In a nutshell

  • Endpoint Security refers to technical and organisational measures to prevent unauthorised access and the execution of malware on endpoint devices.
  • Endpoints include devices such as PCs, laptops, smartphones, tablets, but also other devices that are connected to the enterprise network.

1. What is Endpoint Security?

Endpoint Security is the protection of endpoints such as desktops, laptops and mobile devices from exploitation by malicious actors.

Threats to which endpoints are exposed include the infiltration of malware and remote access Trojans (RATs). Unwanted data leakage or the connection of external mass storage devices can also compromise the confidentiality of corporate data.

The package of measures is usually made up of

  • Technical measures on the end device,
  • Technical measures in the corporate network and
  • Organisational measures for the users.

The digital transformation of companies, with a steadily increasing number of mobile workstations, the adoption of the cloud and the resulting larger attack surface, increases the need for protection. Endpoint protection thus continues to gain relevance, since endpoints are often the entry point for cybersecurity threats.

2. Measures to protect end devices

Technical measures for user devices are often marketed by manufacturers as an Endpoint Protection Platform (EPP). These can include preventive, detective and reactive measures such as:

  • Protection against malware and ransomware (signature-based and behaviour-based)
  • Protection of administrative permissions
  • Desktop firewalls
  • Client-side IDS/IPS
  • Web filtering systems
  • Application isolation through virtualisation
  • Data Loss Prevention (DLP)
  • Management of external devices such as USB sticks

The most important organisational measures for users include regular security awareness training on current threats such as phishing. Security policies for handling end devices, external data storage or the corporate network must also be included.

On the network side, additional measures such as IDS/IPS, web proxies and phishing detection can support endpoint security.

The advantages of network-based measures are lower resource consumption on the endpoints, since fewer agents are needed, and broader, network-wide visibility.

3. Endpoint Protection Platforms (EPP)

An endpoint protection platform is designed to prevent threats such as known malware as well as advanced threats such as fileless attacks and ransomware. Zero-day exploits tend not to be caught, but a baseline of IT hygiene is achieved. Malicious activity is detected using several techniques:

  • Signature: threat detection using signatures from known malware.
  • Static analysis: analysing binaries and looking for malicious characteristics before execution with machine learning algorithms.
  • Behavioural analysis: EPP security solutions can detect behavioural anomalies even when there is no known threat signature.
  • Whitelisting and blacklisting: blocking access, or allowing access only, to specific IP addresses, URLs, applications and processes.
  • Sandbox: testing files for malicious behaviour by running them in a virtual environment.
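As an added illustration (not code from the original article or from any vendor named in it), the following Python script applies each of the techniques above to constructed process telemetry: a hash-signature lookup, two hand-written static features standing in for a trained classifier, a process allowlist/denylist, and a behavioural rule over recorded file operations, which doubles as the sandbox verdict when the operations come from detonating the file in an isolated VM. All process names, byte strings, thresholds and paths are made up for the example.

```python
"""Toy EPP: the detection techniques listed above, applied to constructed telemetry."""
import hashlib
import math
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Signature database: SHA-256 of a constructed "known-bad" sample (not real malware).
KNOWN_BAD_IMAGE = b"CONSTRUCTED-SAMPLE-DROPPER-0001"
SIGNATURES = {hashlib.sha256(KNOWN_BAD_IMAGE).hexdigest(): "Sample.Dropper"}

# Hypothetical allowlist / denylist of process names (whitelisting and blacklisting).
ALLOWED_PROCESSES = {"winword.exe", "outlook.exe", "explorer.exe"}
DENIED_PROCESSES = {"unwanted-tool.exe"}


@dataclass
class ProcessEvent:
    """One observed process and the file operations it performed (constructed)."""
    name: str
    image: bytes                                  # bytes of the executable on disk
    file_ops: list = field(default_factory=list)  # (op, src_path, dst_path) tuples


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; packed or encrypted payloads approach 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def signature_check(image: bytes) -> Optional[str]:
    """Signature: exact hash match against the known-malware database."""
    return SIGNATURES.get(hashlib.sha256(image).hexdigest())


def static_check(image: bytes) -> list:
    """Static analysis before execution. Products feed many such features to a
    trained classifier; two hand-written features stand in for that here."""
    findings = []
    if shannon_entropy(image) > 7.0:
        findings.append("high-entropy image (possible packer)")
    if b"-EncodedCommand" in image:
        findings.append("embedded encoded-command launcher string")
    return findings


def list_check(name: str) -> Optional[str]:
    """Whitelisting and blacklisting by process name."""
    if name in DENIED_PROCESSES:
        return "process is denylisted"
    if name not in ALLOWED_PROCESSES:
        return "process is not on the allowlist"
    return None


def behaviour_check(file_ops: list, rename_threshold: int = 5) -> list:
    """Behavioural analysis: judge what the code does, no signature required.
    Fed with operations recorded while detonating a file in an isolated VM,
    the same function is the sandbox technique."""
    def ext(path: str) -> str:
        return path.rsplit(".", 1)[-1].lower()

    findings = []
    mass_renames = [o for o in file_ops if o[0] == "rename" and ext(o[1]) != ext(o[2])]
    if len(mass_renames) >= rename_threshold:
        findings.append(f"{len(mass_renames)} files renamed to a new extension (ransomware-like)")
    if any(o[0] == "write" and ext(o[2]) in {"exe", "dll"} for o in file_ops):
        findings.append("wrote an executable to disk (dropper-like)")
    return findings


def assess(ev: ProcessEvent) -> dict:
    """Run every technique; one positive finding from any of them blocks the process."""
    report = {
        "signature": signature_check(ev.image),
        "static": static_check(ev.image),
        "lists": list_check(ev.name),
        "behaviour": behaviour_check(ev.file_ops),
    }
    block = (report["signature"] is not None or report["lists"] == "process is denylisted"
             or bool(report["static"]) or bool(report["behaviour"]))
    report["verdict"] = "block" if block else "allow"
    return report


# Constructed scenarios: a known dropper, an unknown ransomware sample and a benign process.
KNOWN_DROPPER = ProcessEvent("setup.exe", KNOWN_BAD_IMAGE,
                             [("write", "", "C:/Users/a/AppData/Local/Temp/x.exe")])
UNKNOWN_RANSOMWARE = ProcessEvent(
    "invoice_viewer.exe", b"MZ plain unsigned binary with no known hash",
    [("rename", f"C:/Users/a/Documents/doc{i}.docx", f"C:/Users/a/Documents/doc{i}.locked")
     for i in range(6)])
BENIGN_WORD = ProcessEvent("winword.exe", b"MZ word processor",
                           [("write", "", "C:/Users/a/Documents/report.docx")])

if __name__ == "__main__":
    for ev in (KNOWN_DROPPER, UNKNOWN_RANSOMWARE, BENIGN_WORD):
        print(ev.name, assess(ev))
```

The unknown ransomware scenario is the point of the exercise: its hash is in no database and its image looks unremarkable, so only the behavioural rule catches it, which is why an EPP layers these techniques rather than relying on signatures alone.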

These endpoint security solutions also offer more passive protection features such as disk encryption, host-based firewalls and data loss prevention.

Many of these solutions operate cloud-based, without an on-premises management server, to ensure continuous monitoring even in a work-from-home environment. With some providers, not only the management is outsourced to the cloud, but also parts of the detection functions themselves. The endpoint agent then no longer needs to maintain a local database of all known IOCs (Indicators of Compromise); a cloud API is sufficient to classify unknown objects.

Vendors of these classic endpoint protection platforms include Broadcom (Symantec), Microsoft, Trend Micro, SentinelOne, Sophos and CrowdStrike. A constantly updated list can be found at Gartner.

4. Endpoint Detection and Response (EDR)

EDR solutions complement EPP platforms by also bringing the suspicious activity that precedes an incident and the incident response that follows it into the monitoring.

This is also reflected by the letters D and R in EDR.

The main functions of an EDR platform are:

  • Continuous monitoring and collection of activity data from endpoints that may indicate a threat,
  • Automated response to detected threats, supported by machine learning/artificial intelligence and other threat intelligence sources such as the MITRE ATT&CK framework,
  • Notification of the SOC team if a threat is detected, and
  • Acting as a forensics and analytics tool to investigate detected threats and look for suspicious activity.
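The four functions above, as an added example that is not part of the original article or of any vendor's product: a small Python pipeline ingests constructed endpoint telemetry, keeps every event, evaluates each one against rules tagged with the ATT&CK technique they map to (T1059 Command and Scripting Interpreter and its PowerShell sub-technique T1059.001), queues a notification for the SOC, isolates the host automatically on a high-severity hit, and exposes a time-window query for forensic work. Hostnames, timestamps, process chains, rule names, the placeholder command line and the 203.0.113.5 destination (a documentation address) are all constructed.

```python
"""Minimal EDR-style pipeline over constructed endpoint telemetry (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}


@dataclass
class Event:
    """One telemetry record from the endpoint agent."""
    ts: datetime
    host: str
    kind: str                  # "process", "file" or "network"
    process: str
    parent: str = ""
    cmdline: str = ""
    detail: str = ""


@dataclass
class Alert:
    ts: datetime
    host: str
    rule: str
    technique: str             # MITRE ATT&CK technique the rule is mapped to
    severity: str
    evidence: list = field(default_factory=list)


def rule_office_spawns_interpreter(ev: Event) -> Optional[Alert]:
    """Process lineage: an Office application launching a scripting interpreter."""
    if ev.kind == "process" and ev.parent in OFFICE_APPS and ev.process in INTERPRETERS:
        return Alert(ev.ts, ev.host, "office-app-spawned-interpreter", "T1059", "high")
    return None


def rule_encoded_powershell(ev: Event) -> Optional[Alert]:
    """Command line carrying an encoded PowerShell command."""
    if ev.kind == "process" and ev.process == "powershell.exe" and "-enc" in ev.cmdline.lower():
        return Alert(ev.ts, ev.host, "encoded-powershell-command", "T1059.001", "medium")
    return None


RULES = [rule_office_spawns_interpreter, rule_encoded_powershell]


class EDR:
    """Collects everything, evaluates rules on each event, responds and notifies."""

    def __init__(self, lookback: timedelta = timedelta(minutes=5)):
        self.events: list = []            # continuous collection, alerting or not
        self.alerts: list = []
        self.isolated_hosts: set = set()  # automated response: network isolation
        self.soc_queue: list = []         # notifications for the SOC team
        self.lookback = lookback

    def ingest(self, ev: Event) -> None:
        self.events.append(ev)
        for rule in RULES:
            alert = rule(ev)
            if alert is not None:
                # Attach what happened on the host before the hit: the "upstream" activity.
                alert.evidence = self.timeline(ev.host, ev.ts - self.lookback, ev.ts)
                self.alerts.append(alert)
                self.respond(alert)

    def respond(self, alert: Alert) -> None:
        self.soc_queue.append(f"[{alert.severity}] {alert.host}: {alert.rule} ({alert.technique})")
        if alert.severity == "high":
            self.isolated_hosts.add(alert.host)

    def timeline(self, host: str, start: datetime, end: datetime) -> list:
        """Forensics: every recorded event on a host in a time window."""
        return [e for e in self.events if e.host == host and start <= e.ts <= end]


def run_demo() -> EDR:
    """Feed a constructed phishing-style chain on HOST-A and benign activity on HOST-B."""
    t0 = datetime(2024, 1, 15, 9, 0, 0)
    at = lambda seconds: t0 + timedelta(seconds=seconds)
    edr = EDR()
    for ev in [
        Event(at(0), "HOST-A", "process", "outlook.exe", parent="explorer.exe"),
        Event(at(60), "HOST-A", "file", "outlook.exe", detail="wrote Downloads/invoice.docm"),
        Event(at(60), "HOST-B", "process", "winword.exe", parent="explorer.exe"),
        Event(at(120), "HOST-A", "process", "winword.exe", parent="outlook.exe",
              cmdline="winword.exe invoice.docm"),
        Event(at(150), "HOST-A", "process", "powershell.exe", parent="winword.exe",
              cmdline="powershell.exe -enc QUJD"),       # placeholder, not a real payload
        Event(at(180), "HOST-A", "network", "powershell.exe", detail="outbound 203.0.113.5:443"),
    ]:
        edr.ingest(ev)
    return edr


if __name__ == "__main__":
    demo = run_demo()
    print(demo.soc_queue, demo.isolated_hosts)
```

Because the store keeps the non-alerting events too, the alert's evidence already contains the Outlook download and the Word launch that preceded the PowerShell start, and the analyst can query the same store for what the host did afterwards; that upstream and downstream view is what separates EDR from a pure prevention product.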

For endpoint protection, EDR software specifically provides more visibility into, and more influence over, attacks with current malware than traditional EPP/anti-virus software.

The providers of EDR endpoint security software include many manufacturers already listed in the EPP section above (EDR list by Gartner).

Admittedly, on the vendor side the line between EPP software and EDR software is blurring, as features of both product lines are often merged into one integrated product. As a result, endpoint protection based on each vendor's own EDR/EPP software is defined a little differently.

Comparison: Endpoint Protection Platform vs. Endpoint Detection & Response

| Feature | Endpoint Protection Platform (EPP) | Endpoint Detection & Response (EDR) |
|---|---|---|
| Target | Prevention of known threats and maybe a few unknown ones | Improve visibility and capability of incident response activities on the endpoint |
| Influence | Low | Active detection of threats possible |
| Security incident support | Passive threat protection | Supports security incident handling as an incident response tool |

5. MDR and XDR

The EDR platform provides excellent insight and visibility to the in-house security team to ensure monitoring of the infrastructure. To fully utilize its potential, sufficient resources are needed, which can be difficult to acquire within one's own team.

  • Managed Detection and Response (MDR): adds an external human component to an EDR platform, ideally by a team of IT security experts.
  • Extended Detection and Response (XDR): XDR software solutions extend the endpoint visibility and detection that EDR provides to the entire IT infrastructure of an organisation. Cloud infrastructure, mobile devices and network devices are also covered. This unified visibility simplifies IT security management as well as security policy enforcement.
