Endpoint Security

Endpoint Security Definition

In the past, an endpoint was defined as any personal device used by an end user. Today's networks also contain many IoT devices, such as fridges, light bulbs, and smart home equipment.

Endpoint Security History

Before networks were connected to the internet, bad actors relied on floppy disks to infect computers and spread malware; this later evolved to USB sticks, CDs, DVDs, and other USB-connected portable devices. This method of infecting a computer was very limited and unreliable. The first endpoint security product was the antivirus, software that scans your storage devices for malware. Antivirus software was signature based, meaning that it looked for specific characteristics, fingerprints, or signatures of a virus. If it found a file with those characteristics, it could quarantine or delete the file. All of this changed when home and business networks began to connect to the internet. Many more attack vectors became available, such as email phishing, infected websites, and BYOD. Bad actors also began to exploit vulnerabilities in applications such as web browsers and office apps, and in operating systems. This type of attack is called polymorphic malware, which is designed to change itself, mimicking or using common non-malware applications to execute code.
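To make the signature-based model concrete, here is an added example (not part of the original notes) of a minimal scanner in Python. It keeps two kinds of signature, a literal byte pattern and a whole-file SHA-256 fingerprint, and runs them over constructed in-memory "files". The EICAR string is the industry-standard harmless antivirus test file; the "Example.Dropper.A" marker, the sample contents, and the XOR re-encoding used to stand in for a polymorphic variant are all invented for this illustration.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes  # literal byte sequence the scanner looks for


# Constructed signature database for this example. The EICAR string is the
# industry-standard harmless antivirus test file; "Example.Dropper.A" is an
# invented marker, not a real malware family.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
SIGNATURES = [
    Signature("EICAR-Test-File", EICAR),
    Signature("Example.Dropper.A", b"MZ\x90\x00EXAMPLE_DROPPER_MARKER"),
]

# Constructed sample "files" (byte strings standing in for files on disk).
CLEAN_DOC = b"Quarterly report: revenue up 4%, costs flat."
DROPPER = b"MZ\x90\x00EXAMPLE_DROPPER_MARKER\x00payload-bytes"

# Whole-file fingerprints: the most exact kind of signature, and the easiest
# to defeat, since changing a single byte changes the hash.
KNOWN_BAD_SHA256 = {hashlib.sha256(DROPPER).hexdigest()}


def scan_bytes(data: bytes) -> list[str]:
    """Return the names of every signature that matches the data."""
    hits = [sig.name for sig in SIGNATURES if sig.pattern in data]
    if hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256:
        hits.append("KnownBad.Hash")
    return hits


def verdict(data: bytes) -> str:
    """Mirror the classic AV decision: anything with a hit is quarantined."""
    return "quarantine" if scan_bytes(data) else "clean"


def xor_encode(data: bytes, key: int) -> bytes:
    """Stand-in for a polymorphic variant re-encoding its body so that no
    stored byte pattern matches; it shows the limit of signature scanning."""
    return bytes(b ^ key for b in data)


if __name__ == "__main__":
    samples = {
        "clean document": CLEAN_DOC,
        "EICAR test file": EICAR,
        "dropper (exact copy)": DROPPER,
        "dropper + 1 appended byte": DROPPER + b"\x00",
        "dropper, XOR-encoded body": xor_encode(DROPPER, 0x5A),
    }
    for label, blob in samples.items():
        print(f"{label:28} {verdict(blob):10} {scan_bytes(blob)}")
```

Running it shows the progression the notes describe: the exact copy is caught by both the hash and the pattern, appending one byte defeats the hash but not the pattern, and re-encoding the body defeats both, so the file is reported clean. That last case is why the later sections move from matching stored bytes to watching what a program does.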

EPP Endpoint Protection Platform

EPP was intended to prevent file-based malware attacks and implement other preventative controls. The method focused on stopping the malware before it executed. File-based malware is a file downloaded to a device which, when opened, runs malicious code or a script. EPP provided many prevention-focused services, such as antivirus, a device firewall, web filtering, data protection through encryption, and device control. Device control is a technology that provides built-in security that detects, authorizes, and secures removable storage devices. Web filtering is a technology that enables network administrators to control what types of site you are permitted to visit. However, none of these techniques proved to be the ultimate remedy for endpoint infection. At the time, web filtering was thought to be the solution because it was assumed that web-borne malware came only from lewd websites. The possibility remained that malware could pose as an advertisement on a legitimate site.

EDR Endpoint Detection and Response

Given the ever-evolving complexity of attack methods and the expanding attack surface, security professionals came to realize it was impossible to prevent all malware infections. A new strategy was developed to defend the endpoint in parallel with EPP development, called EDR, endpoint detection and response. EDR is software used to detect, investigate, and respond to suspicious activities on endpoints. It began as a digital forensics investigation tool, and provided security analysts with threat intelligence information and the tools needed to analyze an attack and to identify the indicators of compromise. Analysts were then able to detect malware, some of which had dwelled undetected in networks for months or years. Instead of only investigating an attack after the fact to learn about its anatomy, the tool was also used to detect an ongoing attack in real time. Remediation tools were also added, which enabled analysts to request more information from endpoints, ban processes, isolate endpoints, and block specific IPs.

EDR grew into a true detection and response solution, but it was not without problems. First-generation EDR mostly used manual methods that were time-consuming and too slow for fast-moving threats like ransomware. The lack of integration with other security software hindered its ability to respond in an effective and timely manner. Configuring and using EDR demanded high-level expertise, and the analysis of a multitude of alerts, many of which were false positives, was time-consuming for analysts. Vendors partly mitigated these issues by introducing managed detection and response, or MDR, platforms, which performed basic alert triage and notified analysts via email. Still, EDR remained too slow and too complicated to become a standard part of the endpoint security toolset.

Second-generation EDR addressed these issues. It was designed to be policy driven and automated. Through customizable playbooks, analysts can now direct EDR to remediate problems both immediately and automatically. Proactively, analysts can instruct EDR to respond in a specific way should it detect a program or script that behaves suspiciously. Malicious activities trigger automatic blocks to prevent data exfiltration, encryption, and attempts to infiltrate the network. It can stop and roll back ransomware in real time without necessarily removing the device from the network or disrupting business continuity.

Security professionals quickly realized the advantages of merging EDR and EPP technologies, and most EPP definitions now include both sets of characteristics. A single, integrated agent can prevent the majority of file-based malware at the pre-execution stage, while detecting and responding to malware that evaded prevention at the post-infection stage. A combined EPP and EDR solution also removes integration concerns and simplifies configuration and management for analysts. EPP and EDR software now includes other preventative controls to improve security hygiene, such as alerting analysts when endpoints do not have the latest security patch or are running insecure applications. By identifying critical vulnerabilities, security teams can mitigate threats and apply virtual patches or create policies that apply restrictions until a software patch is installed. In addition, machine learning is now included as part of the enhanced AV capabilities, which helps detect malware at the pre-execution stage.
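The policy-driven, automated EDR described above can be illustrated with an added example (not from the original notes and not any vendor's product) written in Python. It runs two behavioural rules over a constructed telemetry stream from one endpoint: a burst of file renames by a single process within a short window, which is the kind of activity the notes associate with ransomware, and any outbound connection that process makes afterwards. Each detection is bound by policy to the responses the notes list, killing the process, isolating the host, and blocking the remote IP. The host name, process names, file paths, thresholds, and the 203.0.113.0/24 address (a documentation range) are all assumed values.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: float     # seconds on a constructed timeline
    host: str
    pid: int
    image: str    # process image name as reported by the agent
    kind: str     # "file_rename" or "net_connect"
    detail: str   # new file path, or remote address


# Constructed telemetry from one endpoint: a backup tool renames two files
# (benign), then an unknown process renames six user documents in about one
# second and immediately opens an outbound connection.
EVENTS = [
    Event(0.0, "ws-17", 4120, "backup.exe", "file_rename", r"C:\Users\a\Docs\q1.xlsx.bak"),
    Event(0.5, "ws-17", 4120, "backup.exe", "file_rename", r"C:\Users\a\Docs\q2.xlsx.bak"),
    Event(1.0, "ws-17", 5580, "invoice_viewer.exe", "file_rename", r"C:\Users\a\Docs\a.docx.locked"),
    Event(1.2, "ws-17", 5580, "invoice_viewer.exe", "file_rename", r"C:\Users\a\Docs\b.docx.locked"),
    Event(1.4, "ws-17", 5580, "invoice_viewer.exe", "file_rename", r"C:\Users\a\Docs\c.pdf.locked"),
    Event(1.6, "ws-17", 5580, "invoice_viewer.exe", "file_rename", r"C:\Users\a\Docs\d.xlsx.locked"),
    Event(1.9, "ws-17", 5580, "invoice_viewer.exe", "file_rename", r"C:\Users\a\Docs\e.pptx.locked"),
    Event(2.1, "ws-17", 5580, "invoice_viewer.exe", "file_rename", r"C:\Users\a\Docs\f.docx.locked"),
    Event(3.0, "ws-17", 5580, "invoice_viewer.exe", "net_connect", "203.0.113.45:443"),
]

# The playbook is policy, not code: thresholds and the response bound to each
# detection are assumed values an analyst would tune for their own estate.
POLICY = {
    "window_s": 10.0,        # look-back window for a rename burst
    "min_renames": 5,        # renames by one process inside that window
    "on_mass_rename": ["kill_process", "isolate_host"],
    "on_followup_connect": ["block_ip"],
}


def detect(events: list[Event], policy: dict = POLICY) -> list[dict]:
    """Behavioural rules: a rename burst by one process, then any outbound
    connection that same process makes once the burst has been flagged."""
    alerts: list[dict] = []
    renames: dict[tuple, list[float]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind == "file_rename":
            renames[(e.host, e.pid, e.image)].append(e.ts)

    flagged_at: dict[tuple, float] = {}
    n = policy["min_renames"]
    for key, stamps in renames.items():
        # Sliding window over sorted timestamps: fire on the first run of n
        # renames that fits inside window_s, then stop for this process.
        for i in range(len(stamps) - n + 1):
            if stamps[i + n - 1] - stamps[i] <= policy["window_s"]:
                host, pid, image = key
                alerts.append({"rule": "mass_rename", "host": host, "pid": pid,
                               "image": image, "count": len(stamps),
                               "at": stamps[i + n - 1]})
                flagged_at[key] = stamps[i + n - 1]
                break

    for e in sorted(events, key=lambda e: e.ts):
        key = (e.host, e.pid, e.image)
        if e.kind == "net_connect" and key in flagged_at and e.ts >= flagged_at[key]:
            alerts.append({"rule": "followup_connect", "host": e.host, "pid": e.pid,
                           "image": e.image, "remote": e.detail, "at": e.ts})
    return alerts


def run_playbook(alerts: list[dict], policy: dict = POLICY) -> list[tuple[str, str, str]]:
    """Translate alerts into the automatic response actions the agent would be
    asked to carry out; duplicates are collapsed so a host is isolated once."""
    actions: list[tuple[str, str, str]] = []
    for a in alerts:
        if a["rule"] == "mass_rename":
            for act in policy["on_mass_rename"]:
                target = str(a["pid"]) if act == "kill_process" else ""
                actions.append((act, a["host"], target))
        elif a["rule"] == "followup_connect":
            for act in policy["on_followup_connect"]:
                actions.append((act, a["host"], a["remote"]))
    deduped: list[tuple[str, str, str]] = []
    for act in actions:
        if act not in deduped:
            deduped.append(act)
    return deduped


if __name__ == "__main__":
    found = detect(EVENTS)
    for a in found:
        print("ALERT ", a)
    for act in run_playbook(found):
        print("ACTION", act)
```

The backup tool stays under the threshold and produces no alert, which is the false-positive trade-off the notes mention: the window and count are what an analyst tunes. Keeping the thresholds and the bound actions in a policy object rather than in the rule code is what lets the same detection logic respond differently per host group without a redeploy.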

XDR Extended Detection and Response

Detection and response capabilities apply not only to endpoints; they can now be extended across the entire security infrastructure. This is called extended detection and response, or XDR. XDR implements additional AI technology to provide machine-speed detection and response capabilities that secure not only endpoints but also the network and access layer, and the cloud.
