Endpoint security: What makes it different from antivirus solutions

Big-time emphasis is being placed on endpoint security. Trouble is: Ask three people what it is and you get three different answers. Michael Kassner tried to get some consensus.
The Year of the Rabbit () started the third of February according to the Lunar Calendar:

"Emerging from the fierce Year of the Tiger, the lunar calendar now enters the Year of the Rabbit (or Year of the Hare), and the imagery is certainly of a more peaceable nature, although much of the trauma from the Tiger still continues to cause havoc across the globe."

When it comes to malware attacks, security pundits are in agreement. 2011 is going to have tiger-like ferocity. They anticipate the number of malicious threats, stolen identities, and drained bank accounts to skyrocket.

McAfee, Symantec, TrustDefender (links explain their perception), and other AV developers agree with analysts that things aren't going to get better anytime soon. Their suggestion: Endpoint security.

With impending computer Armageddon around the corner, I kicked into survivalist mode, learning more about endpoint security. What is it? Does it replace antivirus software? Or, is it an additional layer of security?

What is it?

My quest started at a recent security seminar. Ever the investigative reporter, I asked a few attendees.

"How do you define endpoint security?"

"A damn marketing ploy; it's just AV software with a different name."

Mind racing, I couldn't waste this opportunity. Next query was from my storehouse of incendiary questions.

"Are you saying endpoint security is the latest evolution of the antivirus conspiracy?"

To say the conversation became lively is an understatement. Having done my part and seeing that any meaningful dialogue about endpoint security was lost, I excused myself.

Real answers

Checking in with my normal sources; I got answers that made more sense, albeit less passionate. For instance:

  • In security-speak, computers are considered endpoints.
  • Endpoint security is a concept where each computer or endpoint is responsible for its own security.

Okay, but how is this different from previous AV applications? Actually there is a big difference. And, it might be why AV developers call it endpoint security instead of antivirus software.

To make sure, I contacted Rick Moy, president of NSS Labs. I have borrowed Rick's expertise several times; to write about antivirus programs and then ExploitHub. Dipping into the well one more time, I asked Rick what endpoint security meant to him:

Moy: The terms Endpoint Security or Endpoint Protection are generally used to refer to corporate products that include a range of security features. These typically include:
  • Malware removal based on existing signature files and heuristic algorithms
  • Built-in antispyware protection
  • Ingress/Egress firewall
  • IPS/IDS sensors and warning systems
  • Application control and user management
  • Data input/output control, including portable devices

Consumer products with similar features are generally referred to as Internet security suites. Endpoint security is used in contrast to network security products, which corporate IT managers are also responsible for.

Endpoints can be desktop PCs, laptops, mobile phones, or servers in a datacenter. Additional functionality is starting to appear in endpoint security products, such as:

  • Full Disk Encryption
  • Data Leak Prevention
  • Application White listing

These additional features are relatively new and generally not very well integrated yet.

Consumer versus corporate

There is a difference between consumer and corporate editions. It amounts to how the application is managed. Most home networks consist of only a few computers and managing them individually is typically not a problem. Since there is no central administration:

  • Signature and application updates are received from the developer's control servers via the Internet.
  • Endpoint security apps are configured on each computer.
  • Alert and log entries are only available on the affected computer.

Corporate software uses a centralized server application. It's the only way to logically manage more than a few installations. Centralized administration allows:

  • Single sign-on web interface for configuring endpoints.
  • All log entries and alerts to be sent to one location, the controlling server.
  • Downloading of signature and application updates once, then the server application pushes the files out to all endpoints.
  • Set up and enforcement of a network-wide usage policy.

Why now?

Why now is a good question. Endpoint security came into being due to a paradigm shift in what is considered a network's perimeter. More and more people are using remote access methods to connect to work or home computers from a myriad of locations.

All this mobility means the network perimeter is no longer defined. That makes it impossible for centralized security devices to completely protect computers. Endpoint security supplements the effort, allowing computers to help defend themselves.

What to look for?

My intent was not to actually review products, but to explain what endpoint security is. Still, Rick may be able to shed some light on what to look for:

Moy: Buyers should not forget the main reason for endpoint security is to stop attacks. Products vary greatly, so look for a product with strong real-world protection against malware and exploits.

One example would be how well reviews rate an endpoint security application in preventing attacks from malicious websites. This exploit along with many others are tested by NSS Labs, along with evasion capabilities. We have new research coming out later this week.

Final thoughts

There you have it. Is endpoint security different? Yes. Is it important? I'd say so; specially if you are a mobile user or allow remote computers access to your network.

I want to extend my thanks to Rick Moy for his help.


Information is my field...Writing is my passion...Coupling the two is my mission.


I think we will also have to look at tools like UAG which classify endpoints and decide how close to the core network the device needs to be.


Dear Michael, once again I ask you to check the InZeroSystemsdotcom website. I paid for the first patent in 2001 I recall, and now we have 83 patents and an office in the DC area. I'm a disabled US VN vet who went to computer school in 1961, but KNEW the explanation the inventor described to me was 100% security (which they hate me to say)) and so I've sponsored it for near 10 years and now, IT'S READY to buy & use. Banks, gov't's and more are doing so now!! H20's


As the infrastructure becomes more and more virtualized, the role of security must become more agile. Yet this premise contradicts security's underlying premise - to be measured against a known good standard. Most security protocols work on two standards, a known good and known bad. If an item is designated in either standard an appropriate action can be taken. But, when everything but the endpoints is in flux, the standard becomes difficult to define and even harder to implement. Yet, through all of the variations, the endpoints remain fairly constant at this stage. Because of this, the view is shifting to protect the ends and survive the middle. If I can provide thorough security on origin and destination, then the delivery can be hostile. I hold the view that the network is becoming simpler and will one day be like a highway without a lot of oversight. A few "police" agents to keep things running and standardized rule sets for normal operations. Yet our cars have keys, car alarms, windows, intelligence, communications, etc.


There is one important difference. The endpoint scheme realizes that virus infection can originate on a client -- from infected files being manally loaded on the client--and will attempt to isolate it on the client, protecting the server and other clients in the network. The only problem is, if a virus' signature is not on the client database, it won't be on the server database either. There should also be a piece of hardware running strong Hueristics and dumping the files somewhere for further examination. The advantage to that is that the hardware appliance is not susceptible to being infected itself, as the viruses are designed to infect computer OSes and not hardware appliances.

Michael Kassner
Michael Kassner

I did not think so at first, but there is. And, it is an important difference.

Michael Kassner
Michael Kassner

UAG has more to do with resources and data. It is vital to have this as well. My concern is that UAG could be defeated if the endpoint is compromised.

Michael Kassner
Michael Kassner

"Protecting the ends and surviving the middle" has a great deal of significance. Thanks for mentioning it.

Michael Kassner
Michael Kassner

I was under the impression that endpoint security typically incorporated heuristics as well, AV apps as well. Is that not the case?

Editor's Picks