Everywhere you turn nowadays there’s a new endpoint. Whether it’s users’ laptops, smart phones or tablets — it seems everyone is carrying around multiple devices that are used for work and pleasure. Long gone are the days of the staffer armed with only their work-issued laptop and smartphone.
This continues to have a profound impact on how enterprise security teams must handle endpoint security.
The world keeps adding not only more endpoints, but more types of endpoints. When addressing how growing endpoints add incrementally to the enterprise attack surface, it’s not just laptops, tablets or smartphones any longer. There are even more xIoT (eXtended Internet of Things) devices coming online when one considers all the connected sensors, operational devices, smart devices, connected medical devices and more. These are also endpoints, and they increase the threat surface.
“When we think of endpoints, we think of something that we use for work — your laptop, a tablet, a smartphone, something that's easily controlled and that you can put a policy on,” said Matt Hickey, vice president of sales engineering at Sophos. But companies must widen their perspective regarding endpoints, he said, adding, “I think sometimes organizations lose focus that endpoints do include servers as well, and that goes beyond just Windows servers. I hear customers talk about antivirus for Linux or endpoint protection, but it’s simply a checkbox for compliance and they really don't take the effort to actually harden those devices.”
Organizations must also consider their servers and associated vulnerabilities. Vulnerable servers, for instance, have been used by threat actors to launch everything from disabling distributed denial of service attacks, theft of vast amounts of data, to stunning ransomware attacks that halted the delivery of critical care.
The long shadows of enterprise risk
Then there’s the role of shadow IT accelerating the growth of endpoints in the enterprise. Gartner predicts that by 2027, 75% of employees will acquire, modify or create technology outside of IT’s visibility and in a recent CyberRisk Alliance’s survey on endpoint security, 20% of respondents cited shadow IT as a significant challenge to endpoint security.
Shadow IT, which is widely defined as any technology device, software, or software service that is installed without the IT department’s knowledge — including both endpoints and infrastructure — introduce significant risk and play an instrumental role in getting the attackers in place to conduct their attacks. As the attacker gains entry into the endpoint, they then use that foothold to move laterally through the organization to access even more valuable systems and troves of data. Often, attackers burrow into these endpoints, and even their lower-level firmware, to gain a persistent presence in the organization.
Wide window of vulnerability
To even hope to reach a baseline of risk management, organizations must patch all of these devices — a monumental effort in itself. And as Hickey pointed out, organizations need to be able to patch all of these endpoints — but the reality is that enterprise security and operations teams have barely kept pace with rising patching demands. This leaves the need to patch all of the endpoints. “One thing that hasn't changed since we began tracking this statistic is that the average length of time between when a vulnerability is known for a Windows Server to when it gets patched is still approximately 200 days,” Hickey said. “That is a huge window of opportunity.”
It's also a huge window of vulnerability and risk. Even so, the growth in endpoints isn’t expected to slow any time in the near future. According to a September 2023 CRA Business Intelligence survey, 63% of IT security decision-makers said they have 1,000 or more endpoints and 37% report that number is over 5,000. Hickey contends that a context-sensitive endpoint defense is the way forward. As we recently covered, context-sensitive endpoint defense helps to improve traditional endpoint security by putting to use all of the relevant data so that security teams and their defenses can rapidly contain pressing attacks.
According to Sophos’s description, context-sensitive defense helps to automate existing security tools. By gleaning the data from endpoints as well as also firewall, authentication systems, SIEMs, threat databases, network logs, as well as anti-malware systems, context-sensitive defenses enable a more swift and comprehensive threat response because the attack is identified more quickly, and the security defenses have the precise data they need to be able to command systems to stop it.
Further, the alerts sent to security analysts provide all of the relevant data they need to respond. For most security professionals who are grappling with ever more devices and vulnerable systems — such capabilities can’t come soon enough.