A holistic approach to security: endpoint protection

The modern threat landscape continues to evolve to meet the changes in modern computing. One that sees companies migrating to remote and hybrid work environments, adopting Apple in the enterprise and varying device ownership levels. All in service to permit users to work:

• Where they feel most comfortable
• On their preferred device
• From anywhere and at any time

What is endpoint protection?

To best answer this question, we must first know what we need protection from. Armed with an entire arsenal at their disposal, threat actors actively target all endpoints in a concerted effort to compromise your device fleet, as well as your users to gain access to critical and sensitive organizational data for their own nefarious purposes.

The days of merely installing antivirus on your computer are both wholly inadequate and asking for trouble given the array of threats that exist across the threat landscape that impact modern devices — not just computers but mobile devices across multiple platforms too.

To that end, endpoint protection is the umbrella term that describes a group of security solutions that work in synergy to keep endpoints (devices), users and data safe and secure against the current and evolving modern threat landscape.

What is the primary purpose of endpoint protection?

Protect against new and evolving threats

Alas, it’s a brave new world and that includes a whole slew of threats and attacks that impact the security of your endpoint— regardless of whether users are at the office or home, connected to any network, or on macOS, iOS, Android or Windows.

How does it differ from antivirus software?

While malicious code is still very much a thing to be wary of. Historically, antivirus software only provided protection against malware and possible variants but that was it! As you can tell from the list of threats below, challenges to a device’s security posture — and to a greater degree, the organization’s security posture — have evolved to encompass a variety of threat types. Ones that merely protecting against malware cannot address. A few examples of modern threat types are:

• In-network attacks
  • Man in the Middle (MitM)
  • Zero-day phishing attacks
    • SMS
    • Email
    • Social media
    • Messaging
  • Lateral movement attacks
• On-device attacks
  • Living off the land (LotL)
  • Malware
    • Spyware
    • Trojans
    • Ransomware
    • Cryptojacker
    • Potentially unwanted programs (PuP)
  • Unauthorized data exfiltration

Layered security protections to combat convergence

And while some of the threats above carry identifiable fingerprints that can tip IT and Security admins off to their whereabouts, an increasing number of bad actors are combining threats (referred to also as convergence), employing the latest tactics to remain unknown, and therefore able to carry out attacks stealthily over time.

Hence a need for comprehensive security solutions to protect against modernized and converged threats that place devices and users at risk by blending attacks that target multiple vectors. By implementing a defense-in-depth strategy, IT and Security teams gain the features necessary to keep endpoints safe while users get the support they need to stay secure while upholding organizational and privacy data security.

Minimizes costs associated with security risk

Risk from security incidents doesn’t just refer to a device’s vulnerability to threats. The cost(s) that stem from risk that — when left unchecked — leads to a data breach have been increasing steadily year-over-year. In fact, below are a few statistics that further underscore the real-world need organizations have for an enterprise-wide endpoint security solution that comprehensively protects company- and personally-owned endpoints used to access business resources:

• The global average cost of a data breach in 2023 was USD 4.45 million, a 15% increase over 3 years
• Nearly 60% of companies affected by a data breach are likely to go out of business due to reputational damage
• 41% of respondents report a regulatory violation in the past two years
• 74% of all breaches include the human element, with people being involved either via error, privilege misuse, use of stolen credentials or Social Engineering
• For the second year in a row, manufacturing was the top-attacked industry. With finance and insurance in second place again by a margin of nearly 6%
• 64% of vulnerable devices accessed collaboration tools while 34% accessed enterprise email

Features of robust endpoint protection

Jamf Threat Labs (JTL)

You may be thinking, how can you possibly stop that which you cannot see? With Jamf Threat Labs, that’s how. Jamf’s team of cybersecurity experts and data scientists works tirelessly to assess macOS and iOS-based endpoints, performing threat hunting to successfully identify and prevent both novel and unknown threats from affecting your Apple fleet. Not only are they great at what they do, but their research feeds the threat intelligence engines that drive Jamf’s endpoint security solutions. By incorporating their findings, detecting unknown threats through advanced behavioral analytics and frequently updated YARA rules work in tandem to mitigate security threats that may be lurking within your fleet before they have a chance to escalate to something worse, like a data breach.

The work performed by the JTL has a direct impact on Jamf Protect, which cascades and causes a ripple effect that reaches our users in the form of security benefits: From identifying new Mac-based and mobile threats to developing analytics for detecting them to stopping the sophisticated malicious actions of applications, scripts and even risky user behaviors. Keeping administrators alerted to detected threats, logging findings, and informing both administrators and users during each step of the way.

