Endpoint Security:
How Endpoint Protection Works

Anne Aarness - January 11, 2024

What is endpoint security?

Endpoint security, or endpoint protection, is the cybersecurity approach to defending endpoints — such as desktops, laptops, and mobile devices — from malicious activity.

An endpoint protection platform (EPP) is a solution used to detect and prevent security threats like file-based malware attacks among other malicious activities. It also provides investigation and remediation capabilities needed to respond to dynamic security incidents and alerts.

What’s considered an endpoint?

An endpoint is any device that connects to the corporate network from outside its firewall. Examples of endpoint devices include:

  • Laptops
  • Tablets
  • Mobile devices
  • Internet of things (IoT) devices
  • Point-of-sale (POS) systems
  • Switches
  • Digital printers
  • Other devices that communicate with the central network

Endpoint security importance

An endpoint security strategy is essential because every remote endpoint can be the entry point for an attack, and the number of endpoints is only increasing with the rapid shift to remote work. According to a 2023 Forbes article, 12.7% of U.S. workers work remotely and 28.2% have adopted a hybrid work schedule. Though most workers are in-office today, it is predicted that the number of remote workers will increase to 32.6 million Americans by 2025, a sizable 22% of the U.S. workforce. The risks posed by endpoints and their sensitive data are a challenge that’s not going away.

The endpoint landscape is constantly changing, and businesses of all sizes are attractive targets for cyberattacks. This is common knowledge, even among small businesses. According to the ITRC 2023 Business Impact report, 73% of small and medium-sized business (SMB) owners reported that they experienced a cyberattack in 2022 or 2023. According to the FBI’s Internet Crime Report, the FBI received a total of 800,944 complaints in 2022, with reported losses of over $10.3 billion. According to the CrowdStrike 2023 Global Threat Report, there has been a spike in social engineering attacks, and more than 200 adversaries were tracked by CrowdStrike.

According to IBM’s “Cost of a Data Breach Report 2023,” the average data breach costs $4.45 million, a 15% increase over the last three years. The study identified that the biggest financial impact of a breach was “lost business,” making up almost 40% of the data breach average cost.

Protecting against endpoint attacks is challenging because endpoints exist where humans and machines intersect. Businesses struggle to protect their systems without interfering with the legitimate activities of their employees. And though technological solutions can be highly effective, the chances of an employee succumbing to a social engineering attack can be mitigated but never entirely prevented.

2024 CrowdStrike Global Threat Report

The 2024 Global Threat Report unveils an alarming rise in covert activity and a cyber threat landscape dominated by stealth. Data theft, cloud breaches, and malware-free attacks are on the rise. Read about how adversaries continue to adapt despite advancements in detection technology.

Download Now

How endpoint protection works

The terms endpoint protection, endpoint protection platforms, and endpoint security are all used interchangeably to describe the centrally managed security solutions that organizations leverage to protect endpoints like servers, workstations, mobile devices, and workloads from cybersecurity threats. Endpoint protection solutions work by examining files, processes, and system activity for suspicious or malicious indicators.

Endpoint protection solutions offer a centralized management console from which administrators can connect to their enterprise network to monitor, protect, investigate, and respond to incidents. This is accomplished by leveraging either an on-premises, cloud, or hybrid approach.

The “traditional” or “legacy” approach is often used to describe an on-premises security posture that is reliant on a locally hosted data center from which security is delivered. The data center acts as the hub for the management console to reach out to the endpoints through an agent to provide security. The hub and spoke model can create security silos since administrators can typically only manage endpoints within their perimeter.

With the pandemic-driven remote work shift, many organizations have pivoted to laptops and bring your own device (BYOD) instead of desktop devices. Along with the globalization of workforces, this highlights the limitations of the on-premises approach. Some endpoint protection solution vendors have recently shifted to a “hybrid” approach, taking a legacy architecture design and retrofitting it for the cloud to gain some cloud capabilities.

The third approach is a “cloud-native” solution built in and for the cloud. Administrators can remotely monitor and manage endpoints through a centralized management console that lives in the cloud and connects to devices remotely through an agent on the endpoint. The agent can work with the management console or independently to provide security for the endpoint should it not have internet connectivity. These solutions leverage cloud controls and policies to maximize security performance beyond the traditional perimeter, removing silos and expanding administrator reach.

Modern Adversaries and Evasion Techniques

86% of eCrime actors us evasion techniques to bypass AV software. Learn how legacy antivirus is an easy target for adversaries and techniques they use that legacy AV can’t stop.

Download Now

Endpoint security benefits

Some key benefits of endpoint security include:

  1. Endpoint protection: As digital transformation pushes more employees to work remotely, protecting all endpoints has become essential to prevent breaches.
  2.  Identity protection: Identity protection is an important benefit of endpoint security because it protects employees and other stakeholders’ sensitive data by ensuring only authorized users have the right type of access to it.
  3. Threat detection and response: With the increasing number of adversaries trying to breach organizations using sophisticated cyberattacks, quickly detecting potential threats will help speed the remediation process and keep data protected.

Endpoint protection software vs. antivirus software

Endpoint security software protects endpoints from being breached, whether they are physical or virtual, on-premises or off-premises, in data centers or in the cloud. It is installed on laptops, desktops, servers, virtual machines, and remote endpoints themselves.

