6 Steps for Mastering Endpoint Security
Every once in a while we will witness businesses in IT becoming infatuated with one or another corporate trend.
Obsessing over some insignificant, fashionable matter, pouring budget for needless changes, flaunting the buzzwords in meetings and conferences, beating themselves in the chest over how far they have gotten into integrating one or another technology or methodology.
Strict software security measures are becoming more and more important and this trend is not dictated by fashion. It is not just a buzzword.
If you want to learn more about why you need to up your endpoint security game yesterday, continue reading this article.
THE IMPORTANCE OF SECURITY?
There are several business tendencies we are observing during the past decade contributing to the rising concern of doing endpoint security right.
The first one is the most obvious. The technological penetration in our everyday lives means more and more data is being accumulated by businesses and is at risk of unauthorized access.
In the year 2000, only about 5% of the world population had access to the Internet. Ten years later, in 2010, that number changes to just under 30%. In 2018, more than half of the world population is using the Internet regularly.
If we factor in that the world population is also growing exponentially, that means a way larger audience for as little as 18 years difference – a difference of about 4 billion people.
This change in quantity is bringing on a quality change where the market share of the IT industry is also rising, with an increasing number of companies joining the field. Music stores become music apps. Retail becomes e-commerce.
Users are becoming more and more trusting of businesses. The Internet is way more interactive today than it ever was.
They submit their personal data, their images, their credit card and other financial information.
Sometimes it goes as far as sharing their genetic information – to discover their ethnic origins or genetic predisposition to disease.
That means a potential data breach makes more citizens vulnerable than before – and in more ways than one.
With the citizens becoming more and more vulnerable, legislation is making effort to catch up with the industry and protect users from unauthorized access to their data.
Let’s take for example GDPR – the regulation on protecting personal data that recently entered into force for all countries in the European Union as well as all businesses that provide services to citizens of the EU.
The General Data Protection Regulation, being applicable since 25 may 2018 aims at providing guidelines to individuals and businesses how to acquire, process and store personal data.
Among other measures, businesses are encouraged to inform data subjects who will have access to their data and what it will be used for. The guidelines include using encryption and pseudonymization of data so it cannot be tracked back to a single data subject.
The Regulation forces corporations to appoint a data protection officer, to assess their data processing practices regularly as well as the different levels of risk the accumulated information may bear for the subjects.
In case of a data breach, an organization must report to the supervisory authority within 72 hours, including the nature of the breach, the scope, the possible consequences, and the measures taken before and after the breach to minimize the risks to the data subjects.
Based on the measures to lower the risk, the organization may be considered ultimately liable for the damages.
Location, diversification, location
The internet, synchronization, video conferencing – the new technologies make it possible, and, what is way more important, easy and affordable, for organizations to offer working remotely.
The physical office is losing its meaning. In the classic situation, an organization could provide physical access security – to restrain access to the physical location and with that to make sure no third parties have ever accessed their systems.
Today, organizations bend the working space and time continuum to provide conditions to work from all over the globe, with the best employees, regardless of borders – and as if employees are all in the same room. Imagine an international organization with dozens of offices in different countries, and why not, even different continents.
In that international organization, half of the employees can take advantage of home office and work from their own house.
Then, you throw in the freelancers – specialists, working part time on company project because of reasons to do with staff of budget. But they never ever belonged to the organization anyway.
When individuals from various locations, time zones and organizations have legitimate reasons to access the same environment, control is becoming elusive. It is time to implement a complex, yet reliable endpoint security strategy.
WHAT IS ENDPOINT SECURITY?
Endpoint security is the practice of applying a complex protection layer between the network (for example a corporate network) and any remote devices that try to establish a connection.
Each of those remote devices is considered a potential threat – an entry point of possible security risks.
Therefore endpoint security is the collection of all security measures to protect those connections from becoming the gateway of ill-intended actors.
The basis to achieve endpoint security involves using security software, installed on a server with centralized management, or a gateway in the network. The endpoint devices then use a specialized client to connect to that software and authenticate themselves as authorized actors in the system.
Based on the vendor of the security software, it could involve a number of additional features, including updating the software on the client’s side, anti-virus, antispyware, and HIPS.
GREATEST THREATS FOR ENDPOINT SECURITY
The Enterprise Strategy Group conducted a survey in 2017 among 300 IT professionals about the types of threat to endpoint security they find the most difficult to detect.
43% of professionals reported unknown malware is among the threats they found most difficult to detect.
Malware (malicious software) is nothing more than a program that is intentionally designed to do some sort of damage to a network. ‘Malware’ is the most general name for such programs.
It can be introduced into the system via a legitimate or an illegitimate agent.
