Endpoints used to be operated safely behind a network perimeter. The rapid growth of remote access to corporate resources, cloud-based applications and social media from desktops, laptops, smartphones and tablets means that the endpoint is now the new perimeter. Endpoints are attacked in a variety of ways, including email-based phishing, ransomware and other malware, and drive-by downloads while browsing the web.
Given that endpoints often store large quantities of corporate data, and also hold virtually everything an attacker needs to gain entry to the corporate network (cached credentials, session tokens, VPN and single sign-on configuration), robust endpoint protection is a critical element of any corporate security infrastructure.
Two statements are true about endpoints: first, they are critical to employees getting work done, and second, they are under attack by cyber criminals. On the employee side, a growing diversity of endpoints is used for task completion, organizational communication, team collaboration and virtual meetings, including laptops, tablets, smartphones, and newer smart devices such as smart speakers.
Cyber criminals, on the other hand, have diversified the attacks they launch against endpoints, circumventing traditional endpoint security capabilities to gain a foothold for data exfiltration, credential theft and fraud. An initial foothold leads to further attacks, including supply-chain phishing attacks and lateral movement to take control of an increasing set of endpoints, servers and other network devices, in preparation for a final blow that cripples the organization, such as a ransomware attack.
Security threats against endpoints include traditional and emerging attack vectors: malware, fileless attacks, data breaches, ransomware, phishing by email and via social media, unpatched vulnerabilities, compromised software patches and updates, drive-by downloads, infected USB drives, insecure and non-compliant applications, new devices that lack strong security, and new categories of endpoints whose security threats are not yet understood.
Understanding the current dynamics in endpoint usage and the security threats deployed against endpoints is essential in embracing appropriate security solutions. The following dynamics are at play:
Things changing in the endpoint security space during the near and mid-term:
A multitude of solutions are available for improving endpoint protection. Because the endpoint is a critical enabler of productivity on one hand and a growing vector of compromise on the other, having appropriate protections in place is essential.
We see the following solutions as core to improving endpoint protection.
Improving endpoint protection requires attention to the three complementary strands of people, process and technology. The dynamic interplay between these three is what delivers strong protection for endpoints; relying on only one or two of them will be ineffective.
The technology component offers a wide array of potential security protections for endpoints. It’s easy to spend money acquiring new technology options, but without corresponding capability improvements in the people and process components, little value will be created. Spending anything on security protections that are poorly used and don’t align with the business threat landscape is a waste of financial investment, human capital, and the already stretched energy of cyber security professionals.
Endpoint Protection Platforms (EPPs) offer an integrated collection of capabilities for protecting endpoints, covering solution areas that were originally brought to market as separate point products. The usual roster spans anti-virus, URL filtering, enforcement of baseline endpoint requirements, vulnerability analysis and remediation, visibility into and control over endpoint encryption settings, and more. Endpoint Detection and Response (EDR) capabilities are also increasingly integrated into EPP solutions.
An EPP offers capabilities to:
Organizations are increasingly moving to cloud-based EPPs, eliminating the need to deploy and manage on-premises infrastructure. In addition to the much faster time-to-protection of a cloud-based EPP, such services draw on threat signals from a very large global customer base, from which threat intelligence is developed and shared across all customers to thwart new threats. An organization running an on-premises EPP in isolation will generally not have access to threat intelligence of the same breadth or timeliness. The trade-off is that endpoint telemetry leaves the organization, so data residency, retention and access terms for that telemetry need to be checked before committing.
EDR solutions take a different approach to attacks and threats: they provide visibility into current attacks and threats on endpoints, along with options for remediation across the endpoint estate. EDR does not primarily attempt to stop attacks, the role of solutions under the EPP banner, but rather to analyze emerging threats and supply tools for resolving compromised endpoints and hardening the rest. It achieves this by continuously recording what is happening on every connected endpoint (process creation, command lines, network connections, file and registry changes) in real time or near real time, and surfacing abnormal behaviors that reveal the real intent of seemingly harmless or obfuscated activity. Once a new attack chain is identified, its indicators can be used to hunt for the same activity across the estate, and protections can be rolled out to other vulnerable endpoints to reduce the likelihood of the same attack landing again.
Protection against known viruses and malware is important (why be compromised by something that has already been seen and mitigated?), but traditional signature-based anti-virus alone no longer offers effective protection. As the volume of known malware grows, keeping every endpoint current with the latest signatures becomes a logistical challenge; taken to its conclusion, signatures would have to be streamed continuously and in real time, leaving any disconnected endpoint exposed. Signatures also fail against anything not yet seen: a recompiled or repacked sample has a new hash and sails past a hash-based check. Behavior-based profiling of all processes, for known and unknown malware alike, offers a more strategic and lighter approach to ensuring threats are mitigated.
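The contrast between signature matching and behavior-based profiling, and the EDR follow-up of hunting across the estate once a chain is identified, as an added example (this is not code from the original article or from any EPP/EDR vendor). The event schema, rule names, hashes, paths and command lines below are assumptions constructed for illustration; real agent telemetry carries more fields under different names.

```python
"""Signature vs. behaviour-based detection over constructed process telemetry.

Added example: not code from the original article or from any EDR/EPP vendor.
The event schema, rule names, hashes and sample events below are assumptions
made for illustration; real agent telemetry (Sysmon, ETW, a vendor schema)
carries more fields and different names.
"""
import hashlib
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    host: str
    pid: int
    image: str          # full path of the executable (assumed field name)
    parent_image: str   # full path of the parent executable (assumed field name)
    cmdline: str
    sha256: str         # hash of the image on disk, as supplied by the agent (assumed)


# Constructed "known bad" list. The hash is made up, just as a real entry would
# be the hash of one specific sample: this is all a signature engine has to go on.
KNOWN_BAD_SHA256 = {
    hashlib.sha256(b"constructed-malware-sample").hexdigest(): "Example.Dropper",
}
BAD_HASH = next(iter(KNOWN_BAD_SHA256))

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "cmd.exe"}


def basename(path: str) -> str:
    """Last path component, lower-cased, for Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def signature_match(ev: ProcessEvent):
    """Classic anti-virus logic: only a file that has already been seen is flagged."""
    name = KNOWN_BAD_SHA256.get(ev.sha256)
    return f"signature:{name}" if name else None


def behavior_findings(ev: ProcessEvent) -> list:
    """Behaviour rules describe what attacker tradecraft does, not which file does it,
    so a recompiled or repacked binary with a fresh hash still trips them."""
    findings = []
    parent, child = basename(ev.parent_image), basename(ev.image)
    cmd = ev.cmdline.lower()
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        findings.append("office-spawns-script-host")   # macro or phish payload launch
    # -enc, -encodedcommand and the prefixes PowerShell accepts; a production rule
    # would parse the command line properly rather than prefix-match tokens.
    if child in {"powershell.exe", "pwsh.exe"} and any(t.startswith("-enc") for t in cmd.split()):
        findings.append("powershell-encoded-command")  # obfuscated script body
    if "/appdata/local/temp/" in ev.image.replace("\\", "/").lower():
        findings.append("exec-from-temp")              # binary dropped to a user-writable dir
    if child == "vssadmin.exe" and "delete" in cmd and "shadows" in cmd:
        findings.append("shadow-copy-deletion")        # common ransomware precursor
    return findings


def triage(events) -> dict:
    """Map (host, pid) -> reasons for every event that either engine flags."""
    verdicts = {}
    for ev in events:
        reasons = []
        sig = signature_match(ev)
        if sig:
            reasons.append(sig)
        reasons.extend(behavior_findings(ev))
        if reasons:
            verdicts[(ev.host, ev.pid)] = reasons
    return verdicts


def hunt(events, sha256: str) -> list:
    """EDR follow-up once a chain is identified: which other hosts ran the same image?"""
    return sorted({ev.host for ev in events if ev.sha256 == sha256})


def fake_hash(label: bytes) -> str:
    """Stand-in hash for a benign or never-seen binary (constructed, not a real file hash)."""
    return hashlib.sha256(label).hexdigest()


# Constructed sample telemetry; hosts, paths and command lines are illustrative only.
SAMPLE_EVENTS = [
    ProcessEvent("ws-01", 4100, r"C:\Program Files\Google\Chrome\chrome.exe",
                 r"C:\Windows\explorer.exe", "chrome.exe --profile-directory=Default",
                 fake_hash(b"chrome")),
    ProcessEvent("ws-02", 5120, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
                 fake_hash(b"powershell")),
    ProcessEvent("ws-03", 6200, r"C:\Users\alice\AppData\Local\Temp\update.exe",
                 r"C:\Windows\explorer.exe", "update.exe /silent", BAD_HASH),
    ProcessEvent("ws-04", 7300, r"C:\Users\bob\AppData\Local\Temp\update.exe",
                 r"C:\Windows\explorer.exe", "update.exe /silent", BAD_HASH),
    ProcessEvent("ws-02", 5130, r"C:\Windows\System32\vssadmin.exe",
                 r"C:\Windows\System32\cmd.exe", "vssadmin.exe delete shadows /all /quiet",
                 fake_hash(b"vssadmin")),
]

if __name__ == "__main__":
    for (host, pid), reasons in triage(SAMPLE_EVENTS).items():
        print(f"{host} pid={pid}: {', '.join(reasons)}")
    print("hosts that also ran the known-bad image:", hunt(SAMPLE_EVENTS, BAD_HASH))
```

The Word-spawns-PowerShell event on ws-02 has a hash the signature list has never seen, so `signature_match()` returns nothing for it, while the behaviour rules flag both the parent/child relationship and the encoded command line. Conversely, the dropper on ws-03 and ws-04 is caught by its hash, and `hunt()` is the EDR step the text describes: once one host is known to be compromised, the same indicator is used to find every other host that ran that image.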
For organizations using Windows 10, one potential short-term approach to the anti-virus quandary is to rely on the built-in Microsoft Defender Antivirus (formerly Windows Defender). The budget that would otherwise go to best-of-breed anti-virus can then be invested in protections against the newer, advanced and emerging threats that anti-virus and anti-malware are ineffective against. If you take this route, confirm on every endpoint that Defender is actually enabled, receiving definition updates and not left in passive mode by a previously installed third-party product.
Finally, while not a protection deployed on the endpoint itself, cloud-based sanitization of inbound and outbound email (virus and malware scanning of the mail stream) is a very useful wider security protection as part of an overall security strategy.
Endpoint protection must be a key component in an overall security strategy, but can only be one strand complemented with cloud security, network security, and physical security, among others. An overall security strategy should be created and defined in light of an enterprise-wide risk assessment for the organization.
iSOC24 carries the VMware CarbonBlack Endpoint Protection Platform in its portfolio. If you would like to learn more please contact one of our specialists to hear about the advantages of Endpoint Protection technology of VMware CarbonBlack within your organization.