After Operation Aurora in 2009, “we’ll catch it on the wire” was an oft-heard phrase reflecting a network-centric orientation to security and the concession that signature-based antivirus was ineffective against never-seen-before components of an advanced persistent threat, the behavior of which the industry now frames in the context of the cybersecurity kill chain.
The incessant rate of attacks against the increasingly mobile and multi-device operator of endpoints (whose human gullibility is the vulnerability that makes spear phishing and drive-by downloads serially successful) is such that many organizations are now revisiting their endpoint security strategies -- both products and processes.
But executing upon this imperative in a market rife with confusion and ripe for consolidation is not a small thing. Enterprise Strategy Group (ESG) has conducted interviews with dozens of enterprises that have navigated this market in transition en route to improving their endpoint security postures. What can we learn from those that have made the journey? Have they, in fact, reached their destination? Here’s a summary of our findings, which will be presented at this year’s RSA conference in March.
It starts with operational efficiency
In a holistic security methodology, prevention, detection, and response are not mutually exclusive concepts; they work in concert with prevention controls employed to reduce the attack surface area and with detection and response controls to deal with the inevitable introduction of the new and unknown. But some organizations simply do not have the resources nor the expertise to utilize detection and response solutions, and often opt for greater prevention efficacy, as measured not only in a reduction in malware detected by network-based sandboxes but also in fewer calls to the help desk. Operational efficiency is a critical success factor for all companies refreshing their endpoint security solution sets, especially those with fewer resources.
Add layers of prevention
Advanced prevention controls include containerization, binary runtime inspection, and application control. Some organizations that seek improved prevention effectiveness layer such controls by keeping signature-based antivirus in place for the more pedestrian viruses while also deploying an advanced control for advanced malware. Customers with an Enterprise License Agreement (ELA) with Microsoft may utilize Security Essentials as their antivirus engine and reallocate budget to an advanced anti-malware product.
Another layered prevention model is to employ antivirus to address the “known bad,” and application control for a default-deny approach of only allowing known good, an approach well suited for systems with little to no drift, but one that does require some care and feeding to create group-specific whitelists.
For large organizations, proactive monitoring
The second approach is one typically put in play by larger organizations that do have the resources, as well as the skill sets, to view prevention as simply reducing the attack surface and employing an endpoint detection and response solution (EDR) to proactively monitor system activity. Since the detection method of EDR products is fundamentally rooted in determining anomalous and potentially malicious deviations from a norm, the first step for users of these products is to determine what is normal. Establishing a baseline requires a contextual understanding of one’s own environment (i.e., what is normal) and then a period of suppressing alarms and cultivating rules to essentially train the EDR solution to alert at a higher level of fidelity, thus optimizing the signal:noise ratio so security analysts are not triaging an onslaught of false positives.
A prevent, detect and respond spectrum of starting points
These approaches are not mutually exclusive, and as ESG research has discovered, each one is typically a starting point at one end of the spectrum. Nearly all enterprises have plans to further secure their endpoints by applying additional controls to complete the prevent-detect-respond continuum. But while ESG research highlights the fact that customers prefer an endpoint security suite that aggregates prevention, detection, and response functionality from a single vendor, enterprises will also purchase and deploy point tools to protect their highest-value targets.
Another option for adding detection and response to the endpoint mix is for organizations without the resources to operate such a solution to engage with a managed security services provider (MSSP). Also on the radar screen of next steps is integration with analytics platforms for correlation and with network security controls to expedite detection, reduce dwell time, and terminate communication with a command-and-control server.
The new focus on protecting end users, and their multitude of endpoints, is indicative of an evolution from the old network-centric security model to one that is also host-centric across endpoints, server workloads, and IoT devices. Where customers start is largely a function of resources and skills, based on a balance between detection efficacy and operational efficiency. As the endpoint security industry goes through its transition, we can learn much from those who are at least part of the way along on their journey.
- Cybersecurity Smackdown: What Side Are You On?
- The Matrix Reloaded: Security Goals v. Operational Requirements
- Time’s Running Out for the $76 Billion Detection Industry