Endpoints: Same as they ever were, but different too

The numbers are in and they are terrible. The FBI reports that more than 4,000 ransomware attacks occur daily and industry research has found there are 230,000 new malware samples produced every day. During the past six years, the Breach Level Index reports that 15 billion data records have been lost or stolen. That translates to 6.4 million per day, 4,463 every minute, and 74 records every second. In the time it took you to read this paragraph, roughly 2,000 records were stolen.

Malware in general and in its various iterations — ransomware, trojans and the like — are becoming one of the enterprises’ biggest headaches. And yet, companies sally forth piecing together defenses that might have been designed when networks still had “perimeters,” cloud computing was anything but ubiquitous, or simply based on kludging together whatever tools were on hand rather than building a thoughtful, strategic defense.

That said, network security vendors haven’t been sitting on their hands. In the past two years antivirus (AV) and endpoint detection and response (EDR) tools have merged into a single agent. Large platform appliance players created all-inclusive products that offer end-to-end visibility. And, of course, vendors are looking for ways to incorporate artificial intelligence (AI) and machine learning (ML) into their offerings.

Many vendors also are adding services to the mix, such as IT hygiene and IT security services for companies struggling with the ongoing cybersecurity worker shortage. In short, the endpoint security industry has actively developed new products and promises, but how much of this converts into actual endpoint security and how much is the industry equivalent to rearranging the deck chairs on the Titanic?

“I like the idea of integrating the endpoint security and EDR tools,” says Deneen DeFiore, senior vice president and global chief information and product security officer at GE Aviation. “There are several advantages: it simplifies the agent footprint, reduces the time to update and more easily allows the collection of event data. At GE, we can staff the detection and response capabilities, but for organizations that can’t, managed service options allow their resources to focus on the most critical events, or dive into trend analysis to affect strategic improvements to outcomes vs. day-to-day operations.”

While integrating antivirus with EDR tools has been portrayed as a positive development, Aaron Baillio, deputy CISO and an adjunct professor at the University of Oklahoma, cautions that it is not necessarily a panacea.

“What we find is that any time we put a new protection mechanism in place, attackers find ways around them,” he says.

“Usually, a new tool is good for about six months before attackers have found a way to either circumvent the new protection mechanism or to invent a new way to reach our users. We have to constantly monitor the efficacy of the tools. We also greatly rely on our users’ feedback to understand what’s getting through to them.”

The challenge many CISOs face is not that companies are devoid of defenses. Rather, often the defenses in place are perfectly reasonable — if one were to turn the clock back a few years. Defending against past threats can be problematic as attackers are always evolving, and not having defenses against the next, or even current, generation of threats puts a company at further risks.

This ever-expanding threat landscape means endpoints are more vulnerable than ever, even as CISOs try to get a handle on where their network terminates and which devices fall under their management responsibility and which belong to business partner, cloud providers and other entities. The whole idea of what and where an endpoint is located also complicates the issue. Sometimes the endpoint is on a partner’s network, sometimes it is in the cloud, and sometimes it moves with the remote employee.

Gartner predicts that by 2025, 70 percent of organizations with more than 5,000 seats will have EDR capabilities, up from 20 percent today. By 2025, cloud-delivered integrated EDR and endpoint protection platforms (EPP) products will grow from 20 percent of new deals to 95 percent.

Dan Bowden,
vice president and CISO, Sentara Healthcar

Dan Bowden, vice president and CISO at Sentara Healthcare in Norfolk, Va., says these combined offerings are potentially invaluable to a CISO walking into a new role that had no existing capabilities in place. He says they might want to give these emerging EDR products a hard look, adding that if they find the right combination of products at the right cost, it could be a nice jump-start to the organization’s security posture.

“Then there are some protective, detective, and response capabilities in place while the new CISO evaluates other areas of the overall security stack and program,” Bowden explains. “The obvious benefits are the integration and rolled up management. I still recommend taking a closer look at the detailed pieces of the EDR offering. Depending on circumstances, there may be risk in compromising on certain capabilities just for the sake of integration and telemetry.” Dave Gruber, a senior analyst at the consulting firm Enterprise Strategy Group (ESG) who covers endpoint and application security, says vendors are integrating antivirus and EDR into their products because prevention alone is not enough.

