Headline
How to Establish & Enhance Endpoint Security
Endpoint security has been around for decades, but changes in device use and the quick evolution of new attacks have triggered the development of new security techniques.
Source: Dzmitry Skazau via Alamy Stock Photo
Because of their large attack surface made up of different sets — including laptops, desktops, mobile devices, and servers — endpoints are becoming the primary targets of increasingly sophisticated attacks. This diversity is further complicated by the variety of operating systems (OSs) being run on those devices. In addition, the location of these devices is often no longer tied only to company networks, due to the increase in hybrid and remote work, and more server workloads moving to the cloud.
To meet the growing needs of security teams, the endpoint security market is constantly evolving, albeit at an incremental rate recently. Endpoint security has been around for decades, but changes in device use and the quick evolution of new attacks have triggered the development of new security techniques.
Below are four areas for security professionals to focus on to establish and enhance their endpoint security. While not a comprehensive list, this should help security experts, both new and established, understand the core concepts around endpoint security.
Baseline Security
Endpoint protection starts with strong baseline security. Organizations must make optimal use of all of the features their OSes and applications provide that can help with endpoint protection. To do this, security experts should:
Use consistent application deployment methods: Restrict application deployments to known sources. Layer on a workflow for updating and maintaining approved applications.
Perform configuration management: Configure OSes and applications for security. For example, use hardening guidelines and manage browser add-ons and client applications’ security capabilities.
Use auditing and logging: Understanding events on an endpoint starts with auditing and logging the right security events, and with having a process in place to monitor for security events. Aim to establish a single source of truth for endpoint status.
While providing a foundation for baseline security, this list is not exhaustive. Security leaders should also look into actions that include managing vulnerabilities for all OSs and managing backups.
Endpoint Detection and Response
Endpoint detection and response (EDR) tools store and monitor endpoint events to detect and hunt for suspicious behaviors, and also provide response capabilities to those events. Common events that are monitored include, but are not limited to, execution events, registry events, file events, and network events.
EDR, in its purest form, does not interrupt running processes; instead, it analyzes the resulting events to search for known indicators of compromise or patterns that indicate malicious behavior.
EDR tools can be likened to a data recorder, or “black box,” for the endpoint devices on which they are installed. These tools gather telemetry data about the activity happening on those devices and make it available for examination later. Of course, storing the recorded data is not nearly enough — an EDR tool must also be able to present the data to an administrator in a way that enables further analysis using both automated and human-driven means.
Automated Moving Target Defense
Automated moving target defense (AMTD) is an emerging technology that focuses on constantly changing the attack surface of a system or network. AMTD makes it harder for attackers to identify and exploit vulnerabilities by dynamically modifying the process structure, memory space, system configurations, software stack, or network characteristics. This proactive approach helps to improve cyber defense and mitigate the risk of successful attacks.
Endpoint defense with AMTD can include:
Enhancing memory defense through morphing or enhanced randomization
Augmenting confidential computing enclaves with AMTD proactive defense
Enhancing runtime software hardening (polymorphism of code or inputs)
Automatic endpoint self-healing from known good files storage
Applying AMTD to file storage or storage access channels (command and storage polymorphing)
AMTD for endpoints and endpoint software is a set of technologies that make it harder for attackers to reverse engineer and exploit endpoint OSes and software technologies. AMTD works by introducing unpredictable and frequent changes in the attack surface of the applications and OSs on which it is used.
Mobile Threat Defense
The mobile attack landscape has continued to grow and change with the increase of smartphone and tablet sales, and with the proliferation of bring-your-own-device arrangements in enterprises. Every year, we see new statistics claiming hundreds of percentage points of growth in mobile malware.
The MTD market includes vendors that use some combination of the following mobile protection methods for Android and iOS:
- Behavioral anomaly and configuration detection
Protection against device attacks, network attacks, and malicious and leaky apps
Mobile anti-phishing protection
OS-, hardware- and application-based vulnerability assessment, monitoring, and compliance
Crowdsourced threat intelligence
Baseline security, EDR, AMTD, and MTD are just a few crucial tools security leaders can use to improve their endpoints’ resilience against attacks. There continue to be many other layers of security designed to contribute to the protection of endpoints, and security leaders must take a holistic approach, as this topic is foundational for enterprises who will need to adjust their strategy for changing and increased variation in devices, agile work environments, and increasingly sophisticated security threats.
About the Author
Director Analyst, Gartner
Eric Grenier is a Director Analyst at Gartner working in the Technical Professionals Security Technology and Infrastructure team, focusing on Endpoint Security including endpoint protection and endpoint detection and response.