Speaking of logging threat data, the telemetry gathered by Jamf Protect is not only used by JTL to hunt for the latest threats — both unknown and known threats that have evolved in an attempt to evade detection — but this very same telemetry data can be used to aid your organization’s IT and Security (or authorized third-parties) in hunting for malicious threats that may be embedded within your device fleet, quietly gathering intel on your business processes, awaiting the right time to perform a data breach. By having access to your device’s health status through rich telemetry data, organizations can be better equipped to identify potentially malicious threats and risky behaviors, subsequently containing incidents before they have a chance to occur, ensuring compliance is maintained (but more on how Jamf Protect can help you with achieving your compliance goals a little later).

Key takeaways:

• Supported by Jamf Threat Labs team of cybersecurity experts and data scientists to research, identify and prevent novel threats
• Advanced threat intelligence engine and machine learning (ML) aid in threat hunting to identify potential attacks before they can happen
• Protect endpoints from new and existing, known and unknown threats, risky apps and suspicious behaviors
• Active hunting of threats — both unknown and in the wild — leading directly to the patching of vulnerabilities that impact macOS and iOS-based devices
• Constant incorporation of threat intelligence data, research and findings into Jamf Protect by a dedicated team of cybersecurity experts to enhance security protections

Monitor

In addition to the Jamf Threat Labs team constantly monitoring macOS and iOS-based operating systems across the expanding threat landscape to identify and thwart the latest threats facing organizations, Jamf’s endpoint security solutions actively surveil endpoints for known, unknown and suspected threats across all supported platforms, including Windows and Android.

This minimizes risk from various Apple-focused and mobile device security threats while serving as one of the foundational components in the comprehensive, multi-prong endpoint security protections. Jamf solutions keeps a watchful eye over your organizational devices and users by:

• Consistently and actively monitoring endpoints 24x7x365
• Gathering rich telemetry logging and reporting data
• Providing insight into device health, aiding compliance auditing

Key takeaways:

• Active monitoring of managed endpoints — regardless of the ownership model (BYOD/CYOD/COPE) — logging device health status
• Obtain detailed logging and rich telemetry data through deep visibility and insight into endpoints and threat trends
• Stream logging of gathered data to your preferred SIEM solution for centralized management of threat intelligence
• Leverage MI:RIAM and machine learning to find (and stop) new, advanced threats, like zero-day phishing and Cryptojacking attacks
• Maintain careful watch over managed endpoints, locking down unwanted software and limiting the execution of suspicious file types

Detect

Keeping vigil over endpoints is just one aspect of protection, the next is identifying threats. Whether known, unknown or suspected – IT and Security administrators will have visibility into device health, including real-time alerts that inform stakeholders of detected threats that affect their devices.

Further, logging data is gathered for each endpoint, providing in-depth information about the security of your entire fleet. The rich telemetry data collected serves administrators well in not only quickly identifying what risks impact their endpoints but also allows them to:

• Perform threat hunting to identify potential threats
• Leverage granular information to refine protections
• Mitigate risky behaviors to mitigate potential attack vectors

Key takeaways:

• Speed up incident response, resolution and remediation times with MI:RIAM and automated workflows
• Isolate affected devices and perform a clean-up of endpoints under attack using secure, managed processes
• Prevent malware, potentially unwanted apps and risky behaviors performed by end-users from impacting device performance or productivity with lean resource utilization
• Alert IT and Security teams, and critical stakeholders of security incidents in real-time with deep visibility into each endpoint
• Extend security protections across your Apple fleet — including personally- and company-owned devices so that business data is accessed securely from any supported device type

Prevent

Every threat, like malware, is a potential risk to exposing user and/or company data, so it’s important that organizations choose an endpoint protection solution that specializes in detecting the unique and evolving threats that target users on Mac and mobile devices – inside and out.

The on-device and in-network protections provided by Jamf endpoint security solutions mean faster detection, notification and threat response to known and unknown threats thanks to our:

• Advanced machine learning (ML) and threat intelligence engine – MI:RIAM
• Customizable behavioral analytics mapped to the MITRE ATT&CK Framework
• Data policy enforcement ensures data remains only on secured, compliant storage
• Blocking of network threats, such as phishing, malicious downloads and command and control (C2) traffic, including risky domains

Key takeaways:

• Stops threats that occur on-device, like malware while also preventing in-network attacks, like zero-day phishing and lateral movement
• DNS-based content filtering, purpose-built for Apple, prevents access to websites hosting malicious code, used in attacks or simply to block inappropriate content on managed devices
• Limit data exfiltration by enabling removable storage controls to enforce encryption of removable media, manage permissions or disable external storing of protected data altogether
• Implement ML for enhanced threat intelligence gathering to prevent advanced, novel threats from compromising endpoints, users and/or data
• Utilize rich telemetry data and MI:RIAM to perform both manual and automated threat hunting to detect unknown threats that may be lurking in your devices and stop them before a data breach can occur

Remediate

Even with increased visibility and compliance, granular reporting, real-time alerts, advanced threat intelligence and protection against novel threats, the modern threat landscape evolves so frenetically that endpoints may be impacted or drop out of compliance. What then?

