Catalog
concept, Security, Architecture, Observability, Platform

Endpoint Security

Concept and measures to secure endpoints against malware, unauthorized access, and data loss.

Endpoint security covers policies, controls and technologies that protect endpoints (laptops, desktops, mobile devices) from malware, unauthorized access and data leakage.
Established
Medium

Classification

  • Medium
  • Technical
  • Architectural
  • Intermediate

Technical context

  • SIEM / SOAR systems
  • Identity providers (IAM / MDM)
  • Patch management and CMDB systems

Principles & goals

  • Defense in depth: layered protections rather than single measures.
  • Least privilege: enforce minimal rights on endpoints.
  • Continuous monitoring: use telemetry and centralized analysis.

Run
Enterprise, Domain, Team

Use cases & scenarios

Compromises

  • Misconfigurations may cause security gaps or availability issues.
  • Central telemetry can cause data overload and privacy concerns.
  • Dependency on third-party EDR vendors and their trustworthiness.
  • Perform agent deployments gradually with pilot groups.
  • Combine least privilege with application allowlisting.
  • Schedule regular tabletop exercises for incident response.

I/O & resources

  • Device inventory with OS and software versions
  • Agent telemetry and log data
  • Security policies and hardening guidelines
  • Detected incidents and tickets
  • Compliance reports and audit trails
  • Hardening and patch status overviews

Description

Endpoint security covers policies, controls and technologies that protect endpoints (laptops, desktops, mobile devices) from malware, unauthorized access and data leakage. It combines prevention, detection and response at device level, including hardening, patch management, EDR and centralized monitoring. Effective programs require policy alignment and operational processes across teams.

  • Reduced attack surface and faster detection of local incidents.
  • Improved enforcement of policies and configuration standards.
  • Increased resilience against targeted endpoint attacks.

  • Agent-based: visibility depends on deployed agents.
  • False positives can disrupt operations.
  • Scaling requires infrastructure for telemetry and storage.

  • Mean Time to Detect (MTTD)

    Average time from occurrence to detection of an incident.

  • Mean Time to Respond (MTTR)

    Average time from detection to containment or remediation.

  • Patch compliance rate

    Share of devices with current critical security updates.

EDR deployment at a mid-sized company

A company deployed EDR, reduced dwell time and improved incident response processes.

Device hardening in a government agency

Standardized images and strict patch policies increased compliance.

Open-source endpoint monitoring

Use of osquery to query endpoint telemetry centrally for detection scenarios.

  1. Analyze current landscape, inventory and risk assessment.
  2. Define policies, select agents and run a pilot.
  3. Rollout, monitoring integration, training and continuous improvement.

⚠️ Technical debt & bottlenecks

  • Old unmanaged devices without agents.
  • Manual log analysis instead of automated pipelines.
  • Outdated policies that do not consider new platforms.

  • Agent compatibility
  • Telemetry volume
  • Change management

  • Disabling agents to avoid performance issues.
  • Excessive alert noise without a triage process.
  • Uncoordinated policy changes by individual teams.
  • Ignoring privacy when collecting telemetry.
  • Insufficient communication between security and IT operations.
  • Lack of resources for long-term tuning and operations.

  • Endpoint and OS expertise (Windows, macOS, Linux)
  • Experience with EDR tools and telemetry analysis
  • Knowledge in incident response and forensics

  • Minimize attack surface
  • Fast detection and containment of incidents
  • Scalable telemetry and analysis backend

  • Heterogeneous operating systems and device profiles.
  • Legal requirements on privacy and logging.
  • Limited resources for storage and analysis.