Endpoint protection: how not to get lost in a variety of products.
Guidelines for choosing a solution
Peeling back the endpoint security market. Why is endpoint security such a crowded market? Is it a complex cyber problem to solve?
Is Antivirus Dead?
About a decade ago, the statement “Antivirus is dead” started doing the rounds in cybersecurity circles and became a topic of much debate. A decade later we are living in a world where antivirus technology has evolved into a major segment of endpoint security, with components covering prevention, detection and response. Most vendors now refer to this as EDR (Endpoint Detection and Response).
Signature-based protection, which is just another way of referring to antivirus, still helps enterprises filter out known threats today, and known threats make up a substantial proportion of the threats most organizations face. It can do this job in real time, relieving the load on the other engines that use techniques beyond signatures to detect attacks.
Deciphering the crowded endpoint security market
Two decades ago when I started in cybersecurity, there were around three companies in the market that I could choose between for enterprise endpoint protection solutions. Fast forward to today and you can now count at least thirty-plus vendors that offer just endpoint protection, each claiming to offer the flavor-of-the-month three-letter acronym, be it EPP, EDR, XDR or the like.
The IT landscape has changed dramatically in the last decade. Hybrid working makes the endpoint the biggest attack vector, one that at times sits outside every corporate security boundary. The explosion of devices, from desktops to mobiles running new operating systems, made traditional endpoint defense strategies harder to execute. This created a very lucrative environment for startups, each believing it had the silver bullet for the industry's challenges. The problem is that cybersecurity is evolving at breakneck speed, whether from the point of view of the threat landscape or the economics. Threat actors constantly adopt new techniques to evade protection capabilities. On the financial side, it is extremely hard for a dedicated cybersecurity solutions provider to survive in the market unless it has a solid customer base to upsell and cross-sell to, all while adding new customers.
The one loser in either scenario is the organization that chooses to deploy a solution from such a company, thinking it would be the “silver bullet” for all its cybersecurity woes. As new tech buzzwords do the rounds, those that chase the “new shiny object” end up with a considerable number of disjointed, and often redundant, solutions in their environment. I have seen enterprises running four to five agents just to cater for their endpoint protection requirements, each bought at a separate time for a unique use case.
The impact of this is felt both at the endpoint, in terms of a poor user experience, and in the SOC (Security Operations Center), where analysts end up with multiple consoles holding disparate information. More time spent trying to piece all the information together means less time spent where it really matters: monitoring detections, doing threat analysis, finding gaps, and continuously fine-tuning the environment.
Endpoint alerts are a goldmine for the SOC
The endpoint has become a critical control for organizations now that a hybrid workforce is the norm. It is where humans interact directly with systems, and where a threat shows its full capability. There was a time when an antivirus solution was under the authority of the desktop team; it was all about installing and updating those DATs, which was an operational task only. With little traffic encrypted, most detection happened at the firewall, IPS or web level.
But today, endpoint security alerts are the focus for cybersecurity and SOC teams. With increasingly encrypted traffic, we are seeing a tremendous uptick in the number of threats reaching the endpoints, and these generate an exponential number of alerts from sensors. A threat showing up at the endpoint means it has bypassed the IPS, firewall, web and email security controls at some level. Every threat at the endpoint needs to be carefully analyzed by the SOC to help the security team improve the network and content controls in place.
Alerts that the security technology handled successfully should still be analyzed. A detected scanner or credential-related tool may not rate as a high-severity alert on its own once it is blocked, but it can be one step in a long-term targeted campaign that eventually reaches its goal if nobody follows up. Most advanced attacks leave indicators for months, using common tools to gather key organizational information before the final payload is detonated. A trusted SOC is key to an organization recognizing an attack early in its life cycle, and endpoint alerts are a critical feed.
