Anyone that utilizes technology in their daily lives understands that it is ever-changing, and the sentiment is especially true within the cybersecurity industry. Adversaries continue to evolve with new tactics to bypass defenses, so it is necessary that the methods of detecting and preventing these threats do so at an even more rapid pace.
However, keeping up with all the changes can be quite difficult, even for the most seasoned cybersecurity professional. The way in which we work has changed not just in where but also in how. Today employees conduct business from multiple devices, with some being company-issued and others being privately owned. Sensitive data is being stored across many locations including on these devices, within corporate data centers, and in the cloud. This means that organizations likely need more than one technology to defend their endpoints against security breach or data loss. With cybersecurity vendors marketing a wide range of branded product names for their offers, it may be challenging to determine which are ideal for your particular environment.
This article aims to help demystify the various endpoint security technologies you may come across during your research, highlight the primary differences, and explain how they can complement each other. This is not intended to be an exhaustive list and it should be noted that there are some technologies that may fall into more than one category, for example, endpoint and cloud security.
Four Key Endpoint Security Technologies
To begin, let’s define exactly what an endpoint is. At the most fundamental level, an endpoint is any device that connects and exchanges data on a network. That could include traditional desktop and laptop computers, tablets, smartphones, printers, and servers. Endpoints also encompass network appliances like routers, switches, or firewalls, and a wide range of IoT devices such as wearables, security cameras, sensors, and connected medical or manufacturing equipment. But we must also think beyond the physical devices and consider virtual machines that host applications and data in public or private clouds.
Although this may seem trivial, it is important to note because they all represent entry points into the network that can be exploited and opportunities for sensitive data loss. As such, they must all be accounted for when building an endpoint security strategy. The following are some of the more common endpoint security technologies you are likely to encounter:
Unified endpoint management (UEM) or mobile device management (MDM):
There is a widely accepted concept within the cybersecurity industry that you cannot effectively protect what you can’t see. Therefore, the first step in building a comprehensive endpoint security policy is to inventory all the devices accessing your network, and this can be accomplished with UEM or MDM technologies. The primary difference between the two is that MDM is for iOS and Android operating systems (OS), while UEM includes those OS plus Windows and Mac operating systems--even productivity devices and wearables in some cases. Once the devices are discovered and profiled, administrators will be able to apply consistent security policies across them, regardless of where the endpoint is located.
A key feature of both UEM and MDM is that they allow an organization to set standards regarding the security posture of devices accessing the network. For example, rules can be created that a device cannot be jailbroken and must be running on the latest OS version. They can also restrict what apps the users may install and what the user is allowed to do on a managed device. Administrators can use the management console to push operating systems or app updates to devices that are out of compliance, or even to wipe devices that are lost or stolen or that were used by former employees. However, MDM and UEM go beyond reducing risk to an organization and can actually be leveraged to improve user experience. These solutions allow businesses to deliver new devices to end users that are already set up, complete with all the approved applications needed to complete their job duties.
Endpoint detection and response (EDR):
As mentioned above, security policies can be applied to endpoints using UEM and MDM; however, these solutions lack the ability to detect and block threats. The purpose of EDR is real-time protection for your desktops, laptops, and servers against threats such as ransomware, known and unknown malware, trojans, hacking tools, memory exploits, script misuse, malicious macros, and others.
This technology started many years ago as antivirus software, which relied on signatures of known or already identified threats to create block lists. It evolved into what is called an endpoint protection platform, or EPP, which utilizes machine learning, artificial intelligence, and sandboxing technology to detect fileless or previously unseen malware (also referred to zero-day attacks). More recently, endpoint security vendors have started to add forensic and response capabilities, morphing EPP technology into what is known as endpoint detection and response, or EDR.
Mobile devices are most certainly endpoints, and they have things in common with laptops and desktops in terms of their vulnerability to attacks such as phishing and malware, but they are unique when it comes to how attacks are carried out. A few examples would be SMS messages with phishing links, malicious QR codes, or unscrupulous apps. It is for this reason that mobile devices require their own dedicated security solution, commonly referred to as mobile security or mobile threat defense (MTD). MTD protects both managed and unmanaged mobile devices against four categories of threats:
- Device: Detecting jailbroken or rooted devices, outdated operating systems, and risky configurations
- App: Flagging apps that are known to be malicious but also those that leak or share data
- Network: Identifying risky networks to protect against man-in-the-middle attacks, certificate impersonation or other attacks that leverage vulnerable TLS/SSL sessions
- Content and web: Blocking malicious links sent via email, SMS, browsers, and social media or productivity apps
Unfortunately, MTD is a security technology that is currently underutilized, with a recent IDC study indicating that it was deployed by fewer than half of the surveyed SMB or enterprise businesses. This presents a considerable security gap considering how much sensitive information is transmitted through and stored on mobile devices today. Smartphones and tablets are particularly attractive targets for attackers due to the ease of attack via SMS, email, and messaging apps as well as a frequent lack of security controls on the device. Additionally, smartphones and tablets can be leveraged as a jump point to the network, where more impactful assaults may be launched.
Cloud workload protection platform (CWPP):
Digital transformation initiatives have resulted in businesses moving more applications out of the data center and into the cloud. The benefits here include lower overhead costs, increased performance, and improved user experience. The most utilized cloud service providers (CSPs) are AWS, Azure, and Google Cloud. 87% of organizations use multiple cloud providers and 72% have a hybrid cloud structure combining both public and private clouds.
While this migration to cloud is necessary for future growth, it also increases the attack surface. This is because when cloud resources are publicly accessible, whether by design or error, they become a target for threat actors. CWPPs provide threat detection for servers, virtual machines, containers, and Kubernetes clusters across all cloud environments. CWPPs protect against a wide range of attacks including ransomware, fileless, and zero-day attacks. They can alert a security administrator not just to vulnerabilities, but also to compliance violations.
Determining the Proper Technologies for Your Business
You may be wondering if your organization really needs all of these protections. The answer could be as simple as doing an assessment of where your sensitive data is stored. Even the smallest businesses have valuable data including customer and payment details, and for companies linked to healthcare, law, insurance, or finance, there is likely even more private information that could be leveraged for identity theft.
According to a recent study, on average, an employee at a business with fewer than 100 employees will be subjected to 350% more social engineering attacks than an employee at a larger enterprise. Employees at businesses of all sizes may perform bookkeeping or other tasks on laptops, utilize tablets to process transactions or collect customer information, and use mobile phones to respond to business texts or emails.
For every organization, endpoint security should be viewed not only as a way to reduce risk, but also as a fundamental investment in ensuring business continuity.
Blog courtesy of AT&T Cybersecurity. Author Mary Blackowiak is Director of Product Management and Development for the endpoint and mobile security portfolio with AT&T Cybersecurity. Regularly contributed guest blogs are part of MSSP Alert’s sponsorship program. Read more AT&T Cybersecurity news and guest blogs here.
