What is an endpoint?
In the world of information technology (IT), an endpoint is any device (be it a laptop, phone, tablet, or server) connected to a secure business network. When you connect to a network, you’re creating a new endpoint.
In a perfect world, employees in the office and working remotely (through a VPN, for example) should be able to log and get their job done safely, but that isn’t always the case. Every endpoint is a soft spot that cybercriminals can take advantage of and gain unauthorized access to the network. It could be through an exploit, phishing attack, spyware, Trojan, malspam, or other form of malware. Endpoint protection is the business of hardening endpoints against potential cyberattacks.
How does endpoint protection work?
Modern endpoint protection (aka endpoint security) generally has eight key features. These features both define how endpoint protection works and, in some cases, differentiate it from consumer-oriented antivirus or anti-malware—even some early forms of endpoint protection too.
- Machine learning. Machine learning is an algorithm that, when fed enough data, allows a machine with endpoint protection to start recognizing patterns in a given data set. In turn, the machine can begin classifying new data in accordance with the patterns it’s learned. As it applies to endpoint protection, the machine can analyze the data it’s receiving back from a group of endpoints and use those insights to determine if a particular program is malicious. In short, if it acts like malware, it probably is malware. And the more endpoints there are, there’s more data to learn from, and the smarter the machine gets at classifying threats.
- Behavioral analysis. The difference between machine learning and behavioral analysis is subtle. In both cases, the machine is looking for patterns of behavior indicative of malware. With behavioral analysis, however, the machine is specifically looking for benign applications being used in abnormal ways to spread malware. Take, for example, your email client suddenly spamming all your contacts or macro exploits running shell commands in Microsoft Office. Those actions and actions like that are both good indicators for malware. Behavioral analysis stops them
- Known attack detection. Also known as signature matching, known attack detection compares potentially malicious programs against a list of known threats. Signatures are good at stopping less sophisticated attacks without a lot of fuss. Signatures, however, are not effective against zero-day attacks. That said, it’s another welcome layer of threat blocking that doesn’t add a lot of bloat to a program.
- Exploit mitigation. A strong exploit mitigation layer uses various application hardening techniques to stop attackers from exploiting software vulnerabilities in an endpoint. In turn, stopping them from getting root access and remotely executing code on the endpoint
- Cloud-based centralized management. While early forms of endpoint protection were designed to be installed locally, or on-premises, modern day versions are built for the cloud. Cloud-based solutions are quick to deploy, easy to manage, and scalable. As your business grows there’s no need to staff up or buy more hardware to keep your endpoint protection running, just buy more licenses and let your endpoint protection software provider do the work. Compare this with an on-premises solution: You own the data and the hardware, but it’s up to your in-house IT team to maintain it.
- Automation. Cyberattacks happen fast. By the time a human user has any idea what’s going on, the damage is already done. Take, Emotet, for example. The banking Trojan lands on your network and seeks out endpoints, data backups, and network shares onto which it deploys its secondary ransomware payload. You’ll only know something is wrong when half the company is locked out of their files or computers. The beauty of automation is that once an administrator dials in the security settings and policies, the protection process is largely automated. Basic security actions like detection, protection, and remediation happen with as much or as little human involvement as the user desires.
- Single agent architecture. Endpoints can become weighed down with resource hogging, potentially unnecessary bloatware. With single agent architecture you get get a lightweight program that’s easy to deploy and easy to manage. But the primary benefit is the ability to see every endpoint on the network through a single pane of glass.
- Remediation. The unfortunate reality is that there’s no such thing as 100 percent protection. As such, a good endpoint protection program should include remediation capabilities. Removing active malware is a given, but remediation should also include malware artifacts and troublesome persistence mechanisms that might allow a threat to come back after superficial remediation.
Latest news on endpoint protection
- 5 tips for building an effective security operations center (SOC)
- When Endpoint Detection and Response (EDR) is not enough
- SMBs lack resources to defend against cyberattacks, plus pay more in the aftermath
- Enterprise incident response: getting ahead of the wave
What’s the difference between endpoint protection and antivirus?
