Remember the simple days, back when your organization could enforce security by keeping every device behind a perimeter like a firewall? Endpoint security management was a breeze with only one domain to worry about.
In this new era of remote work and boundless perimeters, the approach to managing endpoint security has evolved significantly. In this article, we’ll examine some of the key components necessary for effective endpoint security management in today’s landscape and how to overcome the challenges that come along with it.
What is endpoint security management, and why is it important?
Endpoint security management is your organization’s overall program to discover, manage and secure every device (or endpoint) that accesses your data.
With the advent of remote and hybrid work, employees’ devices reside outside the physical boundaries of your network the majority of the time. The mobility of laptops, tablets, smartphones and storage devices is a boon to employee productivity, but it entails the risk of connection over an unfriendly, often hostile internet.
Any device (endpoint) that contacts your network, whether to send data or receive it, is susceptible to attack. The most realistic IT perspective is that any device touching your data is an attack vector – a potential carrier of malware. That includes IT peripherals like printers and wireless access points, quasi-IT devices like hobby computers, and Internet of Things (IoT) devices like smart alarms and HVAC systems.
The proliferation of both the number and type of devices makes endpoint security management increasingly important. By some estimates, IoT devices already outnumber the traditional devices used for business productivity. It becomes imperative for IT teams to ensure that each device, or network endpoint, operates securely, shielding users and the business from cyberattacks and breaches.
Consider electronic devices ranging from pressure gauges on propane tanks for automated delivery to alarm systems, which used to have proprietary interfaces that all behaved differently. They offered high performance and a small attack surface. But as devices running high-level operating systems like Windows, Android and Raspberry Pi increased in number and decreased in price, they became more frequent targets of attack. No longer closed and proprietary systems, they’ve become more vulnerable.
In the traditional model of endpoint security management, you installed a software agent to the endpoint. Systems management software running on an appliance or server regularly polled all enrolled endpoints for information about any changes in hardware, software or user profile. That information was stored in a database for reporting.
While the basics are still similar, much has changed, especially with the shift to cloud management of some endpoints. Not all endpoint security can be monitored and managed the same way. For example, you can’t access a Chromebook externally to install an agent on it or try to manage or patch it; that has to be done through Google’s cloud infrastructure. To manage endpoint security on a Chromebook, you access the device through an API that moves data into and out of Google’s infrastructure. Either that or you use a systems management appliance to connect into your cloud workspace, then into the Chromebook. With a systems management appliance you can then monitor changes to the Chromebook, access inventory, assign ownership and manage its lifecycle.
Key components of endpoint security management
Overall endpoint security management goes beyond just managing devices, but it also encompasses staples of IT security.
Antivirus software
You don’t have true protection without antivirus protection. That extends to a backup system that will continuously monitor for changes caused by malware and ransomware. Also, you don’t have protection unless your antivirus software is always updated with the latest signatures. Most important of all, it should be entirely automated – updates, scans, quarantines, notifications – so that you’re not tempted to postpone it. Do you have an enterprise class anti-virus and malware solution that can distribute and report these critical statuses? If not, your systems management tool can probably act as a reporting feature returning definition version and dates as well as engine information.
Staying updated and patch management
Here it’s useful to distinguish between the operating system and your applications.
The operating system is a big target for updates and patches, especially in the case of a zero-day exploit, when you need to quickly deploy to and defend your endpoints. On the other hand, most people think of application patching by brand or software vendor; if you’re using Microsoft applications, then those are the updates you need to install.
But what about popular applications like video conferencing, web browsers and creative suites? Because patching and updates are less centralized for applications, businesses with large numbers of endpoints rely on systems management to keep most of their software up to date.
Modern management or perpetually enforced will typically allow you to patch these exploits as soon as they are published vs more traditional methods that are more scheduled based such as weekly or monthly recurring schedules. Both have their pros and cons, selecting one that aligns with your business needs and audit demands is critical against this fight.
General physical security
Although patching is important, security covers much more ground than that alone. If an enterprise asset like an endpoint is lost, stolen or forgotten in a hotel room somewhere, then your priority becomes locking or wiping it to prevent data loss. There’s also basic physical security, like controlling physical access to your data center and servers so no one pilfers or tampers with them.
The first rule of endpoint security management is knowing all the assets you have and maintaining an inventory that centralizes your continuous contact with them.
Depending upon the method of systems management, some tools using more modern methods also allow the ability to remote wipe, rotation of bitlocker keys as well as location tracking.
Policy management
Smart organizations make it clear that all use of endpoints, network resources and IT assets are subject to policies. One goal of policy management is to ensure that employees are not wasting company time searching online. But there’s a more important goal: mitigating the security risk inherent to letting people do whatever they want on the web and the network.
