How Has Endpoint Security Evolved?

Endpoint security has evolved significantly since the early days of computing. In this article, I outline the history of how endpoint devices such as computers and laptops have been secured and showcase a sample of modern tools and practices that have been developed alongside changes in the modern threat landscape.

Get The Full Seth Klarman Series in PDF

Get the entire 10-part series on Seth Klarman in PDF. Save it to your desktop, read it on your tablet, or email to your colleagues.

Q2 2020 hedge fund letters, conferences and more

The 1970's-1990’s: The Early Computing Days

Introduction to Malware in Early Computing

The 1970s brought us an early introduction to computer networking through the ARPANET, a predecessor to what would eventually become the internet of today. Not long after the introduction of the ARPANET, we were introduced to the first computer virus and worm in the form of Creeper and Reaper.

Seth Klarman Tells His Investors: Central Banks Are Treating Investors Like “Foolish Children”

Volatility"Surreal doesn't even begin to describe this moment," Seth Klarman noted in his second-quarter letter to the Baupost Group investors.  Commenting on the market developments over the past six months, the value investor stated that events, which would typically occur over an extended time frame, had been compressed into just a few months. He noted Read More


According to an article from Core War, the first virus started in 1971 with the invention of Creeper, the first computer program with the ability to move across a network. Creeper was designed to travel between Tenex terminals on the early ARPANET, where it displayed the message “I’M THE CREEPER: CATCH ME IF YOU CAN” on arrival.

The first computer worm was developed when Creeper was bolstered with the ability to replicate itself rather than simply moving as a standalone program between terminals. Later, a program called Reaper was designed to propagate through the ARPANET to remove Creeper, giving us an early introduction into what would become prime computer security concerns once the internet became mainstream in the business world: Protecting against computer viruses.

The First Virus Epidemics & Endpoint Security Companies

The 1980s introduced the computing world to Elk Cloner and the Brain Boot Sector Virus. Elk Cloner is thought to be the first virus ever discovered operating in the wild and Brain kicked off the coming trend of viruses that were compatible with IBM PCs. Both of these early malware examples lead to unexpected outbreaks that set the precedence for the future of antivirus and antimalware in endpoint security.

Early antivirus companies such as G Data Software, NOD, and McAfee set the stage in 1987 with the introduction to businesses that catered to the newfound need for antivirus solutions. Coming into the 90s endpoint security was largely centered around identifying what was bad and removing it through the use of signatures.

As the amount of malicious software rapidly increased, signature-based threat detection solutions were becoming less reliable as they simply could not reliably keep up with every piece of new malware. Marcus Ranum's essay "The Six Dumbest Ideas in Computer Security" refers to this practice as Enumerating Badness, and it is his belief that the clearest need to evolve beyond signature-based solutions came in 1992 when “the amount of Badness in the Internet began to vastly outweigh the amount of Goodness.”

The 2000's: Defense-in-Depth & Layered Security

Moving into the 2000s, endpoint security trends moved beyond reliance on traditional antiviruses. Endpoint detection & response (EDR), next-generation antivirus (NGAV), virtual desktop infrastructures (VDI), and Positive Security models became popular solutions for protecting endpoint devices.

Next-Generation Antivirus (NGAV)

Next-Generation Antivirus programs (NGAV) aim to advance traditional antiviruses beyond the limitations of the usual indicators of compromise (IOC) such as signatures with a suite of added malware detection capabilities.

While there is not a standard definition for what constitutes an NGAV, there are some common features among them such as machine learning, artificial intelligence, and data analytics. Each of these features are intended to bolster malware detection capabilities by studying existing malware for patterns of behavior that can be used to identify signs of an attack.

The main limitation of NGAVs is that they inherently rely on existing malware datasets to make their inferences. This is problematic as AI technologies can also be used by threat actors to create polymorphic malware that is designed to modify itself in response to detection. In the event that malware is able to bypass prevention from the NGAV solution, endpoint security defers to the next stages of a layered security approach: detection and response.

Endpoint Detection and Response (EDR)

In 2013 Gartner’s Anton Chuvakin coined the term Endpoint Threat Detection and Response (EDR) to refer to tools that moved away from signature-based solutions and instead approached threat detection from the perspective of investigating suspicious activities on endpoint devices.

As a standalone solution, the challenge of EDR came from its reliance on security staff to hunt for and verify threats as they were detected by EDR tools. These solutions also relied on the endpoint already being infected and potentially compromised before their alerts were triggered.

This further exemplified the critical importance of a layered security and defence-in-depth approach to cybersecurity. EDR tools served as much-needed detection and response solutions that complemented prevention-based options.

The Positive Security Model

Many endpoint security solutions aim for understanding what is bad, detecting it, and preventing it from causing further damage. The trouble with focusing on the bad (a negative security model) is precisely what was pointed out by Marcus Ranum in his essay - the bad is practically infinite, making the back-and-forth race of identifying and remedying threats unreliable and resource intensive.

A positive security approach to endpoint security such as OS-Centric Positive Security aims to complement the negative security model by shifting focus away from the ever-expanding list of what is bad and instead focus on what is good. What is defined as “good” is a predetermined set of expected behavior on endpoint devices that are not expected to change in a healthy operating system. Should there be any changes to what is on the expected behavior list of the operating system the immediate assumption is that it is an IOC that needs to be investigated.

Virtual Desktop Infrastructure (VDI)

During this time, Virtual Desktop Infrastructure (VDI) also became popular as an endpoint security solution. With VDIs in place, the endpoint devices could become non-persistent virtual mirrors of desktops, complete with cloud-based applications. By having data provided by and stored on an external server rather than the endpoint device, endpoint security could be moved to the cloud and the threat of a lost or stolen endpoint device could be better managed.

Unfortunately, VDIs are not the panacea for all endpoint security concerns. VDIs are still potentially vulnerable to fileless attacks, insecure applications, and data leaks caused by malware moving laterally through the VDI desktop to the data center should the VDI setup and endpoint device not be sufficiently locked down.

Endpoint security has rapidly evolved alongside the ever-expanding threat landscape. While not entirely obsolete, traditional antiviruses are simply not enough to meet the endpoint security needs of today. Modern cybersecurity relies on a defense-in-depth and layered security approach that combines a multitude of technologies, policies, and practices at every layer to truly protect sensitive data against today’s threats.