Make no mistake about it, endpoint security has always been important. In the transition to remote work environments in the wake of COVID-19, endpoint security has become even more pressing than perhaps ever before.
Work from home existed before the pandemic, but not at the same scale or with as much at stake. Seemingly overnight, the majority of endpoints migrated outside of the corporate network perimeter. Endpoint security has long been a focus for the IT industry and will remain so for years to come, because the majority of threats organizations of all sizes are facing are headed to an endpoint, whether it is a desktop in an employee's home or the database server holding the authentication information for your entire company.
The simple truth is that the endpoint is today, and has always been, a gateway to everything that your company cares about relative to its intellectual property.
Endpoint Security by the Numbers
According to the new Cisco Security Outcomes Study: Endpoint Edition, organizations are struggling with endpoint security. The report found that over 40% of global organizations had a major security incident in the last two years. Organizations that haven't prioritized an integrated platform with endpoint security as a core element were almost twice as likely to have suffered a major security incident.
An analysis of critical severity indicators of compromise (IoCs) detected by Cisco Secure Endpoint found that there are four primary techniques used by attackers. Topping the list are dual-use PowerShell tools. While this can include PowerShell frameworks such as PowerShell Empire, and frameworks that can leverage PowerShell, such as Cobalt Strike and Metasploit, it is also common to see simple PowerShell command-line activity and custom PowerShell scripts being used to secure access or move laterally within networks. PowerShell is popular with threat actors because it is largely installed by default in enterprise computers and the activity usually is not closely monitored.
Coming in second in the list of top IoCs is ransomware. For many financially motivated threat actors, delivering ransomware to endpoints and successfully encrypting the data there is the major objective of their activity on the network. The past few years have seen a major surge in ransomware activity globally. Modern endpoint security software like Cisco Secure Endpoint provides multiple layers of protection to prevent actors from reaching this goal.
The third most frequently observed IoC group is fileless malware. It infects endpoints via suspicious memory process injections and registry activity. Threat actors use this technique to try and avoid detection by older endpoint protection technologies.
Rounding out the top four list of IoCs is credential dumping. Among the most widely used credential dumping tools is Mimikatz, which scrapes user credentials from endpoint system memory. Ultimately, these credentials will be used to move laterally with the goal of compromising the Enterprise Active Directory servers to either allow broad distribution of ransomware or unfettered access to other target data.
It's clear that endpoints that are under attack face a variety of different sophisticated techniques as actors secure initial access, move laterally through the network, escalate their privilege, and exfiltrate and encrypt data. It's not just the viruses, worms, and Trojans that the first generation of endpoint security technologies protected against either. The modern threat landscape requires a more sophisticated approach than simply scanning endpoints for malware.
Endpoint Is the Last Line of Defense
While modern cybersecurity threats take many different forms, it's clear that in order to defend against threats, organizations need the ability to detect and block a variety of actor actions on the endpoints.
Endpoint security remains the critical linchpin of modern IT security efforts. In the past, actors were largely primarily targeting servers and databases, but today endpoints are both the means of traversing the network and the ultimate objective. Because of this, visibility into the activity on endpoints is critical in order to track and block attacker actions.
Compliance with any number of different regulatory or cybersecurity policies often involves an organization being able to demonstrate that it has controls in place to identify potential risks and attacks. Having the ability to query endpoints across the enterprise to understand their current operating state and history provides both a powerful security tool and support for the audit process.
Taking a Platform Approach to Endpoint Security
Endpoint security is also a core element of the modern platform architectures for cybersecurity, including SASE, zero trust, and XDR. SASE provides a holistic approach to enable security at the edge of the network, zero trust continuously validates access, while XDR enables detection and response to potential threats.
Endpoint security is increasingly the last critical line of defense for remote employees and the devices they use every day. Endpoint security is now also the control plane for the security industry and a core element of a platform approach that ties different elements of security together.
About the Author
Al Huger is Vice President and General Manager of Platform & Response at Cisco Secure. Al has a rich background in building products focused on security intelligence, vulnerability management, incident response, cloud-based services (SaaS), big data analytics platforms, and managed security services. Al has held technical executive roles in the computer and networking security industry for the past 25 years and is a three-time veteran of launching successful startup companies, Al co-founded and sold companies to McAfee/Intel, Symantec, and Sourcefire.