Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


09:00 AM
Al Huger, Vice President and General Manager of Platform & Response, Cisco Secure
Al Huger, Vice President and General Manager of Platform & Response, Cisco Secure
Sponsored Article

The Growing Importance of Endpoint Security

Endpoint security is a cornerstone of modern security enabling a control plane for a broader architecture that can help to enable XDR, SASE, and zero trust.

Make no mistake about it, endpoint security has always been important. In the transition to remote work environments in the wake of COVID-19, endpoint security has become even more pressing than perhaps ever before.

Work from home existed before the pandemic, but not at the same scale or with as much at stake. Seemingly overnight, the majority of endpoints migrated outside of the corporate network perimeter. Endpoint security has long been a focus for the IT industry and will remain so for years to come, because the majority of threats organizations of all sizes are facing are headed to an endpoint, whether it is a desktop in an employee's home or the database server holding the authentication information for your entire company.

The simple truth is that the endpoint is today, and has always been, a gateway to everything that your company cares about relative to its intellectual property.

Endpoint Security by the Numbers
According to the new Cisco Security Outcomes Study: Endpoint Edition, organizations are struggling with endpoint security. The report found that over 40% of global organizations had a major security incident in the last two years. Organizations that haven't prioritized an integrated platform with endpoint security as a core element were almost twice as likely to have suffered a major security incident.

An analysis of critical severity indicators of compromise (IoCs) detected by Cisco Secure Endpoint found that there are four primary techniques used by attackers. Topping the list are dual-use PowerShell tools. While this can include PowerShell frameworks such as PowerShell Empire, and frameworks that can leverage PowerShell, such as Cobalt Strike and Metasploit, it is also common to see simple PowerShell command-line activity and custom PowerShell scripts being used to secure access or move laterally within networks. PowerShell is popular with threat actors because it is largely installed by default in enterprise computers and the activity usually is not closely monitored.

Coming in second in the list of top IoCs is ransomware. For many financially motivated threat actors, delivering ransomware to endpoints and successfully encrypting the data there is the major objective of their activity on the network. The past few years have seen a major surge in ransomware activity globally. Modern endpoint security software like Cisco Secure Endpoint provides multiple layers of protection to prevent actors from reaching this goal.

The third most frequently observed IoC group is fileless malware. It infects endpoints via suspicious memory process injections and registry activity. Threat actors use this technique to try and avoid detection by older endpoint protection technologies.

Rounding out the top four list of IoCs is credential dumping. Among the most widely used credential dumping tools is Mimikatz, which scrapes user credentials from endpoint system memory. Ultimately, these credentials will be used to move laterally with the goal of compromising the Enterprise Active Directory servers to either allow broad distribution of ransomware or unfettered access to other target data.

It's clear that endpoints that are under attack face a variety of different sophisticated techniques as actors secure initial access, move laterally through the network, escalate their privilege, and exfiltrate and encrypt data. It's not just the viruses, worms, and Trojans that the first generation of endpoint security technologies protected against either. The modern threat landscape requires a more sophisticated approach than simply scanning endpoints for malware.

Endpoint Is the Last Line of Defense
While modern cybersecurity threats take many different forms, it's clear that in order to defend against threats, organizations need the ability to detect and block a variety of actor actions on the endpoints.

Endpoint security remains the critical linchpin of modern IT security efforts. In the past, actors were largely primarily targeting servers and databases, but today endpoints are both the means of traversing the network and the ultimate objective. Because of this, visibility into the activity on endpoints is critical in order to track and block attacker actions.

Compliance with any number of different regulatory or cybersecurity policies often involves an organization being able to demonstrate that it has controls in place to identify potential risks and attacks. Having the ability to query endpoints across the enterprise to understand their current operating state and history provides both a powerful security tool and support for the audit process.

Taking a Platform Approach to Endpoint Security
Endpoint security is also a core element of the modern platform architectures for cybersecurity, including SASE, zero trust, and XDR. SASE provides a holistic approach to enable security at the edge of the network, zero trust continuously validates access, while XDR enables detection and response to potential threats.

Endpoint security is increasingly the last critical line of defense for remote employees and the devices they use every day. Endpoint security is now also the control plane for the security industry and a core element of a platform approach that ties different elements of security together.

About the Author

Al Huger is Vice President and General Manager of Platform & Response at Cisco Secure. Al has a rich background in building products focused on security intelligence, vulnerability management, incident response, cloud-based services (SaaS), big data analytics platforms, and managed security services. Al has held technical executive roles in the computer and networking security industry for the past 25 years and is a three-time veteran of launching successful startup companies, Al co-founded and sold companies to McAfee/Intel, Symantec, and Sourcefire.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Everything You Need to Know About DNS Attacks
It's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask. Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted. Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
PUBLISHED: 2023-05-26
Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests ar...
PUBLISHED: 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `ty...
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was...
PUBLISHED: 2023-05-26
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file