Not all endpoints have the same risk. A developer laptop with access to source code is different from an admin laptop with infrastructure access, which is different from a regular employee laptop. Protections should be proportional to risk.
What is an endpoint
An endpoint is any individual device connected to a network that can be the target of a cyber attack: corporate laptops, desktops, servers, network printers, smartphones, tablets. In an enterprise security context, 'endpoint protection' means securing all these devices against malware, unauthorised access and data exfiltration. Protection tools include antivirus, EDR (Endpoint Detection and Response), a local firewall, disk encryption and access policies. A compromised endpoint is a door for lateral movement across the network: an attacker gains a foothold on a corporate laptop, executes malware, harvests the credentials and sessions stored there, and from that position attacks other systems. That is why endpoints are a critical defence point: they are the perimeter closest to data and users.
Why it matters
For a CISO, endpoints represent the 'last mile' of defence. The perimeter can be hardened (firewall, proxy, WAF), but if an employee opens a malicious attachment on a corporate laptop, the attacker is already inside and the perimeter controls never see the compromise. Endpoints are numerous (a 500-person company has 500+ devices), heterogeneous (Windows, Mac, Linux, mobile) and dispersed (many in home offices since COVID). Managing endpoints at scale requires: (1) a centralised inventory (which devices, which software, which vulnerabilities), (2) automatic patching (OS, applications, firmware), (3) EDR (detection of suspicious behaviour), (4) policies (USB storage blocked, unauthorised software prevented, access limited to what the role needs), (5) incident response (if an endpoint is compromised, isolate it, investigate, rebuild). Without these, endpoints are an open door to a breach. With them, you significantly shrink the window between compromise and containment.
Key points
Malware on an endpoint does not need to be sophisticated to be destructive. A simple stealer that copies browser cookies and saved passwords gives the attacker live sessions (often bypassing MFA, since the session is already authenticated) and whatever credentials the user kept on disk (cloud provider keys, Git hosting tokens, SSH keys). Ransomware can encrypt the user's files and any network shares the account can reach, paralysing their work.
EDR (Endpoint Detection and Response) is more modern than traditional antivirus. Traditional AV looks for known file signatures; EDR records and correlates behaviour (process creation chains, command lines, registry and file changes, network connections, privilege escalation attempts) and matches it against behavioural patterns. That is how EDR can catch malware no signature has ever seen: the payload is new, but an Office document spawning a hidden PowerShell that writes a persistence key and calls out to the internet is not.
Endpoint security is a shared responsibility: IT/security provides the tools (EDR, antivirus, policies), but the user is the last line of defence (do not open suspicious attachments, do not share passwords, report odd behaviour). User training is important, but controls should never depend on nobody ever clicking; assume someone will, and design detection and containment around that.
Example: compromise of a corporate endpoint
An accountant receives an email appearing to be from a bank, with a link to 'confirm your password'. The link leads to an Office document; enabling its macro launches a hidden PowerShell command that downloads Emotet. Without EDR, Emotet silently: (1) steals cached credentials from the browser and the mail client (access to corporate email, internal systems, and address books reused for further phishing), (2) spreads to neighbouring machines over SMB using the harvested or brute-forced credentials (Emotet is a loader, not a privilege-escalation exploit; the EternalBlue SMB exploit belongs to other families and to lateral movement, not to gaining local admin), (3) loads a second-stage trojan that hands the network to a ransomware operator, (4) the ransomware encrypts files on the machine and on every reachable share. Effect: the accountant cannot work, customer data is at risk, and IT is shutting down machines across the network. With EDR implemented: (1) EDR detects the chain because it is anomalous behaviour (an Office process spawning PowerShell, a Run key written for persistence, an outbound connection from that process), (2) EDR alerts immediately, (3) IT, or the EDR's automatic response, isolates the endpoint from the network within seconds, (4) the malware can no longer reach its C&C, (5) the second stage and the ransomware are never downloaded, (6) the endpoint is reimaged and the user's credentials are reset, and the user is back to work with little interruption. Critical difference: without EDR, a compromise like this typically goes unnoticed for hours or days; with EDR, it is caught in minutes. A smaller window means smaller damage.
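To make the behavioural detection in the key points and in this example concrete, here is an added example that is not code from the original page or from any EDR vendor: a toy rule engine in Python that runs over constructed, Sysmon-style events reproducing the chain above (an Office process spawning encoded PowerShell, a Run-key write for persistence, an outbound connection) and decides whether the host should be isolated. The event fields, rule names, scores, threshold, IP address and the encoded command are all assumptions for illustration.

```python
"""Toy EDR behavioural rules over constructed process/registry/network telemetry."""
import ntpath
from collections import defaultdict

# Constructed Sysmon-style events for the scenario (hypothetical, not real logs):
# Word spawns an encoded PowerShell, which writes a Run key and connects out.
# A benign Notepad launch is included so the rules have something to ignore.
EVENTS = [
    {"type": "process", "pid": 4120, "ppid": 3300,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": 'WINWORD.EXE "C:\\Users\\acct01\\Downloads\\invoice_2024.doc"'},
    {"type": "process", "pid": 5012, "ppid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "powershell.exe -NoP -W Hidden -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"type": "registry", "pid": 5012,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveUpd",
     "value": r"C:\Users\acct01\AppData\Roaming\OneDriveUpd\svchost.exe"},
    {"type": "network", "pid": 5012, "dest_ip": "203.0.113.7", "dest_port": 443},
    {"type": "process", "pid": 6100, "ppid": 3300,
     "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe notes.txt"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
          "cscript.exe", "mshta.exe", "rundll32.exe"}
ISOLATE_THRESHOLD = 60  # hypothetical risk score at which the host is cut off


def basename(path):
    return ntpath.basename(path).lower()


def evaluate(events):
    """Run the rules over an event stream. Returns (alerts, pids_to_isolate)."""
    alerts = []
    score = defaultdict(int)   # accumulated risk per pid
    suspicious = set()         # pids whose lineage already looks malicious

    def flag(pid, rule, points, detail):
        alerts.append({"pid": pid, "rule": rule, "detail": detail})
        score[pid] += points
        suspicious.add(pid)

    for ev in events:
        pid = ev["pid"]
        if ev["type"] == "process":
            img, parent = basename(ev["image"]), basename(ev["parent_image"])
            # Rule 1: an Office app spawning a shell or script host is the classic
            # macro-to-payload chain; a document has no business launching PowerShell.
            if parent in OFFICE_APPS and img in SHELLS:
                flag(pid, "office_spawns_shell", 40, f"{parent} -> {img}")
            # Rule 2: hidden-window, encoded PowerShell is how loaders hide stage one.
            cmd = ev["cmdline"].lower()
            if img in {"powershell.exe", "pwsh.exe"} and ("-enc" in cmd or "-encodedcommand" in cmd):
                flag(pid, "encoded_powershell", 30, ev["cmdline"][:60])
            # Children inherit suspicion so their later events are judged in context.
            if ev["ppid"] in suspicious:
                suspicious.add(pid)
        elif ev["type"] == "registry":
            # Rule 3: a Run-key write (persistence) by an already-suspicious process.
            if "\\currentversion\\run\\" in ev["key"].lower() and pid in suspicious:
                flag(pid, "run_key_persistence", 30, ev["key"])
        elif ev["type"] == "network":
            # Rule 4: outbound connection by a flagged process. On a real EDR this is
            # the point to block the C&C channel, not merely log it.
            if pid in suspicious:
                flag(pid, "outbound_from_flagged", 20, f"{ev['dest_ip']}:{ev['dest_port']}")

    isolate = sorted(p for p, s in score.items() if s >= ISOLATE_THRESHOLD)
    return alerts, isolate


if __name__ == "__main__":
    found, to_isolate = evaluate(EVENTS)
    for a in found:
        print(f"pid {a['pid']}: {a['rule']} ({a['detail']})")
    print("isolate:", to_isolate)
```

Note what makes this behavioural rather than signature-based: no rule looks at the payload's hash or contents. The Word process on its own and the Notepad launch produce nothing; only the chain (Office parent, encoded shell, persistence, outbound connection) accumulates enough risk to trigger isolation, and the Run-key and network rules fire only because the process was already in a suspicious lineage.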
Common mistakes
- Assuming the perimeter firewall is sufficient. The firewall protects the boundary of the corporate network, but malware on an endpoint sits inside it, and its outbound connection to a command-and-control server looks like any other HTTPS session the firewall allows. Endpoint protection is a separate and equally important line of defence.
- Neglecting endpoint patches. An endpoint that has gone six months without OS or browser updates typically carries dozens of publicly known, exploitable CVEs. Automatic patching of the OS, the browser and common applications is critical.
- Not controlling physical access (USB ports, optical drives, external interfaces). An attacker, or a careless user, can plug in a USB device carrying malware or copy data out. Although such attacks are rarer than phishing, sensitive organisations (defence, banking) control physical access and block removable storage by policy.
- Confusing EDR with antivirus. AV is reactive (known malware, matched by signature); EDR is proactive (suspicious behaviour, whatever the file). A modern company needs both, and most current endpoint suites bundle them: AV as the first layer, EDR as the second.
Frequently asked questions
What is the difference between endpoint security and antivirus?
Antivirus is one specific tool that looks for known malware by signature. Endpoint security is the overall strategy, which includes antivirus, EDR, the local firewall, disk encryption, patching and device policies. Antivirus is one component of endpoint security, not a substitute for it.
What is EDR?
EDR (Endpoint Detection and Response) is software that records and monitors process behaviour on an endpoint. It detects malware with no known signature by recognising behavioural patterns (anomalous process chains, persistence mechanisms, lateral movement, data exfiltration) and keeps the telemetry needed to investigate afterwards. It allows automatic response (isolating the endpoint, killing the process) or manual response (IT investigates and decides). Against new or customised malware it is far more effective than traditional antivirus.
How do I protect dispersed endpoints (remote workers)?
A corporate VPN or zero-trust access gateway protects traffic in transit and lets you control what the device can reach. EDR with cloud-based management works wherever the device is, not only on the office network. Device compliance policies (OS up to date, EDR running, disk encryption on) should gate access to corporate resources. User training on phishing and malware completes the picture. Note that a VPN does not protect the device itself: without EDR and patching, a remote endpoint is just as exposed as one on a public network.
What happens if an endpoint is compromised?
Ideally, EDR detects the compromise and automatically isolates the endpoint. Then: (1) investigation (which malware, how it got in, which data and credentials were accessed, whether it touched other systems), (2) recovery (reimage the machine rather than trusting a clean-up, and reset every password, session and token that was stored on it, since stolen credentials outlive the malware), (3) monitoring (heightened monitoring of the user and the rebuilt device for a period after the incident to confirm the attacker has no remaining foothold).