
Survey: Not all endpoints are observed equally. How to strike a better balance


In a perfect world, every endpoint is accounted for and kept under lock and key. 

No matter where they reside or who uses them or how much traffic they ferry in a corporate network on a given day, endpoints in this utopia are just as safe and secure as the most tightly guarded on-site data center. 

Of course, we live in something much closer to a dystopia. Security teams are frequently understaffed, cybersecurity investments come too little too late, and legacy defenses struggle to keep tabs on ever-expanding libraries of devices, sensors and Internet-connected appliances residing at the network periphery.    

The result is that not all endpoints are observed equally. 

According to a recent survey of IT and security professionals, just 59% of respondents are confident their organizations are monitoring 75% or more of their endpoints on a regular basis. That means roughly 4 out of 10 security pros work at organizations where rogue endpoints are operating beyond their security teams' oversight. When you consider that 63% of respondents attest to having over 1,000 endpoints on their network, the likelihood of a compromised endpoint resulting in unauthorized access is high.  

And that is exactly what happens, with three out of every five respondents admitting to one or more endpoints being compromised under their watch in the last year. With that kind of average, it's no wonder adversaries focus their attention on seizing vulnerable endpoints and misconfigured applications. It’s certainly more palatable than penetrating corporate firewalls head-on. 

While the conditions that create this nightmare aren’t likely to recede any time soon, organizations need not raise a white flag of surrender either. Getting comprehensive visibility of your endpoints can be accomplished, but it takes work and an open mind. Here’s how. 

Unified endpoint management platform

When it comes to managing and securing endpoints, many companies may feel like they’re looking through a kaleidoscope. Almost as soon as they get their bearings, the image shifts and blurs as new IT assets join the fray. It doesn’t help that organizations may use security products from multiple vendors, which can create incomplete or contradictory assessments of what is known versus what is unknown. What’s needed is a single source of truth that gives SOCs visibility over all mobile and other devices in use on their networks. Unified endpoint management (UEM) platforms aim to do just that, acting as centralized command consoles where devices can be configured, tracked, logged, secured and vetted for compliance. UEMs also help companies discover previously unknown Internet-facing connections. As one respondent in CRA’s survey says, “our biggest concern is the inability to know basic answers to questions like whether an asset is known or unknown, where it’s located, what it is, and whether it’s configured correctly.” With UEM, companies finally get answers to those questions.
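As an added illustration (not code from the article or from any UEM vendor), the script below does in miniature what a single source of truth has to do: reconcile what the network actually sees against what the management and EDR tools know, label each endpoint as monitored, stale, managed-but-unmonitored or unknown, and compute the coverage ratio the survey asks about. All inventories, MAC addresses and timestamps are constructed sample data; the stale-agent threshold is an assumption.

```python
from datetime import datetime, timedelta

# Constructed sample inventories, keyed by normalised MAC address.
# The article's point is that these three views of "our endpoints" disagree.
DISCOVERED = {  # what the network sees, e.g. DHCP leases or an ARP sweep (assumed source)
    "aa:bb:cc:00:00:01": "ws-finance-01",
    "aa:bb:cc:00:00:02": "ws-hr-07",
    "aa:bb:cc:00:00:03": "printer-3f",
    "aa:bb:cc:00:00:04": "unlabelled-iot",
    "aa:bb:cc:00:00:05": "laptop-byod",
}
UEM_ENROLLED = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:05"}
EDR_LAST_SEEN = {  # EDR agent check-ins: MAC -> last heartbeat (constructed)
    "aa:bb:cc:00:00:01": datetime(2024, 5, 10, 9, 0),
    "aa:bb:cc:00:00:02": datetime(2024, 4, 1, 9, 0),   # agent went quiet weeks ago
    "aa:bb:cc:00:00:09": datetime(2024, 5, 9, 18, 0),  # agent with no matching network sighting
}
NOW = datetime(2024, 5, 10, 12, 0)
STALE_AFTER = timedelta(days=7)  # assumed: an agent silent this long is not "monitored"


def classify(mac, uem, edr_seen, now, stale_after):
    """Label one discovered endpoint by how well the tools actually see it."""
    seen = edr_seen.get(mac)
    if seen is not None and now - seen <= stale_after:
        return "monitored"
    if seen is not None:
        return "stale_agent"          # enrolled once, silent now; treat as unobserved
    if mac in uem:
        return "managed_no_edr"       # UEM knows it, but no detection telemetry
    return "unknown"                  # on the network, in no inventory at all


def reconcile(discovered, uem, edr_seen, now=NOW, stale_after=STALE_AFTER):
    """Build the unified view: per-host status, orphaned agents, coverage ratio."""
    status = {mac: classify(mac, uem, edr_seen, now, stale_after) for mac in discovered}
    ghost_agents = sorted(set(edr_seen) - set(discovered))  # reporting in, never seen on-net
    monitored = sum(1 for s in status.values() if s == "monitored")
    coverage = monitored / len(discovered) if discovered else 0.0
    return {"status": status, "ghost_agents": ghost_agents, "coverage": coverage}


def meets_target(result, target=0.75):
    """The survey's yardstick: is at least 75% of the estate actually observed?"""
    return result["coverage"] >= target


if __name__ == "__main__":
    result = reconcile(DISCOVERED, UEM_ENROLLED, EDR_LAST_SEEN)
    for mac, label in result["status"].items():
        print(f"{mac}  {DISCOVERED[mac]:<16} {label}")
    print(f"ghost agents: {result['ghost_agents']}")
    print(f"coverage: {result['coverage']:.0%}  target met: {meets_target(result)}")
```

Run against real exports, the "unknown" and "stale_agent" rows are the list a team works from, and the ghost agents are worth a second look because they are telemetry for hosts no network source can place.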

Pair EDR with XDR for added visibility

Think of endpoint detection and response (EDR) as a guardsman standing watch over castle ramparts. It’s vigilant, wary of anything remotely suspicious and is great at calling for reinforcements as soon as an attack is underway. At the same time, its focus is entirely devoted to endpoints and not much else. But context is king in cybersecurity, and the more awareness you can extend to the broader IT architecture the more insight you’ll have into how attacks travel through the network. Extended detection and response (XDR) solutions incorporate more data sources than just endpoints, such as firewall, email and cloud, to give organizations visibility beyond endpoints and servers. By combining data sources, XDR allows information to be displayed in a central location, giving security teams the ability to zoom in on activity, where needed, and investigate alerts with more context. 

Consider integrating AI and machine learning capabilities

The sheer volume and variety of endpoints can fatigue security teams who don’t have the bandwidth or time to monitor all endpoints at all hours. Fortunately, recent advances in AI and machine learning make it possible for organizations to scale their security in line with such sprawl. AI can process threat data from across an organization and provide both rich context and better visibility of endpoint activity to help analysts make informed decisions about how to react in any given moment. More security vendors are integrating AI applications with their EDR and XDR solutions. This means that, while traditional EDR products are only programmed to detect threat activity that is documented and known, the latest generation of AI-enhanced tools (with the aid of deep learning neural networks, Bayesian models and clustering) can detect malware that’s never been encountered before, signature or no signature. 

Add threat hunting vigilance with MDR

Many companies would like to add more IT and security expertise to their ranks, but simply can’t afford it. Other companies might have the headcount, but find themselves bogged down by endless alerts and tickets that prevent them from working on more strategic security initiatives. Managed detection and response (MDR) isn’t just a lifeline for these companies, it’s also a great resource for raising endpoint visibility. The value of an MDR service is that companies get dedicated 24/7 support from skilled threat hunters and incident responders for a fraction of the cost it would take to employ them in-house. Moreover, customers get the benefit of working with teams that are operating on a vastly larger playing field than just a single company. And that means significantly more knowledge about how bad actors use endpoints to get in.

“One of the advantages of providing MDR to more than 17,000 organizations is that we get to see the same attackers repeatedly,” says Chester Wisniewski, Field CTO of Applied Research at Sophos. “This enables us to spot patterns more quickly and see through much of the smoke screen left behind by the naming of different ransomware strains and criminal nicknames.”

The bottom line: defense-in-depth is the way forward

While any one of the aforementioned measures can help companies get a better reading of their endpoints, combining them in a unified defense-in-depth approach is guaranteed to make criminals sweat. Companies might have felt confident their endpoints were secure behind corporate firewalls, but those days are long over. BYOD is here to stay; shadow IT is likely going to get worse before it gets better; and endpoints will continue to proliferate and multiply at the network edge.

Visibility doesn’t have to be sacrificed in the pursuit of productivity and convenience, though.

“When you add these technologies to pre-execution protection, behavioral detection, machine learning models, client firewalls, DLP, application control and XDR, you are starting to look at a comprehensive stack of defenses for attackers to overcome – even if the endpoints themselves are now free-range,” says Wisniewski. 

Daniel Thomas

Daniel Thomas is a technology writer, researcher, and content producer for CyberRisk Alliance. He has over a decade of experience writing on the most critical topics of interest for the cybersecurity community, including cloud computing, artificial intelligence and machine learning, data analytics, threat hunting, automation, IAM, and digital security policies. He previously served as a senior editor for Defense News, and as the director of research for GovExec News in Washington, D.C.
