You Are Here - Part 3 - Endpoint & Application Security

So far in this series we have reviewed a few popular and emerging models and frameworks. These tools are meant to help you make sense of where you are and how to get where you’re going when it comes to information security or cybersecurity. We’ve also started the process of defining a new, more practical, more technology-focused map of the cybersecurity landscape. At this point you are familiar with the concept of four critical domains, and six key technology categories within each. Today we’ll dive into the second domain: Endpoint and Application.

I must admit that not everyone agrees with me about lumping servers and applications in with laptops and mobile phones as a single security domain. The choice was a risk, but I believe it makes the most sense: so many of the tools and techniques are the same for both groups of devices, especially now that we are moving our endpoints out onto networks that we don’t fully control (or, in some cases, don’t control at all). Let’s explore it together - and then let me know what you think!

Domain: Endpoint & Application

If we stick with the castle analogy from part 2, endpoints and applications are the people living inside the walls. Endpoints are the devices your people use to work: desktops, laptops, tablets, phones, etc. Applications are made up of the servers and software your employees, customers, and partners rely upon. These are the things that are affected if an attack penetrates your perimeter, and as such, they need their own defenses.

The categories in the endpoint and application domain are endpoint protection, detection, and response (EPP / EDR), patch and vulnerability management, encryption, secure application delivery, mobile device management (MDM), and cloud governance.

Category: EPP / EDR

The oldest forms of IT security are firewalls and host antivirus. Both have matured a lot in the past 30+ years. Endpoint protection (EPP) is the evolution of host-based anti-malware tools, combining many features into products with great success rates. Nothing is perfect, however, and there are advanced persistent threats (APT) that can get into your devices and do damage over time. Endpoint detection and response (EDR) tools are the answer to APT. We're combining these two concepts into a single category because you need both – and luckily for us, many manufacturers now combine them as features of their endpoint security solution.

Category: Patch and Vulnerability Management

While catching and stopping malware and other attacks is great, what if you didn’t have to? Tracking potential vulnerabilities across your systems and automatically applying patches as needed should reduce an attacker’s opportunities to exploit them and help you sleep better at night. While you can address patch management without vulnerability management, I recommend that you take a comprehensive and automated approach, which is why they are both covered in this category.
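The "track vulnerabilities, then patch what is exposed" loop described above, as an added example that is not part of the original article: a small correlation step that matches a host inventory against a list of advisories, flags packages whose installed version is older than the first fixed version, and orders the work by severity. The inventory, the advisory identifiers and the version numbers are all constructed for illustration (they are not real CVEs or real product fixes), and the version parser assumes dotted numeric versions.

```python
import re

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed sample inventory: host -> {package: installed version}.
INVENTORY = {
    "web-01": {"nginx": "1.18.0", "curl": "7.68.0", "openssh": "8.2"},
    "web-02": {"nginx": "1.20.1", "curl": "7.68.0", "openssh": "8.4"},
    "db-01":  {"postgresql": "13.2", "openssh": "8.4"},
}

# Constructed sample advisories; the ids are placeholders, not real CVE numbers.
ADVISORIES = [
    {"id": "ADV-CONSTRUCTED-001", "package": "openssh",    "fixed_in": "8.4",    "severity": "critical"},
    {"id": "ADV-CONSTRUCTED-002", "package": "nginx",      "fixed_in": "1.20.1", "severity": "high"},
    {"id": "ADV-CONSTRUCTED-003", "package": "curl",       "fixed_in": "7.74.0", "severity": "medium"},
    {"id": "ADV-CONSTRUCTED-004", "package": "postgresql", "fixed_in": "13.3",   "severity": "low"},
]


def parse_version(version: str) -> tuple:
    """Turn '1.20.1' or '8.2' into an integer tuple so versions compare numerically.

    Comparing the raw strings would rank '8.9' above '8.10'; tuples of ints do not.
    Non-numeric components (assumed rare here) compare as 0.
    """
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", version))


def is_affected(installed: str, fixed_in: str) -> bool:
    """A host is affected while its installed version is older than the first fixed version."""
    return parse_version(installed) < parse_version(fixed_in)


def missing_patches(inventory: dict, advisories: list) -> dict:
    """Correlate each host's packages against the advisories.

    Returns host -> list of findings (advisory fields plus the installed version),
    sorted so the most severe finding on each host comes first.
    """
    report = {}
    for host, packages in inventory.items():
        findings = []
        for adv in advisories:
            installed = packages.get(adv["package"])
            if installed is not None and is_affected(installed, adv["fixed_in"]):
                findings.append({**adv, "installed": installed})
        findings.sort(key=lambda f: SEVERITY_RANK[f["severity"]])
        report[host] = findings
    return report


def hosts_by_priority(report: dict) -> list:
    """Order hosts so those carrying the most severe unpatched finding are patched first."""
    def worst(host: str) -> int:
        ranks = (SEVERITY_RANK[f["severity"]] for f in report[host])
        return min(ranks, default=len(SEVERITY_RANK))
    return sorted((h for h in report if report[h]), key=lambda h: (worst(h), h))


if __name__ == "__main__":
    report = missing_patches(INVENTORY, ADVISORIES)
    for host in hosts_by_priority(report):
        for f in report[host]:
            print(f"{host}: {f['package']} {f['installed']} -> {f['fixed_in']} "
                  f"[{f['severity']}] {f['id']}")
```

In a real deployment the inventory comes from an agent or scanner and the advisories from a vulnerability feed; the correlation and prioritisation logic stays the same, and the output is what an automated patch job would consume.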

Category: Encryption

When properly applied, encryption is the most effective way to protect your data from unwanted disclosure. Of course, encrypted data is only useful if you can decrypt it when needed – be sure to have a plan (and the proper tools) for extraction! Encryption/decryption utilities can protect data at rest (stored files), data in use (an open file), and data in motion (sending/receiving a file).
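The "be sure you can decrypt it when needed" point above, worked as an added example that is not part of the original article: envelope encryption of a file at rest, where a fresh data key protects the file and that data key is wrapped under both an operational key and a separately stored recovery key, so losing the operational key does not lose the data. To run offline with only the Python standard library, the cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, standing in for AES-GCM; the keys and the sample file content are constructed.

```python
import hashlib
import hmac
import os


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive an independent subkey per purpose so encryption and MAC never share a key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a PRF keystream (stand-in for AES-CTR)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; raise on a wrong key or modified data."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or modified data")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def encrypt_at_rest(data: bytes, ops_kek: bytes, recovery_kek: bytes) -> dict:
    """Envelope encryption: one data key per file, wrapped under two key-encryption keys."""
    dek = os.urandom(32)
    return {
        "ciphertext": seal(dek, data),
        "dek_for_ops": seal(ops_kek, dek),            # unwrapped by the day-to-day key
        "dek_for_recovery": seal(recovery_kek, dek),  # unwrapped by the offline recovery key
    }


def decrypt_at_rest(envelope: dict, kek: bytes, slot: str) -> bytes:
    """Unwrap the data key from the chosen slot, then decrypt the file."""
    dek = open_sealed(kek, envelope[slot])
    return open_sealed(dek, envelope["ciphertext"])


def recovery_drill() -> bool:
    """Simulate losing the operational key and extracting the data with the recovery key."""
    ops_kek, recovery_kek = os.urandom(32), os.urandom(32)  # constructed keys
    record = b"customer export 2024-Q1 (constructed sample file)"
    envelope = encrypt_at_rest(record, ops_kek, recovery_kek)
    del ops_kek  # the operational key is now gone
    return decrypt_at_rest(envelope, recovery_kek, "dek_for_recovery") == record


if __name__ == "__main__":
    print("recovery drill passed:", recovery_drill())
```

The recovery drill is the part worth copying: an extraction plan only counts if it is exercised, and rehearsing it against a throwaway envelope proves the recovery key can actually unwrap production data.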

Category: Secure Application Delivery

Load balancers used to be all you needed to round-robin requests to your various application servers. Today application delivery controllers (ADC) are much more than that. You always want to put security first, so I recommend an ADC that includes web application firewall (WAF) and other security features for secure application delivery.

Category: Mobile Device Management

EPP and EDR may be enough for devices that stay on-prem, under the protection of your perimeter security tools, but what about mobile devices? When people are bringing their own devices into your network, and taking your devices onto other networks, a more comprehensive security-focused solution is needed. These solutions fall under the umbrella of mobile device management (MDM).

Category: Cloud (XaaS) Governance

Cloud governance is a fairly new area and in many ways is still being defined. What’s more, to an even greater degree than in the other categories here, governance must always include people, processes, and technology. Since this reference model is focused on technology and practical tools, this category includes technologies that enable and enforce governance. As your organization becomes more and more dependent on more and more cloud platforms, you need visibility and policy control over that emerging multi-cloud environment. A solid cloud governance tool provides that.

What's Next?

We are now three parts into this six-part series. Are you starting to feel like you know where you are? How about where you need to be going? Don’t worry, we still have two more domains to cover, and then a final word on how to make this model practical for you and your organization. Keep an eye out for part 4, where we’ll dive into identity and access - an area that many of you are probably neglecting, despite its extreme importance. Talk to you then!

Thanks for the article!

Thanks I'm enjoying the series so far.

Endpoint protection has come a long way since the old days of just having AV.

Awesome, glad to hear that!

Thanks for the article. Great info.

Good post. Really enjoying the series. Thanks!

You've provided some definitions; now let's see your final implementation guideline based on those concepts! Is there a Part IV coming up that shows your ideas in practice?

As I stated in part 1, the intent of this series is to provide a reference model for IT security. Applying this model requires a thorough understanding of your organization's current and ideal state. I will talk about that generally in part 6. Specific advice on what to implement, or how to implement it, is outside the scope of this particular series, however.


Nice post

Nice building blocks in each of these articles.

About the Author
Chris Grundemann is a passionate, creative technologist and a strong believer in technology's power to aid in the betterment of humankind. In his current role as Director of Strategy at Myriad360 he is expressing that passion by helping clients build bigger, faster, more efficient IT infrastructure that is both more secure and easier to operate and scale. Chris has well over a decade of experience as both a network engineer and solution architect designing, building, securing, and operating large IP, Ethernet, and Wireless Ethernet networks. Chris holds 6 patents in network technology and is the author of Day One: Exploring IPv6 and Day One: Advanced IPv6 Configuration, an IETF RFC, a personal weblog, and various other industry papers and blogs. As a volunteer he is currently serving as President of IX-Denver, Program Committee (PC) member for AfPIF, and Chair of the Open-IX BCOP committee. Chris often speaks at conferences, NOGs, and NOFs the world over. He has held previous positions with Markley Group, Internet Society, CableLabs, tw telecom, CO ISOC, ISOC-NY, ARIN, NANOG, CEA, UPnP, DLNA, RMv6TF, and several others. Chris is currently based in Brooklyn, NY and can be reached via Twitter.