Examples of policies range from the commonplace (blocking screen capture) to the discreet (denying access to inappropriate websites) to the security-focused (requiring VPN access and RSA tokens). They extend to enforcing deny-lists and allow-lists for running applications and visiting websites. IT teams make policies in collaboration with management, then impose the policies according to user roles.
At a basis however, a least privileged environment should be a minimum standard, elevating applications and processes and removing all end user elevated rights.
Network access control
Besides enforcing how endpoints can be used, your IT team enforces decisions about who may and may not access your network.
Most network access control focuses on permission to read and copy files in certain folders or on particular servers. It also plays a role in ensuring that any endpoint attempting to access the network complies with policies and security measures. Examples include running up-to-date malware protection or a current version of an operating system.
Different software vendors provide additional tools for monitoring, whether real time change auditing or reporting regularly in an Enterprise report the status of your environment, whether it be O365, Exchange, Active directory, file systems or database servers.
VPN software
One way to enforce network access is with a virtual private network (VPN). A VPN adds security by encrypting all traffic between the endpoint and your network.
VPN is a venerable technology that spiked in popularity when pandemic lockdowns sent millions of employees home to work. Unfortunately, that sudden demand surprised the many organizations that didn’t have enough licenses to go around.
Once users are connected over a VPN, they have broad network access. That is a convenience for them but a security concern for IT, should an attacker manage to log on to the VPN. Security is therefore evolving toward the zero trust architecture, which continuously verifies user-access permissions (human and machine) to all requested resources (on-premises, cloud and hybrid). Zero trust involves removing vulnerable permissions, unnecessary access and excessive access in favor of specific delegation and proper provisioning with fine granularity.
VPN still plays a prominent role in endpoint security management. However, it shouldn’t be the only arrow in the IT security quiver.
A caveat to VPN connectivity to local resources for remote users is the need for a connection to have connectivity to local, on-premise systems management and patching tools. It is important in this scenario to have either a cloud based management tool or an on-premise tool correctly configured for connectivity to external clients without a VPM connected endpoint.
Current challenges of endpoint security management
Most of the obstacles to endpoint security management are similar to the classic obstacles around IT security in general.
Money and time
Endpoint security is not free; neither are the software tools on which it depends. In the early days, the cost made organizations think that those tools were a nice-to-have. As their value became more apparent, they became a should-have. Now, most organizations regard them as a must-have.
The time component is also onerous. If an IT pro’s time is valued at $100-150,000 a year, do you really want that person performing tasks that can be automated?
From not only a cost and time savings, but from an employee satisfaction and knowledge growth, wouldn’t you prefer your employees to being working on others projects instead of daily tasks that could be automated?
It may be true that patching endpoints costs time and money and is boring, but the exciting alternative – dealing with cyberattacks and ransomware – is not boring. That is a fitting perspective for the question of money and time.
Data loss
Data is the lifeblood of your business. If someone attacks you, and a ransomware attack starts deleting or encrypting files, you lose the data contained in those files. Most admins rest assured that their backups will save them, but in an era when attackers go for backups too, it’s unwise to think that.
Too many ransomware attacks involve unpatched devices, and malware that has been on someone’s computer for a long time. But by the same token, the patch that addresses that vulnerability has often been available for weeks, months or maybe years, and IT has not installed it yet. So, when a new zero-day exploit surfaces, you’re thrown into a race against time to patch all your endpoints. Bad actors know and exploit that by activating malware that has been on your computer for months on end.
Modern patch management, perpetual enforcement as it is commonly referred to, allows you to patch on a 24×7 basis. Typically a tool will update signatures from vendors for detection cycles fairly quickly after release and then based on policy can immediately apply and enforce.
Remote work
The pandemic forced a lot of people to use endpoint devices in unsecure conditions at home. They had used Wi-Fi routers and PCs for personal computing for a long time, but suddenly they had to rely on that same equipment for access to business networks. It was often a perfect storm of unsophisticated passwords, unprotected networking gear, inadequate antivirus protection, numerous SSIDs and post-end-of-life operating systems.
Even a well-configured organization endpoint could be at risk when connected to an unsecured home network. Imagine users trying to install software or connect a home printer to a corporate-issued device, yet failing because they don’t have administrator rights. In the rush to enable co-workers to get up and running remotely, IT staff sometimes granted those rights to them, putting the endpoints – and corporate networks – at even greater risk. A least privilege environment is a critical component of your endpoint security stance.
How endpoint security management reduces risk
The essence of mitigating risk lies in collecting all the hardware, software and user information about your endpoints, deriving insights and acting upon them.
Rapid deployment
When IT staff learns of a new exploit or vulnerability, their first question is “Are any of our endpoints affected by this?”
