Were you unable to attend Transform 2022? Check out all of the summit sessions in our on-demand library now! Watch here.
Most organizations are behind on hardening their endpoints with zero trust, enabling cyberattackers to use malicious scripts and PowerShell attacks to bypass endpoint security controls. The problem is becoming so severe that on May 17, the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert titled, “Weak Security Controls and Practices Routinely Exploited for Initial Access” (AA22-137A).
The alert warns organizations to guard against poor endpoint detection and response, as cyberattacks are getting harder to detect and protect against. According to a recent survey from Tanium, for example, 55% of cybersecurity and risk management professionals estimate that more than 75% of endpoint attacks can’t be stopped with their current systems.
Why endpoints lack zero trust
Cyberattackers are adept at finding gaps in endpoints, hybrid cloud configurations, infrastructure and the APIs supporting them. Dark Reading’s 2022 survey, “How Enterprises Plan to Address Endpoint Security Threats in a Post-Pandemic World,” found that a large majority of enterprises, 67%, changed their endpoint security strategy to protect virtual workforces, while almost a third (29%) aren’t keeping their endpoints current with patch management and agent updates.
Dark Reading’s survey also found that while 36% of enterprises have some endpoint controls, very few have complete endpoint visibility and control of every device and identity. As a result, IT departments cannot identify the location or status of up to 40% of their endpoints at any given time, as Jim Wachhaus, attack surface protection evangelist at CyCognito, told VentureBeat in a recent interview.
MetaBeat will bring together thought leaders to give guidance on how metaverse technology will transform the way all industries communicate and do business on October 4 in San Francisco, CA.
Enterprises are also struggling to get zero-trust network access (ZTNA) implemented across all endpoints of their networks. Sixty-eight percent have needed to develop new security controls or practices to support zero trust, and 52% acknowledge that improved end-user training on new policies is needed. Enterprise IT teams are so overwhelmed with projects that getting security policies and controls in place for zero trust is challenging.
Endpoints become a liability when they’re behind on patch management
For example, according to Ivanti’s research, 71% of security and risk management professionals perceive patching as overly complex and time-consuming. In addition, 62% admit that they procrastinate on patch management, allowing it to be superseded by other projects. Supporting virtual teams and their decentralized workspaces makes patch management even more challenging, according to security and risk management professionals interviewed in Ivanti’s Patch Management Challenges Report. For example, the report found that cyberattackers could use gaps in patch management to weaponize SAP vulnerabilities in just 72 hours.
Ransomware attacks increase with patch update delays
Outdated approaches to patch management, such as an inventory-based approach, aren’t fast enough to keep up with threats, including those from ransomware.
“Ransomware is unlike any other security incident. It puts affected organizations on a countdown timer. Any delay in the decision-making process introduces additional risk,” Paul Furtado, VP analyst at Gartner, wrote in his recent report.
There has been a 7.6% jump in the number of vulnerabilities associated with ransomware in Q1 2022, compared to the end of 2021. Globally, vulnerabilities tied to ransomware have soared in two years from 57 to 310, according to Ivanti’s Q1 2022 Index Update. CrowdStrike’s 2022 Global Threat Report found ransomware jumped 82% in just a year.
Scripting attacks aimed at compromising endpoints continue to accelerate rapidly, reinforcing why CISOs and CIOs are prioritizing endpoint security this year.
Not getting patch management right jeopardizes IT infrastructure and zero-trust initiatives company-wide. Ivanti offers a noteworthy approach to reducing ransomware threats by automating patch management. Its Ivanti Neurons for Risk-Based Patch Management is taking a bot-based approach to identifying and tracking endpoints that need OS, application and critical patch updates. Other vendors offering automated patch management include BitDefender, F-Secure, Microsoft, Panda Security, and Tanium.
Too many endpoint agents are worse than none
It’s easy for IT and security departments to overload endpoints with too many agents. New CIOs and CISOs often have their favored endpoint protection and endpoint detection and response platforms — and often implement them within the first year on the job. Over time, endpoint agent sprawl introduces software conflicts that jeopardize IT infrastructure and tech stacks.
Absolute Software’s 2021 Endpoint Risk Report found endpoints have on average 11.7 security controls installed, each decaying at a different rate, creating multiple threat surfaces. The report also found that 52% of endpoints have three or more endpoint management clients installed, and 59% have at least one identity access management (IAM) client installed.
What endpoints need to provide
Securing endpoints and keeping patches current are table stakes for any zero-trust initiative. Choosing the right endpoint protection platform and support solutions reduces the risk of cyberattackers breaching your infrastructure. Consider the following factors when evaluating which endpoint protection platforms (EPPs) are the best fit for your current and future risk management needs.
Automating device configurations and deployments at scale across corporate-owned and BYOD assets
Keeping corporate-owned and bring-your-own-device (BYOD) endpoints in compliance with enterprise security standards is challenging for nearly every IT and security team today. For that reason, EPPs need to streamline and automate workflows for configuring and deploying corporate and BYOD endpoint devices. Leading platforms that can do this today at scale and have delivered their solutions to enterprises include CrowdStrike Falcon, Ivanti Neurons and Microsoft Defender for Endpoint, which correlate threat data from emails, endpoints, identities and applications.
Cloud-based endpoint protection platforms rely on APIs for integration
IT and security teams need endpoint protection platforms that can be deployed quickly and integrated into current systems using APIs. Open-integration APIs are helping IT and security teams meet the challenge of securing endpoints as part of their organizations’ new digital transformation initiatives. Cloud-based platforms with open APIs baked in are being used to streamline cross-vendor integration and reporting while improving endpoint visibility, control and management.
