Knowledge What is Endpoint Security? Explaining its Importance in the Zero Trust Model and Best Practice at Overseas Offices

Along with the popularization of cloud services and teleworking on a global level, endpoint security is entering the spotlight. First, we are going to describe the definition of an endpoint in the zero trust model and then outline the importance of endpoint security.

An endpoint is an arbitrary device connected to a network. Such devices include desktop PCs, laptop computers, smartphones, tablets, and other IoT devices. All of these devices are "endpoints" of data or applications to which users can access, giving rise to the name "endpoint."

Endpoint security refers to overall security measures with respect to the endpoint devices mentioned above. Threats for endpoints include data leaks and unauthorized access by malware. Endpoint security prevents, detects, visualizes, and analyzes such threats. Some of the typical technologies used for endpoint security are anti-virus software, firewalls, intrusion detection systems (IDSs), and intrusion prevention system (IPSs). In recent years, new technologies including EDR and EPP and advanced management tools such as MDM have counted among technologies for endpoint security. We will expound on EDR, EPP, and MDM later.

An endpoint is a gateway to a company network, and is a major route for the user to be connected to company's data and applications. The more endpoints diversify and the greater the number of them, the more gateways we will have. If an endpoint is attacked, the entire network could face threats through the affected device (endpoint).

More recently, the number of risks associated with the use of endpoints has been increasing with an increase in remote work and with the spread of BYOD (Bring Your Own Device) at overseas offices.

Based on the principle of not trusting anyone and verifying everything, every access is verified each time in the zero trust model. Moreover, access is permitted to minimum resources only, based on the Principle of Least Privilege (PoLP) for zero trust. By adopting the zero trust model, the security of each endpoint is ensured, and even if network intrusion occurs, the impact can be minimized.

As you can see now, endpoint security is an integral element for guaranteeing the robustness of the security system throughout the entire company. Owing to the rising global tide of digitization, endpoint security has become an important technique not only in Japan but also at overseas offices.

Specifically, what technologies support endpoint security? This section introduces the following technologies for realizing endpoint security.

①   Endpoint security

- EPP (Endpoint Protection Platform)
- EDR（Endpoint Detection and Response）
- MDM（Mobile Device Management）

An EPP (Endpoint Protection Platform) is a solution that protects endpoints such as PCs, tablets, and smartphones from threats like malware, and comprehensively manages endpoint security. Generally speaking, another name for an EPP is anti-virus software. Today we can see some high-level products that integrate the functions of a firewall, intrusion protection system, and data loss prevention. The major functions of an EPP are as follows:

- Malware protection

Malware protection

The primary function of an EPP in the zero trust model is to protect data and devices from malware. An EPP blocks malware from entering endpoint devices, and if malware has already entered a device, it detects the malware and then quarantines or removes it. Furthermore, an EPP learns the type and behavior of the malware that has entered the device. Based on the data collected, it is also possible to enhance the defense against new unknown malware.

EDR (Endpoint Detection and Response) is a solution that detects suspicious behaviors in an endpoint in real time, and provides measures against the threat. Unlike an EPP, EDR assumes a situation where the endpoint is already infected with malware. EDR enables users to detect new threats through checking and analysis of suspicious behaviors on the endpoint. EDR provides effective measures against unknown malware that cannot be blocked completely by an EPP. EDR’s major functions are as follows:

- Monitoring and detection
- Visualization and analysis
- Response to incidents
- Prevention

Monitoring and detection

EDR’s basic functions are monitoring and detection. EDR monitors behaviors on an endpoint, including network traffic, system changes, processes, and file operations, and always collects data. In this way, EDR can check for suspicious behaviors in endpoints in real time and promptly detect potential threats such as unknown malware.

Visualization and analysis

EDR enables analysis of collected data and visualization of an endpoint device’s status. People in charge of security can see suspicious behaviors and potential threats at a glance, enabling them to move rapidly in response.

Response to incidents

If a potential threat such as unknown malware is detected, EDR launches an automated incident response. Incident response includes malware quarantining, threat elimination, and system restoration. Moreover, detailed incident logs can be used for threat analysis and future measures.

