Join top executives in San Francisco on July 11-12, to hear how leaders are integrating and optimizing AI investments for success. Learn More
One of the main reasons companies keep being breached is that they don’t know how many endpoints are on their networks and what condition those endpoints are in. CISOs tell VentureBeat that unifying endpoint security and identities will help to reduce the number of unknown endpoints and harden identity management against future attacks. But most organizations are still flying blind in terms of knowing the current state of every network endpoint.
Cybercriminal gangs, advanced persistent threat (APT) groups and other cyberattackers know that most organizations have an imprecise count of their endpoints. These groups are also very aware of the wide gap between endpoint security and identity protection. They use ChatGPT and other generative AI tools to fine-tune their tradecraft and launch attacks.
Sixty percent of enterprises are aware of less than 75% of the endpoint devices on their network. Only 58% can identify every attacked or vulnerable asset on their network within 24 hours of an attack or exploit. It’s a digital pandemic no one wants to talk about because everyone knows an organization and team that’s been burned by not knowing about every endpoint. It’s also common to find organizations that are failing to track up to 40% of their endpoints.
Endpoints need to deliver greater resilience to prove their value
CISOs and CIOs tell VentureBeat that with revenue falling short of forecasts, cybersecurity budgets have come under increased scrutiny. New sales cycles are taking longer, existing customers are asking for price breaks and extended terms, and it’s proving to be a challenging year for finding new enterprise customers, according to CISOs VentureBeat interviewed across the financial services, insurance and manufacturing sectors.
Join us in San Francisco on July 11-12, where top executives will share how they have integrated and optimized AI investments for success and avoided common pitfalls.
“To maximize ROI in the face of budget cuts, CISOs will need to demonstrate investment into proactive tools and capabilities that continuously improve their cyber-resilience,” said Marcus Fowler, CEO of AI cybersecurity company Darktrace.
Boston Consulting Group (BCG) wrote in its recent article As Budgets Get Tighter, Cybersecurity Must Get Smarter that “CISOs will be pressed to explore increased training, process improvements, and shifts in corporate culture to improve their security postures without expanding their budgets.”
BCG also reported that 78% of advanced firms regularly measure the ROI of their cyber-operation improvements. Consolidation is a high priority, as VentureBeat has discovered in the many interviews it has with CISOs. The BCG study found that firewalls, user authentication and access management, and endpoint protection platforms are among the most common areas where CISOs seek to consolidate spending. In short, for endpoint security platforms to keep their place in budgets, they must deliver greater resilience.
“When we’re talking to organizations, what we hear a lot of is: How can we continue to increase resiliency, increase the way we’re protecting ourselves, even in the face of potentially either lower headcount or tight budgets? And so it makes what we do around cyber-resiliency even more important,” said Christy Wyatt, president and CEO of Absolute Software, in a BNN Bloomberg interview. “One of the unique things we do is help people reinstall or repair their cybersecurity assets or other cybersecurity applications. So a quote from one of my customers was: It’s like having another IT person in the building.”
The Top 10 endpoint security challenges — and potential solutions
Improving any organization’s endpoint security posture management demands a focus on consolidation. As the BCG study illustrates, CISOs are under significant pressure to consolidate their endpoint protection platforms. Look for the leading providers of endpoint protection platforms (EPPs), endpoint detection and response (EDR) and extended detection and response (XDR) to either acquire more complementary technologies or fast-track development internally to drive more consolidation-driven sales. Among these providers are Absolute Software, BitDefender, CrowdStrike, Cisco, ESET, FireEye, Fortinet, F-Secure, Ivanti, Microsoft, McAfee, Palo Alto Networks, Sophos and Zscaler.
The top 10 challenges that will define their M&A, DevOps and technology partnership strategies are the following:
1. Not having enough real-time telemetry data to extend endpoint lifecycles and identify intrusions and breaches
Real-time telemetry data from endpoints is table stakes for a successful endpoint security strategy that can to identify an intrusion or breach in progress. It’s also invaluable for identifying the hardware and software configuration of every endpoint, to every level — file, process, registry, network connection and device data.
Absolute Software, BitDefender, CrowdStrike, Cisco, Ivanti, and Microsoft Defender for Endpoint, which secures endpoint data in Microsoft Azure, as well as other leading vendors capture real-time telemetry data and use it to derive endpoint analytics.
