In our last post, we talked about application security and how the security measures at the application level prevent data or code within the application from being stolen or hijacked. This post will cover protecting and securing endpoints, which are remote computing devices that communicate with a network. Servers, virtual environments, desktops, laptops, workstations, tablets, smartphones, and IoT devices are all examples of endpoints.
Why endpoint security is important
Improperly protected, monitored, and secured endpoints offer an entry point to assets and information on your organization’s network, allow attackers to exfiltrate data or hold it hostage, and even take control of devices for use in a denial-of-service attack. As organizations move to a hybrid work model and allow employees and other users to connect via mobile and personal devices, attackers find endpoints to be an even more attractive target. The shift to cloud computing services increases challenges in managing and monitoring endpoints because virtual environments also need to be monitored and protected. Tracking access across all these environments can be a challenge for small IT teams.
Endpoint security services help prevent cyber-attacks by protecting critical systems, intellectual property, employees, data, and other third parties from ransomware, malware, phishing, and other attacks. The costs of not securing endpoints may include data loss, regulatory fines, and damage to your organization’s reputation.
Basics of endpoint security
To say endpoints are everywhere is an understatement. Every smart device in your home, including your thermostat and refrigerator, speaker, and smartwatch, is connected to a network. So is your personal laptop and the computer you’re using for work. Even if you’re not working on your laptop in coffee shops, chances are you brought your phone in to pay for your coffee at a point of sale (POS) device — and both of those are endpoints too. Endpoint security uses several practices to block threats, regardless of where you are and how you’re accessing your network, such as:
- Endpoint encryption: Encryption protects data so it can’t be deciphered without a key.
- Forensic analysis: Together with an endpoint detection and response (EDR) solution, forensic analysis helps monitor, collect, and analyze all endpoint activity to create a digital footprint of incidents.
- IoT protection: Very few IoT devices are secure by default, and very few end users are likely to update IoT devices to secure standards. An EDR system can also manage, monitor, and scan IoT devices for vulnerabilities.
- Email gateways: Criminals frequently attack networks through email. Email gateway software allows safe emails to go through and quarantine potential threats. Email gateways also block viruses and malware and filter web content and URLs.
- Quarantine protection: This is separating dangerous files to prevent harm to devices and networks. Rapidly isolating harmful files is essential to endpoint security and quarantining also allows valuable files to be cleaned rather than discarded.
Keeping everything secure is a real challenge, particularly because IT departments are pressured to prioritize deadlines and business goals over security. In the 2021 Verizon Mobile Security Index, 40% of respondents felt that mobile devices were the company’s most significant security risk, yet 76% felt pressure to sacrifice the security of mobile devices for the sake of expediency.
To meet modern requirements for endpoint security, endpoint security solutions should be cloud-based and use machine learning (ML) and artificial intelligence (AI) to monitor beyond simple virus or malware signatures because malware can now evolve and self-mutate each time an infection occurs. Next-generation antivirus (NGAV) looks for patterns of behavior instead, such as a file that’s downloaded, changes names, changes permissions, launches, and is now monitoring keystrokes. Together with EDR, NGAV provides the monitoring necessary to adapt to stop threats proactively.
Common mistakes in endpoint security
Many small organizations aren’t even aware of the importance of endpoint security. Not too long ago, we didn’t have smartphones and IoT devices, and our home network didn’t serve as our office network as well. Very few individuals know how to change the default passwords on IoT devices, and manufacturers seldom make it easy. Most people connect to networks without considering the risks to endpoint security. As organizations and individuals, you need to consider all the endpoints connecting to your network — and how they could put you or your organization at risk. Below are a few mistakes that can harm an organization in terms of endpoint security:
- Worst: Using traditional antivirus software that’s based on a virus signature. These solutions are good at finding known viruses but fail to identify new types of attacks. Older solutions are no longer updated and struggle to identify and block ransomware and malware.
- Bad: Not centrally monitoring, maintaining, and managing endpoints and not using NGAV make it extremely difficult to detect and block cyberattacks. As with previous layers, not keeping systems and software up to date is a bad security practice in endpoints, as it is with applications.
- Better: Endpoint security that enforces security practices and is joined to a central domain provides some protection for endpoints. For example, using Active Directory to manage user authentication and authorization, force security controls, manage updates, and require users to update passwords (and use secure ones).
These mistakes can significantly impact your business because cybercriminals have resources you might not expect. For example, DarkSide, which was behind the recent Colonial Pipeline ransomware attack, “DarkSide writes the software, they bill the victims, host stolen data, and even handle tech support and media relations, researchers say.” Affiliates are the ones that carry out the attack and collect the bulk of the ransom. Ransomware-as-a-Service, Malware-as-a-Service, and even DDoS-as-a-Service all exist, making the barrier to entering cybercrime relatively low.
Best practices for endpoint security
Gartner’s 2021 Magic Quadrant for Endpoint Protection Platforms defines the market as: “Endpoint protection platforms provide the facility to deploy agents or sensors to managed endpoints including PCs, servers and other devices.” This endpoint security or endpoint protection platforms prevent a wide range of both known and unknown malware and threats. They also help teams investigate and remediate any incidents when malicious activity makes it through your security. To protect your employees and clients, follow these best practices for endpoint security:
- Use an EDR tool, such as SentinelOne. ActiveEDR identifies malicious acts in real-time, automates required responses, and allows threat hunting. Next-generation EDRs provide active monitoring and a security function that regularly audits and tracks endpoints. Ensure that it deploys across clouds, containers, and server workloads and provides the enterprise IoT footprint visibility.
- Make sure you have Endpoint Protection (EPP). Use an AI solution that defends against new threats, even if it’s a virus never seen before. ActiveEDR doesn’t rely on cloud connectivity to make a detection — because it acts on the behavior rather than the virus signature. In this way, EPP can detect threats early, mitigate harmful program activities, and report information to the management console, informing IT administrators and security analysts of new threats without a barrage of alert messages.
- Monitor your platforms and management console. Managed detection and response (MDR) puts eyes on the glass of all the servers around the clock. In addition to the software capabilities, people are always watching, reviewing identified threats, managing them, and responding to them. While ActiveEDR provides considerable protection, it can’t block everything, so having services that watch and manage threats that get past your security controls significantly increases protection.
- Get comprehensive coverage that doesn’t require connectivity, isn’t impacted by cloud latency, and isn’t dependent on human intervention. Look for a solution that can defend and heal itself by stopping processes, quarantining malware or viruses, remediating problems, and even roll back events to keep endpoints clean.
Again, training your staff on endpoint security and its relation to security across your organization is essential. The best practices outlined above, particularly when implemented with next-generation tools, will help you stop cyberattacks that could cause significant damage to your business.
How Netgain protects our clients
Netgain’s security and technology professionals understand the threats posed by malicious actors, unexpected downtime, and lack of compliance with regulations. Our team can recommend tools and best practices and help you implement security controls and other monitoring tools that can help protect your endpoints.
We use advanced endpoint protection, detection, and response platform called SentinelOne. This has been deployed across the entire hosted client and internal IT estate and leverages behavioral AI to help prevent and detect a wider range of real-time attacks. We have also deployed SentinelOne’s 24×7 monitoring service, which analyzes real-time telemetry and provides alerting and remediation on suspicious activity.
Stay tuned for our next post, which covers network security. Closely related to endpoint security, network security protects the integrity and usability of both your data and your network using a combination of hardware and software technologies. Network security targets threats and stops them from entering or spreading on your network, helping your organization block threats at the network level.