What is endpoint security?
Endpoint security or endpoint protection is the process of defending endpoints — devices that connect to a network, like laptops and smartphones — from attack. Endpoint security can also involve blocking dangerous user behavior that could result in the endpoint device becoming compromised or infected with malware.
Organizations can use endpoint protection software to enforce security policies, detect attacks, block in-progress attacks, and prevent data loss. Because endpoints connect to internal corporate networks, endpoint protection is also an important component of network security.
There are many facets to endpoint protection, as threats can come from a variety of places. Common endpoint threat vectors* include:
Vulnerability exploits through a web browser
Social engineering attacks via email that result in users opening malicious files or links
Compromised USB devices
Threats from shared file drives
Usage of unsecured applications
Endpoint protection used to center on malware detection and prevention through the use of anti-malware or antivirus software, but today it has expanded to address these other threat vectors as well.
*In the security industry, "threat vector" means a source or channel that an attack can come from.
How does endpoint security work?
Endpoint security software uses one of two models:
In the client-server model, the software runs on a central server, with client software installed on all endpoints that connect to the network. The client endpoint software tracks activity and potential threats on the endpoint device and reports back to the central server. Usually, the client software can isolate or eliminate active threats if needed — for instance, by uninstalling or isolating malware on an endpoint, or blocking the endpoint from accessing the network.
In the software-as-a-service (SaaS) model, a cloud provider hosts and manages the endpoint software. SaaS endpoint software offers the advantage of scaling up more easily than the client-server model, as is usually the case with cloud computing services. SaaS-based endpoint software can also send updates to and receive alerts from endpoints even when they are not connected to the corporate network.
Typical endpoint security capabilities include:
Anti-malware: One of the most important components of endpoint security, anti-malware or antivirus software detects if malicious software is present on a device. Once detected, a number of actions are possible: the anti-malware can alert the central server or the IT team that an infection is present, it can attempt to quarantine the threat on the infected endpoint, it can attempt to delete or uninstall the malicious file, or it can isolate the endpoint from the network to prevent lateral movement.
Encryption: Encryption is the process of scrambling data so that it cannot be read without the correct decryption key. Encrypting the contents of an endpoint device protects data on the endpoint if the device is compromised or physically stolen. Endpoint security can encrypt files on the endpoint, or the full hard disk.
Application control: Application control allows IT administrators to determine which applications employees can install on endpoints.
What is anti-malware or antivirus software?
Anti-malware (or antivirus) software has long been an important aspect of endpoint protection. Anti-malware detects malware using four main methods:
Signature detection: Signature detection scans files and compares them against a database of known malware.
Heuristic detection: Heuristic detection analyzes software for suspicious characteristics. Unlike signature detection, this method can identify malware that has not previously been discovered and classified. However, heuristic detection can also result in false positives — instances when regular software is mistakenly identified as malware.
Sandboxing: In digital security, a "sandbox" is a virtual environment quarantined from the rest of a computer or a network. Within a sandbox, anti-malware software can safely open and execute potentially malicious files to see what they do. Any file that performs malicious actions, like deleting important files or contacting unauthorized servers, can then be identified as malware.
Memory analysis: Fileless malware runs using software that is already installed on a device and writes no malicious files to disk, so file-based scanning has nothing to inspect. Fileless malware can instead be detected by analyzing endpoint memory.
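The signature and heuristic methods described above, as an added example that is not part of the original article: a signature check looks up a file's SHA-256 digest in a database of known-bad hashes, and a heuristic check scores suspicious characteristics. The hash database, rule weights, threshold and sample files are all constructed for this illustration, and the benign admin script shows the false-positive problem the text mentions.

```python
import hashlib
from dataclasses import dataclass

# Constructed signature database: SHA-256 digests of known-malicious files.
# Both digests are derived from constructed byte strings, not real malware samples.
KNOWN_BAD_HASHES = {
    hashlib.sha256(b"constructed malicious sample #1").hexdigest(): "Constructed.Malware.A",
    hashlib.sha256(b"constructed malicious sample #2").hexdigest(): "Constructed.Malware.B",
}

# Heuristic rules: (byte pattern, weight). Weights and threshold are assumed for
# illustration; a real engine scores far more characteristics than substrings.
HEURISTIC_RULES = [
    (b"eval(", 2),     # dynamic code execution
    (b"base64", 2),    # encoded content, often used to hide a payload
    (b"http://", 1),   # contacts a remote server over plain HTTP
    (b"rm -rf", 3),    # destructive deletion of files
]
HEURISTIC_THRESHOLD = 4

@dataclass
class Verdict:
    method: str   # "signature", "heuristic" or "clean"
    label: str
    score: int = 0

def scan(content: bytes) -> Verdict:
    """Signature check first (exact match, no false positives), then heuristics."""
    digest = hashlib.sha256(content).hexdigest()
    if digest in KNOWN_BAD_HASHES:
        return Verdict("signature", KNOWN_BAD_HASHES[digest])
    score = sum(weight for pattern, weight in HEURISTIC_RULES if pattern in content)
    if score >= HEURISTIC_THRESHOLD:
        return Verdict("heuristic", "Heuristic.Suspicious", score)
    return Verdict("clean", "", score)

# Constructed inputs: a known sample, an unknown sample with malicious traits,
# a benign admin script that trips the heuristics (false positive), and a clean file.
SAMPLES = {
    "known":        b"constructed malicious sample #1",
    "unknown":      b"x = base64.b64decode(p); eval(x); os.system('rm -rf ~/Documents')",
    "benign_admin": b"# backup tool\nblob = base64.b64encode(data)\neval(cfg)",
    "clean":        b"print('hello')",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        v = scan(data)
        print(f"{name:13} {v.method:10} {v.label} (score={v.score})")
```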
What is endpoint detection and response (EDR)?
Endpoint detection and response (EDR) is an important category of endpoint security products that monitor events on endpoints and on the network. The features of EDR products vary, but all are able to collect data about activity on endpoints in order to help security administrators identify threats. Most can also block threats once they are detected.
Why is endpoint protection important for businesses and large organizations?
For individual consumers, endpoint protection is important but typically does not require dedicated endpoint security software. Many operating systems for consumers come with basic security protections already installed (such as anti-malware), and users can follow certain best practices to keep their computers, smartphones, and Internet activities protected.
Endpoint security is a larger issue for businesses, especially those that have to manage hundreds or thousands of employee endpoint devices. An insecure endpoint can be a foot in the door for attackers attempting to break into an otherwise secure corporate network. The more endpoints that connect to a network, the greater the number of potential vulnerabilities introduced to that network — just as more cars on the road increases the likelihood that a driver will make a mistake and cause an accident.
In addition, the potential impact of a successful attack on a business can be huge, resulting in a disruption of business processes, the loss of confidential data, or a damaged reputation.
What also makes endpoints an enticing target is that they can be difficult to keep secure. IT teams do not have regular, direct access to the computers employees use, nor to employees' personal devices like laptops and smartphones. By requiring the installation of endpoint protection software on devices that connect to a network, IT can remotely manage and monitor the security of these devices.
Securing endpoint devices became far more challenging with the increase of bring your own device (BYOD) environments over the last decade. The number of devices that connect to each network has increased, as well as the variety of devices. Endpoints on a network are likely to include not just personal smartphones and tablets, but also Internet of Things (IoT) devices, which run a wide variety of software and hardware (learn more about IoT security).
How does endpoint security relate to network security?
Endpoint security is part of keeping networks secure, since an unsecured endpoint provides a weak spot in a network for an attacker to exploit. But network security also includes protecting and securing network infrastructure, managing network, cloud, and Internet access, and other aspects not covered by most endpoint security products.
Today, the lines between endpoint and network security are blurring. Many organizations are moving to a Zero Trust model for network security, which assumes any endpoint device may pose a threat and must be verified before it can connect to internal resources — even SaaS applications. With such a model, endpoint security posture becomes important for allowing network and cloud access.
Endpoint security and Zero Trust
In a Zero Trust model, no endpoint is trusted automatically. Zero Trust requires checking every device for security risks regularly, often on a request-by-request basis. This may involve an integration with endpoint security solutions that monitor the endpoint for malware or other risks. Some Zero Trust and secure access service edge (SASE) vendors may provide this natively as well.
Such an approach means that potentially compromised endpoint devices are quickly isolated from the rest of the network, preventing lateral movement. This principle of microsegmentation is a core facet of Zero Trust security.
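The per-request posture check described in this section and in the paragraph on Zero Trust above, as an added example that is not part of the original article: the posture fields, the policy table and the example devices are all assumed for illustration, and no real Zero Trust product's API is used.

```python
from dataclasses import dataclass, field

@dataclass
class DevicePosture:
    """Signals an endpoint agent reports (field names assumed for this example)."""
    device_id: str
    antimalware_running: bool
    signatures_age_days: int
    disk_encrypted: bool
    active_threats: int            # detected threats not yet resolved on the device
    unapproved_apps: list = field(default_factory=list)

# Assumed policy: sensitive resources require a stricter posture than ordinary ones.
POLICY = {
    "wiki":    {"max_sig_age": 30, "require_encryption": False},
    "payroll": {"max_sig_age": 7,  "require_encryption": True},
}

def evaluate(posture: DevicePosture, resource: str) -> tuple[str, list[str]]:
    """Return ("allow" | "deny" | "isolate", reasons) for one access request.
    Called on every request: a device trusted a minute ago is re-checked now."""
    # A device with an active infection is cut off from every resource so the
    # compromise cannot move laterally (the microsegmentation principle).
    if posture.active_threats > 0:
        return "isolate", [f"{posture.active_threats} active threat(s) reported"]
    rule = POLICY[resource]
    reasons = []
    if not posture.antimalware_running:
        reasons.append("anti-malware not running")
    if posture.signatures_age_days > rule["max_sig_age"]:
        reasons.append(f"signatures {posture.signatures_age_days}d old "
                       f"(max {rule['max_sig_age']})")
    if rule["require_encryption"] and not posture.disk_encrypted:
        reasons.append("disk not encrypted")
    if posture.unapproved_apps:
        reasons.append("unapproved apps: " + ", ".join(posture.unapproved_apps))
    return ("deny" if reasons else "allow"), reasons

# Constructed example devices.
HEALTHY  = DevicePosture("lap-01", True, 2, True, 0)
STALE    = DevicePosture("lap-02", True, 12, False, 0)
INFECTED = DevicePosture("lap-03", True, 1, True, 1, ["unapproved-file-sharing-client"])

if __name__ == "__main__":
    for dev in (HEALTHY, STALE, INFECTED):
        for res in POLICY:
            decision, why = evaluate(dev, res)
            print(f"{dev.device_id} -> {res:8} {decision:8} {'; '.join(why)}")
```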
To learn more about Zero Trust, see What is a Zero Trust network? Or, learn about Cloudflare One, which combines networking and security services in one Zero Trust platform.
FAQs
What is endpoint security?
Endpoint security is the practice of defending devices that connect to a network from cyberattacks. It involves not only blocking malware but also preventing dangerous user behaviors that could compromise a device.
Why is endpoint protection particularly important for businesses?
Businesses must manage large numbers of devices. Each insecure endpoint acts as a potential entry point for attackers to access the broader corporate network. Centralized endpoint security allows IT teams to remotely monitor and secure these devices.
What are the different ways endpoint security software can be deployed?
There are two primary models for endpoint security: client-server and software-as-a-service (SaaS). In the client-server model, a central server manages software installed on each device. In the SaaS model, a cloud provider hosts the security platform, which allows for easier scaling and the ability to update or alert devices even when they are not connected to the internal network.
How does anti-malware software identify threats?
Modern anti-malware uses four main techniques: signature detection (comparing files to a database of known threats), heuristic detection (looking for suspicious characteristics in unknown software), sandboxing (testing files in a safe, isolated virtual environment), and memory analysis (inspecting endpoint memory for fileless malware).
What is endpoint detection and response (EDR)?
EDR is a specific category of security tools that goes beyond basic prevention by continuously monitoring events on endpoints and the network. These products collect detailed activity data to help security teams identify complex threats.
How does endpoint security fit into a Zero Trust architecture?
In a Zero Trust model, no device is trusted by default, regardless of whether it is inside or outside the network perimeter. Endpoint security provides the security posture data that Zero Trust systems use to decide whether to grant access to specific applications or resources.
How does endpoint security help protect data if a laptop is physically stolen?
Endpoint security solutions can encrypt specific files or the entire hard disk, scrambling the data so that it remains unreadable to anyone without the correct decryption key, even if they have physical possession of the device.