Endpoint Protection – SY0-601 CompTIA Security+ : 3.2


We use many different techniques to keep our endpoint devices safe. In this video, you’ll learn about anti-malware, EDR, data loss prevention, host-based firewalls, and more.


We’re keeping an increasing amount of sensitive information on our computing devices and we’re using different kinds of computing devices. We might have a desktop computer, a laptop, a tablet, or a mobile phone. With each of these devices, we’re concerned about attackers gaining access inbound to these devices or sending the information that we have outbound to their own servers.

Of course, we have to think about all of the different operating systems and platforms that we're using, and about maintaining the security of each one of those. With all of these devices, there will be different security techniques and different mechanisms that we'll use to keep them safe. We call this layered protection defense in depth. And so in this video, we'll look at some of the security features that we might add to our endpoint devices.

Antivirus and anti-malware are some of the most common security features that we might add to our computing devices. Our endpoints have antivirus loaded on them, but very often this means antivirus along with other anti-malware software.

This is designed to stop viruses, worms, trojan horses, and other types of malicious software attacks. Along with antivirus, we have anti-malware software that we’re running. Anti-malware software is commonly blocking fileless malware, ransomware, and other types of malware attacks. If you have antivirus software on your device, then you probably effectively also have anti-malware software as well.

These capabilities have generally been combined into the same software suite, so if you're running one of these, you're probably running the other as well. One of the challenges with antivirus and anti-malware software is that they tend to focus on identifying malicious code through the use of signatures. A signature is a set pattern that may appear within a file or within the memory that is being used by the malicious software.

The attackers, though, have found many ways around signature-based detection, and so we've had to change the way that we look for a lot of this malicious software. To do that, we use endpoint detection and response, or EDR. EDR uses mechanisms other than signatures to find malicious software. So instead of looking for a signature to occur within a file, we can look at what the file is doing.

We can use machine learning and process monitoring to see if we can identify malicious types of actions on our computer, and block the actions rather than blocking a signature. This can be done from a relatively lightweight agent that’s running on the endpoint, and can constantly be watching for these types of problems to occur.

This EDR solution can often perform a root cause analysis, to determine why this particular behavior occurred in the first place, and can generally find the code that was being used as that malicious software. It can then respond to the threat by isolating the system from the rest of the network, it can quarantine that malicious software into a different part of the operating system, or remove what’s on the system now and roll back to a previously known good configuration.

Of course, all of this can be automated through the use of application programming interfaces, or APIs, which means that the identification, the removal, and the restoration of the system can be done without the need to involve any individual technician.

Organizations are keeping databases of very sensitive information. These can contain medical records, Social Security numbers, credit card numbers, and other types of confidential data.

So how can you prevent that sensitive information from being sent across the network in a form that someone would be able to see? To be able to do that, we use data loss prevention, or DLP. DLP is designed to stop data leakage. It's designed to prevent this sensitive data from being sent across the network in the clear, or even sent across the network in encrypted form.

The challenge, of course, is that there are so many different places that could be sending this information and so many destinations that it could be going to. So DLP often involves many different systems. This could be a DLP solution based in a firewall, it could be client software on each individual system, or it might be based in the cloud so that it can examine all of the emails that may be going in or out of an organization.
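The content inspection that a DLP component performs on one of these data streams, as an added example written for this page rather than taken from the video or from any DLP product. It treats each message as an outbound e-mail body seen by a client-side agent before encryption, looks for two of the data types the video names (Social Security numbers and credit card numbers), and blocks a transfer only when a real match is found. The sample messages, the policy and the pattern choices are all constructed for the illustration; the Luhn check is the standard card-number checksum and is what separates a card number from an order number that merely has sixteen digits.

```python
import re

# Constructed sample messages (not real data) standing in for outbound e-mail bodies.
SAMPLE_MESSAGES = {
    "quarterly_report": "Attached is the Q3 summary. Revenue up 4%, see slide 12.",
    "patient_export": "Patient record for J. Doe, SSN 123-45-6789, DOB 1981-02-14.",
    "card_refund": "Refund the charge on card 4111 1111 1111 1111 exp 09/27 today.",
    "order_number": "Order number 1234-5678-9012-3456 shipped this morning.",
}

# US SSN shape AAA-GG-SSSS, excluding area/group/serial values that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13 to 16 digits, optionally separated by single spaces or hyphens; validated with Luhn below.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four characters so the alert itself does not leak the data."""
    return "*" * (len(value) - 4) + value[-4:]


def inspect(text: str) -> list[tuple[str, str]]:
    """Return (data_type, masked_value) for each sensitive item found in the text."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", mask(m.group())))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):     # a Luhn failure is a false positive (order id, phone number)
            findings.append(("card", mask(digits)))
    return findings


def decide(text: str) -> tuple[str, list[tuple[str, str]]]:
    """Policy: block the transfer if anything sensitive is present, otherwise allow it."""
    findings = inspect(text)
    return ("block" if findings else "allow", findings)


def scan_all(messages: dict[str, str] = SAMPLE_MESSAGES) -> dict[str, tuple[str, list]]:
    """Run the policy over every message and return name -> (action, findings)."""
    return {name: decide(text) for name, text in messages.items()}


if __name__ == "__main__":
    for name, (action, findings) in scan_all().items():
        print(f"{name:18s} {action:5s} {findings}")
```

Two design points carry over to real deployments: the agent reports masked values rather than the matched data, so the DLP alert channel does not itself become a leak; and pattern matches are confirmed with a checksum or format rule before they trigger a block, because a bare sixteen-digit regex will stop legitimate order numbers and invoices.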

If the DLP solution identifies sensitive data within any of these data streams, it can block that information from being transferred outside of your private network.

Traditionally, we've used firewalls to allow or block traffic based on an IP address and a port number. But these days we need to provide more security, and we need to do it at a much more granular level.

To be able to provide this functionality, we need to use next-generation firewalls or NGFWs. A next-generation firewall is able to identify the applications that are flowing across the network, regardless of the IP address or port number that might be in use. And you as the security professional can set policies to allow or disallow access to those applications on the network.

Although next-generation firewall is probably the most common name for this, you might also hear it called an application layer gateway, stateful multilayer inspection, or deep packet inspection. A next-generation firewall can not only identify the applications running over the network, it can identify individual features within the application.

So you could set security policies that would allow someone to view the information on Twitter but prevent them from posting any information on Twitter. Most next-generation firewalls also have antivirus and anti-malware capabilities, so they can look for known malicious software and block it at the network level.

It’s also common to see next-generation firewalls have an SSL decryption capability so that any of the SSL traffic can be decrypted, examined by the firewall, and then re-encrypted and sent on its way. And next-generation firewalls often have a URL filtering capability, so that you can block individual access to a particular website or you can block it based on categorizations. You might want to allow access to travel websites but prevent any access to auction websites.

It’s not only useful to have firewalls that are on the network, it’s also useful to have firewalls on each individual endpoint as well. These are host-based firewalls and it’s software that we would run in the operating system of our endpoints. Because this software is running on our endpoints, it can see all of the different applications that are in use and it can allow or disallow communication for each individual app.

Even if the information being sent across the network is encrypted, a host-based firewall is able to see the in-the-clear traffic that exists on the individual endpoint. And since this host-based firewall is on our individual endpoint, it can see everything going on with the operating system.

So it can identify any unknown processes that are trying to start, and it can block that malware before anything executes on the endpoint itself. It's also common to manage all of these endpoints centrally, so that you can put host-based firewalls on all of your devices and view and manage them all from one single point.
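A per-application rule set of the kind a host-based firewall enforces, as an added example written for this page (it is not the video's material or any operating system's firewall code). Rules are keyed on the executable path, which only software on the endpoint can know, and a connection from a binary that is not in the centrally managed inventory is refused before any rule is consulted, which is the "unknown process" case described above. The paths, the address ranges and the inventory are constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    app: str           # full executable path, or "*" for any process
    direction: str     # "out" (endpoint initiates) or "in" (endpoint accepts)
    remote_net: str    # remote address range in CIDR notation
    ports: tuple       # permitted remote (out) or local (in) ports; () means any port
    action: str        # "allow" or "deny"


# Constructed per-application policy: first matching rule wins, nothing matching is denied.
RULES = [
    Rule("/usr/bin/curl", "out", "0.0.0.0/0", (80, 443), "allow"),
    Rule("/opt/backup/agent", "out", "10.20.0.0/16", (22,), "allow"),
    Rule("/opt/backup/agent", "out", "0.0.0.0/0", (), "deny"),   # explicit deny for this app elsewhere
    Rule("*", "in", "10.0.0.0/8", (22,), "allow"),
    Rule("*", "in", "127.0.0.0/8", (), "allow"),
]

# Constructed inventory of binaries the central console has approved for this endpoint.
KNOWN_APPS = {"/usr/bin/curl", "/opt/backup/agent", "/usr/sbin/sshd"}


def evaluate(app: str, direction: str, remote_ip: str, port: int, rules=RULES):
    """First-match evaluation; returns (action, matching rule) or ("deny", None) by default."""
    ip = ipaddress.ip_address(remote_ip)
    for rule in rules:
        if rule.app != "*" and rule.app != app:
            continue
        if rule.direction != direction:
            continue
        if ip not in ipaddress.ip_network(rule.remote_net):   # False for a mismatched IP version too
            continue
        if rule.ports and port not in rule.ports:
            continue
        return rule.action, rule
    return "deny", None


def check_connection(app: str, direction: str, remote_ip: str, port: int) -> tuple[str, str]:
    """Gate on the managed inventory first, then apply the per-application rules."""
    if app not in KNOWN_APPS:
        return "deny", "unknown process; not in the managed inventory"
    action, rule = evaluate(app, direction, remote_ip, port)
    if rule is None:
        return action, "default deny"
    return action, f"rule: {rule.app} {rule.direction} {rule.remote_net} {rule.ports or 'any'}"


if __name__ == "__main__":
    for args in [("/usr/bin/curl", "out", "198.51.100.10", 443),
                 ("/usr/bin/curl", "out", "198.51.100.10", 8443),
                 ("/opt/backup/agent", "out", "10.30.5.9", 22),
                 ("/usr/sbin/sshd", "in", "203.0.113.7", 22),
                 ("/tmp/dropper", "out", "203.0.113.7", 443)]:
        print(args, "->", check_connection(*args))
```

The explicit deny rule for the backup agent is there so that the policy reads the same whether or not the default changes later; relying on the implicit default-deny alone makes a rule set fragile when someone appends a broad allow beneath it.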

Another type of software for our endpoints is a host-based intrusion detection system. This is a secondary type of security that looks through the log files on your system to identify intrusions that may be occurring, and at that point the software can choose to reconfigure firewalls or other types of security devices to prevent additional attacks on that computer.

These days it’s more common to have a host-based intrusion prevention system or a HIPS, where it has a known set of vulnerabilities that it’s looking for, and if it sees any inbound attacks occurring, it can block those immediately before they hit the operating system.

You may find that the software running on your computer is not a separate piece of software that is a host-based intrusion prevention system, but instead is built in to the endpoint protection software that's being used for your antivirus or anti-malware.

These host-based intrusion prevention systems use many different techniques to identify attacks. One of those might be a signature: we have a known vulnerability, and we can identify an attack against it by looking at the flow of data itself as it goes across the network. We might also have heuristic functionality within the device, so that we can identify when large changes may be occurring and investigate further into why those particular changes are happening on that device.

We also might have behavioral identification, so that if a certain behavior occurs, even though we don't have a signature and even though nothing major has changed that would cause the heuristics to fire, we do have a way to identify something that is occurring a little bit out of the ordinary.

For example, a buffer overflow may have a known signature that can be identified by the intrusion prevention system. Or perhaps a large number of registry updates suddenly occurs, and that would fire the heuristics engine inside of the HIPS. And of course, writing files directly to the Windows folder is certainly behavior that you would not expect to see, so the behavioral aspect of that software would identify something malicious occurring whenever anything is written into that folder.
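A small event-stream analyzer that applies the three techniques just listed, signature, heuristic and behavioral, to the three examples the video gives, and that also illustrates the earlier EDR point that watching what a process does catches things a file signature misses. This is an added example written for this page, not the video's material or any vendor's engine. The events, the process names, the thresholds, the response mapping and the "demo-overflow-001" signature (a stand-in for a real vendor signature, matching a protocol field stuffed with 256 or more copies of one byte) are all constructed for the illustration.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed stand-in for a vendor signature; real signatures arrive from a feed.
SIGNATURES = {"demo-overflow-001": re.compile(rb"(.)\1{255,}")}

WINDOW_SECONDS = 5.0             # heuristic: sliding window for registry activity
REGISTRY_BURST_THRESHOLD = 50    # heuristic: writes per window that count as a "large change"
PROTECTED_DIR = "C:\\Windows\\"  # behavioral: writes here are unexpected from ordinary processes


@dataclass
class Alert:
    technique: str      # "signature", "heuristic" or "behavioral"
    event_index: int
    process: str
    detail: str


def _registry_burst(n: int, start: float = 2.0) -> list:
    """Constructed burst of registry writes from one process, 10 ms apart."""
    return [{"t": start + i * 0.01, "kind": "registry_write", "proc": "loader.exe",
             "key": f"HKCU\\Software\\Demo\\Run{i}"} for i in range(n)]


# Constructed endpoint telemetry: network receives, file writes and registry writes.
EVENTS = [
    {"t": 0.0, "kind": "net_recv", "proc": "webagent.exe", "data": b"GET /login?user=alice HTTP/1.1"},
    {"t": 0.5, "kind": "net_recv", "proc": "webagent.exe",
     "data": b"GET /login?user=" + b"A" * 300 + b" HTTP/1.1"},
    {"t": 1.0, "kind": "file_write", "proc": "installer.exe", "path": "C:\\Users\\alice\\Downloads\\setup.tmp"},
    {"t": 1.2, "kind": "file_write", "proc": "updater.exe", "path": "C:\\Windows\\System32\\demo.dll"},
    *_registry_burst(60),
]


def analyze(events=EVENTS) -> list:
    """Run every event through the three detectors and return the alerts in event order."""
    alerts = []
    recent_registry = defaultdict(deque)   # process -> timestamps inside the sliding window
    for i, ev in enumerate(events):
        if ev["kind"] == "net_recv":
            # Signature: a known pattern in the data flow itself.
            for name, pattern in SIGNATURES.items():
                if pattern.search(ev["data"]):
                    alerts.append(Alert("signature", i, ev["proc"], f"matched {name}"))
        elif ev["kind"] == "registry_write":
            # Heuristic: an unusually large rate of change from one process.
            window = recent_registry[ev["proc"]]
            window.append(ev["t"])
            while ev["t"] - window[0] > WINDOW_SECONDS:
                window.popleft()
            if len(window) == REGISTRY_BURST_THRESHOLD:   # fire once, as the threshold is crossed
                alerts.append(Alert("heuristic", i, ev["proc"],
                                    f"{len(window)} registry writes within {WINDOW_SECONDS:.0f}s"))
        elif ev["kind"] == "file_write":
            # Behavioral: an action that is out of the ordinary regardless of content or rate.
            if ev["path"].lower().startswith(PROTECTED_DIR.lower()):
                alerts.append(Alert("behavioral", i, ev["proc"], f"wrote {ev['path']}"))
    return alerts


# Constructed mapping from detection to the EDR responses the video lists.
RESPONSES = {
    "signature": "quarantine the process image and block the connection",
    "heuristic": "isolate the host from the network pending investigation",
    "behavioral": "terminate the process and roll back the protected files",
}


def response_plan(alerts) -> list:
    """Turn alerts into (process, technique, action) triples an automated responder could act on."""
    return [(a.process, a.technique, RESPONSES[a.technique]) for a in alerts]


if __name__ == "__main__":
    for alert in analyze():
        print(alert)
    for step in response_plan(analyze()):
        print(step)
```

Only the first detector needs prior knowledge of the attack; the registry-rate heuristic and the protected-folder rule fire on behavior alone, which is why the second event is caught even if the signature table were empty of everything but it, and why the other two would still be caught with the table empty altogether.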

And of course, since this is running on our endpoints themselves, it has full access to all of the data that is on the system, even data that may be in the clear and not encrypted as we are processing that information in memory.