Once again, Jamf endpoint security solutions – with their multiple layers of protection – facilitate powerful remediation workflows to correct deviations from your OS hardening configurations, quickly bringing endpoints back into compliance.

Jamf solutions flexibly provision manual and automated workflows to respond to and remediate incidents in real-time.

Key takeaways:

• In-depth visibility into all macOS security tooling activity and system processes in real-time
• Eradication of malicious, unwanted and potentially risky files, apps and downloads
• Isolating devices found to be out of compliance or that pose a risk to data security
• Aligning with CIS Benchmarks to develop, enforce and monitor secure device baselines
• Prevention of potentially unwanted apps and risky behaviors to ensure data remains secure while devices are free from end-user-introduced risk

Compliance

For some, compliance is nothing more than a term in a sea of other words. However, for others, particularly those tasked with ensuring that systems, data and processes are aligned with local, state, national and/or regional laws in highly regulated industries, compliance represents a potential nightmare. One that if left unchecked could lead to disastrous consequences for the regulated organization as well as its stakeholders — perhaps even impacting the customers that depend on the organization to protect and safeguard sensitive data types.

Thankfully, Jamf Protect users can sleep a little easier at night knowing that the endpoint security solution goes beyond just malware prevention. In fact, it goes well beyond with tight-knit integration (discussed in more detail below) by mapping analytics to the MITRE ATT&CK Framework to prevent known threats while remaining flexible and allowing administrators to customize existing analytics (or create entirely new ones) to meet the demands of your regulated environment.

Taking it further, Jamf Protect’s rich telemetry data combined with behavioral analytics — and enforced via Jamf Pro — form a covalent bond by securely sharing this data between solutions. The result? Jamf Protect establishes the requirements necessary for managed endpoints to be compliant. At the same time, integration with Jamf Pro enables the use of policy-based management to enforce compliance. Should a device, say miss a critical security update, have a vulnerable app installed or perhaps a curious user is performing risky behaviors, Jamf Protect’s logging system will share this data with Jamf Pro. In turn, this triggers a policy contained within the MDM that executes an automated workflow to remediate the issue, bringing the endpoint back into compliance…all without IT or Security teams having to lift a finger and without impacting end-user productivity.

But how does it actually help administrators meet compliance standards? That’s a great question and one that we’ll answer right now. As mentioned above, Jamf Protect can be configured to align with regulatory governance. By doing so, endpoints are actively monitored and report back on any changes to device health that would otherwise impact compliance status. Threat prevention works to limit the impact of threats on endpoints, mitigating the risk in one fell swoop. And when Jamf Protect is integrated with Jamf Pro, compliance is enforced through policy-based management, ensuring devices remain compliant and remediating any deviations from regulatory compliance through both manual and automated workflows.

Below is a sampling of the security frameworks supported by Jamf to help organizations realize their compliance goals:

• Center for Internet Security (CIS)
• National Institute of Standards and Technology (NIST)
• Defense Information Systems Agency (DISA)
• International Organization for Standardization (ISO)
• macOS Security Compliance Project (mSCP)

Key takeaways:

• Behavioral analytics mapped to MITRE ATT&CK Framework for powerful, customizable prevention of threats, tailored to the unique needs of your organization
• Automated incident response and remediation workflows eradicate malicious, risky and unwanted files while isolating devices that pose a risk to data security
• Develop, enforce and monitor secure device baselines aligned with CIS Benchmarks to drive compliance and aid in auditing compliance tasks
• Adapt secure configurations and device hardening profiles to Apple-based endpoints in accordance with NIST, DISA and mSCP guidelines for secure computing
• Jamf cloud operations are certified for compliance with ISO 27001/27701, SOC 2 and FBI Infraguard, among many others for data security and corporate governance practices

Multiple layers of security – one solution

Look at the fingers on your hand. They work independently to accomplish certain tasks, yet work in tandem when needed to perform larger-scale functions, do they not? A single, yet powerful security solution similarly relies on many individual layers that – while capable of performing independently in their own right – also work together to form a holistic, multithreaded net to monitor, detect, prevent and remediate against attacks from bad actors and the various security threats they employ to target your device, users and critical data.

Defense-in-depth

“…loved by good, feared by evil.” – Voltron

In the show by the same name as the quote above, the first season saw a team of five pilots, each of whom commands a robot lion with unique strengths and abilities. In their quest to maintain peace and protect Earth from evil, the team of five would combine to form a larger, more powerful robot named Voltron, Defender of the Universe, to further aid them with their task.