“Security teams need to be able to detect and respond to attacks that evade prevention, and therefore leverage modern EDR solutions,” Gruber says. “Bringing prevention and EDR together into an integrated offering reduces complexity and leverages a single agent, lightening the load on endpoints.”

AI defenses

Gruber says organizations are now implementing AI tools, and its subset machine learning, in the cloud to give them the processing power to look at the behavioral characteristics of malware.

“Just about every vendor has put a piece of their offering into the cloud, which lets both the internal security people and the MSP (managed services provider) more effectively analyze attack patterns,” Gruber says.

Peter Firstbrook, a vice president and analyst at Gartner who covers security, says the move to the cloud has been profound. “Most of the other software domains have moved to the cloud,” he says. “The security industry has been the last to migrate to cloud. It makes sense now that it’s possible to store more and easily analyze data in the cloud.

“Now, every read, write, thread injection and user log-on gets captured in the cloud, and security teams can experiment with machine learning on cloud data,” he continues. “Also, with cloud delivery, everything gets updated automatically, at the speed of the changing attack environment.”

GE’s DeFiore notes whether in the cloud or on-premises, the use of analytics and algorithms to detect anomalies off a baseline has become the standard. “As we are able to harness more and more data, the use of AI and machine learning are enabling a more effective approach to detection,” DeFiore says. “Though the technology makes us more capable, I believe we still need the creativity of skilled professionals to accelerate our understanding of threats.”

Dave Gruber,
senior analyst, Enterprise Strategy Group

University of Oklahoma’s Baillio acknowledges that, like Gruber’s concern that EDR is never 100 percent effective, neither are AI and ML. However, the emerging AI technology has helped get his team very close to replacing some of the university’s Tier 1 analysts, or at least supplement their efforts.

“I can rely on the technology to make correct decisions and quickly react to incidents and events without having to add more manpower to a situation,” Baillio says.

“That allows my human analysts to respond to more significant issues where their talent and expertise can be more targeted. Where traditional signature-based AV was 30 to 50 percent effective, combining AI and ML gets us up to 95 to 98 percent effective, alleviating a huge amount of the workload.”

AI in the cloud

By freeing up the security staff from the entry-level and repetitive tasks, Baillio says his team can focus more on actual machine compromises where an attacker has access to a host and possibly data exfiltration.

Sentara Healthcare’s Bowden agrees, adding he is a big believer in leveraging cloud resources for analytic capabilities at scale for events, devices and locations. He says the agility gained by leveraging cloud resources for analytics allows for the compiling of asset, event, threat and vulnerability data from millions of sources at diverse locations and many ecosystems.

“I believe that if you can get enough data to mitigate/manage the influence of patterns or forms of bias that prevail within particular ecosystems, threat intel ubiquitous to all organizations could be sifted out,” Bowden says.

“Conversely, if you’re in higher education, you may want your AI analysis to be done with data from higher education ecosystems — possibly the same story for other sectors,” he notes. “Seems like you could learn which bad actors are going after everyone, or specific sectors or even certain companies.”

ESG’s Gruber adds that that kind of capability has been promised by the major cloud providers and should offer the security industry something it has never had before.

“The large cloud providers are starting to offer cloud-powered analytics services that can analyze vast amounts of data from the entire security stack, including endpoints,” Gruber says. “This approach will enable organizations to flesh out more attacks and understand attack patterns, helping to prevent future attacks.”

But not everyone is buying into the AI-asa-Panacea approach. Michael Makstman, CISO of the City and County of San Francisco, is frustrated that the overall discussion around endpoints often centers on AI and ML. He thinks the industry might well be missing the bigger point.

“Everyone’s talking about artificial intelligence and machine learning in the cloud, but I’m more interested in outcomes,” Makstman says. “What I need is a service that from the time an attack gets identified through the time we are back up and running and the attack is over, I know [the service] can handle it. We want incident response, threat intelligence and managed detection and response [capabilities].”

And Makstman says he does not want to talk about tools. “When you go to the doctor for a knee replacement, you don’t ask them which brand they like, you just leave it up to them,” Makstman says. “That’s the kind of service that I want for security.”

Interestingly enough, the industry has responded on that front with every type of company from a SaaS provider to what Gartner calls a managed detection and response (MDR) provider offering various security operations center (SOC)-as-a-service capabilities.

