Endpoint Security: A Never-Ending Battle to Keep Up

Enterprises trying to protect their endpoints are up against it. Employees who bring their own devices to work, new threats from phishing and legacy servers and workstations all present a big target for the bad guys.

There's also the need to protect data in newer endpoints in the cloud.

Securing endpoints is an ongoing battle, and what may have worked in the past is no longer effective as malicious actors constantly evolve their methods. (See Endpoint Security: 3 Big Obstacles to Overcome.)

"The reality is that attackers have changed their game," Atif Mushtaq, CEO of Slashnext, told Security Now. "Where old attack schemes required the attacker to find a way in, now they set bait." This includes website ads and pop-ups, social media messages and browser plug-ins, ransomware, fileless attacks and zero-days exploits.

Signature and sandbox-based technologies are consistently failing to detect polymorphic malware, according to SlashNext. And they were never designed to flag phishing, social engineering and so-called callback threats, where malware seeks instructions from infected enterprise hosts.

(Source: Flickr)

All of which targets humans, rather than network or code vulnerabilities.

Traditional AV tools are failing to keep up with hackers focused on new attack vectors.

"Enterprises content with standard AV are doomed to be breached and hacked, " said Aaron Zander, an IT engineer at HackerOne, a firm which runs bug bounty programs. "The major AV providers aren't advancing fast enough."

In some cases, he views traditional AV technology as on a par with the malware it seeks to detect. This is because of processor slowdowns caused by AV processing, and outdated operating systems, impairing machines while productivity drops off.

However, the ingenuity of hackers coupled with the high cost of attacks means enterprises need to constantly be searching for answers.

"After being hit by the ExPetr attack, Maersk had to reinstall software on its entire infrastructure, including 45,000 work stations," said Jason Stein, vice president of channel at Kaspersky Lab North America. "This resulted in the company conducting its operations offline for ten days, with losses of up to $300 million, not including reputational damage."

Slow detection, slow remediation
Symantec claims enterprises employ an average of seven agents to manage end-user devices, creating silos that slow detection. Then there's the challenge of protecting legacy devices that use end-of-life operating systems which are not supported by the latest security solutions. (See Data Breach Increase Shows Endpoints Are Under Attack.)

"Often, the devices have limited resources and computing capabilities, which means that running the latest generation of security may simply not be possible," said Michela Menting, research director at analyst firm ABI Research.

Slow or non-existent protection inevitably leads to damage, and the remediation operation can be reduced to a snail's pace as time is lost to quarantining, clean-up, restoring data and updating. Some organizations struggle to attribute sophisticated attacks, and this makes handling them more challenging.

There are also legal requirements to report attacks to enterprise customers or national authorities, which in itself is a slow process, and can shred brand value.

BYOD
As enterprises harden endpoints such as PCs, Macs and laptops, hackers have gradually switched their attention to mobile devices, which have become softer targets, not least because they are owned by the employee and used outside of the workplace.

But counter to the BYOD trend of the last decade, there's a resurgence in enterprises supplying their own devices to employees, so they can be more closely managed. Companies are also re-architecting networks to take account of what information applications and employees want to access, securing from the inside out.

"When a device becomes corporate-liable, companies can manage them much the way they do any other computer," said Jason Lamar, senior director of product management at Cisco's security business group.

Mobile vs. desktops and laptops
In some ways, endpoint security is not necessarily about the device, but about the visibility a company has into it. But some organizations can easily lose track of where data goes.

A good example of this is where an employee uses a tablet to transfer data from their corporate email to, say, Dropbox. Once they are off the network, visibility ceases, and often companies don't even know that data was downloaded to a tablet.

From another perspective, mobile end-user devices are increasingly being viewed as weak points versus static desktops or even laptops.

"Generally, mobile devices are thought of as less secure, but they were designed and created with the backlog of computer security experience in mind, so they are not inherently insecure," said ABI's Menting. "[But] in some ways they can be more secure since the diversity of OS types and versions makes them more difficult for threat actors to target them."

Protecting the cloud
Servers in data centers are now endpoints. As enterprises rush to migrate on-premises servers to the public cloud, such as Microsoft Azure or Amazon Web Services, data moves through containers and workloads. To make this secure, cloud environments can use APIs to integrate with DevOps processes and cloud services.

"Businesses are moving to direct Internet access to accommodate their cloud strategies," said Robert McBride, director of enterprise and telco solutions at Versa Networks. "Now they're faced with adapting their edge infrastructure security due to the increased attack surface, with distributed direct access to the Internet versus centralized."

Servers are hardware-based endpoints, but in the cloud, they're virtual endpoints.

"With current infrastructure being built around virtualization, security of virtual endpoints needs to be a top priority," said Bitdefenders's senior eThreat analyst Liviu Arsene. "The increased sophistication of threats requires protection technologies outside the operating system, fully leveraging the capabilities of the hypervisor."

Many answers
So, with so many different types of endpoint, with so many vulnerabilities, what's the answer?

"Intrusion prevention, device control and system lockdown can defend against attacks, as well as protection technologies like encryption in case the device is stolen," said Sri Sundaralingam, head of product marketing, enterprise security products, at Symantec. "Data Loss Prevention (DLP) for both desktops and laptops is also valuable to ensure businesses have data privacy policies in place that meet GDPR and HIPAA compliance requirements."

Legacy devices could plausibly eventually be phased out -- that would be expensive -- but in the meantime, patching and updating operating systems is viable. Also, network segregation and network security controls can mitigate potential threats, but because security is normally embedded into the hardware of legacy devices, they're normally reliant on the network's security. (See Verizon: Change the Attacker's Value Proposition.)

Kaspersky advises that once a device has been infected, it's no longer safe and the only appropriate response is to erase and reinstall. Understanding the device's traffic within the network helps establish what effect an exploit may have as it spreads to other endpoints.

It's a good maxim to be prepared before security collapses and reaches this stage, and reliance on traditional AV needs to be reduced. That's because it functions on an outdated whitelist/blacklist model that simply doesn’t capture the latest malware and virus attacks.

No doubt that with so many variables in play for companies, it would be a benefit if more security solutions were interoperable and available for a more holistic approach.

"We need more interoperability across the security industry," said Cisco's Lamar. "Ideally vendors will standardize on one framework, but that's wishful thinking."

Related posts:

— Simon Marshall, Technology Journalist, special to Security Now