As networks evolve, so do the threats from cyberattackers. New network-capable devices mean new attack vectors for malware, ransomware, and unauthorized access attempts.
Laptops, phones, smart devices, IoT equipment, and even TVs are no longer simply “network devices” – they’re endpoints. The game has changed, which is why endpoint security solutions are necessary. If you are assessing endpoint protection tools, they should have several specific features.
What Is Endpoint Security?
Typical networks are made up of computers, laptops, and printers. These were previously referred to as “network devices,” but the definition has changed over the past few years. Whereas 20 years ago few mobile devices had access to a corporate network, now they are probably as common as laptops.
Consider the use of virtual machines, smart devices and Internet of Things (IoT) hardware, and network-based security equipment – they all communicate with the network. These endpoints also need security, usually delivered in the shape of endpoint protection solutions.
Various such solutions are available for a modern network. If you’re evaluating endpoint protection for your network, candidate suites should include the following:
- Firewalls, ringfencing, and network control
- Cloud storage and USB protection
- Malware detection and removal
- Ransomware detection
- Allowlisting
- Server and storage access control
- Elevation control
- Threat detection
- Endpoint device tracking
- Single management dashboard
- Compliance
With these features, an endpoint protection suite can be relied upon to ensure your network is robust and secure.
1. Firewalls, Ringfencing, and Network Control
The most obvious feature of an endpoint protection solution is the firewall. A modern firewall within a network of endpoints has more specific tasks than a traditional firewall, however.
Because users no longer work purely in the office, the corporate hardware firewall no longer offers the protection it did. But that doesn’t mean there is no place for firewalls in endpoint security solutions.
Individual devices can be protected with access controls built from custom policies that govern access to each device.
With network endpoints becoming more diverse, a different type of protection is required. Like firewalls, ringfencing blocks network access to applications. The difference is that ringfencing operates to hem in applications, limiting what each one can reach and so preventing the exploitation of known (and unknown) vulnerabilities.
Relying on per-user and per-device policies, network access can be carefully managed.
2. Cloud Storage and USB Protection
Endpoints are almost permanently attached to some form of cloud storage. This might be a local server, a leased server in the cloud, or an enterprise account with a major cloud provider.
Where cloud drives aren’t used for data storage and sharing, USB devices are the usual alternative. Both offer opportunities for cybercrime: USB devices are potential weak spots, and cloud storage is a target.
Cloud protection provides cloud-based storage and apps with defense against phishing, malware, and spam. Threats specifically targeting cloud storage should also be detected.
For USB devices, endpoint device control means enabling or disabling anything that can be connected by USB. This could mean a complete ban on USB storage devices, or network-wide, device-targeted, or user-targeted restrictions on accessing thumb drives. It can also go further, blocking any USB device you can think of, from input devices to printers, cameras, iPhones, and beyond.
Endpoint security that supports both cloud and USB controls is therefore recommended.
3. Malware Detection and Removal
Protecting devices and other endpoints across your network means having a malware detection and removal solution in place.
While awareness of the risks of malware is improving, users can still be duped. Adware and RiskTool were the biggest threats in 2023 (Statista), while various Trojan malware types were also prominent. Although malware attacks fell sharply in 2020, there has been a slow increase since, with 6.06 billion attacks recorded in 2023 (Statista).
Failure to remove malware promptly can result in considerable damage to all devices on a network. Data can be deleted, ransomware admitted to the network, keystroke loggers hidden, and backdoors established. As a network has a wide selection of device types and operating systems to deal with, successful malware detection is vital.
So, what role should endpoint protection software play in keeping devices free of malware?
At the bare minimum, malware should be isolated or quarantined. The best solution is removal software that can obliterate the malware while reporting the event to similarly at-risk devices.
4. Ransomware Detection
Ransomware, perhaps the biggest cyber threat to businesses and wealthy individuals, is a key concern for SMBs, enterprises, and organizations alike. Capable of encrypting important data (as well as system files, preventing systems from booting), ransomware often proves expensive.
As decrypting the locked data is usually only possible by paying the ransom, detecting ransomware fast is important.
Unsurprisingly, ransomware can be hugely profitable for cybercriminals, with 46% of businesses paying the ransom. Consequently, it is important for endpoint protection tools to include ransomware detection and, where possible, removal.
In 2020, the annual cost of ransomware was $765 million in payouts. In 2022, that figure dropped to $457 million (Statista) but remains significant. Ransomware is believed to comprise 68.42% of cyberattacks.
Ransomware detection also involves a degree of management. Identifying the type of ransomware is important, as well as communicating calmly with the attacker. If the attempt is based on older ransomware, there is a chance that the encrypted data can be unlocked with leaked or broken keys, but this is rare. Newer ransomware is less susceptible to this approach, however.
5. Application Allowlisting
An application control capability, allowlisting is related to ringfencing. Rather than controlling network or inter-application communication, however, allowlisting focuses on what specific apps, processes, and even files can access.
The name “allowlisting” refers to a network access philosophy of “deny everything,” or deny by default. Adopting this philosophy means access across the network is denied by default; access is only granted where it is required for a specific operational purpose.
With allowlisting enabled across endpoints on your network, only trusted files and applications can be accessed and run. Meanwhile, unknown data is blocked, along with unrecognized activities and applications that appear to behave oddly.
Allowlisting can cover everything from data stored on local and network devices to specific applications (anything from virtual machines to media editing and design tools). If a role doesn’t require a word processor, then the user is not allowed to run the word processor. Similarly, if the word processor is not able to open a specific file, then this can be blocked from being opened.
The key benefit of allowlisting is the minimal overhead. Once a profile is configured, the allowlist software manages how apps run and access data on the network. Other than minor configuration adjustments, further interaction should be occasional.
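As an added example (not from the original article, and not any vendor's product code) covering both the ringfencing section above and this one: a deny-by-default policy evaluator in Python. Roles, application names, file patterns and network destinations are invented for illustration.

```python
# Added example (not from the original article): a deny-by-default policy
# evaluator combining application allowlisting (which apps a role may run,
# which files an app may open) with ringfencing (which network destinations
# an app may reach). Roles, application names and hosts are invented.
from fnmatch import fnmatch

# Per-role application allowlist: anything not listed cannot run.
ROLE_APPS = {
    "accounts": {"ledger.exe", "mail.exe"},
    "design": {"photo-editor.exe", "mail.exe", "wordproc.exe"},
}
# Per-application file allowlist (glob patterns): unlisted paths are denied.
APP_FILES = {
    "wordproc.exe": ["*.docx", "*.txt"],
    "ledger.exe": ["*.xlsx", "*.csv"],
    "mail.exe": ["*.eml"],
    "photo-editor.exe": ["*.png", "*.jpg", "*.psd"],
}
# Ringfence: per-application allowed network destinations (host:port).
# Applications with no entry (wordproc.exe, photo-editor.exe) get no network.
APP_NETWORK = {
    "mail.exe": {"mail.example.internal:993", "mail.example.internal:587"},
    "ledger.exe": {"erp.example.internal:443"},
}

def evaluate(role, app, action, target=None):
    """Return (allowed, reason). Any request that matches no rule is denied."""
    if app not in ROLE_APPS.get(role, set()):
        return False, f"{app} is not allowlisted for role {role}"
    if action == "run":
        return True, "application allowlisted for role"
    if action == "open":
        if any(fnmatch(target, pat) for pat in APP_FILES.get(app, [])):
            return True, "file type permitted for application"
        return False, f"{app} may not open {target}"
    if action == "connect":
        if target in APP_NETWORK.get(app, set()):
            return True, "destination inside application ringfence"
        return False, f"{app} may not reach {target}"
    return False, f"unknown action {action}"

if __name__ == "__main__":
    for req in [("accounts", "wordproc.exe", "run"),
                ("design", "wordproc.exe", "open", "/home/d/report.docx"),
                ("design", "wordproc.exe", "open", "/home/d/secret.xlsx"),
                ("design", "wordproc.exe", "connect", "203.0.113.7:443"),
                ("accounts", "mail.exe", "connect", "mail.example.internal:993")]:
        print(req, evaluate(*req))
```

Note that the order of checks matters: the role allowlist is evaluated first, so an application a role may not run is never consulted for file or network rules.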
6. Server and Storage Access Control
Not all endpoints can be found on a desk or mounted on a wall. Some of them are hugely important, such as storage devices. Storage control tools are a vital component of endpoint protection suites, designed to prevent unauthorized access to stored files and databases.
As with cloud and USB storage, these resources are targets for cyberattacks, and so pose a challenge to secure.
Whether the resource is a standard network server, network-attached storage, a mail server, or an intranet, endpoint security tools should feature access control for it. As many users are likely to require access to network storage from a variety of locations, virtual private network (VPN) connections should be configured.
Preventing unauthorized access to business-critical resources is usually achieved using private endpoints.
Support for private endpoints and VPNs is a desirable feature for endpoint security products.
7. Elevation Control
Successful protection of endpoints also requires elevation control. This is a sysadmin-controllable adjustment of permissions and credentials for applications. Elevation control solutions are centered on the applications, rather than user accounts.
This more granular approach means that users benefit from being able to install updates themselves. The permissions can be time-based or conditional, however, which keeps the environment robust.
Another benefit of elevation control is the reduced overhead for technicians. If the user can run updates, there is no need to schedule a visit, dial in remotely, or spend time on the deployment server to handle updates.
Elevation control has uses beyond updating software and often comes with a request system. A user can apply for access to specific applications that have not already been installed.
As with the management of system users, elevation control requires regular audits of application permissions. Overlooking incorrect (too restrictive or too generous) permissions can result in problems later on.
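As an added example (not from the original article, and not any product's implementation) of the time-based and conditional grants described above, together with the audit the section recommends: a small Python model of per-application elevation grants. Application names, the VPN condition, the eight-hour policy cap and the timestamps are invented.

```python
# Added example (not from the original article): time-bound, conditional
# elevation grants attached to applications rather than users, plus the
# audit the text recommends. Application names and times are invented.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
@dataclass
class Grant:
    app: str                        # executable the grant applies to
    expires: Optional[datetime]     # None = standing grant (flagged by audit)
    requires_vpn: bool = False      # conditional grant: only on corporate VPN
    max_hours: int = 8              # policy cap on a grant's lifetime

def is_elevated(grants, app, now, on_vpn):
    """Elevate app only if a grant matches, is unexpired and its condition holds."""
    for g in grants:
        if g.app != app:
            continue
        if g.expires is not None and now >= g.expires:
            continue
        if g.requires_vpn and not on_vpn:
            continue
        return True
    return False

def audit(grants, now):
    """Return (app, reason) pairs a sysadmin should review."""
    findings = []
    for g in grants:
        if g.expires is None:
            findings.append((g.app, "standing grant with no expiry"))
        elif now >= g.expires:
            findings.append((g.app, "expired grant still present"))
        elif g.expires - now > timedelta(hours=g.max_hours):
            findings.append((g.app, "grant lifetime exceeds policy cap"))
    return findings

# Constructed sample grants relative to a fixed 'now' so results are stable.
NOW = datetime(2024, 5, 1, 9, 0)
GRANTS = [
    Grant("updater.exe", NOW + timedelta(hours=2)),                       # fine
    Grant("vpn-client.exe", None),                                        # standing
    Grant("driver-setup.exe", NOW - timedelta(hours=1)),                  # expired
    Grant("printmgmt.exe", NOW + timedelta(days=3), requires_vpn=True),   # too long
]

if __name__ == "__main__":
    print(is_elevated(GRANTS, "updater.exe", NOW, on_vpn=False))
    print(audit(GRANTS, NOW))
```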
8. Threat Detection
Where specific malware detection and removal isn’t an option, a more holistic alternative, threat detection, might be.
Endpoint threat detection (often referred to as Endpoint Detection and Response or EDR) is a continuous monitoring system that finds and responds to malware, ransomware, and other intrusions. It can also spot unusual activity from known software applications.
It achieves this by monitoring activity on endpoint devices and looking for unusual and suspicious behaviors. So, standard activities like running and using applications can be permitted, but unusual actions are blocked. Activity is logged, with data analytics used to distinguish safe actions from malicious ones.
Any EDR feature in your chosen endpoint protection software should do more than spot threats, however. Suspicious activity should be validated as such, the threat quarantined, and other endpoints checked for similar risks.
Information gathered during such incidents can also be logged for reporting purposes.
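As an added example (not from the original article, and not any EDR product's logic) for this section and the ransomware detection section above: a minimal behavioural check in Python run over constructed endpoint events. It flags a known application behaving unusually (a word processor spawning a shell) and a ransomware-like burst of file renames to an unknown extension; process names, paths, the five-rename threshold and the ten-second window are invented.

```python
# Added example (not from the original article): a minimal EDR-style check
# over constructed endpoint events. It flags a known application behaving
# unusually (a word processor spawning a shell) and a ransomware-like burst
# of renames to an unknown extension. Names and thresholds are invented.
import json
from collections import defaultdict
# Expected child processes per known application; anything else is unusual.
EXPECTED_CHILDREN = {
    "wordproc.exe": {"spellcheck.exe", "printspooler.exe"},
    "mail.exe": {"wordproc.exe", "pdfviewer.exe"},
}
KNOWN_EXTENSIONS = {"docx", "xlsx", "pdf", "txt", "png"}
RENAME_BURST = 5   # renames to unknown extensions by one process...
WINDOW = 10        # ...within this many seconds trigger an alert

def analyse(lines):
    """Return (pid, verdict) alerts; events that match no rule are allowed."""
    alerts = []
    renames = defaultdict(list)  # pid -> timestamps of suspicious renames
    for line in lines:
        ev = json.loads(line)
        if ev["type"] == "process_start":
            allowed = EXPECTED_CHILDREN.get(ev["parent"])
            if allowed is not None and ev["image"] not in allowed:
                alerts.append((ev["pid"], f"{ev['parent']} spawned {ev['image']}"))
        elif ev["type"] == "file_rename":
            ext = ev["new_path"].rsplit(".", 1)[-1].lower()
            if ext in KNOWN_EXTENSIONS:
                continue
            recent = [t for t in renames[ev["pid"]] if ev["t"] - t <= WINDOW]
            recent.append(ev["t"])
            renames[ev["pid"]] = recent
            if len(recent) == RENAME_BURST:   # alert when the threshold is first crossed
                alerts.append((ev["pid"], "ransomware-like rename burst"))
    return alerts

# Constructed sample telemetry (not real logs): pid 42 is wordproc spawning cmd.
SAMPLE = [
    '{"t": 0, "type": "process_start", "pid": 41, "parent": "wordproc.exe", "image": "spellcheck.exe"}',
    '{"t": 1, "type": "process_start", "pid": 42, "parent": "wordproc.exe", "image": "cmd.exe"}',
] + [
    json.dumps({"t": 2 + i, "type": "file_rename", "pid": 42,
                "new_path": f"C:/Users/a/Documents/file{i}.docx.locked"})
    for i in range(6)
]

if __name__ == "__main__":
    for pid, verdict in analyse(SAMPLE):
        print(pid, verdict)
```

In a real deployment the alerts would feed the response step the text describes (validate, quarantine the process, check other endpoints) rather than only being printed.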
9. Endpoint Device Tracking
Endpoint protection systems should ideally include a device tracking feature.
Missing devices are a massive data security issue. While printers and security cameras are less likely to get mislaid, any device that can be carried can be stolen.
The status of hardware isn’t necessarily obvious, however. Devices might be taken on holiday or to overseas meetings; endpoint security tools should be set up to receive status notifications that reflect this.
Any endpoints that have been confirmed lost or stolen can be remotely wiped if they remain online. Furthermore, information can be gathered before wiping. For example, the location can be recorded, along with audio and video from the mic and camera.
A useful additional feature might be integration with an existing MDM solution. This can help ensure that the lost asset is properly managed and written off.
10. Single Management Dashboard
Another feature your endpoint security solution should have is an easy-to-access management dashboard. This could be a server-based client app or a browser-based feature that can also be accessed remotely.
This isn’t a deal-breaker, as the integrity of the network is paramount. However, an accessible, easy-to-use dashboard can make management of the endpoint security simpler and more flexible. If the dashboard supports multiple levels of authority, it can be accessed by sysadmins with different levels of responsibility. Each profile might be focused on a specific task, or provide elevated control over endpoint security, depending on the sysadmin.
While an endpoint protection tool needs plenty of actual security features, a unified dashboard is the best management solution.
11. Endpoint Policy and Compliance
Another item that isn’t a security feature as such: compliance solutions ensure that policies are applied and enforced across a network.
Because endpoints are potential vulnerabilities, strict endpoint guidelines should be drawn up. Designed to accommodate external (legal) regulations and internal best practices, compliance requirements should be applied to all endpoints.
Various standalone endpoint policy solutions are currently available. While endpoint protection software at the time of writing doesn’t typically include policy compliance, this is a feature that will almost certainly be included in the future.
Why Do Endpoint Protection Solutions Need These Features?
It’s easy to assume that your chosen endpoint protection solution already includes security features. While some of these features are probably included, it’s unusual to find an endpoint protection system that has them all.
Even the best endpoint security software doesn’t include all of these features. Consider this list a shopping list, a collection of features that should be included.
Alternatively, you might believe that the security features included with existing software are adequate. Even if this is the case, effectively evaluating both options can avoid issues when the worst happens.