Here at The KR Group, we analyze more than a dozen areas in our most comprehensive risk assessment, the Purple Team Hive Assessment.
Like us, most security advisers include a review of endpoint security protection when they analyze your security posture.
When it comes to endpoint security protection, your security team should advise you on five questions:
- What is endpoint security protection?
- Why is endpoint security protection important?
- What does the defensive side of the security team look for?
- What does the offensive side of a security team look for?
- How do you ensure your endpoints are protected?
By answering these questions, your security team will ensure you know what they’re looking for and what your endpoint security protection should look like.
1. What is endpoint security protection?
As the name suggests, endpoint security protection is software that protects the endpoints of your network from malicious attacks.
It is your last line of defense against malicious attacks.
By the time you’re relying on your endpoint security applications, the attacker has found their way into your network through existing vulnerabilities.
Endpoint security is the last line of defense between threat agents and your sensitive data.
During an IT risk assessment, your security adviser will look for two forms of endpoint security.
Antivirus
Antivirus software protects your computer systems from a variety of malware, including viruses, adware, bots, bugs, ransomware, spyware, Trojans, and worms.
All malware is harmful to your environment, but how it operates depends on which form it takes.
To protect yourself from all types of malware you need to invest in antivirus or next-generation (next-gen) antivirus.
These forms of anti-malware can identify and block malicious threats before they cause chaos in your environment.
Antivirus relies on a known database of existing threats (signature-based) to identify malicious activity, so it’s important you keep up on updates.
Next-gen antivirus, on the other hand, incorporates AI and endpoint detection and response (EDR) to identify and stop malicious threats, including ones that slip through traditional signature-based antivirus.
Host-based Intrusion Prevention System (IPS)
While antivirus, including next-gen antivirus, provides one layer of protection, it is not infallible.
Another level of protection your security adviser will look for during a security assessment is host-based IPS, which provides a secondary level of protection to keep hackers from stealing your information.
Think of host-based IPS as a preventative alarm system for your network.
This application analyzes what is happening on your critical security systems, logs suspicious or anomalous activity, and finally blocks and reports it to the network administrators.
Some anti-malware products include host-based IPS capabilities, but in other cases, you may need to run a dedicated host-based IPS application.
2. Why is endpoint security protection important?
As we already discussed, endpoint security protection is the final stand against cyberattacks. That in and of itself makes it an important component of your security posture.
If you think of every technology endpoint (laptops, desktops, mobile phones, servers, etc.) as a window or door into your network, you want to ensure there is a way to protect each of those access points.
With physical security, locks provide one layer of protection, and adding a security alarm further enhances it.
Antivirus software and host-based IPS are similar in the sense that they identify threats, but they function differently and catch threats at different levels.
Having multiple layers of endpoint protection is important for providing redundancy to your security posture.
So, what does a security assessment look at when it comes to endpoint protection?
3. What is the defensive team looking for?
On the defensive side of your security assessment (the Blue Team of a Purple Team Hive Assessment), your security adviser will check to see if you’re using antivirus and/or host-based IPS.
The most common endpoint security vulnerabilities your security adviser will find are gaps at the patch level. This includes IOP (input/output operations) systems and third-party applications.
These gaps are ways attackers can sneak into your network and exploit you. By identifying them, the offensive team can come up with recommendations to avoid likely exploits.
They’ll also check whether your endpoint protection software is up to date and configured correctly, and how recently each endpoint was last logged into. A long gap since the last login points to a higher likelihood of lapses in that endpoint’s security.
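The following is an added example of the kind of "up to date and configured correctly" check the defensive review performs; it is not code from The KR Group or from the original post. It assumes a Windows endpoint running Microsoft Defender (the post itself is product-agnostic), and the 7-day signature and 30-day patch thresholds are illustrative assumptions.

```powershell
# Added example (not from the original post): a Blue Team style spot check of
# one endpoint's antivirus state, signature freshness, and patch level.
# Assumptions: Windows with Microsoft Defender; thresholds are illustrative.
param(
    [int]$MaxSignatureAgeDays = 7,
    [int]$MaxPatchAgeDays = 30
)

$findings = @()

# Antivirus engine and configuration. Signature-based detection is only as
# good as its last update, so signature age is checked explicitly.
$mp = Get-MpComputerStatus
if (-not $mp.AntivirusEnabled)          { $findings += "Antivirus engine is disabled" }
if (-not $mp.RealTimeProtectionEnabled) { $findings += "Real-time protection is off" }
if (-not $mp.BehaviorMonitorEnabled)    { $findings += "Behavior monitoring is off" }
if ($mp.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
    $findings += "Signatures are $($mp.AntivirusSignatureAge) days old " +
                 "(last updated $($mp.AntivirusSignatureLastUpdated))"
}

# Patch level: the most common endpoint gap described in the post.
$lastPatch = Get-HotFix |
    Where-Object InstalledOn |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
if (-not $lastPatch) {
    $findings += "No hotfix install dates found; verify patch status manually"
} elseif ((New-TimeSpan -Start $lastPatch.InstalledOn -End (Get-Date)).Days -gt $MaxPatchAgeDays) {
    $findings += "Last hotfix $($lastPatch.HotFixID) was installed on " +
                 "$($lastPatch.InstalledOn.ToShortDateString())"
}

# Report: each finding is a gap an assessor would raise in the report.
if ($findings.Count -eq 0) {
    "No endpoint protection gaps found on $env:COMPUTERNAME"
} else {
    $findings | ForEach-Object { "GAP on ${env:COMPUTERNAME}: $_" }
}
```

Run it per endpoint (or via remoting) and compare the findings list against your patch and protection policies.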
4. What is the offensive team looking for?
On the offensive side of a security assessment (the Red Team of a Purple Team Hive Assessment), your security team also looks for gaps. However, instead of simply looking to see if they exist, they look to see if they can exploit the gap without being noticed.
This practice is commonly referred to as penetration testing, and it refers to the offensive side’s efforts to gain access to your network using similar strategies as hackers.
If your security team’s attacks aren’t getting blocked or an attack isn’t being picked up, this is a signal of inadequate security coverage.
This could be from missing patches, misconfigured policies, or general exceptions. Whatever the cause, it’s something your security adviser will address in their report.
5. How do you ensure your endpoints are protected?
Your security adviser’s recommendations to mitigate your vulnerabilities when it comes to endpoint security will vary based on what your vulnerabilities are.
- If you don’t have any form of endpoint protection, your security adviser is going to recommend implementing it.
- If your antivirus isn’t filtering or catching threats within your environment, your security adviser may recommend you implement next-gen antivirus and host-based IPS if you haven’t already.
- If your security adviser is able to break into your IT network even with next-gen antivirus and host-based IPS running, they’ll look to see what gaps, misconfigurations, and/or missing policies are making you vulnerable.
A reputable security adviser remains product-agnostic while making these recommendations. Whatever the product, their security assessment aims at identifying ways to make your environment more secure than it was before.
You can read more about forms of endpoint protection on our blogs: