5 Benefits of Cloud-Based End-Point Security Products

December 7, 2016 by Frank Siemons

With the emergence of cloud technologies, many products arrived that used the newly created possibilities in one way or another. Some very good security products have been created that benefit from these possibilities as well. End-point security products, which are basically the old anti-virus suites, have probably been transformed the most in this landscape. Organizations should carry out an in-depth analysis of what the market has to offer and compare that to their current endpoint protection products to identify the benefits to their environment.

Integration and Outsourcing

Traditional endpoint protection products would simply detect a suspicious or malicious file, sometimes also suspicious behavior, and would either prevent an infection or send an alert to an internal security team. Depending on the organization, that team would then triage compromised and infected machines, based on the sometimes-limited experience and knowledge that team has. For cloud-enabled products, this has become slightly different. Many of the vendors of these products have a 24/7 monitoring team overseeing all their customers’ security data, now stored within their cloud platform, from a holistic perspective. This means they not only have a far more experienced and specialized security team that can deal with a broad range of malware and often even APTs, but also that this team has a cross-customer overview, for instance in the case of a global malware “outbreak.” They can use all that knowledge to build up an intelligence database. This knowledge can then be shared (in a sanitized format) with all customers, sometimes for a subscription fee. Quite often there is also an option to upgrade to a full 24/7 monitoring and response functionality, more like the traditional Security Operations Centre (SOC), although the fees for that can be quite substantial. Some vendors that offer a 24/7 monitoring and intelligence function via their cloud-enabled endpoint protection products are McAfee, CrowdStrike, and FireEye.

External Log Solution

A security best practice is to store security logs both internally (for performance and ease of use) and externally (as a backup archive). When end-point security logs are sent directly from a host to the cloud platform, both requirements are covered at the same time. No matter what happens to the organization’s end-point or even to the entire network, those logs are stored offsite in real-time. Whatever connection exists between that compromised host or network and the service provider, it will be completely independent of any compromised network account. This means some trust will need to be placed in the vendor’s security and availability, but it is often also possible to set up an additional, on-site log server (which can, in turn, be connected to a SIEM).

Local Product Infrastructure is Often Optional

Because in most cases the end-points communicate directly with the cloud platform via an API or a simple HTTPS connection, there is hardly any requirement for costly infrastructure to keep the product operational. Some on-site download and deployment repositories can reduce external traffic, but even without them, the cloud-enabled products will still be operational.

Network Independent Real-time Monitoring

In the age of mobility, traditional endpoint protection products are struggling to keep up. For example, imagine a user bringing a corporate laptop (possibly a BYOD device) home after a workday in a corporate office. The user connects the laptop to the home Wi-Fi network, does some online shopping, downloads some TV series via BitTorrent and eventually installs some new ransomware variety. Without a matching signature, it is unlikely the ransomware infection is directly blocked, which means the initiated encryption procedure is also unlikely to be prevented. It gets worse.

Without some type of cloud infrastructure acting as a relay for communications between the endpoint security client and the centralized monitoring system inside the company network, it is also impossible for the security department to be notified that same night, even if they are operational 24/7. There is nothing to stop the user from connecting that infected machine to the company network the next morning when the user goes back to the office. The internal security team will only get an alert once the end-point client connects back to the network and communicates with the internal management servers. That is too late. The malware could spread to company network shares, steal network credentials and install backdoors, all within the blink of an eye. The issue is that by only using a traditional LAN-based end-point client for mobile computer systems, the network that carries the greatest risk of infection (the internet) is basically unmonitored until it is too late. All trust is placed in the client’s pre-configured detection and prevention capabilities, which is not the most secure situation, especially not for the easily missed lower-confidence or anomalous behavior detections. With a cloud platform communicating with the end-point client 24/7 through the internet, SOC alerting happens in real-time, as long as there is an active internet connection.

True End-Point Containment, Anywhere

Location-independent, real-time alerting is a good addition to the IT security capabilities of any organization. What is even better is the isolation and containment of infected and compromised hosts, in real-time and in any situation. Looking at the previous example, if the infected host communicated directly with a management system in a cloud platform, the security team would have been able to (manually or automatically) isolate the infected machine right when it happened. That would truly prevent the system from being connected to any network, other than possibly a whitelisted triage or rebuild environment, until the threat has been eliminated. This is what many vendors offer now, and it probably is one of the biggest benefits cloud-based endpoint security products have made possible so far.
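The timing argument of the monitoring and containment sections above, worked through as an added example (not code from the original article). The timeline, network names and detection time are constructed, and the reachability sets are an assumption: a LAN-only client reaches its management servers only from the corporate network, a cloud-managed client from any network with internet access.

```python
from datetime import datetime

# Constructed timeline for one laptop: (start, end, network it is attached to).
TIMELINE = [
    (datetime(2016, 12, 6, 8, 30), datetime(2016, 12, 6, 17, 0), "corp_lan"),
    (datetime(2016, 12, 6, 19, 0), datetime(2016, 12, 6, 23, 30), "home_wifi"),
    (datetime(2016, 12, 7, 8, 45), datetime(2016, 12, 7, 17, 0), "corp_lan"),
]
# Constructed: the endpoint client flags suspicious behaviour at home that evening.
DETECTION = datetime(2016, 12, 6, 21, 15)

# Assumption: networks from which the client can reach its management plane.
REACHABLE = {
    "lan_only": {"corp_lan"},            # internal management servers only
    "cloud": {"corp_lan", "home_wifi"},  # any network with internet access
}

def first_contact(model, detection, timeline=TIMELINE):
    """Earliest moment at or after detection when the client can send an
    alert and receive an isolation command; None if it never can."""
    for start, end, network in sorted(timeline):
        if network in REACHABLE[model] and end > detection:
            return max(start, detection)
    return None

def exposure(model, detection=DETECTION, timeline=TIMELINE):
    """Alert delay, and whether the host is already attached to the
    corporate LAN at the moment the security team first hears about it."""
    contact = first_contact(model, detection, timeline)
    if contact is None:
        return None
    on_lan = any(s <= contact < e and n == "corp_lan" for s, e, n in timeline)
    return {"first_contact": contact,
            "delay": contact - detection,
            "on_corp_lan": on_lan}

if __name__ == "__main__":
    for model in REACHABLE:
        print(model, exposure(model))
```

With the LAN-only client, the alert and any isolation command can only arrive after the host has rejoined the corporate network; with the cloud-managed client both are possible while the host is still at home.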


Security vendors have been leveraging cloud platforms for quite some time now, with mixed levels of success. The most innovative products, benefiting the most from cloud flexibility, are end-point products. Some of the benefits covered earlier are so significant that a traditional anti-virus product without all these options is simply outclassed. The network-independent monitoring and containment options in particular fill the need for round-the-clock and mobile security. Organizations that have not compared their current end-point security controls against the market offerings within the last two years should certainly organize this within the next few months.


Frank Siemons is an Australian security researcher at InfoSec Institute. His track record consists of many years of systems and security administration, both in Europe and in Australia. He currently holds many certifications such as CISSP and has a Master's degree in InfoSys Security at Charles Sturt University. He has a true passion for anything related to pentesting and vulnerability assessment. His Twitter handle is @franksiemons.