It could take the form of a code, a script, or a program and is extremely likely to be confused for well-intended, legitimate content and to be imported intentionally during authorized access.
Because of the many forms the malware can take and the multiple entry points towards the inside of a system, specialists find it extremely difficult to detect.
Zero day exploits
31% of professionals reported zero day exploits are among the threats they found most difficult to detect.
In the first days after a software launches a new release, it is common flaws are being discovered by users or ill-intended actors. The issues could be the result of bad security configurations or programming errors.
Hackers often set out to exploit new releases for weaknesses, often packaging attack agents into malware. The idea is to either compromise the system, make it act in an unintended way, or to make them be able to take unauthorized control.
When the new version has already been released into production, the developers have ‘zero days’ to fix the issue – hence the name of the attack.
29% of professionals reported Fileless attacks of weaponized content are among the threats they found most difficult to detect.
A Fileless attack means the source of the attack cannot be traced back to an unauthorized file introduced to the compromised system. Therefore anti-virus and other protections are more likely to miss the malevolent agent.
They are also known as zero-footprint attacks. According to some statistics, more than 70% of compromising attacks in 2017 were fileless and those are ten times more likely to succeed in actually inflicting damage.
It is very often that the fileless malware sneaks in applications the user has already deemed safe, for example your favorite text editor.
Multistage and multi part attacks
25% of professionals reported Multistage and multi part attacks are among the threats they found most difficult to detect.
A multistage attack is the long con of cyber security.
The attack uses multiple technologies, programming languages, psychological tricks and, to a large extent, a volunteer from the audience.
A common deception would be for a spammer to send out emails pretending to be from a popular financial institution, containing an attachment the user is supposed to open to verify their account.
Now, even if a user is suspicious and would not provide their bank account details, they could still open the file. The attachment could contain an underlying HTTP request to a malicious source.
Because these attacks count on cooperation from the user, the user could override the security warnings. And the threat is often left undetected.
23% of professionals reported ransomware is among the threats they found most difficult to detect.
Ransomware is another form of malicious software, however, it has a specific intent.
Ransomware could be introduced into a system via conventional methods such as phishing, or any sort of social engineering.
Once the malware is imported and has access, it could compromise the system in various ways. A very common tactic is to encrypt the information.
The victim of ransomware will be threatened with destroying their information, or making public their personal data, unless they pay ransom.
Learn more about ransomware here:
Exploits of vulnerabilities in unpatched applications
21% of professionals reported Exploits of vulnerabilities in unpatched applications are among the threats they found most difficult to detect.
Sometimes legitimate applications bear vulnerabilities.
Even if the developers have provided updates to patch the software and minimize the risk, a user failure to update their application may lead to serious consequences, especially because the user trusts the application.
19% of professionals reported known malware is among the threats they found most difficult to detect.
Known malware is rarely an issue because there are supposed to be security mechanisms designed to prevent it from compromising the network. However, a poor security program, poor execution or uneducated user behaviors may allow it to wreak havoc on the organizations system.
6 IMPORTANT STEPS IN ENDPOINT SECURITY
Step 1. Impeccable planning
Endpoint security cannot be underestimated. Any breach may cost your organization a large amount of man-hours, may set you back years against your competition. It may have large scale financial and/or legal consequences and, most importantly, it can cost jobs.
First, identify the group that will work on the project. You need to involve management, finance, security officers from all levels, and HR who will help do the trainings with the employees as end users. Gather external experts if you have to and can afford it.
Second, give yourself a deadline in timing and an approximation in budget to get to the end goal. Be generous with your resources, however much money and efforts you spend on the task, it will be worth it against the risks.
Third, identify entry points. Communicate to all your employees you are revising your endpoint security policy and ask them for cooperation. Ask what devices they are using to get to the network, what tools they are using, what third party software they are applying into their work and what are their most trusted applications.
Step 2. Build a scalable and adaptable framework
This article has already outlined the biggest threats professionals see for their network in 2017. In three years the picture could look completely different. The nature of malicious activities is they have to surprise the security officers and the end users in order to work. And therefore they are constantly changing.
Try and stick with a module-based security strategy, where you can add one more layer. Do not keep all your eggs in one basket. One provider might offer you a seamless integration at a good price today and be completely outdated tomorrow.
A multi-layer defense system is already the choice of most organizations. What you want to do is to achieve the best value via creating a flexible and scalable security framework.
Each layer cannot be left independent, they need to communicate with each other, complementing their work and contributing to the end result.
The framework must be sufficient for your needs at all times and therefore must be open to seamlessly add new modules for trending new threats.
