Computers, VoIP phones, laptops, POS systems: any individual device, also referred to as an “endpoint,” comes in a variety of shapes and sizes. Each endpoint provides an important function to your business. While defense at the network level is crucial, defense at the endpoint level is equally important.
Left exposed, your endpoints can serve as an entry point for attack. Endpoints are not uniform, so defending them can be complicated. There may be endpoints in your environment that run different operating systems such as Windows, Mac, or Linux; some may be old, and some may be new. Certain endpoints need to be accessible to all employees, while others only need to be accessible to a few. In our new era of remote work, certain endpoints may also need to be accessible remotely.
Given the variety of endpoints, the right endpoint solution should be able to fit them all. Beyond security… and prevent the need for site visits. The two main components of endpoint defense are (1) Management and (2) Security.
Your organization has a variety of employees with a variety of roles. Access management controls (1) who has access to your endpoints and (2) what their rights or privileges are. Interns do not need the same access and control as your network administrator. Access should be customizable based on an individual's role in your organization. This begins with assigning usernames and passwords to particular employees. User credentials control the entrance to your endpoints and act as a first line of defense against unauthorized actors breaking in. Default credentials should be replaced with proper usernames and passwords. Then, specific access rights can be configured for those login credentials. It should also be possible to configure access based on the device itself. Your endpoint defense tool should make assigning these credentials and privileges easy. Proper password management is the cornerstone of many compliance mandates such as PCI, HIPAA, and NIST. Your endpoint defense solution should be able to update passwords periodically and to enable and disable user access as employees join or leave your organization. It should be possible to escalate or de-escalate privileges based on management decisions. The ability to enable or disable two-factor authentication (2FA) should come standard, and log-on and log-off behavior should be tracked to detect suspicious activity. Automated lockouts should be configured so that entering the wrong credentials more than a set number of times blocks brute-force attacks. If all of these features come standard, your endpoint defense solution has robust access management.
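The automated-lockout rule described above, as an added example that is not the page's or any vendor's code: constructed logon events are replayed against a sliding-window policy (5 failures within 10 minutes lock the account for 15 minutes; these thresholds, the user names and the log format are all hypothetical), and every lockout becomes an alert the SOC dashboard would show.

```python
"""Account lockout policy for endpoint logons.

Added example (not the page's or any vendor's code). Constructed logon
events are replayed against a sliding-window lockout rule; thresholds are
hypothetical and would normally come from the endpoint tool's policy.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class LockoutPolicy:
    max_failures: int = 5        # hypothetical: 5 bad passwords ...
    window_seconds: int = 600    # ... within 10 minutes ...
    lockout_seconds: int = 900   # ... lock the account for 15 minutes


@dataclass
class AccountState:
    failures: deque = field(default_factory=deque)  # timestamps of recent failures
    locked_until: float = 0.0                        # epoch seconds; 0 means not locked


class LogonGuard:
    """Tracks logon outcomes per account and enforces the lockout policy."""

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.accounts: dict = {}
        self.alerts: list = []  # what would be forwarded to the SOC dashboard

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def record(self, user: str, success: bool, now: float) -> str:
        """Return 'allowed', 'denied' or 'locked' for one logon attempt at time `now`."""
        st = self._state(user)
        if st.locked_until > now:
            return "locked"          # refuse even a correct password while locked
        if success:
            st.failures.clear()      # a good logon resets the failure counter
            return "allowed"
        st.failures.append(now)
        # forget failures that fell out of the sliding window
        while st.failures and now - st.failures[0] > self.policy.window_seconds:
            st.failures.popleft()
        if len(st.failures) >= self.policy.max_failures:
            st.locked_until = now + self.policy.lockout_seconds
            st.failures.clear()
            self.alerts.append(f"{user}: locked out after {self.policy.max_failures} failures")
            return "locked"
        return "denied"


# Constructed logon log: "<epoch seconds> <user> <ok|fail>", in time order
CONSTRUCTED_LOG = """\
0 jean fail
0 bob fail
30 jean fail
60 jean fail
90 jean fail
120 jean fail
130 jean ok
700 bob fail
1100 jean ok
"""


def replay(log_text: str, policy=None):
    """Replay a logon log; return per-attempt outcomes and the alerts raised."""
    guard = LogonGuard(policy or LockoutPolicy())
    outcomes = []
    for line in log_text.splitlines():
        ts, user, result = line.split()
        outcomes.append((user, guard.record(user, result == "ok", float(ts))))
    return outcomes, guard.alerts


if __name__ == "__main__":
    for user, outcome in replay(CONSTRUCTED_LOG)[0]:
        print(user, outcome)
```

Note that Jean's correct password at second 130 is still refused because the lockout is in force, while Bob's second failure at second 700 does not accumulate with his first, which has aged out of the window; that is what keeps a slow trickle of typos from locking out legitimate users.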
Configuration is a set of uniform security policies that harden your systems against attack and free up resources. Your endpoint defense tool should simplify configuration. As a first step, you cannot configure all of your devices if you do not have an accurate inventory of them. Your endpoint solution should give an accurate inventory of each and every device on your network. Once you have an inventory of your devices, you can then take an inventory of the applications running on those devices. Endpoints often have redundant applications running in the background. These applications are not intentionally malicious, but they can be exploited during a cyberattack. The best security framework is to assume that any application that can be exploited as a vector will be exploited as a vector. It is important to take an inventory of which applications you consider “business-critical,” and then deactivate the applications that fail to meet this criterion. Once the initial mapping is done, your endpoint defense tool should be able to disable these applications as an automated policy. Aside from making your endpoints more secure, this will also free up resources and extend the longevity of your devices. From a hardware perspective, active ports can be physically exploited. Thus, any hardware ports that do not serve a business-critical function should also be disabled. Implementing the right update policy keeps your endpoints a step ahead of known vulnerabilities. However, updating and patching endpoints is cumbersome. The right endpoint defense tool should streamline the patching process. It should be possible to test patches in a sandbox environment to determine whether anything “breaks,” and then roll them out to different groups of devices once they are found safe. An advanced feature is to pause and reverse the process if patching goes awry. We detail this further in the patching section of Unified Endpoint Management.
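The two policies from this section, an application and port allowlist derived from an inventory and a staged patch rollout that pauses and rolls back, as an added example that is not the page's or any vendor's code. The device inventory, the allowlists, the rollout rings and the failure threshold are all constructed; `apply_patch` and `rollback_patch` are hypothetical callables standing in for whatever the endpoint tool's agent actually does on a device.

```python
"""Configuration policy: application and port allowlists, plus staged patching.

Added example (not the page's or any vendor's code). The inventory, the
business-critical allowlists and the rollout rings are all constructed;
apply/rollback are callables standing in for the endpoint tool's agents.
"""

# Constructed inventory: device -> installed applications and active hardware ports
INVENTORY = {
    "pos-01":    {"apps": {"pos-client", "chrome", "tftp-server", "telnet-client"},
                  "ports": {"usb", "serial"}},
    "laptop-07": {"apps": {"chrome", "excel", "screenshare-legacy"},
                  "ports": {"usb", "sdcard"}},
    "voip-12":   {"apps": {"sip-client", "http-admin"},
                  "ports": {"usb"}},
}

# Hypothetical allowlists: what this business has decided is critical; everything else is disabled
BUSINESS_CRITICAL_APPS = {"pos-client", "chrome", "excel", "sip-client"}
BUSINESS_CRITICAL_PORTS = {"usb"}


def hardening_actions(inventory, apps_allowed, ports_allowed):
    """Per device, list the apps and hardware ports to disable: everything not on an allowlist."""
    actions = {}
    for device, facts in inventory.items():
        actions[device] = {
            "disable_apps": sorted(facts["apps"] - apps_allowed),
            "disable_ports": sorted(facts["ports"] - ports_allowed),
        }
    return actions


# Constructed rollout rings: sandbox first, then a pilot group, then everything else
RINGS = [
    ("sandbox", ["sandbox-01"]),
    ("pilot", ["laptop-07", "laptop-08"]),
    ("all", ["pos-01", "voip-12"]),
]


def staged_rollout(rings, apply_patch, rollback_patch, max_failure_rate=0.1):
    """Patch ring by ring; if a ring's failure rate exceeds the threshold, pause
    and roll back every device patched so far in this run.

    apply_patch(device) returns True on success; rollback_patch(device) undoes it.
    Returns (status, ring_that_failed_or_None, devices_left_patched).
    """
    patched = []
    for name, devices in rings:
        results = {device: apply_patch(device) for device in devices}
        patched.extend(device for device, ok in results.items() if ok)
        failures = sum(1 for ok in results.values() if not ok)
        if failures / len(devices) > max_failure_rate:
            for device in reversed(patched):   # undo in reverse order of application
                rollback_patch(device)
            return ("rolled_back", name, [])
    return ("complete", None, patched)


def simulate(rings, failing_devices):
    """Run a rollout in which `failing_devices` (constructed) fail to patch; report what was rolled back."""
    rolled_back = []
    status, ring, patched = staged_rollout(
        rings,
        apply_patch=lambda d: d not in failing_devices,
        rollback_patch=rolled_back.append,
    )
    return {"status": status, "ring": ring, "patched": patched, "rolled_back": rolled_back}


if __name__ == "__main__":
    print(hardening_actions(INVENTORY, BUSINESS_CRITICAL_APPS, BUSINESS_CRITICAL_PORTS))
    print(simulate(RINGS, {"laptop-07"}))
    print(simulate(RINGS, set()))
```

The allowlist is deliberately the only input to the hardening step: anything not explicitly marked business-critical is disabled, which matches the "assume it will be exploited" stance above. The rollout never reaches the "all" ring when the pilot ring breaks, and the sandbox device is rolled back too, so a failed run leaves the fleet in the state it started in.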
Clear decisions come from clear data. Your endpoint management tool should be able to pull data from individual endpoints and aggregate it into a centralized dashboard. Ideally, data should be visible for the entire mosaic of endpoints while also allowing individual endpoints to be brought into focus. Whether you have an in-house or outsourced Security Operations Center (SOC), this ability is crucial. Instead of wasting time cleansing and parsing data, your data becomes clear and actionable, and security specialists can concentrate on protecting your systems. Beyond making data clear, making sure it is centralized is key. Having data siloed in different buckets slows response times: your security specialists will have to switch between applications if alerts live in more than one place. Your dashboard should be able to mesh different forms of data into a single, clear reporting view. There may be a variety of security applications running on each endpoint (XDR, AV/AM, firewalls), but the data from these security apps should all feed into the same dashboard. With a “single pane of glass” for all endpoint security data, your security specialists will be able to mount a more rapid response to threats. The ability to create a “single pane of glass” is crucial not only for security but also for effective endpoint management. Read more about how a clear, centralized dashboard can make endpoint management more effective in Unified Endpoint Management.
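What "meshing different forms of data into a single view" looks like in practice, as an added example that is not the page's or any vendor's code: three constructed record formats standing in for XDR, AV/AM and host-firewall output (the field names, severity scales, host names and addresses are all invented; real products differ) are normalized onto one schema, ordered into a single timeline, and rolled up per endpoint.

```python
"""One normalized alert stream from several endpoint security products.

Added example (not the page's or any vendor's code). The raw records,
field names, severity scales and host names are all constructed to
stand in for XDR, AV/AM and host-firewall output; real products differ.
"""
import json
import math
import re
from datetime import datetime

# Constructed raw alerts: each product uses its own field names and severity scale
RAW_ALERTS = [
    ("xdr", '{"host": "laptop-07", "detection": "credential dumping", "risk": 90, '
            '"time": "2024-05-01T03:02:00Z"}'),
    ("av", '{"machine": "laptop-07", "threat": "Trojan.Generic", "level": "high", '
           '"detected_at": "2024-05-01T03:05:10Z"}'),
    ("fw", "May  1 03:01:55 laptop-07 fw: BLOCK src=203.0.113.9 dst=10.0.0.7 dport=445"),
    ("av", '{"machine": "pos-01", "threat": "PUA.Toolbar", "level": "low", '
           '"detected_at": "2024-05-01T09:12:00Z"}'),
]

AV_LEVELS = {"low": 2, "medium": 3, "high": 4, "critical": 5}   # vendor words -> shared 1-5 scale
FW_LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) fw: (\w+) src=(\S+) dst=(\S+) dport=(\d+)$")
LOG_YEAR = 2024  # assumption: the syslog-style firewall lines carry no year


def normalize(source, raw):
    """Map one raw record onto the shared schema: host, source, summary, severity 1-5, ts (ISO-8601 UTC)."""
    if source == "xdr":
        rec = json.loads(raw)
        return {"host": rec["host"], "source": source, "summary": rec["detection"],
                "severity": max(1, min(5, math.ceil(rec["risk"] / 20))),  # 0-100 risk -> 1-5
                "ts": rec["time"]}
    if source == "av":
        rec = json.loads(raw)
        return {"host": rec["machine"], "source": source, "summary": rec["threat"],
                "severity": AV_LEVELS[rec["level"]], "ts": rec["detected_at"]}
    if source == "fw":
        m = FW_LINE.match(raw)
        if not m:
            raise ValueError(f"unparsed firewall line: {raw!r}")
        stamp, host, verdict, src, dst, dport = m.groups()
        ts = datetime.strptime(stamp, "%b %d %H:%M:%S").replace(year=LOG_YEAR)
        return {"host": host, "source": source,
                "summary": f"{verdict} {src} -> {dst}:{dport}",
                # a blocked connection is informational; any other verdict on flagged traffic ranks higher
                "severity": 1 if verdict == "BLOCK" else 3,
                "ts": ts.strftime("%Y-%m-%dT%H:%M:%SZ")}
    raise ValueError(f"unknown source {source!r}")


def normalize_all(raw_alerts):
    """Normalize every record and order the stream by time so analysts read one timeline."""
    return sorted((normalize(src, raw) for src, raw in raw_alerts), key=lambda a: a["ts"])


def per_host_view(alerts):
    """Roll the stream up per endpoint: alert count, worst severity, and which products fired."""
    view = {}
    for a in alerts:
        h = view.setdefault(a["host"], {"count": 0, "max_severity": 0, "sources": set()})
        h["count"] += 1
        h["max_severity"] = max(h["max_severity"], a["severity"])
        h["sources"].add(a["source"])
    return view


if __name__ == "__main__":
    for a in normalize_all(RAW_ALERTS):
        print(a["ts"], a["host"], a["source"], a["severity"], a["summary"])
    print(per_host_view(normalize_all(RAW_ALERTS)))
```

Read as one timeline, the three laptop-07 records tell a story the separate consoles would not: the firewall block at 03:01:55, the XDR detection five seconds later and the AV hit three minutes after that all belong to the same host, and the per-host view surfaces it at severity 5 with three independent products agreeing.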
Endpoint Detection and Response (EDR) is also crucial in the right endpoint management tool. EDR is a mesh of human and AI capabilities. Unlike threat hunting, which looks for the beginning stages of an attack, EDR looks further downstream for signs of an attack that has evaded initial detection. A Security Operations Center (SOC) typically sits behind EDR services. SOCs consist of teams of security specialists who watch for, investigate, and respond to security incidents 24x7. Think of a SOC as a firehouse and the security specialists as firefighters. If there is a virtual “fire” on your network or endpoints, the firefighters in the SOC respond around the clock to put it out. Through the AI component of EDR, behavior on individual endpoints is modeled. If abnormal behavior that breaks the “norm” for an endpoint occurs, the AI component alerts human security specialists, who investigate further. To give a tangible example, imagine an accountant named Jean who uses her web browser and Microsoft Excel every day from 9am to 5pm. If files on Jean’s computer start undergoing military-grade encryption at 3am, this is clearly an abnormality. A robust EDR program would flag this as a potential ransomware attack, automatically quarantine her computer from the rest of the network, and send a red alert to the human security specialists at the SOC. If a breach or “fire” occurs on an endpoint, tracing how it slipped through your defenses allows you to better prepare for future attacks. Your endpoint defense solution should therefore also have forensic capabilities: the ability to track down the origins of an attack on each endpoint. Putting this layer in place ensures that as new threats are identified, you can adapt your systems to identify and thwart such attacks in the future.
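The Jean scenario as behavioral detection logic, added here as an example that is not the page's or any vendor's code. The baseline (her working hours and usual processes), the telemetry events and the thresholds are all constructed; a real EDR agent would learn the baseline from weeks of telemetry rather than a hand-written dictionary. The primary signal is the one a ransomware run cannot avoid producing, a burst of writes whose contents look encrypted (byte entropy close to 8 bits per byte); off-hours activity and an unfamiliar process raise confidence but are not required on their own, so a 3pm encryption run would still be caught.

```python
"""Behavioral anomaly detection for one endpoint, in the spirit of the Jean example.

Added example (not the page's or any vendor's code). The baseline, the
telemetry events and the detection thresholds are all constructed;
a real EDR agent would learn the baseline from weeks of telemetry.
"""
import math
from collections import Counter
from datetime import datetime

# Constructed baseline for user "jean": normal hours and the processes she uses every day
BASELINE = {"work_hours": (9, 17), "processes": {"excel.exe", "chrome.exe", "explorer.exe"}}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed output sits near 8.0, ordinary documents well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


# Constructed telemetry: (timestamp, process, action, path, sample of the bytes written)
LOW_ENTROPY = b"Quarterly totals: revenue 1200, costs 900\n" * 4
HIGH_ENTROPY = bytes(range(256))   # every byte value once: entropy exactly 8.0
EVENTS = [
    ("2024-05-01T10:15:00", "excel.exe", "write", "C:/Users/jean/Q1.xlsx", LOW_ENTROPY),
] + [
    (f"2024-05-02T03:00:{5 * i:02d}", "svc_update.exe", "write",
     f"C:/Users/jean/Docs/report{i}.docx.locked", HIGH_ENTROPY)
    for i in range(6)
]


def analyze(events, baseline, burst_threshold=5, window_seconds=60, entropy_floor=7.0):
    """Flag a burst of high-entropy writes by one process within a short window.

    Off-hours activity and an unbaselined process are reported as extra
    indicators that raise confidence, but the burst alone is enough to fire.
    """
    suspicious = []
    for ts, proc, action, path, sample in events:
        if action != "write" or shannon_entropy(sample) < entropy_floor:
            continue
        t = datetime.fromisoformat(ts)
        start, end = baseline["work_hours"]
        suspicious.append({"t": t, "proc": proc, "path": path,
                           "off_hours": not (start <= t.hour < end),
                           "unknown_proc": proc not in baseline["processes"]})
    for i, first in enumerate(suspicious):
        burst = [w for w in suspicious[i:] if w["proc"] == first["proc"]
                 and (w["t"] - first["t"]).total_seconds() <= window_seconds]
        if len(burst) >= burst_threshold:
            indicators = ["high_entropy_write_burst"]
            if first["off_hours"]:
                indicators.append("outside_work_hours")
            if first["unknown_proc"]:
                indicators.append("unbaselined_process")
            return {"verdict": "ransomware_suspected", "process": first["proc"],
                    "files": [w["path"] for w in burst], "indicators": indicators,
                    # what the agent does automatically before a human at the SOC looks
                    "actions": ["quarantine_host", "alert_soc"]}
    return {"verdict": "normal", "indicators": [], "actions": []}


if __name__ == "__main__":
    print(analyze(EVENTS, BASELINE))
```

The returned `files` list is the start of the forensic trail the section asks for: which process touched which files, in what order, and when, is exactly what an analyst needs to trace how the activity got past the earlier layers.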
The security applications running on your endpoints can generally be classified into two categories: defensive and offensive. Each layer of security added to your endpoints decreases the odds of a breach. For the ideal combination of defensive and offensive capabilities, you can read about Defense-In-Depth on our Omega Unify page. From an offensive standpoint, threat hunting is crucial for securing your endpoints. We go into detail about Threat Hunting solutions here. Threat hunting searches for activity indicating the initial stages of a cyberattack and thwarts it early on. Hackers often try to exploit your endpoints stealthily to evade traditional defenses such as EDR, SOCs, and AV/AM. Threat hunting is a manual process done by human security specialists. By cutting the attack off at its root, threat hunting prevents a full-on invasion of your endpoints and networks. Threat hunting is crucial on its own, but it is not a replacement for defensive layers on your endpoints. There are several components of a robust defensive endpoint security program. Having a firewall at the network level is crucial, but individual endpoints should also have a host-based firewall to block malicious traffic. At a bare minimum, an antivirus and antimalware (AV/AM) program should be running on each endpoint. Antivirus blocks known threats using inoculation scripts that already exist, whereas antimalware automatically detects and blocks malicious activity that mimics known threats.
Major cyberattacks come without warning. Nearly overnight, catastrophic breaches can ripple through an entire industry; the primary target often acts as a source of contagion. During these incidents, it is critical for teams to be agile so that they are not caught flat-footed. Following major breaches such as the FireEye Breach (2021), the Colonial Pipeline Attack (2021), and others, kill scripts were developed to fight back. These kill scripts can be deployed to inoculate your endpoints against the methods of attack used against the primary target of a major breach. Time is of the essence after an attack. The right endpoint solution should be able to deploy kill scripts to thousands of endpoints within minutes or hours. Teams that fail to enact defensive maneuvers risk being counted among the fallout of a major attack. Deploying scripts helps defend your endpoints, but it also makes managing them easier. Read our Unified Endpoint Management page to learn how deploying scripts to your endpoints can automate time-consuming tasks.