What is endpoint security?

What is endpoint security?

Endpoint security, a network's critical first line of cybersecurity defense, protects end users and endpoint devices—desktops, laptops, mobile devices, servers and others—against cyberattacks.

Endpoint security also protects the network against adversaries who attempt to use endpoint devices to launch cyberattacks on sensitive data and other assets on the network.

Endpoints remain the primary enterprise network entry point for cyberattacks. Various studies estimate that as many as 90% of successful cyberattacks and as many as 70% of successful data breaches originate at endpoint devices. According to the Cost of a Data Breach Report from IBM, the average data breach cost companies USD 4.44 million.

Today companies must protect more endpoints, and more kinds of endpoints, than ever before. Bring-your-own-device (BYOD) policies, increased remote work, and the surging number of IoT devices, customer-facing devices and network-connected products have multiplied the endpoints that hackers can exploit, and the vulnerabilities that security teams must secure.

Think Newsletter

Would your team catch the next zero-day in time?

Join security leaders who rely on the Think Newsletter for curated news on AI, cybersecurity, data and automation. Learn fast from expert tutorials and explainers—delivered directly to your inbox. See the IBM Privacy Statement.

Your subscription will be delivered in English. You will find an unsubscribe link in every newsletter. You can manage your subscriptions or unsubscribe here. Refer to our IBM Privacy Statement for more information.

https://www.ibm.com/us-en/privacy

Antivirus software

The original endpoint security software, antivirus software protects endpoints against known forms of malware—Trojans, worms, adware and more.

Traditional antivirus software scanned the files on an endpoint device for malware signatures - strings of bytes characteristic to known viruses or malware. The software alerted the user or admin when a virus was found, and provided tools for isolating and removing the virus and repairing any infected files.

Today's antivirus software, often called next-generation antivirus (NGAV), can identify and fight newer types of malware, including malware that leaves no signature. For example, NGAV can detect fileless malware—malware that resides in memory and injects malicious scripts into the code of legitimate applications. NGAV can also identify suspicious activity using heuristics, which compare suspicious behavior patterns to those of known viruses, and integrity scanning, which scans files for signs of virus or malware infection.

Security Intelligence | 5 November, episode 7

Your weekly news podcast for cybersecurity pros

Whether you're a builder, defender, business leader or simply want to stay secure in a connected world, you'll find timely updates and timeless principles in a lively, accessible format. New episodes on Wednesdays at 6am EST.
Watch the latest podcast episode

Endpoint protection platforms (EPPs)

Antivirus software alone may be adequate for securing a handful of endpoints. Anything beyond that typically requires an enterprise protection platform, or EPP. An EPP combines NGAV with other endpoint security solutions, including:

  • Web control: Sometimes called a web filter, this software protects users and your organization from malicious code hidden in web sites, or within files users download. Web control software also includes whitelisting and blacklisting capabilities that let a security team control which sites users can visit.

  • Data classification and data loss prevention: These technologies document where sensitive data is stored, whether in the cloud or on premises, and prevent unauthorized access to, or disclosure of, that data.

  • Integrated firewalls: These firewalls are hardware or software that enforce network security by preventing unauthorized traffic into and out of the network.

  • Email gateways: These gateways are software that screen incoming email to block phishing and social engineering attacks.

  • Application control: This technology enables security teams to monitor and control the installation and use of applications on devices and can block the use and execution of unsafe or unauthorized apps.

An EPP integrates these endpoint solutions in a central management console, where security teams or system admins can monitor and manage security for all endpoints. For example, an EPP can assign the appropriate security tools to each endpoint, update or patch those tools as needed, and administer corporate security policies.

EPPs can be on-premises or cloud-based. But industry analyst Gartner, which first defined the EPP category, notes that “Desirable EPP solutions are primarily cloud-managed, allowing the continuous monitoring and collection of activity data, along with the ability to take remote remediation actions, whether the endpoint is on the corporate network or outside of the office.”

