Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

7/21/2014
12:00 PM
Candace Worley
Candace Worley
Commentary
100%
0%

Internet of Things: Security For A World Of Ubiquitous Computing

Endpoint security is hardly dead, and claiming that it is oversimplifies the challenges corporations face now and in the not-very-distant future.

I got an email from my car the other day, informing me about its need for service. As a security professional, I found it unsettling, not surprising, but unsettling. What’s my car doing on the Internet, anyway? What are the possible implications of that?

Security practitioners within corporate IT are rightly focusing on the emerging risks presented by laptops, tablets, and smartphones when used by employees and contractors in the course of doing business. But other trends are developing all around us that challenge the foundations of our security assumptions.

For example, while worrying about employee behavior at work, we can lose sight of the fact that computing is becoming part of daily life in such a way that it’s nearly impossible to separate "work" and "personal" activities and devices. The concept of a corporate boundary is dissolving as computing and communication endpoints embed themselves in a growing number of devices like thermostats, medical devices, my car, and, in the near future, my clothing. These trends have profound implications for the security industry.

In anticipating our future reality, we only have to look at the recent past and the wide uptake of smartphones. People started bringing them into their workplaces -- spurring the BYOD trend and broad adoption of smartphones in business.

The cybercrime industry was quick to respond. Where mobile malware was once the frontier for malware innovators, today it’s almost a mainstream delivery mechanism. Mobile malware grew 197% between Q4 2012 and Q4 2013, according to McAfee’s Q4 2013 Threat Report.

The death of endpoint security? Not yet
As more devices join the universe of computing endpoints, we should expect a similar uptick in exploits and malware. The endpoint will always be an attractive target for those who seek to intercept or steal information or infiltrate networks.

Given the scope of the problem, it’s fashionable nowadays to claim that endpoint security is ineffective. Endpoints are often considered the weakest link in the security infrastructure, because they are furthest from any central control and there is generally a human using them.

But to claim that endpoint security is dead is to oversimplify the challenges corporations currently face. Now more than ever, endpoint security has a critical role to play in ecosystems that protect highly diverse corporate computing environments against complex security problems.

Layered defenses, but across multiple dimensions
Despite what any security vendor may wish you to believe, there’s no single way to secure either your personal data and identity or corporate systems and data. While layered defenses have been a best-practice in corporate security for many years, in today’s increasingly complex security environment we need to expand our thinking to layers across many dimensions. Specifically, security requires holistic approaches that span people, infrastructure, data, and applications.

People: The boundaries between personal and professional online activities and identities are blurring. Corporate security measures must accept this reality and support people with everything from online identity controls to simplified, embedded processes, making secure computing as easy and transparent as possible.

Infrastructure: Corporations are very adept at securing traditional infrastructure elements such as desktops, laptops, and servers. The security and policies applied to these devices may not be effective with devices as diverse as phones, tablets, wearables, and the Internet of Things. Security controls and measures need to become more intelligent and integrated in order to secure the ever-expanding universe of endpoints and devices.

Data: Pervasive computing capability means that data is highly nomadic. As network boundaries erode, you need to put controls around the data itself. In addition to access and authentication controls, companies must track and audit where sensitive data travels, while empowering people to collaborate and be productive.

Applications: Security isn’t something that can be tacked onto an application at the end of its development. Even in an environment with significant time-to-market pressures, application developers need to be part of the holistic approach to security, delivering vulnerability free software that considers the implications of sensitive and/or regulated data.

Security for the way we live
The biggest shift I see in the industry is that we need to move beyond thinking of security as a set of extra steps, processes, or systems built around our computing environment. As computing becomes more pervasive and embedded, often unseen, in our daily lives, we need to design holistic approaches to security that match the way we live and work.

