As security technology gets more sophisticated, so do the attack tools, tactics, and methods.
Attackers today are masterful at discovering the weak points in a corporate security strategy – and right now, more than at any other time given Covid-19, they are zeroing in on endpoints.
The traditional network perimeter has now been extended to the endpoints – yet for most companies, the right security protocols for endpoint devices have not been put in place. And the attackers are well aware of this.
According to The Cost of Insecure Endpoints report from Ponemon Institute:
- 48% of the organizations surveyed are disappointed or not satisfied with their endpoint security
- 55% of endpoints in the respondents’ organizations are vulnerable to a data breach involving sensitive or confidential data
- Ineffective endpoint security strategies are costing these organizations US$6 million annually in detection, response, and wasted time.
First, Let’s Define Endpoint Security
Endpoint security protects desktops, laptops, servers, and fixed-function devices from malicious internal and external threats.
Endpoint security defends what is now thought of as an enterprise’s perimeter – the devices that are the gateways into the network – from known as well as unknown threats. These threats, which include malware and non-malware attacks, attempt to steal data, destroy infrastructures, or cause financial damage.
Endpoint security combines various attack prevention, detection, and response technologies with intelligent services to form an advanced platform that effectively helps enterprises:
- Detect, disrupt, and prevent malicious attacks before they cause any major damage
- Monitor and track attackers’ actions to identify and stop intrusions
Antivirus Software vs. Endpoint Security: How Do They Differ?
Traditional antivirus software was developed to prevent and detect known malware attacks. It is one aspect of the overall strategy of endpoint security. Today, that is not enough, even when there are several different solutions in place.
Endpoint security comprises the entire strategy and technology stack required to protect endpoints from threats and attacks, while antivirus software protects a computer or device from malware. Endpoint security is not just prevention, but also detection and response. It’s not reactive, it’s predictive.
To combat the advanced threats of today, modern endpoint security requires next-generation antivirus (NGAV) protection, delivered on an integrated endpoint security platform with other advanced security technologies and services such as endpoint detection and response, incident reporting, threat hunting, and predictive analytics.
The threat landscape is evolving. Attackers are getting craftier with infiltrating secure environments. Is your endpoint protection able to keep up? In many cases, organizations just aren’t sure.
The increase in the number of cyberattacks targeting endpoints — and attackers using craftier methods to gain access to user machines — has led to a highly competitive endpoint protection market. There’s plenty of confusion surrounding what differentiates one endpoint protection solution from another, let alone which product will meet your unique business needs.
Among the claims and counter-claims about which solution is best, the reality is that the right solution for your organization is not necessarily the one with the loudest voice in the marketplace.
Instead, consider whether your approach to endpoint protection matches that of the providers you evaluate. With rapid changes in the way malware and threat actors are compromising victims, which security solutions are keeping up?
7 Factors to Consider When Evaluating a Device Protection Solution
1. Don’t underestimate the risks of mobility
The traditional view that legacy AV software is there only to protect your devices from malware and data loss creates a blind spot in defensive thinking. The task is to protect your network from both internal and external threats, and that includes the potential threat from end-user behavior when users are mobile and off-network.
Today, users who log in from airports and cafés using public and open access points pose a greater threat to the corporate network. Modern, integrated security thinking understands that this means more than just anti-malware or AV coverage on the device.
And when the agent’s verdict is low-confidence, a second layer of defense via a cloud-based malware analysis engine helps handle it in real time.
2. Avoid drowning in the noise of alerts
Alerts that go unnoticed because they are swimming in a sea of hundreds of other alerts clamouring for attention are as good as no alerts at all. Rather than a security solution that provides hundreds of single alerts for each command with little or no context, choose one that provides a single alert with the telemetry and details of all the related commands — whether that be one or 100 — automatically mapped into the context of an entire attack storyline.
3. Secure the endpoint locally
We live in the age of the cloud, but malicious software acts locally on devices, and that’s where your endpoint detection needs to be, too.
If your security solution needs to contact a server before it can act (e.g., get instructions or check files against a remote database), you’re already one step behind the attackers.
Make sure that your endpoint protection solution has the capability to secure the endpoint locally by considering behavioral changes and identifying malicious processes without cloud dependency. And when using a cloud-based second layer, make sure the suspected threat is contained to eliminate impact while a verdict is made.
4. Keep it simple
There’s power in simplicity, but today’s threat landscape is increasingly sophisticated. While some vendors think the number of tools they offer is a competitive advantage, it just increases the workload on your staff and locks knowledge into specialized employees who may not always be with your organization.
You want to be able to eliminate threats fast and close the gaps without needing a large or dedicated SOC team. Look for endpoint protection that takes a holistic approach, builds all the features you need into a unified client and is managed by a user-friendly console that doesn’t require specialized training.
5. Build for the worst-case scenario
Let’s face it, ANY protection layer can fail. It’s the nature of the game that attackers will adapt to defenders. If you can’t see what your endpoints are doing, how can you be sure that one of them hasn’t been compromised?
Has a remote worker clicked a phishing link and allowed an attacker access to your network? Is a vulnerability in a third-party application allowing cybercriminals to move around inside your environment undetected? Have you factored in attackers who have now embraced encrypted threats (e.g., HTTPS vectors) and acquired their own SSL certificates?
The modern cyber threat landscape requires a defense-in-depth posture, which includes SSL/TLS decryption capabilities to help organizations block encrypted attacks and drive visibility into application vulnerability risk and control to reduce the attack surface.
6. Drive compliance across all endpoints
If your enterprise is 95% harnessed to one platform, it doesn’t mean you can write off the business risk presented by the other 5% as negligible.
Attackers are able to exploit vulnerabilities in one device and jump to another, regardless of what operating system the device itself may be running.
7. If in doubt, look beyond trust
Blocking untrusted processes and whitelisting the known “good guys” is a traditional technique of legacy AV security solutions that attackers have moved well beyond, and businesses need to think smarter than that, too.
With techniques like process hollowing and embedded PowerShell scripts, malware authors are well-equipped to exploit AV solutions that trust once and allow forevermore. Endpoint protection needs to look beyond trust and inspect the behavior of processes executing on the device. Is that “trusted” process doing what it’s supposed to be doing, or is it exhibiting suspicious behavior?
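The two ideas above that are easiest to make concrete are factor 2 (one alert carrying the whole attack storyline instead of one alert per command) and factor 7 (judging a process by its behavior rather than by whether it is signed or “trusted”). The following is an added example, not code from the original article or from any vendor’s product: it correlates a constructed set of process-start events into a single storyline alert per attack chain, and it flags a signed process whose behavior is suspicious. The event format, field names (`pid`, `ppid`, `image`, `signed`, `cmd`), the `SESSION_ROOTS`/`OFFICE_APPS`/`SCRIPT_HOSTS` sets and the rules themselves are assumptions made for this example.

```python
"""Correlate process telemetry into one storyline alert per attack chain, and
judge processes by behaviour rather than by trust. Added example with a
constructed event format; not a real EDR product's code or schema."""
from dataclasses import dataclass, field

# Constructed sample telemetry: one process-start event per record, as an
# endpoint agent might log it. The "-enc AAAA" value is a placeholder, not a
# real encoded payload.
SAMPLE_EVENTS = [
    {"ts": "10:00:01", "pid": 100, "ppid": 1,   "image": "explorer.exe",   "signed": True, "cmd": "explorer.exe"},
    {"ts": "10:00:05", "pid": 200, "ppid": 100, "image": "WINWORD.EXE",    "signed": True, "cmd": "WINWORD.EXE invoice.docm"},
    {"ts": "10:00:07", "pid": 300, "ppid": 200, "image": "powershell.exe", "signed": True, "cmd": "powershell.exe -nop -w hidden -enc AAAA"},
    {"ts": "10:00:09", "pid": 400, "ppid": 300, "image": "rundll32.exe",   "signed": True, "cmd": "rundll32.exe payload.dll,Run"},
    {"ts": "10:01:00", "pid": 500, "ppid": 100, "image": "chrome.exe",     "signed": True, "cmd": "chrome.exe"},
    {"ts": "10:01:02", "pid": 600, "ppid": 500, "image": "chrome.exe",     "signed": True, "cmd": "chrome.exe --type=renderer"},
]

# Assumed process classes used by the rules below.
SESSION_ROOTS = {"explorer.exe"}                      # a user's desktop session; not an attack root
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


@dataclass
class Alert:
    """One alert per storyline: the root process plus every related event."""
    root_pid: int
    root_image: str
    findings: list = field(default_factory=list)
    events: list = field(default_factory=list)


def storyline_root(event, by_pid):
    """Walk up the parent chain to the top-level user-launched process.

    Everything descending from that process belongs to the same storyline,
    so a document, the shell it spawned and the loader the shell ran all end
    up in one alert instead of three.
    """
    cur = event
    while True:
        parent = by_pid.get(cur["ppid"])
        if parent is None or parent["image"].lower() in SESSION_ROOTS:
            return cur
        cur = parent


def behavioural_findings(event, by_pid):
    """Judge the process by what it does; being signed does not exempt it."""
    findings = []
    image = event["image"].lower()
    parent = by_pid.get(event["ppid"])
    if parent and parent["image"].lower() in OFFICE_APPS and image in SCRIPT_HOSTS:
        findings.append(f"office app {parent['image']} spawned script host {event['image']}")
    if image == "powershell.exe":
        tokens = event["cmd"].lower().split()
        if "-enc" in tokens or "-encodedcommand" in tokens or "hidden" in tokens:
            findings.append("powershell launched hidden and/or with an encoded command")
    if findings and event["signed"]:
        # Factor 7: the binary is trusted, but its behaviour is not.
        findings.append(f"{event['image']} is signed/trusted but still flagged on behaviour")
    return findings


def correlate(events):
    """Factor 2: group related events into one alert with full context."""
    by_pid = {e["pid"]: e for e in events}
    storylines = {}  # root pid -> Alert
    for e in sorted(events, key=lambda ev: ev["ts"]):
        root = storyline_root(e, by_pid)
        alert = storylines.setdefault(root["pid"], Alert(root["pid"], root["image"]))
        alert.events.append(e)
        alert.findings.extend(behavioural_findings(e, by_pid))
    # Only storylines with at least one finding become alerts; benign trees
    # such as the browser and its renderer produce nothing.
    return [a for a in storylines.values() if a.findings]


def per_event_alerts(events):
    """The noisy alternative: one context-free alert per suspicious event."""
    by_pid = {e["pid"]: e for e in events}
    return [f for e in events for f in behavioural_findings(e, by_pid)]


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(f"ALERT: storyline rooted at {alert.root_image} (pid {alert.root_pid})")
        for e in alert.events:
            print(f"  {e['ts']} pid={e['pid']} ppid={e['ppid']} {e['cmd']}")
        for f in alert.findings:
            print(f"  finding: {f}")
    print(f"{len(per_event_alerts(SAMPLE_EVENTS))} separate alerts without correlation, "
          f"{len(correlate(SAMPLE_EVENTS))} storyline alert(s) with it")
```

On the constructed sample the same findings appear either way; the difference is that `correlate` presents them as one alert whose event list already shows the document that started the chain and the loader that followed, whereas `per_event_alerts` leaves an analyst to reassemble that context by hand. Note that `rundll32.exe` triggers no rule of its own, yet it is still in the alert because it descends from the flagged storyline, which is the kind of context a single-alert-per-command tool loses.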