Market research firms and analysts have been predicting the rise of endpoints for years. They project a surge in IoT devices as 5G networks, which the U.S. and other countries have begun deploying, roll out, and the weak security of IoT-enabled devices has raised serious concerns. But when the pandemic was declared in March 2020, the narrative changed, as employees packed up and moved their workstations to their homes. The surge in connected devices used by work-from-home employees worries CIOs and CISOs, who are already under pressure to accelerate digital transformation plans.
By Brian Pereira, Editor-in-Chief, CISO MAG
By Gartner's estimates, in 2019 there were 365 million desktops in use in offices worldwide. Today, over 1 billion people work from home, employed by 90% of organizations, and employee endpoints have tripled. In recent months the demand for PCs, laptops, and tablets shot through the roof; at times retailers ran out of stock. But the apprehension is not about the shortage of devices or poor connectivity at home. The bigger concern is inadequate security on those devices, which could lead to data breaches.
Enterprise networks and the devices behind corporate firewalls are protected by technology stacks and layers of security controls, governed by security policies and compliance requirements. Security and operating system updates are pushed to devices regularly. USB ports and selected network ports are blocked. Storage and backups go to enterprise-approved cloud services. Firewalls ring the network, and tools such as identity and access management control who can reach what. At home it is a different scenario, akin to leaving your front door open for anyone to walk in.
As employees transitioned to their home offices, there was little time to reconfigure laptops and enforce new controls and security policies. The cybersecurity strategies for most organizations are not designed for remote work environments and need major changes to address the cyber threats posed by remote work.
Home networks and endpoints operate in untrusted environments and clearly raise the risk to corporate networks. Zero trust? Ha! Data leakage looms large, remote workers pose all kinds of threats, and the probability that they will violate corporate security policy is high. That is a worry for any organization that holds intellectual property or customer data.
The responsibility for managing endpoint security fell squarely on the remote worker. Months later, security may have vastly improved as IT enforced new policies and controls. But what stops an employee from clicking a malicious link or attachment in a phishing e-mail? Is the IT team really checking whether an employee is using the office laptop to watch a movie on Netflix, or something far worse? How many organizations enforce URL filtering or block social media on remote devices? And what stops an employee from backing up enterprise data to personal cloud storage or removable media? Then there are home routers with factory-default passwords, susceptible to hacking by the kid next door (step-by-step instructions are on YouTube and other websites).
To counter these challenges, some organizations opted for VDI (Virtual Desktop Infrastructure) and desktop-as-a-service. But could this solution entirely prevent risks like data leakage? How do you stop an employee from using their phone camera to take snapshots of what is shown on the screen? Keep the webcam on all day?
IT mandated the use of corporate-approved VPNs and anti-malware. A CISO MAG 2020 survey found that one in three employees do not use a VPN. In any case, a VPN only authenticates the tunnel: VPNs are notorious for their rigid rules and cannot detect abnormal user behavior once a session is established.
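Because the VPN itself will not do this, the check for abnormal behavior has to run downstream, over the concentrator's authentication logs. The following is an added example written for this article; it is not CISO MAG's, the survey's, or any VPN vendor's code. The log format, user names, IP addresses, coordinates, device IDs, and the speed threshold are constructed for illustration. It builds a per-user baseline from earlier logins and flags three things a rule-based VPN will pass silently: impossible travel between consecutive logins, a country the user has never logged in from, and a device ID never seen before.

```python
"""Detect abnormal VPN logins from the concentrator's authentication log.

Added example for this article; it is not CISO MAG's, the survey's, or any
VPN vendor's code. The log format, user names, IP addresses, coordinates,
device IDs and the speed threshold are all constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample log: one successful VPN login per line.
# Fields: UTC timestamp, user, source IP, country, latitude, longitude, device ID.
SAMPLE_LOG = """\
2020-11-02T08:55:10Z alice 203.0.113.7 IN 19.08 72.88 LAPTOP-A1
2020-11-02T18:40:02Z alice 203.0.113.7 IN 19.08 72.88 LAPTOP-A1
2020-11-03T02:15:09Z bob 192.0.2.55 IN 28.61 77.21 DESKTOP-B7
2020-11-03T09:01:44Z alice 203.0.113.7 IN 19.08 72.88 LAPTOP-A1
2020-11-03T09:30:00Z alice 198.51.100.23 US 40.71 -74.01 LAPTOP-A1
2020-11-04T10:10:10Z bob 192.0.2.55 IN 28.61 77.21 UNKNOWN-DEVICE
"""

MAX_SPEED_KMH = 900.0    # assumed: faster than a commercial flight is impossible travel
MIN_DISTANCE_KM = 100.0  # assumed: ignore geolocation jitter within a metro area


@dataclass
class Login:
    ts: datetime
    user: str
    ip: str
    country: str
    lat: float
    lon: float
    device: str


def parse_log(text):
    """Parse the constructed log format into Login records."""
    logins = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country, lat, lon, device = line.split()
        logins.append(Login(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            user, ip, country, float(lat), float(lon), device))
    return logins


def distance_km(lat1, lon1, lat2, lon2):
    """Great-circle distance (haversine) between two points, in kilometres."""
    earth_radius_km = 6371.0
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlam / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def detect_anomalies(logins):
    """Return (user, alert_type, detail) tuples for logins that break the user's baseline.

    The baseline is what has been seen for that user earlier in the stream,
    so a user's first login is never flagged. Three checks: impossible travel
    between consecutive logins, a country never seen before, and a device ID
    never seen before.
    """
    alerts = []
    last_login = {}        # user -> previous Login
    seen_countries = {}    # user -> set of countries
    seen_devices = {}      # user -> set of device IDs
    for login in sorted(logins, key=lambda l: l.ts):
        prev = last_login.get(login.user)
        if prev is not None:
            hours = (login.ts - prev.ts).total_seconds() / 3600.0
            km = distance_km(prev.lat, prev.lon, login.lat, login.lon)
            if km > MIN_DISTANCE_KM and hours > 0 and km / hours > MAX_SPEED_KMH:
                alerts.append((login.user, "impossible_travel",
                               f"{km:.0f} km in {hours:.2f} h from {prev.ip} to {login.ip}"))
            if login.country not in seen_countries[login.user]:
                alerts.append((login.user, "new_country", login.country))
            if login.device not in seen_devices[login.user]:
                alerts.append((login.user, "new_device", login.device))
        seen_countries.setdefault(login.user, set()).add(login.country)
        seen_devices.setdefault(login.user, set()).add(login.device)
        last_login[login.user] = login
    return alerts


if __name__ == "__main__":
    for user, kind, detail in detect_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{user:6} {kind:18} {detail}")
```

On the constructed log, alice's login from a U.S. address 28 minutes after one from India raises both an impossible-travel and a new-country alert, and bob's login from an unfamiliar device ID raises a new-device alert. In production the baseline would be persisted rather than rebuilt per run, and the geolocation would come from an IP-to-location lookup rather than from the log itself.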
Changing Attack Surface
Cybercriminals are taking advantage of the surge in remote work to exploit new attack vectors exposed by reliance on weakly secured telework infrastructure. CISO MAG online has reported on attacks on remote workers with COVID-related themes. The many scams play on fake news about the spread of the virus and on offers of N95 masks and PPE kits in bulk at "dirt cheap" prices. More recently there are BEC (Business Email Compromise) attacks themed around COVID vaccine research breakthroughs and vaccine availability. These scams are engineered to exploit a human weakness: FUD (fear, uncertainty, and doubt).
Operation Falcon, conducted by INTERPOL, is a recent example. Three Nigerian BEC scammers, part of a larger cybercriminal group dubbed TMT, were arrested in Lagos. Analysis of their operations revealed that the gang distributes phishing emails carrying popular malware strains under the guise of purchase orders, product inquiries, and even COVID-19 aid, while impersonating legitimate companies. The attackers use Gammadyne Mailer and Turbo-Mailer to send the phishing emails and track them with MailChimp to see whether a recipient has opened the message. This is another example of an attack that enters through the endpoint.
“The most common attacks are the results of using the endpoint segment as an entry vector, to get into the organization,” says Prateek Bhajanka, Senior Principal Analyst, Gartner. “It is ransomware campaigns and the ransomware infections that we generally know about — WannaCry, NotPetya, and other ransomware campaigns and infections. Besides ransomware, there are phishing campaigns, spear-phishing campaigns, attacks like social engineering, and business email compromise. Data breaches result in data exfiltration and these propagate through an endpoint segment.”
Once a compromised endpoint connects to the corporate network, the attack spreads laterally. Attackers target endpoints as a foothold, move laterally through the network, and aim to take over privileged accounts.
Over the years, endpoint protection has evolved from prevention (antivirus, data encryption, intrusion prevention, data loss prevention) to detection and response (EDR). Today the market offers a range of endpoint security tools and managed endpoint services built on both.
“When we talk about endpoint security technology, it is not just the anti-virus that we need anymore. We need a technology stack that can protect the organization across the layers, not just endpoint, and not just from malware, but also from phishing attacks. It should protect the endpoints from malicious websites that you may be browsing on a daily basis,” says Bhajanka.
Attacks on endpoints can result in credential theft and account takeover. That is why endpoint security must go beyond antivirus.
A New Approach
Traditional approaches that protected endpoints from behind corporate firewalls no longer apply in today's context; a new approach is needed.
“There is no perimeter anymore, and the organization has become boundary-less,” says Bhajanka. “And at the same time, the attack surface of an organization has also become wider and endless for the reason that now you may have one associate working from different locations in different cities. That makes endpoint security a top priority for CISOs and security professionals.”
Bhajanka suggests that security should be deployed in such a way that it should not matter where you work from – it should offer the same level of security.
According to Check Point, a modern-day endpoint security strategy must include the following:
Prevention-first Approach: The number and sophistication of cyberthreats are growing rapidly. A focus on prevention is essential to ensuring that lean security teams are not overwhelmed and for minimizing the cost and impact of cyberattacks on the organization.
AI-driven Security: Security teams lack the ability to scale to meet their growing workloads. Leveraging AI to automate and expedite threat detection, investigation, and response maximizes the efficiency and effectiveness of limited security personnel.
Strong Remediation and Recovery Capabilities: With a remote workforce, employee computers will be compromised by cybercriminals. Security teams need to have the policies, procedures, and tools required to rapidly and effectively remediate a security incident.
Consolidated Security: Reliance on an array of standalone security solutions means that security analysts waste valuable time switching between dashboards and lack the comprehensive visibility required to detect and respond to incidents. Next-generation security requires a consolidated security architecture with single-pane-of-glass visibility and management.
Strong Real-Time Threat Intelligence: The cyber threat landscape evolves rapidly, with many campaigns active for only minutes or hours. Access to real-time, strong threat intelligence is essential to an organization's ability to protect against the latest threats, not ones from days or weeks ago.
Unified to Reduce TCO: Deploying separate solutions for EPP, EDR, NGAV (next-gen antivirus), VPN, etc. creates a complex environment that is difficult and expensive to configure and maintain. Deploying a unified security solution is essential to minimizing the total cost of ownership (TCO) of enterprise cybersecurity.
Cloud-Based: As corporate resources move to the cloud it is essential that cybersecurity solutions follow. A cloud-based security solution provides native protection to cloud assets as well as taking advantage of the flexibility and scalability offered by the cloud.
Additionally, the strategy should be policy-driven. Enforce tight security controls at every endpoint, backed by stringent security policies, and apply zero-trust, least-privilege access to all endpoints by default, so that a device earns access by proving its posture rather than by being on the corporate network.
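What a zero-trust, least-privilege policy looks like when written down is shown in the following added example. It is not CISO MAG's code or any vendor's policy engine; the posture attributes, the three resource tiers, the 30-day patch threshold, the evaluation date, and the sample devices are constructed assumptions. The point it makes is that access is denied by default and granted tier by tier only for the checks the device actually passes, and that a refusal comes with the list of failed checks so the remote worker knows what to fix.

```python
"""Zero-trust, least-privilege access decisions driven by endpoint posture.

Added example for this article; it is not CISO MAG's code or any vendor's
policy engine. The posture attributes, resource tiers, the 30-day patch
threshold, the evaluation date and the sample devices are constructed.
"""
from dataclasses import dataclass
from datetime import date

MAX_PATCH_AGE_DAYS = 30          # assumed policy: OS security updates no older than 30 days
AS_OF = date(2020, 12, 1)        # constructed evaluation date


@dataclass
class Posture:
    """What a device-management or EDR agent reports about an endpoint."""
    device_id: str
    managed: bool         # enrolled in corporate device management
    disk_encrypted: bool
    edr_running: bool
    os_patch_date: date   # date of the last installed OS security update
    screen_lock: bool
    local_admin: bool     # the user's account holds local administrator rights


# Constructed policy: each resource tier lists the posture checks it requires.
# A device earns access tier by tier; it is never trusted for being "on the VPN".
REQUIREMENTS = {
    "webmail":       {"managed", "disk_encrypted", "edr_running"},
    "internal_apps": {"managed", "disk_encrypted", "edr_running", "patched", "screen_lock"},
    "source_code":   {"managed", "disk_encrypted", "edr_running", "patched", "screen_lock",
                      "no_local_admin"},
}


def passed_checks(p, today):
    """Return the set of named checks the device currently satisfies."""
    results = {
        "managed": p.managed,
        "disk_encrypted": p.disk_encrypted,
        "edr_running": p.edr_running,
        "patched": (today - p.os_patch_date).days <= MAX_PATCH_AGE_DAYS,
        "screen_lock": p.screen_lock,
        "no_local_admin": not p.local_admin,
    }
    return {name for name, ok in results.items() if ok}


def decide(p, today):
    """Deny by default: a tier is granted only when every check it requires passed.

    Returns (allowed_tiers, denied) where denied maps each refused tier to the
    sorted list of checks that failed, so the user can be told what to fix.
    """
    passed = passed_checks(p, today)
    allowed = {tier for tier, req in REQUIREMENTS.items() if req <= passed}
    denied = {tier: sorted(req - passed)
              for tier, req in REQUIREMENTS.items() if not req <= passed}
    return allowed, denied


# Constructed sample devices.
COMPLIANT = Posture("LAPTOP-A1", True, True, True, date(2020, 11, 20), True, False)
STALE_ADMIN = Posture("LAPTOP-C3", True, True, True, date(2020, 10, 10), True, True)
HOME_PC = Posture("HOME-PC", False, False, False, date(2020, 6, 1), True, True)


if __name__ == "__main__":
    for dev in (COMPLIANT, STALE_ADMIN, HOME_PC):
        allowed, denied = decide(dev, AS_OF)
        print(dev.device_id, "allowed:", sorted(allowed), "denied:", denied)
```

On the sample devices, the fully compliant laptop reaches all three tiers; the laptop whose patches are 52 days old and whose user runs as local administrator is limited to webmail; the unmanaged home PC with no EDR and no disk encryption gets nothing. In a real deployment the Posture record would be populated from the device-management or EDR agent and re-evaluated on every request, not once at login.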
Traditional approaches to endpoint protection are no longer adequate for a distributed or remote workforce. Organizations need to deploy enterprise-grade security controls and update their security policies for remote work.
There are many endpoint solutions on the market. Look for a unified solution that simplifies management and increases the effectiveness of endpoint security; as noted above, consolidation also minimizes the total cost of ownership (TCO) of enterprise cybersecurity.
Create a rapid action task force and strategy to remediate and protect endpoints.
As organizations move more infrastructure to the cloud, one needs to think holistically: secure not just endpoints but also "workloads" and infrastructure. Deploy "intrinsic" security with AI, analytics, and predictive capabilities, and take a prevention-first approach.
This story first appeared in the December 2020 issue of CISO MAG.
Brian Pereira is the Editor-in-Chief of CISO MAG. He has been writing on business technology concepts for the past 26 years and has achieved basic certifications in cloud computing (IBM) and cybersecurity (EC-Council).