Endpoint security is where it all starts. The client is the target most attackers go after. Once you have access there (let’s say by emailing cute cat videos), you are in. Compromised systems are the daily routine of information security. Even without contact with the outside world, you have to think about what happens next. Thomas Fischer has thought a lot about scenarios concerning the endpoint, and he presented his findings at the DeepSec 2015 conference.
To quote from the talk: “This presentation will demonstrate that one of the most complete sources of actionable intelligence resides at the end point, and that living as close as possible to Ring 0 makes it possible to see how a malicious process or party is acting and the information being touched.” There you go. Have a look!