SecurityTrails Blog · Dec 01 · by Sara Jelen

Endpoint Security and Endpoint Detection and Response - EDR


While the traditional network perimeter has, for some time, been extended to include a large number of different endpoints, many organizations still struggle to put proper security protocols in place to protect them. And whenever security controls are lacking, attackers rejoice.

One study shows that a worrisome 30% of IT professionals don't know how many endpoints there are in their organization, and those who do know report an average of 750 endpoints. And that's only the average. Many organizations have a much greater number of endpoints—and maintaining visibility and security controls over each proves a difficult challenge.

Combine this with an uptick in attacks against endpoints, and we can see that traditional methods of endpoint security aren't working for current IT environments.

So what can organizations do to provide appropriate protection in this area? Let's find out.

What exactly are endpoints?

Endpoints are physical devices that are, you guessed it—the end points on a network. They are the connected devices that all of the users on the network use. Their numbers keep growing; more and more organizations use different devices to carry out different tasks, and with the current switch to working remotely and users accessing the network from all possible devices, both professional and personal, we don't foresee the growth of endpoints slowing down.

Figure: Common endpoint devices

What is endpoint security?

Endpoint security refers to the practice of securing endpoints, that is, end-user devices, against cyber threats and risks. Endpoint security services include those commonly used in enterprise environments as well as those used in consumer and private network environments, such as antivirus solutions, firewalls, and web and email filtering. Although these are all considered endpoint security services, endpoint security has evolved beyond those traditional solutions to provide more comprehensive protection against advanced malware and zero-day attacks.

Endpoint security plays an important role in organizations of all sizes. It helps them protect critical systems and sensitive and proprietary information, and makes sure all users on the network, including employees and customers, are protected from cyber attacks. Endpoint security works by giving security teams visibility into an organization's endpoints. It is designed to defend against physical and digital attacks, analyze traffic and files shared to and from these devices in real time, and detect and protect against different types of cybersecurity threats.

The most common attack vectors in endpoint security

Endpoints are vast and each of them can be a viable point of entry for attackers. Some of the frequently forgotten ones, like the fax machine, can be easily exploited, especially when they lack appropriate protection measures (as fax machines often do). And attack vectors in endpoint security are as vast as the number of endpoints themselves.

To increase your familiarity, here are some of the more common ones and what to do about them:


Your most valuable asset, your people, are also the weakest link in the security chain and present a big risk to your endpoint security. Endpoints are devices used by people, which means they can also be abused by them, whether with malicious intent or merely through a moment of negligence. And as we mentioned above, one factor adding to the possibility of weak endpoint security is the involvement of remote employees. Remote employees log onto the organization's network from outside the premises, opening up more entry points for malware to get into the network.

The only sure way to get your team and all your employees to participate in endpoint security, and to prevent them from undermining it, is to ensure they get appropriate cybersecurity training. Part of this is maintaining a strong, sustainable cybersecurity culture in the workplace. This is achieved by showing what a poor security posture means for the entire organization and its members, and by making security accessible and easily understood even by non-security folk.

To learn more about best practices for creating and maintaining a cybersecurity culture in your organization, and for guidelines on how security awareness training should look, we highly recommend you read our post "Cyber Security Culture: Why It Matters for Your Business", which examines this area in further detail.

BYOD policies

More and more organizations continue to establish bring-your-own-device (BYOD) policies in the workplace. These policies provide employees with the comfort of working on their own devices, and benefit organizations by lessening the need for on-premises devices. While this new culture is widely embraced, it does bring with it certain cybersecurity risks.

Mobile devices are one of the most common attack vectors in endpoint security, and BYOD policies increase the presence of mobile devices and unsecured private laptops. Private devices usually don't follow security practices and policies, and can go unprotected for months while employees use them to access an organization's premises and network. They reduce the visibility of the devices on a network as well as the visibility of data going in and out of those devices.

Fortunately, endpoint security solutions enforce data loss prevention and increased visibility over all devices accessing the network, and can even enforce data encryption such that only authorized users can access it.

Internet of things (IoT)

Tying right into BYOD policies, Internet of things, or IoT, devices are slowly becoming one of the most common attack vectors in endpoint security for organizations. This arrives hand-in-hand with the fast-tracked adoption of these devices; reports cite that by 2025 more than 75 billion IoT devices will be connected to the web. These devices rarely have security measures, protection or frequent updates on their software and firmware.

With this rise in both consumer and enterprise IoT devices, it's easy to see how easily they become entry points for attackers trying to penetrate an organization's network. A significant component of endpoint security is adding visibility into network-connected IoT devices, along with providing patch management to ensure any updates for the firmware and software are applied in a timely manner.


We all need numerous applications to execute our everyday tasks. It's unavoidable for any professional role. Employees often download the apps they need from different sources, but they do it without consulting with the security team or considering policies governing the downloading of applications, if there are any. So if a suspicious source is used to install these applications without alerting the security team, attackers can gain access to the network, and move through the network undetected.

Enforcing clear and continuously monitored security policies around installing new applications on an organization's endpoints will ensure that no app of suspicious origin makes its way onto the device. Additionally, pre-approved sources for any new applications can be provided to let employees know where they can turn if in need of a new app on their device.

What is endpoint detection and response (EDR)?

Remember when we mentioned that antivirus, firewall and web filtering are considered endpoint security solutions, while the practice has evolved into referring to more advanced and sophisticated methods of protecting endpoints? We were actually talking about endpoint detection and response, or EDR.

The term was first coined by Anton Chuvakin in 2013 at Gartner to refer to security solutions that were emerging at the time, tools that primarily focused on detecting and investigating suspicious activities and other problems on endpoints.

Endpoint detection and response tools are designed to complement traditional endpoint security methods with a focus on detection, investigation and response capabilities. Moreover, EDR tools focus on enhancing an organization's visibility into its endpoints and securing the network. By using a centralized management system, organizations can improve not only their visibility but also their response times, especially to zero-day and advanced persistent threats, which is exactly where traditional solutions fall short. Most of today's sophisticated threats are able to evade perimeter defenses quite easily, and traditional endpoint security solutions and antivirus software are limited to detecting threats by already-known signatures. EDR solutions, however, use predictive analysis and advanced threat detection to detect new threats.

EDR solutions detect threats across an organization's environment, and investigate the lifecycle of each threat. This provides insights into how the threat evaded defenses, where it entered, how it's behaving in the network, how to triage it, and how to stop it. These solutions then contain the threat at the endpoint, preventing it from spreading across the system and wreaking havoc on critical parts of the system.

Some of the key capabilities of effective EDR solutions include suspicious activity detection, security incident investigation, alert triage and suspicious activity validation, as well as threat hunting and the ability to stop malicious activity where it's detected.
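The contrast between signature matching and behavior-based detection, and the "how did it get in" lineage question, can be shown on a few lines of constructed endpoint telemetry. The following is an added example, not code from the SecurityTrails post or any EDR product; the process events, hashes and rule sets are all made up for illustration.

```python
# Added example (not from the original post): a miniature EDR-style check over
# constructed endpoint telemetry. It contrasts a hash blocklist (signature) with a
# behavioral rule, then rebuilds the process lineage an analyst would investigate.
from collections import namedtuple

Event = namedtuple("Event", "pid ppid image sha256 cmdline")

# Constructed telemetry: an office document spawns a shell, which launches a
# previously unseen binary. The hashes are placeholders, not real indicators.
EVENTS = [
    Event(100, 1, "explorer.exe", "aaaa", "explorer.exe"),
    Event(200, 100, "winword.exe", "bbbb", "winword.exe invoice.docm"),
    Event(300, 200, "cmd.exe", "cccc", "cmd.exe /c start dropper.exe"),
    Event(400, 300, "dropper.exe", "dddd", "dropper.exe"),
]

KNOWN_BAD_HASHES = {"eeee"}          # signature feed: the dropper's hash is not in it
OFFICE_APPS = {"winword.exe", "excel.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}

def signature_hits(events):
    """Traditional AV-style check: flag only hashes already on the blocklist."""
    return [e.pid for e in events if e.sha256 in KNOWN_BAD_HASHES]

def behavioral_hits(events):
    """EDR-style rule: an office application spawning a command shell is
    suspicious regardless of what the child binary hashes to."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent and parent.image in OFFICE_APPS and e.image in SHELLS:
            hits.append(e.pid)
    return hits

def lineage(events, pid):
    """Walk parent links to reconstruct the chain that led to a process,
    which is the 'where did it enter' question an EDR investigation answers."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return list(reversed(chain))

if __name__ == "__main__":
    print("signature hits:", signature_hits(EVENTS))
    print("behavioral hits:", behavioral_hits(EVENTS))
    print("lineage of dropper:", lineage(EVENTS, 400))
```

The signature lookup returns nothing because the dropper's hash was never seen before, while the behavioral rule flags the shell spawned by the office application and the lineage walk shows the full chain from the desktop shell down to the dropped binary.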

Benefits of endpoint detection and response

EDR solutions are vast, with numerous capabilities. They also offer a number of different features that improve an organization's resilience to cyber attacks, with benefits that include the following.


Integration with other tools

EDR solutions are versatile and compatible with other security tools in an organization's tool set. Integrating EDR solutions with SIEM tools, threat intelligence feeds, malware analysis and the like provides an all-encompassing network defense. EDR solutions can also be integrated into DevOps cycles so developers can hunt down security threats and tackle them as quickly as possible.

It's tremendously important to treat an EDR solution as one element of network defense, because EDR is just that: a tool to protect your network perimeter, not the entire system. That's why it's crucial to integrate EDR with other security solutions that go beyond the network, such as encryption tools.

Visibility into your environment

We mentioned that one of the key components of endpoint detection and response tooling is the increased visibility across all endpoints on an organization's network. To meet business requirements, organizations have expanded their networks with endpoints that number in the hundreds of thousands. And a greater perimeter and attack surface means that malicious attackers have a greater number of entry points to the network.

EDR solutions are able to meet the demands of large networks. They monitor all endpoints in real time, providing visibility into activity and data movements across the entire perimeter. This effort provides security teams with intel on a given threat and the attackers involved as they attempt to penetrate the network, empowering the team to stop the attackers at the entry point.

Ability to assess and react to security incidents

As mentioned above, security teams can discover threats at their point of entry. This also means they can investigate the threat, see how it reached the endpoint and what it was doing inside the network, and at the same time triage it and prevent it from causing any real damage. EDR solutions are also designed to automate data collection, gather contextual information about security incidents and their origin, and quickly take appropriate steps to react to them.

With better insight and improved reactivity to security incidents, security teams are now able to develop more effective incident response practices which are continuously updated with the latest data on potential threats. This knowledge allows security teams to identify threats while still in their initial phases in the network environment. Once obtained, this forensic data is further used to empower EDR tools to help in future investigations.

Prevention of cyber attacks

An effective EDR solution offers the prevention of cyber attacks while equipping organizations to properly respond to unknown threats by using behavioral analysis of all network traffic. These techniques allow EDR solutions to go further than traditional perimeter and endpoint solutions, which can't detect zero-day and unfamiliar threats.

Final words

It's often said that the perimeter is going away, and that's true in the sense that what has worked in the past, what's considered traditional endpoint security, just isn't cutting it for modern enterprise. This is why next-gen solutions in the form of endpoint detection and response tools are needed for any organization that desires a multi-layered and complete system of network defense.

Remember that EDR solutions are only focused on endpoints. That alone isn't enough to protect against sophisticated threats, so introducing and integrating this type of tool is only one step in the right direction, as an important complement to your other security defenses.

Endpoints aren’t the only part of your network you need to have visibility over. Attack Surface Reduction provides visibility and monitoring across all digital assets and shadow infrastructure in order to get a jump on threats and eliminate risks. Contact us to learn more.

Sara Jelen, Blog Author

Sara believes the human element is often at the core of all cybersecurity issues. It’s this perspective that brings a refreshing voice to the SecurityTrails team. Her ability to bridge cognitive/social motivators and how they impact the cybersecurity industry is always enlightening.