Endpoint detection and response (EDR)

EPPs focuse on preventing known threats, or threats that behave in known ways. Another class of endpoint security solution, called endpoint detection and response(EDR), enables security teams to respond to threats that sneak past preventative endpoint security tools.

EDR solutions continuously monitor the files and applications that enter each device, hunting for suspicious or malicious activity that indicates malware, ransomware or advanced threats. EDR also continuously collects detailed security data and telemetry, storing it in a data lake where it can be used for real-time analysis, root cause investigation, threat hunting and more.

EDR typically includes advanced analytics, behavioral analysis, artificial intelligence (AI) and machine learning, automation capabilities, intelligent alerting, and investigation and remediation functionality that enable security teams to:

  • Correlate indicators of compromise (IOCs) and other endpoint security data with threat intelligence feeds to detect advanced threats in real time.

  • Receive notifications of suspicious activity or actual threats in real time, together with contextual data that can help isolate root causes and accelerate threat investigation.

  • Perform static analysis( analysis of suspected malicious or infected code) or dynamic analysis (execution of suspcious code in isolation).

  • Set thresholds for endpoint behaviors and alerts for when those thresholds are exceeded.

  • Automate responses, such as disconnecting and quarantining individual devices, or blocking processes, to mitigate damage until the threat can be resolved.

  • Determine if other endpoint devices are being impacted by the same cyberattack.

Many newer or more advanced EPPs include some EDR capabilities, but for complete endpoint protection encompassing prevention and response, most enterprises should employ both technologies.

Extended detection and response (XDR)

Extended detection and response, or XDR, extends the EDR threat detection and response model to all areas or layers of the infrastructure, protecting not only endpoint devices but applications, databases and storage, networks, and cloud workloads. A software-as-a-service (SaaS) offering, XDR protects on-premises and cloud resources. Some XDR platforms integrate security products from a single vendor or cloud service provider, but the best also allow organizations to add and integrate the security solutions they prefer.

Resources

Secure the post-quantum future: How quantum safety strengthens cyber-resilience for today and tomorrow

Advance your company’s readiness, infused by the findings of the new IBM Institute of Business Value Report on securing the post-quantum future.
IBM® X-Force® threat intelligence index 2025

Gain insights to prepare and respond to cyberattacks with greater speed and effectiveness with the IBM X-Force threat intelligence index.
IDC MarketScape: Cybersecurity Consulting Services Vendor Assessment 2025

See why IBM has been named a Major Player and gain insights for selecting the Cybersecurity Consulting Services Vendor that best fits your organization’s needs.
Cybersecurity in the era of generative AI

Learn how today’s security landscape is changing and how to navigate the challenges and tap into the resilience of generative AI.
IBM® X-Force® cloud threat landscape report 2024

Understand the latest threats and strengthen your cloud defenses with the IBM X-Force cloud threat landscape report.
What is data security?

Find out how data security helps protect digital information from unauthorized access, corruption or theft throughout its entire lifecycle.
What is a cyberattack?

A cyberattack is an intentional effort to steal, expose, alter, disable or destroy data, applications or other assets through unauthorized access.
Related solutions
Enterprise security solutions

Transform your security program with solutions from the largest enterprise security provider.

 Explore security solutions
Cybersecurity services

Transform your business and manage risk with cybersecurity consulting, cloud and managed security services.

         Explore cybersecurity services
    Artificial intelligence (AI) cybersecurity

    Improve the speed, accuracy and productivity of security teams with AI-powered cybersecurity solutions.

         Explore AI cybersecurity
    Take the next step

    Whether you need data security, endpoint management or identity and access management (IAM) solutions, our experts are ready to work with you to achieve a strong security posture. Transform your business and manage risk with a global industry leader in cybersecurity consulting, cloud and managed security services.

         Explore cybersecurity solutions Discover cybersecurity services