Additionally, Gartner predicts that by the end of 2023, 95% of endpoint protection platforms will be cloud-based. Leading cloud-based EPP vendors with open-API integration include Cisco, CrowdStrike, McAfee, Microsoft, SentinelOne, Sophos and Trend Micro. Gartner’s latest hype cycle for endpoint security finds that the current generation of zero trust network access (ZTNA) applications is designed with more flexible user experiences and customization, while improving persona and role-based adaptability. Gartner observes that “cloud-based ZTNA offerings improve scalability and ease of adoption” in its latest endpoint security hype cycle.
Endpoint detection and response (EDR) needs to be designed
Endpoint protection platform providers see the potential to consolidate enterprises’ spending on cybersecurity while offering the added value of identifying and thwarting advanced threats. Many leading EPP providers have EDR in their platforms, including BitDefender, CrowdStrike, Cisco, ESET, FireEye, Fortinet, F-Secure, Microsoft, McAfee and Sophos.
Market leaders, including CrowdStrike, have a platform architecture that consolidates EDR and EPP agents on a unified data platform. For example, relying on a single platform enables CrowdStrike’s Falcon X threat intelligence and Threat Graph data analytics to identify advanced threats, analyze device, data and user activity and track anomalous activity that could lead to a breach.
Many CISOs would likely agree that cybersecurity is a data-heavy process, and EDR providers must show they can scale analytics, data storage and machine learning (ML) economically and effectively.
Prevention and protection against sophisticated attacks, including malware and ransomware
CIOs and CFOs are pressured to consolidate systems, trim their budgets and get more done with less. On nearly every sales call, EPP providers hear from customers that they need to increase the value they’re delivering. Given how data-centric endpoint platforms are, many are fast-tracking malware and ransomware protection through product development, then bundling it under current platform contracts.
It’s a win-win for customers and vendors because the urgency to deliver more value for a lower cost is strengthening zero-trust adoption and framework integration across enterprises. Leading vendors include Absolute Software, CrowdStrike Falcon, FireEye Endpoint Security, Ivanti, Microsoft Defender 365, Sophos, Trend Micro and ESET.
One noteworthy approach to providing ransomware protection as a core part of a platform is found in Absolute’s Ransomware Response, building on the company’s expertise in endpoint visibility, control and resilience. Absolute’s approach provides security teams with flexibility in defining cyber hygiene and resiliency baselines. Security teams then can assess strategic readiness across endpoints while monitoring device security posture and sensitive data.
Another noteworthy solution is FireEye Endpoint Security, which relies on multiple protection engines and deployable modules developed to identify and stop ransomware and malware attacks at endpoints. A third, Sophos Intercept X, integrates deep-learning AI techniques with anti-exploit, anti-ransomware and control technologies that can predict and identify potential ransomware attacks.
Risk scoring and policies rely on contextual intelligence from AI and supervised machine learning algorithms
Look for EPP and EDR vendors who can interpret behavioral, device and system data in real time to define a risk score for a given transaction. Real-time data analysis helps supervised machine learning models improve their predictive accuracy. The better the risk scoring, the fewer users are asked to go through multiple steps to authenticate themselves. These systems’ design goal is continuous validation that doesn’t sacrifice user experience. Leading vendors include CrowdStrike, IBM, Microsoft and Palo Alto Networks.
Self-healing endpoints designed into the platform’s core architecture
IT and security teams need self-healing endpoints integrated into EPP and EDR platforms to automate endpoint management. This both saves time and improves endpoint security. For example, using adaptive intelligence without human intervention, a self-healing endpoint designed with self-diagnostics can identify and take immediate action to thwart breach attempts. Self-healing endpoints will shut down, validate their OS, application and patch versioning and then reset themselves to an optimized configuration. Absolute Software, Akamai, Blackberry, Cisco’s self-healing networks, Ivanti, Malwarebytes, McAfee, Microsoft 365, Qualys, SentinelOne, Tanium, Trend Micro, Webroot and many others have endpoints that can autonomously self-heal themselves.
Relying on firmware-embedded persistence as the basis of their self-healing endpoints, Absolute’s approach is unique in providing an undeleteable digital tether to every PC-based endpoint.
“Most self-healing firmware is embedded directly into the OEM hardware itself,” Andrew Hewitt, senior analyst at Forrester, told VentureBeat.
Hewitt added that “self-healing will need to occur at multiple levels: 1) application; 2) operating system; and 3) firmware. Of these, self-healing embedded in the firmware will prove the most essential because it will ensure that all the software running on an endpoint, even agents that conduct self-healing at an OS level, can effectively run without disruption.”
Ransomware attacks will keep testing endpoint security
Cyberattackers look to bypass weak or non-existent endpoint security, hack into IAM and PAM systems to control server access, gain access to admin privileges and move laterally into high-value systems. This year’s CISA alerts and increasing ransomware attacks underscore the urgency of improving endpoint security.
Ransomware attacks have increased by 80% year-over-year, with ransomware-as-a-service being used by eight of the top 11 ransomware families and nearly 120% growth in double-extortion ransomware. Additionally, a Zscaler ThreatLabz report found that double-extortion attacks on healthcare companies are growing by nearly 650% compared to 2021.
Enforcing least privileged access, defining machine and human identities as the new security perimeter, and at the very least, enabling multifactor authentication (MFA) are critical to improving endpoint security hygiene.