(A preview for the soon-to-be released SC Media eBook “Endpoint security: Critical in the fight against ransomware.”)
Today’s cyber criminals are spoiled for choice.
Instead of waging an all-out frontal assault on an organization’s firewall defenses, attackers now have millions of backdoor endpoints they can try poking and prodding, biding their time until a vulnerability presents itself that allows them a foothold into a target’s network. Once that foothold is established, it becomes much easier for bad actors to move laterally through a network undetected and thereby steal, damage or hold data for ransom.
The risk has compelled many organizations to take their endpoint security much more seriously. Fortunately, the cyber community has rallied to the cause and sought to equip businesses with better understanding, availability of tools, and policy guidance geared around common endpoint vulnerabilities.
Here’s some of the top recommendations we’ve put together.
Steps to optimizing endpoint security
- Patch, patch, patch. Patching should be as natural as breathing, something done often and automatically. Of course, organizations are inevitably going to encounter instances where patching isn’t possible, such as lack of continued vendor support for example. But when it’s in their power to do so, patching should be the priority. "Exploiting a vulnerability is once again the leading root cause this year, which means we're still not properly patching our environments,” says John Shier, Senior Security Advisor at Sophos. "I think there's been partly a collective failure across the entire industry. But we've got to get better at producing more secure software."
- Always use backups. Physical backups have stood the test of time. In the event that ransomware takes down a company’s systems or encrypts their data, backup copies stored in an off-site physical location can be used to restore these assets and mitigate disruption to the business. However, backups should be attended to and inspected on a regular basis. “A lot of people think they have backups, but it turns out the backups haven't been working for six months or it takes their team three days to restore because they weren’t trained on the procedure,” says Chester Wisniewski, Field CTO of Applied Research at Sophos. His company recommends scheduling automatic backups on a routine basis, taking a manual backup right before and after configuration changes or firmware upgrades, as well as saving backups at a safe, separate location with a secure storage master key.
- Invest in solid endpoint security tooling. It can be overwhelming to survey the security solutions landscape when hunting for endpoint protection tools. Company whitepapers burst with acronyms that hype the latest solutions – EDR, NDR, XDR, EDPR, the list goes on. Global enterprise spending on endpoint protection is expected to pass $26.4 billion by 2025, suggesting that companies see the value in tools that can monitor and generate real-time alerts regarding endpoint health. “We saw a variety of different attack types in this year’s ransomware data,” says Shier. “This diversity might be due to attackers not achieving their end objectives. More companies are adopting EDR, NDR and XDR which allow them to spot trouble sooner. This in turn means they can stop an attack in progress and evict the intruders before the primary goal is achieved – or before another, more malignant intruder finds a protection gap first located by a lesser adversary.”
- Be a zero-trust evangelist (but also know your audience). Zero trust security is the idea that no one can be trusted on the network – not outsiders, not insiders, not IT security, not even C-suite leadership – unless they have the right authorization and can prove they are who they say they are. However, before applying maximally restrictive controls in blanket fashion across the enterprise, your organization might consider identifying which endpoints merit the most security and which ones can afford a little more leniency. “I recommend companies, especially those with a remote-first working model, do what I call a traffic light protocol,” says Wisniewski. “Sit down and figure out what all your applications are. Some apps will be green light, meaning you can bring your own device to access that app. Some apps are yellow light — you can bring your own device, but I'm gonna make you use two factor authentication to get access to them. The remaining apps are red light — for these, you must use a company-issued device, it's got to have multifactor [authentication], and it's got to be fully managed and up-to-date and secure” because that device has the potential to interface with an organization’s most sensitive data.
- Partner with a MDR vendor. Whether you’re looking for peace of mind or simply lack the headcount and expertise to execute on these plans yourself, consider partnering up with a company offering managed detection and response (MDR) service. MDR vendors bring a wealth of resources to the table – elite threat hunting experts, advanced endpoint scanning tools, rapid incident response, and contextual threat intelligence – that can help organizations proactively address their endpoint vulnerabilities. One of the biggest advantages of MDR, besides getting dedicated from highly-sought after threat hunters, is the massive data they bring to the fight. By working with thousands of clients around the world, they have significantly more threat data at their fingertips than the average organization is privy to. Moreover, with the help of automation and AI, the MDR vendor can spot suspicious activity and pick up on patterns in a matter of minutes rather than the months it might take others, and then use that knowledge to immediately alert customers or take action on their behalf to remove those threats.
