When it comes to cyber threats, the endpoint is often where the action is. In today’s post, we’ll discuss why it’s time to update your endpoint security approach. We’ll also offer some recommendations for how to go about this.
Why Antivirus + Perimeter Protection is No Longer Enough
For the last 20-plus years, the primary solution for endpoint protection has been signature-based antivirus (AV). When most network traffic was unencrypted and threats were unsophisticated, reactive endpoint AV combined with perimeter defense was sufficient to protect most organizations.
But threats have evolved. Most traffic is encrypted now, ransomware is rampant, and there are legal requirements to protect sensitive data. Today’s reality dictates a new approach to endpoint security. It requires a different set of solutions that provide greater control and insight into what’s happening on endpoints.
Some key solutions to greatly improve endpoint security include:
- Data Loss Prevention (DLP);
- Endpoint Detection and Response (EDR);
- Multi-Factor Authentication (MFA);
- Enhanced DNS services.
If you’re evaluating any of these solutions, be aware that there are not many pure solutions out there. This is both good and bad. It’s good because solution purity isn’t the goal; we just need things to work, and you might find a blended solution that meets your needs.
Mixing features can make it difficult to evaluate and compare solutions, though. The functionality of many products starts with a specific focus. They often evolve through feature bleed into other areas over time. It can be helpful to look into the history of the solution to identify its core strengths. One excellent option for many organizations is to move to a SOC-as-a-Service solution, which we’ll also discuss.
Data Loss Prevention
Data Loss Prevention (DLP) is one of those solutions that can be very important as an endpoint security solution if you deal with sensitive data. From an endpoint perspective, DLP was a bit painful in its initial uses. It often ended up being turned off due to high rates of false positives and a poor user experience.
Today’s DLP solutions use a few primary ways to determine how to apply rules to a piece of data. These include:
- User-based tagging or automated tagging of files based upon content patterns;
- Where the data resides; and
- Who is using the data.
An important thing to know is that file tagging is an operating system (OS) level function. Not all file types on a typical OS support tagging, tags that are applied can’t be guaranteed to persist once a file leaves a specific machine, and the supported tagging methods vary by OS.
But, those limitations aside, file tagging can be very powerful when used to prevent the exfiltration of sensitive data and track data usage on an endpoint. Using tags this way gives you the chance to prevent data leaving the endpoint by evaluating it before it gets put in an encrypted payload.
Most DLP solutions are also much better at cutting down on false positives now. Test this on your data and systems though before seriously considering any solution, of course.
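To make the three rule inputs above concrete, here is an added Python example (not code from the original post or from any DLP product) that tags a file from content patterns and from where it resides, then evaluates an egress attempt against who is using the data and where it is going. The patterns, paths, approved destinations and the Luhn check as a false-positive filter are all assumptions made for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Set, Tuple

# Constructed content patterns; a product's rule set would be far larger.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")   # 13-16 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")      # US SSN layout

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most random digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def tag_content(text: str) -> Set[str]:
    """Automated tagging from content patterns (the first method in the list above)."""
    tags = set()
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            tags.add("PCI")
    if SSN_RE.search(text):
        tags.add("PII")
    return tags

@dataclass
class File:
    path: str
    owner: str
    tags: Set[str] = field(default_factory=set)

@dataclass
class Egress:
    """A file about to leave the endpoint, inspected before it is encrypted for transport."""
    file: File
    user: str
    channel: str       # "email", "https", "usb"
    destination: str   # remote host or device name

# Constructed policy data: where-it-resides rules and per-tag approved destinations.
SENSITIVE_LOCATIONS = ("/finance/", "/hr/")
ALLOWED_EXTERNAL = {"PCI": {"payments.example.com"}, "PII": {"hr-portal.example.com"}}

def classify(f: File, content: str) -> Set[str]:
    """Tag a file from its content and from its location on disk."""
    tags = tag_content(content)
    if any(loc in f.path for loc in SENSITIVE_LOCATIONS):
        tags.add("RESTRICTED")
    f.tags = tags
    return tags

def evaluate_egress(e: Egress) -> Tuple[str, str]:
    """Combine the rule inputs: tags, location-derived tags and who is using the data."""
    if not e.file.tags:
        return "allow", "untagged"
    if e.channel == "usb":
        return "block", "tagged data to removable media"
    if "RESTRICTED" in e.file.tags and e.user != e.file.owner:
        return "block", f"{e.user} is not the owner of restricted data"
    for tag in ("PCI", "PII"):
        if tag in e.file.tags and e.destination not in ALLOWED_EXTERNAL[tag]:
            return "block", f"{tag} data to unapproved destination {e.destination}"
    return "allow", "policy satisfied"

if __name__ == "__main__":
    card = File("/sales/quote.txt", "alice")
    classify(card, "Card on file: 4111 1111 1111 1111")
    print(evaluate_egress(Egress(card, "alice", "email", "payments.example.com")))  # allow
    print(evaluate_egress(Egress(card, "alice", "email", "mail.example.org")))      # block
```

The Luhn check is the kind of tuning the post asks you to test on your own data: a 16-digit run that fails the checksum (an order number, for instance) stays untagged instead of tripping the rule.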
Endpoint Detection and Response
DLP solutions often bleed over into the Endpoint Detection and Response (EDR) space. If you’re collecting information on the sensitive data that an employee emailed or used in the last 30 days, why not track all their activities on the endpoint?
Taking it a step further, why not look at the processes, behaviors, and combinations of behaviors on the endpoint? By looking at specific and collective behaviors, EDR solutions add an important facet to endpoint security. Perhaps you want to trip an alarm based upon PowerShell being run.
You may want to trip an alarm when PowerShell is kicked off from an email and registry keys are modified, or outbound connections are spawned. It’s easy to come up with a long list of policies and rules when we want to track or trigger alarms.
In addition, EDR solutions also typically provide process trees. This brings us to the response portion of EDR. Process trees and other tools within EDR solutions let analysts investigate potential threat activity and respond to it. These responses can be as granular as blacklisting a file hash, or as heavy-handed as bricking an endpoint.
These solutions can also be tied into subscription-based threat and indicators of compromise (IOC) exchanges. One thing to keep in mind with DLP and EDR is the need for skilled tuning to cut down on false positives, and for a dedicated group to handle investigations and responses.
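The PowerShell rule described above, worked through as an added Python example that is not from the original post or any EDR product: it builds a process tree from constructed telemetry, walks each PowerShell process's ancestry to see whether it descends from a mail client, and raises the severity when registry writes or outbound connections are attached to that process. The event shape, the mail-client list and the severity scheme are assumptions made for the example; the alarm deliberately fires only on mail-client lineage, since the administrator's interactive shell in the sample shows why "PowerShell is running" alone is too noisy.

```python
from collections import defaultdict
from typing import Dict, List

# Constructed sample telemetry in a simplified shape; not any vendor's event format.
EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1,   "image": "explorer.exe",   "user": "alice"},
    {"type": "process", "pid": 200, "ppid": 100, "image": "outlook.exe",    "user": "alice"},
    {"type": "process", "pid": 300, "ppid": 200, "image": "winword.exe",    "user": "alice"},
    {"type": "process", "pid": 400, "ppid": 300, "image": "powershell.exe", "user": "alice"},
    {"type": "registry", "pid": 400, "op": "set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"type": "network", "pid": 400, "direction": "outbound", "dest": "203.0.113.10:443"},
    # An administrator's interactive shell from the desktop: same binary, benign lineage.
    {"type": "process", "pid": 500, "ppid": 100, "image": "powershell.exe", "user": "admin"},
    {"type": "network", "pid": 500, "direction": "outbound", "dest": "10.0.0.5:5985"},
]

MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}   # assumed list

def build_tree(events):
    """Index processes by pid and attach registry/network events to the process that caused them."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    side = defaultdict(list)
    for e in events:
        if e["type"] != "process":
            side[e["pid"]].append(e)
    return procs, side

def ancestry(procs, pid) -> List[str]:
    """Walk the process tree upward; returns images from the process itself to the root."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:   # seen-set guards against pid reuse loops
        seen.add(pid)
        chain.append(procs[pid]["image"].lower())
        pid = procs[pid]["ppid"]
    return chain

def detect(events) -> List[Dict]:
    """Alert on PowerShell descended from a mail client; escalate on registry or network side effects."""
    procs, side = build_tree(events)
    alerts = []
    for pid, p in procs.items():
        if p["image"].lower() != "powershell.exe":
            continue
        chain = ancestry(procs, pid)
        if not any(img in MAIL_CLIENTS for img in chain[1:]):
            continue
        reg = [e for e in side[pid] if e["type"] == "registry" and e["op"] == "set"]
        net = [e for e in side[pid] if e["type"] == "network" and e["direction"] == "outbound"]
        alerts.append({
            "pid": pid,
            "user": p["user"],
            "chain": " <- ".join(chain),          # the process tree an analyst would pivot on
            "registry_writes": len(reg),
            "outbound": len(net),
            "severity": "high" if (reg or net) else "medium",
        })
    return alerts

if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a)
```

The `chain` field is the response hook: it is the process tree the post mentions, and it is what you would hand to whoever decides between blocking the file hash and isolating the host.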
Multi-Factor Authentication
Using DLP and EDR is a very effective way to increase endpoint security. Sometimes, though, it’s the simple things that we do that can have a huge effect. A case in point is how many systems still only use single-factor authentication.
A recent study from the Australian government showed that 50 percent of breaches in the past year were the result of compromised credentials. The 2019 Verizon Data Breach Investigations Report (DBIR) showed that nearly one-third of data breaches were from stolen credentials.
Moving beyond just the password to require ongoing Multi-Factor Authentication (MFA) or periodic MFA can greatly increase the security of your systems. It used to be that we only saw these solutions at large companies or government agencies. However, today’s solutions are affordable and easy to add for any size organization.
These solutions can be implemented without hardware tokens and can also be applied to mobile devices.
Enhanced DNS Security
While DNS is a network level activity, you can also take advantage of commercial services to provide enhanced network security and strengthen your endpoint security. These services provide the ability to block connections to known malicious sites before an endpoint connection occurs.
They can also block reach-backs to bad sites by malware that gets executed inside your network, no matter how it gets executed. The reporting from these services also makes it easy to see activity across all devices and ports; that view isn’t available from a basic DNS service, and nobody would have the time to collect and aggregate it by hand.
These services are relatively easy to implement. They typically employ some type of machine learning or artificial intelligence to detect emerging threats.
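To show what the blocking and reporting above look like at the policy layer, here is an added Python example (not code from the original post or from any DNS provider) that checks each query against a blocklist with parent-domain matching, answers hits with a sinkhole address, and aggregates blocked queries per device. The blocklist, the log format and the sinkhole address are constructed for the example; a commercial service replaces the static set with its own threat intelligence.

```python
from collections import Counter, defaultdict
from typing import Dict, List, Optional

# Constructed blocklist (reserved .example names) and a constructed query log.
BLOCKLIST = {"malicious.example", "c2.bad.example"}
SINKHOLE = "0.0.0.0"

QUERY_LOG = """\
2019-10-01T09:00:01Z device=laptop-17 qname=www.example.com qtype=A
2019-10-01T09:00:02Z device=laptop-17 qname=update.MALICIOUS.example. qtype=A
2019-10-01T09:00:07Z device=printer-2 qname=c2.bad.example qtype=TXT
2019-10-01T09:00:09Z device=laptop-03 qname=cdn.example.net qtype=AAAA
2019-10-01T09:01:15Z device=printer-2 qname=c2.bad.example qtype=TXT
"""

def parse_line(line: str) -> Dict[str, str]:
    """One log line -> dict; the timestamp is the first field, the rest are key=value."""
    ts, *pairs = line.split()
    rec = {"ts": ts}
    rec.update(p.split("=", 1) for p in pairs)
    return rec

def blocked_parent(qname: str, blocklist=BLOCKLIST) -> Optional[str]:
    """Match the name or any parent domain, so sub-domains of a listed zone are caught too."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None

def apply_policy(rec: Dict[str, str]) -> Dict:
    """Decide before any connection happens: a hit gets the sinkhole address instead of a real one."""
    hit = blocked_parent(rec["qname"])
    decision = dict(rec)
    if hit:
        decision.update(action="block", answer=SINKHOLE, reason=hit)
    else:
        decision.update(action="allow", answer=None, reason=None)
    return decision

def process_log(text: str) -> List[Dict]:
    return [apply_policy(parse_line(l)) for l in text.splitlines() if l.strip()]

def blocked_by_device(decisions: List[Dict]) -> Dict[str, Dict[str, int]]:
    """Reporting across all devices: repeated hits from one device look like beaconing."""
    table = defaultdict(Counter)
    for d in decisions:
        if d["action"] == "block":
            table[d["device"]][d["reason"]] += 1
    return {dev: dict(c) for dev, c in table.items()}

if __name__ == "__main__":
    decisions = process_log(QUERY_LOG)
    for d in decisions:
        print(d["device"], d["qname"], d["action"], d["answer"])
    print(blocked_by_device(decisions))
```

The aggregated view is the part a plain resolver never gives you: the printer querying a listed name twice in a minute stands out immediately, regardless of how the code making that query got onto the device.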
SOC-as-a-Service
Many organizations, particularly SMBs, have found that a SOC-as-a-Service solution often offers the best approach for securing their endpoints. For example, our ActiveEye platform uses a single agent, console, and dataset. It continuously monitors all endpoint activity and analyzes the data in real time to automatically identify threat activity. This enables it to both detect and prevent advanced threats as they happen.
Unfiltered, tagged data allows you to easily search and investigate endpoints. You can then follow the stages of an attack and identify root causes to close the security gaps. Delta Risk also incorporates insights from third-party threat intelligence partners, like the Alien Labs Open Threat Exchange, to help detect and prevent threats faster.
All of this is built into ActiveEye to provide a single source for combating threats, versus trying to manually view and piece together data from multiple sources.
In the cat-and-mouse game of endpoint security, the threats have become more sophisticated and ever more complex. Fortunately, the security controls and technologies available to address these threats have also matured. They’ve also become more cost effective and easier to implement. Adding DLP, EDR, MFA and enhanced DNS, as well as considering SOC-as-a-Service, can greatly improve the security posture of your endpoints.