The Open API approach

While many companies are focusing their marketing pitch on AI, Gruber says that another important and effective change on the endpoint over the past two years has been the advent of open APIs that let security teams integrate endpoint data with the rest of the security stack, including orchestration, analytics and other network, email and identity management security systems.

The vendor community responded, mainly because security professionals get a great deal of value by sharing information and capabilities across different parts of the security stack, he opines. In fact, research by ESG found that 41 percent of security and IT professionals believe that a cybersecurity platform consists of an integrated product suite from a single vendor that also provides APIs for the integration of third-party technologies.

Gruber says that with the open APIs, the vendors publish the source code that makes up the API so security experts can evaluate the code to see if something has changed to the point where it would alter existing integrations with their other security products.

Deneen DeFiore,
senior vice president, global chief informationand product security officer, GE Aviation

“The idea is that if it changes, the security teams want to make sure that their integrations don’t get disrupted,” Gruber says. “With this capability, we’re no longer living in a world where everything must be from one vendor.”

Baillio adds that the open APIs also let his security team use web hooks and scripting tools to automate a response to an indicator of compromise (IOC).

“Rather than going into the tool and block it manually, when the system sees the IOC, it can send a message to the firewall to block it so it doesn’t wind up at the endpoint,” he explains.

DeFiore also employs APIs with her staff. The use of open APIs to integrate security tools helps security teams close the gaps in visibility they have across multiple platforms and products, she says. It also helps them integrate some of the custom-developed detection products into their ecosystem.

“They let us reduce inefficiencies in our analyst work processes,” DeFiore adds. “I see more and more vendors adopting this strategy.”

Changing Endpoint Management

Baillio notes that while the cloud creates opportunities, such as the ability to analyze network data more efficiently, it also eliminates the traditional “wall” or “fortifications” upon which security staffs used to rely. CISOs, either need to pull endpoints back in, or push those protection layers all the way to the endpoint, he says.

Baillio adds to truly take advantage of what the cloud can offer, security teams need to push those protection layers to the endpoint. He says what we see in practice is something between pulling the users back in and putting more control on the endpoint.

Baillio adds to truly take advantage of what the cloud can offer, security teams need to push those protection layers to the endpoint. He says what we see in practice is something between pulling the users back in and putting more control on the endpoint.

“So when you force the endpoint to come back through the network’s protection/choke points, you lose some of the user’s ability to innovate with cloud technologies,” Baillio says. “But I do understand the control issues, nobody wants to be the next breach.”

Gartner analyst Firstbrook classifies attackers into one of three categories:

• Automated attacks. These are attacks launched by bad guys who let computers do the heavy lifting in finding vulnerable websites as opposed to hackers doing the work manually.

• Opportunists. These groups scan the internet looking for victims and once they find an open door they quickly determine if they can make money on the victim. If so, they attack. If not, they move on.

• Hghly motivated and target-oriented. Attackers in it for more than the money. While money can be a motivator, they are more interested in intellectual property, like the latest design of a Lockheed Martin fighter jet. Major culprits include China, Russia, Iran, North Korea and Eastern Europe. And it can be more than nation states. This group also includes hacktivists and some criminal organizations.

Going forward

Firstbrook offers some important advice to CISOs looking to sort these endpoint issues out.

First, he says, CISOs should evaluate clouddelivered product offerings well before the organization’s next product renewal. Second, sign on with vendors that offer a true elastic and agile cloud architecture supported by a range of service options, such as incident response help and managed detection and response.

Third, CISOs should seek fully integrated EPP offerings with EDR capabilities that use the same detection funnel, data repository, management console and agent. Fourth, ensure that EPP detection capabilities include more modern behavioral approaches that are immediately adaptive to detect or block new attack techniques.

“Remember, there are only 2,000 known behaviors, but there are an unlimited number of ways to execute them,” Firstbrook says.

“Finally, favor vendors that can help harden the endpoint against attacks that target vulnerabilities and common misconfigurations,” Firstbrook says.

All of this has been evolving at a dizzying pace. It is clear that CISOs are on edge every day and need some serious help managing endpoints and keeping their networks free of malware, ransomware and significant breaches.

In some ways, the industry requires all of the above: integrated tools, open APIs, better, more data-rich analytics and companies that can take all of these capabilities and offer them as a service. Only really large corporations have a shot at staffing a team with all those capabilities, but there is no question that a need for these kind of capabilities and security services exists. It will be interesting to see how organizations sort it all out and how the market responds.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.