Endpoint protection software uses a combination of techniques to detect and stop malicious behavior, but the types of techniques vary from product to product.
The capabilities most often provided by endpoint protection software include:
- Antimalware software
- Application whitelisting
- Device control
- Endpoint data loss prevention (DLP)
- Enterprise mobile device management (MDM)
- Host-based firewall
- Host-based intrusion detection/prevention system
- Storage encryption
- Vulnerability assessment
However, few endpoint protection software products provide all the capabilities in this list. Endpoint protection software may also provide application-specific security services, such as website filtering and antispam protection.
Let's look at the security capabilities that are most commonly provided by endpoint protection software in more detail. Note that the extent to which each of these capabilities is implemented may vary from product to product (for example, endpoint DLP may be more rigorously implemented in one product and storage encryption in another).
Antimalware software: This is the standard antimalware software that's been available for endpoints for many years. It is best suited to detect known instances of malware. Unfortunately, antimalware software, while still an important component of endpoint security, is not nearly as effective as it used to be because of the highly customized and targeted nature of many of today's malware threats. Symantec reported that less than 50% of malware was detected by antimalware software in 2012. Antimalware software is primarily signature-based, and you generally can't use signatures for identifying the novel and unknown.
Application whitelisting: Application whitelisting is a feature that limits which applications may be installed or executed on an endpoint. It is only useful for environments that are able to tightly restrict what applications may be used while still providing the necessary services to their users. However, if application whitelisting can be used in an environment on its user endpoints, this can prevent the execution of known and unknown malware, as well as attack tools and other malicious software. Application whitelisting can also prevent use of applications with known vulnerabilities that could be exploited to access sensitive data or otherwise gain unauthorized access to the endpoint.
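The following is an added example, not code from the article or from any endpoint protection product. It shows why whitelisting products key their decisions on a hash of the executable rather than on its path: with a default-deny hash allowlist, malware the vendor has never seen is blocked, a build with a known vulnerability can be revoked, and copying a payload over an approved program's path gains nothing. The "executables" are constructed byte strings, and the allowlist entries, the path and the build names are illustrative assumptions.

```python
"""Application allowlisting: default-deny execution control keyed on file hash.

Added example, not code from the article or from any product. The
"executables" are constructed byte strings standing in for real program
files, and the allowlist entries are illustrative.
"""
import hashlib
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for program files on the endpoint.
EDITOR_V1 = b"editor build 1.0 (constructed; stands in for a build with a known vulnerability)"
EDITOR_V2 = b"editor build 2.0 (constructed; the approved, patched build)"
DROPPER = b"unknown binary (constructed; malware no vendor has a signature for)"

EDITOR_PATH = "C:\\Program Files\\Editor\\editor.exe"  # constructed path

# Hash allowlist: only builds the organization reviewed may run. A build is
# moved from the allowlist to the revoked set once a vulnerability is known.
ALLOWED = {sha256_hex(EDITOR_V2): "editor 2.0"}
REVOKED = {sha256_hex(EDITOR_V1): "editor 1.0, replaced by 2.0"}


@dataclass
class Decision:
    allowed: bool
    reason: str


def evaluate_by_hash(path: str, contents: bytes) -> Decision:
    """Default deny: anything not explicitly allowed, including never-seen malware, cannot run."""
    digest = sha256_hex(contents)
    if digest in REVOKED:
        return Decision(False, f"revoked build: {REVOKED[digest]}")
    if digest in ALLOWED:
        return Decision(True, f"approved build: {ALLOWED[digest]}")
    return Decision(False, f"not on the allowlist: {path}")


def evaluate_by_path(path: str, contents: bytes) -> Decision:
    """Weaker scheme, for contrast: trusts the location, so whatever sits at the path runs."""
    if path == EDITOR_PATH:
        return Decision(True, "trusted path")
    return Decision(False, "untrusted path")


if __name__ == "__main__":
    # The dropper copied over the editor's path: path trust lets it run, the hash allowlist does not.
    print(evaluate_by_path(EDITOR_PATH, DROPPER))
    print(evaluate_by_hash(EDITOR_PATH, DROPPER))
    print(evaluate_by_hash(EDITOR_PATH, EDITOR_V1))  # known-vulnerable build is blocked
    print(evaluate_by_hash(EDITOR_PATH, EDITOR_V2))  # approved build runs
```

In practice the allowlist is populated from a vendor's catalog or from a golden image and distributed by the management server; the decision logic on the endpoint is as simple as shown here, which is why the hard part of whitelisting is operational (keeping the list current) rather than technical.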
Device control: Device control, sometimes referred to as port control, is software that prevents unauthorized use of mobile devices and removable media connected to the endpoint, most notably USB drives and CDs/DVDs. Device control can prohibit all use of certain classes of mobile devices and removable media. It can also more granularly limit what types of data may be stored on mobile devices and removable media, often working in conjunction with endpoint DLP technology (described next). Device control can help prevent the spread of malware, as well as block the sprawl of sensitive data to locations other than its origin.
Endpoint DLP: One of the newest components of endpoint protection software, endpoint DLP, is intended to stop inadvertent and intentional breaches of sensitive data, ranging from Social Security and credit card numbers to proprietary intellectual property (e.g., blueprints and other sensitive documents). Endpoint DLP monitors an endpoint's storage to identify sensitive data and monitors an endpoint's use to identify actions involving sensitive data, such as copying and pasting from a customer database to an email message. Endpoint DLP can run in a monitoring-only mode that observes and logs policy violations, or in an enforcement mode that stops attempted policy violations from succeeding.
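The following is an added example, not code from the article or from any DLP product; it illustrates both the device control and endpoint DLP passages above. It inspects a piece of content for the two data types the article names (Social Security and credit card numbers), validates candidate card numbers with the Luhn checksum so that random digit runs do not trigger false positives, and then applies a per-channel policy: writes to removable media are enforced (the device control case, working with DLP), while email is in monitoring-only mode. The regular expressions, the channel table, the sample text and the audit-log format are constructed assumptions.

```python
"""Endpoint DLP content inspection with per-channel monitor/enforce modes.

Added example, not code from the article or from any product. The detection
patterns, the policy table and the sample text are constructed for
illustration; real products inspect far more data types than these two.
"""
import re
from dataclasses import dataclass
from typing import List

# SSN in 3-2-4 form; excludes area numbers 000, 666 and 900-999 and all-zero
# group or serial numbers, which are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13 to 16 digits, optionally separated by spaces or hyphens; validated by Luhn below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    kind: str    # "ssn" or "card"
    masked: str  # what goes into the audit log; never the raw value


def inspect(text: str) -> List[Finding]:
    """Classify sensitive data in a piece of content (clipboard, file, message body)."""
    findings: List[Finding] = []
    for m in SSN_RE.finditer(text):
        findings.append(Finding("ssn", "***-**-" + m.group()[-4:]))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(Finding("card", "*" * (len(digits) - 4) + digits[-4:]))
    return findings


# Constructed policy: how each channel is handled when sensitive data is present.
# Removable media is enforced (device control working with DLP); email and
# print are in monitoring-only mode while the policy is being tuned.
CHANNEL_MODE = {"removable_media": "enforce", "email": "monitor", "print": "monitor"}

AUDIT_LOG: List[str] = []


def evaluate_transfer(text: str, channel: str) -> str:
    """Return 'allow', 'log' or 'block' for moving `text` to `channel`, recording violations."""
    findings = inspect(text)
    if not findings:
        return "allow"
    mode = CHANNEL_MODE.get(channel, "enforce")  # unknown channels default to enforcement
    action = "block" if mode == "enforce" else "log"
    kinds = ",".join(f"{f.kind}:{f.masked}" for f in findings)
    AUDIT_LOG.append(f"{action} channel={channel} findings={kinds}")
    return action


if __name__ == "__main__":
    sample = "Customer 123-45-6789 paid with card 4111 1111 1111 1111."  # constructed
    print(evaluate_transfer(sample, "email"))                               # log
    print(evaluate_transfer(sample, "removable_media"))                     # block
    print(evaluate_transfer("Order 1234567812345678 shipped.", "email"))    # allow: fails Luhn
    print(*AUDIT_LOG, sep="\n")
```

Two design points matter for a real deployment: the audit log stores masked values only, so the DLP system does not itself become a store of the data it protects, and channels the policy does not mention fall back to enforcement rather than to silent allow.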
Enterprise MDM: Enterprise MDM software is geared toward controlling and protecting mobile devices, primarily smartphones and tablets, but also laptops in some cases. Enterprise mobile device management software traditionally provides some of the other security capabilities that endpoint protection software does, including endpoint DLP, device control and storage encryption. Think of enterprise MDM as a suite of security controls that protects sensitive data on an endpoint. One of the most notable emerging features of enterprise MDM software is establishing a secure sandbox to house an organization's applications and data. This helps to isolate them from other threats and vulnerabilities on the endpoint.
Host-based firewall: Host-based firewalls, also known as personal firewalls, have been around almost as long as antimalware software. And like antimalware software, they have lost effectiveness over the years as the nature of threats has changed. Most of today's threats are at the application layer, not the network layer. While a host-based firewall still provides valuable protection to endpoints -- by blocking unwanted connection attempts -- it doesn't stop the vast majority of threats against endpoints. Note that some host-based firewalls have "application firewall" capabilities built-in that may provide some additional protection for application-generated network traffic.
Host-based intrusion detection/prevention system: The functionality provided by a host-based intrusion detection/prevention system (IDS/IPS) can vary greatly among implementations. Some analyze attempts to execute code on the endpoint, some analyze the endpoint's incoming and outgoing network traffic, some monitor the endpoint's file system and some analyze the endpoint's logs. Most IDS/IPSes perform a combination of two or more of these techniques. The primary benefit of using a host-based intrusion detection/prevention system is to detect unknown threats based on their suspicious or unusual behavior.
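The following is an added example, not code from the article or from any host IDS product, showing two of the techniques listed above working together: file-system integrity monitoring (a hashed baseline compared against the current state to find replaced, added and deleted files) and log analysis (a sliding-window rule that flags a source address producing repeated failed logins). Neither technique needs a signature for the attacker's tool, which is the behavioral advantage the passage describes. The monitored tree is created in a temporary directory, and the log lines and their sshd-like format are constructed assumptions.

```python
"""Two host-based IDS techniques combined: file-system integrity monitoring
and log analysis for suspicious behavior.

Added example, not code from the article or from any product. The monitored
directory is created in a temporary folder, and the log lines and their
sshd-like format are constructed for illustration.
"""
import hashlib
import re
import tempfile
from collections import defaultdict, deque
from datetime import datetime
from pathlib import Path
from typing import Deque, Dict, List


def snapshot(root: Path) -> Dict[str, str]:
    """Relative path -> SHA-256 of contents for every file under root."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_snapshots(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify what changed since the baseline: new files, deleted files, altered contents."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def demo_integrity_check() -> Dict[str, List[str]]:
    """Baseline a small tree, tamper with it the way malware might, and report the differences."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls binary")   # constructed
        (root / "etc" / "app.conf").write_bytes(b"debug=off")     # constructed
        baseline = snapshot(root)
        (root / "bin" / "ls").write_bytes(b"trojaned ls binary")  # system binary replaced
        (root / "bin" / "sh2").write_bytes(b"dropped backdoor")   # unexpected new file
        (root / "etc" / "app.conf").unlink()                      # configuration deleted
        return diff_snapshots(baseline, snapshot(root))


# Constructed sshd-style log lines (documentation IP ranges, not real hosts).
SAMPLE_LOG = [
    "2024-03-01T10:00:00 sshd[1201]: Failed password for invalid user admin from 203.0.113.7",
    "2024-03-01T10:00:03 sshd[1202]: Failed password for invalid user admin from 203.0.113.7",
    "2024-03-01T10:00:05 sshd[1203]: Failed password for root from 203.0.113.7",
    "2024-03-01T10:00:08 sshd[1204]: Failed password for root from 203.0.113.7",
    "2024-03-01T10:00:09 sshd[1205]: Failed password for root from 203.0.113.7",
    "2024-03-01T10:00:20 sshd[1206]: Failed password for alice from 198.51.100.4",
    "2024-03-01T10:05:00 sshd[1207]: Accepted password for alice from 198.51.100.4",
]

FAILED_LOGIN = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (?P<ip>\S+)"
)


def detect_bruteforce(lines: List[str], threshold: int = 5, window_seconds: int = 60) -> List[str]:
    """Source IPs with `threshold` or more failed logins inside a sliding time window.

    The rule keys on behavior (rate of failures), not on any signature of the
    tool producing them.
    """
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: List[str] = []
    for line in lines:
        m = FAILED_LOGIN.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        window = recent[m["ip"]]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()  # drop failures that have aged out of the window
        if len(window) >= threshold and m["ip"] not in alerts:
            alerts.append(m["ip"])
    return alerts


if __name__ == "__main__":
    print(demo_integrity_check())
    print(detect_bruteforce(SAMPLE_LOG))
```

The baseline hashes must be stored where the agent's own tampering check can reach them but a local attacker cannot rewrite them (typically on the management server), otherwise an intruder who replaces a binary simply re-baselines it.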
Storage encryption: Full disk encryption is the most commonly implemented form of storage encryption in endpoint protection software. This type of encryption encrypts the endpoint's storage media in its entirety (other than perhaps the boot sector) so that the data stored on the media cannot be recovered while the endpoint is powered off or otherwise in an unauthenticated state. This protects against a data breach should the endpoint be lost or stolen. Note that full disk encryption offers no protection once the endpoint has booted and the user has authenticated; any malware running on the unlocked system reads the same plaintext the user does. Some endpoint protection software also provides forms of storage encryption other than full disk encryption, such as file/folder or virtual disk encryption. These forms of encryption remain active even when a host is fully booted, and they allow access to the sensitive data only after proper authentication has been provided.
Vulnerability assessment: The exact nature of vulnerability assessment software varies among endpoint protection products, but the fundamental idea is that it detects known vulnerabilities in the endpoint, primarily in its operating system and common applications (Web browser, email client, etc.). The types of vulnerabilities it can detect may include missing patches, outdated software and misconfigured security settings. Vulnerability assessment software generally has no capability to stop threats; rather, it can notify users and system administrators of security problems so that they can be addressed before exploitation occurs. Some vulnerability assessment software can even make recommendations on how to address known vulnerabilities.
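The following is an added example, not code from the article or from any scanner, of the two checks the passage describes: comparing an endpoint's software inventory against a minimum-fixed-version baseline to find outdated software, and comparing its security settings against a policy to find misconfigurations, with each finding carrying a recommendation rather than any blocking action. It also handles a classic failure mode of home-grown checkers: comparing version strings lexically ranks "9.12" above "10.2", so versions are parsed into numeric tuples. The inventory, the baseline, the policy and the product names are constructed and refer to no real advisories or products.

```python
"""Vulnerability assessment over an endpoint's software inventory and settings.

Added example, not code from the article or from any scanner. The inventory,
the minimum-fixed-version baseline and the configuration policy are
constructed for illustration and do not refer to real advisories or products.
"""
import re
from typing import Dict, List, Tuple

# Constructed baseline: the oldest version of each product that carries the fixes.
MIN_FIXED_VERSION: Dict[str, str] = {
    "web-browser": "120.0.1",
    "email-client": "16.0.4",
    "pdf-reader": "10.2",
}

# Constructed configuration policy: setting -> (expected value, why it matters).
CONFIG_POLICY = {
    "autorun_removable_media": (False, "autorun lets removable media run code on insertion"),
    "require_screen_lock": (True, "unattended unlocked sessions expose data and credentials"),
    "os_auto_update": (True, "patches lag when updates depend on someone remembering"),
}

# Constructed snapshot of one endpoint, as an agent would report it.
SAMPLE_INVENTORY = {"web-browser": "119.0.6", "email-client": "16.0.4",
                    "pdf-reader": "9.12", "unlisted-tool": "1.0"}
SAMPLE_SETTINGS = {"autorun_removable_media": True, "require_screen_lock": True}


def parse_version(v: str) -> Tuple[int, ...]:
    """'9.12' -> (9, 12). Comparing the strings would rank 9.12 above 10.2; tuples do not."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def assess(inventory: Dict[str, str], settings: Dict[str, object]) -> List[dict]:
    """Report, never block: each finding carries a recommendation for the user or administrator."""
    findings: List[dict] = []
    for product, installed in inventory.items():
        fixed = MIN_FIXED_VERSION.get(product)
        if fixed is None:
            continue  # no baseline entry, nothing to compare against
        if parse_version(installed) < parse_version(fixed):
            findings.append({"type": "outdated", "item": product, "installed": installed,
                             "recommendation": f"update {product} from {installed} to {fixed} or later"})
    for setting, (expected, why) in CONFIG_POLICY.items():
        actual = settings.get(setting)
        if actual is None:
            findings.append({"type": "unknown", "item": setting,
                             "recommendation": f"{setting} was not reported; verify it on the endpoint"})
        elif actual != expected:
            findings.append({"type": "misconfigured", "item": setting, "installed": actual,
                             "recommendation": f"set {setting} to {expected}: {why}"})
    return findings


if __name__ == "__main__":
    for f in assess(SAMPLE_INVENTORY, SAMPLE_SETTINGS):
        print(f"[{f['type']}] {f['item']}: {f['recommendation']}")
```

A setting the agent did not report is surfaced as its own finding type rather than silently treated as compliant; an assessment that only reports what it could see tends to overstate how well an endpoint is configured.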
The main technical architecture of an endpoint protection software product comprises one or more centralized management servers and agent software installed onto each endpoint. Typically, this agent software is embedded into the operating system so that it intercepts endpoint activity as it occurs, permitting it to be blocked as needed. An example is integrating a host-based firewall into the endpoint's network stack so that all network activity has to go through the host-based firewall. Achieving this level of integration necessitates installing the agent software with administrative privileges.
The centralized management servers used for endpoint protection software are typical of many security technologies. They are used for full lifecycle management of the endpoint agent software, including agent deployment, agent configuration (e.g., enterprise policy management), agent monitoring (e.g., incident response, vulnerability response) and agent updating. Usually, the data collected by each endpoint is transmitted to the centralized servers for processing, reporting and archival purposes.
Because the centralized management servers are such a key component of an endpoint protection software deployment, even the most basic implementation generally necessitates the installation of at least two servers. This provides redundancy -- should one server fail, the other server can keep operating in its place. Sizable enterprises are likely to deploy more than two servers -- for example, servers to support different geographic locations, or several additional servers to support increased workloads.
About the author:
Karen Scarfone is senior cybersecurity engineer at tapestry technologies Inc. and the principal consultant for Scarfone Cybersecurity in Clifton, Virginia. She provides cybersecurity publication consulting services, specializing in network and system security guidelines. Scarfone was formerly a senior computer scientist for the National Institute of Standards and Technology (NIST), where she oversaw the development of system and network security publications for federal civilian agencies and the public.