The In’s and Out’s of Endpoint Security
Endpoint security refers to defending network endpoints, or end-user devices like desktops, laptops, and mobile devices. Endpoints serve as points of access to an enterprise network and create points of entry that can be exploited by malicious actors.
Endpoint security software protects these points of entry from risky activity and/or malicious attack.[1]
How Does Endpoint Security Work?
Endpoint Security products provide “agents” that are assigned to the endpoints in an organization (or BYOD / take home devices). These agents are a package of software that have defined “rules” that are tuned to detect anomalies and threats to the endpoints and communicate that back to a centrally managed, typically cloud, platform that a member of the security team can manage.
These agents can be tuned for many actions, from blocking the user to click on certain links, unknown services trying to be launched in the background, executable files (.exe) from being run without admin rights, scanning downloadable files, open services communicating externally and of course detecting and quarantining viruses / worms etc. The security team will be alerted by any such events and allow them to “quarantine” a machine or device, meaning – cutting it off from network services to contain the threat locally and not spread or allow things like Data Exfiltration, or the removal of data from a company asset.
Endpoint Security vs Network Security
Historically (in the history of modern networks at least) many attacks against an organization were launched against networks from the outside. Attackers looking to penetrate the castle walls and gain a foothold somewhere on the network to perpetrate whatever they wanted to accomplish. This could have been to steal data, shut down services, steal money etc.
Today, that is not necessarily the case and most certainly, not as common. With advanced Firewalls, Web application firewalls, Database application Firewalls, Firewalls with built in Intrusion Detection, Host Based Intrusion Detection systems… the list goes on and the perimeter is just inherently, a difficult attack vector to crack. Not to mention, an attacker can employ millions of BOTS (previously compromised devices) to send traffic at an internet facing surface with less effort to attempt a DDOS (Distributed Denial of Service) attack and get similar, if not more successful results to shut down services.
Why Endpoint Security is Important?
The reason Endpoint Security is truly so important today is, and I’m going to say it, Ransomware… If you are sick of hearing about, believe me, I am too. The issue is that the world can’t seem to grasp the idea of funding security BEFORE an attack… so here, we are. In all reality, it is not ALL about Ransomware, but especially with remote work becoming the new normal, user- based attacks are on the rise. As we have seen recently Ransomware is still very successful regardless of an organization’s size.
There are many stages of a ransomware attack that typically start with a phishing campaign. A user clicks a spoofed link, maybe downloads a document with an executable, maybe puts in their credentials in the wrong place, the attacks use that .exe or the credentials to gain access to a system. From there, they establish domain administrator rights and execute their ransomware attack to encrypt all the systems on a network. Investing in a robust endpoint platform can not only help stop Ransomware at a variety of these stages but also, segment the device away, block against device encryption and even revert the computer back to its pre-ransomware state if necessary.
Endpoint security is also a great way to supplement other areas of cyber security with integrations and having your endpoint communicate to things like SIEM (Security Information and Event Management) or in certain cases with your firewalls to help provide fluid communication across your tech stack.
“Endpoint Security, Isn’t That Just Anti-Virus?”
Before Endpoint Security, the technology used to be referred to Anti-Virus software. A common question from the non-technical crowd might be – “Isn’t this the same as Anti-Virus?” and while the short answer is yes, there is a longer answer explaining how it is much more and why small businesses especially should get to know the difference.
Small businesses may be inclined to purchase Anti-Virus from a local retailer as a cost-effective solution for peace of mind. This is mostly considered a false sense of security and I can explain why. Anti-Virus for the most part, is based on what is called “Heuristics” or Virus Signatures. Meaning that threats need to be identified by some sort of intelligence feed and delivered to the product. This leaves “Zero Day”, previously unseen, threats largely fair game to get past these systems. The second shortcoming with traditional Anti-Virus is it is focused on looking for specific signatures and specific actions to trigger to quarantine an infection after the fact. In cases with advanced malware or ransomware, it’s just too late at that point. It’s going to miss out on the different stages of detecting a ransomware infection that we covered earlier.
Best Practices
There are at least 20 “Best Practice Tips” that I could share for just good security practices but perhaps we can explore that in a future publication. For now, let’s focus on best practices as it pertains directly to Endpoint Security products.
First and foremost, many times, organizations will fall into this trap of meeting compliance or standards and just finding any product that checks a box and costs the organization the least amount of money; DO NOT FALL INTO THIS TRAP. If you are going to be investing in Endpoint Security, follow some of this advice:
- Do your research – meet with several companies and get demo’s. This is crucial to understand how a product will fit your organizational structure, your team size, your ability to implement and maintain the product and how it fits with the rest of your tech stack.
- Do a Proof-of-Concept deployment – This is often a free service, and you get a chance to see the product in your environment in real time. You can really see if it meshes well with your organization before signing the contract.
- Once you decide on a product, take steps to mature the rest of your security posture that don’t necessarily require a product. Things like device hardening, improving password policies, enforce least privileged access, network segmentation, improving cloud policies etc.
Its July of 2021, we are still hearing about advanced, persistent ransomware attacks against multiple sized public and private organizations all over the country. It’s time to take endpoint security seriously, and time to invest up front to protect your organization and employees from these attacks. Remember, it takes attackers only 1 success to accomplish what they want. As security practitioners and business stakeholders, we are accountable to enable our organizations to help ensure we are doing everything we possibly can to prevent that from happening.