Endpoint Security

An endpoint, in the context of a computer network, is a remote computing device that communicates back and forth with a network to which it is connected.

Examples of endpoints are:

• Desktop computers
• Smartphones
• Servers
• Internet-of-Things (IoT) / Embedded devices

In a more extended definition of endpoint, it may include as well:

• Virtual machines
• Applications

In the context of an organization, term “endpoint” is used to differentiate these devices mostly from firewalls and network devices that are not considered to be final recipients or consumers of information.

On the other hand, end user devices are those used directly by end users.

This post is an overview of IT security aspects on endpoints, or what is called endpoint security (EPS).

Endpoints can have antimalware software, like for example, an antivirus.

The challenge of endpoint security is the sheer volume of data that they can create.

Confidential computing is a technology that protects data in use, even while being processed thanks to the use of protected CPU enclaves.

Endpoint Security Mechanisms

List of endpoint security mechanisms:

• Antivirus (AV)
• Antimalware
• Endpoint detection and response (EDR)
• Extended detection and response (XDR)
• Managed detection and response (MDR)
• Advanced Threat Protection (ATP)
• User and entity behavior analytics (UEBA)
• Endpoint protection platform (EPP)
• Endpoint data loss prevention (DLP)
• Host-based IDS (HIDS)
• Whitelisting and Blacklisting
• Microsoft Group Policy to check baseline)

Endpoint Detection and Response (EDR)

Endpoint detection and response (EDR) extends the functionality of antivirus by adding the following functionalities:

• Analyzing endpoint for signs of malicious activity
• Isolating malicious activity automatically
• Integration with threat intelligence sources
• Integration with other incident response mechanisms

UEBA

The difference between EDR and UEBA is that the first focuses on the endpoint while the second one in the user.

XDR

An example of XDR is Wazzuh. Wazzuh is a combination of XDR and SIEM. It is FOSS.

Wazzuh official website

Endpoint Security Hardening Guides

There are different organizations that issue hardening guides, as for example:

• CIS Benchmarks
• DISA STIGs
• CCN-STIC Guides

CIS Benchmarks

CIS (Center for Internet Security) is a non-profit organization promoting protection against cyber threats. It is based in New York, USA.

There are CIS Benchmarks on different topics, including OS. You can find them on this link.

CIS Benchmarks relevant to endpoint include:

• Microsoft Windows Desktop
• Microsoft Windows Server
• Ubuntu Linux
• Apple iOS
• Google Android

The CIS Benchmarks are available to be downloaded from this link.

DISA STIGs

The Defense Information Systems Agency (DISA), that belongs to the Department of Defense (DoD) of the USA, develops Security Technical Implementation Guides (STIGs) for different operating system.

DISA develop and upload STIGs that are uploaded to the public STIG Document Library of the portal DoD Cyber Exchange, and can be access from this external link.

CCN-STIC Guides

CCN (National Cryptologic Center, from the Spanish Centro Criptológico Nacional) is a public organization of Spain, dependant on the CNI (National Intelligence Center, from the Spanish Centro Nacional de Inteligencia), the Spanish official intelligence agency.

CCN publishes a set of guides, referred as CCN-STIC (from the Spanish Seguridad de las Tecnologías de Información y Comunicaciones) guidelines and recommendations related to cybersecurity. They are mostly oriented to Spanish public administrations and their collaborating organizations.

CCN-STIC guides are grouped in series. The existing series are listed on this link.

500 guide series is related to Windows environment, and can be found on this link. 600 guide series are related to other non-Windows environments.

Regarding endpoint, we can find the following CCN-STIC guides:

• Windows
  • CCN-STIC-522A Windows 7 (domain client)
  • CCN-STIC-522B Windows 7 (independent client)
  • CCN-STIC-559A Windows 10 (domain member client) group contains:
    • CCN-STIC-559A Windows 10 Security (domain member client)
    • CCN-STIC-599A18 Windows 10 Security (domain member client)
    • CCN-STIC-599A19 “Windows 10 Security Settings (domain member client)”
  • CCN-STIC-599B Windows 10 (independent client) group contains:
    • CCN-STIC-559B Windows 10 Security (independt client)
    • CCN-STIC-599B18 Windows 10 Security (independent client)”
    • CCN-STIC-599B19 “Windows 10 Secure Settings (independent client)”
• Non-Windows
  • CCN-STIC-617 Implementación de seguridad sobre Suse Linux Enterprise 12 (cliente independiente)
  • CCN-STIC-619 Implementación de seguridad sobre Centos 7 (servidor independiente)
  • CCN-STIC-684 Publicación Segura de aplicaciones y escritorios virtuales con Citrix

There are other guides more specific to specific functionalities in Windows desktop OS, like:

• CCN-STIC-512 Gestión de Actualizaciones de Seguridad en Sistemas Windows
• CCN-STIC-529 Seguridad en Microsoft Office 2013
• CCN-STIC-596 Protección de sistemas con AppLocker
• CCN-STIC-885E Guía de configuración segura para Microsoft Defender for Endpoint

Endpoint Security depending on OS

• Linux Endpoint Security
• Windows 10 Security
• Android Security
• iOS Security

You might be also interested in…

• IT Security
• Windows 10 Security
• Android Security
• iOS Security

External references

• M. Chapple et al; “CISSP Study Guide Ninth Edition”, pp. 556-559; Wiley, 2021
• M. Chapple et al; “CISSP Study Guide Ninth Edition”, section “Malware Prevention”, pp. 1006-1009; Wiley, 2021
• CCN; “Nueva guía sobre configuración segura para Microsoft Defender for Endpoint“; CCN
• Microsoft; “Implementing security rules” [with Microsoft Endpoint Manager]; Microsoft
• Microsoft; “Learn about endpoint security“; Microsoft
• Gartner; “Roadmap for Improving Endpoint Security“; Gartner
• Gartner; “Competitive Landscape: Endpoint Protection Platforms“; Gartner