Prevention

EDR detects potential threats early and prevents them from developing into major problems. It also learns attack methods and patterns, and provides preventive measures based on the accumulated data, enabling users to take prompt action against future threats.

MDM (Mobile Device Management) is a tool for companies to manage mobile devices such as smartphones and tablets securely. It enables management of a large number of mobile devices and unified security measures. MDM helps a company confirm that its mobile devices satisfy the security policy and are used securely. MDM’S major functions are as follows:

- Mobile device management
- Device security measures

MDM centrally manages mobile devices’ basic settings, application installation/uninstallation, and operating system updates. When a device is lost, it is also possible to lock the device or delete the data remotely. By using MDM, the company can achieve consistent management of mobile devices and ensure security.

MDM also enables users to strengthen security measures for mobile devices. For example, you can prevent installation of unauthorized applications and mandate encryption of devices. Furthermore, you can also check whether a device meets compliance requirements, and if any violation occurs, you can take necessary measures swiftly by, for example, disabling its use.

Finally, we introduce some examples of use and best practices for endpoint security in the zero trust model.

This section introduces examples of building an endpoint security system through the introduction of EDR.

A trading company (hereinafter "the company") has built the latest generation of its collaboration base using Microsoft 365 and is accelerating its efforts toward citizen development and improvement of employee experience (*1). Although the company had been operating a large-scale system used by approximately 12,000 users in over 60 countries as its collaboration base, emails and telephones were generally used for communications and collaborations. In response, the company decided to completely overhaul the base. In so doing, the company aimed to respond to a new way of working, improve the efficiency of the IT infrastructure operations, and use the latest functions of the cloud while realizing zero trust security.

Then the company established a fully cloud-based system globally using Microsoft 365. Windows Hello and Microsoft Defender for Endpoint were adopted for terminal authentication and terminal security. For authentication, the company used Azure Active Directory (Azure AD) to realize conditional access/adaptive authentication, multi-factor authentication, privileged access control, and device authentication.

A food manufacturer (hereinafter "the manufacturer") has been implementing a variety of measures to raise production efficiency in its offices since 2014, in such a way as to build a cloud system through introducing Microsoft 365 (formerly Office 365) as its communication base and quickly improve a teleworking environment that supports work-style reforms. The manufacturer has also been addressing the strengthening of security at its overseas offices where budgets and resources are limited. To do this, the manufacturer started rapidly implementing zero trust at its nine overseas companies through the use of Microsoft 365 E5 Security (*2). The key point of implementing security was to enhancing it through the cooperation between Microsoft Defender for Endpoint and an SOC (Security Operation Center) provided by an external IT partner. As a measure for a case where a device has been infected with malware or a virus, the manufacturer deployed Microsoft Defender for Endpoint and adopted a system in which AI monitors devices based on Microsoft’s immense amount of knowledge. As a result, the manufacturer successfully limited damage from Emotet, malware that went on the rampage around 2020.

Even at its overseas offices, where no adequate operational management system had been prepared, the manufacturer improved the environment in which the status of every terminal and system can be grasped in real time, resulting in horizontal expansion and strengthened cooperation across groups.

Endpoints are physical objects that are touched most frequently by users in an information security system, both domestically and overseas. You can access companies’ confidential information, and such information is often stored on an endpoint.

In general, when malware starts acting, it does so in an endpoint. A series of actions such as intrusion, execution of an unauthorized program, and infection are carried out within the endpoint.

In line with these facts, best practice for endpoint security in the zero trust model should be as follows:

①   Detection and management of all devices connected to a network
②   Application of the latest OS, security software, and security patches
③   Minimization of user privileges
④   Periodic detection and modification of vulnerabilities
⑤   Swift modification of lost or infected devices

The most important point when introducing endpoint security is to cover all the devices you are using and incorporate them under management. Then, take security measures suitable for the organization’s security policy and make periodic improvements to maintain the optimal security level.

This article introduced the roles of endpoint security in the zero trust security model. Overseas offices tend to have fewer human resources but need to adopt a security system that ensures regional compliance. KDDI is implementing support for attaining zero trust at overseas offices. If you do not know how to carry out effective security measures, contact KDDI.

Next, we will introduce the use of the zero trust security model in IoT.