Endpoint
7/21/2014
12:00 PM
Candace Worley
Candace Worley
Commentary
100%
0%

Internet of Things: Security For A World Of Ubiquitous Computing

Endpoint security is hardly dead, and claiming that it is oversimplifies the challenges corporations face now and in the not-very-distant future.

I got an email from my car the other day, informing me about its need for service. As a security professional, I found it unsettling, not surprising, but unsettling. What’s my car doing on the Internet, anyway? What are the possible implications of that?

Security practitioners within corporate IT are rightly focusing on the emerging risks presented by laptops, tablets, and smartphones when used by employees and contractors in the course of doing business. But other trends are developing all around us that challenge the foundations of our security assumptions.

For example, while worrying about employee behavior at work, we can lose sight of the fact that computing is becoming part of daily life in such a way that it’s nearly impossible to separate "work" and "personal" activities and devices. The concept of a corporate boundary is dissolving as computing and communication endpoints embed themselves in a growing number of devices like thermostats, medical devices, my car, and, in the near future, my clothing. These trends have profound implications for the security industry.

In anticipating our future reality, we only have to look at the recent past and the wide uptake of smartphones. People started bringing them into their workplaces -- spurring the BYOD trend and broad adoption of smartphones in business.

The cybercrime industry was quick to respond. Where mobile malware was once the frontier for malware innovators, today it’s almost a mainstream delivery mechanism. Mobile malware grew 197% between Q4 2012 and Q4 2013, according to McAfee’s Q4 2013 Threat Report.

The death of endpoint security? Not yet
As more devices join the universe of computing endpoints, we should expect a similar uptick in exploits and malware. The endpoint will always be an attractive target for those who seek to intercept or steal information or infiltrate networks.

Given the scope of the problem, it’s fashionable nowadays to claim that endpoint security is ineffective. Endpoints are often considered the weakest link in the security infrastructure, because they are furthest from any central control and there is generally a human using them.

But to claim that endpoint security is dead is to oversimplify the challenges corporations currently face. Now more than ever, endpoint security has a critical role to play in ecosystems that protect highly diverse corporate computing environments against complex security problems.

Layered defenses, but across multiple dimensions
Despite what any security vendor may wish you to believe, there’s no single way to secure either your personal data and identity or corporate systems and data. While layered defenses have been a best-practice in corporate security for many years, in today’s increasingly complex security environment we need to expand our thinking to layers across many dimensions. Specifically, security requires holistic approaches that span people, infrastructure, data, and applications.

People: The boundaries between personal and professional online activities and identities are blurring. Corporate security measures must accept this reality and support people with everything from online identity controls to simplified, embedded processes, making secure computing as easy and transparent as possible.

Infrastructure: Corporations are very adept at securing traditional infrastructure elements such as desktops, laptops, and servers. The security and policies applied to these devices may not be effective with devices as diverse as phones, tablets, wearables, and the Internet of Things. Security controls and measures need to become more intelligent and integrated in order to secure the ever-expanding universe of endpoints and devices.

Data: Pervasive computing capability means that data is highly nomadic. As network boundaries erode, you need to put controls around the data itself. In addition to access and authentication controls, companies must track and audit where sensitive data travels, while empowering people to collaborate and be productive.

Applications: Security isn’t something that can be tacked onto an application at the end of its development. Even in an environment with significant time-to-market pressures, application developers need to be part of the holistic approach to security, delivering vulnerability free software that considers the implications of sensitive and/or regulated data.

Security for the way we live
The biggest shift I see in the industry is that we need to move beyond thinking of security as a set of extra steps, processes, or systems built around our computing environment. As computing becomes more pervasive and embedded, often unseen, in our daily lives, we need to design holistic approaches to security that match the way we live and work.

It’s an exciting time to be in the security industry. There won’t be just one single answer or solution. Many players will be involved in a holistic, systems-based approach to security. And the environment will continue to evolve, as endpoints expand and innovative new technologies enter both our business and personal lives. Security practitioners and developers will be challenged to be innovative and collaborative in adapting to the constantly evolving threat environment.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
William L. Lind
50%
50%
William L. Lind,
User Rank: Apprentice
7/25/2014 | 8:29:19 AM
Re: The endpoint is not dead
The government should ensure about internet security. The use of the internet should be free of malware. But unfortunately the rate of using malware are increasing day by day at a raid pace. Some essay writing service reviews did it correctly. I appreciate those companies.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
7/24/2014 | 2:00:33 PM
Re: The endpoint is not dead
Thanks, Candace. To your point about endpoint security being comprised of a broad spectrum of technologies, Rick Gordon, Managing Partner at Mach37 an early-stage tech venture development company, backed your take up in a Dark Reading Radio broadcast earlier this month. He said he was seeing some startup activity in endpoint security and "the emergence of next generation leaders."  

Good news for the customer base.. more competition for McAfee & other mainstream players.
Candace Worley
100%
0%
Candace Worley,
User Rank: Author
7/24/2014 | 12:06:53 PM
Re: The endpoint is not dead
The security industry has been dancing around the idea that anti-virus is dead for many years, so it is not really shocking when someone says it out loud. My take on this topic is that it is not so much that AV is dead as it is taking a less prominent role. Endpoint security is inclusive of a broad spectrum of technologies many of which are critical in applying good security hygiene. Rather than being the primary medium through which organizations secure their endpoints AV is now in a supporting role with companies relying heavily on a multi-tiered approach. It takes a village, from the endpoint to the heart of the network, to protect all businesses from the most advanced threats out there.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
7/23/2014 | 9:00:18 AM
Re: The endpoint is not dead
I think as malware evolves so must endpoint. I have seen crowdstrike adapt such as providing a real-time cloud endpoint solution. Other companies have simply incorporated it into a UTM strategy. But to say endpoint security is ineffective is just a blanket statement. Any security control by itself is relatively ineffective, especially when comparing it against specific threat vectors. It takes different safegards working together (IDS/IPS, Firewall, Anti-Virus, WebSecurity, DLP) to make a cohesive effective solution. And even those working in tandem isn't 100%. Awareness and end user education is also a big must for a secure environment.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
7/22/2014 | 11:00:25 AM
The endpoint is not dead
Thanks for a very interesting blog, Candace. Curious to know if when you mention "it's fashionable nowadays to claim that endpoint security is ineffective" are you referring to quotes from Symantec's execs that antivirus is dead, or something more general? 
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7052
Published: 2014-10-19
The sahab-alkher.com (aka com.tapatalk.sahabalkhercomvb) application 2.4.9.7 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-7056
Published: 2014-10-19
The Yeast Infection (aka com.wyeastinfectionapp) application 0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-7070
Published: 2014-10-19
The Air War Hero (aka com.dev.airwar) application 3.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-7075
Published: 2014-10-19
The HAPPY (aka com.tw.knowhowdesign.sinfonghuei) application 2.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-7079
Published: 2014-10-19
The Romeo and Juliet (aka jp.co.cybird.appli.android.rjs) application 1.0.6 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.