CrowdStrike, ThreatConnect, Deep Instinct and Orca Security use real-time telemetry data to calculate indicators of attack (IOAs) and indicators of compromise (IOCs). IOAs focus on detecting an attacker’s intent and identifying their goals, regardless of the malware or exploit used in an attack. Complementing IOAs are indicators of compromise (IOC) that provide forensics to prove a network breach.
IOAs must be automated to provide accurate, real-time data in order to understand attackers’ intent and stop intrusion attempts. CrowdStrike was the first to launch AI-powered IOAs that capitalize on real-time telemetry data to protect endpoints. The company says AI-powered IOAs work asynchronously with sensor-based machine learning and other sensor defense layers.
2. Overconfigured, overloaded endpoints — a breach waiting to happen
CISOs tell VentureBeat it’s common for endpoints to have several, sometimes over a dozen, endpoint agents installed. Often as one CISO leaves and another is hired, one of their first actions is installing their preferred endpoint system. Memory conflicts, faults and performance drains are common. Absolute’s 2023 Resilience Index found that the typical enterprise’s endpoint devices have over 11 security apps installed, with an average of 2.5 apps for endpoint management alone, followed by antivirus/anti-malware (2.1 apps on average) and encryption (1.6 apps). CISOs tell VentureBeat that overloading endpoints is a common problem, often brought on when new security teams and managers are coming in.
What makes this one of the most challenging problems to solve is that endpoints are so overbuilt with prerequisite software for each client. CISOs advocate thoroughly auditing the master images for each endpoint type or category and then consolidating them down to the bare minimum of agents. This helps reduce costs and improves efficacy, visibility and control.
3. Relying on legacy patch management systems that force device inventories
CISOs say their teams are already stretched thin keeping networks, systems and virtual employees secure. They often run out of time before patches need to be installed. Seventy-one percent of IT and security professionals find patching too complicated and time-consuming, and 53% spend most of their time organizing and prioritizing critical vulnerabilities.
VentureBeat has learned through previous CISO and CIO interviews that taking a data-driven approach can help. Another innovation that several vendors are using to tackle this problem is artificial intelligence (AI) and machine learning (ML).
Ivanti’s State of Security Preparedness 2023 Report found that 61% of the time, an external event, intrusion attempt or breach reinitiates patch management efforts. Though organizations are racing to defend against cyberattacks, the industry still has a reactive, checklist mentality.
“With more than 160,000 vulnerabilities currently identified, it is no wonder that IT and security professionals overwhelmingly find patching overly complex and time-consuming,” Dr. Srinivas Mukkamala, chief product officer at Ivanti, told VentureBeat during a recent interview. “This is why organizations must utilize AI solutions … to assist teams in prioritizing, validating and applying patches. The future of security is offloading mundane and repetitive tasks suited for a machine to AI copilots so that IT and security teams can focus on strategic initiatives for the business.”
Leaders in this area include Automox, Ivanti Neurons for Patch Intelligence, Kaseya, ManageEngine and Tanium.
4. Keeping BYOD asset configurations current and in compliance
Keeping corporate-owned device configurations current and compliant takes the majority of time security teams can devote to endpoint asset management. Teams often don’t get to BYOD endpoints, and IT departments’ policies on employees’ own devices are sometimes too broad to be valuable. Endpoint protection platforms need to streamline and automate workflows for configuring and deploying corporate and BYOD endpoint devices.
Leading endpoint platforms that can do this today at scale and have delivered their solutions to enterprises include CrowdStrike Falcon, Ivanti Neurons and Microsoft Defender for Endpoint, which correlates threat data from emails, endpoints, identities and applications.
5. Implementing a targeted UEM strategy to block attacks aimed at senior management over their mobile devices
Whale phishing is the latest form of cyberattack, affecting thousands of C-suites. Ivanti’s State of Security Preparedness 2023 Report found that executives are four times more likely to become phishing victims than employees are. Nearly one in three CEOs and members of senior management have fallen victim to phishing scams, either by clicking on a link or sending money.
Adopting a unified endpoint management (UEM) platform is essential for protecting every mobile device. Advanced UEM platforms can automate configuration management and ensure corporate compliance to reduce breach risk.
CISOs want UEM platform providers to consolidate and offer more value at lower cost. Gartner’s latest Magic Quadrant for Unified Endpoint Management Tools reflects CISOs’ impact on the product strategies at IBM, Ivanti, ManageEngine, Matrix42, Microsoft, VMWare, Blackberry, Citrix and others.
