Organizations are being attacked at an increasing rate with breaches causing significant financial and reputational consequences. In the State of Endpoint Security Risk Whitepaper, nearly two-thirds (64%) of respondents reported that their company had experienced one or more endpoint attacks over the past 12 months that successfully compromised data assets and/or IT infrastructure. This is a 17% increase from the previous year’s research (54% of respondents).
By Michelle Salvado, VP & GM Endpoint Security, FireEye
A number of factors contribute to this rise of attacks; from the increase in the number of threat actors to the sophistication of the attacks, to the widening attack surface. Financial gain is still the most common motive behind data breaches, but there has been a rise in breaches associated with government and corporate espionage — carried out by both criminal and government-sponsored groups. These groups have become more sophisticated, moving away from brute force methods and viruses, more often using social and personal attacks, such as phishing, to establish a foothold and then worm their way into an organization. With the growth of BYOD, the proliferation of mobile and cloud, and new IoT advancements, attack routes are ever-increasing.
Traditional defenses are inadequate today
Traditionally, cybersecurity departments deployed desktop anti-malware to stop threats. These products compare an item, such as an attachment or URL, against a database of threat signatures. A new signature is created only after a threat has already caused issues, because some organization has been hit by it. Once a file or URL is traced to a specific compromised site, that site is recorded as a threat source and blocked, and the organization's endpoints are then updated with the new signature. The same process applies to a known good location, which can be "whitelisted" (allowed) based on its reputation. As necessary as it is, all of this takes a tremendous amount of time and resources. Worse, as soon as a "whitelisted" site is given a clean bill of health, it can be hacked and become a source of malware, so static signature and reputation lists are continually out of date.
Historically, these defenses worked well enough, provided the endpoints could be updated frequently with new signature databases. In the last few years, new threats and new methodologies have arrived faster than systems can be updated. Attacks are built and targeted specifically to bypass the existing signature base, often using social or email campaigns such as phishing or identity impersonation. Consequently, the percentage of threats these defenses can block has significantly diminished.
So the question for an organization that relies on these traditional models is not whether it will be penetrated; it is when, and whether anyone will discover it before it causes damage.
This situation is much like taking a conventional passenger van and putting it in a drag race against a Formula One racer. The van would be sorely outclassed against its competitor from start to finish. In effect, the F1 could make multiple laps before the van finished its first lap. This doesn’t mean the van has no value; it certainly does. But if it’s expected to play in this new field, it needs new capabilities. Unfortunately, even if we can make it faster, it still has a basic design that will always limit its top speed, no matter how much it is modified. A full redesign and new thinking of the van would be required before it would even have a chance to compete.
Closing the gaps
Essentially, there is a gap between conventional endpoint security methods (signatures and whitelists) and the dynamic, beyond-signature detection needed to block advanced threats, and that gap needs to be closed. Responding to threats requires an understanding of the attackers and their tools, techniques, and procedures, not just a catalog of threats. That requires analysts to use sophisticated tools to inspect and analyze all threats in real time across the entire organization, from its core to every endpoint.
Newer, more flexible endpoint protection, often labeled "next-generation" endpoint security, can combat these threats by combining an advanced endpoint protection platform (EPP) with newer endpoint detection and response (EDR) capabilities to find breaches quickly when they occur. Some of the prime advantages of such a next-generation endpoint security solution include:
- Defending the endpoint with a defense-in-depth mindset. Start with the best of legacy signature-based detection to find and block common malware, then add new capabilities, such as behavioral and machine-learning engines, to find the advanced threats.
- Finding the threats that have bypassed that protection, using intelligence-based indicators of compromise (IOCs). Once a threat is found, inspecting and analyzing the breach to obtain a complete activity timeline and forensic details on the incident.
- Conducting complex searches across all endpoints to find known and unknown threats, isolating compromised devices for further analysis with a single click, then deploying fixes across all endpoints.
Even with all these capabilities to address the wide variety of threats and methodologies organizations constantly face, integration is the key to an effective defense. Next-generation endpoint security combines comprehensive endpoint visibility with threat intelligence, which lets analysts adapt their defense based on real-time details and deploy informed, tailored responses. This must be delivered within an integrated, automatic threat detection and prevention system that is tightly coupled with threat intelligence and detailed threat visibility. Automation addresses the overwhelming volume of threats, while integrated threat intelligence and endpoint visibility let analysts gather details on high-risk threats, quickly determine an effective response, and deploy it across the entire organization.
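To make the three layers above concrete, here is an added example (it is not code from the article, from FireEye, or from any product) that models the gap the article describes: an exact-hash signature catches a known sample but misses a one-byte variant; a behavioral rule catches the variant by what it does; and an IOC sweep over endpoint telemetry builds a per-host timeline and decides which hosts to isolate. All file contents, hashes, hostnames, domains, IP addresses, event names and scoring weights are constructed sample data and assumptions for illustration.

```python
"""Toy three-layer endpoint detection pipeline (added example, constructed data)."""
import hashlib
from collections import defaultdict

# --- Constructed sample "binaries" (stand-ins for real executables) -----------
KNOWN_MALWARE = b"MZ\x90\x00 dropper v1 payload"
VARIANT = KNOWN_MALWARE[:-1] + b"!"  # one-byte change: same behavior, new hash
BENIGN = b"MZ\x90\x00 notepad"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Layer 1: signature database, populated only after the first victim reported it.
SIGNATURES = {sha256(KNOWN_MALWARE)}


def signature_match(data: bytes) -> bool:
    """Exact-hash lookup: the traditional approach. Misses any modified sample."""
    return sha256(data) in SIGNATURES


# Layer 2: behavioral rule. Action names and weights are assumed telemetry
# vocabulary; a process whose actions score >= BEHAVIOR_THRESHOLD is flagged.
BEHAVIOR_WEIGHTS = {
    "write_run_key": 3,            # persistence via an autostart registry key
    "spawn_encoded_powershell": 4, # obfuscated child process
    "outbound_rare_domain": 3,     # beaconing to a never-seen domain
    "read_document": 0,            # normal user activity
    "write_temp_file": 1,          # weakly suspicious on its own
}
BEHAVIOR_THRESHOLD = 6


def behavior_score(actions) -> int:
    return sum(BEHAVIOR_WEIGHTS.get(a, 0) for a in actions)


def behavior_match(actions) -> bool:
    """Flags a process by what it does, regardless of its hash."""
    return behavior_score(actions) >= BEHAVIOR_THRESHOLD


# Layer 3: IOC sweep. Intelligence now knows the variant's hash plus a domain/IP.
IOCS = {
    "sha256": {sha256(KNOWN_MALWARE), sha256(VARIANT)},
    "domain": {"update-cdn.example"},
    "ip": {"203.0.113.7"},
}
EVENT_TO_IOC = {"file_write": "sha256", "dns": "domain", "netconn": "ip"}

# Constructed telemetry: (host, UTC timestamp, event type, value), unordered.
TELEMETRY = [
    ("ws-041", "2019-05-01T09:04:02Z", "netconn", "203.0.113.7"),
    ("ws-041", "2019-05-01T09:02:10Z", "file_write", sha256(BENIGN)),
    ("ws-041", "2019-05-01T09:03:50Z", "dns", "update-cdn.example"),
    ("ws-041", "2019-05-01T09:03:44Z", "file_write", sha256(VARIANT)),
    ("ws-112", "2019-05-01T10:15:00Z", "dns", "intranet.example"),
    ("ws-088", "2019-05-01T10:40:12Z", "dns", "update-cdn.example"),
    ("srv-07", "2019-05-01T11:20:31Z", "file_write", sha256(KNOWN_MALWARE)),
]


def ioc_sweep(telemetry, iocs):
    """Return {host: [(ts, event_type, value), ...]} as a time-ordered timeline."""
    hits = defaultdict(list)
    for host, ts, etype, value in telemetry:
        if value in iocs.get(EVENT_TO_IOC.get(etype, ""), set()):
            hits[host].append((ts, etype, value))
    return {host: sorted(events) for host, events in hits.items()}


def triage(hits):
    """Isolate hosts with a known-bad file or corroborating hits; review the rest.

    A lone DNS hit may be a false positive (e.g. a user mistyping a domain),
    so it goes to analyst review rather than automatic isolation.
    """
    isolate, review = [], []
    for host, events in hits.items():
        has_bad_file = any(etype == "file_write" for _, etype, _ in events)
        (isolate if has_bad_file or len(events) >= 2 else review).append(host)
    return {"isolate": sorted(isolate), "review": sorted(review)}


if __name__ == "__main__":
    print("signature catches known sample:", signature_match(KNOWN_MALWARE))
    print("signature catches variant:     ", signature_match(VARIANT))
    variant_actions = ["read_document", "write_temp_file",
                       "write_run_key", "spawn_encoded_powershell"]
    print("behavior catches variant:      ", behavior_match(variant_actions))
    found = ioc_sweep(TELEMETRY, IOCS)
    for host, events in found.items():
        print(host, "timeline:", events)
    print("triage:", triage(found))
```

Run stand-alone, the script shows the hash signature returning True for the known sample and False for the variant, the behavioral rule returning True for the variant's actions, a sorted timeline for ws-041 (file write, then DNS, then connection), and a triage decision that isolates ws-041 and srv-07 while sending ws-088's single DNS hit to review. The weights, threshold and the "one hash hit or two corroborating hits" rule are deliberately simple placeholders for the intelligence-driven logic a real EPP/EDR product would supply.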
With this next-level of smart, comprehensive and integrated endpoint defense solutions, security professionals are enabled to block the common and advanced threats and find and respond to breaches when they do occur. Security professionals are no longer driving an outdated van trying to keep up with the F1 racer, but rather an advanced, rebuilt racer specific to this new environment.
About the Author
Michelle Salvado is the Vice President & GM for Endpoint Security at FireEye. She is an accomplished technical leader with deep knowledge of software engineering execution, operations, agile transformation, adoption, process implementation and continual improvement. She also possesses a strong focus on coaching leadership in an effort to achieve enterprise agility and has proven experience in building and managing software engineering and services organizations.
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.