During the past 20 years, cybersecurity expert Neil Daswani has witnessed a rapid rise in different types of endpoints and the growing need for securing them and the data they access. At the same time, Daswani has seen the frequency and severity of endpoint attacks increase.
By the time he became chief information security officer of LifeLock in 2015, endpoint protection was a big issue. During his time at LifeLock and then as CISO for Symantec's Consumer Business Unit, Daswani focused on understanding the root causes of breaches and choosing technology to address those root causes.
Like Daswani, many other IT and security professionals are seeing a significant increase in endpoint attacks. According to one recent survey by the Ponemon Institute, about two-thirds of IT professionals said that the frequency of attacks against endpoints has increased over the past 12 months. And those attacks are pretty varied. A report from SANS Institute found that the top three attack vectors today are social engineering (phishing), browser-based attacks (drive-by downloads from the web to the endpoint), and credential theft or compromise.
The uptick in attacks against endpoints shouldn't be a surprise. There are many more endpoints than ever before, and new categories are emerging all the time. Today, in addition to traditional endpoints like servers, desktops, laptops and smartphones, there are many others, including cloud containers, USB thumb drives and sensor-based devices. And then there are smart devices like Alexa for Business and even Apple HomePod, which may be used by remote workers. Some of these devices aren't as secure as professionals would like.
A recent report from Osterman Research put it this way: "Compromising the operational technology endpoints that power smart buildings would enable an attacker to manipulate people's movements within a building, potentially creating life and death situations as the building turns against its inhabitants. The security threats that might be targeted against these new categories of endpoints are unknown or only poorly understood at this stage."
In addition, these endpoints often are bypassing the corporate network and its security, instead connecting via cloud services and other endpoints. In some cases, endpoints do pass through the corporate network, but aren't clearly visible to the network or its monitoring software.
The growing complexity of endpoints is another issue. According to a recent report from Absolute Software, the average endpoint device now has more than 10 agents, each with its own unique security controls. The average endpoint device also has 96 unique applications installed.
Then there is COVID-19. In this era of forced remote work, endpoint devices are more likely to collect sensitive data. The report from Absolute found that the amount of sensitive data on enterprise endpoints has grown significantly in the past several months. More specifically, the report showed a 176% increase in the number of collaboration apps installed as of May 2020, versus before the pandemic started. It also showed a 50% increase in the number of endpoint devices being used for more than eight hours per day.
And with more users working remotely, the issue of user behavior has never been more important.
"When we ask about the top pain points for organizations, user behavior invariably comes out near or at the top," said Fernando Montenegro, principal analyst for information security at 451 Group, part of S&P Global Market Intelligence. "Because user behavior lives on the endpoint, a lot of things that go wrong in security happen at the endpoint. It's become a big battleground of attack and defense."
A Better Way
All of these factors point to one stark fact: Traditional methods of protecting endpoints aren't working as well as they once were. According to the Ponemon study, more than half of those surveyed believe their security team is ineffective in detecting endpoint attacks. For example, the report found that antivirus products miss an average of 60% of attacks today.
Of course, there are plenty of other solutions, from web browser isolation and log file management to application control and vulnerability analysis. While these "point solutions" can help, today's environment requires a security approach that is closer to the endpoints themselves and is as comprehensive as possible in nature.
Despite the protection many organizations have, it may be time to step back and re-evaluate how they are protecting endpoints, said James McQuiggan, security awareness advocate at KnowBe4. "Instead of Band-Aid after Band-Aid, step back and figure out what's most important to protect, and then focus on that," he said.
No matter what route you choose, zero trust should be front and center, McQuiggan said. "Event monitoring isn't good enough," he said. "It's about rethinking how we are interacting with external systems and how can we make more informed security choices by assuming that we trust a lot less about the device and things outside of that connection."
That goes for the network as well. In fact, deploying a true zero trust network is table stakes when it comes to endpoint security, Daswani said. "With a pure zero trust network, you can publish all of your internal applications publicly on the internet, but access to those applications is verified by checking and authenticating the device and the user. If you have that, you can nail most threats."
The next step is implementing some type of endpoint protection platform (EPP). Typical capabilities include antivirus, URL filtering, vulnerability analysis and resolution, and visibility into and control over endpoint encryption settings. With these capabilities, organizations can make headway in monitoring and protecting connected endpoints, both on and off the network, and in discovering and enrolling newly identified endpoints. There are plenty of vendors that provide these tools, including Sophos, Symantec, McAfee, Trend Micro and Microsoft.
In many cases, however, an EPP solution will only get you part of the way there by minimizing the chances of having to face an attacker. An endpoint detection and response (EDR) capability will get you most of the rest of the way there. An EDR solution, from vendors including Fortinet, Carbon Black, CrowdStrike, Check Point and Palo Alto, focuses on analyzing emerging threats and providing the tools to resolve compromised endpoints.
While these solutions will provide most of the protection needed, it's important to ensure that they include specific capabilities, including endpoint encryption, remote browser isolation and a virtual desktop interface. That's because traditional endpoint protection and detection tools typically are effective at handling malware, unencrypted data and software vulnerabilities, but sometimes fall short in protecting against phishing and third-party compromise or abuse, Daswani said. Remote browser isolation protects endpoints from browsers, which are a major source of threats, while a virtual desktop interface helps keep important data off of endpoints altogether.
In today's environment, it makes sense to adopt a layered approach, using EPP and EDR solutions together. "By layering these approaches, you've got your antivirus that already has a set of patterns it's fed, and the EDR software analyzing the files or processes it sees and sandboxing them while checking to see if they are OK to launch into the environment," he explained.
In addition to covering your bases, a layered approach can help save users from themselves, Montenegro said.
"Layers are important; one of those layers might fail because of how a user behaves," he said. "You can help prevent this by setting security defaults on the tools in a way that preserves productivity and functionality. For example, does everyone in your organization need to be able to run macros or … run tasks as an administrator on their local systems? The right policies paired with modern tools can go a long way toward securing endpoints."
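The two defaults Montenegro singles out, macro execution and local administrator rights, can be checked before they are changed. The following read-only audit script is an added example, not code from the article or from any of the analysts or vendors it quotes. It assumes a Windows 10/11 endpoint with PowerShell 5.1 or later and Office 2016 or newer (the "16.0" registry hive); the registry paths are Office's documented policy locations, and the list of expected administrators is a placeholder to be replaced with the organization's own.

```powershell
# Added example (not from the article): read-only audit of two endpoint defaults,
# Office macro policy and membership of the local Administrators group.
# Assumes Windows 10/11, PowerShell 5.1+, Office 2016 or later ("16.0" hive).

function Get-MacroPolicyStatus {
    [CmdletBinding()]
    param(
        [string[]]$Applications = @('Word', 'Excel', 'PowerPoint')
    )
    foreach ($app in $Applications) {
        # Group Policy-managed values live under Software\Policies; a user's own
        # Trust Center choice lives under Software\Microsoft. Policy wins when both exist.
        $policyPath = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        $userPath   = "HKCU:\Software\Microsoft\Office\16.0\$app\Security"
        $vbaWarnings   = $null
        $blockInternet = $null
        foreach ($path in @($policyPath, $userPath)) {
            if (Test-Path $path) {
                $props = Get-ItemProperty -Path $path
                if ($null -eq $vbaWarnings -and $null -ne $props.VBAWarnings) {
                    $vbaWarnings = $props.VBAWarnings
                }
                if ($null -eq $blockInternet -and $null -ne $props.blockcontentexecutionfrominternet) {
                    $blockInternet = $props.blockcontentexecutionfrominternet
                }
            }
        }
        # VBAWarnings: 1 = enable all, 2 = disable with notification (Office default when absent),
        # 3 = disable except digitally signed, 4 = disable all without notification.
        # blockcontentexecutionfrominternet = 1 blocks macros in files that carry the Mark of the Web.
        if ($vbaWarnings -in @(3, 4)) {
            $finding = 'OK: macros blocked or restricted to signed code'
        } elseif ($blockInternet -eq 1) {
            $finding = 'Partial: only Internet-sourced macros are blocked'
        } else {
            $finding = 'Review: macros allowed after a user prompt (or silently)'
        }
        [PSCustomObject]@{
            Application           = $app
            VBAWarnings           = $vbaWarnings
            InternetMacrosBlocked = ($blockInternet -eq 1)
            Finding               = $finding
        }
    }
}

function Get-LocalAdministratorReport {
    [CmdletBinding()]
    param(
        # Placeholder: replace with the accounts and groups that are supposed to hold local admin.
        [string[]]$ExpectedMembers = @('Administrator')
    )
    # Get-LocalGroupMember reports Name as "MACHINE\user" or "DOMAIN\user";
    # the comparison below uses only the part after the backslash.
    Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop | ForEach-Object {
        $short = ($_.Name -split '\\')[-1]
        [PSCustomObject]@{
            Name            = $_.Name
            ObjectClass     = $_.ObjectClass
            PrincipalSource = $_.PrincipalSource
            Unexpected      = ($short -notin $ExpectedMembers)
        }
    }
}

# Usage: run as the user whose Office settings matter, then review anything flagged.
Get-MacroPolicyStatus | Format-Table -AutoSize
Get-LocalAdministratorReport -ExpectedMembers 'Administrator', 'Domain Admins' | Format-Table -AutoSize
```

The script changes nothing; it reports where each endpoint actually stands so that the decision Montenegro describes (who genuinely needs macros, who genuinely needs local admin) is made on evidence rather than assumption. `Get-LocalGroupMember` is known to fail on a group that still contains an orphaned SID from a deleted account, which is itself a finding worth cleaning up before rerunning the report.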
When it comes to security, one thing will never change: change itself. There will always be new types of endpoint devices, evolving threats and new processes, and your approach and your tools must be able to change as they do.
One example is fileless malware, a relatively new type of malware that attacks operating systems and is very difficult for some endpoint protection solutions to detect. Cybercriminals are loading fileless malware directly into memory, so endpoint protection solutions must now examine memory as well as disk. Ponemon expects 41% of attacks this year to be fileless, a much higher share than in the previous year.
The key, Daswani said, is focusing squarely on root causes and making sure your solutions can address the issues of those root causes.
"Attackers are always getting more sophisticated and innovative, so you have to keep up," said Daswani, now co-director of Stanford University's Advanced Security Certification Program. "If you make sure to nail the root causes of the breaches and put in countermeasures to address them, that's an approach that will stand the test of time."
Along with choosing the right tools, it's important to have the right process and mindset, Montenegro said.
"Tools can only take you so far," he said. "Think of it like martial arts, where you train to be hit so when you get hit, you know what to expect. Prepare for endpoint attacks the same way; expect to get hit, and prepare for it by understanding what it will feel like, how to protect your environment and how you will recover."