How to Establish & Enhance Endpoint Security

Endpoint security has been around for decades, but changes in device use and the quick evolution of new attacks have triggered the development of new security techniques.

Eric Grenier, Director Analyst, Gartner

September 9, 2024

4 Min Read
Padlock on wooden door; hinge reads: ENDPOINT SECURITY
Source: Dzmitry Skazau via Alamy Stock Photo

Because of their large attack surface made up of different sets — including laptops, desktops, mobile devices, and servers — endpoints are becoming the primary targets of increasingly sophisticated attacks. This diversity is further complicated by the variety of operating systems (OSs) being run on those devices. In addition, the location of these devices is often no longer tied only to company networks, due to the increase in hybrid and remote work, and more server workloads moving to the cloud.

To meet the growing needs of security teams, the endpoint security market is constantly evolving, albeit at an incremental rate recently. Endpoint security has been around for decades, but changes in device use and the quick evolution of new attacks have triggered the development of new security techniques.

Below are four areas for security professionals to focus on to establish and enhance their endpoint security. While not a comprehensive list, this should help security experts, both new and established, understand the core concepts around endpoint security.

Baseline Security

Endpoint protection starts with strong baseline security. Organizations must make optimal use of all of the features their OSes and applications provide that can help with endpoint protection. To do this, security experts should:

  • Use consistent application deployment methods: Restrict application deployments to known sources. Layer on a workflow for updating and maintaining approved applications.

  • Perform configuration management: Configure OSes and applications for security. For example, use hardening guidelines and manage browser add-ons and client applications' security capabilities.

  • Use auditing and logging: Understanding events on an endpoint starts with auditing and logging the right security events, and with having a process in place to monitor for security events. Aim to establish a single source of truth for endpoint status.

While providing a foundation for baseline security, this list is not exhaustive. Security leaders should also look into actions that include managing vulnerabilities for all OSs and managing backups.

Endpoint Detection and Response

Endpoint detection and response (EDR) tools store and monitor endpoint events to detect and hunt for suspicious behaviors, and also provide response capabilities to those events. Common events that are monitored include, but are not limited to, execution events, registry events, file events, and network events.

EDR, in its purest form, does not interrupt running processes; instead, it analyzes the resulting events to search for known indicators of compromise or patterns that indicate malicious behavior.

EDR tools can be likened to a data recorder, or "black box," for the endpoint devices on which they are installed. These tools gather telemetry data about the activity happening on those devices and make it available for examination later. Of course, storing the recorded data is not nearly enough — an EDR tool must also be able to present the data to an administrator in a way that enables further analysis using both automated and human-driven means.

Automated Moving Target Defense

Automated moving target defense (AMTD) is an emerging technology that focuses on constantly changing the attack surface of a system or network. AMTD makes it harder for attackers to identify and exploit vulnerabilities by dynamically modifying the process structure, memory space, system configurations, software stack, or network characteristics. This proactive approach helps to improve cyber defense and mitigate the risk of successful attacks.

Endpoint defense with AMTD can include:

  • Enhancing memory defense through morphing or enhanced randomization

  • Augmenting confidential computing enclaves with AMTD proactive defense

  • Enhancing runtime software hardening (polymorphism of code or inputs)

  • Automatic endpoint self-healing from known good files storage

  • Applying AMTD to file storage or storage access channels (command and storage polymorphing)

AMTD for endpoints and endpoint software is a set of technologies that make it harder for attackers to reverse engineer and exploit endpoint OSes and software technologies. AMTD works by introducing unpredictable and frequent changes in the attack surface of the applications and OSs on which it is used.

Mobile Threat Defense

The mobile attack landscape has continued to grow and change with the increase of smartphone and tablet sales, and with the proliferation of bring-your-own-device arrangements in enterprises. Every year, we see new statistics claiming hundreds of percentage points of growth in mobile malware.

The MTD market includes vendors that use some combination of the following mobile protection methods for Android and iOS:

  • Behavioral anomaly and configuration detection

  • Malware detection

  • Protection against device attacks, network attacks, and malicious and leaky apps

  • Mobile anti-phishing protection

  • OS-, hardware- and application-based vulnerability assessment, monitoring, and compliance

  • Crowdsourced threat intelligence

Baseline security, EDR, AMTD, and MTD are just a few crucial tools security leaders can use to improve their endpoints' resilience against attacks. There continue to be many other layers of security designed to contribute to the protection of endpoints, and security leaders must take a holistic approach, as this topic is foundational for enterprises who will need to adjust their strategy for changing and increased variation in devices, agile work environments, and increasingly sophisticated security threats.

About the Author

Eric Grenier

Eric Grenier

Director Analyst, Gartner

Eric Grenier is a Director Analyst at Gartner working in the Technical Professionals Security Technology and Infrastructure team, focusing on Endpoint Security including endpoint protection and endpoint detection and response.

See more from Eric Grenier
Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.
Subscribe

You May Also Like

More Insights
Webinars
More Webinars
Events
More Events

Editor's Choice

Black background and white text saying Dark Reading Confidential
Vulnerabilities & Threats
Dark Reading Confidential: Pen Test Arrests, Five Years LaterDark Reading Confidential: Pen Test Arrests, Five Years Later
byDark Reading Staff
Sep 10, 2024
42 Min Listen
Digital flowchart abstract blue background. Computer software algorithm conceptual illustration.
Application Security
CISA Urges Software Makers to Eliminate XSS FlawsCISA Urges Software Makers to Eliminate XSS
byEdge Editors
Sep 17, 2024
2 Min Read
A canary in a coal mine
Cybersecurity Analytics
Infostealers: An Early Warning for Ransomware AttacksInfostealers: An Early Warning for Ransomware Attacks
byNate Nelson, Contributing Writer
Sep 18, 2024
4 Min Read
Reports
More Reports
Webinars
More Webinars
White Papers
More Whitepapers
Events
More Events