What is an endpoint?
In the world of information technology (IT), an endpoint is any device (be it a laptop, phone, tablet, or server) connected to a secure business network. When you connect to a network, you are creating a new endpoint.
In a perfect world, employees in the office and working remotely (through a VPN, for example) should be able to log in and get their job done safely, but that isn’t always the case. Every endpoint is a soft spot that cybercriminals can take advantage of to gain unauthorized access to the network. It could be through an exploit, phishing attack, spyware, Trojan, malspam, or other form of malware. Endpoint protection is the business of hardening endpoints against potential cyberattacks.
How does endpoint protection work?
Modern endpoint protection (aka endpoint security) generally has eight key features. Together, these features define how endpoint protection works and, in some cases, differentiate it from consumer-oriented antivirus or anti-malware, and even from some early forms of endpoint protection.
- Machine learning. Machine learning refers to algorithms that, when fed enough data, allow a machine with endpoint protection to start recognizing patterns in each data set. In turn, the machine can begin classifying new data in accordance with the patterns it has learned. As it applies to endpoint protection, the machine can analyse the data it is receiving back from a group of endpoints and use those insights to determine if a particular program is malicious. In short, if it acts like malware, it probably is malware. And the more endpoints there are, the more data there is to learn from, and the smarter the machine gets at classifying threats.
- Behavioural analysis. The difference between machine learning and behavioural analysis is subtle. In both cases, the machine is looking for patterns of behaviour indicative of malware. With behavioural analysis, however, the machine is specifically looking for benign applications being used in abnormal ways to spread malware. Take, for example, your email client suddenly spamming all your contacts, or macro exploits running shell commands in Microsoft Office. Actions like these are good indicators of malware, and behavioural analysis stops them.
- Known attack detection. Also known as signature matching, known attack detection compares potentially malicious programs against a list of known threats. Signatures are good at stopping less sophisticated attacks without a lot of fuss. Signatures, however, are not effective against zero-day attacks. That said, it is another welcome layer of threat blocking that doesn’t add a lot of bloat to a program.
- Exploit mitigation. A strong exploit mitigation layer uses various application hardening techniques to stop attackers from exploiting software vulnerabilities in an endpoint, which in turn stops them from gaining root access and remotely executing code on the endpoint.
- Cloud-based centralized management. While early forms of endpoint protection were designed to be installed locally, or on-premises, modern day versions are built for the cloud. Cloud-based solutions are quick to deploy, easy to manage, and scalable. As your business grows there is no need to staff up or buy more hardware to keep your endpoint protection running, just buy more licenses and let your endpoint protection software provider do the work. Compare this with an on-premises solution: You own the data and the hardware, but it’s up to your in-house IT team to maintain it.
- Automation. Cyberattacks happen fast. By the time a human user has any idea what is going on, the damage is already done. Take Emotet, for example. The banking Trojan lands on your network and seeks out endpoints, data backups, and network shares onto which it deploys its secondary ransomware payload. You will only know something is wrong when half the company is locked out of their files or computers. The beauty of automation is that once an administrator dials in the security settings and policies, the protection process is largely automated. Basic security actions like detection, protection, and remediation happen with as much or as little human involvement as the user desires.
- Single agent architecture. Endpoints can become weighed down with resource-hogging, potentially unnecessary bloatware. With single agent architecture you get a lightweight program that is easy to deploy and easy to manage. But the primary benefit is the ability to see every endpoint on the network through a single pane of glass.
- Remediation. The unfortunate reality is that there is no such thing as 100 percent protection. As such, a good endpoint protection program should include remediation capabilities. Removing active malware is a given, but remediation should also include malware artifacts and troublesome persistence mechanisms that might allow a threat to come back after superficial remediation.
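The Office-macro case from the behavioural analysis feature above, as an added example that is not part of the original article: a small Python rule that flags process-creation events in which an Office application launches a command interpreter or script host, the "benign application used in an abnormal way" pattern the article describes. The event fields, process-name lists and sample telemetry are assumptions constructed for illustration, not taken from any real product or incident.

```python
"""Toy behavioural detection: flag Office applications spawning command
interpreters. Events are constructed sample data shaped like endpoint
process-creation telemetry (parent image, child image, command line)."""

# Benign applications that should almost never launch an interpreter (assumed list).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Interpreters and script hosts commonly abused by macro-based loaders (assumed list).
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def _image_name(path: str) -> str:
    """Return the lowercase file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_suspicious_spawn(event: dict) -> bool:
    """True when an Office process is the parent of a shell or script host."""
    return (_image_name(event["parent_image"]) in OFFICE_PARENTS
            and _image_name(event["image"]) in SHELL_CHILDREN)


def find_suspicious_spawns(events: list) -> list:
    """Return the flagged events, each with a short human-readable reason."""
    hits = []
    for ev in events:
        if is_suspicious_spawn(ev):
            reason = f"{_image_name(ev['parent_image'])} spawned {_image_name(ev['image'])}"
            hits.append({**ev, "reason": reason})
    return hits


# Constructed sample telemetry (not real logs): two macro-style spawns, two benign events.
SAMPLE_EVENTS = [
    {"host": "ws-101", "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c <constructed>"},
    {"host": "ws-101", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": "WINWORD.EXE report.docx"},
    {"host": "ws-102", "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe <constructed>"},
    {"host": "ws-103", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe"},
]

if __name__ == "__main__":
    for hit in find_suspicious_spawns(SAMPLE_EVENTS):
        print(f"[{hit['host']}] {hit['reason']}: {hit['command_line']}")
```

A user opening Word from Explorer, or an administrator opening a shell from Explorer, is not flagged; only the parent-child pairing the article calls out is.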