
What is Endpoint Security/Protection?
The Majority of Business Devices are Smartphones and Laptops
The image of employees sitting in cubicles with desktops is starting to fade. Today business is mobile, and users are remote. Applications are leaving the data center and heading into the cloud. This shift has provided organizations with greater agility, higher productivity, and more opportunities. Unfortunately, it’s done the same for cybercriminals.

Don't Let Mobile Devices Be Your Weakest Security Link
- IT professionals need to adapt their infrastructures and cybersecurity posture to address new challenges.
- A top security concern is the ever-increasing mobile workforce and the cyber-attacks targeted at their devices.
- Endpoint devices, such as mobile phones and laptops, need to be secured, as do the network entry points they use.

In the event of a data breach, businesses and public sector agencies face tremendous costs—and even the potential for criminal penalties—for privacy law non-compliance. A breach can also cause significant damage to a brand or to your agency’s reputation.

Two Levels of Cybersecurity
There are two sides to providing endpoint security and combating cyber-attacks: on the edge and beyond the edge. Securing the network's edge and the mobile devices that lie beyond it requires two levels of cybersecurity. Mobile Entry Point Security protects networks and clouds from potential harm caused by connected mobile devices. EDR (Endpoint Detection and Response) protects the mobile devices themselves.
Mobile Entry Point Security
In an age of remote users and cloud applications, endpoint management and security are becoming the primary focus for IT professionals.
Mobile entry point security covers a range of technologies used to protect networks from remotely connected devices. Mobile entry points support the remote workforce with secure local access regardless of where and when they work. They can be integrated with other local security services such as secure web gateways and firewalls; this combination provides remote users with secure, direct access to the corporate network, their cloud-based applications, and the Internet.
With local mobile entry points, users get better performance and security than over public connections. For example, a mobile entry point in the same city as the user delivers consistently high performance, whereas one in another city or across the country adds latency and degrades performance.
Depending on the location of the workforce, IT professionals can have hundreds to thousands of mobile entry points worldwide. Mobile entry points with integrated security services such as Firewall-as-a-Service and secure web gateways are generally available through global service providers.
Entry points, and all integrated services, such as access control and cybersecurity, are managed by the corporate SOC team. Entry point security policies are enforced locally by the entry point.
Entry points with integrated firewall and secure web gateway technologies provide a broad spectrum of cybersecurity services.
Authentication – Mobile entry points provide authentication, which confirms that users are who they say they are. Once authenticated, the user is granted access to the sub-networks, clouds, and applications they are authorized to use.
Secure Connection – A secure (DTLS) connection is established between the remote user and the mobile entry point to provide encrypted communication across public networks. Some entry points also support VPNs for additional connection security with remote sites and partners.
QoS and Network Performance Monitoring – Mobile entry points can be integrated with performance monitoring services or have settings for predefined minimum QoS levels. Traffic from an overloaded, low-performing mobile entry point can be moved to another entry point with more available bandwidth.
As previously mentioned, mobile entry points can be integrated with other SOC-managed local security services, such as Firewall-as-a-Service and secure web gateway services. This combination provides a more complete cybersecurity posture.
Cyber Threat Detection – All traffic is inspected for threats. Depending on policies, access is halted and an alert is sent if a threat is detected. This could be malware from the connected device or from a cloud application or website.
DNS (Domain Name Service) – DNS filtering matters when remote users access the Internet: if the requested website is on the blocklist and known to be malicious, the access request is denied.
DLP (Data Loss Protection) – Outgoing traffic is inspected. Any communication is halted, and alerts are sent if it contains sensitive information such as security credentials, credit card details, or controlled documents. The service options can also monitor what is accessed, retrieved, or copied and report and block unauthorized activity.
Outbound Encryption – Confidential information leaving the network and destined for an authorized user or third party will be secured. The entire data set will be encrypted, or parts can be scrambled using tokenization to ensure confidentiality. The service can also support digital rights management and compliance management applications.
Application Usage – Remote access services can track user movement, actions, and behavior. The information provides visibility for IT professionals into how the network and cloud applications are used. It makes it easier to determine which applications are useful and gaining interest versus those that should be retired or updated. It’s also valuable to understand if users are accessing applications that are not authorized.
Mobile entry points and other integrated local security services provide IT professionals with the cybersecurity capabilities needed to protect their networks and cloud applications. They also provide users with secure and direct access to the corporate network, Internet, and cloud resources.
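The outbound DLP and tokenization steps described above, as an added Python example that is not part of the original page: the detection patterns, the salt value and the action names are assumptions, and the sample messages in the test are constructed.

```python
"""Added example (not part of the original page): a minimal model of the
outbound DLP and tokenization check an entry point applies to traffic
leaving the network.  Patterns and the salt are assumptions."""
import hashlib
import re

# Loose card-number pattern; the Luhn check below removes most false positives.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
CREDENTIAL_RE = re.compile(r"(?i)\b(?:password|passwd|api[_-]?key|secret)\s*[:=]\s*\S+")
CONTROLLED_DOC_RE = re.compile(r"\bCONFIDENTIAL\b|\bINTERNAL ONLY\b")


def luhn_ok(digits: str) -> bool:
    """True when the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def tokenize_card(pan: str, salt: str) -> str:
    """Replace a card number with a one-way token that keeps the last four
    digits, so the recipient can still refer to the card."""
    digest = hashlib.sha256((salt + pan).encode()).hexdigest()[:12]
    return f"tok_{digest}_{pan[-4:]}"


def inspect_outbound(message: str, salt: str = "example-salt") -> dict:
    """Apply the page's DLP rule: halt and alert on credentials or controlled
    documents; tokenize card numbers and deliver the rest of the message."""
    findings = set()
    if CREDENTIAL_RE.search(message):
        findings.add("credential")
    if CONTROLLED_DOC_RE.search(message):
        findings.add("controlled_document")

    def _scrub(match):
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_ok(digits):
            return match.group(0)          # not a real PAN, leave it alone
        findings.add("card_number")
        return tokenize_card(digits, salt)

    body = CARD_RE.sub(_scrub, message)
    if findings & {"credential", "controlled_document"}:
        action = "block_and_alert"
    elif "card_number" in findings:
        action = "deliver_tokenized"
    else:
        action = "allow"
    return {"action": action, "findings": sorted(findings), "body": body}
```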
Endpoint Detection and Response (EDR)
In general, mobile devices have integrated services to deter cyber threats. Unfortunately, cybercriminals have become experts at bypassing these safeguards.
Endpoint Detection and Response is a platform that provides additional cybersecurity for endpoints. As the name implies, EDR identifies cyber threats on laptops, desktops, and mobile phones and aids in their remediation. Cyber-attacks may include:
- Malware
- Device hacks
- Data loss / data exfiltration
- Spyware
Endpoint security with EDR generally requires an agent or software to be installed on the device. The agent continually monitors the device and logs events and activity. Ideally, the remote device is connected to the mobile entry point so that the log data can be polled continuously and exported for analysis. If the device is not connected, the log data is stored on the device and exported when it reconnects to the network.
The logs are analyzed to identify indicators of compromise (IoCs). IoCs are forensic data that indicate possible malicious activity. These indicators may include:
- Suspicious and erroneous login attempts
- Sudden growth or reduction in the volume of stored files/data
- Geographical location misalignment or frequent changes in location
- Sudden growth of new applications
- Suspicious registry or system file changes
- Large HTML response sizes or large data exports
- Increases in database read activity
- Continuous requests for the same file
- Mismatched port/application traffic
- User or device settings or profile changes
- Suspicious system patches
- Suspicious file names or extensions
- Unusual DNS requests
- Abnormally high utilization of system memory and CPU resources
The generated logs are typically ingested by a SIEM (Security Information and Event Management) system or similar system. These systems can be integrated into the endpoint security platform or operate as a separate service. They use real-time machine learning and AI to normalize, analyze, correlate, enrich, and categorize the data. The system compares the data output to:
- Existing threat profiles
- Preset parameters and policy rules
- Security data from other sources
- Any available behavior analytics
An alert is created if the process identifies a possible threat. Mundane and low-level security issues on devices are autonomously remediated by the endpoint security / EDR platform and other services using predefined playbooks.
Remediation may include:
- Performing a virus scan
- Installing or updating virus scan and other cybersecurity software and safeguards
- Installing a patch or software upgrade
- Reinstalling existing software and applications
- Resetting system profiles and configurations to factory defaults
- Repairing registries
- Changing passwords and other authentication credentials
- Temporarily isolating (locking out) a device from networks and clouds
- Redirecting the device to a remediation site/service
- Reverting the device to a previous ‘known good’ state
More severe, complex, and unique security threats can be enriched with additional contextual information and forwarded to the security team at the SOC (Security Operations Center) for further attention.
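The log-analysis, alerting and playbook-versus-escalation flow described above, as an added Python example that is not part of the original page: the three IoCs it checks come from the list above, while the thresholds, the playbook table and the sample events are constructed assumptions.

```python
"""Added example (not part of the original page): a toy version of the
log-analysis and triage step described above.  Thresholds, playbook table
and sample events are assumptions, not any vendor's defaults."""
from collections import defaultdict
from datetime import datetime, timedelta
import math

FAILED_LOGIN_LIMIT = 5               # failures per user inside LOGIN_WINDOW
LOGIN_WINDOW = timedelta(minutes=10)
TRAVEL_WINDOW = timedelta(hours=1)   # two countries inside this = misalignment
DNS_ENTROPY_LIMIT = 3.7              # bits per char; DGA-style labels score high
# Playbook table: (severity, automated action); None means escalate to the SOC.
PLAYBOOKS = {"failed_logins": ("low", "force_password_change"),
             "location_misalignment": ("high", None),
             "unusual_dns": ("high", None)}

def _entropy(label: str) -> float:
    """Shannon entropy of a hostname label, in bits per character."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def analyze(events: list) -> list:
    """Match agent events against three IoCs from the list above; one alert each."""
    alerts, failed, logins = [], defaultdict(list), defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "login" and ev["ok"]:            # geographic misalignment
            logins[ev["user"]].append((ts, ev["country"]))
            recent = {c for t, c in logins[ev["user"]] if ts - t <= TRAVEL_WINDOW}
            if len(recent) > 1:
                alerts.append({"ioc": "location_misalignment", "user": ev["user"]})
        elif ev["type"] == "login":                       # repeated failed logins
            window = [t for t in failed[ev["user"]] if ts - t <= LOGIN_WINDOW] + [ts]
            failed[ev["user"]] = window
            if len(window) == FAILED_LOGIN_LIMIT:
                alerts.append({"ioc": "failed_logins", "user": ev["user"]})
        elif ev["type"] == "dns":                         # unusual DNS request
            label = ev["name"].split(".")[0]
            if len(label) >= 12 and _entropy(label) > DNS_ENTROPY_LIMIT:
                alerts.append({"ioc": "unusual_dns", "name": ev["name"]})
    return alerts

def triage(alerts: list) -> list:
    """Attach severity and a disposition: automated playbook or SOC escalation."""
    out = []
    for a in alerts:
        severity, action = PLAYBOOKS[a["ioc"]]
        out.append({**a, "severity": severity, "disposition": action or "escalate_to_soc"})
    return out

SAMPLE_EVENTS = [  # constructed sample telemetry, not real data
    {"ts": "2024-05-01T09:00:00", "type": "login", "user": "dana", "ok": True, "country": "US"},
    *[{"ts": f"2024-05-01T09:0{i}:00", "type": "login", "user": "dana", "ok": False} for i in range(1, 6)],
    {"ts": "2024-05-01T09:30:00", "type": "login", "user": "dana", "ok": True, "country": "BR"},
    {"ts": "2024-05-01T09:31:00", "type": "dns", "name": "xk3f9qz1m7vw2p.example"},
    {"ts": "2024-05-01T09:32:00", "type": "dns", "name": "mail.example"},
]
```

Running `triage(analyze(SAMPLE_EVENTS))` yields one low-severity alert that a playbook handles and two high-severity alerts routed to the SOC.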
Endpoint security / EDR platforms vary in capabilities but provide similar benefits:
- Quick identification and remediation of cyber threats on mobile devices such as phones and laptops
- Unified security visibility of remote devices
- Unified endpoint threat and attack data
- Continuous improvement of threat identification and remediation processes
- Monitoring and plotting of cybersecurity trends
- Integration with other security tools and systems
- Knowledgebase creation for decision making and future planning
Consider an EDR/XDR Service
IT professionals need to adapt their infrastructures and cybersecurity posture to address threats facing endpoint devices. Providing a global network of mobile entry points, remote user authentication, security policy enforcement, and endpoint security can be challenging.
Many corporations have opted to use a professional cybersecurity provider instead of implementing a DIY (do-it-yourself) plan. They rely on leading EDR / XDR (Extended Detection and Response) providers for world-class network security. As a bonus, these organizations have experienced up to a 30% reduction in cybersecurity costs.
A professional EDR / XDR service encompasses nearly all the processes, technologies, and techniques used to deter, detect, contain, and remediate cybersecurity threats and attacks. That includes endpoint devices, mobile entry points, cloud applications, compute clouds, WANs, remote sites, and networks.

A Global Provider of Endpoint Security and Endpoint Detection and Response (EDR)
Please contact our customer advocates to learn more about our cloud-based EDR/XDR services. Learn more about a complete cybersecurity posture with MDR (Managed Detection and Response) or SASE (Secure Access Service Edge).

