Endpoint security: Is it enough?
10 July 2017
The endpoint security market is set to reach $27.8 billion by 2025, but why exactly is it more important now than ever? Is it because only once you have deployed endpoint protection can you have true visibility of the whole work network and environment?
BYOD devices make the situation tricky, and unless each and every device is secure, your security solution isn't really foolproof. There is also a simpler argument: if you can see every entry and exit point in a room, the chances of someone getting in unnoticed are vastly reduced. Combine these two reasons with the fact that attackers can mimic an employee's journey across a network from a badly protected endpoint device, and you have a critical situation at hand.
And we aren't even talking about the fact that endpoints are what connect your foolproof and secure systems to what's arguably the most insecure part of the business: human beings.
Tony Rowan, Director Solutions Architecture, EMEA & APAC, SentinelOne, thinks endpoint protection is relevant and important now because antivirus, in its current form, is broken. "It is too big, too messy and too out-of-touch with what's out there most of the time. It is also too complicated to function properly and protect what's out there."
"Maliciousness isn't really in what malicious actors are trying to download onto your machine but in what information about you they are trying to collect from it.
"Behaviour analysis is at the core of what we do. We classify all behaviour and, by storing all of a machine's behaviour and using directed machine learning embedded in algorithms, we know the difference between good and bad. People can say: 'That's just heuristics'. But it isn't, because it would be that if we were to use an isolated event. The particular behaviour we see now is different to what we see later on. Complex behavioural analysis done locally on the machine is the answer to seamless machine learning and, in turn, endpoint protection.
"Automatic kill and quarantine are usual practice, and we also look into forensics, so we discuss different signatures for different events. We have a WannaCry signature and one for Petya/NotPetya. We also use static analysis: hashes are the fingerprints of the machine, and looking into that closely allows us to eliminate a lot of malware.
But hackers and malicious actors are getting smarter, as Dan Larson, Vice President Product Marketing at CrowdStrike, points out: "Traditionally you would think that endpoint security was not enough. I worked for an EPS vendor for ten years and just look at the headlines. Just look at the headlines... Every breach has had a firewall and endpoint security solution in place. And the bad guys have adapted their attack techniques to use things that are known to bypass those barriers. For example, the hot topic right now is the notion of a file-less attack. If you don't write a file for the system, there is nothing for the anti-virus software to analyse. For a number of legacy endpoint technologies this is terrible news.
"Our job is to know what the adversaries are doing so that we can build detections for stuff that the adversaries are building. We started as being a second layer of protection but over the past few years we have become a replacement for antivirus and for other endpoint security.
"The beauty of protecting endpoints is that the thing you install on the device is so small that it doesn't matter if it is on premise, on the desktop or in the cloud. The modern workforce is not in the office all the time. They are not behind the firewall or network security. So endpoint security is more important than ever.
"Most importantly, it is a tool that SMEs need to be using more. Because most of these organisations might not even have a security person. They probably have just one IT guy and that person's job is to do everything. If you look at the traditional model where every business needs to buy multiple products for firewall, for endpoints etc., that's just too much for a small team to handle. Products that combine multiple tasks into one are best suited.
"Endpoint security works everywhere, unlike legacy systems, and that's part of its effectiveness, especially being so easy to install.
"Advanced attacks are currently front of mind. For a long time people thought advanced attacks happened to governments and Fortune 500 companies. But if you look at the recent WannaCry attack, that was a government-level attack, and it got out of hand because relevant information was handed over to script kiddies. So the notion that you only had to worry if you were big is gone now. You are susceptible to the most sophisticated attacks now whoever you are. That's the new normal.
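To make concrete the distinction the two speakers draw, between static hash matching of a file on disk (Rowan's "hashes are the fingerprints") and detection based on what a process does (Rowan's behavioural analysis, and Larson's point that a file-less attack leaves nothing for file-based antivirus to scan), here is an added example that is not SentinelOne's or CrowdStrike's code. It is a toy endpoint sensor in Python that runs both kinds of check over constructed process-creation events. The blocklist hash, the event fields, the parent/child rules and the numeric thresholds are all assumptions chosen for the demonstration, not product behaviour.

```python
"""Toy endpoint sensor: static hash check vs. behavioural rules.

Added illustration for this article (not SentinelOne or CrowdStrike code).
All hashes, events, rules and thresholds below are constructed assumptions.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed "known bad" file body. A real blocklist comes from threat-intel
# feeds; here the hash is derived from the sample so the example runs offline.
KNOWN_BAD_PAYLOAD = b"constructed sample dropper body -- not real malware"
KNOWN_BAD_SHA256 = {hashlib.sha256(KNOWN_BAD_PAYLOAD).hexdigest()}

# Assumed rule tables: which parents should never spawn which script hosts.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}
# PowerShell -EncodedCommand and its short forms followed by a base64 blob.
ENCODED_FLAG = re.compile(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}")


@dataclass
class ProcessEvent:
    """One process-creation record as an EDR sensor might emit it (constructed fields)."""
    pid: int
    parent_image: str
    image: str
    cmdline: str
    dropped_file: Optional[bytes] = None  # bytes of the on-disk file it ran from, if one was written
    files_renamed: int = 0                # renames performed in its first seconds of life
    smb_targets: int = 0                  # distinct hosts it contacted on TCP/445


def static_verdict(ev: ProcessEvent) -> Optional[str]:
    """Signature-style check: hash the file on disk and look it up.
    With no file there is nothing to hash, which is exactly the fileless gap."""
    if ev.dropped_file is None:
        return None
    digest = hashlib.sha256(ev.dropped_file).hexdigest()
    return f"known-bad hash {digest[:12]}" if digest in KNOWN_BAD_SHA256 else None


def behavioural_verdict(ev: ProcessEvent) -> List[str]:
    """Rules over what the process did and where it came from; no file needed."""
    hits: List[str] = []
    parent, image = ev.parent_image.lower(), ev.image.lower()
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        hits.append("office app spawned script host")
    if image == "powershell.exe" and ENCODED_FLAG.search(ev.cmdline) and ev.dropped_file is None:
        hits.append("fileless encoded PowerShell")
    if ev.files_renamed >= 100:                # assumed threshold
        hits.append("mass file rename (ransomware-like)")
    if ev.smb_targets >= 20:                   # assumed threshold
        hits.append("SMB fan-out (worm-like lateral movement)")
    return hits


def assess(events: List[ProcessEvent]) -> Dict[int, dict]:
    """Run both checks; block if either fires (kill-and-quarantine would go here)."""
    out: Dict[int, dict] = {}
    for ev in events:
        s, b = static_verdict(ev), behavioural_verdict(ev)
        out[ev.pid] = {"static": s, "behavioural": b, "block": bool(s or b)}
    return out


# Constructed sample telemetry.
SAMPLE_EVENTS = [
    # 101: classic dropper written to disk, hash is on the blocklist
    ProcessEvent(101, "explorer.exe", "invoice_viewer.exe", "invoice_viewer.exe",
                 dropped_file=KNOWN_BAD_PAYLOAD),
    # 102: fileless: a Word macro launches encoded PowerShell, nothing touches disk
    ProcessEvent(102, "WINWORD.EXE", "powershell.exe",
                 "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAKQA="),
    # 103: same payload recompiled (one byte differs): hash misses, behaviour does not
    ProcessEvent(103, "explorer.exe", "photos.scr", "photos.scr",
                 dropped_file=KNOWN_BAD_PAYLOAD + b"\x00", files_renamed=412, smb_targets=37),
    # 104: benign browser launch
    ProcessEvent(104, "explorer.exe", "chrome.exe", "chrome.exe --profile-directory=Default"),
]

if __name__ == "__main__":
    for pid, verdict in assess(SAMPLE_EVENTS).items():
        print(pid, verdict)
```

Event 101 is the only one the hash check catches; 102 and 103 are blocked solely by the behavioural rules, and 103 shows why a single-byte change defeats a hash while leaving the behaviour (mass renames, SMB fan-out of the kind a worm component produces) intact. Real sensors use far richer telemetry and models, but the asymmetry is the same.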
Rowan agrees with Larson's point when asked why more preventative action isn't being taken now that everyone knows what vulnerabilities are out there: "It is the old issue of complacency: this will never happen to us! Some don't understand the risk, and it will take some a very long time to get over it. Everyone is almost hiding their head in the sand. In fact, I don't think some of them understand the risk or what's out there. It will take them a long time to recover from something like Petya/NotPetya.
"The virus came with a worm element, which means it is self-spreading. And so once the infection took hold, it spread very rapidly. Whereas with most ransomware, you need to click on the link and then it needs all the computers in the network to click on it for it to paralyse the system. But this one was more potent."
Ultimately both agree wholeheartedly that SMEs are more at risk because of fewer resources and budget constraints.
There is a recognition in the industry that breaches are the new normal, and the visibility organisations have into whether they have been breached, in real time, is very poor. With GDPR there will be a requirement to report personal data breaches to the regulator within 72 hours of becoming aware of them. The average time for companies to discover they have been breached is 229 days. So hopefully it will be a wake-up call to the industry: the days when adversaries could go unnoticed for that long need to be over, and 229 days is unacceptable.
The human element of cybersecurity will always mean that the job of securing perimeters will never be 100% watertight. And with so-called perimeters dissolving under the onslaught of BYOD, the need for endpoint security couldn't be more acute than it is now, because, as Rowan points out, attacks are a mixed bag: "Some are very well done, while others are so poorly done that I sometimes wonder why they went to the effort! I saw one with the Barclays bank logo where it looked like they had taken a copy from a 20-year-old cheque book!"