What is Endpoint Security?

Discover how to protect your endpoints, and learn about a few of the most common endpoint security tools in the market today.

Endpoints are a continuous target for threat actors. They serve as gateways to the overall network, meaning an attack that starts on a single endpoint can quickly spread across the attack surface. They offer a valuable entry point into an organisation’s environment that can be used to launch sophisticated cyber attacks.

Arctic Wolf has observed that 15% of all ticketed incidents originate at the endpoint, and even when an attack doesn’t start on an endpoint, it doesn’t mean it won’t reach one, or multiple, during different stages of an attack. Ransomware, for example, commonly replicates and spreads laterally through a network, infecting as many endpoints as possible to disrupt an entire organisation. Similar malware strains, known as worms, follow the same pattern.

That’s why endpoint security is so foundational to cybersecurity. Monitoring and securing the array of endpoints throughout your environment allows you to detect threats as early as possible, stopping them before they go from isolated to network-wide security incidents.

What is an Endpoint?

An endpoint is anything on your network that can receive and transmit data. This definition may appear broad, and for good reason. As network architecture has evolved over the years, the very definition of an endpoint has morphed alongside it.

Some security tool vendors will say that an endpoint is defined as a computer — whether it be a laptop or desktop — running one of the most common operating systems in use today. Others will tell you the definition is much broader than limiting the idea of an endpoint to a Windows or macOS machine.

For our purposes, we define “endpoint” by the very words that make up the term. An endpoint is any device that resides at the end point of a network connection and can communicate on that network. This offers a much broader, more reflective definition that includes far more than desktops and laptops: servers, mobile devices, IoT technology, and more.

This definition is also beneficial when we look at the current threat landscape, and how attackers are breaching organisations. Threat actors have shown themselves capable of leveraging any device from the above list to breach an environment and execute malicious activity. If we limit what we consider an endpoint to just computers, then we risk missing essential visibility that can help an organisation detect a potential incident. A successful approach to endpoint security is one that includes visibility into any device that can transmit and receive data on your network.

The Evolution of Endpoint Security

Endpoint security began its life as antivirus software. Designed to scan and detect malware that could infect computing devices, antivirus software marked a major step forward in protecting endpoints from threats.

In its most basic form, antivirus software scans the host machine it is installed on to identify known viruses. What happens once a virus is detected depends on the type of antivirus software used. Some versions of antivirus simply alert that a virus has been detected and leave it to the user to remove the unwanted code. Other forms of antivirus include the ability to quarantine the unwanted code or remove it automatically.

As threats and technology have evolved side by side, so too have antivirus and endpoint security more broadly.

Most endpoint security in use today falls under the banner of “next-gen,” which means any endpoint tool that goes beyond traditional antivirus and may include endpoint detection and response (EDR), endpoint protection platforms (EPP), or extended detection and response (XDR). That list also includes next-generation antivirus, which, depending on the vendor, can leverage the cloud to eliminate the need to download large sets of virus definitions and instead stream the results of a scan to a cloud database of software reputations.

To combat modern threats, organisations should focus on and strategically implement this next-generation endpoint security into their cybersecurity architecture.

Why is Endpoint Security Important?

All security incidents will land on the endpoint at some phase of the attack. Be it the root point of compromise, where a threat actor has gained access to a laptop; the middle of an attack, where a threat actor has exploited a vulnerability to access mobile devices; or even the late stages of a malware attack, where a strain has exploded across multiple endpoints. It’s these scenarios that make endpoint security so important to any tech stack and overall strategy. Additionally, the strength of perimeter security has drastically weakened in the age of “bring your own device” and “work from anywhere.” If a user is taking their laptop out of the office, or remotely logging into an IoT device from their mobile phone, the importance of security on those endpoint devices increases exponentially.

According to the IBM Cost of a Data Breach 2024, having EDR in place can reduce the cost of a breach by $185,533 USD, highlighting its value.

Benefits of endpoint security include:

  • When fully deployed, it protects all endpoints within a network or organisation
  • It helps secure devices in an age of hybrid and remote work
  • It offers a more sophisticated threat protection, detection, and response
  • It protects users’ identities and credentials that may be present on an endpoint, which are now a major target for threat actors

Endpoints hold valuable data, operational functions, and serve as access points to a broader network. They must be protected at all costs.

Different Types of Next-Generation Endpoint Security

According to The State of Cybersecurity: 2024 Trends Report, 66% of organisations are using at least one endpoint security solution, and out of those organisations, 87% are utilising two or more. This duplication is due to the wide range of technology available, the varying capabilities and visibility of those solutions, and individual businesses’ cybersecurity strategies.

While each organisation takes a different approach, the commonality is that endpoint security is as foundational as ever.

Endpoint Detection and Response

Endpoint detection and response (EDR) was developed as a response to the drawbacks of traditional antivirus, which included the inability to detect unknown threats or live threat actors. Instead of running point-in-time scans as most antivirus was designed to do, EDR records critical activity that occurs on an endpoint to observe behaviours. Process executions, command line activity, running services, network connections, and file manipulation are just some of the events that EDR tools are designed to record. Many EDR vendors also include a series of analytics that run across recorded actions to identify suspicious behaviours. The idea is that — although the signatures, names, and hashes of malware may change — the behaviour of malicious software often remains the same. The same can be said for many threat actors, whose actions can be detected when observing the behaviours occurring on the endpoint. This is where the “detection” part of EDR comes in. When a suspicious action occurs, the EDR agent installed on the endpoint will trigger an alert, letting the security professional know that something potentially malicious has been detected.

EDR also includes features that allow the security professional to act once a detection occurs on the endpoint. This is the “response” capability of EDR, and these features vary by vendor. Most EDR agents, however, include the ability to isolate the host system from the rest of the network. The idea is that if the host is infected with malware, isolating the machine will prevent threats from propagating to other systems. If the endpoint is being remotely manipulated by a threat actor, isolating the machine will terminate their connection and prevent them from pivoting deeper into the network.

Beyond the isolation capability, some vendors offer more advanced responses, including terminating processes or deleting files. The ability to take these actions on a remote endpoint should be approached cautiously as there are situations where it could result in additional harm to the host system.


Endpoint Protection Platforms

Although EDR drastically improves on the limitations of antivirus, it is not without some drawbacks of its own. One of the primary complaints related to EDR is its emphasis on detection of threats rather than the prevention of them. By design, EDR records the actions taking place on the endpoint and triggers an alert when suspicious activity is detected.

But detection alone does not guarantee that the threat is mitigated. EDR traditionally places the emphasis for threat resolution on human analysts, where limited security staff, alert fatigue, excessive noise, and other factors could result in critical detections going unaddressed.

To combat this drawback, endpoint protection platforms (EPP) were developed to build off what was seen as the best aspects of both EDR and antivirus. These platforms record actions occurring on the endpoint in the same fashion as EDR, and these actions are then processed against a database of known suspicious behaviours in near real-time. When it is assumed that a malicious action is about to occur, the EPP agent will interfere and prevent the threat from executing.

For example, an EPP cloud database might have an entry that says Action A leading to Action B leading to Action C will result in a threat. Therefore, if the EPP agent installed on the endpoint observed Action A then Action B, which in turn is attempting to execute Action C, it will prevent this execution since it is assumed that it will result in a threat.

Prevention is the key differentiator between EDR and EPP. Where some EDR may include the ability to develop specific custom preventions, it is primarily designed to record endpoint activity and detect threats. EPP takes the proactive approach of focusing on prevention.

Which Endpoint Tool is Right for You?

Determining which endpoint tool is right for your environment is often a difficult decision to make.

The needs and limitations of every organisation are unique and should be considered when purchasing an endpoint tool. Antivirus software, both legacy and modern (commonly known as Next-Generation Antivirus or NGAV), is often seen as an outdated approach to securing endpoints, but that does not mean it does not have a place within some organisations. Smaller environments, or companies that are just beginning to develop their security program, may find that they are only able to afford antivirus at the beginning. Although it may not have the same capabilities as more advanced tools, it is still better than no security on your endpoints.

EDR is an excellent choice for organisations that are well-staffed and capable of managing the alerts generated. The large amount of recorded activity also offers the additional benefit of a data set that your analysts can use for threat hunting exercises. Unfortunately, organisations with limited security staff may find EDR overwhelming. Alert fatigue can result in a false sense of security. Just because an alert was generated does not mean the problem was resolved. A detection that was not responded to is just as bad as no detection at all.

EPP, on the other hand, may be an excellent choice for an organisation with a limited security staff that is looking to proactively prevent threats. By automating the prevention of malicious activity, EPP takes some of the burden off your analysts.

This is not to say that there are no potential drawbacks to EPP, however. The EPP analytics are not guaranteed to always prevent threats from occurring. There is a balance that these platforms must find between preventing legitimate actions that simply appear suspicious versus allowing threats to run for fear of preventing business activities from being executed. In many cases these platforms will allow the customer to set their own standards for prevention. This can result in some environments lowering their prevention threshold, resulting in occasional malicious processes executing.

Think of it this way: if a sprinkler system’s sensitivity is too high, then it could be set off by the flame from a candle or smoke from cooking. This would result in extensive water damage to your home. To prevent this the sprinkler system sensitivity may be set so low that a fire could cause a large amount of damage before the sprinkler detects it and attempts to suppress it. This is the same balancing act many organisations face with their EPP.
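To make the EDR and EPP models above concrete, here is an added illustration (not Arctic Wolf’s code or any vendor’s product logic) that replays constructed endpoint telemetry through the “Action A → Action B → Action C” rule from the EPP section: in EDR mode the chain is recorded and an alert is raised once C has run; in EPP mode C is blocked before it executes, but only when the rule’s confidence meets the deployment’s prevention threshold, which is the trade-off just described. The process names, the three-step chain, the confidence value and the telemetry are all hypothetical.

```python
from collections import defaultdict

OFFICE = {"winword.exe", "excel.exe"}   # document-handling applications (assumed)
SHELLS = {"cmd.exe", "powershell.exe"}  # command interpreters (assumed)

# Constructed telemetry in the shape an EDR agent records (not real data):
# process starts with parent pid, and network connections keyed by pid.
EVENTS = [
    {"ts": 1, "host": "ws01", "type": "process", "pid": 10, "ppid": 1, "image": "winword.exe"},
    {"ts": 2, "host": "ws01", "type": "process", "pid": 11, "ppid": 10, "image": "cmd.exe"},
    {"ts": 3, "host": "ws01", "type": "process", "pid": 12, "ppid": 11, "image": "powershell.exe"},
    {"ts": 4, "host": "ws01", "type": "network", "pid": 12, "dest": "203.0.113.9:443"},
    {"ts": 5, "host": "ws02", "type": "process", "pid": 20, "ppid": 1, "image": "excel.exe"},
    {"ts": 6, "host": "ws02", "type": "process", "pid": 21, "ppid": 20, "image": "cmd.exe"},
]

# The behavioural rule "Action A -> Action B -> Action C" as ordered predicates over
# (event, per-host chain state, pid -> image map rebuilt from recorded process events).
def step_a(ev, st, images):  # A: a document application spawns a command interpreter
    return ev["type"] == "process" and ev["image"] in SHELLS and images.get(ev["ppid"]) in OFFICE
def step_b(ev, st, images):  # B: that interpreter launches a script host
    return ev["type"] == "process" and ev["image"] == "powershell.exe" and ev["ppid"] == st["pid"]
def step_c(ev, st, images):  # C: the script host opens an outbound connection
    return ev["type"] == "network" and ev["pid"] == st["pid"]

CHAIN = [step_a, step_b, step_c]
RULE_CONFIDENCE = 0.9   # hypothetical analytic confidence attached to this rule

def run(events, mode, min_confidence_to_block=0.8):
    """Replay telemetry as an EDR ('edr': record, alert after C has executed) or an
    EPP ('epp': block C before it executes when RULE_CONFIDENCE meets the deployment's
    prevention threshold; a rule below that threshold degrades to alert-only)."""
    images = defaultdict(dict)                                  # host -> pid -> image
    progress = defaultdict(lambda: {"step": 0, "pid": None})    # per-host chain state
    alerts, blocked = [], []
    for ev in events:
        host = ev["host"]
        if ev["type"] == "process":
            images[host][ev["pid"]] = ev["image"]
        st = progress[host]
        if not CHAIN[st["step"]](ev, st, images[host]):
            continue                                            # no progress on the chain
        st["pid"], st["step"] = ev["pid"], st["step"] + 1
        if st["step"] < len(CHAIN):
            continue                                            # A or B seen; keep watching
        if mode == "epp" and RULE_CONFIDENCE >= min_confidence_to_block:
            blocked.append((host, ev["ts"]))                    # C is stopped before it runs
        else:
            alerts.append((host, ev["ts"]))                     # C ran; an analyst must respond
        del progress[host]
    return alerts, blocked
```

Host ws02 only reaches step A and never produces an alert, while raising `min_confidence_to_block` above 0.9 turns the ws01 block into a plain alert, which is the “lower prevention” situation the text warns about.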

Going Beyond the Endpoint – MDR and XDR

There are two major solutions on the market that help organisations protect both their endpoints and other aspects of their environment – managed detection and response (MDR) and extended detection and response (XDR).

Managed detection and response not only offers more telemetry (depending on the vendor) but offers a third-party security staff to oversee the technology, reducing alert fatigue and the cost of internal staffing. Additionally, MDR offers consistent monitoring, managed investigations of alerts and incidents, and guided remediations.

With XDR, monitoring also goes beyond the endpoint, pulling multiple sources of telemetry into a single dashboard and platform. Given the prevalent usage of the “XDR” acronym, it’s important to note that the ability to outsource management of some XDR platforms is vendor-dependent and specific capabilities will vary by vendor.

One consideration organisations should make when evaluating XDR solutions is whether the provider offers open XDR or native XDR. Open XDR will ingest telemetry from multiple vendors via third-party integrations. On the other hand, native XDR requires that the telemetry ingested into the XDR platform comes from tools that exist within that provider’s product portfolio. Which vendor type makes sense will depend on the types of security tools used in an individual organisation’s environment – whether they largely come from a single vendor or from multiple vendors. Both options allow organisations to gain clarity in their environment while utilising next-generation protection. Additionally, XDR is only a tool, and lacks the management and expertise available with an MDR solution.