With the shortage of cybersecurity talent on the rise, we will see increased adoption of AI, not only to improve detections in the backend but also to help analysts focus on the key tasks. Integrating the analyst interface with an AI natural-language model such as ChatGPT will greatly improve SOC efficiency in the future.
Selecting the right provider
There are a few key criteria when selecting a security solution provider. I have come across organizations that choose vendors based purely on an analyst recommendation or comparison tests. Every business is different, and the choice of vendor should be based on your business and use cases, not on a global analysis or test results. If an analyst rates a vendor highly on cloud and multi-tenancy, and that is not applicable to your organization, the report does not serve its purpose. It is critical to read the fine print of analyst reports and third-party test results to understand whether they apply to your organization. It is normally good practice to sign up with a vendor for whom the solution you are seeking is part of its core portfolio and makes up a considerable part of its overall revenue; such vendors will have full executive sponsorship behind that organizational goal. Include in your checklist a confirmation that the vendor under consideration has had an active, direct presence in your market for a long time, so it can support your business quickly and effectively. The presence of a managed service ecosystem, which many businesses look for these days, should also be part of the evaluation where applicable. The vendor you choose should have a strong research arm, with enough capacity to detect attacks and vulnerabilities early, and those detections should feed into its technology. Public-private collaboration between the vendor's research team and law enforcement and intelligence organizations is key to producing actionable intelligence that takes out cybercriminals at the root. Customers using the technology should be able to tap into the research team to enrich their threat data and respond to incidents earlier in the threat cycle.
What does a good endpoint security platform look like?
Having had a front row seat to the endpoint security market evolution over the last two decades, my one takeaway is that there is no set-and-forget approach to endpoint security. A “good enough” endpoint security approach is as good as no security at all against the enterprise threat landscape. To build a robust endpoint security defense, I would suggest you take a modular approach, which at a high level includes:
● Prevention sensors, which can prevent known malicious files in real time by using signatures, access protection policies, exploit prevention content, memory protection, file reputation and any other technique that can take action on the fly.
● Advanced prevention sensors, which can do advanced inspection – using artificial intelligence, sandbox integration, script analysis, etc. – and improve their learning over time. Some of this might not be in real time, particularly if the threat is being seen in the environment for the first time. However, the sensors add protection, without user intervention, as soon as the engine realizes the threat is malicious, usually within seconds. Any learnings are also shared across the sensors, empowering them to block the threat in real time the next time it is seen in the environment.
● Advanced detection sensors, which are used by SOC teams to focus on strategic defence. The industry calls this EDR. SOC teams use these sensors to gather, summarize, and visualize evidence on demand or on a schedule. Since the data in play is on a much larger scale here, AI and cloud are used extensively in its implementation. In short, these sensors are extremely useful while an attack is in its active stage.
● Forensics sensors, which are used by the IR (Incident Response) team during a managed defense program to constantly analyze live memory and attacker behavior (tactics, techniques, and procedures), through a combination of scheduled and automated methods.
These sensors are also highly effective for evidence collection in post-incident analysis. All of these sensors should be backed by strong threat intelligence, staying ahead of the evolving threat landscape to expose and reduce attack surfaces. If your business spans physical, virtual and cloud environments, it is key that the vendor of choice provides a hybrid deployment and management architecture. Security vendors should not force you to change your business model; rather, they should adapt to yours. Having multiple vendors for different services will not provide the shared intelligence and unified experience described throughout this document. As is clear by now, each of these sensors has its own purpose, but the terms have been used interchangeably, creating confusion in the market. It is important to note that the sensors should be able to talk to each other and share and report information. Operating them as silos defeats the whole goal. You may have noticed that we did not even touch on XDR here; we covered just one branch of XDR, which shows the scale of an XDR platform. The endpoint platform should be based on an open architecture that enables it to integrate easily and bidirectionally with the XDR platform. XDR provides wider intelligence to your other security investments, whether in network, email, cloud or the SOC. It should also provide automated responses wherever possible, with minimal user intervention.