IT Pro's Guide to Endpoint Protection
Stop malware. Secure your business.


Introduction: Endpoint Security Terminology

Questions We'll Answer:

  • Why should I focus on protecting endpoints?
  • How are endpoints targeted and compromised?
  • What is the difference between traditional and next generation endpoint protection?
  • How do I protect my company's endpoints against ransomware and phishing?
  • How does endpoint protection fit in with a layered security approach?

What exactly does “endpoint” refer to these days?

In simple security terms, an endpoint can be any device that has the capability to connect to your network. Common examples include desktop computers, laptops, smart phones, tablets, printers, and point-of-sale (POS) terminals, etc.

Of course, if we take into account IoT “smart” devices the scope of that list can expand dramatically to include anything from your thermostat to your refrigerator to your car. Unless specified otherwise, for the purposes of this guide we’ll be focusing on the more traditional endpoint devices called out in the first list.

So what does “endpoint security” entail?

In a basic sense, think of it as any protective measures designed to prevent endpoint devices from being compromised or limit the negative impact if and when they are. Most people think of antivirus when they think of endpoint security, but there’s a lot more to it than that.

Okay, but what is “next generation” endpoint protection all about?

If you’ve been researching endpoint solutions you’ve probably noticed the term “next generation” gets thrown around a lot. Vendors and analysts have applied it to a wide variety of products, but in general it really just signifies an approach that attempts to improve upon the shortcomings of traditional A/V.

There are a lot of great questions to cover and we’ve got answers. So let’s get to it and dive in.


Why It All Starts at the Endpoint

Why should I focus on protecting endpoints?

With more and more devices connecting to our networks — the average employee uses at least three for work — it’s important to realize each one represents a possible entry point for attackers to gain access to data and launch their attacks. All it takes is one slip-up from a user for their machine to be compromised, and once that happens, attackers are in.

Did you know?

Nearly 50% of organizations are aware they’ve had endpoints compromised in the past 24 months [1].

Why do cyber attacks target endpoints?

For criminals, it’s all about playing the odds and going after the most vulnerable target. They only need to find one crack in a company’s defenses to launch a successful attack. The more individual users and endpoints they target, the more likely they are to find it.

While one user’s machine is a relatively small prize on its own, more importantly, it provides a foothold from which attackers can collect data, access credentials, and gather other information they can use to spread their attack.

How are endpoints targeted and compromised?

The majority of attacks start with a user visiting the wrong site or clicking something they shouldn’t in an email. Many of the high-profile breaches in recent years — the attacks on Sony and Target, the ransomware attack on Hollywood Presbyterian Medical Center — all began with a single user’s machine being compromised with the help of malicious emails and websites.

Did you know?

91% of successful data breaches start with attackers infecting an endpoint via a phishing attack [2].

Endpoints can also be extremely difficult to manage and regulate. Any time they’re connected to external networks, or any time users run software that isn’t patched and up to date, endpoints are exposed to attackers exploiting known vulnerabilities.

What are the biggest threats to endpoints?

  • Phishing: Attacks designed to trick users into clicking malicious links or opening malicious email attachments.
  • Spear phishing: Targeted phishing attacks that appear to come from sources the recipient knows and trusts.
  • Unpatched vulnerabilities: Flaws, bugs, or weaknesses in installed software that attackers can exploit until a fix is applied.
  • Malvertising: Attack campaigns that deliver malware payloads through ads placed on otherwise legitimate websites.
  • Drive-by downloads: Attacks that install malware as soon as the user visits a compromised website, typically by exploiting a vulnerability in the browser or a plugin, with no click required.

Attacks can take many shapes and forms. To get a better idea of how they can play out, let’s look at an example in action:

Example attack in action: VirLock ransomware

VirLock is ransomware that also acts like a parasitic virus, infecting files and spreading across systems, creating new, unique versions of itself every time a file is executed.


Stage 1: Initial infection

An employee receives an email that appears to be from a source he trusts. The email includes a link which the employee clicks on, but the website he is directed to looks a little strange. Meanwhile, malicious code on the website exploits a vulnerability in the employee’s web browser to download a copy of VirLock onto the employee’s machine.

By the time the employee closes out the web page VirLock has already installed multiple instances of itself on his computer.

Stage 2: Full endpoint compromise

Once on the employee’s machine, VirLock combs his computer looking for specific file types (which may include executable files, document files, image files, archive files, etc.). Once found, VirLock encrypts these host files, making them inaccessible. But it doesn’t stop there. It also infects them with its ransomware payload, priming the pump for further infection. Leaving behind even one infected file can kickstart the process all over again.

With the files encrypted, VirLock locks the employee’s screen and displays a ransom message disguised as a fine for copyright infringement. To unlock the machine and decrypt his files he is instructed to pay the fine in Bitcoin. Unless clean, offline backups exist, his only options are to pay up or accept that his files are permanently lost.

Stage 3: Infecting additional endpoints

Given the parasitic nature of VirLock, the presence of a host of infected files increases the chances infection will spread, and unfortunately the employee unknowingly shares one of the infected files with a coworker. Executing the file causes the process to repeat itself on the coworker’s machine.

Stage 4: Network infection

As the VirLock infection spreads throughout the coworker’s machine it also gains access to files stored on a shared network drive. From there, infection spreads rapidly to machines across the entire organization.

VirLock is just one example of the types of malware today’s attackers are utilizing to circumvent security and compromise their victims’ machines. Companies can utilize a number of approaches to try to detect, respond, and recover from infections like VirLock (more on those in Section 2), but the best way of minimizing damage is to prevent the infection from happening in the first place.

Since phishing is one of the most common delivery vehicles for malware, training users to spot phishing attempts and to adopt better security habits in general can go a long way to reducing your risk. But when mistakes do happen, the right endpoint protection can immediately cut an attempted attack short, before it has the chance to gain traction, do damage, and spiral out of control.

Benefits of Endpoint Protection

  • Stop attacks where they start: By cutting off an infection before it has a chance to spread you drastically reduce the costs and complexity associated with remediation.
  • Strengthen your “weakest link”: Shoring up your endpoints will raise your organization’s barrier to entry and solidify your security posture across the board.
  • Provide your users with a safety net: Everyone makes mistakes, and when that happens to one of your users, having their device protected can prevent the wrong click from becoming a catastrophe.
  • Keep machines up and running: Having even just one machine out of commission can be costly to a business. Strong endpoint protection helps you avoid downtime and keep important systems and files accessible.
  1. SANS 2016 Endpoint Security Survey
  2. National Counterintelligence and Security Center (NCSC)

Section takeaways

Endpoints are your first line of defense. Stop attacks there and you’ll dramatically reduce your risk of a data breach or greater system compromise.

Security awareness training combined with strong endpoint protection is crucial to protecting your organization as a whole.


Moving Beyond Antivirus: The Evolution of Endpoint Security

Endpoint protection has come a long way from just A/V

If you immediately think of antivirus when you hear the words “endpoint protection” you’re not alone. That close association has unfortunately resulted in the assumption that the only thing endpoint security consists of is running scans and installing updates (or, in other words, slowing your endpoints down).

That’s far from the case today, but before we look at the latest developments in endpoint protection, let’s quickly review how and why the security has evolved.

The rise and fall of signature-based endpoint protection

For all the innovation on the attacker side, up until recently the general approach to protecting endpoints has more or less remained the same — install software that scans files against a massive database of known malware. Flag anything that shows up as a match.

It’s basically like using fingerprints to identify criminals. And for a while, it worked. But it also left companies perpetually one step behind attackers:

  • Attackers create new malware and infect as many machines as possible before the malware can be discovered.
  • Security companies get their hands on a sample of the malware and create a “fingerprint” to add to their database. Now they know what to watch out for and block.
  • Attackers create a new version of the malware that doesn’t match the fingerprint on file.
  • Rinse and repeat.

For attackers, staying ahead in this game of whack-a-mole became all about accomplishing two things:

  1. Lengthening the window of time it takes to discover and detect their malware.
  2. Finding cheap ways to ramp up the production of new malware so security programs would have even more difficulty keeping up.

With those two motivations driving innovation, the game quickly began to change — and the good guys weren’t ready for it.

Did you know?

Over 390,000 new malware samples are reported every day [3].

Conscious of security’s reliance on signatures, criminals began packing and encrypting their code, splitting it into pieces, and introducing small mutations with every build (polymorphism). This allowed them to spin off countless variations of the same program, each with its own unique “fingerprint.”

These new malware programs all functioned the same way, yet by introducing even slight variations in the code attackers were able to slip them past signature-based security unrecognized and undetected.
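To make the signature problem concrete, here is an added example (not code from the guide or from any vendor) that builds a tiny "AV database" from one captured sample and then re-packs the same payload the way a polymorphic packer would. The payload string, the `PACK` header and the one-byte XOR "packer" are all constructed stand-ins; the point is that every byte a signature engine looks at changes between generations while the behavior inside does not.

```python
"""Why byte-level signatures lose to polymorphic malware.

Added example, not code from the original guide or from any vendor.
Everything here is a constructed stand-in: PAYLOAD is a harmless string
standing in for malicious code, and the "packer" is a one-byte XOR that
only serves to show how re-encoding with a fresh key changes every byte
a signature engine looks at, while the behavior inside stays identical.
"""
import hashlib

# The part of the malware that actually does harm. This is what stays
# constant from variant to variant (and what behavioral engines key on).
PAYLOAD = b"delete shadow copies; encrypt *.docx; drop ransom note"

MAGIC = b"PACK"  # constructed header so unpack() can recognize packed samples


def pack(payload: bytes, key: int) -> bytes:
    """Toy polymorphic packer: header + key byte + XOR-encoded body."""
    return MAGIC + bytes([key]) + bytes(b ^ key for b in payload)


def unpack(sample: bytes) -> bytes:
    """The work a sandbox or emulator must do before byte patterns can match."""
    if not sample.startswith(MAGIC):
        return sample
    key = sample[len(MAGIC)]
    return bytes(b ^ key for b in sample[len(MAGIC) + 1:])


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# --- the "AV database", built from the first sample that was captured ----
first_sample = pack(PAYLOAD, key=0x41)
HASH_SIGNATURES = {sha256(first_sample)}   # exact-file fingerprint
PATTERN_SIGNATURES = [b"encrypt *.docx"]   # YARA-style byte pattern


def scan_by_hash(sample: bytes) -> bool:
    """Classic blacklist lookup: is this exact file known bad?"""
    return sha256(sample) in HASH_SIGNATURES


def scan_by_pattern(sample: bytes, unpack_first: bool = False) -> bool:
    """Byte-pattern match, optionally after unpacking the sample."""
    data = unpack(sample) if unpack_first else sample
    return any(sig in data for sig in PATTERN_SIGNATURES)


def next_generation(previous: bytes) -> bytes:
    """The attacker's 'rinse and repeat': same payload, fresh key."""
    # Key 0 would be a no-op XOR and leave the body in the clear, so skip it.
    new_key = (previous[len(MAGIC)] + 1) % 256 or 1
    return pack(unpack(previous), new_key)


def coverage(sample: bytes) -> dict:
    """Which detection methods catch this sample?"""
    return {
        "hash": scan_by_hash(sample),
        "pattern_raw": scan_by_pattern(sample),
        "pattern_after_unpack": scan_by_pattern(sample, unpack_first=True),
    }


if __name__ == "__main__":
    sample = first_sample
    for generation in range(4):
        print(f"generation {generation}: {coverage(sample)}")
        sample = next_generation(sample)
```

Generation 0 is caught by its hash; every later generation evades both the hash lookup and the raw byte pattern, and only matches once the sample has been unpacked, which is exactly the work a signature engine cannot afford to do for every new file.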

Did you know?

70-90% of malware samples are unique to an organization [4].

Leaving users exposed to new malware variants while security companies scrambled to create signatures and push updates was a big enough problem already. Now there was malware that defied signature-based detection altogether. In order to solve this problem, endpoint protection needed to evolve.

What is the difference between traditional and next generation endpoint protection?

Fast-forward to today: Proven blind spots and overall dissatisfaction with existing signature-based solutions have created a vacuum of protection. New and existing security vendors are looking to fill that vacuum with a variety of solutions, many of which are being described as “next generation.”

Did you know?

Nine in ten organizations aren’t satisfied with their current endpoint protection and plan on replacing or augmenting it [5].

That common label isn’t very descriptive, and it can make understanding and differentiating these solutions difficult. To help clear things up, let’s look at what point during the infection process they actually detect objects as being malicious. After all, as we covered in the VirLock ransomware attack breakdown, when you’re able to detect and block malware can be just as important as how.

Different solutions target different stages of an attack


1) Threat intelligence

Identifying a new malware sample, creating a new signature for it, and adding it to a blocked list takes time — and during that time, companies are vulnerable.

One approach to minimizing these windows of vulnerability is to gather threat intelligence from multiple sources, looking for new security events that can be associated with previously unidentified malicious programs. Doing this in nearly real-time provides security monitoring and detection tools with a valuable source of additional info they can use to identify new threats more quickly.

The problem — as with any signature-based protection — is that in order for a threat to be identified and shared there needs to be at least one victim. Worse, attackers are increasingly using malware that integrates encryption, obfuscation, and polymorphism to effectively create a new version of itself on each new device it infects.

Threat intelligence is most often an enhancement or contributor to one or more of the other solutions in this list.

Example vendor: Webroot

2) Behavioral analysis

While its signature may change often, the fundamental ways a piece of malware operates typically do not. By monitoring programs in real time, solutions that use behavioral analysis look for tell-tale signs of malicious activity (for example, a process rapidly rewriting large numbers of user documents, or deleting volume shadow copies) and block those behaviors immediately, before the malware can do any harm.

Rather than reactively chasing after new malware samples to add them to a blacklist (remember, that’s 390,000 new samples generated every day), the benefit of blocking one malicious behavior is that it blocks a multitude of malware programs — including never-before-seen malware and even malware that has yet to be written. You are effectively kicking the legs out from under malware by blocking one or more critical functions it relies on to do its thing.

Vendors utilize behavioral analysis in different ways. When it is high-level and fairly general, organizations will use it for attack detection and incident monitoring. Others (like us here at Barkly) use specific and conclusive low-level information to actively shut down malware, stopping it in its tracks.
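The following is an added example of what a low-level behavioral rule can look like; it is not code from the guide or from Barkly’s product. It models the behavior described in Stage 2 of the VirLock walkthrough (one process rewriting many user documents with encrypted content in a short time) as a sliding-window rule over file-write events. The event format, process names, file contents and thresholds are all constructed for illustration; a real sensor would supply the events from a filesystem filter driver.

```python
"""Behavioral detection of ransomware-style file encryption.

Added example, not code from the original guide or from Barkly's product.
It models one behavior the VirLock walkthrough describes (a single process
rewriting many user documents with encrypted, high-entropy content in a
short time) and flags the process before it finishes. The event records,
process names, file contents and thresholds are constructed for illustration.
"""
import math
import os
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class FileWrite:
    """A file-write event as a filesystem filter or EDR sensor might report it."""
    ts: float      # seconds since boot
    pid: int
    process: str
    path: str
    data: bytes    # bytes written (a sensor would sample the first block)


USER_DOC_EXTS = {".docx", ".xlsx", ".pdf", ".jpg", ".txt", ".zip"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed data sits close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


class RansomwareBehaviorDetector:
    """Flags a process that rewrites many documents with high-entropy data
    inside a sliding time window. Counting distinct files is what keeps a
    single legitimate high-entropy write (a backup tool creating one zip)
    from tripping the rule."""

    def __init__(self, window_s: float = 10.0, min_files: int = 5,
                 entropy_threshold: float = 7.0):
        self.window_s = window_s
        self.min_files = min_files
        self.entropy_threshold = entropy_threshold
        self._recent = defaultdict(deque)   # pid -> deque of (ts, path)

    def observe(self, ev: FileWrite) -> Optional[str]:
        """Return a block verdict, or None if the event looks benign so far."""
        ext = os.path.splitext(ev.path)[1].lower()
        if ext not in USER_DOC_EXTS:
            return None
        if shannon_entropy(ev.data) < self.entropy_threshold:
            return None
        q = self._recent[ev.pid]
        q.append((ev.ts, ev.path))
        while q and ev.ts - q[0][0] > self.window_s:   # drop events outside the window
            q.popleft()
        touched = {p for _, p in q}
        if len(touched) >= self.min_files:
            return (f"BLOCK pid={ev.pid} ({ev.process}): {len(touched)} high-entropy "
                    f"rewrites of user documents within {self.window_s:g}s")
        return None


def run(events: List[FileWrite]) -> List[str]:
    """Feed events in order; collect every verdict that would block a process."""
    det = RansomwareBehaviorDetector()
    return [v for v in (det.observe(e) for e in events) if v]


# --- constructed sample event stream ------------------------------------
TEXT = b"Quarterly report: revenue up 4%, costs flat. " * 12   # low entropy
# 131 is coprime to 256, so every byte value appears exactly twice: 8.0 bits/byte
CIPHERTEXT = bytes((i * 131 + 7) % 256 for i in range(512))

SAMPLE_EVENTS = [
    FileWrite(1.0, 1200, "winword.exe", r"C:\Users\a\Documents\q1.docx", TEXT),
    FileWrite(1.5, 1200, "winword.exe", r"C:\Users\a\Documents\q2.docx", TEXT),
    # one high-entropy write to one file: legitimate backup, must not trip the rule
    FileWrite(2.0, 3100, "backup.exe", r"D:\backup\2016-05-01.zip", CIPHERTEXT),
] + [
    FileWrite(3.0 + 0.2 * i, 4444, "virlock.exe",
              rf"C:\Users\a\Documents\file{i}.docx", CIPHERTEXT)
    for i in range(6)
]

if __name__ == "__main__":
    for verdict in run(SAMPLE_EVENTS):
        print(verdict)
```

The rule fires on the fifth encrypted document, while the word processor (low-entropy writes) and the backup tool (one high-entropy file) pass. The thresholds are deliberate trade-offs: a batch compression job can rewrite many files quickly too, so a production engine combines several signals (shadow-copy deletion, ransom-note drops, extension renames) rather than relying on one.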

Example vendor: Barkly

3) Whitelisting and Blacklisting

As an administrative control, whitelisting — limiting the programs and applications authorized to run on an endpoint — is a proven approach particularly valuable to organizations with a very small and/or stable number of applications. Similarly, blacklisting — preventing specific applications from running — has been used to eliminate access to either unknown or untrusted programs.

While whitelisting/blacklisting is an effective way to ensure that only approved applications are allowed to run, building and maintaining a whitelist or blacklist in a typical environment is complex and time-consuming. Just think of the variety of programs and apps in use in your organization right now. How many are mission critical, how many are simply present, and how do you stay up-to-date on what the organization needs and approves?

Without this almost unheard-of level of software governance and control, whitelists and blacklists rapidly become frustratingly obstructive or sadly out of date. And as some well-known attacks have shown, the content of these lists can be manipulated by attackers with the appropriate stolen credentials, eliminating organizational confidence in the approach.

Advances in technology have made rolling out and enforcing smaller and special purpose whitelists and blacklists across organizations possible, but they remain unpopular as a standalone means of protection.
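As an added example (not from the guide or any vendor’s product), here is a toy policy engine that contrasts the two approaches: a default-deny allowlist keyed on file hash and non-user-writable directories, beside a blacklist that blocks by file name. The executables are constructed byte strings, the paths are constructed, and the decision order (explicit deny, then hash allow, then directory allow, otherwise block) is this example’s own choice, though it mirrors the usual allowlisting semantics.

```python
"""Allowlisting by hash vs. blacklisting by name (toy policy engine).

Added example, not code from the original guide or from any vendor's
product. The executables are constructed byte strings, the paths are
constructed, and the approved hashes are computed from those constructed
bytes. The decision order (explicit deny, then hash allow, then directory
allow, default block) is this example's own choice.
"""
import hashlib
from pathlib import PureWindowsPath
from typing import Tuple


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for real binaries.
APPROVED_CALC = b"MZ... calc.exe, the build IT actually tested"
UNVETTED_TOOL = b"MZ... a tool nobody has reviewed"
DROPPER = b"MZ... malware dropper"

# Allowlist policy: known-good hashes plus directories standard users cannot
# write to. Never put a user-writable directory here, or any file an attacker
# drops there will run.
ALLOWED_HASHES = {sha256(APPROVED_CALC)}
ALLOWED_DIRS = [PureWindowsPath(r"C:\Windows"), PureWindowsPath(r"C:\Program Files")]
DENIED_DIRS = [PureWindowsPath(r"C:\Users")]   # Downloads, Desktop, Temp live here

# Blacklist policy, for contrast: block by file name only.
BLOCKED_NAMES = {"dropper.exe"}


def _under(path: PureWindowsPath, root: PureWindowsPath) -> bool:
    """Component-wise containment check, so C:\\Windowsx does not match C:\\Windows
    the way a naive string-prefix test would."""
    try:
        path.relative_to(root)
        return True
    except ValueError:
        return False


def allowlist_decide(path: str, content: bytes) -> Tuple[str, str]:
    """Default-deny policy: returns (verdict, reason)."""
    p = PureWindowsPath(path)
    if any(_under(p, d) for d in DENIED_DIRS):
        return "block", "explicit deny: user-writable location"
    if sha256(content) in ALLOWED_HASHES:
        return "allow", "hash on allowlist"
    if any(_under(p, d) for d in ALLOWED_DIRS):
        return "allow", "trusted directory (only safe if users cannot write there)"
    return "block", "not on allowlist"


def blacklist_decide(path: str, content: bytes) -> Tuple[str, str]:
    """Name-based blacklist: allows anything it has not been told about."""
    name = PureWindowsPath(path).name.lower()
    if name in BLOCKED_NAMES:
        return "block", "name on blacklist"
    return "allow", "not on blacklist"


CASES = [
    (r"C:\Windows\System32\calc.exe", APPROVED_CALC),
    (r"C:\Program Files\Vendor\tool.exe", UNVETTED_TOOL),
    (r"C:\Users\alice\Downloads\tool.exe", UNVETTED_TOOL),
    (r"C:\Users\alice\Downloads\dropper.exe", DROPPER),
    (r"C:\Users\alice\Downloads\calc.exe", DROPPER),   # dropper renamed to evade the blacklist
]

if __name__ == "__main__":
    for path, content in CASES:
        print(f"{path:42} allowlist={allowlist_decide(path, content)[0]:5} "
              f"blacklist={blacklist_decide(path, content)[0]}")
```

The last case is the one that matters: renaming the dropper to calc.exe defeats the name blacklist but not the allowlist, because the hash does not match and the file sits in a user-writable directory. The trusted-directory rule is the weak spot of this policy, which is why the comment insists those directories must not be writable by standard users, and it is also the kind of rule an attacker with stolen admin credentials would try to widen.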

Example vendor: Bit9 component of CarbonBlack

4) Sandboxing / Virtualization

Of course, the most definitive way to determine whether or not a program is malware is to simply fire it up and let it do its thing — except, you know, over there, away from all the stuff you don’t want trashed or infected.

Sandboxing solutions (sometimes called containers) create an isolated environment in which that can happen without corrupting the host system. Files that have never been seen before can be executed in this partitioned environment to observe how they behave.

The problem with sandboxing is that well-written malware can usually tell when it is being executed in a virtualized environment (by checking for virtualization artifacts, the absence of user activity, or an unrealistically short uptime). Knowing this, it can hide its malicious behavior until it is passed back into the production environment, or it can simply refuse to execute.

For solutions that attempt to make every program and process operate within a container, there are high costs in terms of system resources. The enforced isolation can be a significant impediment for users. It’s also rare for sandboxing to yield obvious, conclusive results. Malicious behavior at this level can look very similar to legitimate behavior, so solutions often require trained analysts on staff to run and monitor the tests.

Example vendor: Bromium

5) Intrusion / Anomaly Detection

Operating on the assumption that endpoint breaches are inevitable, some vendors have shifted focus from prevention to post-infection detection, monitoring, and response. The primary goals their tools support are identifying when a breach has taken place, containing the infection, and gathering threat intelligence on the compromise to prevent additional breaches from taking place.

Simply confirming that a breach has in fact taken place is a valuable capability many organizations could benefit from. According to our recent survey on cybersecurity confidence, 33% of organizations currently don’t have the ability to determine whether they’ve suffered a breach or not. The ability to remotely isolate compromised endpoints is another appealing feature that can help prevent an infection from spreading.

But to take full advantage of these capabilities, intrusion detection solutions often require hands-on management by security analysts who are familiar enough with typical endpoint behavior to know when something is anomalous and requires further investigation.

In addition, when it comes to endpoint breaches, simply knowing you’ve been infected sometimes isn’t good enough. Ransomware provides the perfect example of how waiting to detect and respond to an infection until it’s already running can often mean you’re too late.

Example vendor: FireEye

6) Incident response and rollback

Our last group of solutions shares many of the elements of intrusion detection but adds continuous monitoring and recording of all endpoint and server activity into the mix. Not only does this allow you to maintain a clear view of what is happening before and during an attack, it also makes it possible to automatically restore affected machines to their pre-attack states.

The primary benefit of these solutions is reducing the costs and complexity associated with response and recovery. Without the continuous recording, security teams are left to piece together what happened manually from limited information and compromised sources.

Of course, any damage generated from the outset of an attack to the point of detection and response is damage done. Endpoints may be brought back online more easily, but any sensitive information accessed or stolen during that time has still been compromised.

Example vendor: CarbonBlack

  3. AV-TEST
  4. Verizon 2015 Data Breach Investigations Report
  5. CyberEdge Group 2016 Cyberthreat Defense Report

Section takeaways

Endpoint protection is much more than antivirus. Evolutions in malware have rendered A/V and other signature-based detection solutions ineffective on their own.

Next generation endpoint security solutions can utilize a variety of different approaches aimed at improving on the shortcomings of traditional AV. Choosing the best one(s) for you will depend on your organization’s infrastructure, needs, and priorities.


Where Endpoint Protection Fits in Your Security Stack

It’s prevailing wisdom that good security comes in layers. No single solution is perfect or all-encompassing. In order to protect your company against a wide range of scenarios it’s a good idea to invest in a variety of approaches that cover three fundamental bases — prevention, detection, and response.

To evaluate and improve your coverage across these areas here are three simple questions to ask, along with potential answers and solutions that can help:

Security stack layers



What are the best ways we can actively prevent breaches?

  • Gating and restricting access to our endpoints (firewalls)
  • Regulating which applications are allowed to run on endpoints (whitelisting and blacklisting)
  • Identifying and blocking malware attempting to execute on the endpoint (endpoint protection)
  • Making sure endpoint operating systems and applications are up-to-date (patch management)
  • Training endpoint users to adopt good security habits (awareness training)


What are the best ways we can determine if we’ve been breached or not?

  • Identifying anomalous behavior (threat/anomaly detection)
  • Monitoring for indicators of compromise (SIEM)
  • Identifying unauthorized or suspicious access (IAM)


What are the steps we can take to ensure we’re prepared to respond to a breach?

  • Clearly outlining what constitutes a breach, who is responsible for what in the event of a breach, and how internal stakeholders will be notified and kept up-to-date (security incident response plan)
  • Establishing reliable backup capabilities (backup and recovery solutions)
  • Developing evidence-collecting capabilities (forensics)
  • Developing procedures for if and when to notify customers, employees, legal advisors, law enforcement, and regulatory bodies, as well as how to respond to press and/or public inquiry (breach notification policies)

The case for focusing on prevention: Protecting endpoints from ransomware

The blind spots exposed in traditional signature-based solutions have prompted many vendors to give up on prevention and focus on enabling post-infection detection and response, instead. In many situations, however, simply knowing you’ve been infected isn’t good enough. Ransomware is a perfect example.

Did you know?

TeslaCrypt ransomware can encrypt a victim’s files and display its ransom demand in less than one minute.

Unless you have security in place that can actively prevent ransomware from the outset — before files and disks can be encrypted — detection and response will come too late.

Strong endpoint protection, along with security awareness training for employees, is the cornerstone of preventing ransomware attacks in the first place.

How does endpoint protection fit in with a layered security approach?

The goal of any good layered security approach is to generate coverage that is wide as well as deep. Not only does it place a variety of barriers between attackers and your assets, it can also help you get more bang for your buck by pairing together solutions that compensate for each other’s weaknesses and complement each other’s strengths.

Endpoint security is one of the core layers of basic protection. It provides a critical boost to essentially any other security technology you have in your stack:

  • Network monitoring and detection tools are more effective when infected endpoints aren’t flooding them with data and alerts.
  • Identity and access management (IAM) doesn’t hold up if attackers have infected a user’s machine and stolen credentials from it.
  • Firewalls can’t protect mobile and remote employees operating outside the firewalled network. Endpoint protection ensures they’re not left wide open to attack.

On the flip side, endpoint protection can benefit greatly from a good firewall that does some of the vetting before traffic actually reaches a machine. Having a bird’s-eye view in the form of security information and event management (SIEM) can also help identify unexpected traffic or requests that could signify an infection or insider threat.

How you prioritize building and adding onto your security stack should be determined by your own unique needs and priorities.

A final quick note on antivirus

For all the doubts regarding its continued relevance, the truth is A/V does still have a place in many organizations’ security stacks. Despite major shortcomings that produce blind spots for a large chunk of today’s malware, A/V technology can still be quite effective at blocking a vast amount of older malware that is still very much in use.

As with many security solutions, the mistake in utilizing A/V is thinking it can be effective on its own, without the addition of strong endpoint protection designed to detect and stop malware that has never been seen before.

Section takeaways

Good security comes in layers. Invest in approaches that cover three fundamental bases — prevention, detection, and response.

Not only is next generation endpoint protection critical for preventing threats like ransomware, it’s also central to enabling any other security technology you have in your stack.

Conclusion: Focus Your Efforts on the Endpoint

Malware is evolving fast. So is the technology companies are using to stop it. To stay ahead of the game, the best thing you can do is focus your efforts on a) preventing attacks in the first place; and b) installing protection that stops new and advanced attacks where they start — on the endpoint.

That is the clearest way to simplify security, reduce your costs, and transform your employees and endpoints into a reliable first line of defense.

Hate ransomware? So do we.

Want to stop the ransomware epidemic from damaging your company? Find out how Barkly blocks even new, never-seen-before ransomware by recognizing its malicious behavior and stopping it before damage is done.