Step 3. Identify and contain damage
At all points keep sufficient resources of high level administrators that can track and respond timely to any attack to your network. Your employees must have the sufficient time, training and permissions to respond to large scale issues at all times.
Ideally, you need to have a wing of highly educated investigators that will monitor the system reports and respond to threats in real time.
Realistically, your goal must be to also implement detection and response mechanisms into all endpoint operations and therefore allow even your low-level front-of-the-line administrators to remedy most situations.
Work on strategies of regular trainings, regular shadowing and coaching drills, internal workshops and easy escalation procedures where low level and high level employees can interact, share experience and exchange ideas.
Step 4. Data sharing
You can use automation to save on human resources. Automated tools can look after your system for known offenders. They can identify a potential threat so your administrators do not have to bother.
Sharing threat intelligence is a good way to avoid overloading your own employees. A shared system can detect a known actor as good or bad – whitelist it if it has been verified and legitimized before or blacklist it and stop their access if they have been proven to be malevolent already. And that Is all before the alert is even brought to the attention of your employees.
You will be removing layers of complexity and limiting the man hours for your security team. You will be processing through larger amounts of information faster and easier. Removing mundane tasks from your employees’ work trays will help you retain talent and leave more capacity for actual issues that require the human factor to be resolved.
Some data sharing tools will even offer you a prioritizing system where they will automatically distribute the load between the employees and the system via only offering the highest priority alerts for manual check, leaving all the rest to automatic processing.
Threat sharing intelligence will accumulate your data with databases of external sources to give you a high-probability suggestion whether you should or should not allow a particular action or user. More often than not, the tools can be seamlessly integrated without you having to switch between interfaces, or copy your data.
What is more, the data will recognize the same threat if it reappears via another department, another device or another IP.
Step 5. Machine learning analysis
A lot like sharing threat intelligence, machine learning is used to accumulate data with external sources to offload your security officers from manually checking upon possible threats.
What is unlike sharing threat intelligence, machine learning accumulates and studies patterns, rather than specific data for users and activities that have already occurred.
What machine learning does is it gathers data from your system about user access habits – the timestamp of the usual user access and log-off, the tools they are using, the processing power they usually need.
Machine learning algorithms are to be fed information about the scope of the company activities, the locations of the users, the usual operating system, the type of exchanged data.
The machines learn the ‘habits’ of your organization on a macro- and micro-scale. Then they report whenever a pattern is detected that is an outlier from the normal behavior.
The alert can then be brought on to the attention of a different team in your security department based on the significance of the deviation from the norm.
It is yet another way to prevent anomalies from being overlooked.
Step 6. Regular revision
Schedule a regular revision of your endpoint security policy. Every quarter have your team meet and report on the success of the adopted tools. Yearly, the same meeting must aim at actually introducing improvements in the policy.
Updates of tools, adding modules, adopting changes in your workflow and procedures, changing the vendor of your security software.
All suggestions must be driven by actual cases you have encountered or trends in the business or among your competition.
Make sure when revising your policy you are adopting a consolidated approach. Factor in both the automatic and manual methods and always consider they are interchangeable.
ENDPOINT SECURITY STATISTICS
In 2017, 70% of organizations report they have assessed the risk to their security has raised significantly during the past year.
Additionally, most businesses recognize endpoint security is becoming more important because attacks are evolving with 77% percent of successful attacks using fileless techniques.
Fileless attacks are ten percent more likely to succeed and cause more damage than other conventional methods of deception.
80% of organizations confirm their trust in their antivirus protections has been shaken during the past year and they have substituted their vendor for new endpoint solutions or added detection and response tools.
More than half of the surveyed organizations admit they have been the victim of a ransomware threat, with more than 60% admitting they resolved to actually paying the required amount. The average ransom is more than three thousand dollars.
Organizations find current security measures to be ineffective and inefficient with more than half of security alerts proving to be false positives.
The nature of endpoint security attacks is to always evolve. As soon as a popular detection mechanism is discovered, the attack is rendered useless since it cannot inflict the same harm on the organization. New methods arise, new exploitation techniques are invented.
And it looks like they are here to stay. The tendencies are for the market share of the IT companies to expand, for the number of users to increase, for the online activities to diversify and for the amount of collected sensitive data to accumulate and present higher and higher value for hackers and, with that, higher and higher risk for the companies and the users.
The field of endpoint security is to be constantly invested in. Utilizing automated and manual techniques to detect and respond to threats is crucial. The key towards creating an effective and efficient mechanism is to achieve harmony between machines and human resources an organization employs to deal with the threat.
Only when the resources are efficiently distributed, can the company stay on top of its game of endpoint security.
Customer validation is the second part of the Customer Development model. This phase is important …