Facts About Endpoint Security Architecture

In the past, an endpoint in a security architecture meant any personal device used by an end user, such as a laptop or desktop. Today it also includes smartphones, IoT devices and any other device connected to a network.

Endpoints need to be secured because they are an easy point of entry into a network: end users can be deceived through social engineering, and the attacker then has access to the network.

Online connectivity has also expanded, which has increased the attack paths into a network. In this article, I will cover what you need to know about endpoint security architecture.

Before the advent of the internet, bad actors relied on floppy disks to spread malware: an infected disk inserted into a computer would infect it, and that computer would go on to infect other machines. The same applied to other removable media such as CDs and DVDs.

Before the internet, this attack path was limited in scope. The first endpoint security products were antivirus programs, designed to scan devices for malware.

Antivirus

An antivirus program looks for specific characteristics and fingerprints (signatures) of known viruses on a device. If it finds a document or program with those characteristics, it can quarantine or delete it.

All of this changed when businesses began to connect to the internet. Many more attack vectors became available to criminals, such as email phishing, infected websites, BYOD and social media. These new opportunities drove the growth of malware from tens of thousands of samples per year to hundreds of thousands per day.

Bad actors also began to exploit security flaws in operating systems, and applications like web browsers and MS Office increased the attack surface.

Polymorphic malware, which changes its own characteristics, then appeared. This made signature-based antivirus ineffective and led to the introduction of the Endpoint Protection Platform (EPP).

EPP technology aims to stop malware before it executes. It also prevents file-based malware, which is malicious code embedded in a file that, when opened, can harm the device. EPP is meant to prevent that, and it makes use of firewall-based security.

It provides many prevention-based services such as antivirus, device control, firewall, web filtering, and data protection through encryption. Device control is a built-in security technology that detects, authorises and secures removable storage devices.

Web Filtering

Web filtering is a technology that lets a network administrator control which websites users are allowed to visit. None of these techniques provides a complete remedy for endpoint protection.

Web filtering, for example, is not the whole solution, because malware can also be delivered as adverts on legitimate sites. Given the complexity of malware and attack paths, security professionals came to realise that it is difficult to block every attack path.

That is why a new strategy was developed, called Endpoint Detection and Response (EDR).

Endpoint Detection and Response (EDR)

EDR is software that detects, investigates and responds to malware threats. It began as a digital forensic investigation tool. It provides security analysts with threat intelligence and helps them analyse attacks and identify Indicators of Compromise.

This allows them to find malware that other controls have not detected and that may have been on the network for months or years. It also allows them to learn about attacks and record their characteristics.

It also allows security analysts to detect attacks in real time, and it comes with remediation tools.

Analysts can request more information from endpoints and work out probable solutions, for example using what they learn as the basis for blocking the specific IP addresses an attack is coming from. This solution also has its own shortcomings.

Some EDR products relied on manual methods that were time-consuming and too slow for fast-moving threats like ransomware. Configuring and using them also required analysts to review alerts, many of which turn out to be false positives.

That means EDR cannot detect all threats in real time, and it is also time-consuming for the analyst. Vendors responded to these shortcomings by introducing Managed EDR.

Managed EDR performs basic alert processing and notifies the analyst by email. EDR nevertheless remained too slow and too complicated, which led to the introduction of second-generation EDR.

Second-Generation EDR

Second-generation EDR was designed to be fast and automated. An analyst can now direct EDR to remediate problems and proactively address them immediately.

It is now configured to respond in a defined way when problems are detected. Malicious activity can trigger a response that blocks it before it does any harm, and the EDR can stop and roll back ransomware in real time.

 
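As an added example (not from the article), the Python below contrasts the two approaches the article describes: a signature check of the kind first-generation antivirus used, which a constructed variant with a few changed bytes slips past, and an EDR-style behavioural rule over constructed endpoint telemetry that flags ransomware-like mass file writes and hands the result to a pre-configured response playbook. All sample bytes, process names and events are constructed for illustration.

```python
import hashlib
import re
from collections import defaultdict

# Constructed stand-in for a known-bad file and the static signatures derived from it.
KNOWN_SAMPLE = b"CONSTRUCTED-SAMPLE-v1 dropper"
SIGNATURE_HASHES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}
SIGNATURE_PATTERNS = [re.compile(rb"SAMPLE-v1")]
# Constructed variant: same role, a few bytes changed, as polymorphic code does.
VARIANT_SAMPLE = KNOWN_SAMPLE.replace(b"v1", b"v2")


def signature_scan(data: bytes) -> bool:
    """First-generation AV check: match a known hash or a known byte pattern."""
    if hashlib.sha256(data).hexdigest() in SIGNATURE_HASHES:
        return True
    return any(p.search(data) for p in SIGNATURE_PATTERNS)


# Constructed endpoint telemetry: (seconds since start, process, action, path).
EVENTS = [
    (1, "winword.exe", "file_write", r"C:\Users\ada\Documents\budget.docx"),
    (2, "svc_upd.exe", "file_write", r"C:\Users\ada\Documents\budget.docx.locked"),
    (3, "svc_upd.exe", "file_write", r"C:\Users\ada\Documents\notes.txt.locked"),
    (3, "svc_upd.exe", "file_write", r"C:\Users\ada\Pictures\img01.jpg.locked"),
    (4, "svc_upd.exe", "file_write", r"C:\Users\ada\Pictures\img02.jpg.locked"),
    (5, "svc_upd.exe", "file_write", r"C:\Users\ada\Desktop\todo.md.locked"),
    (40, "backup.exe", "file_write", r"D:\backup\archive-2024.zip.locked"),
]


def behavioural_scan(events, window=10, threshold=5):
    """EDR-style rule: one process writing `threshold` or more files with a new
    extension within `window` seconds is ransomware-like. Returns flagged processes."""
    per_proc = defaultdict(list)
    for ts, proc, action, path in events:
        if action == "file_write" and path.lower().endswith(".locked"):
            per_proc[proc].append(ts)
    flagged = set()
    for proc, times in per_proc.items():
        times.sort()
        for i, start in enumerate(times):
            if sum(1 for t in times[i:] if t - start <= window) >= threshold:
                flagged.add(proc)
                break
    return flagged


def automated_response(flagged):
    """Second-generation EDR stage: a pre-configured playbook per flagged process."""
    return {p: ("suspend_process", "isolate_host", "restore_snapshot") for p in sorted(flagged)}
```

The hash and byte-pattern check catches the original sample but not the variant, while the behavioural rule flags the process regardless of what its file looks like.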

This allows EDR to address threats without necessarily removing the device. Security professionals then saw the need to merge EDR and EPP technologies, and the new technology includes the characteristics of both.

This merger also removes integration concerns, as it allows different anti-malware technologies to work together, and it comes with simplified configuration and management for analysts.

Combined EPP and EDR software now includes additional intrusion prevention controls that improve security hygiene, and it can neutralise malware at the pre-execution stage.

This includes the ability to identify critical vulnerabilities, which allows security teams to mitigate threats and create policies that address malware concerns. Machine learning was also added as part of the new capabilities, which further helps to detect malware at the pre-execution stage.

Fortinet Endpoint Security Product

Fortinet offers FortiClient and FortiEDR, which integrate fully with its other security products. They share intelligence and are managed centrally in what is called the Fortinet Security Fabric.

 

Action Point

PS: I know you might agree with some of the points raised in this article or disagree with some of the issues raised.

Please share your thoughts on the topic discussed. We would appreciate it if you could drop your comment. Thanks in anticipation.