Data Leakage: Understanding and Preventing the Threat


What is Data Leakage?

Data leakage, also referred to as low-profile data theft, involves the unauthorized transfer of electronic or physical data from an organization to external recipients or destinations. Threat actors often leak data using email accounts or the web. They may also use mobile data storage devices like USB keys, laptops, and optical media.

Data leakage can result from purposeful insider action meant to cause harm to the organization, or as part of a bigger scheme to commit payment fraud. It can also be accidental. Cybercriminals look for various types of information in data leaks, including customer information and trade secrets. The scope and type of the leak determine the damage caused to the organization.

This is part of our series of articles about endpoint security.

Causes of Information Leakage

Here are common causes of information leaks at organizations:

Insider Threats
Insider threats include dissatisfied employees, former employees with access to sensitive systems, or business partners. Their motive may be economic gain, theft of valuable data, or a desire for revenge. Insiders can steal an organization’s sensitive data for financial or personal gain.

Payment Fraud
Payment fraud is an attempt to make a fraudulent or illegal transaction. Common scenarios include credit card scams, false returns, and triangle scams. A triangle scam involves an attacker opening an online store with very low prices, tricking customers into providing their payment information, and then using this payment information to buy products at other stores.

Social Engineering
When data leaks are initiated by cybercriminals, they are usually the result of social engineering tactics. Social engineering is the use of psychological manipulation to trick victims into handing over sensitive information. Phishing is the most common type of social engineering attack. Traditionally, phishing takes the form of a written message asking the user to provide confidential information or perform an action favorable to the attacker. Increasingly, phishing is performed over the phone (this is known as vishing).

Very often, attackers are after data that does not appear sensitive on its own, but can expand the list of potential victims. This poses a serious threat to data security, because attackers can easily deceive unsuspecting employees, by requesting seemingly harmless information such as phone numbers and social security numbers.

Physical Theft of Sensitive Devices
Company devices contain sensitive information, and misuse of these devices can lead to security breaches and theft of company information.

For example, a cybercriminal can use a stolen device to contact an IT administrator and claim that they have forgotten their login information. With a convincing strategy, attackers can breach the device and gain access to the corporate network.

Unintended Disclosure
Many data breaches are not caused by an attack, but rather by unintentional exposure of sensitive information. For example, employees might view sensitive data and save it to a non-secure location, or IT staff might mistakenly expose a sensitive internal server or cloud system to the Internet.

Malicious Electronic Communications
Many organizations give employees access to the Internet, email, and instant messaging, as part of their role. The problem is that all of these mediums are capable of file transfer or accessing external sources over public networks.

Attackers often target these communication channels and achieve a high success rate. For example, a cybercriminal could spoof a legitimate business email and simply ask an employee to send them sensitive data. If the user is fooled by the message, they could attach the requested files to the email and send them to the attacker.

What Do Cyber Criminals Look for in Data Leaks?

The majority of data leaks involve either personally identifiable information (PII) or protected health information (PHI). Examples of PII are names, social security numbers, and other personal details. PHI is defined in the US HIPAA regulation as any information about an individual’s health, now, in the past, or in the future.

Below are a few types of sensitive data that are commonly targeted in data leaks.

Customer Information

This is information about a company’s customers, including their names and contact details, credentials, activity history, and payment details.

What damage can it cause?

Exposure of customer information can damage both the company and its customers, cause harm to reputation, and in many cases expose a company to compliance violations and lawsuits.

Company Information

This is information revealing the company’s internal operations. It can include emails and internal documents; strategy, marketing, and business plans; and business metrics or forecasts.

What damage can it cause?

Exposure of company information can provide competitors, rivals, or attackers valuable data about a company’s operations. This can give third parties an unfair advantage over the company or help them cause direct damage to its operations. Attackers can also use it to plan secondary attacks.

Trade Secrets

This is possibly the most sensitive information a company can lose in a data leak, including intellectual property, plans for future products, source code, and details about proprietary technologies.

What damage can it cause?

Exposure of trade secrets can cause a company to lose large investments in research and development and make its market offering less valuable.


Analytics

This is data used by a business to derive insights about its customers or environment. This can include historical data about customers or prospects in the industry, demographic data, and models that can generate useful predictions in the company’s industry.

What damage can it cause?

Analytics is valuable to the business and so is equally valuable to an attacker. Like other types of data leaks it can give third parties an unfair advantage by exposing internal knowledge. If analytics data is not anonymized, it can have the additional impact of exposing PII.

How to Prevent Data Leaks

Ensure Timely Detection

You can avoid or reduce the fallout from a data leak by detecting improper activity fast. Ensure you receive alerts on changes to critical access or configuration parameters, and act quickly to investigate and remediate anomalies. Put in place monitoring for unusual data transfers, such as data loss prevention (DLP), and intervene early on if you discover users copying unusual amounts of data.
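The following added example (not part of the original article) shows one way to flag users copying unusual amounts of data: it compares each user's daily outbound volume with the median of that user's own earlier days. The log format, the field names, and the thresholds are assumptions made for illustration.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed sample transfer log; the line format is an assumption for this example.
SAMPLE_LOG = """\
2024-03-04T09:10:00Z user=alice dest=email bytes=12000000
2024-03-05T10:02:00Z user=alice dest=cloud bytes=15000000
2024-03-06T11:30:00Z user=alice dest=email bytes=9000000
2024-03-07T08:45:00Z user=alice dest=cloud bytes=14000000
2024-03-08T22:15:00Z user=alice dest=usb bytes=600000000
2024-03-08T22:40:00Z user=alice dest=usb bytes=300000000
2024-03-04T09:00:00Z user=bob dest=cloud bytes=210000000
2024-03-05T09:00:00Z user=bob dest=cloud bytes=190000000
2024-03-06T09:00:00Z user=bob dest=cloud bytes=205000000
2024-03-07T09:00:00Z user=bob dest=cloud bytes=220000000
2024-03-08T09:00:00Z user=bob dest=cloud bytes=230000000
corrupted line without fields
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ user=(?P<user>\S+) "
    r"dest=(?P<dest>\S+) bytes=(?P<bytes>\d+)$"
)


def daily_totals(lines):
    """Sum outbound bytes per user per day, skipping unparseable lines."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            totals[m["user"]][m["day"]] += int(m["bytes"])
    return totals


def unusual_transfers(lines, factor=5.0, min_history=3, floor_bytes=50_000_000):
    """Return (user, day, total, baseline) for days far above the user's norm.

    A day is flagged when its total is at least floor_bytes and more than
    `factor` times the median of that user's earlier days. The median keeps
    one past spike from inflating the baseline.
    """
    alerts = []
    for user, days in daily_totals(lines).items():
        ordered = sorted(days.items())
        for i, (day, total) in enumerate(ordered):
            history = [b for _, b in ordered[:i]]
            if len(history) < min_history:
                continue  # not enough data to call anything unusual
            baseline = median(history)
            if total >= floor_bytes and total > factor * baseline:
                alerts.append((user, day, total, baseline))
    return sorted(alerts)


if __name__ == "__main__":
    for user, day, total, baseline in unusual_transfers(SAMPLE_LOG):
        print(f"ALERT {user} {day}: {total} bytes (baseline {baseline:.0f})")
```

A per-user baseline matters here: bob moves far more data than alice every day, yet only alice's late-evening USB copies stand out against her own history.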

Classify Data according to Sensitivity and Value

To prevent data leaks, the first step is to identify which data employees are able to freely share. You should then decide who should have permission to access this data. Using data identification and classification, you can organize your data into categories, protecting sensitive data as required.

Here are a few technologies commonly used to protect sensitive data:

Discover and Mitigate IT Risks

You can’t discover your most vulnerable areas unless you periodically assess your risk. To implement successful risk management and risk assessment, you may wish to use an industry standard such as the National Institute of Standards and Technology (NIST). The NIST SP 800-30 document specifies the protocols for vulnerability assessment, which can help mitigate many risks leading to data leakage.


Data Leakage Prevention with Hysolate

Hysolate’s fully managed isolated Workspace sits on end user devices, but is managed via granular policies from the cloud. These granular policies give admins full control for monitoring and visibility into potential data leakage risks, including sending telemetry data to their SIEM. Admins can limit data transfer out of the isolated encrypted Hysolate Workspace via copy/paste/printing/peripherals, and can set anti keylogging and screen capture policies, as well as setting up a watermark to block external screen capture.

Employees can be provided with an isolated Workspace on their corporate device, so that they can access sensitive systems and data from a completely isolated and secure environment. Policies can be set to limit data exiting the Workspace, either accidentally or on purpose.

For contractors, Hysolate’s isolated OS solution provides a secure Workspace to access the necessary data and applications they need to do their jobs. The Workspace can be pre-provisioned with all the required applications and policies that are required for the contractor to connect to and work in the corporate environment. At the end of the contractor’s engagement, the Hysolate Workspace can be instantly deprovisioned remotely without leaving any data on the contractor’s device.

The Benefits of Hysolate Workspace for preventing data leakage

  • An additional layer of data leakage protection for both corporate and non corporate devices, including telemetry sent to SIEM solution for additional monitoring and visibility.
  • Admins can set policies to limit data transfer in and out of the Hysolate Workspace, including files, documents and applications.
  • Hysolate has security capabilities to lock the Workspace and enter only with a PIN.
  • Hysolate’s Workspace can also be set with a watermark, to remove risk from external screen capture.
  • Admins can wipe the Workspace OS remotely if a threat surfaces, or when it is no longer needed.


Privileged Access Workstations (PAW): Taking No Chances


What Are Privileged Access Workstations (PAW)?

A privileged access workstation (PAW) is an endpoint security solution for employees with privileged credentials. A PAW provides a specialized operating system for privileged user access. You can use PAWs to prevent attackers from compromising privileged accounts and escalating permissions.

Organizations can provide dedicated PAWs for privileged business and IT users. A privileged access management (PAM) platform manages the access permissions of each user. Users must log into the privileged access workstation through the PAM to access protected accounts. If PAWs are in use, users should access all privileged activities using dedicated operating systems or devices.

The privileged access management platform works together with PAW solutions, providing access controls, password vaults, monitoring, and behavioral analytics. You can leverage a PAM platform to secure and control all access to privileged accounts, including the individuals granted permissions, the duration of access, and the actions allowed.


Privileged Access Workstation Features

A PAW is a dedicated hardened system that offers high security for sensitive tasks and accounts. A PAW is used for very sensitive roles. If an attacker breached accounts connected to these roles, this would negatively impact the organization.

PAW configuration features security policies and controls that limit local administrative access and productivity tools. These features make it hard for attackers to breach the PAW device because they block the typical phishing attack vectors: web browsing and email. To enable productivity for these users, you should provide separate workstations and accounts for web browsing and productivity applications.

A privileged workstation is hardened and features strict control over applications, device configuration, and credentials. These measures help protect the user from malicious activity. Organizations should encrypt every local disk, and web traffic should be limited to a finite set of permitted destinations.

A PAW has these characteristics:

  • Built on trustworthy hardware with clean source media, monitored and instrumented for complete visibility.
  • Features automated patching of security updates to provide system security.
  • Greater security for IT administrators dealing with high-risk applications and servers, for example web servers, Active Directory, administrative access to databases, and application servers featuring high-risk data.

Types of Privileged Access Workstation Solutions

There are two main types of PAWs: physical and virtual.

Physical PAW

This type is suitable for companies with very stringent security requirements. It requires users to use a company-provided hardened physical device for administrative tasks.

Physical PAW solutions are based on the assumption of “clean sources”—the organization assumes that a trusted system can be depended on, while an untrusted system cannot. Physical PAWs must prevent access to the Internet, email, or any other content that may violate the clean source principle.

Another aspect of the clean source approach is the use of accounts. An administrator must log in using a privileged account management (PAM) tool but cannot have an administrator account on the PAW workstation itself.

Using a virtual machine (VM) for administrative tasks violates this principle because it relies on the security of the hypervisor and the agent that provides it. The management workstation must be a physical device under the full control of the organization to ensure the source is clean.

Virtual PAW

A physical PAW is the most secure solution but is often impractical. Having a dedicated workstation for administrative tasks can be difficult to implement, especially when users are working remotely. Some level of Internet access is required for the PAW to connect to the required administrative resources, and this Internet connection violates the clean source principle.

A virtual PAW is a secured virtual machine used by administrators for privileged access. When performing day-to-day activities like email and Internet access, they will work on their regular device. For administrative access, they will only use the secured VM.

PAW Hardening Best Practices

A PAW is a very important target for attackers and requires additional protection to significantly reduce damage. Here are steps you can take to protect a PAW:

Operating system hardening

  • Use an operating system with all security features enabled
  • Apply security patches and updates promptly
  • Regularly scan for vulnerabilities and malware
  • Wipe a PAW and reimage it every 30 days

Account protection and authentication

  • Never give a PAW user administrative access to the device
  • Users should have a standard user account on the PAW and use a PAM tool to log into sensitive corporate resources
  • Prohibit pass-through authentication to the PAW—users must re-authenticate with every access attempt
  • Require multi-factor authentication (MFA) for access to the PAW
  • Use aggressive session inactivity limits—require users to reconnect after 5 minutes of inactivity and 1 minute of disconnection
  • Never store cached credentials in the PAW
  • Delete all user profiles when logging out of the PAW

Blocking applications

  • Block Internet access on the PAW
  • Pre-install all required management tools on the device
  • Use application allowlist technologies such as Windows Defender Application Control
  • Limit the use of command-line tools like PowerShell, and if they are enabled, perform strict monitoring and auditing

Secure Privileged Access with Hysolate

Privileged Access Workstations provide a dedicated operating system for sensitive tasks that is protected from Internet attacks and other threat vectors. Separating these sensitive tasks and accounts from daily activities that can introduce risk provides very strong protection from phishing attacks, application and OS vulnerabilities, various impersonation attacks, and credential theft attacks such as keystroke logging, Pass-the-Hash, and Pass-The-Ticket.

Hysolate makes PAW practical to adopt at scale, without degrading the user’s productivity. With Hysolate, a privileged user can keep using a single device, while under the hood everything the user does runs in one of two segregated operating systems running side by side: one for productivity tasks such as email and Internet access, and another strictly for privileged access. All of this happens in a single, seamless, familiar Windows environment, without needing to install, manage, or patch another operating system.

Cloud DLP: Data Security for the Remote Workforce

What is Cloud Data Loss Prevention (DLP)?

Data loss prevention (DLP) secures sensitive data and prevents accidental exposure or malicious data exfiltration. It protects data in transit, data at rest, and data on endpoints. DLP solutions encrypt data to prevent its exposure, and monitor and control data transfers to make sure they are legitimate.

As organizations everywhere transition to remote work, Cloud DLP is becoming critical to data security. Cloud DLP solutions are used by organizations that store sensitive data in cloud storage (commonly accessed by remote employees, but also used from office locations). They encrypt data at rest while stored in cloud systems, and ensure data is only sent to authorized applications. Some cloud DLP products anonymize or obfuscate sensitive data to reduce the impact of data exposure.


How Does Cloud DLP Help Secure Remote Workforce Environments?

Multi-cloud environments using tools like Slack, Salesforce, Box, Google G-Suite, and Office 365, promote collaboration and productivity. Employees access these applications from a variety of devices, both corporate and personal, as well as from mobile devices. This raises the need for security policies and controls to safeguard sensitive data.

Different cloud applications employ different security management interfaces and each requires an administration effort. Managing this patchwork of applications and policies can become very complex.

Cloud DLP enables consistent data security and management across different software as a service (SaaS) applications and infrastructure as a service (IaaS) resources, by extending a company’s data security controls to the cloud.

Centralized policies enable cloud DLPs to classify and monitor sensitive data access and protect it, whether in the cloud, in emails and apps, in motion, and at rest. Real-time data protection includes data encryption, masking, and deletion of unnecessary data.


Key Features of Cloud DLP Solutions

A comprehensive cloud data loss prevention solution should contain the following key features.

Pre-Built and Customizable DLP Policies

Cloud DLP should provide out-of-the-box policy templates built around security best practices. However, these templates should be easily customizable, and the solution should let you build new policies from scratch if needed.

Content and Context-Aware DLP

Content-aware DLP technology is now a standard. It constantly scans data for known alphanumeric strings and key terms that indicate sensitive data (these may be defined as policy rules). Content-aware DLP, for example, should be able to identify a 9-digit string as a social security or ID number, and even recognize whether the string is legitimate, and thus requires protection, or not.

Machine Learning

Machine learning techniques have become a critical part of data protection strategies. Machine learning enables DLP systems to progressively learn what should be flagged as a policy violation or security risk and what should not. Cloud DLP-based machine learning technology reduces false positives significantly, ensuring that only anomalies that have a real security impact are raised as alerts.

Alerts and Notifications

A cloud DLP should enable user notifications and administrative alerts, indicating policy violations that require remediation or investigation. Notifications for users are especially important, because they inform users that they have violated policies, and can instruct them how to handle data safely and reduce future incidents.

Automated Actions

Cloud DLP solutions should support automation of monitoring, auditing, and security controls for cloud-based data. They should not only identify policy violations, but also automatically react to them. You should be able to set policies for deleting, quarantining, or unsharing data or an entire data source.

Cloud Data Loss Prevention Best Practices

Here are some best practices you should adopt to make the best use of a cloud DLP product.

Prioritize Data

Identify which types of data the organization defines as critical for business purposes, and which data is sensitive for security or compliance reasons. A possible parameter for determining how “critical” or sensitive data is, is the level of damage caused by its loss or compromise.

Apply DLP to the most sensitive or valuable data, which may attract an attacker and may result in the biggest risks to the business.

Classify the Data

To manage data more easily, you should classify it based on context. Associate each unit of information by its creator and data store, associated application, etc. Consistent classification tags enable easy tracking.

Leverage the DLP solution’s content inspection to automatically classify data by keywords such as ‘secret’ or ‘confidential’, or by patterns such as credit card or social security numbers. The content inspection feature will usually have configurations suitable for specific compliance standards, such as PCI DSS and GDPR.
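As an added illustration (not from the original article or any DLP product), the sketch below implements the content inspection described here and under "Content and Context-Aware DLP": it finds 9-digit strings and card-like numbers, keeps only those that pass a validity check, and classifies the text. The label names `restricted`, `internal` and `public` and the sample strings are assumptions.

```python
import re

# Candidate patterns. SSN: 9 digits, optionally written 3-2-4 with separators.
# Card: 13 to 19 digits, optionally grouped with spaces or dashes.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
KEYWORDS = ("secret", "confidential")  # the keywords named in the text

# Constructed sample inputs.
DOC_SENSITIVE = "Customer record: SSN 123-45-6789, card 4111 1111 1111 1111."
DOC_LOOKALIKE = "Ticket 900123456, part 000-12-3456, ref 4111 1111 1111 1112"
DOC_KEYWORD = "CONFIDENTIAL: Q3 roadmap draft"


def ssn_is_plausible(area, group, serial):
    """Reject 9-digit strings that can never be an issued US SSN."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def luhn_ok(digits):
    """Luhn checksum, which genuine payment card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def inspect(text):
    """Return (kind, masked_value) findings in order of appearance."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            masked = "*" * (len(digits) - 4) + digits[-4:]
            hits.append((m.start(), "credit_card", masked))
    for m in SSN_RE.finditer(text):
        if ssn_is_plausible(*m.groups()):
            hits.append((m.start(), "ssn", "***-**-" + m.group(3)))
    for kw in KEYWORDS:
        m = re.search(r"\b" + kw + r"\b", text, re.IGNORECASE)
        if m:
            hits.append((m.start(), "keyword", kw))
    # Findings carry masked values only, so alerts do not leak the data again.
    return [(kind, value) for _, kind, value in sorted(hits)]


def classify(text):
    """Map findings to a sensitivity label (label names are assumptions)."""
    kinds = {kind for kind, _ in inspect(text)}
    if kinds & {"ssn", "credit_card"}:
        return "restricted"
    if "keyword" in kinds:
        return "internal"
    return "public"


if __name__ == "__main__":
    for doc in (DOC_SENSITIVE, DOC_LOOKALIKE, DOC_KEYWORD):
        print(classify(doc), inspect(doc))
```

The second sample contains three strings that match the raw patterns but fail validation, which is the difference between pattern matching alone and recognizing whether a string is legitimate.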

Identify Risky Data Flows

Data is at the biggest risk when it is distributed to user devices, customers, partners, or a supply chain. Data is at risk when transferred to a storage device or endpoint, attached to an email, or transmitted in any other way. Map out your data flows, identify the ones that carry the most risk, and set the appropriate security policies via the DLP solution to minimize risk.

Monitor Data in Motion

Sensitive data in motion requires monitoring and a high degree of visibility. A DLP solution should be able to identify behavior that puts data at risk, generate alerts, and allow security teams to easily identify what is happening and whether the incident requires intervention.

Progressively Develop DLP Controls

Business line managers should be aware of DLP procedures. These may be simple, to begin with, targeting common but obviously risky behavior around data. As the program progresses, controls may be fine-tuned and made more granular to target more specific risks.

Train Employees and Leverage Automated Prompting

Unless trained on data security practices, employees will continue to exhibit risky behavior. Training reduces risk by explaining the reasons that can lead to data loss, and sharing best practices. 

Automated user prompting is a simple and effective approach to user education, provided by DLP solutions. In addition to blocking some activity, the solution should notify about company policy or potential risk, and this can often be enough to suppress an activity.


Starting small is often an excellent way to deploy a DLP solution. Repeating the data identification and classification steps on gradually expanding sets of data lets you fine-tune controls. Begin by focusing on a subset of the most critical data. Then expand outward from the pilot, covering more and more sensitive information. This approach also minimizes disruption to business processes.

Enhancing Endpoint Security and Reducing Data Leakage with Hysolate

Hysolate provides your team with a fully isolated, secured, and managed VM on their Windows 10 endpoint device, keeping access to sensitive systems and data secure while they work productively on the host operating system.

Hysolate offers security features to reduce data leakage, including anti-screenshotting, anti keylogging and adding a unique watermark to your Workspace. The Hysolate Workspace can be set up to be non persistent, and can be remotely wiped in seconds if a threat is detected.

Hysolate improves endpoint security as enterprise access is done exclusively from a corporate OS while risky activities happen on the main OS, without the need to monitor personal/private user activity or to fully manage the user’s device.


Understanding Endpoint Privilege Management

What is Endpoint Privilege Management?

Endpoint privilege management, an element of endpoint security strategies, aims to prevent users from gaining access to software or functionality they don’t actually require. Privilege management uses the principle of least privilege (PLP) to minimize the attack surface, by eliminating unnecessary administrator accounts on devices. The end goal is to prevent privilege escalation by attackers who compromise an endpoint, or malicious insiders.

There are two basic hierarchy levels in an enterprise when determining endpoint privileges: administrators and standard users. Administrators usually have elevated privileges when running specific applications. They can be domain administrators or local administrators.

  • Domain administrators can modify and access all standard user machines, thereby having the highest level of privileges.
  • Local administrators can access specific endpoints and the data they contain.

Traditionally, standard users who had to run an application in administrator mode either received admin credentials for that application, or worse, received organization-wide privileges. This created major security concerns. Privilege management makes it possible to elevate application privileges only when users actually require them, and to revoke them later, enabling productivity without sacrificing security.

Benefits of Endpoint Privilege Management

Endpoint privilege management provides the following security benefits.

Visibility of Privileges

Privilege management platforms usually incorporate dashboards, providing reports with drill-down options that let you view privileges at a granular level. This visibility enhances auditing and control over other activities. The platform details what applications are deployed or in use, which of them actually require privileges, and which users have admin rights at any given moment.

Improving Security for Remote Workers

Mobile users and remote workers represent a higher security risk than employees working inside the network perimeter. Privilege management allows them to install software, update applications, and change settings, no matter where they are, as long as they comply with the security policy. This flexible privilege policy provides the precise privileges required to perform a specific job or role, enhancing both productivity and security.

Securing Third-Party Access

A major security risk in many organizations is administrative access provided to external users. This is especially problematic when these third parties perform IT services like network or system maintenance.

Endpoint privilege management enables third parties to perform their function on specified servers, using company-approved processes and applications. The privilege management system defines a timeframe and scope of work, and revokes privileges when the job is done.

Components of an EPM Solution

A properly functioning enterprise privilege management solution provides chief information security officers (CISOs) and their teams with comprehensive control over all users and service roles. Its three main components are:

Privileged Access Management (PAM)

PAM monitors and controls each entity on the network and its current privileges. Upon discovery of a privileged account, it applies security controls and alerts the security team. Using policies, it audits usage of administrative accounts, actively reduces or removes admin privileges on endpoints, and prevents attacks from escalating into major incidents.

Endpoint Application Control (EAC)

Day-to-day operations like installing peripherals, changing system configuration, or updating software, all require administrative privileges. Under a strict least privilege policy, all these requests would have to be handled by IT, which would affect productivity and become a burden on IT teams.

EAC solves this problem by automating privilege allocation. It determines the conditions under which a service, process, or application can run. One of those conditions is the user: who can do what with what—even if they lack administrative privileges for the endpoint.

EAC can then grant selective administrative permissions to a user, letting them run certain applications with temporary increased privileges, but without granting full administrative access. EAC can also define which users can run which services, without changing user accounts or access control lists (ACLs).

Local Account Management

Local accounts on endpoints (for example, Windows user accounts) control access to that individual endpoint. Credentials are stored and verified locally by the host when logging in. By contrast, domain accounts allow access to applications and services on the corporate network, and can potentially be used from any endpoint.

Since a single endpoint can contain multiple accounts (both local accounts and domain accounts), enforcing least privilege means managing privileges on all of these accounts, along with the privileges of the main user, the endpoint administrator.

Local Account Management lets you remove accounts from privileged groups or roles, and set rules specifying which accounts can and cannot be added to privileged groups on each endpoint. Endpoints should not be permitted to directly change membership in groups. An additional benefit is the ability to enforce strong passwords and regular password rotation.

What to Look for in an EPM Solution

Here are some of the key features to look for in an endpoint privilege management system.

  • Automated privilege elevation—making privilege management practical for users by automatically elevating privileges when the user’s need complies with security policies. With granular privilege policies, most requests for administrative permissions can be evaluated without manual intervention from IT staff. Only special cases can be escalated to an IT team. 
  • Account discovery—automatically identifying privileged accounts across all endpoints and applications. It is impractical to rely on manual lists of applications and accounts.
  • Support for external devices—managing least privileges for endpoints outside the corporate network, such as personal devices and cloud-based applications or resources. 
  • Reporting and analytics—providing dashboards to show stakeholders the scope, impact and results of your privilege management program, and track key performance indicators.
  • Application restrictions—restricting the use of unknown applications, either by whitelisting or security rules.
  • Sandboxing applications—enables security teams to run applications in a secure, isolated environment, and test them before allowing their use in production. If an application turns out to be malicious, it will have no impact on the underlying endpoints and no access to credentials.
  • Threat intelligence—an EPM solution should have an integrated, constantly updated threat database. This can help automatically update blacklists of unwanted or malicious applications.
  • Compliance—privilege management systems must be compatible with your compliance obligations. PCI DSS, HIPAA, and many other standards have specific requirements for least privilege management. 

Enhancing Endpoint Security with Hysolate

Hysolate Workspace is a fully isolated and secured VM on your users’ Windows 10 endpoint, so your team can work productively on their host operating system, while keeping access to your company’s data secured and protected in the Hysolate OS.

Workspace is deployed and scaled in minutes on user endpoints, and is managed from the cloud, so you can customize policies for each team and their needs. Unlike cloud-based traditional VDI or DaaS solutions, Workspace provides a great native user experience, with no lag or latency issues, even when using communication and productivity applications like Slack and Zoom.

Request a demo to find out more about how Hysolate can help secure your endpoint devices, while your team can work productively.


EDR vs EPP: Key Features, Differences, and How They Work Together


What is EDR?

Endpoint detection and response (EDR) was originally proposed by Gartner’s Anton Chuvakin, referring to endpoint security systems capable of detecting and investigating suspicious activity on hosts and endpoints.

EDR systems are typically deployed as an agent on endpoints, although some solutions are agentless. They monitor and collect endpoint activity data, identify threat patterns, and provide both manual and automated forensics capabilities to identify suspicious activity on endpoints.

When a threat is identified, EDR systems can automatically contain or remove the threat, and alert security personnel to enable further security action.

What is EPP?

The goal of endpoint protection platforms (EPP) is to prevent attacks on endpoints, from threat vectors like malware, zero-day vulnerabilities, and fileless attacks.

EPP uses several methods to detect attacks. It matches malware and other file-based threats using a database of known threat signatures; uses blacklists or whitelists to block or allow applications, URLs, ports, and addresses; and provides a sandbox where files suspected of malware infection can be safely executed and tested. Advanced EPP also uses behavioral analysis and machine learning to report unusual or suspicious activity on endpoints.

EPP provides software agents deployed on endpoints, but usually has a cloud-based management component that collects and analyzes data, allowing security analysts to access it from a central interface.

EPP solutions are commonly packaged together with EDR solutions.

Although most contemporary EPP platforms incorporate optional EDR solutions, here we will compare the two.

Key Features of EPP and EDR Solutions

Key Features of an EPP Solution

Endpoint protection platforms focus on prevention. As a first line of defense, they protect against threats like malware, basic phishing, and automated attacks.

Key features include:

  • Threat signatures—a legacy antivirus capability, which detects threats by matching them with known malware signatures.
  • Static analysis—analyzes suspicious binary files, typically using machine learning techniques, to detect malicious features.
  • Behavioral analysis—even in the absence of known threat signatures, EPP solutions can analyze endpoint behavior and identify anomalous patterns that require investigation.
  • Whitelist and blacklist—blocks or allows access to specific IP addresses, URLs and applications.
  • Sandbox—tests for malicious behavior by running files in a virtual environment before executing them normally on the endpoint device.

Learn more in our detailed guide to Endpoint Protection Platforms (EPP).

Key Features of an EDR Solution

When EPP fails, endpoint detection and response can capture threats that have crossed the first line of defense. This allows IT security teams to identify breaches, isolate affected endpoints, and initiate automated or manual responsive actions.

Key features of EDR systems include:

  • Threat detection and alerting—detects malicious activity and unusual processes on the endpoint and alerts security teams.
  • Incident investigation—enables forensic investigation by centrally collecting security events and traffic data from multiple endpoints.
  • Incident containment—prevents common security incidents from spreading throughout the network by automatically isolating infected endpoints.
  • Incident response—enables security teams to perform responsive actions on endpoints, such as wiping and reimaging a compromised endpoint or resetting passwords.

Learn more in our detailed guide to Endpoint Detection and Response (EDR).

EDR vs EPP: What’s the Difference?

EPP operates independently of supervision, passively preventing known and often unknown threats. It is considered a front-line threat prevention tool that protects through endpoint isolation with no visible endpoint activity.

EDR, on the other hand, is an actively used incident response solution for security teams. It assists the operator by investigating and containing active breaches, actively detecting threats, and responding to those that are undetectable to EPP. It aggregates endpoint data from across the enterprise and provides data and context on attacks involving multiple endpoints.

Modern cybersecurity strategies operate in an “assume breach” model. They ensure that if and when a breach occurs, there are effective means to respond to an attack. While EDR assumes a breach has taken place, EPP aims to prevent a threat from hitting an endpoint.

Whereas EPP solutions indicate intrusions by detecting familiar signatures and attributes, EDR employs behavior-based threat-hunting tools, thereby adding an extra layer of defense. And, while EPP requires minimal supervision following successful installation and configuration, EDR requires security experts to investigate and analyze potential threats.

The two solutions complement one another and should be used together for effective endpoint security. Thus, many EPP solutions include EDR technology as a feature or bundled product.

EPP vs EDR: Which Should You Choose?

Why Choose EDR?

Endpoint detection and response provides intelligent detection and visibility. Experienced staff can filter false positives, find actionable data, and detect threats early. Most importantly, EDR makes it possible to respond to attacks on endpoints if other security measures fail.

Why Choose EPP?

EPP provides monitoring, threat detection, and protection for endpoints. It requires little oversight and is easily managed by a qualified IT team. Unlike EDR, it does not require regular monitoring. If hosted in the cloud, it uses fewer resources and can be accessed from anywhere.

Endpoints are among the most important assets for enterprises to monitor for security threats. While EPP is reactive and designed to prevent attacks from common threat sources, EDR lets your organization respond faster and empowers security teams to take action and contain or stop the threat.

A combination of both EPP and EDR is best for most enterprise organizations. Many EPPs recognize this, by including an EDR feature as part of their platform. The best solution for your organization will depend on factors such as vulnerability, budget, and tolerance to risk for specific endpoints and the network at large.

Enhancing Endpoint Security with Hysolate

Hysolate Workspace provides you with a fully isolated and secured VM on your users’ Windows 10 endpoint devices, to keep access to sensitive systems and data secure, so your team can work productively on their host operating system, while keeping access to your company’s data secured and protected in the Hysolate OS.

Workspace is deployed and scaled in minutes on user endpoints, and is managed from the cloud, so you can customize policies for each team and their needs. Unlike cloud-based traditional VDI or DaaS solutions, Workspace provides a great native user experience, with no lag or latency issues, even when using communication and productivity applications like Slack and Zoom. IT and Security save time and resources on managing endpoint security, and teams can work more productively.



How to Choose an Endpoint Protection Platform (EPP)

What is an Endpoint Protection Platform (EPP)?

Organizations operating a large number of endpoints, such as employee workstations and mobile devices, must establish an endpoint security strategy. Typically, a key part of this strategy is the use of endpoint protection platforms (EPP), solutions that protect endpoints against malware and other malicious activity. EPPs also offer investigation and remediation abilities that are required to rapidly respond to security incidents.

Endpoint protection platforms provide multiple detection tools that range from standard indicator of compromise (IoC) solutions to more advanced behavioral analysis techniques based on machine learning. Modern solutions are cloud-based, covering endpoints both on the corporate network and outside the corporate perimeter.

EPPs typically provide cloud-based threat data, meaning that endpoint agents do not need to maintain local IoC databases. Instead, they refer back to a constantly-updated cloud resource to obtain context on security events.

Why is Endpoint Protection Important?

Most endpoint protection platforms employ one or more layers of defense. Defense in depth is a concept that now guides most organizational IT security mechanisms. It establishes multiple layers of defense, so that even if attackers succeed in breaching one or more layers of security, additional layers exist, deeper within the perimeter, to mitigate the threat.

Automated detection uses patterns and correlation engines, and in modern platforms, machine learning-based behavioral analysis. If the detection layer does not detect a risk, a second layer within the EPP uses custom prevention policies, such as whitelists and blacklists, to avoid execution of malicious software, or software containing vulnerabilities.

In this way, EPP can hinder basic endpoint threats independently, leaving security analysts free to hunt down advanced threats using endpoint detection and response (EDR) technology, which is commonly bundled as part of EPP solutions.

Learn more in our detailed guide to Endpoint Detection and Response (coming soon)

How Do EPP Solutions Work?

One of the biggest threats to endpoints is malware. Malware can come from many sources, but most often, it infects a machine when a user clicks a link or opens a malicious email attachment. Once in the environment, malware tries to infect as much data and as many processes as possible.

A main goal of endpoint protection platforms (EPP) is to protect endpoints by preventing malware from entering the environment. Just as firewalls prevent unauthorized network access, EPP solutions can block malware and other known threats on endpoints.

Antimalware protection has evolved beyond legacy antivirus. Modern malware is evasive and often cannot be detected by traditional, signature-based approaches. For this reason, modern EPP utilizes a combination of advanced anti-malware features, including:

  • Behavioral analysis—machine learning capabilities allow endpoint protection platforms to analyze large amounts of data, to determine whether files have the potential to be malicious, or exhibit unusual behavior, even if not detected as malware.
  • Threat intelligence—by integrating with cloud-based threat intelligence databases, EPPs can automatically block known malicious elements with up-to-date data on billions of threats, threat actors and traffic sources.
  • Sandbox—allows endpoint protection platforms to quarantine suspicious files in a secure environment. In this environment, the endpoint protection platform can safely detonate a file and monitor its characteristics, without risking damage to other parts of the system. Learn more in our detailed guide to sandbox security.

How to Choose an Endpoint Protection Platform

Here are a few key features you should evaluate when selecting an EPP solution.

Multiple Threat Detection and Remediation Approaches

An EPP platform should include several integrated detection and remediation solutions. These should cover:

  • Anti-malware signature scanning
  • Web-browser security
  • Threat vector blocking for fileless malware
  • Credential theft monitoring
  • Rollback remediation

Platforms are increasingly employing endpoint detection and response (EDR) and data loss prevention (DLP) for both threat detection and remediation. Whereas EDR effectively monitors endpoint events, collating the data for future analysis, DLP prevents leaking sensitive data from the organization’s servers.

Real-Time Threat Data

EPPs should provide a comprehensive, constantly updated database of threats and threat actors. This data can be used directly to prevent attacks (as in malware and attack patterns), or can be correlated with other data to detect and block sophisticated attacks. Prefer a vendor that has an independent security research team, but also pulls data from other sources to increase coverage.

Integration Framework

Endpoint protection needs to integrate with other parts of the security stack. Third-party products may provide intrusion prevention, DLP, EDR, and other capabilities. The EPP solution also needs to be able to integrate with systems that provide data about endpoints outside the corporate network—for example, mobile device management (MDM) and cloud monitoring systems.

Centralized Management

An EPP solution should provide a single pane of glass providing visibility into all endpoints and related security tools. There should be one interface enabling configuration, alert management, visibility into security incidents, and endpoint protection metrics across the enterprise, such as number of security events detected and prevented.

EPP vs EDR Solutions

Endpoint detection and response (EDR) provides an additional line of defense after EPP preventative measures. EDR assumes a breach is underway. It conducts behavior-based detection and gives security analysts the tools to respond to a security incident on endpoints.

A few key differences between the two types of solutions:

  • EPP presents a more passive approach, while EDR is proactive
  • EPP operates without supervision, while EDR must be operated by expert security staff
  • EPP focuses on each endpoint in isolation, while EDR aggregates data from across the entire enterprise, detecting threats that affect multiple endpoints

Ideally, organizations should employ EDR and EPP together. While EPP provides comprehensive protection for a wide range of threats, when breaches do happen, the tools provided by EDR are essential for detecting and mitigating the threat in time.

Learn more in our detailed guide to EDR vs EPP (coming soon)

Enhancing Endpoint Security with Hysolate

Hysolate Workspace provides you with a fully isolated and secured VM on your Windows 10 endpoint device, to keep access to sensitive systems and data secure, so you can work productively on your host operating system, while keeping access to your company’s data secured and protected.

Workspace is installed on user endpoints, but is managed from the cloud, so you can quickly and easily deploy it and scale it across your company, customizing policies for each team and their needs. Unlike cloud-based traditional VDI or DaaS solutions, Workspace provides a great native user experience, with no lag or latency issues, even when using communication and productivity applications like Slack and Zoom.

This improves endpoint security as enterprise access is done exclusively from within an isolated corporate OS, while risky activities happen on another separate OS, without the need to monitor personal/private user activity or to fully manage the user’s device.



Understanding Endpoint Detection and Response (EDR)

What is Endpoint Detection and Response (EDR)?

EDR solutions are endpoint security tools designed to proactively detect potential attacks on endpoints. An endpoint can be a desktop, a laptop, a mobile device, or any other device connected to the network. EDR technology helps you gain visibility into endpoint activity. This level of visibility can help you analyze threats, and respond to breaches, which will inevitably happen.

EDR tools continuously monitor endpoints and can quickly respond to cyber threats. Ideally, an EDR solution should provide capabilities for data exploration, threat hunting, detection of suspicious activity, forensic investigation tools like searching incident data, alerts prioritization, and response features that help stop attacks.

To increase coverage, you can combine EDR with an Endpoint Protection Platform (EPP) solution, which is designed to block malware and prevent other malicious activity on the endpoint. EPP technology is preventative in nature while EDR technology is proactive. Together, EDR and EPP can help protect against and respond to endpoint threats on the network and on endpoint devices.

Related content: read our guide to endpoint protection platforms.

Why is EDR Security Important?

An EDR solution keeps track of all endpoints connected to the corporate network, proactively looks for threats, and initiates responses. Here are several benefits of using EDR technology:

  • Continuous visibility across endpoints—EDR solutions continuously monitor and hunt for threats. You can use this information to block threats and analyze past and ongoing attacks. You can automate many processes and keep your team productive while maintaining visibility at all times.
  • Detection of unknown threats—traditional antivirus and firewalls are designed to detect known threats, usually using signature-based detection. An EDR solution can actively look for unknown threats and help you block and stop advanced attacks. Typically this is achieved through the use of behavior analysis capabilities powered by artificial intelligence (AI).
  • Fast incident response—once the EDR solution detects a security event, it starts containing the threat. The solution isolates any affected endpoints, quickly responding to the event. Meanwhile, the security admin or team receives notifications and can respond quickly. The initial automated response is critical to prevent an event from escalating.
  • Efficient cyber forensics—EDR tools provide forensic capabilities, including visualizations. The solution continuously collects data and generates reports on each step in the kill chain.

How EDR Works

To achieve real-time visibility and initiate proactive detection and response, EDR security solutions use several mechanisms, including:

  • Collection of data—generated at the endpoint level, including communications, process execution, and user logins.
  • Recording data—including real-time data logs containing information about security incidents.
  • A detection engine—that performs behavioral analysis. These insights are used to establish a baseline of normal activity and identify anomalies that represent malicious behavior.

The above three tasks are performed on a continuous basis to ensure real-time visibility and response. When threats are detected, the EDR solution performs automated responses while alerting relevant stakeholders.
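The three mechanisms above (collection, recording, and a detection engine that compares activity with a baseline) can be seen in miniature in the following added example, which is not taken from any EDR product. It assumes process-launch telemetry as the collected data; the hosts, users, events, severity labels and isolation threshold are constructed for illustration.

```python
from collections import defaultdict

# Constructed telemetry (not real logs): (host, user, parent process, child process).
BASELINE_EVENTS = [
    ("ws-01", "alice", "explorer.exe", "winword.exe"),
    ("ws-01", "alice", "explorer.exe", "chrome.exe"),
    ("ws-01", "alice", "services.exe", "svchost.exe"),
    ("ws-02", "bob", "explorer.exe", "winword.exe"),
    ("ws-02", "bob", "explorer.exe", "outlook.exe"),
    ("ws-02", "bob", "services.exe", "svchost.exe"),
    ("ws-03", "carol", "explorer.exe", "chrome.exe"),
    ("ws-03", "carol", "services.exe", "svchost.exe"),
    ("ws-03", "carol", "explorer.exe", "powershell.exe"),  # normal for this host only
]
LIVE_EVENTS = [
    ("ws-01", "alice", "explorer.exe", "winword.exe"),
    ("ws-02", "bob", "winword.exe", "powershell.exe"),
    ("ws-03", "carol", "explorer.exe", "powershell.exe"),
    ("ws-01", "alice", "winword.exe", "powershell.exe"),
    ("ws-02", "bob", "explorer.exe", "powershell.exe"),
]

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


class Baseline:
    """Recorded normal activity: which parent->child launches occur on which hosts."""

    def __init__(self, events=()):
        self.pair_hosts = defaultdict(set)
        for host, _user, parent, child in events:
            self.pair_hosts[(parent.lower(), child.lower())].add(host)

    def classify(self, host, parent, child):
        """Return 'normal', 'new_for_host' or 'new_for_enterprise'."""
        hosts = self.pair_hosts.get((parent.lower(), child.lower()))
        if not hosts:
            return "new_for_enterprise"
        return "normal" if host in hosts else "new_for_host"


def detect(baseline, events, isolate_threshold=2):
    """Compare live events with the baseline and aggregate anomalies across hosts.

    A launch pattern never recorded anywhere is 'medium' on one host and becomes
    'high' (with automatic isolation) once it appears on isolate_threshold hosts.
    A pattern known elsewhere but new on this host is 'low'. Every finding is an
    alert for analysts; only 'high' findings carry the 'isolate' action.
    """
    hosts_by_pair = defaultdict(set)
    kind_by_pair = {}
    for host, _user, parent, child in events:
        kind = baseline.classify(host, parent, child)
        if kind == "normal":
            continue
        pair = (parent.lower(), child.lower())
        hosts_by_pair[pair].add(host)
        kind_by_pair[pair] = kind

    alerts = []
    for pair, hosts in hosts_by_pair.items():
        if kind_by_pair[pair] == "new_for_host":
            severity, action = "low", "alert"
        elif len(hosts) >= isolate_threshold:
            severity, action = "high", "isolate"
        else:
            severity, action = "medium", "alert"
        alerts.append({"pair": pair, "hosts": sorted(hosts),
                       "severity": severity, "action": action})
    # Highest severity first so analysts triage the widest anomaly before the rest.
    return sorted(alerts, key=lambda a: (SEVERITY_ORDER[a["severity"]], a["pair"]))


if __name__ == "__main__":
    for alert in detect(Baseline(BASELINE_EVENTS), LIVE_EVENTS):
        print(alert)
```

The per-host view alone would rate each new launch the same; aggregating across endpoints is what raises the pattern seen on two hosts above the one seen on a single host.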

What to Look for in an EDR Solution

Here are several important capabilities to look for in an EDR solution:

  • Incident triaging flow—an EDR solution can help prevent alert fatigue, by automatically triaging suspicious events. This helps security teams prioritize their investigations.
  • Threat hunting—can help proactively search for threats and potential intrusions.
  • Data aggregation and enrichment—is needed to provide context, and context helps EDR solutions and security teams differentiate between false positives and real threats.
  • Integrated response—enables teams to quickly review evidence and immediately respond to security events.
  • Multiple response options—enable teams and technologies to appropriately respond to an event. For example, responses should include capabilities for eradication and quarantine.

Endpoint Detection and Response Best Practices

Here are several best practices to consider when implementing EDR in your organization.

Integrate with Other Tools

EDR solutions are designed to protect endpoints—this does not provide complete security coverage for all digital assets in your organization. EDR should work as a component in your information security strategy, alongside other tools such as patch management, antivirus, firewalls, encryption, and DNS protection.

Ideally, an EDR solution should integrate with your existing Security Information and Event Management (SIEM) solution. A SIEM monitors and provides alerts when network-wide issues are detected. You can use SIEM to centralize various security processes and the collection of logs. Centralization can help you quickly respond to events and analyze data.

Use Network Segmentation

While some EDR solutions isolate endpoints when responding to threats, they do not replace network segmentation. Here are some examples:

  • A segmented network—lets you restrict endpoints to specific services and data repositories. This can significantly reduce data loss risks and the level of damage a successful attack might accomplish.
  • Ethernet Switch Paths (ESPs)—can help you further protect the network. ESPs let you hide the structure of the network, ensuring attackers cannot easily move between segments of the network.

Choosing a Vendor Based on Your Organization’s Specific Requirements

The features and cost of an EDR solution can vary between vendors. Before choosing an EDR tool, make the time to research multiple vendors and find the one that suits the needs of your organization. Here are some questions to consider:

  • Can you integrate the EDR solution with your existing operating systems (OS) and applications?
  • Does the solution offer integration with third-party security tools?

Integration is critical to ensure your security strategy works smoothly. However, there are many other considerations. Model your questions on your existing circumstances and requirements, and choose the appropriate tool.

Be Aware that EDR Solutions Require Human Talent

EDR solutions, when deployed across large networks covering many endpoints, can generate thousands or even tens of thousands of alerts on a daily basis. To effectively respond to alerts, you need to set up a prioritization strategy that reduces the number of false positives and ensures your team remains productive.

There are many systems that can reduce false positives, but you also need security analysts who can analyze the data generated by the system. You can hire your own in-house staff or hire external service providers.

Endpoint Security with Hysolate

Hysolate Workspace increases your endpoint security with a fully isolated and secured VM that sits on your users’ Windows 10 endpoint, so your team can work productively on their host operating system, while keeping access to your company’s data secured and protected in the Hysolate OS.

Workspace is deployed and scaled in minutes on user endpoints, and is managed from the cloud, so you can customize policies for each team and their needs. Unlike cloud-based traditional VDI or DaaS solutions, Workspace provides a great native user experience, with no lag or latency issues, even when using communication and productivity applications like Slack and Zoom. Hysolate reduces management time and resources, compared to other traditional EDR solutions, by isolating all risky activities from corporate data, while allowing teams to get their jobs done.

To find out more about how Hysolate can help secure your endpoint devices, while your team can work productively, request a demo here.


Endpoint Security: A Practical Guide

What is Endpoint Security?

With the growth of cloud computing, the prevalence of remote working, and the proliferation of IoT, protecting endpoint devices has become vital to securing company data. Endpoint devices may include mobile and desktop computers, point of sale terminals (POS), cellular phones, industrial devices, and even connected household appliances.

The typical strategy to secure endpoints is to deploy endpoint security software on the devices themselves. This software aims to protect endpoints from malware and risky user behavior, identify anomalous patterns on the endpoint, detect intrusions, and assist security teams in identifying and stopping attacks targeted at endpoints.

Why Is Endpoint Security Important?

Endpoint security is vital in an expanding threat landscape. The primary security goals of an endpoint security system are:

  • Protecting all endpoints—the number and types of devices accessing an enterprise’s IT environment are growing rapidly. The data on those devices must be secure against loss or theft, no matter the type of device, its operating system, or location.
  • Securing remote working—many employers now either provide employees with mobile devices or let them bring their own personal devices to work (bring your own device—BYOD). This increases productivity and contributes to employee satisfaction. However, it also increases network vulnerability, which hackers may exploit. Here, endpoint security becomes crucial.
  • Sophisticated threat protection—hacking methods have grown in their sophistication. New types of malware have evolved, which can easily evade traditional antivirus. Attackers use advanced social engineering techniques which can fool users into divulging information or performing actions that undermine security. Endpoint security aims to protect against these threats, but, recognizing that breaches will happen, must also provide tools to mitigate and contain security incidents.
  • Protecting identity—traditional approaches to protecting an IT perimeter are no longer applicable, now that the perimeter extends far beyond an organization’s network. Security measures must be applied to all devices belonging to all employees and third parties, regardless of time or place, from the moment a device gains access to corporate systems and data.

Endpoint Security Solutions

Let’s review the three most common technology solutions used for endpoint protection—endpoint protection platforms (EPP), endpoint detection and response (EDR), and eXtended detection and response (XDR).

Endpoint Protection Platform (EPP)

Endpoint protection platforms are deployed on endpoint devices to protect against file-based malware attacks, and identify potentially malicious activity. They investigate, alert, and provide remedial responses to security threats.

Advanced solutions employ multiple detection techniques—ranging from static indicators of compromise (IoCs) to behavioral analysis. Most EPPs are cloud-managed, covering endpoints within the corporate network and those outside the company environment. They are also cloud-data assisted so that the endpoint agent can cross-reference findings against a cloud database of all known IoCs, rather than maintaining a local threat database.

An additional advantage of cloud monitoring is that data collection and remediation are immediate, thanks to continuous monitoring.

Learn more in our detailed guide to endpoint protection platforms.

Endpoint Detection and Response (EDR)

Endpoint Detection and Response (EDR) tools, often bundled together with EPP platforms, monitor and record endpoint activity, seeking security risks, such as suspicious behavior, and responding to threats. They work alongside antivirus tools and firewalls, but do not replace them.

Whereas antivirus and firewalls are passive—they protect the end-user device and prevent threats—EDR tools are active. They give security teams the tools to detect and act to mitigate security incidents, as they happen.

EDR solutions track, monitor, and analyze activities and the data passing through endpoints, aggregating it across the enterprise. They can help detect and prevent advanced persistent threats (APTs), in which attackers gain access to an endpoint and use it to perform lateral movement to additional systems, or privilege escalation to gain access to sensitive systems and data.

Learn more in our detailed guide to endpoint detection and response.

Extended Detection and Response (XDR)

XDR addresses the problem of highly complex network environments, and the difficulty of correlating and investigating signals from multiple security tools. XDR enhances traditional EDR by extending protection throughout all network layers and application stacks, including cloud infrastructure, SaaS applications, and any network addressable resource.

XDR employs machine learning to combine data from multiple layers of the security stack and identify attacks that span multiple systems in the IT environment. It leverages advanced analysis to filter out the noise that is typical to most organizational networks and identify real security incidents.

XDR transforms event data with contextual information, making it much faster and easier for security teams to investigate incidents. Instead of having to pull and correlate data from multiple security tools, they can see all the pertinent data on one pane of glass. It automates forensic analysis, integrating multiple signals into a ‘big picture’, enabling prompt investigation and increased confidence regarding indicators of compromise (IoC).

4 Key Considerations for Endpoint Security Management

The best tools remain underutilized unless properly configured and comprehensively deployed. To properly protect your endpoints, the following considerations are important:

Bring Your Own Device (BYOD)

Company policies should restrict the manner in which personal devices are used for business activities. This should include restrictions on storing business data on personal devices and allowing access only through encrypted channels. At a minimum, use virtual private networks (VPNs) to shield traffic and prevent man-in-the-middle (MitM) attacks. Preferably, adopt a zero trust approach, as described below.

If you deploy endpoint security agents on BYOD devices, you will need to assume liability for conflicts with personal software installed on the device, and deal with pushback from users. Endpoint security systems may restrict functionality on the device and hurt productivity, or interfere with non-work operations.

Related content: read our guide to endpoint privilege management.

Leverage Zero Trust

Zero trust is a new security paradigm rapidly being adopted by security-conscious organizations. A zero trust architecture enables access only to identified users and devices, and even then—only to the level of permissions required to perform a specific task.

With the proliferation of organizational endpoints, zero trust is a highly effective way to minimize the threat surface, while providing employees with the required access to company assets.

Zero trust network access (ZTNA) solutions, commonly used to deploy zero trust, provide centralized policy control. This enables constant assessment of endpoints against access rights, user identities and device configuration, enables easy revocation of privileges, and prevents privilege escalation. ZTNA works with identity and access management (IAM) solutions to automate this process, requiring human intervention only to respond to anomalies.

Learn more in our detailed guide to zero trust networks

Keep Systems Updated

According to Data Prot, the number of malware variants has grown to over a billion, with nearly 600,000 new types of malware detected each day. Zero day threats are constantly emerging, making it critical to immediately deploy updates across all enterprise devices and endpoints, applications, firmware, and network environments.

Automated tools can help by pushing updates automatically to endpoints. Zero trust networks can check basic device health/compliance, and prevent users from connecting to corporate resources if their device is not updated.

Shared Security Responsibility in the Cloud

Cloud providers and other third-party providers commonly employ a shared responsibility model for security management. This will usually place responsibility for company data and applications in the hands of the company; in other cases, you will be responsible for everything above the network layer.

Ensure you are aware of this division of responsibilities and employ your service provider’s best practices and tools to secure endpoints. You may employ third-party endpoint security tools, in which case you must ensure that the tools provided integrate with all your systems—both on-premises and in the cloud.

Related content: read our guide to cloud DLP.

Endpoint Security with Hysolate

Hysolate Workspace provides you with a fully isolated and secured VM on your Windows 10 endpoint device, to keep access to sensitive systems and data secure, so you can work productively on your host operating system, while keeping access to your company’s crown jewels secure and totally isolated.

Workspace is installed on user endpoints, but is managed from the cloud, so you can quickly and easily deploy it and scale it across your company, customizing policies for each team and their needs. Unlike cloud-based traditional VDI or DaaS solutions, Workspace provides a great native user experience, with no lag or latency issues, even when using communication and productivity applications like Slack and Zoom.

This improves security as enterprise access is done exclusively from a corporate OS while risky activities happen on another separate OS, without the need to monitor personal/private user activity or to fully manage the user’s device.

Request a demo to find out more about how Hysolate can help secure your endpoint devices.