Endpoint security isn’t a fair fight. Companies have to protect each and every endpoint, while attackers only need to breach one. That might explain why attackers love your endpoints.
If you ask me, there are 3 items companies need to follow to secure their endpoints.
- First, deploy multi-factor authentication on all your endpoints.
- Second, conduct regular end-user security awareness training.
- And third, deploy and use endpoint security tools for visibility, posture hardening, and protection.
This blog will walk through 9 trends in endpoint security, all of which fall under the 3rd item above.
The endpoint security market is flourishing. Endpoint security is focused on locking down endpoints — individual computers, workstations, servers and cloud VMs — in order to keep data safe. But keeping enterprise endpoints protected not only from basic malware attacks but also from sophisticated fileless attacks is a challenge.
Of course, as attackers and threats evolve, endpoint security solutions must evolve as well. Endpoint security vendors are expected to stay one step ahead of the advances in attack techniques. And enterprise security teams must try to keep pace with the changes in endpoint security products and vendors, and sort through the marketing messaging.
Traditional anti-virus (AV) solutions are still very much the primary endpoint security approach for many organizations, but there is a definite shift toward more contemporary, “next-gen” or “advanced” solutions that are better suited to handle modern, increasingly sophisticated threats.
So let’s start with a refresher on “what is endpoint security?” before we jump into the endpoint security trends.
What is Endpoint Security?
Since there is so much good content out there to answer this question, I decided not to reinvent the wheel. Instead, I selected the following from a 2018 article in CSO Online by Josh Fruhlinger titled “5 top trends in endpoint security for 2018”.
“Endpoint security is a security approach that focuses on locking down endpoints — individual computers, phones, tablets and other network-enabled devices — in order to keep networks safe. That might sound like a fancy name for putting a firewall and antivirus software on your PC, and indeed in the early days of the category there was some suspicion that it was a marketing buzz phrase to make anti-virus offerings sound cutting edge.
But what distinguishes endpoint security offerings from simple home computer protection is the idea that the security tools on the endpoints are managed centrally by corporate IT. The security measures run on two tiers: there are software agents that run in the background on endpoints, and a centralized endpoint security management system that monitors and controls the agents. That management system can be a control panel monitored by IT staff or an automated system … or some combination of the two.
You'll sometimes hear the phrase endpoint protection used interchangeably with endpoint security. Gartner defines an endpoint protection platform as "a solution that converges endpoint device security functionality into a single product that delivers antivirus, anti-spyware, personal firewall, application control and other styles of host intrusion prevention (for example, behavioral blocking) capabilities into a single and cohesive solution." So, strictly speaking the term can include products that aren't centrally managed, though just about anything marketed to enterprise-class customers will be. And, yes, you do sometimes catch companies touting their anti-virus products as "endpoint protection." Let the buyer beware.”
by Josh Fruhlinger, CSO Online, May 11, 2018
Now for the key trends I see shaping endpoint security in 2019 and beyond.
SaaS Based or Cloud-Delivered Endpoint Security
Enterprise use of SaaS-based or cloud-delivered (you pick which name you like best) endpoint security solutions continues to increase. The obvious benefits of cloud-delivered security listed below are the driving force behind this adoption.
- The simplicity of the deployments.
- The cost-savings with cloud storage and computing scalability.
- The low maintenance requirements.
- The simple on-going feature deliveries of a SaaS model.
And centralizing endpoint security data collection provides for superior threat detection analytics in real-time using machine learning and other detection techniques and offloads these analytics to the cloud reducing possible negative performance impacts on the endpoints.
Finally, the centralization of endpoint security data in the cloud provides for improved enterprise correlation of events across all sites and locations.
The only downside to cloud-delivered security solutions is that they introduce data privacy and possibly regulatory issues for certain organizations. To minimize these worries, vendors can provide visibility into the data uploaded to the cloud and implement data masking where necessary.
Machine Learning (ML) for Improved Endpoint Protection
Machine learning, or what is often referred to in marketing materials as artificial intelligence (AI), is all the rage in the cyber-security world and that is also the case in endpoint security. But I don’t mean to belittle the topic, as it’s a very important endpoint security trend that is not going away. Roark Pollock addresses the topic well in the following excerpt from his blog titled “The Growing Role of Artificial Intelligence in Cybersecurity”.
"The problem with the traditional endpoint security approach is that in recent years cyber threats have become too numerous and too sophisticated for legacy anti-virus to keep up. For example, in 2017 experts discovered over 7.4 million new malware specimens, leading some to call it the "Nightmare Year" for cybersecurity. To put that figure in perspective, it represents a 5,600% increase over the past decade.
Thankfully, recent advancements in machine learning – the building of algorithms that use statistical techniques to improve their own code – are enabling a more effective approach for endpoint security. Rather than trying to “teach” software all of the individual threats to look for, engineers can instead feed machine learning algorithms millions and millions of examples of cyber threats, allowing the systems to “learn” for themselves how to distinguish friend from foe. Thus, when hackers produce new variants of viruses and malware to avoid the signature-detection of traditional antivirus, machine-learning based endpoint security, understanding the patterns and anomalies that characterize malware, is rarely fooled. One recent study found that an AI-powered system identified zero-day threats correctly 98.88% of the time, compared to the 71.16% success rate of traditional AVs.
So, does this mean machine learning is the silver bullet of endpoint protection? Not quite. The technology has limitations, most notably that it takes enormous amounts of data and computing power to make it work properly. But machine learning is so effective that even hackers are using the technology, training their programs to evade even the most sophisticated defenses. Increasingly, cybersecurity is becoming a matter of AI versus AI.”
Enterprises have been quick to see the value of machine learning models in detecting malicious files, automating basic security tasks, and enhancing their SOC team's work around threat hunting.
The key challenge with ML is discerning the actual value beyond the buzz word, and the best approach is to focus on measurable outcomes.
Endpoint Agent Consolidation
Endpoint security has been undergoing consolidation from the very early days, and it continues today. In the early days, anti-virus, anti-malware and personal firewall products were consolidated into a single suite. Now we’re seeing consolidation of siloed endpoint security tools into a single agent that enables centralized management of these multiple security functions. Regardless of the functions being incorporated into a single agent, the emphasis is on simplifying the overall solution for customers. There is a baffling number of tools today that profess to offer or help with endpoint security, each of which has its own agent running on the endpoint. That explains why companies report having ten or more agents running on their endpoints for a wide array of security functions. Thus, endpoint security vendors are responding by simplifying their offerings and consolidating their functionality into a single agent.
Rapid Consolidation of EPP and EDR
Similar to the consolidation happening at the endpoint agent level, there is also a massive move underway in the endpoint security market: the consolidation of what Gartner refers to as endpoint protection platforms (EPP) and endpoint detection and response (EDR). Established EPP / traditional AV vendors are rapidly moving to add EDR capabilities, while dedicated contemporary EDR vendors are adding prevention capabilities. This is bringing about a rapid consolidation of these heretofore separate and massive markets. Today, companies want endpoint security solutions that combine, at a minimum, pre-execution prevention, post-execution detection, and response / remediation capabilities into one holistic solution. Currently, Gartner estimates that “approximately 40% of EDR deployments are using both EDR and EPP from the same vendor.” Assuming this trend continues, we can probably expect to see this number increase in future years.
Feature / Functionality Trends
Fileless Attack Vector Prevention
It is clear that endpoint security solutions must move beyond simply preventing known file-based malware which has been the realm of traditional anti-virus solutions for years. Today, fileless attacks and the need to prevent fileless attacks is on the rise and recognized by most cyber-security practitioners. Below is an excerpt from a recent blog titled “Artificial Intelligence (AI) in Cybersecurity: Stopping Fileless Attacks” that explains how and why ML is being used to prevent fileless attack vectors in endpoint security.
“One area in which AI security models are proving to be particularly effective is in defending endpoints against so-called “fileless” attacks. These attacks were first identified as early as 2001, but they’ve only come to the forefront of cybersecurity recently. In fact, last year according to “The 2017 State of Endpoint Security Risk” report by the Ponemon Institute, fileless attacks were included in an estimated 77% of successful data breaches worldwide. In that same report, Ponemon reports that 35% of all cyber-attacks are fileless exploits.
So, what are fileless attacks and what makes them so successful at infiltrating endpoints? Most often, traditional malware infiltrates digital endpoints by stowing away in long term storage, trying to trick users into executing malicious files so that it can take control.
Fileless malware, on the other hand, circumvents the stowaway step by infiltrating an endpoint’s memory directly. It does this by manipulating a system’s registry – the database where the system’s low-level settings are kept – acting as a kind of deviant administrator to steal information or disable key features.
Often, this means that no action is required by the user for the “non-malware” to take hold. Even more important, this property makes it extremely difficult for traditional anti-virus software to detect. Signature-based scans typically don’t interact with an endpoint’s registry at all. And even if the AV does come into contact with the malicious code, its built-in heuristics will only rarely identify the fileless threat.
The beauty of machine learning-powered systems is that they don’t rely on signatures, heuristics, or traditional scans at all. Instead, they apply sophisticated algorithms to vast amounts of information, continuously updating themselves to recognize threats, new or old, based on patterns in the data. This makes them extremely effective at identifying and protecting against fileless attacks.
In the era of fileless attacks, AI is by far the best approach for cybersecurity. That’s why we’ve recently integrated machine learning models with the Ziften endpoint protection platform for multi-vector cyber-attack prevention that includes preventing fileless attacks.”
Some endpoint security vendors are working to provide defense against fileless attack vectors as it's a crucial capability that all endpoint security vendors will need to offer to worried customers. Expect to hear more around this topic in 2019.
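The excerpt above describes fileless malware establishing itself through the registry rather than through a file on disk. The defender's counterpart is to review logon autorun entries for the traits that distinguish such persistence from ordinary software. The following is an added example, not code from the original post or from Ziften: a small triage script over a constructed tab-separated registry Run-key export (the hostnames, value names and the encoded-command payload are placeholders). It flags entries that launch a script interpreter or proxy-execution binary, use hidden-window or encoded-command switches, or point into user-writable directories, and it notes when the entry lives in a per-user hive that needs no administrator rights to write.

```python
import re
from typing import Dict, List

# Constructed sample in a simple "key<TAB>value-name<TAB>value-data" export
# format. These entries are made up for illustration and do not come from
# any real endpoint; the encoded-command payload is a placeholder.
SAMPLE_EXPORT = "\n".join([
    "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\tSecurityHealth\t%windir%\\system32\\SecurityHealthSystray.exe",
    "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\tVendorUpdater\tC:\\Program Files\\ExampleVendor\\updater.exe /background",
    "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\tUpdater\tpowershell.exe -WindowStyle Hidden -NoProfile -EncodedCommand <base64-placeholder>",
    "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\tSyncTool\tC:\\Users\\alice\\AppData\\Local\\Temp\\sync.exe",
    "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\tHelper\twscript.exe //B C:\\Users\\alice\\AppData\\Roaming\\helper.vbs",
])

# Script interpreters and proxy-execution binaries: legitimate software rarely
# registers these directly as logon entries on a managed workstation.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "cmd.exe"}
# Switches that hide the window, skip profile/policy, or carry an encoded payload.
EVASION_FLAGS = re.compile(
    r"-(?:enc\w*|w(?:indowstyle)?\s+hidden|nop\w*|(?:ep|executionpolicy)\s+bypass)\b", re.I)
# User-writable locations where a logon entry should not normally live.
USER_WRITABLE = re.compile(r"\\(?:appdata|temp|tmp|users\\public|downloads)\\", re.I)
# First executable/script token of a command line, quoted or not.
EXE_RE = re.compile(r'^\s*"?(.+?\.(?:exe|com|bat|cmd|vbs|js|ps1|hta))\b"?', re.I)


def parse_export(text: str) -> List[Dict[str, str]]:
    """Turn tab-separated export lines into {key, name, data} dicts."""
    entries = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("\t")]
        if len(parts) == 3 and all(parts):
            entries.append(dict(zip(("key", "name", "data"), parts)))
    return entries


def first_token(command: str) -> str:
    """Lower-case basename of the program a command line launches."""
    match = EXE_RE.match(command)
    exe = match.group(1) if match else command.split(" ", 1)[0]
    return exe.rsplit("\\", 1)[-1].lower()


def assess(entry: Dict[str, str]) -> Dict[str, object]:
    """Score one autorun entry; a higher score means more reasons to review it."""
    data, reasons, score = entry["data"], [], 0
    if first_token(data) in SCRIPT_HOSTS:
        reasons.append("script or proxy-execution host registered at logon")
        score += 2
    if EVASION_FLAGS.search(data):
        reasons.append("hidden-window / encoded-command / policy-bypass switches")
        score += 2
    if USER_WRITABLE.search(data):
        reasons.append("program or script in a user-writable location")
        score += 1
    if reasons and entry["key"].upper().startswith("HKCU"):
        # Context for the analyst; does not change the score on its own.
        reasons.append("per-user key: writable without admin rights")
    severity = "high" if score >= 3 else "medium" if score else "none"
    return {**entry, "score": score, "severity": severity, "reasons": reasons}


def triage(export_text: str) -> List[Dict[str, object]]:
    """Return only flagged entries, most suspicious first."""
    flagged = [a for a in map(assess, parse_export(export_text)) if a["score"]]
    return sorted(flagged, key=lambda a: a["score"], reverse=True)


if __name__ == "__main__":
    for f in triage(SAMPLE_EXPORT):
        print(f"[{f['severity']}] {f['key']}\\{f['name']} -> {f['data']}")
        for r in f["reasons"]:
            print("    -", r)
```

On the constructed sample, the two entries that launch script hosts are reported as high, the plain executable in a Temp directory as medium, and the two vendor entries under HKLM are not reported at all. The scoring is deliberately coarse: it is meant to rank what an analyst looks at first, not to replace the behavioural and ML-based detection the post describes.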
Endpoint Hygiene / Proactive Endpoint Hardening
While not always top of mind when we discuss endpoint security, one of the most important things any organization can do is maintain good IT hygiene on their endpoints. This very task is in fact the starting point for threat prevention, and it is becoming a key component of some endpoint security solutions.
Proactive and continuous endpoint security state assessments provide configuration details to spot security and vulnerability problems before they become a breach. Endpoint security suites are beginning to treat proactive endpoint monitoring and hardening functions on the same level as threat monitoring and prevention, and are offering functions for both.
Endpoint hardening specifically refers to actions taken to ensure security configurations and controls on endpoint devices comply with stated corporate policies, and that known unpatched vulnerabilities on each endpoint are highlighted and addressed in priority order. Additionally, hardening can refer to the exclusion of banned applications, identification of unmanaged assets on the network, and restriction to or limiting of particular OS services.
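The hygiene functions listed above (policy compliance of security settings, prioritized unpatched vulnerabilities, banned applications, unmanaged assets) can be expressed as a simple posture assessment over agent inventory data. The following is an added example written for this post, not Ziften's code or any product's API. The policy baseline, the endpoint states, the patch identifiers and the list of hosts observed on the network are all constructed placeholders; the severity weights and the risk ordering of patches (actively exploited first, then CVSS, then age) are assumptions chosen for illustration.

```python
from typing import Any, Dict, List, Set

# Constructed baseline for illustration only; real values come from the
# organization's own standards, not from this script.
POLICY: Dict[str, Any] = {
    "required": {"disk_encryption": True, "host_firewall": True, "smbv1_enabled": False},
    "screen_lock_minutes_max": 15,
    "banned_apps": {"uTorrent", "TeamViewer"},
    "patch_sla_days": 30,
}
# Points deducted from a 100-point hygiene score per finding (assumed weights).
WEIGHT = {"high": 25, "medium": 10, "low": 3}

# Constructed endpoint states in the shape an agent inventory might report.
# Patch ids are placeholders, not real advisories.
ENDPOINTS: List[Dict[str, Any]] = [
    {"host": "WS-001",
     "settings": {"disk_encryption": True, "host_firewall": True, "smbv1_enabled": False, "screen_lock_minutes": 10},
     "apps": ["Chrome", "Slack"], "missing_patches": []},
    {"host": "WS-002",
     "settings": {"disk_encryption": False, "host_firewall": True, "smbv1_enabled": True, "screen_lock_minutes": 60},
     "apps": ["Chrome", "uTorrent"],
     "missing_patches": [{"id": "PATCH-PLACEHOLDER-1", "cvss": 9.8, "age_days": 45, "exploited": True},
                         {"id": "PATCH-PLACEHOLDER-2", "cvss": 5.3, "age_days": 10, "exploited": False}]},
    {"host": "SRV-010",
     "settings": {"disk_encryption": True, "host_firewall": True, "smbv1_enabled": False, "screen_lock_minutes": 5},
     "apps": ["nginx"],
     "missing_patches": [{"id": "PATCH-PLACEHOLDER-3", "cvss": 7.5, "age_days": 40, "exploited": False},
                         {"id": "PATCH-PLACEHOLDER-4", "cvss": 9.1, "age_days": 5, "exploited": False}]},
]
# Constructed set of hostnames seen on the network (DHCP/ARP style) used to
# spot devices that report no agent inventory.
OBSERVED_ON_NETWORK: Set[str] = {"WS-001", "WS-002", "SRV-010", "PRINTER-7", "WS-077"}


def check_settings(ep: Dict[str, Any]) -> List[Dict[str, str]]:
    """Compare reported security settings with the required baseline."""
    s, findings = ep["settings"], []
    for key, wanted in POLICY["required"].items():
        if s.get(key) != wanted:
            sev = "high" if key in ("disk_encryption", "smbv1_enabled") else "medium"
            findings.append({"severity": sev, "item": f"{key}={s.get(key)}, policy requires {wanted}"})
    lock = s.get("screen_lock_minutes")
    if lock is None or lock > POLICY["screen_lock_minutes_max"]:
        findings.append({"severity": "medium",
                         "item": f"screen lock {lock} min exceeds {POLICY['screen_lock_minutes_max']}"})
    return findings


def check_apps(ep: Dict[str, Any]) -> List[Dict[str, str]]:
    """Flag installed applications the policy bans."""
    return [{"severity": "medium", "item": f"banned application installed: {app}"}
            for app in ep["apps"] if app in POLICY["banned_apps"]]


def prioritize_patches(missing: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Order missing patches by risk: actively exploited first, then CVSS, then age."""
    return sorted(missing, key=lambda p: (not p["exploited"], -p["cvss"], -p["age_days"]))


def check_patches(ep: Dict[str, Any]) -> List[Dict[str, str]]:
    """Rate each missing patch against the patch SLA and its risk."""
    findings = []
    for p in prioritize_patches(ep["missing_patches"]):
        overdue = p["age_days"] > POLICY["patch_sla_days"]
        if overdue and (p["exploited"] or p["cvss"] >= 7.0):
            sev = "high"
        elif overdue:
            sev = "medium"
        else:
            sev = "low"  # still inside the SLA window
        findings.append({"severity": sev,
                         "item": f"missing {p['id']} (CVSS {p['cvss']}, {p['age_days']} days old)"})
    return findings


def assess_endpoint(ep: Dict[str, Any]) -> Dict[str, Any]:
    """Hygiene score, findings and the order in which to apply patches."""
    findings = check_settings(ep) + check_apps(ep) + check_patches(ep)
    score = max(0, 100 - sum(WEIGHT[f["severity"]] for f in findings))
    return {"host": ep["host"], "score": score, "findings": findings,
            "patch_order": [p["id"] for p in prioritize_patches(ep["missing_patches"])]}


def unmanaged_assets(observed: Set[str], endpoints: List[Dict[str, Any]]) -> Set[str]:
    """Hosts seen on the network that have no agent inventory."""
    return observed - {ep["host"] for ep in endpoints}


def fleet_report(endpoints: List[Dict[str, Any]], observed: Set[str]) -> Dict[str, Any]:
    """Per-host results worst first, plus the unmanaged asset list."""
    hosts = sorted((assess_endpoint(ep) for ep in endpoints), key=lambda r: r["score"])
    return {"hosts": hosts, "unmanaged": sorted(unmanaged_assets(observed, endpoints))}


if __name__ == "__main__":
    report = fleet_report(ENDPOINTS, OBSERVED_ON_NETWORK)
    for h in report["hosts"]:
        print(f"{h['host']}: score {h['score']}, patch order {h['patch_order']}")
        for f in h["findings"]:
            print(f"  [{f['severity']}] {f['item']}")
    print("unmanaged:", report["unmanaged"])
```

The report puts the worst host first and lists each host's patches in the order they should be applied, which is the "priority order" the paragraph calls for; the two network-only hosts show up as unmanaged assets. Continuous assessment simply means running this comparison on every inventory update rather than once.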
Focus on Simplicity
Perhaps this should have been the first trend on this list. The easier endpoint security tools are to use and maintain, the more likely it is that organizations will derive the full value the tools have to offer. For the most part, companies prioritize preventive actions over sophisticated response or forensic investigation capabilities. But we all recognize the need for a balance between prevention and detection and response skills. Thus, the following items are becoming increasingly important in simplifying endpoint security tools.
Single agent tools
– We previously discussed this point, but a single agent for multiple functions greatly eases the burden on already overworked security teams.
Cloud-based endpoint security
– Again, we already discussed this, but not only are cloud-delivered security solutions typically less expensive, they are also much simpler from a deployment and maintenance perspective.
Automation of common IR tasks
– It is well known that most security teams are responding to too many incidents. To ease this workload, endpoint security vendors are focused on automating incident response and remediation actions, or at least providing detailed workflow guidance.
Usability
– Usability is hard to define, but the lack of it is easily recognized, and CISOs and their organizations are making this single item one of their most important criteria in purchasing decisions, if not the most important criterion.
At the end of the day, CISOs are faced with a need to improve SOC operator productivity and to lower the prerequisite skills and knowledge required for security administrators to respond to incidents and alerts. That places a lot of weight on the value of simpler, more automated solutions that are easier to deploy, manage, and maintain.
Endpoint Security for Servers and Cloud
Endpoint security isn’t just for endpoints. As EDR and endpoint security become more synonymous, expect to hear more about endpoint security delivering on the unique demands of cloud workload protection. Much of the focus of EDR has been on end-user client devices, or what most think of when they hear the term “endpoints”. But the same need exists for on-premises Windows and Linux servers, and for virtual and container workloads in private or public cloud environments. Common endpoint security solutions across all of these “endpoints” are starting to appear and will become more universal.
Endpoint Security as a Business Conversation
Endpoint security is more than a technology, a tool, a product suite, or a solution – for CISOs and CIOs it is a necessary business conversation. These security executives have to be able to answer some key questions for all of their internal and external constituents. Specifically, questions such as:
- How are we doing? Are the endpoint security policies and controls we’ve implemented working? How are we demonstrating / measuring this over time? Are these controls actually implemented? And how is our security posture compared with our industry peers?
- What should we do to improve? How do we improve our security posture? What are the highest priority next steps we should take – because we can’t do everything? Should our posture drop or worsen, how should we best respond?
- How do we do it? Should improvements or responses be necessary, what resources will be needed, what best practice guidance is available, and what automation is in place? How well prepared are we to respond with the people and skill sets we have available?
Having regular answers to these questions at their fingertips is a job requirement for security executives just like other functional executives in the organization have to answer their own set of questions.
So, let me reiterate my initial statement – do the following 3 things to help protect all your endpoints:
- 1. Deploy multi-factor authentication.
- 2. Conduct regular end-user security awareness training.
- 3. Deploy endpoint security providing visibility, posture hardening, and protection.
If you’re doing these things, you’re following best practices in my opinion.
And if you’d like to learn more about Ziften endpoint security, check us out at: https://ziften.com.