Dark Reading is part of the Informa Tech Division of Informa PLC


Endpoint Security

08:05 AM
Simon Marshall

Endpoint Security: A Never-Ending Battle to Keep Up

Endpoint security has evolved over the last several years as the BYOD trend has slowed, but enterprises are still uploading more data to the cloud, which is accessible on more devices. Even the notion of what an endpoint is has changed. What can enterprise security do?

Enterprises trying to protect their endpoints are up against it. Employee-owned devices brought to work, new phishing campaigns, and legacy servers and workstations all present a big target for the bad guys.

There's also the need to protect data in newer endpoints in the cloud.

Securing endpoints is an ongoing battle, and what may have worked in the past is no longer effective as malicious actors constantly evolve their methods. (See Endpoint Security: 3 Big Obstacles to Overcome.)

"The reality is that attackers have changed their game," Atif Mushtaq, CEO of Slashnext, told Security Now. "Where old attack schemes required the attacker to find a way in, now they set bait." The bait includes website ads and pop-ups, social media messages and browser plug-ins, and the payloads range across ransomware, fileless attacks and zero-day exploits.

Signature and sandbox-based technologies are consistently failing to detect polymorphic malware, according to SlashNext. And they were never designed to flag phishing, social engineering and so-called callback threats, where malware already running on an infected enterprise host calls out to attacker infrastructure for its next instructions.
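A callback leaves no new file for a signature scanner to match, but it does leave a timing pattern in outbound traffic. The following added example (not code from the article or from SlashNext) parses constructed proxy log lines in an assumed `timestamp client host status bytes` format, groups requests by client and destination, and flags pairs whose inter-request gaps are almost constant, which is what a sleep()-driven implant with little jitter looks like next to a human browsing session. The hostnames, addresses and the 5% jitter threshold are all assumptions for illustration.

```python
"""Beacon (callback) detection over proxy logs: added example, not from the article."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log; format assumed: "<ISO timestamp> <client_ip> <host> <status> <bytes>".
# 10.1.4.22 talks to telemetry.example.net every ~300 s (the implant);
# 10.1.4.37 reads news.example.com at irregular, human-looking intervals.
SAMPLE_LOG = """\
2018-05-01T09:00:00 10.1.4.22 telemetry.example.net 200 15320
2018-05-01T09:00:05 10.1.4.22 cdn.example.org 200 8812
2018-05-01T09:05:01 10.1.4.22 telemetry.example.net 200 312
2018-05-01T09:10:00 10.1.4.22 telemetry.example.net 200 298
2018-05-01T09:12:43 10.1.4.22 mail.example.com 200 44010
2018-05-01T09:15:02 10.1.4.22 telemetry.example.net 200 305
2018-05-01T09:20:01 10.1.4.22 telemetry.example.net 200 301
2018-05-01T09:25:00 10.1.4.22 telemetry.example.net 200 299
2018-05-01T09:01:10 10.1.4.37 news.example.com 200 120044
2018-05-01T09:03:55 10.1.4.37 news.example.com 200 98771
2018-05-01T09:31:02 10.1.4.37 news.example.com 200 130004
2018-05-01T09:44:15 10.1.4.37 news.example.com 200 101233
2018-05-01T09:58:37 10.1.4.37 news.example.com 200 99120
"""


def parse_log(text):
    """Parse log lines into (timestamp, client, host, status, bytes) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, status, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), client, host, int(status), int(nbytes)))
    return records


def find_beacons(records, min_requests=5, max_cv=0.05):
    """Return {(client, host): period_seconds} for regularly spaced callbacks.

    cv is the coefficient of variation (stdev / mean) of the gaps between
    successive requests to the same host. Human-driven traffic has a cv near
    or above 1; a timer-driven implant with little jitter stays well below 0.1.
    """
    by_pair = defaultdict(list)
    for ts, client, host, _, _ in records:
        by_pair[(client, host)].append(ts)

    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_requests:  # too few samples to call it periodic
            continue
        times.sort()  # log lines are not guaranteed to arrive in time order
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons[pair] = round(avg)
    return beacons


if __name__ == "__main__":
    for (client, host), period in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"possible beacon: {client} -> {host} every {period}s")
```

Real implants add jitter and change hosts, so in practice the threshold is tuned per environment and combined with other signals (new or rare destination, small constant response sizes, requests outside working hours); the point is that the signal is behavioural and survives a repacked binary.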


All of these target humans, rather than network or code vulnerabilities.

Traditional AV tools are failing to keep up with hackers focused on new attack vectors.

"Enterprises content with standard AV are doomed to be breached and hacked," said Aaron Zander, an IT engineer at HackerOne, a firm which runs bug bounty programs. "The major AV providers aren't advancing fast enough."

In some cases, he views traditional AV as doing about as much damage as the malware it seeks to detect: the processor overhead of AV scanning, combined with outdated operating systems, impairs machines and productivity drops off.

However, the ingenuity of hackers coupled with the high cost of attacks means enterprises need to constantly be searching for answers.

"After being hit by the ExPetr attack, Maersk had to reinstall software on its entire infrastructure, including 45,000 workstations," said Jason Stein, vice president of channel at Kaspersky Lab North America. "This resulted in the company conducting its operations offline for ten days, with losses of up to $300 million, not including reputational damage."

Slow detection, slow remediation
Symantec claims enterprises employ an average of seven agents to manage end-user devices, creating silos that slow detection. Then there's the challenge of protecting legacy devices that use end-of-life operating systems which are not supported by the latest security solutions. (See Data Breach Increase Shows Endpoints Are Under Attack.)

"Often, the devices have limited resources and computing capabilities, which means that running the latest generation of security may simply not be possible," said Michela Menting, research director at analyst firm ABI Research.

Slow or non-existent protection inevitably leads to damage, and the remediation operation can be reduced to a snail's pace as time is lost to quarantining, clean-up, restoring data and updating. Some organizations struggle to attribute sophisticated attacks, and this makes handling them more challenging.

There are also legal requirements to report attacks to enterprise customers or national authorities, which in itself is a slow process, and can shred brand value.

As enterprises harden endpoints such as PCs, Macs and laptops, hackers have gradually switched their attention to mobile devices, which have become softer targets, not least because they are owned by the employee and used outside of the workplace.

But counter to the BYOD trend of the last decade, there's a resurgence in enterprises supplying their own devices to employees, so they can be more closely managed. Companies are also re-architecting networks to take account of what information applications and employees want to access, securing from the inside out.

"When a device becomes corporate-liable, companies can manage them much the way they do any other computer," said Jason Lamar, senior director of product management at Cisco's security business group.

Mobile vs. desktops and laptops
In some ways, endpoint security is not necessarily about the device, but about the visibility a company has into it. But some organizations can easily lose track of where data goes.

A good example of this is where an employee uses a tablet to transfer data from their corporate email to, say, Dropbox. Once they are off the network, visibility ceases, and often companies don't even know that data was downloaded to a tablet.

From another perspective, mobile end-user devices are increasingly being viewed as weak points versus static desktops or even laptops.

"Generally, mobile devices are thought of as less secure, but they were designed and created with the backlog of computer security experience in mind, so they are not inherently insecure," said ABI's Menting. "[But] in some ways they can be more secure since the diversity of OS types and versions makes them more difficult for threat actors to target them."

Protecting the cloud
Servers in data centers are now endpoints. As enterprises rush to migrate on-premises servers to the public cloud, such as Microsoft Azure or Amazon Web Services, data moves through containers and workloads that are created and destroyed far faster than a fleet of PCs. To secure them, protection has to plug into the cloud providers' APIs and into the DevOps processes that build and deploy those workloads, rather than rely on an agent installed by hand.

"Businesses are moving to direct Internet access to accommodate their cloud strategies," said Robert McBride, director of enterprise and telco solutions at Versa Networks. "Now they're faced with adapting their edge infrastructure security due to the increased attack surface, with distributed direct access to the Internet versus centralized."

Servers are hardware-based endpoints, but in the cloud, they're virtual endpoints.

"With current infrastructure being built around virtualization, security of virtual endpoints needs to be a top priority," said Bitdefender's senior eThreat analyst Liviu Arsene. "The increased sophistication of threats requires protection technologies outside the operating system, fully leveraging the capabilities of the hypervisor."

Many answers
So, with so many different types of endpoint, with so many vulnerabilities, what's the answer?

"Intrusion prevention, device control and system lockdown can defend against attacks, as well as protection technologies like encryption in case the device is stolen," said Sri Sundaralingam, head of product marketing, enterprise security products, at Symantec. "Data Loss Prevention (DLP) for both desktops and laptops is also valuable to ensure businesses have data privacy policies in place that meet GDPR and HIPAA compliance requirements."

Legacy devices could eventually be phased out, though that would be expensive; in the meantime, patching and updating their operating systems, where updates are still available, is viable. Network segregation and network security controls can also mitigate the threat, and they matter most for this class of device: because legacy devices cannot host modern security controls themselves, they are normally reliant on the network's security. (See Verizon: Change the Attacker's Value Proposition.)
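If a legacy host cannot defend itself, the network around it has to, and the cleanest way to express that is a default-deny policy on the legacy segment with a short, explicit allowlist. The following added example (my own illustration, not anything from the article or the vendors quoted) evaluates constructed flow records against such a policy: anything touching the assumed legacy subnet `10.20.0.0/24` must match an allowlisted (source, destination, protocol, port) tuple, including traffic between two legacy hosts, so that a compromised legacy box cannot spread sideways within its own VLAN. Addresses, ports and the flow format are assumptions.

```python
"""Default-deny flow policy for a legacy-device segment: added example, not from the article."""
import ipaddress

LEGACY_NET = ipaddress.ip_network("10.20.0.0/24")  # assumed VLAN holding end-of-life hosts

# Allowlist entries: (src_net, dst_net, proto, dst_port). Any matching entry permits the flow.
ALLOWED_FLOWS = [
    ("10.30.0.5/32", "10.20.0.0/24", "tcp", 3389),   # admin jump host RDP into the segment
    ("10.20.0.0/24", "10.30.0.10/32", "tcp", 1433),  # legacy app servers to the database
    ("10.20.0.0/24", "10.30.0.53/32", "udp", 53),    # internal DNS resolver only
]


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def flow_allowed(src, dst, proto, dport, allowlist=ALLOWED_FLOWS):
    """Return True if the flow is permitted. Flows not touching the legacy
    segment are out of scope for this policy and pass through unchanged."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip not in LEGACY_NET and dst_ip not in LEGACY_NET:
        return True
    for s, d, p, port in allowlist:
        if src_ip in _net(s) and dst_ip in _net(d) and proto == p and dport == port:
            return True
    return False  # default deny: includes legacy-to-legacy and legacy-to-Internet


# Constructed flow records; format assumed: "<src_ip> <dst_ip> <proto> <dst_port>".
SAMPLE_FLOWS = """\
10.30.0.5 10.20.0.17 tcp 3389
10.20.0.17 10.30.0.10 tcp 1433
10.20.0.17 10.30.0.53 udp 53
10.20.0.17 10.20.0.44 tcp 445
10.40.0.8 10.20.0.17 tcp 445
10.20.0.17 198.51.100.9 tcp 443
10.40.0.8 10.30.0.10 tcp 1433
"""


def find_violations(text, allowlist=ALLOWED_FLOWS):
    """Return the list of (src, dst, proto, dport) flows the policy would block."""
    violations = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, dport = line.split()
        if not flow_allowed(src, dst, proto, int(dport), allowlist):
            violations.append((src, dst, proto, int(dport)))
    return violations


if __name__ == "__main__":
    for v in find_violations(SAMPLE_FLOWS):
        print("blocked:", *v)
```

Run against live flow records before enforcing, the same function doubles as an audit: every violation it reports is either a missing allowlist entry to add deliberately or a flow that should never have existed, and the SMB flows into and inside the legacy segment in the sample are exactly the kind ExPetr used to spread.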

Kaspersky advises that once a device has been infected, it's no longer safe and the only appropriate response is to erase and reinstall. Understanding the device's traffic within the network helps establish what effect an exploit may have as it spreads to other endpoints.

It's a good maxim to be prepared before security collapses to this stage, and reliance on traditional AV needs to be reduced, because it rests on an outdated whitelist/blacklist model that simply doesn't capture the latest malware.

No doubt that with so many variables in play for companies, it would be a benefit if more security solutions were interoperable and available for a more holistic approach.

"We need more interoperability across the security industry," said Cisco's Lamar. "Ideally vendors will standardize on one framework, but that's wishful thinking."


— Simon Marshall, Technology Journalist, special to Security Now
