Advanced endpoint protection protects systems from file, fileless, script-based and zero-day threats by using machine-learning or behavioral analysis. Traditional, reactive endpoint security tools such as firewalls and anti-virus software generally depend upon known threat information to detect attacks. But advanced technologies go several steps farther by using more proactive technologies, such as machine learning and behavioral analysis to identify potential new or complex threats.
These solutions use techniques that identify and block advanced threats based on factors such as their behavior and their interaction with other suspect software, blocking or containing “zero day” threats that may not have known or identifiable signatures. These platforms may also integrate with other security tools in order to consolidate event management and provide enterprise-wide visibility of suspect behavior for security operations personnel.
Organizations today need advanced protection against an increasingly sophisticated threat environment. Cybercrime is a highly lucrative undertaking, and with so much money at stake, cybercriminals have become adept at finding new ways to infiltrate IT systems. For example, blended attacks are common. These attacks use multiple, coordinated tactics, none of which would appear suspicious to traditional security systems. Zero-day threats are another common form of attack that standard signature-based scans cannot easily identify. The Trellix threat research team reports nearly 400,000 new types of attacks every day. Many of these involve minor alterations of existing malware, but they are different enough to elude signature scans alone.
An advanced endpoint protection solution includes several complementary technologies that identify a potential threat as early as possible and prevent the threat from entering the network or database. Additionally, advanced tools collect information to provide insight into how the threat operates and how the endpoint can be rendered less vulnerable in the future. Some endpoint security solutions rely on small software agents at each of the endpoints in the network to record data, send alerts, and implement commands. However, a few vendors have begun offering advanced endpoint protection in the form of a single-agent architecture—this is rapidly becoming the preferred form of protection, due to its lighter footprint, ease of deployment and management, and significant decrease in management task redundancy.
An advanced endpoint security solution may include several, or all, of the following technologies or capabilities.
Machine learning. Machine learning, a category of artificial intelligence, analyzes large amounts of data to learn the typical behaviors of users and endpoints. Machine learning systems can then identify atypical behavior and either alert IT staff or trigger an automatic security process, such as containing the threat, quarantining the endpoint, or issuing an alert. Machine learning is a key way to identify advanced threats against endpoints, as well as new or zero-day threats.
Security analytics. Security analytics tools record and analyze data from endpoints and other sources to detect potential threats. Security analytics can help IT professionals investigate security breaches or anomalous activity and determine what damage may have been done. IT departments can use security analytics to understand what vulnerabilities may have led to a breach and the actions that IT can take to prevent future attacks.
Real-time threat intelligence. Advanced security will have the ability to use real-time threat intelligence from outside security vendors and agencies. Real-time updates on the latest types of malware, zero-day threats, and other trending attacks reduce the time from first encounter to threat containment. Examples of intelligence feeds are:
IoT security. Smart, connected devices such as industrial controls, medical imaging systems, office printers, and network routers are ubiquitous. The number of internet of things (IoT) devices worldwide will reach 125 billion in 2030, according to data company IHS Markit. Many of these connected devices lack security and are vulnerable to a cyberattack. Potentially, a single unprotected device can provide a hacker entry to the entire network. In the case of industrial controls, a vulnerable device can enable an attacker to cripple key systems, such as electrical grids. Security solutions for these emerging endpoints may include whitelisting to block unauthorized software or IP addresses and file integrity monitoring to scan for unauthorized changes to configurations or software.
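The file integrity monitoring mentioned above, as an added illustration that is not Trellix product code: a baseline of SHA-256 digests is recorded for a trusted configuration tree, and a later scan reports files that were modified, added or removed. The directory contents (`plc.conf`, `firmware.bin`, `unknown.sh`) are constructed sample data.

```python
import hashlib
import os
import tempfile


def file_sha256(path):
    """Stream a file through SHA-256 so large firmware images are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root):
    """Record a digest for every file under root; this is the trusted state."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            digests[os.path.relpath(path, root)] = file_sha256(path)
    return digests


def scan(root, known):
    """Compare the current tree against the baseline and report drift by category."""
    current = baseline(root)
    return {
        "modified": sorted(p for p in current if p in known and current[p] != known[p]),
        "added": sorted(p for p in current if p not in known),
        "removed": sorted(p for p in known if p not in current),
    }


def demo():
    # Constructed sample: a fake device configuration directory.
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "plc.conf"), "w") as f:
        f.write("setpoint=70\n")
    with open(os.path.join(root, "firmware.bin"), "wb") as f:
        f.write(b"\x00\x01")
    known = baseline(root)
    # Simulate unauthorized drift: a changed setting, a missing image, an unexpected file.
    with open(os.path.join(root, "plc.conf"), "w") as f:
        f.write("setpoint=99\n")
    os.remove(os.path.join(root, "firmware.bin"))
    with open(os.path.join(root, "unknown.sh"), "w") as f:
        f.write("echo hi\n")
    return scan(root, known)
```

In practice the baseline would be stored off-device and signed, since an attacker who can alter the configuration can also alter a baseline kept beside it.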
Endpoint detection and response (EDR). EDR isn't brand-new technology, but it is more important today as threats increase in sophistication. EDR continuously monitors for suspicious endpoint or end-user behavior and collects endpoint data for threat analysis. EDR solutions may provide automated response features, such as cutting off an infected endpoint from the network, ending suspicious processes, locking accounts, or deleting malicious files.
Rising cybercrime and the increased sophistication of cyberattacks put all organizations at risk of attack. An attack that causes prolonged downtime, or the loss or theft of data, can significantly impact an organization—their reputation among both customers and shareholders may take a significant hit or they may be ordered to pay multimillion-dollar settlements, in addition to the direct cost of the breach itself.
Organizations can minimize the risk of cyberattacks by implementing effective security solutions and practices. Advanced endpoint protection is a critical element of IT security, because any endpoint—whether it's a desktop PC, printer, or an industrial control—is a potential gateway into a network.
Older reactive, static endpoint security solutions of a few years past are no longer sufficient to keep enterprising hackers at bay, especially with professional criminal groups and nation-states financing many of the attacks. Advanced, dynamic endpoint security technologies, such as machine learning, analytics, and real-time threat updates, are increasingly important to the security of IT systems and data, as they allow a greater number of threats to be identified in a shorter amount of time.