Consider a bug in a commonly used service in the operating system. The value of systems management software is that you can quickly identify the endpoints running that service and label them. Then you can decide how to address the vulnerability. That may involve writing a script, removing the offending software or disabling the service all over the network. With systems management insight, you can also identify the affected computers and patch them, either automatically or manually, based on the inventory your agents have been collecting for years.
An enterprise class imaging tool can also be of great assistance during an outbreak, whether to help rapidly reimage systems back to a known-good corporate state or as simply as the last outbreak with a common vendor, booting into a boot environment, running a custom script to remove certain vendor files and configuration or rebooting to login so your business can continue operations.
Known baseline image
Systems deployment is an aspect of endpoint security management that provides for deploying an initial image or overwriting an existing disk image (reimaging). Systems deployment automates the process of building, testing and refining a golden image for installation to all devices of a given model or for all users of a certain role.
Suppose that everyone who works in Sales receives a Dell Latitude 5320 with Windows 11 and a complement of licensed software. For imaging, you create and test a golden disk with all necessary drivers, operating system files and applications. That way every new employee receives an endpoint device that works the same.
Reimaging an existing device works similarly. The systems deployment software copies all the user files – those created in Word, Excel, PowerPoint, etc. – and stores them temporarily. Then it wipes the device completely clean, installs a new golden image and copies the user files back onto the new image on the device.
By deploying a known baseline image, you can initialize or reimage countless endpoint devices quickly and identically. Then, when a software vendor releases a new patch or update, you can test it on several lab machines running those images. Once you’re satisfied that the update does not break anything in your configurations, you deploy it across the organization the next time each device connects to the network. You can be confident that all your devices will run it without problems.
Systems deployment of a known baseline image spares you the headache of scrambling around your company with disks and USB drives. It also ensures that your endpoint security management does not interfere with user productivity.
Streamlined systems
Patching high-profile applications and endpoints is a routine task for enterprise IT teams. But in most IT environments, patches for third-party applications used across a business are not prioritized in those updates, or not included in provided patching tools. Thus, in many companies, third-party patch management entails additional systems and work for IT teams to maintain a secure environment.
Different endpoint security management systems for Windows, macOS, Linux, Android and iOS introduce friction and complications into managing endpoints. If you have four different systems, then you have four different places available for errors or to miss endpoint updates.
Endpoint security management aims to have streamlined systems and processes to avoid errors that can introduce vulnerabilities. Where perpetual enforcement of patching may seem desirable and in your environment achievable, there is still a need for release management and testing of patches before distributing to your user environment.
Key practices for endpoint management security
Vulnerability assessment
The centrally managed list of Common Vulnerabilities and Exposures is a repository of knowledge about vulnerabilities, incidents and remedies.
Vulnerability assessment is important because, as described above, most cyberattacks involve an unpatched device. In fact, most attacks involve malware for which patches have existed for weeks, months or years. But the devices are vulnerable because they haven’t yet been patched.
Depending on your environment, you may be faced with security audits that refer to these vulnerabilities and the ability to report on the application of patches to remedy the exposure. Ensure you have a systems management tool in place that can easily report on these statuses and preferably automate the delivery of these reports to the recipients on a recurring basis.
Immutable backup and recovery
Naturally, IT professionals regard backups as a component of endpoint security management. The problem is that threat actors are going after backups as well. The 3-2-1 backup rule – 3 copies of the data, 2 different media used for the backups, 1 copy offsite – is a good start. But there’s more you can do.
With immutable backups, you have a much better chance of surviving a ransomware attack unscathed. In an immutable backup, your backup software sets special attributes on the backed-up data. The attributes prevent the stored data from being deleted or even modified for as long as you specify. The effect is to make your backups read-only to everyone, including to you, to ransomware and to the manufacturer of the backup system. Immutable backup preserves your backup from attack and keeps it viable for endpoint security management. When auditing your backup environment or shopping for a new tool, this question should be at the top of your list.
Set permissions around devices that can access your data
It’s important to point out that endpoint security management is not the same as protecting your network. The two disciplines use different tools and execute different kinds of tasks. The strategic goal of endpoint management is to set permissions around devices that can access your data. That plays into zero-trust security and privileged access management.
Patch, secure, and manage every endpoint
Conclusion
In an era of burgeoning numbers and types of connected devices, anything trying to access your data is a potential attack vector. The most dangerous aspect of endpoint management is the belief that your organization won’t be breached. All businesses should plan on their endpoint devices being attacked eventually. Systems deployment solutions allow them to quickly image and reimage large populations of diverse devices, and systems management solutions enable them to easily roll out patches and updates organization wide.
In that environment, IT professionals turn to endpoint security management to ensure that they have a handle on all the assets they have and maintain an inventory for ongoing contact with and maintenance of those endpoints.
Ensure you invest and choose the right tools for your environment, cheap isn’t best and when you really need your tools working for you, ensure your software vendor also has a solid support network that is there to support you when you need it most.