Though it was a beloved cartoon from 1984, the premise of Voltron shares much with the strategy of defense-in-depth(DiD) to best secure assets, users and resources across the modern threat landscape. Specifically, the belief that a singular, “one size fits all” application will holistically keep organizations protected is a myth a best – and one that often leads to data breaches at worst.

The premise of DiD is simple, yet both efficient and effective. Layer security protections, just like the layers of cake, so that they overlap their strengths while minimizing weakness, in the service of identifying, stopping and if it comes to it, remediating against a variety of security challenges that threaten the integrity of your endpoint, the safety of your users and confidentiality of your data.

Simply put: should one layer fail, the next one exists to intercept it.

Integration

Jamf’s endpoint protection solutions, much like all of our solutions, are designed to work alongside numerous first- and third-party solutions to extend capabilities and enable automation while establishing feature-rich workflows to ensure data flows securely between solutions.

For example, Jamf Pro, our flagship mobile device management solution, is known for its seamless deployment and management capability, which includes installing patches. However, when integrated with Jamf Protect, not only is deploying endpoint security to your endpoints possible with just a couple of clicks but secure endpoint health data is shared in real-time between both solutions.

What does this mean for your organization? We’ll tell you. Event information relating to incidents, such as phishing attacks and other network-based threats are automatically synced to inform the risk status of any individual device. This connection between management and security is critical to taking real-time action to protect your environment. A few examples of the automated workflows that are made possible, thanks to the native, secure integration between Jamf solutions:

1. Consider how crucial to endpoint security it is that devices keep up-to-date with patches. As part of a defense-in-depth strategy, organizations using Jamf Protect will receive alerts from endpoints found to be non-compliant with patches. This telemetry data is communicated with Jamf Pro, where IT can implement patch management policies to enforce compliance. Once triggered, Jamf Pro will execute workflows to deploy necessary updates to apps and OSs, bringing them into compliance.
2. Organizations can leverage Smart Groups in Jamf Pro to dynamically update and respond when a device’s risk status changes in Jamf Protect. This trigger can automatically update a user’s access permissions via Jamf Pro’s conditional access integrations with Microsoft or Google Cloud BeyondCorp solutions.
3. Use the advanced reporting options found in Jamf endpoint security solutions to automatically stream rich telemetry data to your preferred SIEM solution, like Azure Sentinel or Splunk, providing MacAdmins a single pane of glass view into the health of their Apple endpoints while further extending the capability to transform data using visualizations for added depth and granularity.

Key takeaways:

• Develop advanced workflows via integration with Jamf Pro and first- and third-party solutions
• Implement advanced security orchestration, automation and response workflows through integration
• Leverage Jamf’s API to communicate and share data securely between solutions while enhancing your endpoint security capabilities
• Extend features to support greater management and security capabilities across the Apple ecosystem of desktop and mobile devices
• Establish automation to simplify endpoint management while ensuring compliance with organizational policies and industry regulations

Purpose-built endpoint protection for Apple, Windows and Android

Jamf’s purpose-built, Apple-first endpoint security solutions offer IT and Security teams several benefits that firmly establish its solutions as best-of-breed, for example:

• Same-day support allows users to adopt the latest, safest releases from Apple as soon as they’re available – upgrade on your schedule, not ours
• Leverage Apple’s Endpoint Security API to embrace the latest security capabilities available natively for Apple devices
• Low-impact performance means battery life isn’t affected, won’t slow down machines or get in the way of user productivity
• Implement Apple-best security to your Apple fleet while supporting mobile platforms from Windows and Android, providing them with network-based endpoint security protections as well

Speaking of user productivity, being Apple-first (but not Apple-only) means Jamf designs and optimizes each of our endpoint security solutions to take advantage of the OS on which it operates so that protecting your devices does not come at the expense of user experience nor compromise the user’s privacy.

Key takeaways:

• Purpose-built for Apple to address the challenges of the modern threat landscape across macOS and iOS-based devices, but also designed and optimized for Android and Windows mobile devices
• Defense-in-depth strategy layers multiple protections to monitor, identify, prevent and remediate a variety of security challenges – should one layer fail, the next one intercepts it
• Extend services, features and capabilities by leveraging the Jamf Risk API, securely sharing pertinent device health data with first- and third-party solutions
• Update to the latest and safest releases from Apple the day they are released with same-day support across all Jamf solutions — no delaying critical updates until your MDM and/or endpoint security solution gets around to supporting it
• Minimal impact equals better performance, allowing users to utilize resources for productivity — not having to choose between getting work done or the security of their device

This post is one of a series on a holistic approach to security. See a roundup of all of the posts