2019 Endpoint Guide: Threats, Security, Management, and ProtectionWith the current rise of endpoint devices, your organization is more susceptible to threats and cyberattacks. By: Secureworks
In the digital age, more and more employees work from remote locations. Whether you hire freelancers, offer work-from-home days, or allow people to work on the road, employees need to collaborate with their coworkers through email and phone calls, and attend meetings with video conference capabilities. However, many workers need to connect to your corporate network in order to access shared data and files.
Endpoint devices allow employees to remotely communicate and connect with your networks. Endpoint devices include:
Endpoints are one of the biggest targets for cyber criminals because these remote devices are especially vulnerable to various attacks. Criminals often attempt to use endpoint devices as entry points to access corporate networks and steal data, leverage existing software vulnerabilities, or hold information hostage. Learn more about endpoint devices, the possible threats, and today's most effective practices to detect, respond, and protect your endpoints from these threats.
Endpoint Management and Threats
Two of the biggest endpoint threats are phishing and ransomware attacks. According to the Secureworks® 2018 Incident Response Insights Report, email compromise and ransomware were the most prevalent threats.
Download full Incident Response Insight Report 2018 – Risk, Remedies, and Best Practices for Defending Against Cyber Threats.
Users can fall victim to an attack from opening seemingly harmless emails or web links. Drive-by download attacks can even compromise an endpoint when a user browses to a website without ever clicking on anything. However, cyber criminals bait users and, once they bite, they have an entry point to an organization's network.
Advanced Endpoint Threat Prevention is managed Next-Generation Antivirus, which helps organizations implement more effective and modern threat prevention tools. Businesses used to only need traditional antivirus software to protect their endpoints, but threat actors are now much more advanced.
According to a Ponemon Institute report surveying hundreds of IT security professionals, 63% thought companies could not monitor their off-network endpoints and 56% lacked a cohesive compliance strategy. Also, 50% of companies required 35+ full-time employees just to manage endpoints and an average of 425 hours are wasted every week investigating false security alerts. Efficient detection and protection is a must to protect your organization and potentially save millions in staff hours every year. Supplementing your staff with experts can also help you move to newer technologies faster.
Remote Endpoint Host Service and Security
Endpoint security providers can remotely monitor your organization and gain a complete view of your endpoint activity to effectively monitor threats. When users attempt to login to the enterprise's network, user credentials must be approved from the endpoint security system. The endpoint devices are scanned and analyzed to make sure they meet the corporate security policies.
This is similar to a guard stopping a contagious individual from entering a room full of people. If the guard recognizes someone is sick, he prevents the infectious person from possibly spreading disease to the others, i.e., spreading malware to the rest of your organization.
Endpoint Security Software
Endpoint security software should be installed on every endpoint device and your company's critical servers. The software looks for known and unknown malware, tools used by threat actors and other potential threats. Signature-based protection looks for known threats, like a virus or trojan, while behavior-based protection looks for suspicious activity that may or may not leverage malware. Security administrators can use software to restrict access to websites for individual users if there are potential security risks and threats, but even well-known websites that are considered to be reputable have been compromised so this is only marginally effective.
Endpoint security software applications include:
- Virtual Private Network (VPN) access control
- Antivirus (AV) or Next-Generation Antivirus (NGAV)
- Personal firewall
- Application control
Endpoint Security: Detection and Response
Endpoint security aims to secure each endpoint device in order to protect your organization. Threat actors employ advanced and evasive techniques to compromise endpoint devices and access your sensitive information so prevention alone is not enough. Effective endpoint security solutions involve monitoring and protecting your organization to help halt phishing, malware, ransomware, and other endpoint threats.
Endpoint security products use application control, device control, anti-malware, vulnerability patching, and other strategies to detect and eliminate cyber threats. 24/7 monitoring is essential to detect malicious activity and protect enterprise endpoints. Since constant and consistent monitoring is required, automated threat detection is essential to lower costs and protect devices. In 2017, the global average cost for a data breach was $3.62 million; in the United States, the average cost was $7.35 million.
Endpoint Protection Platforms
Endpoint protection platforms are a combination of endpoint security products, either managed by experts on your security team or by a third party.
Endpoint protection, sometimes called endpoint threat prevention, includes technology like AV and NGAV, which are focused on identifying threats and either blocking or quarantining them. This is necessary technology that reduces the threats that reach your organization, but all an attacker needs is one gap to get past these solutions. With over 350,000 new malicious programs or potentially unwanted applications registered each day by the AV-Test Institute it is impossible for any prevention technology alone to keep up.
Endpoint Detection and Response (EDR)
Endpoint detection and response helps find threats that slip past AV or NGAV. If managed by an MSSP, EDR may include actionable remediation recommendations. EDR tools and solutions focus on providing the visibility you need to detect, investigate and mitigate potential threats.
While EDR technology helps illuminate blind spots, it requires trained security analysts to interpret the output and take action. For example, if an intruder breaks a window or picks a door lock, your home security system will ring an alarm, alerting you of the potentially dangerous situation. Someone must still validate the threat to ensure the alert wasn't just a raccoon tripping your security camera motion detectors. EDR provides the earliest possible warning that an endpoint device may have been compromised, but just like a great home security system you need experts to understand the data so you can respond appropriately and effectively.
Managed Security Service Providers (MSSPs) such as Secureworks offer EDR as a managed solution called Advanced Endpoint Threat Detection (AETD) for organizations who need help getting the most value from their technology.
This goes beyond surveillance and includes an analysis of threats and incident response recommendations. The fully-managed service also includes daily intelligence updates to keep up with new threats.
Monitored Server Protection
Servers are also susceptible to malware and targeted attacks. Though they are typically inside the protected corporate network, they are often a target due to their high concentration of enticing data. Threat actors often move laterally between compromised endpoints and servers to bypass other security controls. Monitored server protection facilitates compliance and visibility for your critical servers. Secureworks also includes EDR for your monitored Windows and Linux servers to help you identify more threats.
Advanced Endpoint Security Solution
Secureworks' proprietary endpoint solution provides behavior-based analytics that can be partnered with other endpoint security vendor products. Sensors from Secureworks or partner vendors are installed directly on your endpoint devices, providing the telemetry needed to help identify threats that may slip past other security controls. This visibility is critical to identify threats that may be lurking in your organization.
Secureworks leverages the telemetry gathered either via our sensor or a partner's EDR sensor and evaluates that data via our analytics engines that incorporate our threat intelligence. This combination of human intelligence and machine learning allow us to bubble up important alerts fast, so you don't waste time on false positives or low risk issues. Secureworks currently process 250 billion logs per day from our global client base. Greater than 99% of events of interest are automatically resolved by the Secureworks Counter Threat Platform™ (CTP). This then leaves less than 1% of the events to be manually analyzed. When Secureworks escalates a critical ticket, we strive to ensure they are meaningful, have embedded context and are immediately actionable.
The goal is to reduce the time to detect and effort to respond to cyber-attacks so your security team has more time for initiatives that help grow your business. The partner program is designed to foster cooperation between security vendors, leading to a more comprehensive view of threat activity, better context for validating and addressing threats, and ultimately providing more consistent results and better outcomes.