Endpoint security has seen significant change in the last decade. In 2010, the major endpoint security players, like Symantec/Norton, Trend Micro, McAfee, and many others, were primarily signature-based detection and prevention solutions. This meant the vendor found a malware sample, wrote a signature for it, and then pushed that signature down to each device so the device could detect that infection. This approach started to become ineffective in 2007, and by 2010, organizations were regularly getting infections even with endpoint security installed.
The first “next-gen” solution that used the cloud rather than the endpoint, and that detected and removed endpoint threats in real time, was introduced to businesses in February 2012. Instead of harnessing hundreds of threat researchers to find infections, it used machine learning, made collective threat intelligence about anything new instantly available to all endpoints, and removed the need for updates multiple times per day.
The main vendors reacted by adding more capabilities to identify malware and by using the cloud, with most launching cloud versions during the ensuing years. A whole new raft of next-generation products using machine learning/AI to predict and identify attacks also emerged.
Endpoint detection and response (EDR) also made an appearance in the past five years. This approach provides extensive security insights into attacks, infections and the “kill chain”, suggests how to deal with them, and provides telemetry data for security information and event management (SIEM) tools.
While EDR is useful to trained security analysts and for understanding the impact of attacks, its value varies depending on the organization using it. Some organizations get real value from it, but for most, EDR has not added greatly to their defenses because of the skills needed to harness the information it provides.
This brings us to today, where both next-gen and more conventional endpoint protection and endpoint protection platform technologies exist and are chosen by organizations depending upon their internal security skills.
Endpoint security (antivirus, in old terminology) is now viewed by most organizations as one layer (albeit a very important layer) of their security defenses, part of a more holistic approach to IT security. EDR is morphing into managed detection and response (MDR), reflecting the layered and more holistic approach businesses need in order to make up for their own shortage of IT security skills and to cope with the increased sophistication and number of attackers they now face.
Endpoint protection now must deal with ransomware, fileless attacks, phishing, predicting attacks, remediating attack damages, web threats and more. Endpoints and users present large attack surfaces, and attackers employ all of them to compromise endpoints and then their networks.
Features of the Most Advanced Endpoint Security Solutions
Endpoint security solutions differ greatly in the features and capabilities they offer to stop malware infections. Some are unique to the vendor concerned, some require higher security skills to operate, and some are generic and need to be part of every endpoint security solution’s arsenal.
Features can include:
- High-efficacy, real-time prediction of threats through advanced real-time machine learning, so threats are identified prior to execution and before they present a risk to the endpoint
- High-efficacy, real-time detection of threats and attacks, with low false positives and false negatives, that minimizes the attack success rate and the damage to the business's systems or user assets
- Protection from malicious URLs whether clicked in a web browser or within an email, which is key as phishing attacks are often spread through malicious URL links
- Anti-phishing defenses, which are integral in stopping users from leaking sensitive information or being compromised
- Web threat protection, needed as we spend our lives online, to protect browsers and users from shady websites or clicking on dangerous links
- Identity/credential protection, once more common in consumer solutions, now used to protect logon credentials and privacy by countering credential theft and more sophisticated attacks
- Application control via white- or blacklisting (allow- or denylisting), an essential feature of any endpoint protection defense, as it allows unwanted applications to be automatically blocked at each endpoint via policy
- Remediation, preferably auto-remediation, which is a huge cost- and time-saver for both users and administrators: it removes the need to reimage devices or take them out of production, and it avoids the losses that occur when infections are not fully remediated
- Script and exploit vulnerability protection, addressing many of today’s advanced attacks that use these methods to bypass endpoint security defenses
- Behavioral detection, often overlooked, but a protection feature of more advanced endpoint security essential to stopping attacks not seen by other prevention methods
- Granular policy management at user/device, group, and site/location levels, essential because, with any security, one size doesn't fit all; different policies allow more appropriate security rules to be applied for better-individualized prevention and protection
- Scheduled reporting and alerting, a time- and cost-saver, as well as a measure that keeps administrators informed of issues they need to address
- API integration with other security and endpoint management toolsets, which allows applications to communicate with each other
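To make two of the features above concrete, application control by allow/deny list and granular policy at site, group and device level, here is a small policy-resolution engine. It is an added illustration, not code from any vendor or product named on this page; the policy hierarchy, device and group names, and the `sha256:PLACEHOLDER_...` hash strings are all constructed for the example. The more specific layer overrides the broader one, and each decision carries a reason string that a reporting/alerting feature could log.

```python
"""Illustrative endpoint application-control policy engine (added example)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class Policy:
    """One layer of application-control policy (site, group or device level)."""
    allow: Set[str] = field(default_factory=set)   # executables explicitly permitted
    deny: Set[str] = field(default_factory=set)    # executables explicitly blocked
    default: Optional[str] = None                  # "allow"/"block"; None = inherit


# Constructed hierarchy for the example; the hash strings are placeholders,
# not real file hashes.
SITE_POLICY = Policy(deny={"sha256:PLACEHOLDER_REMOTE_TOOL"}, default="allow")
GROUP_POLICIES: Dict[str, Policy] = {
    # The finance group runs default-deny: only listed applications may execute.
    "finance": Policy(allow={"sha256:PLACEHOLDER_ACCOUNTING_APP"}, default="block"),
}
DEVICE_POLICIES: Dict[str, Policy] = {
    # One admin laptop is permitted the remote tool the site otherwise blocks.
    "fin-admin-laptop": Policy(allow={"sha256:PLACEHOLDER_REMOTE_TOOL"}),
}


def resolve_policy(group: Optional[str], device: str) -> Policy:
    """Merge site -> group -> device policy; the more specific layer wins."""
    merged = Policy(set(SITE_POLICY.allow), set(SITE_POLICY.deny), SITE_POLICY.default)
    for layer in (GROUP_POLICIES.get(group or ""), DEVICE_POLICIES.get(device)):
        if layer is None:
            continue
        # An explicit entry at a narrower level overrides the broader level's
        # opposite verdict for the same hash.
        merged.allow = (merged.allow - layer.deny) | layer.allow
        merged.deny = (merged.deny - layer.allow) | layer.deny
        if layer.default is not None:
            merged.default = layer.default
    return merged


def decide(policy: Policy, exe_hash: str) -> Tuple[str, str]:
    """Return (verdict, reason); the reason is what reporting/alerting would log."""
    if exe_hash in policy.deny:
        return "block", "explicit deny"
    if exe_hash in policy.allow:
        return "allow", "explicit allow"
    # Fail closed if no layer set a default at all.
    verdict = policy.default or "block"
    return verdict, f"default {verdict}"


if __name__ == "__main__":
    for group, device, h in [
        ("finance", "fin-admin-laptop", "sha256:PLACEHOLDER_REMOTE_TOOL"),
        ("finance", "fin-laptop-07", "sha256:PLACEHOLDER_REMOTE_TOOL"),
        ("finance", "fin-laptop-07", "sha256:PLACEHOLDER_UNKNOWN"),
        ("sales", "sales-laptop-01", "sha256:PLACEHOLDER_UNKNOWN"),
    ]:
        print(group, device, h, decide(resolve_policy(group, device), h))
```

The "most specific layer wins" rule is a design choice: it lets one device be granted an exception, but it also means a device-level allow can undo a site-level deny. Fleets that want certain denies to be absolute should keep site-level deny precedence rather than letting narrower layers remove entries from it.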
There are numerous other add-ons that business can use depending on their requirements, including:
- Patch management
- Vulnerability management
- Data loss protection
- Device control
- Asset management
What VARs and MSPs Need from Endpoint Security
Managed services providers (MSPs) and value-added resellers (VARs) need to look for solutions that provide:
- The ability to fully manage an endpoint remotely
- Deep (rather than basic) integrations with remote monitoring and management (RMM) and professional services automation (PSA) tools
- Full control of licensing
- A platform approach to security
- Multi-tenant management
- Easy deployment and removal
- Exceptional protection against ransomware
- Automated reporting and alerting
MSPs basically need a solution that does the work for them, as far as is practical, and so minimizes support, operational and infection-removal costs.
So, when an MSP chooses an endpoint solution, it needs more than great prevention and protection: the solution must also fit into the MSP's processes and procedures and work with the other services and management toolsets the MSP relies on to deliver profitable services to its clients.