
A Guide to Choosing an Endpoint Protection Solution


Modern endpoint protection solutions use a number of different methods to protect endpoints from security exploits. Today we explore the endpoint protection landscape with a closer look at what the current technologies have to offer and how InfoSec professionals can use them.

The information security landscape has grown steadily more complex over the last decade or so, as both the number and the variety of threats have increased. InfoSec professionals must keep on top of these threats and mitigate them as quickly as possible as they evolve. But the recent spike in publicly reported data breaches shows that there's room for improvement.

Of the different potential targets within an organization, one of the most open to successful attacks is the endpoint, or in other words, the device an end user uses to access internal corporate resources. The definition of "endpoint" has expanded considerably over the last decade as mobile technologies have become widely available and teleworking has become common. With this expansion come considerable changes in how an InfoSec professional must protect these resources.


Only a few years ago, it was relatively common for organizations to prohibit or restrict outside, externally controlled devices from accessing internal resources. This allowed InfoSec professionals to focus on the devices the organization controlled and, with that, on the environment from which internal resources were accessed. This level of control was significant in limiting the number and types of attacks that were possible from the endpoints. In modern networks, however, it is becoming more and more common for users to access internal organizational resources using employee-owned devices, commonly referred to as bring your own device, or BYOD. While this broader access increases the end user's productivity and flexibility, it also increases the risk of potential threats to the organization.

This article will take a look at what InfoSec professionals can do, and which technologies they can deploy, to decrease the risk of threats to the organization. These technologies are commonly lumped together under the moniker of Endpoint Protection products.

Antivirus & Anti-Malware

Note: There are a number of different features and technologies that are part of the complete endpoint protection suite. Each vendor has its own specific way of categorizing each of these and this article will attempt to lump each of the features under a high level umbrella.

The term antivirus has been around for a long time and its coverage over the years has extended exponentially as the threats have changed. Most vendors generally include their antivirus solutions under the higher level anti-malware category, which includes not just the detection and protection from viruses specifically, but also worms, Trojans, phishing and a number of other threats that target a device or group of devices.


Antivirus and anti-malware solutions use a number of different methods to protect the endpoint from exploitation, including:

  • Threat Signatures -- Once identified, many attacks have a specific signature that anti-malware companies can use to detect and mitigate a threat before it is allowed to take any action on the targeted endpoint device. The signature databases maintained by these companies are very large, which is both an advantage and a disadvantage. It is an advantage because a large number of threats can be detected and dealt with; however, it also means that considerable resources are needed to run through each of these signatures and match them against a scannable resource (files, network traffic, etc.).
  • Sandboxing -- The concept of sandboxing involves taking an untrusted application and allowing it to run in a very limited environment. The application is allowed to run and perform its function without access to the complete system or to other locally running services. In the past, this was often done via the implementation of virtual machines, where a technically savvy user could run the application and not worry as it would only be able to do a very limited amount of harm if triggered. Newer anti-malware solutions are attempting to make this concept work without the added technical steps and within the existing operating system instance.
  • Intrusion Detection/Protection -- Host Intrusion Detection Systems (HIDS) and Host Intrusion Protection Systems (HIPS) work hand in hand with signatures; these systems first scan a specific resource for a recognizable threat signature and, along with this, pass it through a heuristic analyzer/engine which looks for odd behaviors by the resource that are not expected to be seen. The major distinction between detection and prevention is that a HIDS will detect and alert a user/administrator of the potential threat, but not perform any further automatic action; a HIPS has a mechanism for automatically mitigating the detected threat.
  • Firewall -- The concept of a firewall is rather simple: don't allow unexpected traffic into a device. Most endpoints rarely offer a service or expect traffic (above layer 2) without first initiating the connection; because of this, it is common to lock down all inbound network ports on a device and only allow inbound traffic if the device initiated the connection first. It is the function of the firewall to perform this locking down and to keep track of the ongoing sessions, so that allowed traffic is permitted without disrupting the user experience while unpermitted traffic is blocked. (Note: in some packages this is not considered a part of the anti-malware component, but a separate component.)
  • Whitelisting/Blacklisting -- There can be times when a specific site or file could be labeled as a threat, but still need to be accessed. In this situation a whitelist can be used to automatically permit traffic from that specific site or allow a specific file to run. On the opposite end, there can be times when a specific site or file is not listed as a threat, but it is considered a threat by an organization. In these situations a blacklist can be used to specifically disallow traffic from the threat location or disallow the ability to run a specific file.
  • Rootkit Protection -- At a high level, rootkit protection is used to detect and mitigate a threat from a rootkit. A rootkit is a tool used by an attacker to take control of part or all of a device; there are several types of rootkits, but as with viruses their level of threat ranges from almost no real threat to the threat of losing complete control of a device and allowing the attacker the equivalent of root/administrative access.
  • Execution Protection -- There are two different types of execution protection: Data Execution Protection (DEP) and vendor specific. DEP is a feature that is built into most modern operating systems. At a high level, it operates by only allowing code to run from memory marked as executable, thus blocking potential threats that rely on executing code from the part of memory marked as data (non-executable). The vendor-specific type involves disallowing specific files or traffic from reaching areas on the local device from which a program could be executed; this second type can also be lumped together by vendors into their heuristic engine.
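The stateful host firewall described in the list above, as an added example (not code from the article or any vendor product): the endpoint offers no services, so unsolicited inbound packets are dropped, and inbound traffic is permitted only when it matches a session the endpoint itself opened. All addresses, ports and packets are constructed sample values.

```python
from dataclasses import dataclass

LOCAL_IP = "10.0.0.5"   # assumed address of the protected endpoint (constructed)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class StatefulHostFirewall:
    """Allows inbound traffic only for sessions the endpoint itself opened."""

    def __init__(self, local_ip: str):
        self.local_ip = local_ip
        # Session key: (proto, local_port, remote_ip, remote_port)
        self.sessions = set()

    def _key(self, pkt: Packet) -> tuple:
        if pkt.src_ip == self.local_ip:          # outbound packet
            return (pkt.proto, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return (pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port)  # inbound

    def filter(self, pkt: Packet) -> str:
        key = self._key(pkt)
        if pkt.src_ip == self.local_ip:
            # Endpoint initiated the connection: remember it so replies get in.
            self.sessions.add(key)
            return "ALLOW"
        # Inbound: permitted only if it matches a tracked session. The endpoint
        # is not expected to listen for unsolicited traffic, so anything else
        # is dropped (and is worth logging as a probe).
        return "ALLOW" if key in self.sessions else "DROP"

    def close(self, pkt: Packet) -> None:
        """Forget a session once it ends so stale entries cannot be reused."""
        self.sessions.discard(self._key(pkt))


def run_demo() -> list:
    """Constructed scenario: endpoint opens HTTPS, server replies, then an
    unrelated host probes SSH and a packet arrives for an untracked port."""
    fw = StatefulHostFirewall(LOCAL_IP)
    out = Packet(LOCAL_IP, 51000, "203.0.113.10", 443)
    reply = Packet("203.0.113.10", 443, LOCAL_IP, 51000)
    probe = Packet("198.51.100.7", 40000, LOCAL_IP, 22)
    stray = Packet("203.0.113.10", 443, LOCAL_IP, 51001)
    return [fw.filter(p) for p in (out, reply, probe, stray)]
```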

Configuration Management, Patch Management & More

Configuration management is a fundamental part of any endpoint management solution; since the focus of this article is not the configuration management solution itself, it will be covered at a high level. At its simplest, configuration management is used by an organization's engineers to control how specific devices are configured. This configuration is then monitored to ensure that it fits within the restrictions of the system configuration and the organization's device policy (i.e. no unauthorized programs running or system settings modified); for example, a popular option in the Windows world is the use of Group Policy.


Patch management (which can also be covered under the umbrella of configuration management) is a vital part of any organization. It involves ensuring that each managed device has all of the up-to-date patches; this includes operating system (OS) patches and application patches. As many can attest, simply failing to maintain the patch level of a device greatly increases the likelihood of it being exploited.

Another management system that is common is asset management. Asset management is used to keep track of an organization's devices to ensure that they are all tracked and maintained. These systems typically use a device discovery mechanism which goes out onto an organization's network and detects the devices that are connected; this information is then entered into a central database and augmented by the administrators to ensure that all devices have been accounted for.

Each of these different systems can be managed in an agent-based or agentless fashion. Agent-based solutions require that a separate piece of software is installed on the device, which communicates with a central system for its instructions. Agentless systems provide the same service without an installed application, typically through some type of remote access.

Device Policy

Device policy is a high-level umbrella category that includes a number of different policies affecting the devices within the organization, including device use, application policy, encryption, and Network Access Control, to name a few.

  • Device use policy -- How a device can be used and how it is allowed to be used are two different things. Some companies are small enough that little monitoring and control are required to maintain some level of consistency in device use, but most medium to large companies require a defined policy for what the devices are and are not allowed to be used for. This can include not only a written policy that employees are expected to follow but also an enforcement component. One issue that has come up in many different organizations is the implementation of Data Leak Protection (DLP). DLP is a fancy name for preventing internal company data from being transferred outside of organizational control. This can include everything from limiting external device access (flash or external hard drive) to monitoring email and cloud storage transfers.
  • Application policy -- There are specific applications that administrators take into account when building out devices for employees. This is due to a number of factors, but one of the biggest is stability and security. The ability to install external, unknown applications onto devices can quickly create a giant opening into the organization's internal information. The types of protection that are possible depend on the OS being deployed, so this will play a factor when implementing and updating these policies (an example of this is the protection of the Windows registry from applications). Limiting these applications and what they are allowed to be used for is part of a complete endpoint protection solution.
  • Encryption -- With the security of organizational information being of paramount importance, it is sometimes required to implement encryption on a device and on a device's communications with the internal organizational network. This encryption is enforced through an encryption or information security policy. Devices like laptops, tablets and phones are all large targets for attackers as they are much easier to steal and exploit. Some organizations take advantage of the more powerful small processors now available to encrypt the information on these devices, both at rest on the device and when it is transferred from the device to the organization's network.
  • Network Access Control (NAC) -- This is another feature that can be implemented on an organization's network. With NAC, the machine must go through an authentication session to validate its authority to connect to the network; without this authority, the device is not able to get a connection into the organization's internal network resources. Some organizations will allow some amount of unauthenticated access, but only as a way to reach the Internet (or organizational public resources) and not internal resources.

Mobile Application Management

Recent entrants into the world of information security are smartphones and tablets. While mobile phones have been around for some time, truly smart phones have only existed for the last 15 years or so and have gained considerable popularity over the last 5-10 years. On top of this, these devices have become more open and flexible and their hardware specifications have grown exponentially year over year.


Another trend is the wider support for Bring Your Own Device (BYOD) policies within organizations. For a long time employees were strictly required to keep their organizational programs and data on one device and their personal programs and data on another. This way the IS departments were able to carefully and tightly control what devices were allowed to do and how they accessed the organization's resources.

However, with the popularity of these more advanced mobile devices in the consumer market, it has reached a point where most employees would prefer to use a single device for both their personal and organizational programs and data. This of course has added an additional layer of security risk to organizations, and because of that, specific methods needed to be developed to properly secure these devices for organizational access while also retaining the personal aspects of the mobile device itself.

All of this wraps into what is commonly referred to as Mobile Application Management (MAM) or Mobile Enterprise Management (MEM). These solutions offer the ability to secure these mobile devices to the satisfaction of an organization's IS department; this includes the ability to provision and control access to internally developed applications, internal network access/access control, application versioning maintenance (updates and patch management), application configuration, and user/device authentication, among other things. Other features that are possible include remote wipe capability, anti-theft protection, data encryption and application sandboxing.

In summary, many factors complicate IT professionals' ability to properly secure access to an organization's devices and resources. However, careful planning, the use of the appropriate tools, and a highly skilled and organized IS engineering staff can make the job much easier. Of course, the endpoint is only one method of accessing an organization's resources. No IS strategy would be complete without endpoint protection, along with plans that address the other access points into the network (servers, network devices, physical security).

Read on to see a comparison of the top five endpoint protection solutions, intended to help you choose the right one for your organization.