Definition of Endpoint Security
Endpoint security is a method of protecting networks from malicious activity that may originate from devices outside its firewalls. Endpoint security differs from traditional security in that it must happen in real-time across a large number of devices, geographic regions, and bandwidths.
Types of Endpoints
An endpoint is any device that connects to the corporate network from outside its firewall. These remote devices include:
- mobile devices
- Internet of things (IoT) devices
- Point-of-sale (POS) systems
- Digital printers
- Other devices that communicate with the central network
How Endpoint Security Differs from Antivirus
Endpoint security protects endpoint devices from being breached – no matter if they are physical or virtual, on- or off-premise, in data centers or in the Cloud. It is installed on laptops, desktops, servers, virtual machines, as well as remote devices themselves.
Antivirus falls under the umbrella of endpoint security and is generally regarded as one of the more basic forms of endpoint protection. Instead of using advanced techniques and practices, such as threat hunting and endpoint detection and response (EDR), antivirus simply finds and removes known viruses and other malware. Traditional antivirus runs in the background, periodically scanning a device’s content for patterns that match a database of virus signatures. Antivirus is installed on individual devices inside and outside the firewall.
Why Endpoint Security is a Necessity
Every remote device can be the entry point for an attack, and the number of endpoints is only increasing as the number of remote workers and IoT devices grows. Currently, over 70 percent of workers are mobile, and more than 127 devices are added to the internet every second of every day. The risks posed by endpoints are a challenge that’s not going away.
The endpoint landscape is constantly changing, and businesses of all sizes are attractive targets for endpoint attacks. This is common knowledge, even among small businesses: according to Verizon’s Mobile Security Index 2019, 88 percent of businesses with 500 or fewer employees stated their risk from mobile devices is serious now and will be worse tomorrow.
Last year, endpoint attacks were responsible for as many as half of all breaches, which is an increase of 42 percent over the previous year. POS systems, payment terminals, and ATMs are particularly attractive targets, accounting for about 20 percent of all confirmed data breaches.
Each attack costs an average of $7.12M, or $440 per endpoint, some of which can be attributed to remediation expenses but most of which results from disrupted operations and degraded productivity: 32 percent of IT and security professionals who responded to a survey by Enterprise Strategy Group identified the biggest impact of compromised endpoints as “interruptions to standard business operations” and about the same percentage named “impeding the productivity of knowledge workers” as a top concern.
Cybercriminals are alert to the opportunities and ready to adapt their tactics, techniques and procedures (TTPs).
Last year, for example, web-application (or drive-by malware) attacks against endpoint devices were the most popular attack vector, accounting for almost 20 percent of all attacks. These types of attacks do not rely on compromised credentials. Instead, attackers place malicious code on a website and lure users to visit the bait page. When a user arrives at the page, malicious files are downloaded without the user ever clicking a link or accepting a download. Nearly 10 percent of these types of attacks are successful.
Protecting against endpoint attacks is challenging because endpoints exist where humans and machines intersect. Businesses struggle to protect their systems without interfering with the legitimate activities of their employees. And while technological solutions can be highly effective, the chances of an employee succumbing to a social engineering attack can be mitigated but never entirely prevented.
Download the 2019 Global Threat Report on Adversary Tradecraft and the Importance of Speed to learn about the most significant events and trends of modern adversaries in the past year.
Core Elements of Endpoint Security Solutions
An effective endpoint security platform that provides continuous breach prevention must integrate these fundamental elements:
1. Prevention: NGAV
Traditional antivirus solutions detect less than half of all attacks. They function by comparing malicious signatures, or bits of code, to a database that is updated by contributors whenever a new malware signature is identified. The problem is that malware that has not yet been identified, or unknown malware, is not in the database. There is a gap between the time a piece of malware is released into the world and the time it becomes identifiable by traditional antivirus solutions.
Next-generation antivirus (NGAV) closes that gap by using more advanced technologies, such as AI and machine learning, to identify new malware by examining more elements, such as file hashes, URLs, and IP addresses.
2. Detection: EDR
Prevention is not enough. No defenses are perfect, and some attacks will always make it through defenses and successfully penetrate the network. Conventional security can’t see when this happens, leaving attackers free to dwell in the environment for days, weeks, or months. Businesses need to stop these “silent failures” by finding and removing attackers quickly.
To prevent silent failures, an Endpoint Detection and Response (EDR) solution needs to provide continuous and comprehensive visibility into what is happening on endpoints in real time. Businesses should look for solutions that offer advanced threat detection and investigation and response capabilities, including incident data search and investigation, alert triage, suspicious activity validation, threat hunting, and malicious activity detection and containment.
3. Managed Threat Hunting
Not all attacks can be detected by automation alone. The expertise of security professionals is essential to detect today’s sophisticated attacks.
