Lesson 6 of 8

Endpoint Security


What an Endpoint Is and Why It Is a Target

An endpoint is any device that connects to a network: laptops, desktops, servers, mobile phones, tablets, and even Internet of Things (IoT) devices. Each one represents a possible entry point for an attacker and, at the same time, an asset we must protect.

With the disappearance of the traditional perimeter, driven by remote work, the cloud, and personal devices, endpoints have become the first line of defense. A single compromised machine can serve as a beachhead from which an attacker moves laterally across the network. Protecting the endpoint is therefore a strategic priority.

Endpoint security is not a single tool, but a combination of layers: malware prevention, vulnerability management, attack surface reduction, and recovery capability. Let us go through each one.

Antivirus and EDR

Traditional antivirus protects by detecting known malware through signatures: patterns that identify already-cataloged threats. It is effective against known threats, but on its own it does not stop new attacks or variants that change their signature to evade detection.

That is why it evolved into EDR (Endpoint Detection and Response). Instead of merely comparing signatures, EDR records and monitors the system's behavior in real time: process creation and parent-child relationships, unusual network connections, credential access, attempts at mass encryption. When it detects anomalous activity it can isolate the machine from the network, kill processes, and give the security team the telemetry to investigate. Its successor, XDR (Extended Detection and Response), correlates signals from multiple sources, such as endpoints, e-mail, identity, and network telemetry.
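Two of the behaviors mentioned above, a document application launching a script interpreter and a process giving many files a new extension in a short window, are the kind of rule a behavioral engine runs over its telemetry. The following Python is an added example written for this lesson, not code from any EDR product; the event stream, the process names, and the thresholds (5 renames in 60 seconds) are all constructed here for illustration.

```python
import ntpath
from collections import defaultdict
from datetime import datetime

# Tunables a behavioral rule would expose (values chosen for this example).
MASS_RENAME_THRESHOLD = 5   # distinct files given a new extension by one process ...
MASS_RENAME_WINDOW_S = 60   # ... within this many seconds
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe"}

# Constructed telemetry (invented for this example, not real EDR output).
# Record layout: (timestamp, pid, image name, event type, detail)
EVENTS = [
    ("2024-05-01T09:00:01", 410, "winword.exe", "process_start", "winword.exe invoice.docm"),
    ("2024-05-01T09:00:05", 410, "winword.exe", "child_process", "powershell.exe"),
    ("2024-05-01T09:00:07", 812, "powershell.exe", "net_connect", "203.0.113.7:443"),
    ("2024-05-01T09:00:09", 812, "powershell.exe", "file_rename", r"C:\Users\a\Docs\draft.docx -> C:\Users\a\Docs\final.docx"),
    ("2024-05-01T09:00:10", 812, "powershell.exe", "file_rename", r"C:\Users\a\Docs\q1.xlsx -> C:\Users\a\Docs\q1.xlsx.locked"),
    ("2024-05-01T09:00:12", 812, "powershell.exe", "file_rename", r"C:\Users\a\Docs\q2.xlsx -> C:\Users\a\Docs\q2.xlsx.locked"),
    ("2024-05-01T09:00:14", 812, "powershell.exe", "file_rename", r"C:\Users\a\Docs\plan.pptx -> C:\Users\a\Docs\plan.pptx.locked"),
    ("2024-05-01T09:00:16", 812, "powershell.exe", "file_rename", r"C:\Users\a\Pictures\a.jpg -> C:\Users\a\Pictures\a.jpg.locked"),
    ("2024-05-01T09:00:18", 812, "powershell.exe", "file_rename", r"C:\Users\a\Pictures\b.jpg -> C:\Users\a\Pictures\b.jpg.locked"),
    ("2024-05-01T09:00:20", 812, "powershell.exe", "file_rename", r"C:\Users\a\Desktop\todo.txt -> C:\Users\a\Desktop\todo.txt.locked"),
    # Benign activity: a backup agent rotating two files, far below the threshold.
    ("2024-05-01T09:05:00", 300, "backup.exe", "file_rename", r"D:\bak\db.bak -> D:\bak\db.bak.old"),
    ("2024-05-01T09:05:30", 300, "backup.exe", "file_rename", r"D:\bak\logs.bak -> D:\bak\logs.bak.old"),
]


def _parse_time(stamp):
    return datetime.fromisoformat(stamp)


def _extension_changed(detail):
    """file_rename detail is 'old_path -> new_path'; True if the extension differs."""
    src, _, dst = detail.partition(" -> ")
    return ntpath.splitext(src)[1].lower() != ntpath.splitext(dst)[1].lower()


def detect_mass_encryption(events, threshold=MASS_RENAME_THRESHOLD, window_s=MASS_RENAME_WINDOW_S):
    """Flag a process that gives many files a new extension inside a short window,
    the file-system footprint of ransomware encrypting a user's documents."""
    renames = defaultdict(list)                      # pid -> [(time, image)]
    for stamp, pid, image, kind, detail in events:
        if kind == "file_rename" and _extension_changed(detail):
            renames[pid].append((_parse_time(stamp), image))
    alerts = []
    for pid, items in renames.items():
        items.sort()
        times = [t for t, _ in items]
        start, peak = 0, 0
        for end in range(len(times)):                # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append({"rule": "mass_file_encryption", "pid": pid,
                           "image": items[0][1], "files_in_window": peak})
    return alerts


def detect_office_spawning_script_host(events):
    """Flag a document-handling application launching a shell or script interpreter,
    the classic footprint of a malicious macro or exploit document."""
    alerts = []
    for _, pid, image, kind, detail in events:
        if kind == "child_process" and image.lower() in OFFICE_APPS and detail.lower() in SCRIPT_HOSTS:
            alerts.append({"rule": "office_spawns_script_host", "pid": pid,
                           "image": image, "child": detail})
    return alerts


def analyze(events):
    """Run every rule over the stream and return the alerts in rule order."""
    return detect_office_spawning_script_host(events) + detect_mass_encryption(events)


if __name__ == "__main__":
    for alert in analyze(EVENTS):
        print(alert)
```

Neither rule needs a signature of the malware: the first fires on the parent-child relationship, the second on the rate and shape of file changes, which is why a renamed or repacked sample still trips them. The backup agent's two renames stay under the threshold, which is the point of tuning the window and count against known-good activity before the rule goes live.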

For individual users, a reputable, up-to-date security solution is enough; for organizations, centrally managed EDR/XDR allows responding to incidents at scale. In both cases, no single tool replaces the other layers of defense.

Patch Management

Most successful attacks do not exploit unknown vulnerabilities but known flaws for which a patch exists that the victim did not apply. Patch management, keeping the operating system and all applications up to date, is probably the defensive measure with the best cost-benefit ratio.

When a vendor publishes a security update, it also implicitly reveals the vulnerability it fixes: attackers compare the patched and unpatched code to locate the flaw and build an exploit against those who have not yet applied it. That is why the window between a patch's release and its application is a period of high risk. Mature organizations automate patch deployment and prioritize by criticality and exposure: internet-facing systems and flaws already being exploited go first.

Enabling automatic updates on operating systems, browsers, and applications is one of the simplest, highest-impact actions any person can take. Unsupported (end-of-life) software, which no longer receives patches, must be retired or isolated.
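The prioritization described above, severity first and then how long the fix has been public, together with the end-of-life rule, can be expressed as a small triage routine. This Python is an added example for this lesson, not part of any patch-management product; the inventory, the advisory feed, the product names and the dates are all constructed for illustration.

```python
from datetime import date

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed software inventory of one endpoint (invented for this example).
INVENTORY = [
    {"product": "browser",      "version": "124.0.2", "eol": None},
    {"product": "pdf-reader",   "version": "11.3.0",  "eol": None},
    {"product": "office-suite", "version": "16.0.1",  "eol": None},
    {"product": "legacy-db",    "version": "5.7.4",   "eol": date(2023, 10, 31)},
]

# Constructed advisory feed: the version that fixes each flaw and the day the fix shipped.
ADVISORIES = [
    {"product": "browser",      "fixed_in": "124.0.5", "severity": "critical", "released": date(2024, 4, 20)},
    {"product": "pdf-reader",   "fixed_in": "11.2.9",  "severity": "high",     "released": date(2024, 2, 1)},
    {"product": "office-suite", "fixed_in": "16.0.3",  "severity": "high",     "released": date(2024, 3, 15)},
    {"product": "legacy-db",    "fixed_in": "8.0.1",   "severity": "medium",   "released": date(2024, 1, 10)},
]


def parse_version(text):
    """'124.0.5' -> (124, 0, 5), so versions compare numerically rather than as strings
    (a string compare would rank '9.9.9' above '10.0.1'). Dotted integers only."""
    return tuple(int(part) for part in text.split("."))


def prioritize(inventory, advisories, today):
    """Return {'patch': [...], 'retire': [...]}.

    'patch' lists fixes this endpoint is missing, most severe first and, within one
    severity, the fix that has been public longest first (that is the widest window
    an attacker has had to work from the patch).
    'retire' lists end-of-life products: no fix will ever come, so the only
    remediation is to replace or isolate them, regardless of any advisory."""
    installed = {item["product"]: item for item in inventory}
    retire = [item["product"] for item in inventory if item["eol"] and item["eol"] < today]
    patch = []
    for adv in advisories:
        item = installed.get(adv["product"])
        if item is None or item["product"] in retire:
            continue
        if parse_version(item["version"]) >= parse_version(adv["fixed_in"]):
            continue                                   # fix already applied
        patch.append({
            "product": adv["product"],
            "installed": item["version"],
            "fixed_in": adv["fixed_in"],
            "severity": adv["severity"],
            "exposure_days": (today - adv["released"]).days,
        })
    patch.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], -f["exposure_days"]))
    return {"patch": patch, "retire": retire}


if __name__ == "__main__":
    report = prioritize(INVENTORY, ADVISORIES, date(2024, 5, 1))
    for finding in report["patch"]:
        print(f"PATCH  {finding['product']:<13} {finding['installed']} -> {finding['fixed_in']} "
              f"[{finding['severity']}] public for {finding['exposure_days']} days")
    for product in report["retire"]:
        print(f"RETIRE {product:<13} end of life; isolate or replace")
```

In a real deployment the inventory comes from the endpoint agent and the advisories from the vendor feeds; the logic stays the same, and the "exposure_days" column is the metric to watch, because it is exactly the high-risk window the paragraph above describes.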

Hardening: Reducing the Attack Surface

Hardening consists of configuring a system to minimize its exposure, removing everything unnecessary and restricting the rest. Every unused service, port, or account is a possible attack path that is best closed. The guiding principle is: only what is strictly necessary should be enabled.

Hardening practices include disabling unused services and accounts, closing unnecessary ports, disabling old and insecure protocols, applying secure default configurations, and enabling the operating system's own firewall. Reference guides such as the CIS Benchmarks offer detailed checklists for common operating systems and applications.
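One concrete hardening check is to compare what a host actually listens on against what it is allowed to expose, and to call out legacy protocols by their well-known ports. The following Python is an added example for this lesson, not a tool from the CIS Benchmarks or any vendor; it parses a constructed sample of `ss -tulnH` output (Linux) rather than querying a live system, and the allowlist of exposed ports is an assumed policy for a host whose only remote service is SSH.

```python
# Ports this host is allowed to expose on non-loopback addresses (assumed policy).
ALLOWED_EXPOSED = {("tcp", 22)}

# Plaintext or known-weak protocols that hardening guides disable outright,
# keyed by their conventional ports.
LEGACY_PROTOCOLS = {
    ("tcp", 21): "ftp",
    ("tcp", 23): "telnet",
    ("tcp", 513): "rlogin",
    ("tcp", 514): "rsh",
    ("udp", 69): "tftp",
}

LOOPBACK = {"127.0.0.1", "[::1]"}

# Constructed sample of `ss -tulnH` (tcp+udp, listening, numeric, no header).
SS_OUTPUT = """\
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:5432      0.0.0.0:*
tcp   LISTEN 0      5            0.0.0.0:23        0.0.0.0:*
tcp   LISTEN 0      100          0.0.0.0:25        0.0.0.0:*
tcp   LISTEN 0      128             [::]:22           [::]:*
udp   UNCONN 0      0            0.0.0.0:161       0.0.0.0:*
"""


def parse_listeners(text):
    """Turn `ss -tulnH` lines into (proto, local address, port) tuples.
    Column 5 is the local address; rpartition on ':' keeps '[::]' intact."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")
        listeners.append((proto, addr, int(port)))
    return listeners


def audit_listeners(listeners, allowed=ALLOWED_EXPOSED, legacy=LEGACY_PROTOCOLS):
    """Report every socket reachable from the network that is either a legacy
    protocol (disable it) or not on the allowlist (stop it or firewall it)."""
    findings = []
    for proto, addr, port in listeners:
        if addr in LOOPBACK:
            continue                       # reachable only from the host itself
        key = (proto, port)
        if key in legacy:
            findings.append({"proto": proto, "port": port, "address": addr, "severity": "high",
                             "action": f"disable {legacy[key]}: legacy protocol"})
        elif key not in allowed:
            findings.append({"proto": proto, "port": port, "address": addr, "severity": "medium",
                             "action": "not in allowlist: stop the service or block it in the host firewall"})
    return sorted(findings, key=lambda f: (f["proto"], f["port"]))


if __name__ == "__main__":
    for f in audit_listeners(parse_listeners(SS_OUTPUT)):
        print(f"{f['severity']:<6} {f['proto']}/{f['port']:<5} on {f['address']:<9} {f['action']}")
```

The PostgreSQL socket bound to 127.0.0.1 produces no finding: binding a service to loopback is itself a hardening step, since nothing off the host can reach it. On a live system feed `ss -tulnH` into `parse_listeners`; on Windows the equivalent raw data comes from `netstat -ano` or `Get-NetTCPConnection` and needs its own parser.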

Full-disk encryption (such as BitLocker on Windows or FileVault on macOS) is also part of hardening: it protects the confidentiality of data if the device is lost or stolen, since without the key the content is unreadable. It only protects data at rest, however: once the user has unlocked the disk, malware running on the machine reads the files like any other process.

Backups: the Last Line of Defense

When all other defenses fail, whether to ransomware, a hardware failure, or human error, backups are what allow recovery without paying ransoms or losing information. A good strategy is summed up in the 3-2-1 rule: keep three copies of the data, on two different types of media, with at least one off-site.

It is crucial that at least one copy be isolated or immutable, so that ransomware infecting the network cannot also encrypt the backups. Copies permanently connected to the system are as vulnerable as the original data.
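The two checks that make a backup trustworthy, knowing whether a copy has been altered since it was written and rehearsing the restore, both reduce to keeping a manifest of file hashes and comparing against it. The following Python is an added example for this lesson, not code from any backup product. It builds a small constructed data set in a temporary directory, backs it up with a SHA-256 manifest, rehearses a restore, and then simulates ransomware overwriting a backup copy that stayed writable so the verification catches it. The read-only bit it sets is an assumption of this example and is a speed bump, not immutability: a real isolated copy lives on offline media or on storage with write-once (WORM / object-lock) semantics.

```python
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path

MANIFEST = "manifest.json"


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def create_backup(src_dir, backup_dir):
    """Copy every file under src_dir into backup_dir, record a SHA-256 per file in a
    manifest, and drop write permission on the copies (a weak stand-in for WORM storage)."""
    src_dir, backup_dir = Path(src_dir), Path(backup_dir)
    manifest = {}
    for path in sorted(p for p in src_dir.rglob("*") if p.is_file()):
        rel = path.relative_to(src_dir).as_posix()
        target = backup_dir / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)
        os.chmod(target, 0o444)
        manifest[rel] = sha256_file(target)
    (backup_dir / MANIFEST).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_tree(root, manifest):
    """Compare every manifest entry against the file under root."""
    root = Path(root)
    result = {"ok": [], "mismatch": [], "missing": []}
    for rel, digest in sorted(manifest.items()):
        path = root / rel
        if not path.exists():
            result["missing"].append(rel)
        elif sha256_file(path) != digest:
            result["mismatch"].append(rel)
        else:
            result["ok"].append(rel)
    return result


def verify_backup(backup_dir):
    """Integrity check of the backup copy itself against its own manifest."""
    backup_dir = Path(backup_dir)
    manifest = json.loads((backup_dir / MANIFEST).read_text())
    return verify_tree(backup_dir, manifest)


def restore_and_verify(backup_dir, restore_dir):
    """Rehearse a restore: copy the files out, then check the copies against the manifest."""
    backup_dir, restore_dir = Path(backup_dir), Path(restore_dir)
    manifest = json.loads((backup_dir / MANIFEST).read_text())
    for rel in manifest:
        target = restore_dir / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(backup_dir / rel, target)
    return verify_tree(restore_dir, manifest)


def demo():
    """Constructed scenario: back up two files, rehearse a restore, then simulate
    ransomware reaching a writable backup and show the check catching it."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "data"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("date,amount\n2024-05-01,120.00\n")  # constructed
        (src / "notes.txt").write_text("quarterly review\n")                             # constructed
        manifest = create_backup(src, tmp / "backup")
        clean = verify_backup(tmp / "backup")
        rehearsal = restore_and_verify(tmp / "backup", tmp / "restore")
        victim = tmp / "backup" / "finance" / "ledger.csv"
        os.chmod(victim, 0o644)                    # the read-only bit is trivially undone ...
        victim.write_bytes(b"\x00ENCRYPTED\x00")   # ... and the copy is overwritten in place
        tampered = verify_backup(tmp / "backup")
        return {"files": sorted(manifest), "clean": clean, "rehearsal": rehearsal, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Store the manifest somewhere the backup target cannot reach as well, since an attacker who can rewrite the copies can rewrite a manifest kept beside them; and schedule `restore_and_verify` so that a restore has been exercised, not just assumed, before the day it is needed.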

Equally important is testing the restore regularly: a backup that has never been verified may be corrupt or incomplete exactly when it is needed most. With endpoints protected and backed up, in the next lesson we will go out to browse safely and protect our privacy.