Why endpoint security is important and how it works

Organizations and IT admins must understand the fundamental approaches that endpoint security platforms take to secure endpoints and defend against common threats.

Organizations often focus their security efforts on the data center and invest significant financial and intellectual capital to secure the centralized servers and storage that drive their productivity, but they may be overlooking endpoint security.

However, the data center's resources are useless without user endpoints that can access and manipulate vital business data from almost anywhere that a network connection is available. Therefore, IT admins must properly secure these endpoints and include them in security assessments just like any data center infrastructure.

Unfortunately, many organizations treat endpoint security as an afterthought while IT and business leaders make flawed assumptions about infrastructure, tools and staff. It's a scenario with all the makings of a serious security breach.

Endpoint security approaches

Risks of undermanaged endpoints in the enterprise

The client-server computing model is a tried and true approach to enterprise computing. The idea is to concentrate or centralize resources into a data center so IT can centrally manage the resources.

Endpoint security issues

A traditional example of this paradigm is everyday corporate email, where users employ email client applications such as Outlook to exchange messages through the email server application such as Exchange. These components run on a physical server located in the data center.

Endpoints pose particular security risks and challenges for any organization, and if attackers get access to the endpoint via a username and password, they can potentially wreak havoc on any organization.

There are five major security risks involved with managing endpoint computers.

  1. Lightweight credentials

In most cases, all it takes for an endpoint to log in to a corporate data center is a valid username and password. Too often, users compromise their credentials through common attack methods such as social engineering. Once an attacker has access, it's a relatively simple matter to read, copy or delete the valuable files and data authorized by that login. Advanced authentication techniques such as single sign-on (SSO) can exacerbate the risk by essentially logging on to every authorized application with the same credentials rather than requiring different credentials for each application.

Today, organizations are meeting endpoint credential risks with more aggressive endpoint security policies such as forcing periodic password changes, multifactor authentication (MFA) -- such as acknowledging a login through a user's personal smartphone -- comprehensive user activity logging and other analytics. This makes it easier to identify and address unauthorized access. Still, organizations face the challenge of balancing a user's productivity and ease of use with the security needs of the business.

  1. Meaningless security perimeters

Security software has traditionally employed a perimeter approach where endpoints operating within a perimeter -- such as an organization's local network -- could access applications and data. On the other hand, endpoints operating outside the perimeter -- such as endpoints connecting through an internet gateway -- cannot. The local endpoint was connected to a known network port, used a known local IP address and had to be a known and authorized endpoint.

Today, the inherent security of a perimeter is essentially meaningless. The proliferation of endpoint devices connected to the internet make it possible for users to operate almost anywhere that a network is available. Users can log in from desktops at work, laptops from home, tablets from hotels, smart devices from the road and so on. This means an organization must manage endpoint devices with more versatile and intelligent security tactics such as VPNs, endpoint validation -- checking the endpoint for a minimum OS and version of antimalware -- and comprehensive user activity logging.

  1. Diversity of endpoints

Endpoints pose a problem for enterprise IT because of their customizations. Unless organizations preconfigure endpoint devices, users will add their own customizations to each device or even work from their own devices. Each of these devices will have unique setups and configurations that may not support an organization's security needs.

Customized and varied endpoints present an endless array of potential threats such as unpatched operating system versions, missing or outdated antimalware tools and malware already present on the endpoint. And these issues don't even factor in the risks of zero-day threats.

Today, enterprise IT administrators employ VPNs and endpoint validation checks to ensure that an endpoint attempting to log on meets minimum setup, configuration and other system health criteria. This allows the business to verify that an endpoint is using a patched OS and updated anti-malware before allowing the endpoint to connect.

  1. Unattended automation

Automation has proved invaluable for data centers -- it can ensure consistency and reduce errors for many routine tasks. However, automation has its limits, and endpoint threats can be difficult to predict.

Two problems with automation are rule obsolescence and error handling. For example, consider an automation tool that checks endpoints' configuration and forces an OS upgrade or patch. The goal is to ensure that the endpoint meets a minimum configuration standard before allowing it to access the corporate network. But the rules and policies that are codified in the automation demand regular updates, which can be a significant amount of work for IT professionals.

A second issue is that automation rules may return an error such as a patch or update failing to install correctly. IT must make sure that the automation notifies the endpoint's user and an IT administrator when an error occurs. They will receive the details needed to remediate it, but the reporting component is essential for this process. Any issue with reporting will leave users confused and IT admins unable to help.

Social engineering is one of the most common ways for an attacker to gain access to business data.
  1. User behaviors

Risks that endpoint devices pose are often exacerbated by the users themselves. Businesses often rely on written policies and rules -- acceptable use policies -- which outline the requirements and expectations of endpoint users when accessing business resources. The problem here is that the business essentially defers critical security issues to end users. Trusting employees, customers, partners and other users to keep endpoints configured, patched and properly updated may lead to some additional vulnerabilities.

While it's always worthwhile for users to understand the terms of acceptable use and be aware of best practices, it's risky and unreliable for organizations to rely on users with little to no IT background to take an active role in endpoint management. Organizations can manage endpoints more effectively with tools designed to validate each system's configuration prior to login approval and monitor user activities for suspicious behaviors while the user is connected.

Different approaches to endpoint security

Knowing the most pressing risks involved, IT administrators can work to strengthen the security of endpoint systems used to access the enterprise data center. An organization will typically adopt an array of strategies and tools to provide a well-rounded and flexible security posture.

  • Use data encryption. What if an attacker manages to log in or access network traffic? Strong data encryption is the answer to this breach scenario and many others. Using encryption tools to encrypt email and business data at rest and in-flight can render sensitive data unusable even if a malicious actor gains access to the device, network or storage. The endpoints that store and access data should also support encryption.
  • Train employees. Social engineering is one of the most common ways for an attacker to gain access to business data. Tricking a user into simply giving up their login credentials can be much easier and quicker than brute force guesswork. Training alone isn't enough to ensure endpoint security, but outlining the security best practices -- along with regular reminders and alerts -- can go a long way to raising user awareness and preventing an easy vector of attack.
  • Employ endpoint security policies. Corporate IT departments can exercise control over the endpoints that log in and access business data. However, such control doesn't happen automatically; IT must establish it, enforce it and update it on a regular basis. Simple yet helpful examples of policies include group access and forcing regular password changes. Group access allows IT to organize users by type and allow or deny access based on group policies. These policies should always follow least privilege practices. Similarly, regular password changes make it much harder for attackers to guess a user's password.
  • Implement an endpoint security infrastructure. Endpoint security relies on the use of tools and software, so it's vital to evaluate offerings and select a tool set that best accommodates the organization's unique needs. The selected infrastructure and products must allow IT administrators to set and enforce aspects of endpoint security. The infrastructure may involve several layers of tools and services, including additional support for mobile device management (MDM) to validate devices and apps before allowing mobile devices into the corporate network.

One simple and common example is a VPN and client capable of enforcing OS and antimalware requirements on the endpoint before login access is complete. As another example, Microsoft Endpoint Manager is a tool capable of setting policies for a broad array of endpoint features, including antivirus, disk encryption, firewall, endpoint detection and response, attack surface reduction and account protection.

Dig Deeper on Windows OS and management

Virtual Desktop