Endpoint Security

08:05 AM
Simon Marshall

Endpoint Security: A Never-Ending Battle to Keep Up

Endpoint security has evolved over the last several years as the BYOD trend has slowed, but enterprises are still uploading more data to the cloud, which is accessible on more devices. Even the notion of what an endpoint is has changed. What can enterprise security do?

Enterprises trying to protect their endpoints are up against it. Employees who bring their own devices to work, new phishing threats, and legacy servers and workstations all present a big target for attackers.

There's also the need to protect data in newer endpoints in the cloud.

Securing endpoints is an ongoing battle, and what may have worked in the past is no longer effective as malicious actors constantly evolve their methods. (See Endpoint Security: 3 Big Obstacles to Overcome.)

"The reality is that attackers have changed their game," Atif Mushtaq, CEO of Slashnext, told Security Now. "Where old attack schemes required the attacker to find a way in, now they set bait." This includes website ads and pop-ups, social media messages and browser plug-ins, ransomware, fileless attacks and zero-day exploits.

Signature- and sandbox-based technologies are consistently failing to detect polymorphic malware, according to SlashNext. And they were never designed to flag phishing, social engineering and so-called callback threats, where malware already running on an infected enterprise host calls back out to attacker-controlled infrastructure for instructions.

Most of these attacks target humans rather than network or code vulnerabilities.
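The following is an added example, not code from the article or from SlashNext, showing why a hash blocklist fails against polymorphic malware. It stands in for a malware sample with a constructed byte string that only describes behaviour (nothing connects anywhere or executes), and stands in for polymorphism with the simplest re-keying scheme, an XOR encoder with a fresh random key per copy. The hash signature captured from the first copy misses the second copy byte for byte, while a check on what the sample does once it has unpacked itself still catches it.

```python
import hashlib
import os
from typing import Optional

# Constructed stand-in for a malware sample's functional core. It is just a byte
# string describing behaviour; nothing here connects anywhere or executes anything.
PAYLOAD = b"connect(c2.example.invalid:443);fetch(task);exec(task)"


def encode_polymorphic(payload: bytes, key: Optional[bytes] = None) -> bytes:
    """Wrap the payload in a one-byte key length, the XOR key, and the XOR-encoded body.

    With a fresh random key per copy, every sample differs byte for byte (and so in
    hash) while decoding restores exactly the same behaviour. This is the simplest
    form of the polymorphism that defeats hash and byte-signature matching.
    """
    key = key or os.urandom(8)
    body = bytes(b ^ key[i % len(key)] for i, b in enumerate(payload))
    return bytes([len(key)]) + key + body


def decode(sample: bytes) -> bytes:
    """Undo encode_polymorphic: read the key from the header and XOR the body back."""
    klen = sample[0]
    key = sample[1:1 + klen]
    body = sample[1 + klen:]
    return bytes(b ^ key[i % klen] for i, b in enumerate(body))


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def signature_detect(sample: bytes, blocklist: set) -> bool:
    """Hash-blocklist check, the model a signature-based AV relies on."""
    return sha256_hex(sample) in blocklist


def behaviour_detect(sample: bytes, indicators=(b"connect(", b"exec(")) -> bool:
    """Stand-in for inspecting what the sample does after it unpacks itself:
    here, simply looking for behavioural indicators in the decoded core."""
    decoded = decode(sample)
    return all(ind in decoded for ind in indicators)


def demo(key1: Optional[bytes] = None, key2: Optional[bytes] = None) -> dict:
    """Ship a hash signature for the first captured variant, then test it against
    a re-keyed copy of the same payload. Keys are random unless supplied."""
    first = encode_polymorphic(PAYLOAD, key1)
    blocklist = {sha256_hex(first)}  # what the vendor saw and pushed out
    second = encode_polymorphic(PAYLOAD, key2)  # what the next victim receives
    return {
        "same_behaviour": decode(first) == decode(second),
        "signature_catches_first": signature_detect(first, blocklist),
        "signature_catches_second": signature_detect(second, blocklist),
        "behaviour_catches_second": behaviour_detect(second),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Real packers are far more elaborate than an XOR loop, but the defender's problem is the same: any detection keyed on the bytes of one captured copy expires the moment the attacker re-keys, so detection has to be tied to behaviour or to the unpacked core rather than to the wrapper.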

Traditional AV tools are failing to keep up with hackers focused on new attack vectors.

"Enterprises content with standard AV are doomed to be breached and hacked," said Aaron Zander, an IT engineer at HackerOne, a firm which runs bug bounty programs. "The major AV providers aren't advancing fast enough."

In some cases, he views traditional AV technology as doing as much harm as the malware it seeks to detect: AV scanning slows processors and, on outdated operating systems, impairs machines to the point where productivity drops off.

However, the ingenuity of hackers coupled with the high cost of attacks means enterprises need to constantly be searching for answers.

"After being hit by the ExPetr attack, Maersk had to reinstall software on its entire infrastructure, including 45,000 workstations," said Jason Stein, vice president of channel at Kaspersky Lab North America. "This resulted in the company conducting its operations offline for ten days, with losses of up to $300 million, not including reputational damage."

Slow detection, slow remediation
Symantec claims enterprises employ an average of seven agents to manage end-user devices, creating silos that slow detection. Then there's the challenge of protecting legacy devices that use end-of-life operating systems which are not supported by the latest security solutions. (See Data Breach Increase Shows Endpoints Are Under Attack.)

"Often, the devices have limited resources and computing capabilities, which means that running the latest generation of security may simply not be possible," said Michela Menting, research director at analyst firm ABI Research.

Slow or non-existent protection inevitably leads to damage, and the remediation operation can be reduced to a snail's pace as time is lost to quarantining, clean-up, restoring data and updating. Some organizations struggle to attribute sophisticated attacks, and this makes handling them more challenging.

There are also legal requirements to report attacks to enterprise customers or national authorities, which in itself is a slow process, and can shred brand value.

As enterprises harden endpoints such as PCs, Macs and laptops, hackers have gradually switched their attention to mobile devices, which have become softer targets, not least because they are owned by the employee and used outside of the workplace.

But counter to the BYOD trend of the last decade, there's a resurgence in enterprises supplying their own devices to employees, so they can be more closely managed. Companies are also re-architecting networks to take account of what information applications and employees want to access, securing from the inside out.

"When a device becomes corporate-liable, companies can manage them much the way they do any other computer," said Jason Lamar, senior director of product management at Cisco's security business group.

Mobile vs. desktops and laptops
In some ways, endpoint security is not necessarily about the device, but about the visibility a company has into it. But some organizations can easily lose track of where data goes.

A good example of this is where an employee uses a tablet to transfer data from their corporate email to, say, Dropbox. Once they are off the network, visibility ceases, and often companies don't even know that data was downloaded to a tablet.

From another perspective, mobile end-user devices are increasingly being viewed as weak points versus static desktops or even laptops.

"Generally, mobile devices are thought of as less secure, but they were designed and created with the backlog of computer security experience in mind, so they are not inherently insecure," said ABI's Menting. "[But] in some ways they can be more secure, since the diversity of OS types and versions makes it more difficult for threat actors to target them."

Protecting the cloud
Servers in data centers are now endpoints too. As enterprises rush to migrate on-premises servers to public clouds such as Microsoft Azure or Amazon Web Services, data moves through containers and cloud workloads. Securing these means integrating security tooling, through the cloud providers' APIs, into the DevOps pipeline and the cloud services themselves.

"Businesses are moving to direct Internet access to accommodate their cloud strategies," said Robert McBride, director of enterprise and telco solutions at Versa Networks. "Now they're faced with adapting their edge infrastructure security due to the increased attack surface, with distributed direct access to the Internet versus centralized."

Servers are hardware-based endpoints, but in the cloud, they're virtual endpoints.

"With current infrastructure being built around virtualization, security of virtual endpoints needs to be a top priority," said Bitdefender's senior eThreat analyst Liviu Arsene. "The increased sophistication of threats requires protection technologies outside the operating system, fully leveraging the capabilities of the hypervisor."

Many answers
So, with so many different types of endpoint, with so many vulnerabilities, what's the answer?

"Intrusion prevention, device control and system lockdown can defend against attacks, as well as protection technologies like encryption in case the device is stolen," said Sri Sundaralingam, head of product marketing, enterprise security products, at Symantec. "Data Loss Prevention (DLP) for both desktops and laptops is also valuable to ensure businesses have data privacy policies in place that meet GDPR and HIPAA compliance requirements."

Legacy devices could eventually be phased out, though that would be expensive; in the meantime, patching and updating their operating systems, where patches are still available, is viable. Network segregation and network security controls can also mitigate threats to them, and matter more for legacy devices than for others: whatever security such devices have is usually fixed in their hardware or firmware and cannot be upgraded, so they end up relying on the network's security. (See Verizon: Change the Attacker's Value Proposition.)

Kaspersky advises that once a device has been infected, it's no longer safe and the only appropriate response is to erase and reinstall. Understanding the device's traffic within the network helps establish what effect an exploit may have as it spreads to other endpoints.
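One concrete way to act on the advice above, as an added example that is not Kaspersky's code or anything from the article: given the network's flow records, an infected host and the time it was compromised, work out which other endpoints the infection could have reached. The flow log below is constructed for the example (made-up addresses, NetFlow-style fields), and the set of ports assumed to carry lateral movement (SMB, RPC/DCOM, RDP) is an assumption to be replaced with what the malware in question actually uses. Reachability is time-respecting: a host only counts as exposed if it was contacted, over one of those ports, by a host that was itself already exposed at that moment.

```python
from collections import namedtuple
from datetime import datetime

Flow = namedtuple("Flow", "ts src dst dport")

# Constructed NetFlow-style records (timestamp, source, destination, destination port).
# These are made-up addresses for the example, not captured traffic.
FLOW_LOG = """\
2018-06-27T09:58:00 10.0.1.15 10.0.1.20 445
2018-06-27T10:00:00 10.0.1.15 10.0.2.7 445
2018-06-27T10:01:00 10.0.1.15 10.0.3.9 443
2018-06-27T10:03:00 10.0.2.7 10.0.2.8 135
2018-06-27T10:04:00 10.0.2.8 10.0.1.15 445
2018-06-27T10:05:00 10.0.4.4 10.0.2.8 445
2018-06-27T10:06:00 10.0.2.8 10.0.5.5 3389
"""

# Assumed set of ports the malware spreads over (SMB, RPC/DCOM, RDP); adjust per incident.
LATERAL_PORTS = {445, 135, 3389}


def parse_flows(text: str) -> list:
    """Parse the whitespace-separated records and return them sorted by timestamp."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows.append(Flow(datetime.fromisoformat(ts), src, dst, int(dport)))
    return sorted(flows, key=lambda f: f.ts)


def blast_radius(flows: list, patient_zero: str, infected_at: datetime) -> dict:
    """Map each host that could have been reached from patient_zero to the earliest
    time it could have been reached.

    Reachability is time-respecting: host B is only reachable via a flow A->B at time t
    if A was itself reachable at or before t. Flows from before the infection time and
    flows on ports the malware does not use are ignored. Because the flows are sorted
    by time, one pass is enough: anything a newly reached host can spread through lies
    later in the list.
    """
    reached = {patient_zero: infected_at}
    for f in flows:
        if f.dport not in LATERAL_PORTS:
            continue
        if f.src in reached and reached[f.src] <= f.ts and f.dst not in reached:
            reached[f.dst] = f.ts
    return reached


def scope_incident(log_text: str, patient_zero: str, infected_at_iso: str) -> dict:
    """Convenience wrapper: {host: ISO timestamp}, ordered by time of exposure."""
    reached = blast_radius(parse_flows(log_text), patient_zero,
                           datetime.fromisoformat(infected_at_iso))
    return {host: ts.isoformat()
            for host, ts in sorted(reached.items(), key=lambda kv: kv[1])}


if __name__ == "__main__":
    for host, ts in scope_incident(FLOW_LOG, "10.0.1.15", "2018-06-27T10:00:00").items():
        print(f"{ts}  {host}")
```

On the constructed log, the host contacted before the infection time and the host reached only over HTTPS drop out, while the two-hop chain through 10.0.2.7 and 10.0.2.8 stays in; the resulting list is the set of machines to isolate and, following the advice above, erase and reinstall rather than clean.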

It's a good maxim to be prepared before security collapses to this stage, and reliance on traditional AV needs to be reduced, because it works on an outdated whitelist/blacklist model that simply doesn't capture the latest malware.

No doubt that with so many variables in play for companies, it would be a benefit if more security solutions were interoperable and available for a more holistic approach.

"We need more interoperability across the security industry," said Cisco's Lamar. "Ideally vendors will standardize on one framework, but that's wishful thinking."

— Simon Marshall, Technology Journalist, special to Security Now
