How does advanced endpoint protection work?
An advanced endpoint protection solution combines several complementary technologies. Its aim is to identify a potential threat as early as possible and prevent it from reaching the network or its data. Advanced tools also collect information that shows how the threat operates and how the endpoint can be made less vulnerable in the future. Endpoint security solutions typically rely on small software agents on each endpoint in the network to record data, send alerts, and carry out commands.
An advanced endpoint security solution may include several, or all, of the following technologies or capabilities.
Machine learning. Machine learning, a category of artificial intelligence, analyzes large amounts of data to learn the typical behaviors of users and endpoints. Machine learning systems can then identify atypical behavior and either alert IT staff or trigger an automatic security process. Machine learning-enabled security can scan endpoints for vulnerabilities, such as misconfigurations or a missed patch update. Machine learning is a key way to identify advanced threats against endpoints, as well as new or zero-day threats.
Security analytics. Security analytics tools record and analyze data from endpoints and other sources to detect potential threats. Security analytics can help IT professionals investigate security breaches or anomalous activity and determine what damage may have been done. IT departments can use security analytics to understand what vulnerabilities may have led to a breach and the actions that IT can take to prevent future attacks.
Real-time threat intelligence. Advanced endpoint security solutions can consume real-time threat intelligence from outside security vendors and agencies. Timely updates on the latest malware families, zero-day threats, and other trending attacks reduce the time from first encounter to containment. Examples of intelligence feeds are:
- The U.S. Department of Homeland Security's free Automated Indicator Sharing (AIS) service.
- The Ransomware Tracker, a Swiss security site that tracks the status of domains and IP addresses linked to ransomware.
- McAfee Global Threat Intelligence, a service that develops reputation scores for billions of files, URLs, domains, and IP addresses.
Device security. Smart, connected devices such as industrial controls, medical imaging systems, office printers, and network routers are ubiquitous. The number of internet of things (IoT) devices worldwide will reach 125 billion in 2030, according to data company IHS Markit. Many of these connected devices lack security and are vulnerable to cyberattack. A single unprotected device can potentially give an attacker entry to the entire network. In the case of industrial controls, a vulnerable device can enable an attacker to cripple key systems, such as electrical grids. Security solutions for these emerging endpoints may include whitelisting to block unauthorized software or IP addresses, and file integrity monitoring to detect unauthorized changes to configurations or software.
Endpoint detection and response (EDR). EDR isn't brand new technology, but it is more important today as threats increase in sophistication. EDR continuously monitors for suspicious endpoint or end-user behavior and collects endpoint data for threat analysis. EDR solutions may provide automated response features, such as cutting off an infected endpoint from the network, ending suspicious processes, locking accounts, or deleting malicious files.
Rising cybercrime and the increased sophistication of cyberattacks put all organizations at risk of attack. An attack that causes prolonged downtime, or the loss or theft of data, can significantly impact an organization. The National Cyber Security Alliance found that 60% of hacked small- to medium-sized businesses go out of business within six months of a significant, successful attack.
Organizations can minimize the risk of cyberattacks by implementing effective security solutions and practices. Advanced endpoint protection is a critical element of IT security, because any endpoint—whether it's a desktop PC, printer, or an industrial control—is a potential gateway into a network.
The reactive, static endpoint security solutions of a few years ago are no longer sufficient to keep enterprising hackers at bay, especially now that professional criminal groups and nation-states finance many of the attacks. Advanced, dynamic endpoint security technologies, such as machine learning, analytics, and real-time threat updates, are increasingly important to the security of IT systems and data.