A Fundamental Guide to Endpoint Security
By Mary Blackowiak
Anyone who uses technology in their daily lives understands that it is ever-changing, and the sentiment is especially true within the cybersecurity industry. Adversaries continue to evolve with new tactics to bypass defenses, so the methods of detecting and preventing these threats must do so at an even more rapid pace.
However, keeping up with all the changes can be quite difficult, even for the most seasoned cybersecurity professional. Today, employees conduct business from multiple devices, with some being company-issued and others being privately owned. Sensitive data is being stored across many locations or endpoints, including on devices, within corporate data centers, and in the cloud.
This means that organizations likely need more than one technology to defend their endpoints against security breaches or data loss. With cybersecurity vendors marketing a wide range of branded product names for their offers, it may be challenging to determine, which are ideal for your environment.
This article aims to help demystify the various endpoint security technologies you may come across during your research, highlight the primary differences and explain how they can complement each other.
Four Key Endpoint Security Technologies
To begin, let’s define exactly what an endpoint is. At the most fundamental level, an endpoint is any device that connects and exchanges data on a network. That could include traditional desktop and laptop computers, tablets, smartphones, printers, and servers.
Endpoints also encompass network appliances like routers, switches, or firewalls, and a wide range of IoT devices such as wearables, security cameras, sensors, and connected medical or manufacturing equipment. But we must also think beyond the physical devices and consider virtual machines that host applications and data in public or private clouds.
It is important to note that all endpoints represent entry points into the network and, therefore, can be exploited, creating opportunities for sensitive data loss. As such, they must all be accounted for when building an endpoint security strategy. The following are some of the more common endpoint security technologies you are likely to encounter:
Unified endpoint management (UEM) or mobile device management (MDM). There is a widely accepted concept within the cybersecurity industry that you cannot effectively protect what you can’t see. Therefore, the first step in building a comprehensive endpoint security policy is to inventory all the devices accessing your network, and this can be accomplished with UEM or MDM technologies. The primary difference between the two is that MDM is for iOS and Android operating systems (OS), while UEM includes those OS plus Windows and Mac operating systems--even productivity devices and wearables in some cases. Once devices are discovered and profiled, administrators will be able to apply consistent security policies across them, regardless of where the endpoint is located.
Both UEM and MDM enable organizations to set standards regarding the security posture of devices accessing the network. For example, rules can be created that a device cannot be jailbroken and must be running on the latest OS version. They can also restrict what apps the users may install and what the user is allowed to do on a managed device.
Administrators can use the management console to push operating systems or app updates to devices that are out of compliance or even to wipe devices that are lost, stolen, or that were used by former employees. However, MDM and UEM go beyond reducing risk to an organization and can be leveraged to improve user experience. These solutions allow businesses to deliver new devices to end users that are already set up, complete with all the approved applications needed to complete their job duties.
Endpoint detection and response (EDR). As mentioned above, security policies can be applied to endpoints using UEM and MDM; however, these solutions cannot detect and block threats. The purpose of EDR is real-time protection for your desktops, laptops and servers against threats such as ransomware, known and unknown malware, trojans, hacking tools, memory exploits, script misuse and malicious macros.
This technology started many years ago as antivirus software, which relied on signatures of known or already identified threats to create block lists. It evolved into what is called an endpoint protection platform, or EPP, which uses machine learning, artificial intelligence, and sandboxing technology to detect fileless or previously unseen malware (also referred to zero-day attacks). More recently, endpoint security vendors have started to add forensic and response capabilities, morphing EPP technology into what is known as endpoint detection and response or EDR.
Mobile threat defense (MTD). Mobile devices are most certainly endpoints, and they have things in common with laptops and desktops in terms of their vulnerability to attacks such as phishing and malware, but they are unique when it comes to how attacks are conducted. A few examples would be SMS messages with phishing links, malicious QR codes or unscrupulous apps. It is for this reason that mobile devices require their own dedicated security solution, commonly referred to as mobile security or mobile threat defense (MTD). MTD protects both managed and unmanaged mobile devices against four categories of threats2:
- Device: Detecting jailbroken or rooted devices, outdated operating systems, and risky configurations.
- App: Flagging apps that are known to be malicious but also those that leak or share data.
- Network: Identifying risky networks to protect against man-in-the-middle attacks, certificate impersonation, or other attacks that leverage vulnerable TLS/SSL sessions.
- Content and web: Blocking malicious links sent via email, SMS, browsers, and social media or productivity apps.
Unfortunately, MTD is a security technology that is currently underused, with a recent IDC study indicating that it was deployed by fewer than half of the surveyed SMB or enterprise businesses.1 This presents a considerable security gap considering how much sensitive information is transmitted through and stored on mobile devices. Smartphones and tablets are particularly attractive targets for attackers due to the ease of attack via SMS, email, and messaging apps, as well as a frequent lack of security controls on the device. Additionally, these devices can be leveraged as a jump point to the network, where more impactful assaults may be launched.
Cloud workload protection platform (CWPP). Digital transformation initiatives have resulted in businesses moving more applications out of the data center and into the cloud. The benefits here include lower overhead costs, increased performance and improved user experience. The most utilized cloud service providers (CSPs) are AWS, Azure and Google Cloud. 87% of organizations use multiple cloud providers and 72% have a hybrid cloud structure combining both public and private clouds.3
While this migration to cloud is necessary for future growth, it also increases the attack surface. This is because when cloud resources are publicly accessible, whether by design or error, they become a target for threat actors.4 CWPPs provide threat detection for servers, virtual machines, containers and Kubernetes clusters across all cloud environments. CWPPs protect against a wide range of attacks, including ransomware, fileless and zero-day attacks. They can alert a security administrator not just to vulnerabilities but also to compliance violations.
Determining the Proper Technologies for Your Business
You may be wondering if your organization needs all these protections. The answer could be as simple as assessing where your sensitive data is stored. Even the smallest businesses have valuable data, including customer and payment details, and for companies linked to healthcare, law, insurance or finance, there is likely even more private information that could be leveraged for identity theft.
According to a recent study, on average, an employee at a business with fewer than 100 employees will be subjected to 350% more social engineering attacks than an employee at a larger enterprise.5 Employees at businesses of all sizes may perform bookkeeping or other tasks on laptops, use tablets to process transactions or collect customer information, and use mobile phones to respond to business texts or emails.
For every organization, endpoint security should be viewed not only as a way to reduce risk, but also as a fundamental investment in ensuring business continuity.
Mary Blackowiak is the director of product management and development, Endpoint and Mobile Security at AT&T Cybersecurity.
1 IDC 2023 Mobile Security Survey
2 Lookout MTD comparison infographic
3 Flexera 2023 State of The Cloud Report
4 A Cloud Workload Protection Platform Buyer’s Guide
5 Barracuda Spear Phishing: Top Threats and Trends Vol 7