On average, it takes 170 days to detect an advanced attack, 39 days to contain it and 43 days to remediate it, according to a Ponemon study.
Security threats are pervasive and constantly evolving. Today’s cybercriminals are smarter, bolder and more ambitious than in years past. The IT landscape is changing to accommodate mobility, cloud environments and the movement of massive amounts of data. Security has become the top priority for most organizations. It can be hard to maintain control when a strong security strategy depends on so many factors. Deploying next-generation endpoint security can help your organization combat modern threats — as long as you first review your environment and upgrade from traditional anti-virus products.
1. Organizations Face Major Internet Security Challenges
Today, endpoint security represents the front line in the fight against cyberattacks. Breaches have become commonplace among enterprises, and user endpoints and servers are targeted more than any other type of asset. That is because the data lives on the endpoints.
The effects from these security breaches can be devastating, causing a company to lose revenue, market reputation and market competitiveness. Unfortunately, inadequate endpoint security leaves the doors wide open to a variety of attacker techniques and tools, including malware, software exploits and social engineering.
Now, more than ever, it’s critical to have the right endpoint protection in place.
2. Firewalls Offer Inadequate Protection Against Threats
Networks require a multilayered security approach encompassing both hardware and software — no single solution will protect against the variety of threats that organizations face. For instance, although firewalls are common defenses for many IT infrastructures, cyberattackers are far more sophisticated than they were in the past. Firewalls alone can no longer provide effective protection for the following reasons:
- Firewalls protect only on-premises users: Many users work remotely from home offices or coffee shops, increasing their exposure to security breaches.
- East-west traffic on the LAN isn’t governed by most firewalls: A firewall sees only what’s going through it. Some malware moves laterally once it manages to break in.
- BYOD devices operate outside of firewalls: Firewalls have little to no control over personal devices that are connected to your network.
- Cloud servers move data beyond the firewall: Deploying virtual firewall appliances in the cloud is possible, but how do you control malware injected over an IPsec VPN tunnel that the firewall doesn’t see?
- Firewalls cannot protect stolen laptops and mobile devices: Once again, firewalls have no control once computers are in the wrong hands.
You need security protection placed as close to the user or asset as possible. Think of the Secret Service agents protecting the president at an event. Although layers of security have been set around the venue, having protection placed directly around the president is crucial and most effective.
3. Next-Gen Endpoint Security Eclipses Legacy Anti-Virus Software
A traditional anti-virus solution can detect only the malware it recognizes. However, if a threat is not known, or if an attack doesn’t use malware, traditional anti-virus solutions will usually fail to provide protection. This is why the demand for next-gen endpoint security has increased so rapidly in recent years. This approach takes a system-centric view of endpoint security, examining every process, on every endpoint, to detect malware and block the malicious tools, tactics and procedures on which attackers rely.
The key techniques that next-gen endpoint security products typically employ include:
- Signatures, live updates, computer scans and host-based IPS: Next-gen products still use signature and hash matching to detect known malicious files, simply because these techniques provide the fastest detection for known malware. Once the easy cases are eliminated, the remaining effort can go toward more sophisticated threats.
- Behavioral analysis: This approach can identify malicious files based on how they deviate from normal behavior. For example, a malicious Microsoft Excel document may try to modify registry keys on a Windows computer.
- Threat intelligence: This is the data collected from machine learning and artificial intelligence algorithms that determine whether a file is malicious based on millions of other file samples. Some security vendors such as Cisco Systems and Palo Alto Networks offer unified security intelligence feeds collected from their firewalls across their worldwide customer base.
- Ransomware protection: The ability of an agent to cache a copy of a file prior to it being executed can protect against malicious payloads such as ransomware. In the event that a file is encrypted, the agent will stop the process and restore the file from the cached copy.
- Forensics and investigations: The ability to replay attacks for analysis can help IT teams understand breaches and attackers.
- Endpoint detection and response: This emerging technology addresses the need for continuous monitoring and response to advanced threats.
- Machine Learning and AI: Sophisticated algorithms can determine whether a file is malicious based on millions of file samples.
- Exploit Prevention: The ability to prevent exploits from being launched keeps an attacker from connecting to a target machine.
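To make the layering described in this list concrete, here is an added example (not code from the original article or from any vendor named in it) of a toy endpoint detection pipeline. It runs the cheap signature check first (a SHA-256 match against a known-bad list) and, only for files that pass, applies one behavioral rule of the kind the Excel example above describes: an Office process writing an autorun registry key. The hash list, process names, registry key prefixes and the `ProcessEvent` records are all constructed sample data, and the `evaluate_all` function is an assumption made for this illustration rather than any product's API.

```python
"""Toy two-layer endpoint detection: signature match, then a behavioral rule.

Added example, not vendor code. All hashes, key names and events are constructed.
"""
import hashlib
from dataclasses import dataclass, field


# Layer 1: constructed "known-bad" SHA-256 set. A real product fills this from
# live updates and threat intelligence feeds; here it holds one sample digest.
KNOWN_BAD_SHA256 = {
    hashlib.sha256(b"constructed-malware-sample-1").hexdigest(),
}

# Layer 2 inputs: processes treated as "document viewers" and registry key
# prefixes that such a process should never write (constructed rule).
OFFICE_PROCESSES = {"excel.exe", "winword.exe", "powerpnt.exe"}
AUTORUN_KEY_PREFIXES = (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
)


@dataclass
class ProcessEvent:
    """One observed execution: the process, the bytes of the file it opened,
    and the registry keys it wrote while running (constructed telemetry)."""
    process: str
    file_bytes: bytes
    registry_writes: list = field(default_factory=list)


@dataclass
class Verdict:
    process: str
    malicious: bool
    reason: str


def signature_check(event: ProcessEvent):
    """Return a reason string if the file's hash is on the known-bad list."""
    digest = hashlib.sha256(event.file_bytes).hexdigest()
    if digest in KNOWN_BAD_SHA256:
        return f"known-bad hash {digest[:12]}..."
    return None


def behavior_check(event: ProcessEvent):
    """Return a reason string if an Office process wrote an autorun key."""
    if event.process.lower() not in OFFICE_PROCESSES:
        return None
    prefixes = tuple(p.upper() for p in AUTORUN_KEY_PREFIXES)
    for key in event.registry_writes:
        if key.upper().startswith(prefixes):
            return f"office process wrote autorun key {key}"
    return None


def evaluate(event: ProcessEvent) -> Verdict:
    """Cheapest check first; fall through to behavior only for unknown files."""
    reason = signature_check(event)
    if reason:
        return Verdict(event.process, True, reason)
    reason = behavior_check(event)
    if reason:
        return Verdict(event.process, True, reason)
    return Verdict(event.process, False, "no signature or behavioral match")


def evaluate_all(events):
    return [evaluate(e) for e in events]


# Constructed sample telemetry: a clean sheet, a known-bad file, an unknown
# document that behaves badly, and an unrelated process writing its own settings.
SAMPLE_EVENTS = [
    ProcessEvent("excel.exe", b"benign-sheet"),
    ProcessEvent("excel.exe", b"constructed-malware-sample-1"),
    ProcessEvent("excel.exe", b"unknown-macro-doc",
                 [r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"]),
    ProcessEvent("notepad.exe", b"text", [r"HKCU\Software\Notepad\Settings"]),
]

if __name__ == "__main__":
    for verdict in evaluate_all(SAMPLE_EVENTS):
        flag = "BLOCK" if verdict.malicious else "allow"
        print(f"{flag:5} {verdict.process:12} {verdict.reason}")
```

The ordering is the point: the hash lookup is a set membership test and catches the second event immediately, while the third event has a hash nobody has seen before and is caught only because the rule looks at what the process did rather than what it is. A real agent would source the hash list from live updates and would carry many more behavioral rules, but the shape of the decision is the same.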
As traditional approaches to endpoint security prove less effective, behavioral protection, machine learning and automation have become key differentiators in today’s market. Performance is also an important factor to consider. The agent must be lightweight and have minimal CPU/RAM impact on a user’s computer.
4. No Solution Is One-Size-Fits-All
The market for next-gen endpoint security is highly fragmented. Many vendors are trying to provide the same thing: protection from cyberattacks. As the number of new malware variants and methods of obfuscation increases, older technologies have become less effective at protecting user endpoints and servers. As a result, numerous competing technology vendors have taken aim at the stagnant anti-virus market, including Carbon Black, Cisco, Cylance, Trend Micro, Sophos and Palo Alto. This is by no means an exhaustive list, nor is one vendor better than another. As a security solution architect, I have seen different customers successfully deploy different products based on what works best in their specific environments and meets their requirements. There is no one-size-fits-all next-gen endpoint protection solution.
It is not enough to simply select a product. The security tools you choose must work efficiently to protect your end users. When a CISO jokes that the top goal is to keep the company out of the news, there is real truth in it. You need a trusted adviser to assess your environment and guide you through the product evaluation and selection process, and finally to assist in designing, deploying and operating the security solution at its maximum potential in your environment.
5. Advanced Tools Contribute to a Holistic Security Approach
People often focus heavily on preventing cyberattacks from happening but overlook that there are three distinct phases of a security attack: before, during and after.
Before an attack, you need to identify who and what is attempting to access your environment, and where the adversary is attempting to go, in order to enforce an access policy. The goal here is to harden the network by restricting access based on your company policy. Let’s face it, no network is 100 percent secure and no single vendor can claim to offer 100 percent protection.
During an attack, once something malicious is inside the network, the goal is to defend your core infrastructure and data by detecting and blocking the attack as soon as possible. Every second counts. You can’t afford to take 170 days to realize you’ve been breached.
The period after an attack is critical, because you must be able to understand the scope of the breach, contain it and then remediate it. You need a plan in place to detect and remediate quickly.
My best advice is to take a holistic approach when it comes to information security. No single vendor or product will provide total security. Based on a survey, most organizations have deployed security products and tools from an average of 30 or more vendors. Products from different vendors typically do not communicate with one another, adding further risk and increasing detection time. This leads to significant gaps in security because it creates silos of management and interoperability. Given the pervasiveness, sophistication and advanced nature of today’s security threats, it is important for businesses to look beyond picking individual products, and instead plan and deploy security solutions in a holistic fashion.