It’s an exciting time to be in the security industry. There won’t be just one single answer or solution. Many players will be involved in a holistic, systems-based approach to security. And the environment will continue to evolve, as endpoints expand and innovative new technologies enter both our business and personal lives. Security practitioners and developers will be challenged to be innovative and collaborative in adapting to the constantly evolving threat environment.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Arunk336
50%
50%
Arunk336,
User Rank: Apprentice
11/7/2017 | 1:58:00 AM
Re: The endpoint is not dead
You create the best enjoy to get the mozilla firefox free download latest version it is the one of the best for the users click the link mozilla firefox you upgrade your old browser have the full download speed i sure you like this very much most people connect this worldwide.
Martmorce
50%
50%
Martmorce,
User Rank: Apprentice
11/26/2014 | 5:15:22 AM
Internet Security
Free software packs are the most widely used on the system. They are the one off the biggest threat for the security.
William L. Lind
50%
50%
William L. Lind,
User Rank: Apprentice
7/25/2014 | 8:29:19 AM
Re: The endpoint is not dead
The government should ensure about internet security. The use of the internet should be free of malware. But unfortunately the rate of using malware are increasing day by day at a raid pace. Some essay writing service reviews did it correctly. I appreciate those companies.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
7/24/2014 | 2:00:33 PM
Re: The endpoint is not dead
Thanks, Candace. To your point about endpoint security being comprised of a broad spectrum of technologies, Rick Gordon, Managing Partner at Mach37 an early-stage tech venture development company, backed your take up in a Dark Reading Radio broadcast earlier this month. He said he was seeing some startup activity in endpoint security and "the emergence of next generation leaders."  

Good news for the customer base.. more competition for McAfee & other mainstream players.
Candace Worley
100%
0%
Candace Worley,
User Rank: Author
7/24/2014 | 12:06:53 PM
Re: The endpoint is not dead
The security industry has been dancing around the idea that anti-virus is dead for many years, so it is not really shocking when someone says it out loud. My take on this topic is that it is not so much that AV is dead as it is taking a less prominent role. Endpoint security is inclusive of a broad spectrum of technologies many of which are critical in applying good security hygiene. Rather than being the primary medium through which organizations secure their endpoints AV is now in a supporting role with companies relying heavily on a multi-tiered approach. It takes a village, from the endpoint to the heart of the network, to protect all businesses from the most advanced threats out there.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
7/23/2014 | 9:00:18 AM
Re: The endpoint is not dead
I think as malware evolves so must endpoint. I have seen crowdstrike adapt such as providing a real-time cloud endpoint solution. Other companies have simply incorporated it into a UTM strategy. But to say endpoint security is ineffective is just a blanket statement. Any security control by itself is relatively ineffective, especially when comparing it against specific threat vectors. It takes different safegards working together (IDS/IPS, Firewall, Anti-Virus, WebSecurity, DLP) to make a cohesive effective solution. And even those working in tandem isn't 100%. Awareness and end user education is also a big must for a secure environment.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
7/22/2014 | 11:00:25 AM
The endpoint is not dead
Thanks for a very interesting blog, Candace. Curious to know if when you mention "it's fashionable nowadays to claim that endpoint security is ineffective" are you referring to quotes from Symantec's execs that antivirus is dead, or something more general? 
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Active Directory Needs an Update: Here's Why
Raz Rafaeli, CEO and Co-Founder at Secret Double Octopus,  1/16/2020
New Attack Campaigns Suggest Emotet Threat Is Far From Over
Jai Vijayan, Contributing Writer,  1/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-20399
PUBLISHED: 2020-01-23
A timing vulnerability in the Scalar::check_overflow function in Parity libsecp256k1-rs before 0.3.1 potentially allows an attacker to leak information via a side-channel attack.
CVE-2020-7915
PUBLISHED: 2020-01-22
An issue was discovered on Eaton 5P 850 devices. The Ubicacion SAI field allows XSS attacks by an administrator.
CVE-2019-20391
PUBLISHED: 2020-01-22
An invalid memory access flaw is present in libyang before v1.0-r3 in the function resolve_feature_value() when an if-feature statement is used inside a bit. Applications that use libyang to parse untrusted input yang files may crash.
CVE-2019-20392
PUBLISHED: 2020-01-22
An invalid memory access flaw is present in libyang before v1.0-r1 in the function resolve_feature_value() when an if-feature statement is used inside a list key node, and the feature used is not defined. Applications that use libyang to parse untrusted input yang files may crash.
CVE-2019-20393
PUBLISHED: 2020-01-22
A double-free is present in libyang before v1.0-r1 in the function yyparse() when an empty description is used. Applications that use libyang to parse untrusted input yang files may be vulnerable to this flaw, which would cause a crash or potentially code execution.