Antivirus is often part of an endpoint security solution and is generally regarded as one of the more basic forms of endpoint protection. Instead of using advanced techniques and practices, such as threat hunting and endpoint detection and response (EDR), antivirus simply finds and removes known viruses and other types of malware. Traditional antivirus runs in the background, periodically scanning a device’s content for patterns that match a database of virus signatures. Antivirus is installed on individual devices inside and outside the firewall.

What Legacy Endpoint Security Really Costs

Download this white paper to learn how legacy solutions are leaving security teams short.

Download Now

Core functionality of an endpoint protection solution

Endpoint security tools that provide continuous breach prevention must integrate these fundamental elements:

1. Prevention: NGAV

Traditional antivirus solutions detect less than half of all attacks. They function by comparing malicious signatures, or bits of code, to a database that is updated by contributors whenever a new malware signature is identified. The problem is that malware that has not yet been identified — or unknown malware — is not in the database. There is a gap between the time a piece of malware is released into the world and the time it becomes identifiable by traditional antivirus solutions.

Next-generation antivirus (NGAV) closes this gap by using more advanced endpoint protection technologies, such as AI and machine learning, to identify new malware by examining more elements, such as file hashes, URLs, and IP addresses.

2. Detection: EDR

Prevention is not enough. No defenses are perfect, and some attacks will always make it through and successfully penetrate the network. Conventional security can’t see when this happens, leaving attackers free to dwell in the environment for days, weeks, or months. Businesses need to stop these “silent failures” by finding and removing attackers quickly.

To prevent silent failures, an EDR solution needs to provide continuous and comprehensive visibility into what is happening on endpoints in real time. Businesses should look for solutions that offer advanced threat detection and investigation and response capabilities, including incident data search and investigation, alert triage, suspicious activity validation, threat hunting, and malicious activity detection and containment.

3. Managed threat hunting

Not all attacks can be detected by automation alone. The expertise of security professionals is essential to detect today’s sophisticated attacks.

Managed threat hunting is conducted by elite teams that learn from incidents that have already occurred, aggregate crowdsourced data, and provide guidance on how best to respond when malicious activity is detected.

4. Threat intelligence integration

To stay ahead of attackers, businesses need to understand threats as they evolve. Sophisticated adversaries and advanced persistent threats (APTs) can move quickly and stealthily, and security teams need up-to-date and accurate intelligence to ensure defenses are automatically and precisely tuned.

A threat intelligence integration solution should incorporate automation to investigate all incidents and gain knowledge in minutes, not hours. It should generate custom indicators of compromise (IOCs) directly from the endpoints to enable a proactive defense against future attacks. There should also be a human element composed of expert security researchers, threat analysts, cultural experts, and linguists, who can make sense of emerging threats in a variety of contexts.

The importance of cloud-based architecture

Cloud-based architecture provides the following benefits when it comes to endpoint security:

list of benefits of cloud-native endpoint security

Learn More

1. A single, lightweight agent that allows for simple scaling

2. Machine learning, which provides the ability to learn from new attacks

3. Enhanced manageability with real-time updates

4. Protection on or off the network to avoid blind spots

5. The ability to keep tabs on adversaries and learn how they think

5 Capabilities to Secure Against Endpoint Risk

Download this eBook to uncover five key capabilities for a modern endpoint security approach.

Download Now

CrowdStrike’s advanced endpoint protection

Organizations want fast and continuous detection, prevention, and response. This requires unobstructed visibility across all endpoints and the ability to prevent sophisticated attacks in real time and block persistent attackers from compromising environments and stealing data.

CrowdStrike offers a new approach to endpoint security. Unlike traditional security or network security solutions, CrowdStrike’s endpoint security solution unifies the technologies required to successfully stop breaches, including true next-generation antivirus and EDR, managed threat hunting, and threat intelligence automation — all delivered via a single lightweight agent. CrowdStrike Falcon® Endpoint Protection Enterprise includes the following modules:

  • CrowdStrike’s NGAV solution, CrowdStrike® Falcon Prevent™, has a 100% rating for detecting both known and unknown samples of malware and a false positive rate of 0%. Falcon Prevent is the industry’s first “NGAV Approved” endpoint solutions, as noted by Gartner, Forrester, and other industry analysts.
  • CrowdStrike Falcon® Insight XDR collects and inspects event information in real time to prevent and detect attacks on endpoints. Built on CrowdStrike’s cloud-native architecture, Falcon Insight records all activities of interest for deeper inspection, both on the fly and after the fact, so security teams can quickly investigate and respond to incidents that evade standard prevention measures.
  • CrowdStrike Falcon® Adversary Intelligence makes predicative security a reality by integrating threat intelligence and endpoint protection. Suitable for businesses of any size, Falcon Intelligence provides the ability to instantly analyze any threats that reach an organization’s endpoints. With Counter Adversary Operations, organizations finally have the ability to get ahead — and stay ahead — of adversary activity.

Learn More

Interested to see the CrowdStrike Falcon® Platform in action? Watch the on-demand demo of CrowdStrike endpoint protection platform. Watch Demo


Anne Aarness is a Senior Manager, Product Marketing at CrowdStrike based in Sunnyvale, California.