Endpoint security for Mac: 3 best practices

If you’re one of the 50% of small and medium-sized businesses (SMBs) that use Mac devices today, chances are your IT and security teams have a ton of Mac endpoints to monitor. 

Securing that many endpoints can get really complex, really fast, especially when you consider that the common wisdom that Macs don’t get malware simply isn’t true: in fact, the number of malware detections on Mac jumped 200% year-on-year in 2021. 

And it’s not just malware you have to worry about with your Mac endpoints. 

Phishing attacks, vulnerability exploits, DDoS attacks, and much more threaten your company’s Macs at any time — and if any of them are successful, it could cost your business millions in lost productivity and information theft.

Needless to say, these are a lot of different threats to deal with when it comes to Mac endpoint security. But Thomas Reed, Director of Mac & Mobile at Malwarebytes, is here to remind us of a few simple things we can do to make our Mac endpoints more secure. 

In this post, we break down three of Reed’s best practices for endpoint security for Mac. 

1. Update frequently

As in the Windows world, one of your top priorities needs to be keeping your Macs up to date — and by now we should all understand why. Just consider the fact that 60% of companies say breaches could have been avoided if they had patched known vulnerabilities. 

Tracking and patching vulnerabilities on macOS, however, is a little more difficult to do than on Windows. 

While Microsoft regularly advertises its security updates with its Patch Tuesdays, Apple slips in patches on an ad-hoc basis, meaning macOS admins need to put in a little more legwork to keep their devices up to date.

To ensure that you know about the latest updates for your Mac endpoints, there are two things you should do.

  1. Sign up for Apple’s public security notifications and announcements mailing list. You’ll get an email anytime Apple releases a patch for macOS.
  2. Regularly check Apple’s list of security updates and patches. It provides patch names, patch information, affected devices, and release dates.

Additionally, if you’re like most businesses and find that having no common view of assets is causing you major delays in patching, you should consider a vulnerability management solution that gives you instant visibility into potential vulnerabilities across your macOS environment.
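
To complement the two notification sources above, here is an added example (not from the original post) that summarises which updates a Mac still has pending by parsing the output of Apple's `softwareupdate --list` command. The sample output is constructed, and the field layout it parses is an assumption about what recent macOS releases print.

```shell
#!/bin/sh
# Added example: summarise pending updates from `softwareupdate --list` output.
# Input is read on stdin so saved output from many Macs can be checked centrally.

# Constructed sample; the field layout (Label / Title ... Recommended / Action)
# is an assumption about what recent macOS releases print.
sample_output() {
    cat <<'EOF'
Software Update Tool

Finding available software
Software Update found the following new or updated software:
* Label: Constructed macOS Update 1.2.3-00A000
    Title: Constructed macOS Update 1.2.3, Version: 1.2.3, Size: 1000000KiB, Recommended: YES, Action: restart,
* Label: Constructed Tools Update-4.5
    Title: Constructed Tools Update, Version: 4.5, Size: 500000KiB, Recommended: YES,
* Label: Constructed Optional Pack-1.0
    Title: Constructed Optional Pack, Version: 1.0, Size: 2000KiB, Recommended: NO,
EOF
}

# One line per update: label <TAB> recommended <TAB> action
pending_updates() {
    awk '
        /^\* Label: / { sub(/^\* Label: /, ""); label = $0; next }
        label != "" && /^[ \t]*Title: / {
            rec = "NO"; action = "none"
            n = split($0, f, ", ")
            for (i = 1; i <= n; i++) {
                v = f[i]; gsub(/[, \t]+$/, "", v)
                if (v ~ /^Recommended: /) { sub(/^Recommended: /, "", v); rec = v }
                if (v ~ /^Action: /)      { sub(/^Action: /, "", v); action = v }
            }
            printf "%s\t%s\t%s\n", label, rec, action
            label = ""
        }'
}

# Counts only updates marked as recommended, and how many of those need a restart.
patch_status() {
    pending_updates | awk -F '\t' '
        $2 == "YES" { n++; if ($3 == "restart") r++ }
        END { printf "recommended=%d restart_required=%d\n", n, r }'
}

# On a Mac, check the live system; elsewhere, run against the sample.
if command -v softwareupdate >/dev/null 2>&1; then
    softwareupdate --list 2>&1 | patch_status
else
    sample_output | patch_status
fi
```

Collecting the one-line summary from each endpoint gives a simple common view of which Macs are behind on patches and which are waiting on a restart.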

2. Use a DNS filter to stop web-based attacks

Since Macs are targeted by far less “traditional” malware than Windows, you might think your endpoints are in the clear when it comes to cyberattacks.

Not so. 

Instead of file-based malware, a lot of Mac users get attacked with adware and PUPs that are typically delivered through a number of web-based scams. These threats can throw advertisements up on your screen and slow your computer down, among other things.

OK, that sounds annoying. But surely a few advertisements aren’t too big a threat to your Mac endpoint security, right? Not quite, says Thomas Reed.

“Some of the adware out there is more sophisticated than most of the malware that we see for Mac,” Reed says. “It can do all kinds of stuff, like sending all your network traffic through a proxy or changing system settings to be less secure.”

Reed also mentions that a lot of adware and PUPs are part of the payload of scam sites that direct you to some kind of installer that you download — and so having some sort of web-based protection is vital. That’s where DNS filtering comes in.

“The source of all of these kinds of attacks is through the web, and DNS filtering can help with that by blocking some of those sites,” Reed says.

DNS filtering blocks connections to malicious web servers attempting to deliver malware payloads, so any business interested in Mac endpoint security should have it. Learn more about the ways DNS filtering can save your business from cyberattacks.
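
As an added illustration (not from the original post, and not any particular product's implementation), the script below is a simplified model of the decision a filtering resolver makes for each lookup: normalise the queried name, then check it and each parent domain against a blocklist. The blocklist entries and queried names are constructed and use reserved `.example` and `.test` names.

```shell
#!/bin/sh
# Added example: simplified model of a DNS filter's per-query decision.

# Constructed blocklist: one blocked zone per line, subdomains are covered too.
blocklist() {
    cat <<'EOF'
# scam site pushing a fake installer (constructed)
fake-player-update.example
# adware delivery host (constructed)
adware-cdn.test
EOF
}

# Prints "BLOCK <matching rule>" or "ALLOW".
# Matching is done on whole labels, from the full name up through its parents,
# so "notadware-cdn.test" is not caught by the rule "adware-cdn.test".
dns_filter_verdict() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # DNS names are case-insensitive
    name=${name%.}                               # drop the trailing root dot
    rules=$(blocklist | grep -v '^#')
    while [ -n "$name" ]; do
        if printf '%s\n' "$rules" | grep -Fxq -- "$name"; then
            printf 'BLOCK %s\n' "$name"
            return 0
        fi
        case $name in
            *.*) name=${name#*.} ;;   # strip the leftmost label and retry
            *)   name= ;;             # reached the top-level label
        esac
    done
    printf 'ALLOW\n'
}

# Constructed queries showing each case.
for q in Download.Fake-Player-Update.example. adware-cdn.test \
         notadware-cdn.test intranet.example; do
    printf '%-40s %s\n' "$q" "$(dns_filter_verdict "$q")"
done
```

A real filter would answer a blocked query with NXDOMAIN or a sinkhole address instead of printing a verdict, which is why the browser never reaches the site hosting the installer.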

3. Don’t rely on Mac AV – use EDR 

Since 2009, Apple has included a built-in antivirus (AV) technology called XProtect on all Macs — and while it’s fairly good, there are a lot of threats it doesn’t detect that a third-party product would.

“You can’t rely on the built-in antivirus that’s in Mac OS to do the job,” Reed says. “You really need to have something else on top of that.”

Even so, let’s be overly generous and say XProtect and your third-party AV detect and remove every Mac malware threat. Throw in the fact that traditional AVs can’t prevent sophisticated threats such as file-based malware, and you just may be left wondering what you can do to best protect your Macs from damaging endpoint attacks.

Endpoint detection and response (EDR) is the answer. 

EDR gives you a real-time “bird’s-eye view” of all of your Mac endpoints, so whenever something happens outside the norm, you can isolate an endpoint, quarantine the threat, or remediate. This stands in stark contrast to more reactive signature-based solutions (like AVs) that allow malware to execute before working.

A key feature of EDR is its threat-hunting capability.

Protect your Mac endpoints from online threats

With everything from security vulnerabilities to malware threatening your company’s Macs at all times, Mac endpoint security is high up on the list of priorities for macOS admins. In this post, we explained how macOS admins can stay on top of their patching game and why a DNS filter and EDR are so essential for protecting Mac endpoints from a variety of threats.

Malwarebytes EDR prevents, detects, and responds to ransomware, malware, trojans, rootkits, backdoors, viruses, brute force attacks, and “zero-day” unknown threats so you can avoid business disruption and financial loss.