What is endpoint protection and security?
If you do a random search on the web for endpoint security, you will see thousands of hits coming back from hundreds of vendors saying endpoint security is the most critical of all applications.
This is pushed to the point where you could easily get the impression that it is necessary to throw your entire budget at this and nothing else. The difficult part of saying what constitutes endpoint security, however, is just how much ground it actually covers.
What is the endpoint?
There are two schools of thought when it comes to answering the question “What is the endpoint?” The classic answer to this question used to be your demarcation point (or demarc location): where your connection arrives at your facility. Fast forward to now, when watches, vehicles and toasters potentially have dedicated 4G connections while simultaneously attaching to Wi-Fi networks, and suddenly the classic answer is much more difficult to stand by.
So what is the endpoint? The effective answer is anything that connects to our network, but that only tells part of the story.
Let’s say for a moment that a single hypothetical user has been issued a workstation, laptop, mobile and tablet from their organization. That is four different devices, all with their own usage profiles, all with different connection methods and all potentially housing sensitive data from our organization on them.
Because our user needs to stay connected to work all the time, they have their work email attached to their tablet as well as their mobile device because sometimes the phone just needs to charge. They also lend this tablet to their three-year-old child to watch streaming videos on because they broke the last one. One of the ads on these videos shows a game that they just have to try out, so they download a free app onto the tablet. It turns out that this app also harvests passwords from email clients.
Because our user uses the same password for everything, suddenly they are seriously vulnerable, and they didn’t actually do anything. What this means for us, then, is that when we protect the endpoint, we need not only to protect our devices but also to train our users on what they need to do to protect their devices and themselves.
Physical security controls
Security controls are various concepts that we can use to protect both software and hardware. These allow us to break down what could be a mammoth undertaking into smaller, more easily manageable concepts, and thus make sure that we are not only covering our bases, but also not doing double the work at triple the expense. Devices that do not move very much need just as much physical security as information security, since we really don’t need servers walking off with potentially critical data on them.
Fencing can be extremely useful and can be just about invisible depending on the type purchased. It can act as a first-level defense — while it may not stop a seriously motivated person trying to get in, it will help in keeping honest people honest when it comes to just strolling up to your front door. While it is possible to add on elements such as electrification, barbed wire and visibility restrictions, the concept of a fence will help focus the average person’s attention on a single point, the point of authorized entry. This makes covering a potentially large perimeter much easier.
Access controls could then permit users to go in and out of the gate at this fence without having to keep a guard stationed at this location full-time. This frees guards to check other locations that may not be as easily controlled, granting extra flexibility. To do this, they could either walk around the facility themselves, or use cameras and sensors attached to a central monitoring location.
Once inside the facility, we can make sure that we allow access to data centers, server rooms and switch closets only to those who actually need to work in those locations. The fewer hands that touch something, the less likely an accident becomes. Access controls could then also be used on a department-by-department basis to make sure that a random person walking in can’t immediately just walk over to finance, human resources or the executive wing. This is especially important if users have workstations that remain on desks overnight, sometimes powered on and logged in or with their passwords stuck to their monitors.
Information security controls
Security awareness and policies are vital to minimize situations like those described above: systems left unlocked or passwords available for anyone to see. Using strong passwords and password retention policies can help to keep compromised passwords from being effective for long. To take that a step further, we can implement two-factor authentication so that unless a system is already unlocked, someone would need to have a security token of some kind to finish logging in.
Even with the best user training in the world, however, viruses and malware may eventually make their way in somehow. To minimize the threat they present, we need to have up-to-date anti-virus and anti-malware applications running on our devices. This goes for more than just workstations and laptops; mobile devices can be a treasure trove of data to the right person, so they need to be protected just as much. We also want to be sure that our firewalls are configured so that if malicious programs get onto our systems, they don’t have an easy way out to phone home.
An intrusion detection system will also raise a red flag when that outbound connection attempt is made, which allows us to react at a moment’s notice. Depending on the device that is compromised, and the security levels associated with our organization, we can use mobile device management to immediately remote-wipe the device. While it varies from threat to threat, this would either eliminate the problem at best or slow it down at worst.
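The egress-filtering and detection idea described above can be shown in a few lines. The following Python script is an added example, not code from the original article or from any vendor it lists; it assumes a constructed, simplified firewall log format (timestamp, action, protocol, source and destination) and a constructed egress allowlist. It flags internal hosts whose blocked outbound attempts to a non-allowlisted destination repeat at a regular interval, which is the kind of pattern a compromised device produces when it keeps trying to phone home.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample firewall log lines for this example (not from a real device).
# Assumed format: "<ISO timestamp> <ALLOW|DENY> <TCP|UDP> <src>:<sport> -> <dst>:<dport>"
SAMPLE_LOG = """\
2024-03-01T09:00:01 ALLOW TCP 10.0.5.21:51022 -> 10.0.1.10:443
2024-03-01T09:00:05 DENY TCP 10.0.5.21:51023 -> 203.0.113.77:4444
2024-03-01T09:01:05 DENY TCP 10.0.5.21:51024 -> 203.0.113.77:4444
2024-03-01T09:02:05 DENY TCP 10.0.5.21:51025 -> 203.0.113.77:4444
2024-03-01T09:03:05 DENY TCP 10.0.5.21:51026 -> 203.0.113.77:4444
2024-03-01T09:00:09 ALLOW TCP 10.0.5.33:49200 -> 198.51.100.8:443
2024-03-01T09:00:12 DENY UDP 10.0.5.33:49201 -> 198.51.100.9:53
2024-03-01T09:00:30 ALLOW TCP 10.0.5.40:49300 -> 10.0.1.10:443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Destinations the organization has approved for outbound traffic (constructed values).
EGRESS_ALLOWLIST = {"10.0.1.10", "198.51.100.8"}


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped rather than fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def _intervals_seconds(timestamps):
    """Seconds between consecutive attempts, in time order."""
    ts = sorted(datetime.fromisoformat(t) for t in timestamps)
    return [(later - earlier).total_seconds() for earlier, later in zip(ts, ts[1:])]


def find_phone_home_candidates(events, threshold=3, jitter_tolerance_s=5.0):
    """Return {src: details} for internal hosts whose blocked outbound attempts to
    one non-allowlisted destination/port reached `threshold`. If the gaps between
    attempts are nearly constant, the interval is reported as a beaconing hint."""
    attempts = defaultdict(list)
    for e in events:
        if e["action"] == "DENY" and e["dst"] not in EGRESS_ALLOWLIST:
            attempts[(e["src"], e["dst"], e["dport"])].append(e["ts"])

    alerts = {}
    for (src, dst, dport), stamps in attempts.items():
        if len(stamps) < threshold:
            continue
        gaps = _intervals_seconds(stamps)
        regular = gaps and (max(gaps) - min(gaps)) <= jitter_tolerance_s
        alerts[src] = {
            "dst": dst,
            "dport": dport,
            "attempts": len(stamps),
            # Average gap when the cadence is regular, else None
            "regular_interval_s": round(sum(gaps) / len(gaps), 1) if regular else None,
        }
    return alerts


if __name__ == "__main__":
    for src, info in find_phone_home_candidates(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {src}: {info['attempts']} blocked attempts to "
              f"{info['dst']}:{info['dport']} (interval: {info['regular_interval_s']}s)")
```

The single blocked DNS lookup from 10.0.5.33 stays below the threshold and produces no alert, which is the point of counting repeats: one stray denied packet is noise, while a workstation retrying the same external port every minute deserves a look and, where the device is mobile, possibly a remote wipe.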
Like any protective measure, everything we have just gone over is only good if it actually works in a real situation. For physical security, we could run a test with a delivery person who piggybacks on someone else heading into the office and then just walks around for a while. Sometimes they won’t be able to get very far before someone asks them where they are going, while other times they could be in there for hours, checking layouts, looking for passwords and raiding the bagel stash in the lunchroom.
For information security, we will want to run vulnerability scans for threats not only from the outside but also from within. Servers and workstations that have default or insecure values for some applications may be easily compromised. Checking for this manually across hundreds of systems can be extremely difficult, but there are plenty of programs and services that can help to automate the initial scans.
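As an added example of automating that internal check (not code from the article or from any scanning product), the Python below audits a constructed inventory of host configuration snapshots against a small baseline of default or insecure settings. The setting names, the check list and the severities are assumptions for this example; a real deployment would populate the inventory from a configuration management agent or scanner export. The fleet-wide summary is what makes this useful at scale: it shows which single fix would clear the most hosts.

```python
from collections import defaultdict

# Constructed inventory: one snapshot of settings per host. Field names and
# values are made up for this example.
INVENTORY = [
    {"host": "ws-001", "os": "windows", "smb1_enabled": True, "host_firewall": True,
     "admin_password_default": False, "remote_admin_open": False, "av_signatures_age_days": 1},
    {"host": "ws-002", "os": "windows", "smb1_enabled": False, "host_firewall": False,
     "admin_password_default": True, "remote_admin_open": True, "av_signatures_age_days": 40},
    {"host": "srv-db-01", "os": "linux", "smb1_enabled": False, "host_firewall": True,
     "admin_password_default": False, "remote_admin_open": True, "av_signatures_age_days": 3},
]

# Baseline checks: (name, severity, predicate that is True when the setting is unsafe).
# "remote_admin_open" models an admin service (RDP/SSH) reachable from any address.
CHECKS = [
    ("default-admin-password", "critical", lambda h: h["admin_password_default"]),
    ("host-firewall-disabled", "high", lambda h: not h["host_firewall"]),
    ("remote-admin-exposed", "high", lambda h: h["remote_admin_open"]),
    ("smbv1-enabled", "medium", lambda h: h["smb1_enabled"]),
    ("stale-av-signatures", "medium", lambda h: h["av_signatures_age_days"] > 7),
]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def audit_host(host):
    """Run every baseline check against one host; findings sorted worst-first."""
    findings = [{"host": host["host"], "check": name, "severity": sev}
                for name, sev, unsafe in CHECKS if unsafe(host)]
    findings.sort(key=lambda f: SEVERITY_RANK[f["severity"]])
    return findings


def audit_fleet(inventory):
    """Map each hostname to its list of findings."""
    return {h["host"]: audit_host(h) for h in inventory}


def summarize_by_check(fleet_findings):
    """Count affected hosts per check so remediation can be prioritized fleet-wide."""
    summary = defaultdict(list)
    for host, findings in fleet_findings.items():
        for f in findings:
            summary[f["check"]].append(host)
    return dict(summary)


def hosts_needing_attention(fleet_findings, min_severity="high"):
    """Hosts with at least one finding at or above the given severity."""
    cutoff = SEVERITY_RANK[min_severity]
    return sorted(h for h, fs in fleet_findings.items()
                  if any(SEVERITY_RANK[f["severity"]] <= cutoff for f in fs))


if __name__ == "__main__":
    results = audit_fleet(INVENTORY)
    for host, findings in results.items():
        print(host, [f"{f['check']} ({f['severity']})" for f in findings] or "clean")
    print("fix first:", hosts_needing_attention(results))
    print("by check:", summarize_by_check(results))
```

Running the block ranks ws-002 ahead of the others because it combines a default administrator password with a disabled host firewall, while the database server shows up only for its exposed remote-admin service. Treating the check list as data rather than code means new baseline items can be added as the organization's policy grows.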
Securing your endpoint
Protecting the endpoint really is one of the most intensive tasks that we can undertake. While it can potentially take a significant chunk of change to adequately protect endpoints, with the proper planning ahead of time it can be far cheaper than attempting to retrofit existing setups.
With that in mind, we want to be very aware at the outset that protecting the endpoint will help keep our devices, our networks and our people safe for years to come.