their endpoints than ever before, and every new ability unlocks a new attendant danger. On the other front, these dangers are getting more dangerous—hackers are putting more time, effort, and energy into creating advanced malware than ever before.
In order to understand how endpoint security works, you have to understand how malware works. Malware itself is sent as a number of components. Usually, there are two parts to start with—the viral payload itself, which is encrypted, and a separate component that extracts the encrypted file. When a user downloads or otherwise contracts malware, the extractor will either autorun or trick the user into running it.
Once extracted, two additional malware components are revealed. First, there’s the persistence mechanism, which usually takes over legitimate operating system processes in order to ensure that the malware boots up every time the computer turns on. Then, there’s the part which actually steals user data, encrypts it, and sends it to whoever controls the malware from the other end.
All of these components have, in theory, a recognizable signature. That is to say, an antivirus program should be able to look at an encrypted file—which may just take the form of a .txt file full of letters and numbers—and essentially say, “if that file is extracted, it will turn into a copy of CryptXXX. Better delete it.”
In practice, however, traditional endpoint protection misses a huge number of viruses that are tested against it. It is extremely easy for malware authors to tweak their software until its encrypted file (known as a “hash”) doesn’t resemble anything that the software is programmed to recognize. Furthermore, hackers can modify their malware much faster than security professionals can update their software to detect the changes.
Endpoint Protection Software vs. Antivirus Software
Anti-virus software relies upon a library of signatures that an agent compares software against. Known malicious files are not allowed to execute. The problem with anti-virus is that modern threats render it ineffective:
- Fileless and zero-day attacks do not have a signature.
- Malicious files are easily modified to evade signatures.
In contrast, endpoint protection platforms (EPP) typically use machine learning and/or AI to prevent and detect sophisticated attacks, including fileless, zero-days, and ransomware. EPP also provides incident response capabilities such as investigation, triage, and sometimes remediation—and should support a wide variety of operating systems spanning Windows, Linux, and macOS.
Why Choose a Next Generation Endpoint Protection Solution?
Traditional endpoint protection systems are hobbled against any malware that displays characteristics they don’t recognize. Next-generation endpoint protection offers something more responsive. SentinelOne, for example, works by tapping the running processes of every endpoint it’s hooked into. The idea is that while it’s quite easy for malware authors to hide the characteristics of their malicious software, it’s much more difficult to hide what they’re doing.
Here’s an analogy: it might be easy for a bank robber to disguise themselves as a security guard or a janitor. It’s much harder for them to explain away the fact that they’re shoveling money into a bag. The common actions of malware—unauthorized creation or deletion of files, attempting buffer overflows, heap spraying, etc.— are all completely transparent to SentinelOne as it monitors endpoints from the kernel space on up. What’s more, our solution keeps a record of how each suspected malware event affects a given endpoint, allowing administrators to rectify viral damage and conduct detailed digital forensics. These features are a small part of why we’ve even been named a Leader in the Gartner Magic Quadrant for Endpoint Protection.
How to Choose an Endpoint Protection Platform (EPP)
The best endpoint protection platforms use a multi-layered defense against sophisticated threats, combining signatures, static AI, and behavioral AI to protect, detect, and respond to threats in real time, at machine speed, according to security policies set by security admins.
An ideal endpoint protection solution should include the following functionalities:
Local and Autonomous
Ideally, the EPP would be local and autonomous, meaning it works equally well with or without a network connection; that is, the agent is not reliant upon cloud connectivity to the EPP/EDR management console for protection against malware, ransomware, and zero-day attacks. And, when a cloud connection becomes available, endpoint telemetry is automatically uploaded to a secure data lake, where forensic security analysts can access the data for threat hunting, incident response, and more.
Detection and Response
Look for EPP solutions which also include endpoint detection and response (EDR) capabilities in the same agent. Machine learning and AI within the agent provide real-time detection and response to complex threats, with results backed by third party testing.
Coverage Across Multiple OSes
A proper EPP solution should provide exceptional capabilities spanning multiple operating systems, not only Windows, but also legacy Windows OSes, macOS, and major Linux distributions.
Accelerate Triage and Response
Technology should make our jobs easier, our analyses more intuitive, and our incident response streamlined. Technology scales people, automatically connecting the dots of complex attacks, correlating to MITRE Engenuity ATT&CKⓇ tactics, techniques, and procedures. Triage and response procedures will benefit from AI that can recognize related events and consolidate alerts to provide global visibility and reduce alert fatigue. These features allow a cybersecurity team to focus on what matters most and reduce mean time to resolution (MTTR).
Flexible by Design
Support for multi-tenancy and flexible data retention options help customers only pay for what they need. A flexible solution will also typically be easier to implement with an existing IT infrastructure.
Integrated threat intelligence for detection and enrichment from leading 3rd party feeds in combination with proprietary feeds. Threat Intelligence is an excellent way to scale a cybersecurity team’s scope and offensive capability without adding more team members.
The Next Advancements in Endpoint Protection
EPP solutions should be multi-tenant by design, a consideration of key importance to large organizations. Comprehensive role-based access control (RBAC) is a key component of any Zero Trust security model, providing the flexibility for security administrators to provide the minimum set of privileges and access to the right users to get their job done.
An endpoint protection platform would not be much of a platform if it did not integrate with other solutions in the security stack. Look for an API-first architecture: anything a user can do in the UI should be accessible via the API. A healthy platform marketplace can be an indicator of such an API-first design.
Moreover, the platform should be able to ingest data from a variety of sources (e.g., threat intelligence, cloud workloads, IoT devices), recognizing patterns across the stack and distilling actionable insights from this data quickly and efficiently. This begins to move beyond EPP and into the realm of XDR, or Extended Data and Response.
Endpoint Mapping and How to Keep Up with Changes
Knowing what is actually connected to your network is key to cybersecurity success. Beyond just visibility, advanced device fingerprinting differentiates connected devices by their function, so a security admin will have total visibility and an up-to-date global inventory, not only among user endpoints, but also IoT and OT sensors. For example, such a solution should not only help an admin to quickly identify any user endpoints missing an EPP agent, but also to then close those gaps with configurable job automation.
Advanced Endpoint Protection with SentinelOne
SentinelOne’s Singularity™ Platform helps security professionals proactively resolve modern threats at machine speed. Singularity makes the future vision of autonomous, AI-driven cybersecurity today’s reality. To learn how SentinelOne can help your SOC more effectively manage risk across user endpoints, hybrid cloud workloads, IoT, and more. Contact us here and let’s begin the conversation tuned to your unique environment.