We’ve covered what endpoint protection is. So, what is antivirus? The term “antivirus” gets thrown around a lot as a catchall term for any kind of cybersecurity. As it happens, computer viruses are more of a legacy threat than a modern-day scourge. Yes, antivirus protects against old-fashioned computer viruses, but it can also stop the threats most people are worried about today; e.g., Trojans, ransomware, adware, malvertising, malicious websites, etc. This is where we get the word “anti-malware,” which attempts to bring the terminology in line with what the technology actually does. So, when most people say “antivirus,” they’re probably referring to “anti-malware.”
With the terminology out of the way. Let’s get down to brass tacks.
Modern consumer and business antivirus/anti-malware applications both use a blend of signature-based and behavioral analysis to detect threats. With signature-based detection potential threats are checked against a list of known malware. If the program’s signature matches a known threat, it’s blocked. Signature-based detection is accurate and presents minimal risk of false positives. If, by chance, a strain of malware slips past the signature detection layer, machine learning steps in and stops the malware from getting a foothold. As mentioned earlier, if it acts like malware, it probably is malware.
That said, antivirus/anti-malware is only one piece of what you expect to find in a good endpoint protection solution.
To understand how endpoint protection differs from antivirus, it helps to compare the two different use cases; i.e., an individual consumer protecting their home network versus a system administrator charged with securing a medium-to-large sized business. The primary differentiator here is centralized management.
The consumer at home downloads an antivirus (or anti-malware) program, dials in the protection, and schedules or performs scans as needed. With active threat blocking and automatic software updates there’s not much the consumer needs to do after the initial setup. The only caveat? The consumer must install the security application on each device and set up each device individually. According to Deloitte’s 2019 “Connectivity and Mobile Trends” survey, US households have an average of 11 Internet-connected devices. That may sound like a lot, but it’s generally manageable.
Now, let’s examine the business network. A 2018 LogMeIn survey of IT professionals across Europe and North America found an average of 750 endpoints per organization, comprising servers, computers, and mobile devices. Tellingly, 30% of IT professionals surveyed didn’t even know how many endpoints they managed. A small security team can’t give the same kind of hands-on attention typical of a home user to every endpoint. Moreover, with businesses spread across multiple locations and employees working remotely, it’s not at all possible to get hands-on, literally or figuratively, with every endpoint.
For most businesses, a cloud-based solution is in order, offering unlimited scalability, easy deployment, and robust reporting. Regardless of how big the network is, how many employees work remotely, and how many employees choose to BYOD (bring your own device)—endpoint protection can handle it.
Why do companies need endpoint protection?
Take a quick scan of infosec news sites on any given day and you can see why companies need endpoint protection. According to Malwarebytes Lab’s 2020 State of Malware Report, attacks on businesses went up 13 percent from 2018 to 2019 while consumer attacks actually went down two percent year over year, showing a marked shift away from consumer attacks, towards business targets. Cybercriminals know which side of the bread is buttered.
Ransomware detections, for instance, are higher than ever, due largely to the Ryuk, Phobos, GandCrab, and Sodinokibi ransomware strains. And it’s not just the big name, Fortune 500 companies getting hit. Organizations of all sizes are being targeted by cybercriminal gangs, lone wolf threat actors, hacktivists, and state-sponsored hackers looking for big scores from companies with caches of valuable data on their networks. Again, it’s the value of the data, not the size of the company. Local governments, schools, hospitals, and managed service providers (MSPs) are just as likely to be the victim of a data breach or ransomware infection.
Consider the average cost of a data breach. The 2019 IBM “Cost of a Data Breach Report” puts the number at $3.92 million. In the US the number is even higher at $8.19 million.
With this sobering data in mind, endpoint protection, like Malwarebytes Nebula for example, is crucial to protecting your endpoints, your employees, your data, the customers you serve, and your business from a dangerous array of cyberthreats and the damage they can cause.