Managed threat hunting is conducted by elite teams that learn from incidents that have already occurred, aggregate crowdsourced data, and provide guidance on how best to respond when malicious activity is detected.
4. Threat Intelligence Integration
To stay ahead of attackers, businesses need to understand threats as they evolve. Sophisticated adversaries and advanced persistent threats (APTs) can move quickly and stealthily, and security teams need up-to-date and accurate intelligence to ensure defenses are automatically and precisely tuned.
A threat intelligence integration solution should incorporate automation to investigate all incidents and gain knowledge in minutes, not hours. It should generate custom indicators of compromise (IoCs) directly from the endpoints to enable a proactive defense against future attacks. There should be a human element as well, comprised of expert security researchers, threat analysts, cultural experts, and linguists, who can make sense of emerging threats in a variety of contexts.
The Importance of Cloud-Based Architecture
1. Single, lightweight agent
Endpoint security is complicated, but the solution should not be. A single lightweight agent that can be deployed immediately and scaled quickly with little effect on endpoint performance is the best approach.
2. Machine Learning
The solution should incorporate machine learning that provides the ability to record and learn from new attacks. This ability makes it possible to crowdsource intelligence about attack techniques on a massive scale and in real-time.
3. Enhanced Manageability
Cloud-based endpoint security reduces management overhead in a number of ways. For example, the upgrade process for a traditional solution depends on the vendor’s schedule, which can occur over a timeframe as long as a year.
Over that year, attackers are continuing to evolve their techniques, so by the time the upgrade is implemented on customer systems, it is already out of date. Cloud-based platforms are updated in real time and their algorithms are adjusted constantly. The version in use is always the latest version.
4. Protection On or Off Network
With remote workers, virtualization, and the cloud, assets are not always connected directly to the corporate network. That’s why it’s more important than ever for a complete endpoint solution to be capable of detecting threats even when the device is off-network or offline. Without full visibility across on- and off-network devices, your defense will be riddled with blind spots and numerous opportunities for adversaries to fly under the radar.
CrowdStrike’s cloud-based architecture offers constant visibility into endpoint vulnerabilities without the need for resource-intensive network or host scans. Whether on- or off-network, on- or off-premises, or in the cloud, the lightweight Falcon sensor supports data processing and decision making on the endpoint. Using machine learning on the local host, the agent can protect against known and zero-day malware, exploit blocking, and hash blocking.
5. Keep Tabs on Adversaries
Today’s attackers are well-funded and business-like. They buy traditional endpoint security solutions and install them in mock environments so they can figure out how to bypass their defenses.
But they can’t do the same with a solution built on a cloud-based architecture because, even if the attackers acquire and install the solution’s endpoint sensors, their attempts to break the system will be observed by the solution provider. The tables are turned – instead of the attackers figuring out how the solution works, the defenders are learning how the attackers think.
Endpoint Security for the Threats You Face Now
Organizations want fast and continuous detection, prevention, and response. That requires unobstructed visibility across all endpoints and the ability to prevent sophisticated attacks in real-time and block persistent attackers from compromising their environments and stealing data.
CrowdStrike offers a new approach to endpoint security. Unlike traditional security solutions, CrowdStrike’s Falcon Endpoint Protection Enterprise unifies the technologies required to successfully stop breaches, including true next-gen antivirus and endpoint detection and response (EDR), managed threat hunting, and threat intelligence automation, delivered via a single lightweight agent. Falcon Enterprise includes the following modules:
- CrowdStrike’s NGAV solution, Falcon Prevent™, has a 100 percent rating for detecting both known and unknown samples of malware with a false positive rate of zero percent. Falcon Prevent is the industry’s first “NGAV Approved” endpoint solutions, as noted by Gartner, Forrester, and other industry analysts.
- Falcon Insight™ EDR collects and inspects event information in real time to prevent and detect attacks on endpoints. Built on CrowdStrike’s cloud-native architecture, Falcon Insight records all activities of interest for deeper inspection, both on the fly and after the fact, so security teams can quickly investigate and respond to incidents that evade standard prevention measures.
- The CrowdStrike Falcon Overwatch™ team elevates detection beyond automation. With one of the most seasoned teams in the industry and CrowdStrike Threat GraphTM, a database that processes over 1 trillion events per week, Falcon Overwatch identifies and stops over 30,000 breach attempts per year. When a threat is discovered, the Overwatch team can take action within seconds.
- CrowdStrike’s Falcon X platform makes predicative security a reality by integrating threat intelligence and endpoint protection. Suitable for businesses of any size, Falcon X provides the ability to instantly analyze any threats that reach an organization’s endpoints. With Falcon X, organizations finally have the ability to get ahead of adversary activity, and stay ahead.
Want to see CrowdStrike’s Falcon Platform in action? Click the button below to watch an on-demand demo of the CrowdStrike endpoint protection platform.