The hybrid and flexible working models that are now integral to so many organizations have shifted the cybersecurity paradigm and resulted in more emphasis than ever being placed on endpoint security. Devices have more sensitive documents stored on and traversing through them than ever before, while employees could be working from anywhere: at home or at a coffee shop or hotel using public Wi-Fi, with limited to no connectivity back to firewall-protected offices and data centers.
These devices are no longer backhauling traffic via a virtual private network (VPN) to their offices and on-prem data centers. The default is often a direct connection from their devices out to the Internet, where they're now connecting to cloud file servers and software-as-a-service (SaaS) applications, and they are active at all hours of the day.
This shift requires security teams to adapt. It fundamentally changes the profile and nature of endpoints — these devices are doing more than ever before, connecting to new places constantly, and finding new paths to productivity. With more sensitive data on these endpoint devices, it's imperative we recognize they aren't what they used to be and acknowledge that legacy defenses aren't doing enough to keep them secure.
Most organizations have responded to this change by layering additional controls on top of standard antivirus tools. These may include anti-malware, command-and-control (C2) beaconing protections, anti-ransomware agents on the endpoint (watching for mass file encryption and snapshotting files as it begins), and URL filtering. More mature organizations have enhanced their endpoint security with endpoint detection and response (EDR) or extended detection and response (XDR) platforms; subscribed to threat intelligence feeds to identify known bad websites; fed their telemetry into security orchestration, automation, and response (SOAR) platforms; or some combination thereof.
These enhancements considerably improve an organization's ability to catch known threats. They have a range of different strengths and use cases, but they share one thing: Regardless of their level of sophistication, the philosophy behind their detection mechanisms is the same. To stop the next threat, they look for attacks (or the patterns and hallmarks of attacks) that have been seen before, and only when they spot something that matches or closely resembles a previously encountered threat do they initiate a block.
But criminals think like entrepreneurs – they find creative solutions to achieve their goals. In cybersecurity, this means they have to adopt new tactics, techniques, and procedures to evade these legacy defenses.
As a result, security tools looking at past attacks need to be continuously updated and fine-tuned, creating manual, human-intensive workflows and preventing security teams from focusing on more proactive and strategic work. Meanwhile, "known unknown" or "unknown unknown" attacks that have never been seen before slip through these tools with ease. Ultimately, the complexity of modern attacks and the speed of attacker innovation have rendered this approach unworkable.
Securing the Endpoint Starts With Understanding It
The question of how to protect against "unknown unknowns" is complex: How do you stop something when you don't know what you're looking for? The answer may be surprisingly simple: It requires a shift from looking in the rearview mirror at past attacks to looking at the organization and learning how it normally behaves.
This shift in approach entails the use of artificial intelligence (AI) to learn the unique behavior and characteristics of each and every endpoint device. This enables the detection of subtle deviations from normal that indicate a cyber threat, as well as a targeted response: stopping malicious activity by enforcing a device's normal behavior.
This marks a significant step forward from the binary decision-making of most endpoint tools that are confined in their actions to "block" or "allow," which can lead to overly aggressive actions that quarantine devices and disrupt legitimate business.
Instead, this approach can specifically target the malicious activity and surgically remove the threat. This also lets the technology work alongside VPN services: It can cut off a device's communication with the attacker's infrastructure while leaving its VPN tunnel up, so human security personnel can still reach the infected device remotely.
Bringing Enterprisewide Context to the Endpoint
As endpoint activity becomes more intertwined with activity in cloud applications and email systems, using a single AI engine to gain visibility over multiple parts of your enterprise will result in something greater than the sum of its individual parts.
Take, for example, a ransomware attack that starts with a single, targeted phishing email. A remote worker clicks on a malicious link, which takes them to a website that initiates a browser download. Their device is then infected with malware and initiates C2 communication with the attacker's infrastructure, before uploading large amounts of data to a cloud server.
Only with unified coverage across email, endpoint, cloud, and network data can you determine at each stage of this intrusion that something unusual is going on, prioritizing the incident for the human security team or autonomously responding at each stage to stun the attacker in place.
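The two ideas above (learning each device's normal behavior and enforcing it, then correlating deviations seen by email, endpoint, network, and cloud telemetry into one incident) can be sketched in code. The following is an added example written for this page; it is not the original article's code nor any vendor's product logic. Every log line is constructed, the hostnames and the address 203.0.113.7 are documentation placeholders rather than real indicators, the stage labels are assumed, and the thresholds (three standard deviations for volume, 5% jitter for beaconing) are illustrative choices, not a recommended tuning:

```python
"""Per-device behavioral baseline, cross-source correlation, targeted response.

Added example (not the page's or any vendor's code). All log lines are
constructed; hostnames and 203.0.113.7 are placeholder values.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Which telemetry source sees which stage of the chain described in the text
# (assumed labels for this example).
STAGE_BY_SOURCE = {"email": "initial_access", "endpoint": "delivery",
                   "network": "c2", "cloud": "exfiltration"}


def constructed_baseline():
    """Five synthetic working days of one laptop's normal outbound traffic."""
    log = []
    for day in range(5):
        for hour in range(9, 18):
            t = day * 86400 + hour * 3600
            log += [(t, "vpn.example", 40_000),
                    (t + 600, "sharepoint.example", 120_000),
                    (t + 1200, "mail.example", 30_000)]
    return log


def build_profile(log):
    """Learn 'normal' for this device: where it talks, how much, and when."""
    sizes = [b for _, _, b in log]
    return {"dests": {d for _, d, _ in log},
            "mean": mean(sizes), "std": pstdev(sizes),
            "hours": {(t // 3600) % 24 for t, _, _ in log}}


def constructed_attack():
    """Phishing -> download -> C2 -> exfiltration from the text, with one
    ordinary SharePoint upload mixed in (all constructed)."""
    t0 = 5 * 86400 + 9 * 3600 + 12 * 60          # day 6, 09:12
    ev = [{"ts": t0, "source": "email", "dest": "invoice-portal.example", "bytes_out": 2_000},
          {"ts": t0 + 60, "source": "endpoint", "dest": "invoice-portal.example", "bytes_out": 5_000},
          {"ts": t0 + 2_880, "source": "cloud", "dest": "sharepoint.example", "bytes_out": 120_000}]
    for i in range(10):                           # check-in once a minute, ~1 s jitter
        ev.append({"ts": t0 + 300 + i * 60 + (i % 2), "source": "network",
                   "dest": "203.0.113.7", "bytes_out": 800})
    ev.append({"ts": 5 * 86400 + 22 * 3600, "source": "cloud",   # 22:00, off hours
               "dest": "storage.cloud-example", "bytes_out": 900_000_000})
    return ev


def deviations(ev, profile):
    """Reasons a single event departs from the device's learned baseline."""
    reasons = []
    if ev["dest"] not in profile["dests"]:
        reasons.append("new_destination")
    if ev["bytes_out"] > profile["mean"] + 3 * profile["std"]:
        reasons.append("volume")
    if (ev["ts"] // 3600) % 24 not in profile["hours"]:
        reasons.append("off_hours")
    return reasons


def beaconing_destinations(events, min_count=5, max_jitter=0.05):
    """Hosts contacted at near-constant intervals: the periodic check-in of a
    C2 implant, spotted without any signature for the implant itself."""
    by_dest = defaultdict(list)
    for ev in events:
        by_dest[ev["dest"]].append(ev["ts"])
    beacons = set()
    for dest, times in by_dest.items():
        if len(times) < min_count:
            continue
        ts = sorted(times)
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if pstdev(gaps) <= max_jitter * mean(gaps):
            beacons.add(dest)
    return beacons


def build_incident(events, profile, window=24 * 3600):
    """Correlate anomalies from every source into one incident for the device,
    so a reviewer sees the whole chain instead of four unrelated alerts."""
    beacons = beaconing_destinations(events)
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        reasons = deviations(ev, profile)
        if ev["dest"] in beacons:
            reasons.append("beaconing")
        if reasons and (not hits or ev["ts"] - hits[0]["ts"] <= window):
            hits.append({**ev, "reasons": reasons})
    stages = list(dict.fromkeys(STAGE_BY_SOURCE[h["source"]] for h in hits))
    return {"hits": hits, "stages": stages, "severity": len(stages)}


def targeted_response(incident, profile):
    """Surgical containment: block only destinations outside the baseline and
    keep every known-good path (including the VPN gateway) open. Deviations
    on known destinations are left for a human to judge."""
    return {"block": sorted({h["dest"] for h in incident["hits"]} - profile["dests"]),
            "keep": sorted(profile["dests"])}


def run_example():
    profile = build_profile(constructed_baseline())
    incident = build_incident(constructed_attack(), profile)
    return profile, incident, targeted_response(incident, profile)


if __name__ == "__main__":
    _, inc, resp = run_example()
    for h in inc["hits"]:
        print(f'{h["source"]:8} {h["dest"]:24} {",".join(h["reasons"])}')
    print("stages:", inc["stages"], "| block:", resp["block"], "| keep:", resp["keep"])
```

Run as-is, the script flags all four stages of the constructed chain (the legitimate SharePoint upload on the same day is not flagged, because that destination, volume, and hour are all within the baseline), and the response blocks only the three never-seen destinations while vpn.example stays reachable. On real telemetry the baseline would be learned continuously per device rather than from a fixed log, and the window and thresholds would need tuning per environment.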
Endpoints Have Changed, and So Should Security
We are in an era where data flows more freely between devices, cloud systems, and the Internet; more sensitive data lives directly on devices; and those devices are active for more hours of the day. Meanwhile, attackers continue to innovate with new tools and techniques to access the data on those devices.
Strong endpoint security means maintaining visibility over these devices, but it also entails the ability to illuminate novel threats, regardless of their nature; bring enterprisewide context onto endpoint activity; and respond in a timely and targeted manner, keeping today's dynamic workforce safe while maintaining productivity.