What is endpoint security?

Endpoint security is the practice of protecting the devices that connect to a network, including laptops, desktops, mobile devices, servers, and IoT and medical devices, through both protective and detective controls. It combines preventive protection that blocks known threats at the point of entry with continuous detection and response that finds and stops threats that get inside.

A complete endpoint security program spans an endpoint protection platform (EPP), endpoint detection and response (EDR), endpoint management, device security, and threat intelligence integration. Endpoints are a common attack vector because an attacker's goal is often to compromise a device and then move to the network and the assets within it.

Endpoint security reduces that risk by applying consistent controls across every device, wherever it connects, and by feeding endpoint activity into broader detection and response. It is also an enforcement surface for zero trust, where each device is verified before it is granted access.

Learn about Secure Endpoint

What a complete endpoint security program includes

A complete endpoint security program combines preventive protection with continuous detection and response. Preventive tools block known threats at the point of entry, while detection and response tools continuously monitor devices, analyze behavior, and speed remediation when a threat gets through. To do this well, endpoint tools collaborate with the rest of the security stack and give administrators visibility into advanced threats.

Modern endpoint security typically uses a cloud-based approach to access current threat intelligence without manual updates, which supports faster and more automated response. It continuously monitors files and applications entering the environment and scales as the organization adds devices and users.

For the broader control framework that endpoint security fits into, see NIST SP 800-53. For documented adversary techniques that detection maps against, see MITRE ATT&CK.

What is endpoint security?

Endpoint security combines preventative endpoint protection with a new breed of continuous detection and response capabilities.

Endpoint protection systems are designed to quickly detect, analyze, block, and contain attacks in progress. To do this, they need to collaborate with other security technologies to give administrators visibility into advanced threats to speed detection and remediation response times.

How does an endpoint security solution work?

An endpoint security solution includes continuous monitoring, rapid time to detection, and architectural integrations. With threats continually increasing in sophistication and frequency, it is more important than ever to deploy an effective endpoint protection solution.

Endpoint security solutions take a cloud-based approach to instantly access the latest threat intelligence without requiring manual updates from security admins. This allows for faster and more automated responses. They continuously monitor all files and applications that enter your network and have the ability to scale and integrate into your existing environment.

Cloud-based solutions offer scalability and flexibility and are easy to install, integrate, and manage. There is also less overhead since there is no infrastructure to maintain.

Components of an endpoint security program

Endpoint security combines several components. The table summarizes each at a hub level. 

ComponentPrimary focusWhere it fits
Endpoint protection platform (EPP)Prevention at the point of entryBlocks known threats, including signature-based malware, before they execute
Endpoint detection and response (EDR)Detection, investigation, and response on endpointsContinuously monitors devices to find and contain threats that evade prevention
Extended detection and response (XDR)Correlated detection and response across layersExtends endpoint detection across network, email, and cloud for broader visibility 

Secure MDR for Endpoint

Cisco Secure's Truman Coburn and Security Consulting Engineer Andy Hagar discuss the role the Cisco MDR platform and automation plays when investigating and mitigating threats.

Common questions about endpoint security

Endpoint security is the practice of protecting the devices that connect to a network — such as laptops, desktops, mobile, servers, and IoT devices — through preventative and detective controls. It combines prevention at the point of entry with continuous detection and response for threats that get inside. 

Antivirus is one preventative component that blocks known, signature-based threats, while endpoint security is the broader program that adds continuous detection, investigation, and response. Antivirus alone cannot stop advanced threats that evade signature-based defenses, which is why a complete program also includes EDR. 

A complete endpoint security program includes an endpoint protection platform (EPP), endpoint detection and response (EDR), endpoint management, device security, and threat-intelligence integration. EPP prevents known threats, EDR detects and responds to advanced threats, and management and device security maintain control across all endpoints.

EPP focuses on preventing known threats at the point of entry, while EDR continuously monitors endpoints to detect and respond to advanced threats that evade prevention. A complete approach uses both. See the EPP and EDR pages for full detail. 

Endpoint security supports Zero Trust by verifying device trust and posture before a device is granted access, and by continuously monitoring devices after access is granted. It acts as an enforcement surface that feeds device signals into Zero Trust access decisions.