The enterprise definition of endpoint has dramatically shifted over the years. Endpoints traditionally referred to desktop computers and laptops, which could be secured with antivirus software and firewalls. Today, the term covers a wide array of devices used for business, from PCs and laptops to corporate- and employee-owned smartphones to IoT sensors — all of which require much more security than antivirus and firewalls provide.
With an endpoint security policy in place, organizations can ensure corporate assets and data remain protected even when devices outside of their four walls access them. To build this policy, companies should ask themselves how much security is needed for their specific endpoints, as well as whether endpoint security tools should keep devices heavily locked down or provide lighter protections to allow employees some personal freedom.
To get started writing a policy customized for your company, here are five universal endpoint security best practices to consider.
1. Asset discovery
As more employees work remotely or on the road, BYOD and unsanctioned IoT devices are becoming increasingly common. To understand what is connecting to their network resources, IT teams should start with an inventory audit of all devices. Note that some devices may never touch the corporate network at all and instead go straight to the cloud to integrate with SaaS applications; in that case, a cloud access security broker (CASB) or equivalent may be required to see them.
It is necessary to get full visibility of all the endpoint devices connecting to corporate applications and data before doing anything else — after all, it’s impossible to secure what you don’t know is there.
2. Device profiling
The next step for IT teams is to understand the ways these various endpoints operate. Document which servers and applications they connect to, as well as when and what sorts of data they share and collect. It is also important to include how software is updated on these endpoints and how often. Finally, assess what security risks each endpoint could potentially present, along with their business impacts, in case there is a breach or compromise.
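The profiling step above can be made repeatable by building each endpoint's profile from connection logs rather than by hand. The following is an added example, not code from the original article: it takes a constructed set of connection records (device, destination host, port, timestamp, bytes sent), derives per-device destinations, active-hour window and the classes of data the device handles, rates business impact from the most sensitive data class, and flags a later connection that falls outside the documented profile. The record format, the service-to-data-class table and the impact ranking are all assumptions for illustration.

```python
"""Build per-endpoint behaviour profiles from connection records.

Added example, not from the original article. All input data below is
constructed; the field layout and classification tables are assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample: (device, destination host, port, ISO timestamp, bytes out)
RECORDS = [
    ("lap-042", "erp.corp.example", 443, "2024-03-04T09:12:00", 18_400),
    ("lap-042", "files.corp.example", 445, "2024-03-04T10:30:00", 2_100_000),
    ("lap-042", "erp.corp.example", 443, "2024-03-05T08:55:00", 22_000),
    ("lap-042", "files.corp.example", 445, "2024-03-06T17:40:00", 950_000),
    ("cam-07", "nvr.corp.example", 554, "2024-03-04T00:00:00", 40_000_000),
    ("cam-07", "nvr.corp.example", 554, "2024-03-04T12:00:00", 41_000_000),
    ("cam-07", "ntp.corp.example", 123, "2024-03-04T03:00:00", 96),
]

# Constructed mapping: what kind of data a device talking to this service handles.
SERVICE_DATA = {
    ("erp.corp.example", 443): "financial",
    ("files.corp.example", 445): "internal-documents",
    ("nvr.corp.example", 554): "video",
    ("ntp.corp.example", 123): "none",
}

# Assumed ordinal ranking of data sensitivity, used to rate business impact.
IMPACT_RANK = {"none": 0, "unknown": 1, "video": 2, "internal-documents": 3, "financial": 4}


def build_profiles(records):
    """Return {device: profile} with destinations, active hours, bytes out, data classes."""
    profiles = defaultdict(lambda: {
        "destinations": set(), "hours": set(), "bytes_out": 0, "data_classes": set()})
    for device, host, port, ts, nbytes in records:
        p = profiles[device]
        p["destinations"].add((host, port))
        p["hours"].add(datetime.fromisoformat(ts).hour)
        p["bytes_out"] += nbytes
        # Destinations not in the table are recorded as "unknown" so they stand out.
        p["data_classes"].add(SERVICE_DATA.get((host, port), "unknown"))
    return dict(profiles)


def business_impact(profile):
    """Rate impact from the most sensitive data class the device touches."""
    top = max(IMPACT_RANK[c] for c in profile["data_classes"])
    if top >= 3:
        return "high"
    if top == 2:
        return "medium"
    return "low"


def is_anomalous(profile, host, port, ts):
    """True if a connection goes to an undocumented destination or outside the device's active hours."""
    hour = datetime.fromisoformat(ts).hour
    new_destination = (host, port) not in profile["destinations"]
    off_hours = not (min(profile["hours"]) <= hour <= max(profile["hours"]))
    return new_destination or off_hours


if __name__ == "__main__":
    for device, profile in build_profiles(RECORDS).items():
        print(device, business_impact(profile), sorted(profile["destinations"]),
              f"{min(profile['hours']):02d}-{max(profile['hours']):02d}h", profile["bytes_out"])
```

The profile doubles as a baseline: once it is documented, a laptop that starts talking to a new server at 23:00 is a concrete, reviewable deviation rather than a gut feeling.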
3. End-user device security
Once endpoints are identified and profiled, IT teams need to understand how existing security products can be used to protect them. Next-generation antivirus is still widely deployed: it combines signature matching to detect known threats with behavioral analysis and machine learning to catch novel ones. Endpoint detection and response builds on that by continuously recording endpoint telemetry (process, file and network activity), raising alerts to a central console, supporting investigation and reporting, enabling remote response actions such as isolating a host or killing a process, and integrating with third-party tools such as SIEM and SOAR platforms. Together these are the baseline defense for managed end-user devices.
Note, however, that IT teams will have to develop a different plan for employee-owned devices, where a full corporate agent may not be acceptable. Options include installing a lighter management agent, containerizing corporate applications and data on the device, or requiring a VPN or access proxy before company assets can be reached.
4. Principle of least privilege access using zero trust
With a gamut of endpoints proliferating at organizations, the zero-trust principle of "never trust, always verify" is critical to controlling the risk surface and ensuring employees have exactly the access to corporate assets they need. With policy managed centrally, every access request is evaluated against the device's current posture (whether it still matches the standard configuration), the identity making the request and that identity's current entitlements; privilege escalations are granted temporarily and expire on their own, and privileges and access rights are revoked automatically when a device falls out of compliance. With a well-designed identity and access management framework in place, most of these tasks can be automated, and precious human intervention can be reserved for the anomalous cases that demand it.
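The policy decision described above, as an added example that is not part of the original article: a small evaluator that checks device posture against a standard configuration, then checks the requester's entitlements, honors time-bounded privilege elevation, and revokes temporary grants when a device drifts out of compliance. The posture attributes, the baseline values, the request fields and the grant records are all assumptions chosen for illustration.

```python
"""Central zero-trust policy evaluation for an endpoint access request.

Added example, not from the original article. Posture fields, baseline
values and role names are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed standard device configuration every request is measured against.
BASELINE = {"disk_encrypted": True, "edr_running": True, "max_patch_age_days": 30}


@dataclass
class Device:
    device_id: str
    managed: bool          # enrolled in device management
    disk_encrypted: bool
    edr_running: bool
    patch_age_days: int    # days since the last patch was applied


@dataclass
class Grant:
    subject: str
    role: str
    expires: Optional[datetime] = None  # None means a standing entitlement
    revoked: bool = False


def posture_violations(dev: Device) -> List[str]:
    """Return every way the device deviates from the baseline (empty list means compliant)."""
    v = []
    if not dev.managed:
        v.append("device not enrolled in management")
    if BASELINE["disk_encrypted"] and not dev.disk_encrypted:
        v.append("disk not encrypted")
    if BASELINE["edr_running"] and not dev.edr_running:
        v.append("EDR agent not running")
    if dev.patch_age_days > BASELINE["max_patch_age_days"]:
        v.append(f"patches {dev.patch_age_days} days old (max {BASELINE['max_patch_age_days']})")
    return v


def active_roles(grants, subject, now):
    """Roles the subject holds right now: not revoked and not expired."""
    return {g.role for g in grants
            if g.subject == subject and not g.revoked
            and (g.expires is None or now < g.expires)}


def evaluate(request, device, grants, now):
    """Decide one request: posture first, then entitlement. Returns (decision, reasons)."""
    reasons = posture_violations(device)
    if reasons:
        return "deny", reasons
    if request["required_role"] not in active_roles(grants, request["subject"], now):
        return "deny", [f"{request['subject']} lacks role {request['required_role']}"]
    return "allow", []


def elevate(grants, subject, role, now, minutes=60):
    """Temporary privilege escalation: the grant lapses by itself when the window closes."""
    g = Grant(subject, role, expires=now + timedelta(minutes=minutes))
    grants.append(g)
    return g


def reassess(device, grants, subject):
    """Continuous verification: if the device is no longer compliant, revoke temporary grants."""
    if not posture_violations(device):
        return []
    revoked = [g for g in grants
               if g.subject == subject and g.expires is not None and not g.revoked]
    for g in revoked:
        g.revoked = True
    return revoked


if __name__ == "__main__":
    now = datetime(2024, 3, 4, 9, 0)
    grants = [Grant("j.doe", "employee")]
    dev = Device("lap-042", managed=True, disk_encrypted=True, edr_running=True, patch_age_days=12)
    req = {"subject": "j.doe", "resource": "erp", "required_role": "finance-admin"}
    print(evaluate(req, dev, grants, now))
    elevate(grants, "j.doe", "finance-admin", now, minutes=30)
    print(evaluate(req, dev, grants, now + timedelta(minutes=10)))
    print(evaluate(req, dev, grants, now + timedelta(minutes=31)))
```

The ordering matters: posture is checked before entitlement, so a non-compliant device is refused even when the identity is fully authorized, and an elevation expires without anyone having to remember to remove it.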
5. IoT device security
IoT spans a wide array of devices, from iris scanners to smart speakers to nuclear power sensors. The following security best practices are generally applicable to all IoT devices:
- Security framework adherence. Specific IoT endpoint security best practices will vary based on the device’s impact and risk, so following a security framework is a crucial first step. For example, NIST Interagency/Internal Report 8259 describes foundational cybersecurity activities for IoT device manufacturers. As a buyer, requiring vendors to adhere to it gives you a solid foundation for risk assessment: devices that can be identified and inventoried, standardized and accessible event logging, integrated identity and key management, standardized configuration management and a supported capability to receive software updates and vulnerability fixes. It also sets the expectation that vendors are responsible for timely disclosure in the event of a breach or a vulnerability.
- IoT device passwords. One of the most commonly exploited weaknesses in IoT devices is the factory-default username and password, which is often printed in the manual and easily found on the internet. IT teams should check every device’s credentials and change any default to something unique to that device.
- IoT device discovery and policy enforcement. IoT devices are much more likely than laptops to be installed without permission. Thus, running regular IoT device audits is a must. Any new or unknown devices detected should be blocked by default, and an escalation and authentication process should be put in place. With this information, IT can track down the device owner to not only ensure legitimacy, but also change default passwords before further network access is granted.
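The discovery audit from the first best practice and the IoT audit just described share one mechanism: compare what is actually on the network with the inventory and act on the difference. The following is an added example, not code from the original article. It parses dnsmasq-style DHCP lease lines (one per line: expiry, MAC, IP, hostname, client ID), which are constructed here, looks each MAC up in a constructed inventory, and assigns an action: block unknown devices by default pending escalation, quarantine known devices whose factory-default credentials are still in place, and allow the rest. The inventory, the lease data and the OUI vendor-hint table are assumptions for illustration.

```python
"""Endpoint discovery audit: diff the network against the inventory.

Added example, not from the original article. Leases, inventory and OUI
hints below are constructed for illustration.
"""

# Constructed dnsmasq-style leases: expiry mac ip hostname client-id
# ("*" is how dnsmasq records a client that sent no hostname).
LEASES = """\
1709600000 3c:5a:b4:10:20:30 10.0.10.21 lap-042 01:3c:5a:b4:10:20:30
1709600300 b0:c5:54:aa:bb:cc 10.0.20.7 IPC-07 01:b0:c5:54:aa:bb:cc
1709600600 b0:c5:54:aa:bb:cd 10.0.20.8 IPC-08 01:b0:c5:54:aa:bb:cd
1709600900 00:11:22:33:44:55 10.0.10.77 * 01:00:11:22:33:44:55
"""

# Constructed inventory keyed by MAC; the audit trusts nothing not listed here.
INVENTORY = {
    "3c:5a:b4:10:20:30": {"owner": "j.doe", "type": "laptop", "default_creds_changed": True},
    "b0:c5:54:aa:bb:cc": {"owner": "facilities", "type": "ip-camera", "default_creds_changed": True},
    "b0:c5:54:aa:bb:cd": {"owner": "facilities", "type": "ip-camera", "default_creds_changed": False},
}

# Constructed OUI (first three octets) hints to help track down an unknown device's owner.
OUI_HINTS = {"b0:c5:54": "camera-vendor-example", "3c:5a:b4": "laptop-vendor-example"}


def parse_leases(text):
    """Parse lease lines into dicts; malformed lines are skipped rather than trusted."""
    devices = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        expiry, mac, ip, hostname = parts[:4]
        devices.append({
            "mac": mac.lower(),
            "ip": ip,
            "hostname": None if hostname == "*" else hostname,
            "expiry": int(expiry),
        })
    return devices


def vendor_hint(mac):
    return OUI_HINTS.get(mac[:8])


def audit(devices, inventory):
    """Classify each seen device and decide the enforcement action."""
    findings = []
    for d in devices:
        entry = inventory.get(d["mac"])
        f = dict(d, vendor=vendor_hint(d["mac"]))
        if entry is None:
            # Default deny: nothing unlisted gets further access until an owner is found.
            f.update(status="unknown", action="block", owner=None,
                     next_step="escalate: identify owner and confirm legitimacy before any access")
        elif not entry["default_creds_changed"]:
            f.update(status="known", action="quarantine", owner=entry["owner"],
                     next_step="owner must replace factory-default password before network access")
        else:
            f.update(status="known", action="allow", owner=entry["owner"], next_step=None)
        findings.append(f)
    return findings


def summarize(findings):
    """Count findings per action, for the audit report."""
    counts = {}
    for f in findings:
        counts[f["action"]] = counts.get(f["action"], 0) + 1
    return counts


if __name__ == "__main__":
    results = audit(parse_leases(LEASES), INVENTORY)
    for f in results:
        print(f["action"].upper(), f["mac"], f["ip"], f["hostname"], f["vendor"], f["next_step"])
    print(summarize(results))
```

Run on a schedule, the audit turns "unknown device on the network" from a surprise during an incident into a routine ticket, and the quarantine rule makes the default-password check an enforced gate rather than a one-time clean-up.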
Endpoint security remains as important as ever
These five steps provide a good baseline of end-user device posture and basic hygiene. With today’s ever-changing landscape, IT needs to remain vigilant, even after implementing the above endpoint security best practices. As more companies reevaluate how often employees need to be in the office and IoT adoption continues to boom, more endpoints will remain outside of the network and at increased risk for attack.