Endpoint security is a key consideration for all CISOs and security professionals facing the reality that cyberattacks are now considered inevitable. Industry experts discuss how they think CISOs should best assess how to secure the endpoint – and how Artificial Intelligence and Machine Learning are revolutionising endpoint security.
How should CISOs assess how best to secure the endpoint?
Ray Kafity, Vice President, Middle East, Turkey and Africa at Attivo Networks
Several measures can be implemented by CISOs to help gauge the effectiveness of endpoint security and protect against putting organisations and their critical assets at risk. Some of these include:
Know your security architecture: It’s important to have a baseline understanding of one’s security infrastructure, compliance requirements, associated threat risks and exposure. These are the first steps in establishing an organisation’s security posture and preparing for cyberthreats.
Prevention capabilities: The security fundamentals start with preventing attackers from getting into the network. Typical prevention systems include firewalls, gateways, sandboxes, network access control, endpoint security and other systems that keep track of attacks and block them from entering the network. Choose an endpoint security solution that extends the value of prevention systems by manually or automatically sharing newly discovered attack information and signatures to block and isolate an attacker.
Detection capabilities: Modern-day security posture assumes the network has been compromised and attackers are already inside. Zero-day exploits, ransomware/malware, stolen credentials, man-in-the-middle activity, phishing and insider compromises are just some of the many ways that an attacker can bypass perimeter security. Deception technology provides early and efficient detection of potential threats and attacks across the network, data centre, cloud, IoT devices, SCADA, POS, network infrastructure and more. Moreover, endpoint deceptions provide early and highly effective detection against attackers seeking to harvest credentials by redirecting them to deception assets.
Rapid and accurate detection: Dwell time is a major issue today. According to recent research, it still stands at over 100 days and can be considerably longer in other countries. Clearly, adversaries are afforded way too much time to move around inside your enterprise once they’ve breached it. Therefore, it is important for endpoint solutions to identify infections or policy violations quickly and thus shrink the dwell-time. These alerts must also be accurate and easily actionable so they are not lost amongst false positive alert noise.
Automated response: Choose endpoint solutions that reduce management complexities, share attack data and provide accelerated response by easily connecting the dots across the network and all endpoints to quickly shut down and remediate an attack.
Streamlined integration: Many organisations use multiple security tools. Each product has its own management process and displays information in different ways. This results in complexities pertaining to allocation of resources, deciphering threat information to understand the full scope of an attack and responding to threats quickly. Selecting solutions that have streamlined, native integrations for information sharing and automation with a variety of security vendors will dramatically simplify security operations and accelerate response time.
Rob Lay, Director Solution Architect, Europe, Optiv
CISOs need to think about what the overall strategy for security within their business is. Is the focus more on defending and protecting the environment or ensuring a rapid and effective response to incidents as they occur? With the recent high-profile data breaches, the risk of a cyberattack is no longer ‘if’ but ‘when’ and there is a growing recognition that it’s not possible to avoid incidents. Businesses need to shift their focus to how to respond quickly and effectively to threats rather than just investing in mitigation.
The endpoint estate in most businesses is significant and, with the right technology on the endpoint, this provides significant coverage for threat hunting or anomaly detection capabilities that support efforts in identifying, analysing and responding to incidents.
When planning an endpoint protection strategy, CISOs should think about the integration abilities, both current and road-mapped. As cybersecurity becomes more integrated, it’s important that decisions on specific technologies don’t impact future capabilities through lack of integration.
Additionally, CISOs should take stock of what other tools are deployed on the network as this can have an effect on the best approach for the business. For example, based on what solutions are on the estate, would an additional endpoint technology that provides endpoint detection and response (EDR) capabilities be the right way forward? Or should the existing endpoint solution simply be replaced? It’s important that CISOs take a methodical, planned approach to this. Only by considering endpoint security as part of a broader strategy can it be an effective element of an organisation’s defence.
Karl Lankford, Lead Solutions Engineer, EMEA, Bomgar
While the goals for cybercriminals have stayed the same, their tactics have changed. With an increase in attacks and a wider variety of methods of compromising networks, traditional protections are no longer effective. To stop these breaches and secure the endpoint, businesses need to look at different types of defences aside from just anti-virus and perimeter security.
The best place to start is to implement a least-privilege security strategy using privileged access management tools. This ensures that the right person has the right level of access to do just the task they need on the network – rather than giving an unnecessary blanket level of access. Another layer of defence is privilege escalation and delegation management, which allows IT teams to remove excess admin rights throughout their organisations and only elevate privileges for approved applications and actions.
In fact, we’re seeing that some of the biggest threats to endpoint security are social engineering and phishing attacks which encourage a user to run an application that they wouldn’t normally run. CISOs should look at deploying application whitelisting on employee devices so that applications cannot run unless they have been explicitly approved.
Finally, it may sound simple, but businesses need to ensure that endpoints are patched in a timely manner. It’s understandable that CISOs might not want to interrupt business, but known vulnerabilities must be patched straight away and failure to do this could have dire consequences.
Vincent Bieri, Co-Founder of Nexthink
Many people believe that security management is all about deploying technology that will prevent threats from reaching your network. However, in today’s threat landscape the expectation that these tools can defend against all attacks is simply unrealistic, and it’s clear that CISOs must look beyond traditional solutions and processes.
To protect endpoints more effectively CISOs must complement traditional preventive controls with the ability to detect and respond to inevitable breaches as quickly as possible. How quickly you detect the breach – and what actions you take to contain the damage – can make the difference between an inconvenience and a disaster. The news is full of examples where attackers were able to spend weeks, or even months, moving throughout a network undetected. In order to truly secure endpoints CISOs must ensure that they can detect and respond to a breach coming from one.
For CISOs this means that they must truly understand what is happening on each and every endpoint at any given time. The best way to obtain this critical information is through an end-user analytics platform that enables CISOs and their teams to detect unusual system and application behaviour across all endpoints. Behaviours such as a spike in network traffic, connection with suspicious websites or unknown files executing are red flags and indicators of potential danger, and security teams can recognise them before even the end-users themselves.
Additionally, an end-user experience platform can validate that protective measures are enforced, including employee awareness and supporting the business without degrading performance and usability. With this transparent end-user behaviour and endpoint performance information, CISOs and their teams can retrain users or strengthen technical controls before a breach occurs.
For CISOs, a balance between preventative controls and breach detection and response through end-user management is the key to a strong endpoint security posture.
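The two endpoint controls described in this article, application whitelisting (Karl Lankford's point about blocking anything not explicitly approved) and behavioural detection of traffic spikes, suspicious destinations and unknown files executing (Vincent Bieri's point above), can be illustrated with a small telemetry analyser. The code below is an added example written for this page; it is not a product of any vendor quoted here. The allowlist, the approved domains, the host name, the thresholds and the event stream are all constructed for the example.

```python
"""Added example: a minimal endpoint telemetry analyser.

Illustrative code for this article, not a product from any vendor quoted in it.
The allowlist, domains, hosts and events below are constructed for the example.
"""
import hashlib
import statistics
from collections import defaultdict


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Allowlist keyed by file hash rather than file name, so a renamed or trojaned
# binary does not inherit approval (hypothetical entries).
APPROVED_BINARIES = {
    sha256(b"constructed bytes of excel.exe"): "excel.exe",
    sha256(b"constructed bytes of outlook.exe"): "outlook.exe",
}
APPROVED_DOMAINS = {"mail.example.com", "updates.example.com"}
SPIKE_SIGMAS = 3.0   # flag bytes_out above mean + 3 standard deviations
MIN_BASELINE = 5     # samples a host needs before spike detection starts


def alert(event, rule, severity, detail):
    return {"host": event["host"], "rule": rule, "severity": severity, "detail": detail}


def check_exec(event):
    """Allowlisting decision: anything not explicitly approved is denied."""
    if event["sha256"] in APPROVED_BINARIES:
        return []
    return [alert(event, "unknown_binary", "high",
                  f"{event['image']} ({event['sha256'][:12]}) not approved; execution denied")]


class TrafficBaseline:
    """Per-host baseline of bytes sent per interval, learned from history."""

    def __init__(self):
        self.samples = defaultdict(list)

    def is_spike(self, host, bytes_out):
        hist = self.samples[host]
        spike = False
        if len(hist) >= MIN_BASELINE:
            mean, sd = statistics.mean(hist), statistics.stdev(hist)
            spike = bytes_out > mean + SPIKE_SIGMAS * sd
        if not spike:
            # Only normal traffic feeds the baseline, so an exfiltration burst
            # cannot raise the threshold for the bursts that follow it.
            hist.append(bytes_out)
        return spike


def check_net(event, baseline):
    alerts = []
    if event["dest"] not in APPROVED_DOMAINS:
        alerts.append(alert(event, "unapproved_destination", "medium",
                            f"connection to {event['dest']}"))
    if baseline.is_spike(event["host"], event["bytes_out"]):
        alerts.append(alert(event, "traffic_spike", "high",
                            f"{event['bytes_out']} bytes to {event['dest']} far above baseline"))
    return alerts


def analyse(events):
    """Run every event through the checks; returns alerts in event order."""
    baseline = TrafficBaseline()
    alerts = []
    for ev in events:
        if ev["type"] == "exec":
            alerts.extend(check_exec(ev))
        elif ev["type"] == "net":
            alerts.extend(check_net(ev, baseline))
    return alerts


# Constructed telemetry: a normal morning on ws-017, then a phishing payload
# runs and pushes data to a destination nobody approved.
def _net(bytes_out, dest="mail.example.com"):
    return {"type": "net", "host": "ws-017", "dest": dest, "bytes_out": bytes_out}


def _exec(image, content):
    return {"type": "exec", "host": "ws-017", "image": image, "sha256": sha256(content)}


SAMPLE_EVENTS = [_exec("outlook.exe", b"constructed bytes of outlook.exe")]
SAMPLE_EVENTS += [_net(b) for b in (21000, 24000, 19000, 23000, 22000, 20000)]
SAMPLE_EVENTS += [
    _exec("invoice.exe", b"constructed bytes of a phishing payload"),
    _net(900000, dest="cdn-files.xyz"),
]

if __name__ == "__main__":
    for a in analyse(SAMPLE_EVENTS):
        print(f"{a['severity']:6} {a['host']} {a['rule']}: {a['detail']}")
```

Two design points matter more than the arithmetic. The allowlist keys on the file hash, not the file name, because a phishing payload is happy to call itself `invoice.exe` or even `outlook.exe`. And the traffic baseline deliberately refuses to learn from a sample it has just flagged; otherwise a single large exfiltration burst would raise the threshold for the next one.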
How are AI and machine learning revolutionising endpoint security?
Dr Anton Grashion, Manager – Security Practice at Cylance
It’s an easy question to answer. One of the key difficulties associated with endpoint security and, in fact, cybersecurity in general, is the presence and effect of ‘unknown unknowns’. When assessing risks to an organisation, it is these unknown unknowns that can lead to the underestimation of risk.
As an example, we can’t be sure what the next malware threat will look like, which is why signatures have to be propped up with all manner of other, mostly reactive, technologies. For the same reason, organisations require skilled operatives to sift through the large volumes of alerts that their EDR systems generate. What we have created is a huge number of barking dogs and not all alerts are worthy of exploration.
How AI and ML reverse this situation is made possible by the progress that researchers have made in algorithmic science, as well as the rise of Big Data analytic processing capabilities.
With the centralised analysis of hundreds of millions of file binaries (both known ‘good’ and ‘bad’ samples) collected from public and private malware repositories, the solution then extracts millions of features from each of these files and applies Artificial Intelligence and Machine Learning techniques to build highly accurate mathematical models. The models identify what are statistically good and bad features or combinations of features and are deployed to the endpoint in an extremely lightweight client.
When placed at the heart of a solution – as opposed to being an afterthought bolted on to legacy technology – AI and Machine Learning deliver predictive prevention and allow us to get ahead of the threat curve, especially for zero-day attacks, for the first time. This is a true revolution in endpoint security. No longer do we need a first victim in order to craft, all too slowly, a signature. No longer do we need to allow the threat to detonate and then track indicators of compromise, chasing complexity into the network. Instead we can assess the threat in milliseconds, pre-execution, and stop it before it creates cascading and correlated issues for the security teams.
This not only revolutionises endpoint security but also completely re-maps the economics of cybersecurity by liberating expensive and scarce human resources from their detect and respond duties to those problems that are best solved by human expertise.
Deploying an advanced ML/AI endpoint solution also reduces the number of help desk tickets and improves productivity by being extremely lightweight in terms of resource usage (1-2% CPU, 40-40MB of memory).
Add to this the benefits of not requiring a cloud connection, which enables work in air-gapped environments, and of not needing time-wasting daily updates, and it is clear that AI and ML can truly revolutionise endpoint security.
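The mechanism Dr Grashion describes, extracting features from a file, fitting a statistical model to labelled good and bad samples, and scoring a new file before it executes, can be shown on a toy scale. The example below is added for this page and is not Cylance's model or code: it uses three hand-picked binary features and a Bernoulli naive Bayes classifier trained on eight constructed "binaries", where production systems use millions of features and far richer models. The feature names, the entropy threshold, the API strings, and the training and test samples are all assumptions made for the illustration.

```python
"""Added example: pre-execution file scoring with a tiny statistical model.

Illustrative code for this article, not a vendor's model. Features, thresholds
and every sample below are constructed for the example.
"""
import math
import random
from collections import Counter

# APIs often seen in injectors; VirtualAlloc is also used by legitimate JIT runtimes,
# which is why no single feature decides the verdict (assumed list).
SUSPICIOUS_APIS = (b"VirtualAlloc", b"CreateRemoteThread", b"WriteProcessMemory")
VERSION_MARKERS = (b"CompanyName", b"FileVersion")   # resource strings commercial builds carry


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; packed or encrypted payloads sit near 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


FEATURES = [
    ("high_entropy", lambda d: entropy(d) > 6.5),          # threshold is an assumption
    ("injection_api", lambda d: any(s in d for s in SUSPICIOUS_APIS)),
    ("has_version_info", lambda d: any(s in d for s in VERSION_MARKERS)),
]


def extract(data: bytes):
    return [int(fn(data)) for _, fn in FEATURES]


def train(samples):
    """Bernoulli naive Bayes: per-class probability that each feature is present."""
    labels = ("good", "bad")
    n = {lab: 0 for lab in labels}
    hits = {lab: [0] * len(FEATURES) for lab in labels}
    for data, label in samples:
        n[label] += 1
        for i, f in enumerate(extract(data)):
            hits[label][i] += f
    return {
        "prior": {lab: n[lab] / len(samples) for lab in labels},
        # Laplace smoothing: a feature never seen in a class keeps a small probability
        "p": {lab: [(h + 1) / (n[lab] + 2) for h in hits[lab]] for lab in labels},
    }


def log_odds_malicious(model, data: bytes) -> float:
    """log P(bad | features) - log P(good | features); positive means malicious."""
    feats = extract(data)
    ll = {}
    for label in ("good", "bad"):
        total = math.log(model["prior"][label])
        for f, p in zip(feats, model["p"][label]):
            total += math.log(p if f else 1 - p)
        ll[label] = total
    return ll["bad"] - ll["good"]


def verdict(model, data: bytes, threshold: float = 0.0) -> str:
    return "block" if log_odds_malicious(model, data) > threshold else "allow"


# Constructed training corpus: low-entropy builds with version resources versus
# packed (seeded pseudo-random) payloads, some carrying injection APIs.
_rng = random.Random(7)


def packed(n: int) -> bytes:
    return bytes(_rng.getrandbits(8) for _ in range(n))


def text(s: bytes, reps: int = 30) -> bytes:
    return s * reps


TRAINING = [
    (b"MZ" + text(b"CompanyName Example Corp FileVersion 1.0.0 "), "good"),
    (b"MZ" + text(b"Copyright Example Corp CompanyName Example "), "good"),
    (b"MZ" + text(b"FileVersion 4.2 jit runtime ") + b"VirtualAlloc", "good"),
    (b"MZ" + text(b"CompanyName Contoso ProductName Viewer "), "good"),
    (b"MZ" + packed(2000), "bad"),
    (b"MZ" + packed(2000) + b"CreateRemoteThread\0WriteProcessMemory", "bad"),
    (b"MZ" + packed(1500) + b"WriteProcessMemory", "bad"),
    (b"MZ" + packed(1200) + b"VirtualAlloc", "bad"),
]
MODEL = train(TRAINING)

# Two files the model has never seen: a packed dropper and a legitimate JIT tool.
PHISH = b"MZ" + packed(2000) + b"CreateRemoteThread"
JIT_TOOL = b"MZ" + text(b"CompanyName Contoso FileVersion 2.3 ") + b"VirtualAlloc"

if __name__ == "__main__":
    for name, sample in (("invoice.exe", PHISH), ("jit-tool.exe", JIT_TOOL)):
        print(name, extract(sample), round(log_odds_malicious(MODEL, sample), 2),
              verdict(MODEL, sample))
```

The point worth noticing is that `VirtualAlloc` appears in both a benign training sample and a malicious one, so the classifier cannot lean on it alone; the JIT tool is allowed because low entropy and version resources outweigh the API hit, while the dropper is blocked because all three features point the same way. That is the "combinations of features" argument above, on a scale small enough to check by hand: with equal priors the dropper's odds come out at exactly 50:1 malicious. The verdict needs no signature for this particular payload and no network round trip, which is what makes scoring feasible in milliseconds before execution.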