Endpoint Security

Terms for protecting devices such as laptops, servers, mobile devices, and workloads through monitoring, policy, and response.

This section covers endpoint protection vocabulary such as antivirus, EDR, XDR, hardening, device management, and host-based controls.

Use it when the term is about protecting the device or workload itself.

Core Articles

Endpoint security works best when it reinforces Least Privilege, Defense in Depth, Multi-Factor Authentication, and Network Segmentation.

In this section

  • Anti-Malware Protection
    Anti-malware is the broader category of controls used to detect, block, or remove malicious software and related harmful behavior on endpoints.
  • Antivirus Software
    Antivirus is endpoint protection software that helps detect, block, or remove malicious files and related threats on devices.
  • Application Whitelisting Control
    Application whitelisting limits which programs are allowed to run so unapproved or unexpected code is blocked by policy.
  • Browser Isolation Protection
    Browser isolation is a security approach that separates web browsing activity from the user's main endpoint so risky web content is less likely to directly affect the device.
  • Command Line Auditing Logs
    Command-line auditing is the practice of recording and reviewing command execution activity so administrators and security teams can understand what actions were taken on systems.
  • Device Compliance Checks
    Device compliance is the evaluation of whether a device meets required security conditions before it is trusted for access.
  • Device Hardening Practices
    Device hardening is the practice of reducing unnecessary exposure on a device through safer configuration, fewer services, and tighter control settings.
  • Disk Encryption Controls
    Disk encryption is the protection of stored data on a device by keeping it unreadable without the required cryptographic key or unlock process.
  • Endpoint Detection and Response
    Endpoint detection and response combines endpoint telemetry, alerting, and response actions to help detect and contain suspicious activity on devices.
  • Endpoint Isolation Controls
    Endpoint isolation is a containment action that cuts a device off from most network communication so security teams can limit spread and investigate safely.
  • Endpoint Tamper Protection
    Tamper protection is a control that helps prevent malware or unauthorized users from disabling or weakening endpoint security tools and settings.
  • Extended Detection and Response
    Extended detection and response combines signals from multiple security domains so defenders can investigate and respond with broader context than endpoint data alone.
  • File Integrity Monitoring (FIM)
    File integrity monitoring is the practice of watching important files for unexpected creation, deletion, or modification.
  • Host-Based Firewall
    A host-based firewall filters traffic at the device level so each endpoint can enforce its own local network access rules.
  • Mobile Application Management
    Mobile application management is a policy approach that controls business apps and their data on mobile devices, often used for BYOD when full device management is not appropriate.
  • Mobile Device Management
    Mobile device management is the use of centralized policy and control to secure, configure, and manage mobile devices and sometimes other managed endpoints.
  • Patch Management Program
    Patch management is the process of identifying, testing, deploying, and tracking software updates that reduce security and operational risk.
  • Remote Wipe Capability
    Remote wipe is the ability to erase data or reset a managed device from a distance when the device is lost, stolen, or no longer trusted.
  • Secure Boot Verification
    Secure Boot is a startup trust mechanism that verifies approved boot components before the operating system is allowed to load.
  • Security Sandboxing
    Sandboxing is the practice of running code or content in a restricted environment so its behavior is contained and its access to the broader system is limited.
  • Trusted Execution Environment
    A trusted execution environment is a protected area of a device or processor designed to isolate sensitive operations and data from the rest of the system.

Revised on Friday, April 24, 2026