Endpoint security: What makes it different from antivirus solutions

Big-time emphasis is being placed on endpoint security. Trouble is: Ask three people what it is and you get three different answers. Michael Kassner tried to get some consensus.

The Year of the Rabbit started the third of February according to the Lunar Calendar:

"Emerging from the fierce Year of the Tiger, the lunar calendar now enters the Year of the Rabbit (or Year of the Hare), and the imagery is certainly of a more peaceable nature, although much of the trauma from the Tiger still continues to cause havoc across the globe."

When it comes to malware attacks, security pundits are in agreement. 2011 is going to have tiger-like ferocity. They anticipate the number of malicious threats, stolen identities, and drained bank accounts to skyrocket.

McAfee, Symantec, TrustDefender (links explain their perception), and other AV developers agree with analysts that things aren't going to get better anytime soon. Their suggestion: Endpoint security.

With impending computer Armageddon around the corner, I kicked into survivalist mode, learning more about endpoint security. What is it? Does it replace antivirus software? Or, is it an additional layer of security?

What is it?

My quest started at a recent security seminar. Ever the investigative reporter, I asked a few attendees.

"How do you define endpoint security?"

"A damn marketing ploy; it's just AV software with a different name."

Mind racing, I couldn't waste this opportunity. Next query was from my storehouse of incendiary questions.

"Are you saying endpoint security is the latest evolution of the antivirus conspiracy?"

To say the conversation became lively is an understatement. Having done my part and seeing that any meaningful dialogue about endpoint security was lost, I excused myself.

Real answers

Checking in with my normal sources, I got answers that made more sense, albeit less passionate. For instance:

  • In security-speak, computers are considered endpoints.
  • Endpoint security is a concept where each computer or endpoint is responsible for its own security.

Okay, but how is this different from previous AV applications? Actually there is a big difference. And, it might be why AV developers call it endpoint security instead of antivirus software.

To make sure, I contacted Rick Moy, president of NSS Labs. I have borrowed Rick's expertise several times, to write about antivirus programs and then ExploitHub. Dipping into the well one more time, I asked Rick what endpoint security meant to him:

Moy: The terms Endpoint Security or Endpoint Protection are generally used to refer to corporate products that include a range of security features. These typically include:
  • Malware removal based on existing signature files and heuristic algorithms
  • Built-in antispyware protection
  • Ingress/Egress firewall
  • IPS/IDS sensors and warning systems
  • Application control and user management
  • Data input/output control, including portable devices

Consumer products with similar features are generally referred to as Internet security suites. Endpoint security is used in contrast to network security products, which corporate IT managers are also responsible for.

Endpoints can be desktop PCs, laptops, mobile phones, or servers in a datacenter. Additional functionality is starting to appear in endpoint security products, such as:

  • Full Disk Encryption
  • Data Leak Prevention
  • Application Whitelisting

These additional features are relatively new and generally not very well integrated yet.

Consumer versus corporate

There is a difference between consumer and corporate editions. It amounts to how the application is managed. Most home networks consist of only a few computers and managing them individually is typically not a problem. Since there is no central administration:

  • Signature and application updates are received from the developer's control servers via the Internet.
  • Endpoint security apps are configured on each computer.
  • Alert and log entries are only available on the affected computer.

Corporate software uses a centralized server application. It's the only way to logically manage more than a few installations. Centralized administration allows:

  • Single sign-on web interface for configuring endpoints.
  • All log entries and alerts to be sent to one location, the controlling server.
  • Downloading of signature and application updates once, then the server application pushes the files out to all endpoints.
  • Setup and enforcement of a network-wide usage policy.

Why now?

Why now is a good question. Endpoint security came into being due to a paradigm shift in what is considered a network's perimeter. More and more people are using remote access methods to connect to work or home computers from a myriad of locations.

All this mobility means the network perimeter is no longer defined. That makes it impossible for centralized security devices to completely protect computers. Endpoint security supplements the effort, allowing computers to help defend themselves.

What to look for?

My intent was not to actually review products, but to explain what endpoint security is. Still, Rick may be able to shed some light on what to look for:

Moy: Buyers should not forget the main reason for endpoint security is to stop attacks. Products vary greatly, so look for a product with strong real-world protection against malware and exploits.

One example would be how well reviews rate an endpoint security application in preventing attacks from malicious websites. This exploit, along with many others, is tested by NSS Labs, along with evasion capabilities. We have new research coming out later this week.

Final thoughts

There you have it. Is endpoint security different? Yes. Is it important? I'd say so, especially if you are a mobile user or allow remote computers access to your network.

I want to extend my thanks to Rick Moy for his help.

