Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


09:00 AM
Al Huger, Vice President and General Manager of Platform & Response, Cisco Secure
Al Huger, Vice President and General Manager of Platform & Response, Cisco Secure
Sponsored Article

The Growing Importance of Endpoint Security

Endpoint security is a cornerstone of modern security enabling a control plane for a broader architecture that can help to enable XDR, SASE, and zero trust.

Make no mistake about it, endpoint security has always been important. In the transition to remote work environments in the wake of COVID-19, endpoint security has become even more pressing than perhaps ever before.

Work from home existed before the pandemic, but not at the same scale or with as much at stake. Seemingly overnight, the majority of endpoints migrated outside of the corporate network perimeter. Endpoint security has long been a focus for the IT industry and will remain so for years to come, because the majority of threats organizations of all sizes are facing are headed to an endpoint, whether it is a desktop in an employee's home or the database server holding the authentication information for your entire company.

The simple truth is that the endpoint is today, and has always been, a gateway to everything that your company cares about relative to its intellectual property.

Endpoint Security by the Numbers
According to the new Cisco Security Outcomes Study: Endpoint Edition, organizations are struggling with endpoint security. The report found that over 40% of global organizations had a major security incident in the last two years. Organizations that haven't prioritized an integrated platform with endpoint security as a core element were almost twice as likely to have suffered a major security incident.

An analysis of critical severity indicators of compromise (IoCs) detected by Cisco Secure Endpoint found that there are four primary techniques used by attackers. Topping the list are dual-use PowerShell tools. While this can include PowerShell frameworks such as PowerShell Empire, and frameworks that can leverage PowerShell, such as Cobalt Strike and Metasploit, it is also common to see simple PowerShell command-line activity and custom PowerShell scripts being used to secure access or move laterally within networks. PowerShell is popular with threat actors because it is largely installed by default in enterprise computers and the activity usually is not closely monitored.

Coming in second in the list of top IoCs is ransomware. For many financially motivated threat actors, delivering ransomware to endpoints and successfully encrypting the data there is the major objective of their activity on the network. The past few years have seen a major surge in ransomware activity globally. Modern endpoint security software like Cisco Secure Endpoint provides multiple layers of protection to prevent actors from reaching this goal.

The third most frequently observed IoC group is fileless malware. It infects endpoints via suspicious memory process injections and registry activity. Threat actors use this technique to try and avoid detection by older endpoint protection technologies.

Rounding out the top four list of IoCs is credential dumping. Among the most widely used credential dumping tools is Mimikatz, which scrapes user credentials from endpoint system memory. Ultimately, these credentials will be used to move laterally with the goal of compromising the Enterprise Active Directory servers to either allow broad distribution of ransomware or unfettered access to other target data.

It's clear that endpoints that are under attack face a variety of different sophisticated techniques as actors secure initial access, move laterally through the network, escalate their privilege, and exfiltrate and encrypt data. It's not just the viruses, worms, and Trojans that the first generation of endpoint security technologies protected against either. The modern threat landscape requires a more sophisticated approach than simply scanning endpoints for malware.

Endpoint Is the Last Line of Defense
While modern cybersecurity threats take many different forms, it's clear that in order to defend against threats, organizations need the ability to detect and block a variety of actor actions on the endpoints.

Endpoint security remains the critical linchpin of modern IT security efforts. In the past, actors were largely primarily targeting servers and databases, but today endpoints are both the means of traversing the network and the ultimate objective. Because of this, visibility into the activity on endpoints is critical in order to track and block attacker actions.

Compliance with any number of different regulatory or cybersecurity policies often involves an organization being able to demonstrate that it has controls in place to identify potential risks and attacks. Having the ability to query endpoints across the enterprise to understand their current operating state and history provides both a powerful security tool and support for the audit process.

Taking a Platform Approach to Endpoint Security
Endpoint security is also a core element of the modern platform architectures for cybersecurity, including SASE, zero trust, and XDR. SASE provides a holistic approach to enable security at the edge of the network, zero trust continuously validates access, while XDR enables detection and response to potential threats.

Endpoint security is increasingly the last critical line of defense for remote employees and the devices they use every day. Endpoint security is now also the control plane for the security industry and a core element of a platform approach that ties different elements of security together.

About the Author

Al Huger is Vice President and General Manager of Platform & Response at Cisco Secure. Al has a rich background in building products focused on security intelligence, vulnerability management, incident response, cloud-based services (SaaS), big data analytics platforms, and managed security services. Al has held technical executive roles in the computer and networking security industry for the past 25 years and is a three-time veteran of launching successful startup companies, Al co-founded and sold companies to McAfee/Intel, Symantec, and Sourcefire.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The Promise and Reality of Cloud Security
Cloud security has been part of the cybersecurity conversation for years but has been on the sidelines for most enterprises. The shift to remote work during the COVID-19 pandemic and digital transformation projects have moved cloud infrastructure front-and-center as enterprises address the associated security risks. This report - a compilation of cutting-edge Black Hat research, in-depth Omdia analysis, and comprehensive Dark Reading reporting - explores how cloud security is rapidly evolving.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-01-31
In Apache Linkis <=1.3.0 when used with the MySQL Connector/J, a deserialization vulnerability with possible remote code execution impact exists when an attacker has write access to a database and configures new datasource with a MySQL data source and malicious parameters. Therefore, the paramete...
PUBLISHED: 2023-01-31
ubireader_extract_files is vulnerable to path traversal when run against specifically crafted UBIFS files, allowing the attacker to overwrite files outside of the extraction directory (provided the process has write access to that file or directory). This is due to the fact that a node name (dent_no...
PUBLISHED: 2023-01-31
A path traversal vulnerability affects jefferson's JFFS2 filesystem extractor. By crafting malicious JFFS2 files, attackers could force jefferson to write outside of the extraction directory.This issue affects jefferson: before 0.4.1.
PUBLISHED: 2023-01-31
A path traversal vulnerability affects yaffshiv YAFFS filesystem extractor. By crafting a malicious YAFFS file, an attacker could force yaffshiv to write outside of the extraction directory. This issue affects yaffshiv up to version 0.1 included, which is the most recent at time of publication.
PUBLISHED: 2023-01-31
Incorrect Authorization vulnerability in Apache Software Foundation Apache IoTDB.This issue affects the iotdb-web-workbench component from 0.13.0 before 0.13.3. iotdb-web-workbench is an optional component of IoTDB, providing a web console of the database. This problem is fixed from version 0.13.3 o...