In the [previous post](https://www.reddit.com/r/cybersecurity/comments/o7j3g9/feel_free_to_use_this_endpoint_security_checklist/), I wrote about how there’s more to enterprise-level endpoint security than just patching (which is sometimes the only level of defense a few businesses out there have). I divided the features listed in the previous posts into two, Priority list #1 and Priority list #2, for reference: the former is compulsory, and the latter is advanced and can be used once you’re done with list #1.
**Priority list #1**
1. Securing your browsers aka Browser security
2. Filtering applications via Application control
3. Controlling what devices are plugged in (and removed)
4. A solid way to address unknown vulnerabilities and threats (not a half-baked one)
5. BitLocker Encryption
**Priority list #2**
1. Endpoint Detection and response (EDR)
2. ZTNA (this is basic stuff but a lot of vendors think they’re awesome because they provide this)
3. A business intelligence reporting system (to visualize your internal and external threats)
4. A proper Network Access Control system
5. Data loss prevention (mostly combines app and device control along with some fancy features)
I have mentioned all the ‘must-have’ features of Priority list #1 in the [previous post](https://www.reddit.com/r/cybersecurity/comments/o7j3g9/feel_free_to_use_this_endpoint_security_checklist/). I’ll now attempt to explain the ‘must-have’ features of Priority list #2.
# Priority list #2
Endpoint Detection and response:
Why you need this: A good EDR solution has one job: to monitor, collect, and record data in order to identify and detect malicious behavior and keep it from spreading in the network. EDR was a security feature that stayed on the fringes for a long time (ever since it was coined in 2013) but is now trending, ever since organizations started adopting aggressive endpoint security strategies. Must-have features include:
>An automated threat response mechanism (just a fancier term for detecting and shutting down ransomware right at its root)
>Safeguard business-critical data and monitor file access and modification in real time.
>Real-time analytics where the EDR tool can go through scores of data and look for threat patterns
Zero Trust Access Network (ZTNA):
Why you need this: To authenticate network-friendly devices and fend off hostile devices. Basically, any new device in the network is considered hostile by default unless it’s cleared for access by the admin. This is different from the traditional approach, which considers that every device in the organization can be trusted. Must-have features include:
>The mode of access provision for the devices needs to be done in a few taps.
>The ability to understand trusted devices, be it in a list or roles or tasks.
>Facilitate Bring Your Own Device policies in the organization (BYOD)
Business threat intelligence reporting system:
Why you need this: What is the point of securing your endpoints if you can’t compile all info in one place and visualize it? Usually I would have shown a picture or two on this but since this sub doesn’t allow pictures, you can see that for yourself [here](https://www.manageengine.com/analytics-plus/advanced-analytics-for-desktop-central.html?reddit-post). Must-have features include:
>Ability to track unprotected endpoint devices, basically increase visibility across all endpoints.
>Provide real-time info on threats and visualize health status of systems in decent, meaningful dashboards
>Be able to prioritize threats and patches, i.e., address risky ones first and then move on to the less imminent ones
>A provision to check compliance and audit devices whenever required.
Network Access Control system (NAC)
Why you need this: Short answer: COMPLIANCE. Elaborate answer: Just like how you are quarantined after reaching a new country and tested (for COVID for instance) before being let out of the airport, your end-user devices need a similar policy to ascertain whether anything is wrong with them or whether they fail compliance checks. This makes a lot of sense especially when you’re reopening your offices and a part or whole of your remote workforce is shifting back to working from the office. A network access control system needn’t have an elaborate list of features per se. However, it’d be good if your NAC can:
>Run checks on software and services along with device configuration
>Invoke or revoke the ‘Quarantine’ status.
>Do compliance checks based on registry path or registry value and file path and file value.
Data loss/leak prevention
Why you need this: To protect your sensitive and corporate data. It can’t get any simpler than that. Data loss can be minimized to a great extent by keeping tabs on the data (from your apps, software, access info) and controlling the devices that this data is stored in (like your USB sticks and other storage devices). Preventing data loss can be done by a mix of all the above from priority list #1 and #2. However, it mainly consists of:
>Setting up predefined security policies that let you identify and respond to security threats
>Isolate data, control/restrict USB data transfer and stop files from being transferred to external storage devices.
>Getting alerts when a designated high priority file is on the move via email
>Block ports based on the end user behavior and control user access and permission levels
There are many ways to use this checklist. You can either use this checklist while buying an endpoint security tool (unless they offer a free trial) or you can use this as an internal reference. Also, since enterprise endpoint security is still in its initial stages, it is better to stick to one or a handful of security tools, unless you need to fix a particular problem, in which case a point product suffices.
For example, ManageEngine’s Desktop Central ([source](https://www.manageengine.com/products/desktop-central/index1.html?utm_source=redditpost)) is an all-inclusive endpoint management & security product that can expand its feature set with the help of a few extensions and plug-ins. At the same time, those individual features have their own point-products for businesses looking to solve only a particular problem. It’s flexible that way.
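
The NAC behaviour described in the Network Access Control section above (checks on services, registry path/value and file path/value, with a ‘Quarantine’ status that is invoked or revoked) can be expressed as follows. This is an added example, not part of the original post or of any product it mentions; the policy schema, registry path, file path, service name, device id and placeholder hash are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Check:
    kind: str      # "registry", "file" or "service"
    key: str       # registry path\value name, file path, or service name
    expected: str  # required registry data, file digest, or service state

# Constructed policy (assumption): names and the placeholder digest are not real.
POLICY = [
    Check("registry", r"HKLM\SOFTWARE\ExampleCorp\Agent\Enabled", "1"),
    Check("file", r"C:\Program Files\ExampleAgent\agent.exe", "sha256:PLACEHOLDER"),
    Check("service", "ExampleAgentSvc", "running"),
]

def failed_checks(facts, policy=POLICY):
    """Return the checks a device fails. A fact the endpoint agent did not
    report counts as a failure, so missing data never grants access."""
    failures = []
    for check in policy:
        reported = facts.get(check.kind, {}).get(check.key)
        if reported is None or reported.lower() != check.expected.lower():
            failures.append(check)
    return failures

class AccessController:
    """Tracks the quarantine status of each device (hypothetical helper)."""
    def __init__(self, policy):
        self.policy = policy
        self.status = {}  # device id -> "quarantined" or "allowed"

    def status_of(self, device_id):
        # A device that has never reported stays quarantined by default.
        return self.status.get(device_id, "quarantined")

    def report(self, device_id, facts):
        # Invoke quarantine on any failure; revoke it only on a clean report.
        failures = failed_checks(facts, self.policy)
        self.status[device_id] = "quarantined" if failures else "allowed"
        return failures

# Constructed posture reports, shaped as an endpoint agent might send them.
COMPLIANT = {
    "registry": {r"HKLM\SOFTWARE\ExampleCorp\Agent\Enabled": "1"},
    "file": {r"C:\Program Files\ExampleAgent\agent.exe": "sha256:PLACEHOLDER"},
    "service": {"ExampleAgentSvc": "Running"},
}
DRIFTED = {**COMPLIANT, "service": {"ExampleAgentSvc": "stopped"}}
```

Re-running `report()` on every check-in is what lets a device that drifts out of compliance, such as a returning office laptop with its agent service stopped, fall back into quarantine automatically.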