6. Too many IT, security and contractor team members with admin access to endpoints, applications and systems
Starting at the source, CISOs need to audit access privileges and identify former employees, contractors and vendors who still have admin privileges defined in Active Directory, identity and access management (IAM) and privileged access management (PAM) systems. All identity-related activity should be audited and tracked to close trust gaps and reduce the threat of insider attacks. Unnecessary access privileges, such as those of expired accounts, must be eliminated.
Kapil Raina, vice president of zero-trust marketing at CrowdStrike, told VentureBeat that it’s a good idea to “audit and identify all credentials (human and machine) to identify attack paths, such as from shadow admin privileges, and either automatically or manually adjust privileges.”
7. The many identities that define an endpoint need more effective key and digital certificate management
Every machine in a network requires a unique identity so administrators can manage and secure machine-to-machine connections and communications. But endpoints are increasingly taking on more identities, making it a challenge to secure each identity and the endpoint simultaneously.
That’s why more focus is needed on key and digital certificate management. Digital identities are assigned via SSL, SSH keys, code-signing certificates, TLS or authentication tokens. Cyberattackers target SSH keys, bypassing code-signed certificates or compromising SSL and TLS certificates.
Security teams’ objective is to ensure every identity’s accuracy, integrity and reliability. Leading providers in this area include CheckPoint, Delinea, Fortinet, IBM Security, Ivanti, Keyfactor, Microsoft Security, Venafi and Zscaler.
8. Unreliable endpoint systems that break easily, send too many false positives and take hours to fix
CISOs tell VentureBeat that this is the most challenging problem to solve — endpoints that can’t reset themselves after a reconfiguration or, worse, require manual workarounds that take an inordinate amount of resources to manage.
Replacing legacy endpoint systems with self-healing endpoints helps reduce software agent sprawl. By definition, a self-healing endpoint will shut itself down and validate its core components, starting with its OS. Next, the endpoint will perform patch versioning, then reset itself to an optimized configuration without human intervention.
Absolute Software provides an undeletable digital tether to every PC-based endpoint to monitor and validate real-time data requests and transactions. Akamai, Ivanti, Malwarebytes, Microsoft, SentinelOne, Tanium and Trend Micro are leading providers of self-healing endpoints. Absolute’s Resilience platform is noteworthy for providing real-time visibility and control of any device, whether it’s on the network or not.
9. Relying on a set of standalone tools to close endpoint gaps or get a 360-degree view of threats
Normalizing reports across standalone tools is difficult, time-consuming and expensive. It requires SOC teams to manually correlate threats across endpoints and identities. Seeing all activity on one screen isn’t possible because tools use different alerts, data structures, reporting formats and variables.
Mukkamala’s vision of managing every user profile and client device from a single pane of glass is shared by the CISOs VentureBeat interviewed for this article.
10. Closing the gaps in identity-based endpoint security with multifactor authentication (MFA) and passwordless technologies
To get MFA buy-in from employees across the company, CISOs and security teams should start by designing it into workflows and minimizing its impact on user experiences. Teams also need to stay current on passwordless technologies, which will eventually alleviate the need for MFA, delivering a streamlined user experience.
Leading passwordless authentication providers include Microsoft Azure Active Directory (Azure AD), OneLogin Workforce Identity, Thales SafeNet Trusted Access and Windows Hello for Business.
Enforcing identity management on mobile devices has become a core requirement as more workforces stay virtual. Of the solutions in this area, Ivanti’s Zero Sign-On (ZSO) is the only one that combines passwordless authentication, zero trust and a streamlined user experience on its unified endpoint management (UEM) platform.
Ivanti’s solution is designed to support biometrics (Apple’s Face ID) as the secondary authentication factor for accessing personal and shared corporate accounts, data and systems. Ivanti ZSO eliminates the need for passwords by using FIDO2 authentication protocols. It can be configured on any mobile device and doesn’t need another agent to stay current, CISOs tell VentureBeat.
With AI-driven breaches, the future is now
Attackers are sharpening their tradecraft to exploit unprotected endpoints, capitalize on gaps between endpoints and unprotected identities and go whale phishing more than ever before. Security and IT teams must take on the challenges of improving endpoint security in response. AI and machine learning are revolutionizing endpoint security, and the 10 challenges briefly discussed in this article are driving new product development across many cybersecurity startups and leading vendors.
Every organization needs to take these steps to protect itself from attackers who are already using generative AI, ChatGPT and advanced, multifaceted attacks to steal identities and privileged access credentials and breach endpoints undetected.