The emergence of cloud technologies has created new possibilities, and with these came many new products that utilized them. Some very good, existing security products have also evolved and benefited from being enabled by cloud technologies. Cloud endpoint protection products, which are basically old antivirus suites, are some of the most transformed products in this landscape.
Most cloud-enabled endpoint security products have a 24/7 monitoring team overseeing all of their customers' security data, which is stored within the cloud platform and can be viewed as a whole. This means they not only have an experienced and specialized security team that can deal with a broad range of malware and advanced persistent threats, but also that this team has a cross-customer overview.
For instance, in the case of a global malware outbreak, the security team can use all of their knowledge to build up an intelligence database. This knowledge can then be shared in a sanitized format with all of their customers, sometimes for a subscription fee. Often, there is also an option to upgrade to a full 24/7 monitoring and response functionality, more like the traditional security operations center, although the fees for that can be quite substantial. Some vendors, such as McAfee, CrowdStrike and FireEye, offer a 24/7 monitoring and intelligence function via their cloud endpoint protection products.
External log services
A security best practice is to store security logs both internally, for performance and ease of use, and externally, as a backup archive. When endpoint security logs are sent directly from a host to a cloud platform, both requirements are actually covered at the same time. No matter what happens to the organization's endpoint or to the network, those logs are stored off site in real time. Because the connection runs directly from the host to the service provider, the stored logs are independent of any compromised account on the organization's network.
This means some trust will need to be placed in your vendor's security and availability, but it is often also possible to set up an additional, on-site log server that can be connected to a security information and event management (SIEM) system.
Local product infrastructure is often optional
In most cases, the endpoints communicate directly with the cloud platform via an API or a simple HTTPS connection, so there is hardly any requirement for costly infrastructure to keep the product operational. Some on-site download and deployment repositories can reduce external traffic, but, even without them, the cloud endpoint protection products will still be operational.
Similarly, a cloud service may be offline from time to time, but the local clients on the actual endpoints are designed to continue functioning in the meantime.
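The two properties described above, a local copy for the on-site SIEM plus a real-time off-site copy, and a client that keeps working while the cloud platform is unreachable, come down to a store-and-forward design in the endpoint agent. The following is an added example, not code from the article or from any vendor's product: it writes every event to a local archive first, queues it for the cloud, and retains the queue across an outage so the off-site copy ends up complete and in order. The transport, hostnames and event fields are constructed placeholders.

```python
"""Store-and-forward shipping of endpoint security events.

Added example (not from the article or any vendor). Each event is written to
a local archive that an on-site SIEM can read, then queued for the cloud
platform. If the cloud is unreachable the queue is kept intact and flushed,
in order, when the connection returns, so the client keeps operating through
outages and the off-site copy loses nothing.
"""
import json
from collections import deque
from dataclasses import dataclass, field


class CloudUnavailable(Exception):
    """Raised by the transport when the cloud platform cannot be reached."""


@dataclass
class FakeCloudTransport:
    """Stand-in for a vendor's ingestion API (constructed for this example)."""
    online: bool = True
    received: list = field(default_factory=list)

    def send(self, batch):
        if not self.online:
            raise CloudUnavailable("cloud platform unreachable")
        self.received.extend(batch)


@dataclass
class EndpointLogShipper:
    transport: FakeCloudTransport
    local_archive: list = field(default_factory=list)   # what the on-site SIEM reads
    pending: deque = field(default_factory=deque)       # durable outbound queue
    max_batch: int = 100

    def record(self, event: dict) -> None:
        """Write locally first, then queue for the cloud; an event is never dropped."""
        line = json.dumps(event, sort_keys=True)
        self.local_archive.append(line)
        self.pending.append(line)
        self.flush()

    def flush(self) -> int:
        """Ship queued events in batches. Returns how many were delivered this call."""
        delivered = 0
        while self.pending:
            size = min(self.max_batch, len(self.pending))
            batch = [self.pending[i] for i in range(size)]
            try:
                self.transport.send(batch)
            except CloudUnavailable:
                break  # leave the queue untouched; retried on the next record()/flush()
            for _ in batch:
                self.pending.popleft()
            delivered += len(batch)
        return delivered

    def backlog(self) -> int:
        """Number of events still waiting for the cloud platform."""
        return len(self.pending)


def demo(outage_events: int = 3) -> dict:
    """Simulate an outage: events recorded offline are buffered, then delivered in order."""
    cloud = FakeCloudTransport()
    shipper = EndpointLogShipper(cloud)
    # Constructed sample events; "lt-001" is a placeholder hostname.
    shipper.record({"ts": 1, "host": "lt-001", "type": "process_start", "image": "word.exe"})
    cloud.online = False
    for i in range(outage_events):
        shipper.record({"ts": 2 + i, "host": "lt-001", "type": "file_encrypt", "n": i})
    buffered = shipper.backlog()
    cloud.online = True
    flushed = shipper.flush()
    return {
        "buffered_during_outage": buffered,
        "flushed_on_reconnect": flushed,
        "cloud_copy": len(cloud.received),
        "local_copy": len(shipper.local_archive),
        "order_preserved": cloud.received == shipper.local_archive,
    }


if __name__ == "__main__":
    print(demo())
```

A real agent would persist the queue to disk rather than memory so it survives a reboot, and would authenticate to the vendor API with a per-device credential, which is what keeps the off-site copy independent of any account on the corporate network.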
Network-independent, real-time monitoring
In the age of mobility, traditional endpoint protection products are struggling to keep up. For example, imagine a user bringing a corporate laptop or a BYOD smartphone home after a workday in a corporate office. The user connects the laptop to their home Wi-Fi network, does some online shopping, downloads some TV series via BitTorrent and eventually installs some new ransomware variety. Without a matching signature, the ransomware is unlikely to be blocked outright, so the encryption it starts is unlikely to be prevented either. It gets worse.
Without a connection between the client and a management server within the corporate network, the security department will not be notified that same night, even if they are operational 24/7. There is nothing to stop the user from connecting that infected machine to the company network the next morning back in the office.
The internal security team will only get an alert once the endpoint security client connects back to the network and communicates with the internal management servers. That is too late. The malware could spread to company network shares, steal network credentials and install backdoors all within the blink of an eye.
With a cloud platform communicating with the endpoint client 24/7 through the internet, alerting happens in real time, as long as there is an active internet connection.
True endpoint containment, anywhere
Location-independent and real-time alerting are good additions to the IT security capabilities of any organization. What is even better is the isolation and containment of infected and compromised hosts in real time.
Looking at the previous example, if the infected host had communicated directly with a management system in a cloud platform, the security team would have been able to manually or automatically isolate the infected machine right when the infection occurred. That would truly prevent the system from being connected to any network, other than possibly a whitelisted triage or rebuild environment, until the threat has been eliminated. This is what many vendors offer now, and it is probably one of the biggest benefits cloud-based endpoint security products offer so far.
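What "isolation" has to mean in practice is a default-deny posture on the host with exactly two carve-outs: the management channel to the cloud platform, so the agent can still be controlled and still report, and the whitelisted triage or rebuild environment. The following is an added example, not the article's or any vendor's code: it encodes that policy as a decision function and renders it as an nftables ruleset. The management address, port and triage subnet are constructed placeholders, and a real deployment would also need to allow whatever name resolution the agent depends on.

```python
"""Host isolation policy for a compromised endpoint.

Added example (not from the article or any vendor). When the cloud platform
flags a host, isolation drops every connection except the agent's management
channel to the cloud platform and traffic from a whitelisted triage/rebuild
environment. All addresses below are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class IsolationPolicy:
    # Cloud management endpoints the agent must keep reaching (constructed values).
    management: tuple = (("203.0.113.10", 443),)
    # Triage / rebuild environment allowed to reach the host (constructed subnet).
    triage_networks: tuple = ("198.51.100.0/28",)

    def allows_outbound(self, dst_ip: str, dst_port: int) -> bool:
        """While isolated, only the management channel may be opened outbound."""
        return (dst_ip, dst_port) in self.management

    def allows_inbound(self, src_ip: str) -> bool:
        """While isolated, only the triage environment may connect to the host."""
        addr = ipaddress.ip_address(src_ip)
        return any(addr in ipaddress.ip_network(n) for n in self.triage_networks)

    def filter_connections(self, attempts: list) -> dict:
        """Classify connection attempts as allowed or blocked under isolation.

        Each attempt is (direction, ip, port); direction is "in" or "out".
        """
        allowed, blocked = [], []
        for direction, ip, port in attempts:
            ok = (self.allows_outbound(ip, port) if direction == "out"
                  else self.allows_inbound(ip))
            (allowed if ok else blocked).append((direction, ip, port))
        return {"allowed": allowed, "blocked": blocked}

    def to_nftables(self) -> str:
        """Render a default-deny ruleset with the two carve-outs."""
        lines = [
            "table inet isolation {",
            "  chain input {",
            "    type filter hook input priority 0; policy drop;",
            "    ct state established,related accept",
            "    iif lo accept",
        ]
        lines += [f"    ip saddr {n} accept" for n in self.triage_networks]
        lines += [
            "  }",
            "  chain output {",
            "    type filter hook output priority 0; policy drop;",
            "    ct state established,related accept",
            "    oif lo accept",
        ]
        lines += [f"    ip daddr {ip} tcp dport {port} accept"
                  for ip, port in self.management]
        lines += ["  }", "}"]
        return "\n".join(lines)


def demo() -> dict:
    """Run a few constructed connection attempts through the policy."""
    policy = IsolationPolicy()
    attempts = [
        ("out", "203.0.113.10", 443),   # agent talking to the cloud platform: allowed
        ("out", "192.0.2.25", 445),     # SMB to a corporate file share: blocked
        ("out", "203.0.113.10", 80),    # same host, wrong port: blocked
        ("in", "198.51.100.5", 22),     # triage jump host: allowed
        ("in", "192.0.2.40", 3389),     # anything else inbound: blocked
    ]
    return policy.filter_connections(attempts)


if __name__ == "__main__":
    print(demo())
    print(IsolationPolicy().to_nftables())
```

Keeping `established,related` traffic open means the agent's existing session to the cloud platform survives the switch to isolation, so the same channel that raised the alert can later deliver the release command once the threat has been eliminated.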
Security vendors have been leveraging cloud platforms for quite some time now, with mixed levels of success. The most innovative products that benefit from this added flexibility are cloud endpoint protection products. Some of the benefits covered earlier are so significant that a traditional antivirus product without all of these options is simply outclassed. The mentioned network-independent monitoring and containment options especially fill the need for round-the-clock and mobile security.
Organizations that have not compared their current endpoint security controls to the market offerings within the last two years should certainly do so within the next few months.