What is endpoint security? | Endpoint protection

Endpoint security is the process of protecting endpoint devices like desktop computers, laptops, and smartphones from attacks and data leaks.

Learning Objectives

After reading this article you will be able to:

  • Describe why endpoint security is important for organizations
  • Explain the key features of endpoint protection solutions
  • Understand the relationship between endpoint security and network security

Related Content


Want to keep learning?

Subscribe to theNET, Cloudflare's monthly recap of the Internet's most popular insights!

Refer to Cloudflare's Privacy Policy to learn how we collect and process your personal data.

Copy article link

What is endpoint security?

Endpoint security or endpoint protection is the process of defending endpoints — devices that connect to a network, like laptops and smartphones — from attack. Endpoint security can also involve blocking dangerous user behavior that could result in the endpoint device's becoming compromised or infected with malware.

Organizations can use endpoint protection software to enforce security policies, detect attacks, block in-progress attacks, and prevent data loss. Because endpoints connect to internal corporate networks, endpoint protection is also an important component of network security.

There are many facets to endpoint protection, as threats can come from a variety of places. Common endpoint threat vectors* include:

  • Vulnerability exploits through a web browser
  • Social engineering attacks via email that result in users opening malicious files or links
  • Compromised USB devices
  • Threats from shared file drives
  • Usage of unsecured applications

Endpoint protection used to center on malware detection and prevention through the use of anti-malware or antivirus software, but today it has expanded to address these other threat vectors as well.

*In the security industry, "threat vector" means a source or channel that an attack can come from.

How does endpoint security work?

Endpoint security software uses one of two models:

In the client-server model, the software runs on a central server, with client software installed on all endpoints that connect to the network. The client endpoint software tracks activity and potential threats on the endpoint device and reports back to the central server. Usually, the client software can isolate or eliminate active threats if needed — for instance, by uninstalling or isolating malware on an endpoint, or blocking the endpoint from accessing the network.

In the software-as-a-service (SaaS) model, a cloud provider hosts and manages the endpoint software. SaaS endpoint software offers the advantage of scaling up more easily than the client-server model, as is usually the case with cloud computing services. SaaS-based endpoint software can also send updates to and receive alerts from endpoints even when they are not connected to the corporate network.

Typical endpoint security capabilities include:

  • Anti-malware: One of the most important components of endpoint security, anti-malware or antivirus software detects if malicious software is present on a device. Once detected, a number of actions are possible: the anti-malware can alert the central server or the IT team that an infection is present, it can attempt to quarantine the threat on the infected endpoint, it can attempt to delete or uninstall the malicious file, or it can isolate the endpoint from the network to prevent lateral movement.
  • Encryption: Encryption is the process of scrambling data so that it cannot be read without the correct decryption key. Encrypting the contents of an endpoint device protects data on the endpoint if the device is compromised or physically stolen. Endpoint security can encrypt files on the endpoint, or the full hard disk.
  • Application control: Application control allows IT administrators to determine which applications employees can install on endpoints.

What is anti-malware or antivirus software?

Anti-malware (or antivirus) software has long been an important aspect of endpoint protection. Anti-malware detects malware using four main methods:

  • Signature detection: Signature detection scans files and compares them against a database of known malware.
  • Heuristic detection: Heuristic detection analyzes software for suspicious characteristics. Unlike signature detection, this method can identify malware that has not previously been discovered and classified. However, heuristic detection can also result in false positives — instances when regular software is mistakenly identified as malware.
  • Sandboxing: In digital security, a "sandbox" is a virtual environment quarantined from the rest of a computer or a network. Within a sandbox, anti-malware software can safely open and execute potentially malicious files to see what they do. Any file that performs malicious actions, like deleting important files or contacting unauthorized servers, can then be identified as malware.
  • Memory analysis: Fileless malware runs on pre-installed software on a device but does not store files. Fileless malware can be detected by analyzing endpoint memory.

What is endpoint detection and response (EDR)?

Endpoint detection and response (EDR) is an important category of endpoint security products that monitor events on endpoints and on the network. The features of EDR products vary, but all are able to collect data about activity on endpoints in order to help security administrators identify threats. Most can also block threats once they are detected.

Why is endpoint protection important for businesses and large organizations?

For individual consumers, endpoint protection is important but typically does not require dedicated endpoint security software. Many operating systems for consumers come with basic security protections already installed (such as anti-malware), and users can follow certain best practices to keep their computers, smartphones, and Internet activities protected.

Endpoint security is a larger issue for businesses, especially those that have to manage hundreds or thousands of employee endpoint devices. An insecure endpoint can be a foot in the door for attackers attempting to break into an otherwise secure corporate network. The more endpoints that connect to a network, the greater the number of potential vulnerabilities introduced to that network — just as more cars on the road increases the likelihood that a driver will make a mistake and cause an accident.

In addition, the potential impact of a successful attack on a business can be huge, resulting in a disruption of business processes, the loss of confidential data, or a damaged reputation.

What also makes endpoints an enticing target is that they can be difficult to keep secure. IT teams do not have regular, direct access to the computers employees use, nor to employees' personal devices like laptops and smartphones. By requiring the installation of endpoint protection software on devices that connect to a network, IT can remotely manage and monitor the security of these devices.

Securing endpoint devices became far more challenging with the increase of bring your own device (BYOD) environments over the last decade. The number of devices that connect to each network has increased, as well as the variety of devices. Endpoints on a network are likely to include not just personal smartphones and tablets, but also Internet of Things (IoT) devices, which run a wide variety of software and hardware (learn more about IoT security).

How does endpoint security relate to network security?

Endpoint security is part of keeping networks secure, since an unsecured endpoint provides a weak spot in a network for an attacker to exploit. But network security also includes protecting and securing network infrastructure, managing network, cloud, and Internet access, and other aspects not covered by most endpoint security products.

Today, the lines between endpoint and network security are blurring. Many organizations are moving to a Zero Trust model for network security, which assumes any endpoint device may pose a threat and must be verified before it can connect to internal resources — even SaaS applications. With such a model, endpoint security posture becomes important for allowing network and cloud access.

Endpoint security and Zero Trust

In a Zero Trust model, no endpoint is trusted automatically. Zero Trust requires checking every device for security risks regularly, often on a request-by-request basis. This may involve an integration with endpoint security solutions that monitor the endpoint for malware or other risks. Some Zero Trust vendors may provide this natively as well.

Such an approach means that potentially compromised endpoint devices are quickly isolated from the rest of the network, preventing lateral movement. This principle of microsegmentation is a core facet of Zero Trust security.

To learn more about Zero Trust, see What is a Zero Trust network? Or, learn about Cloudflare One, which combines networking and security services in one Zero Trust platform.