What is endpoint security and how does it work?
Endpoint security forms part of a broader cybersecurity program that is essential for all businesses, regardless of size. It has evolved from traditional antivirus software to comprehensive protection from sophisticated malware and evolving zero-day threats. But what is it, how does it work, and what do businesses need to know?
What is endpoint security?
Endpoint security, or endpoint protection, refers to securing endpoints — such as desktops, laptops, and mobile devices — from cybersecurity threats. Endpoints can create entry points to organizational networks which cybercriminals can exploit. Endpoint security protects these entry points from malicious attacks.
Why is endpoint security important?
In recent years, the number of endpoints within businesses has increased. This has been especially the case since the Covid-19 pandemic, which has led to increased remote working around the world. With more employees working from home or connecting to public Wi-Fi on the go, enterprise networks now have more endpoints than ever. And every endpoint can be a potential entry point for attacks.
Businesses of all sizes can be targets for cyberattacks, and it is increasingly difficult to protect against attacks that enter through endpoints such as laptops or mobile devices. A compromised device can lead directly to a data breach; by one widely cited industry estimate, around 70% of successful data breaches originate on endpoint devices. As well as causing reputational damage, data breaches are costly: the 2020 Cost of a Data Breach report by the Ponemon Institute, commissioned by IBM, put the average global cost of a breach at $3.86 million (and considerably more in the US). Data is often the most valuable asset a company has, and losing that data, or access to it, can put the entire business at risk.
Not only is the number of endpoints increasing — driven by the rise in remote working — but businesses also have to contend with an increase in the number of types of endpoints, thanks to the growth of the Internet of Things.
Businesses need to protect their data and ensure visibility into advanced cyber threats. But many small and mid-sized businesses lack the resources for continuous monitoring of network security and customer information and often only consider protecting their network once a breach has already taken place. Even then, businesses can focus on their network and infrastructure, leaving some of the most vulnerable elements — that is, endpoint devices — unprotected.
The risks posed by endpoints and their sensitive data are an ongoing cybersecurity challenge. Moreover, the endpoint landscape is evolving, and businesses — small, medium, and large — are targets for cyber attacks. That’s why it’s important to understand what endpoint security is and how it works.
How does endpoint security work?
The terms endpoint protection, endpoint security, and endpoint protection platform are often used interchangeably to refer to centrally managed security solutions that organizations use to protect endpoints. Endpoint security works by running an agent on each device that examines files, running processes, network connections, and system changes for suspicious or malicious activity, and reports what it sees to a central console.
Organizations can install an endpoint protection platform — EPP — on devices to prevent malicious actors from using malware or other tools to infiltrate their systems. An EPP can be used in conjunction with other detection and monitoring tools to flag suspicious behavior and prevent breaches before they take place.
Endpoint protection offers a centralized management console to which organizations can connect their network. The console allows administrators to monitor, investigate and respond to potential cyber threats. This can either be achieved through an on-location, cloud, or hybrid approach:
On-location: An on-location or on-premises approach uses a locally hosted data center as the hub for the management console, which communicates with an agent installed on each endpoint. This is seen as a legacy model and has drawbacks, including creating security silos, since administrators can typically only manage endpoints inside their own network perimeter.
Cloud: This approach enables administrators to monitor and manage endpoints through a centralized management console hosted in the cloud, which devices connect to remotely from wherever they are. Because the agent reaches the console over the internet, devices beyond the traditional perimeter, such as laptops at home or on public Wi-Fi, stay under management, removing silos and extending administrator reach.
Hybrid: A hybrid approach mixes on-location and cloud solutions. It has become more common since the pandemic increased remote working: organizations keep their legacy on-premises architecture but move parts of it to the cloud to gain some cloud capabilities.
EPPs that keep their database of threat information in the cloud free endpoints from the bloat of storing this information locally and from the maintenance required to keep local databases updated. A cloud-based approach is also faster to deploy and update, and scales more easily. Some larger organizations may need on-premises management for regulatory reasons; for smaller and mid-sized businesses, a cloud-based approach is usually more suitable.
Endpoint security software usually includes these elements:
- Machine-learning to detect zero-day threats
- An integrated firewall to prevent hostile network attacks
- An email gateway to safeguard against phishing and other social engineering attempts
- Insider threat protection to guard against threats from within the organization, either malicious or accidental
- Advanced antivirus and anti-malware protection to detect and remove malware across endpoint devices and operating systems
- Proactive security to facilitate safe web browsing
- Endpoint, email, and disk encryption to protect data on a lost or stolen device and in transit
Ultimately, endpoint security offers a centralized platform for administrators, improving visibility, simplifying operations, and allowing threats to be quickly isolated.
As well as the acronym EPP, you will also come across the acronym EDR in relation to endpoint security. EDR stands for ‘endpoint detection and response’. In general, an endpoint protection platform or EPP is considered passive threat protection: it blocks known and suspected threats on each device. EDR is more active, since it records what happens on endpoints and helps investigate and contain breaches that have already occurred. An EPP protects each endpoint in isolation, whereas EDR correlates telemetry to provide context and data for attacks that span multiple endpoints. Modern endpoint security platforms typically combine both EPP and EDR.
What is considered an endpoint?
A network endpoint is any device that connects to an organization’s network and exchanges data with it, whether it sits inside the corporate perimeter or connects remotely from outside the firewall. Examples of endpoint devices include:
- Desktop computers
- Mobile devices
- Internet of Things devices
- Digital printers
- Point of sale (POS) systems
- Medical devices
Essentially, any device which communicates with the central network can be considered an endpoint.
FAQs about endpoint security
Common questions related to endpoint security, endpoint protection and EDR security include:
What is EDR?
EDR stands for ‘endpoint detection and response’. This is sometimes known as ’endpoint threat detection and response’ or ETDR. EDR is an endpoint security solution that continuously monitors end users’ devices to detect and respond to online threats such as malware and ransomware.
How does EDR work?
Once EDR technology is in place, an agent on each device continuously records telemetry such as process creation, file and registry changes, and network connections, and streams it to the central platform. Detection rules and behavioral analytics run over this data and flag signs of suspicious activity, for example an Office document spawning a script interpreter. Once an alert is raised, analysts investigate to determine whether the hit is genuine or a false positive. If malicious activity is confirmed, the recorded process lineage lets them trace the attack back to the point of entry and see every device it touched. The security team, rather than the end user, is then presented with recommended response actions, such as isolating the host from the network, killing the offending process, or quarantining a file.
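The following is an added example, not code from the original page or from any vendor’s product, showing in miniature what the EDR workflow above and the EPP-versus-EDR contrast describe: behavioral rules run over process-creation telemetry, each alert carries its full parent-process lineage so the point of entry can be traced, and alerts sharing the same entry point are grouped into one incident. The hosts, process IDs, and command lines are constructed sample data, and the three detection rules are illustrative assumptions, not any product’s actual rule set.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event as an EDR agent would record it."""
    host: str
    pid: int
    ppid: int
    image: str      # executable file name
    cmdline: str


# Constructed sample telemetry (not real data): a document-borne chain on
# ws-01 and benign activity on ws-02. PIDs, paths and users are invented.
EVENTS = [
    ProcEvent("ws-01", 400, 1, "explorer.exe", "explorer.exe"),
    ProcEvent("ws-01", 512, 400, "outlook.exe", "outlook.exe"),
    ProcEvent("ws-01", 640, 512, "winword.exe", 'winword.exe "invoice.docm"'),
    ProcEvent("ws-01", 700, 640, "powershell.exe",
              "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"),
    ProcEvent("ws-01", 720, 700, "rundll32.exe",
              r"rundll32.exe C:\Users\alice\AppData\Local\Temp\up.dll,Start"),
    ProcEvent("ws-02", 400, 1, "explorer.exe", "explorer.exe"),
    ProcEvent("ws-02", 530, 400, "winword.exe", 'winword.exe "report.docx"'),
    ProcEvent("ws-02", 560, 400, "powershell.exe", "powershell.exe -File backup.ps1"),
]

# Illustrative rule inputs (assumptions for this example, not a product's rules).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
SESSION_ROOTS = {"explorer.exe", "services.exe", "userinit.exe"}
# Common abbreviations of PowerShell's -EncodedCommand switch.
ENCODED_PS = re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(Temp|AppData|Downloads)\\", re.IGNORECASE)


def by_host(events):
    """Index events per host, keyed by pid, so parents can be resolved."""
    idx = {}
    for e in events:
        idx.setdefault(e.host, {})[e.pid] = e
    return idx


def lineage(procs, pid):
    """Follow ppid links up to the root; returns the chain root-first."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:   # 'seen' guards against pid reuse loops
        seen.add(pid)
        chain.append(procs[pid])
        pid = procs[pid].ppid
    chain.reverse()
    return chain


def entry_point(chain):
    """First ancestor that is not a session root: where the activity entered."""
    for p in chain:
        if p.image not in SESSION_ROOTS:
            return p
    return chain[0]


def suspicious_reasons(e, parent):
    """Apply the behavioral rules to one process; empty list means benign."""
    reasons = []
    if parent is not None and parent.image in OFFICE_APPS and e.image in SCRIPT_HOSTS:
        reasons.append(f"{parent.image} spawned {e.image}")
    if e.image == "powershell.exe" and ENCODED_PS.search(e.cmdline):
        reasons.append("encoded PowerShell command line")
    if e.image == "rundll32.exe" and USER_WRITABLE.search(e.cmdline):
        reasons.append("rundll32 loading a DLL from a user-writable path")
    return reasons


def detect(events):
    """Run the rules over every process and attach its lineage to each alert."""
    alerts = []
    for host, procs in by_host(events).items():
        for e in procs.values():
            reasons = suspicious_reasons(e, procs.get(e.ppid))
            if reasons:
                chain = lineage(procs, e.pid)
                alerts.append({
                    "host": host,
                    "pid": e.pid,
                    "image": e.image,
                    "reasons": reasons,
                    "chain": [p.image for p in chain],
                    "entry_pid": entry_point(chain).pid,
                })
    return alerts


def incidents(alerts):
    """Group alerts that share a host and entry point into one incident."""
    groups = {}
    for a in alerts:
        groups.setdefault((a["host"], a["entry_pid"]), []).append(a)
    return [{"host": h, "entry_pid": pid,
             "alerts": sorted(x["pid"] for x in g),
             "reasons": sorted({r for x in g for r in x["reasons"]})}
            for (h, pid), g in groups.items()]


if __name__ == "__main__":
    for inc in incidents(detect(EVENTS)):
        print(inc)
```

On the sample data the two alerts on ws-01 (the encoded PowerShell launched by Word, and the DLL loaded from a temp directory) collapse into a single incident whose entry point is the Outlook process, which is the lineage an analyst would use to find the delivered document; the PowerShell backup script on ws-02 raises nothing because neither its parent nor its command line matches a rule. A real platform does the same over millions of events with far richer rules, but the shape of the work, detect on behavior, reconstruct lineage, then correlate, is what the answer above describes.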
What is XDR vs EDR?
XDR stands for ‘extended detection and response’. Whereas EDR focuses on protecting endpoints, providing in-depth visibility, and threat prevention for a particular device, XDR security takes a broader view by integrating security across endpoints, cloud computing, email, and other solutions.
What is the difference between EDR and EPP?
EDR refers to ‘endpoint detection and response’ while EPP stands for ‘endpoint protection platform’. EPP solutions are proactive: they prevent known and suspected threats from running on a specific device. EDR is reactive: it records endpoint activity so that threats your EPP and other security tools missed can be detected, investigated, and contained after the fact. Modern endpoint security platforms typically combine both approaches.
What is the difference between EDR and antivirus?
Antivirus is typically a single program that scans, detects, and removes cyber threats such as viruses and other types of malware, mostly by matching known signatures and behaviors on one device. EDR serves a much broader function: it continuously records activity across the organization’s endpoints, detects suspicious behavior that signature-based antivirus would not flag, and gives the security team the data and tools to investigate and respond. In practice EDR is sold as part of an endpoint security platform that bundles it with antivirus and features such as a firewall, application allow-listing, and monitoring tools, so the combined product protects the various endpoints of an organization’s digital network rather than one machine at a time.
The threat landscape is becoming more complicated, as attackers find new ways to access and steal information or trick employees into disclosing sensitive information. Given the reputational and financial damage a data breach can cause, endpoint security is a must-have for businesses of all sizes. Kaspersky offers a range of endpoint security solutions for businesses.