Endpoint security still inadequate despite growing threats
According to Promisec data, 89 percent of VP and C-Level IT leaders who responded in a Promisec survey have a heightened fear of a breach over the next year while only 32 percent of respondents have advanced endpoint security in place.
The fact that 73 percent of the respondents agree that endpoints are the most vulnerable point for attack should magnify concerns. The demand is there and analyst market valuations for endpoint security reflect that. The market value should grow from $11.62 billion this year to $17.38 billion by 2020, according to a recent MarketsandMarkets report. Analyst group TechNavio pegs the growth at a CAGR of 10.4 percent over the period 2014-2019.
Enterprises need guidance in protecting endpoints and alleviating the fears represented by these numbers. CSO will oblige.
Some of the gaps and vulnerabilities in endpoint security are the lack of complete and regular rollouts of software patches, gaps in application blocking, and the continued appearance of shadow IT, says Steve Lowing, director of Product Management, Promisec.
“Enterprises don’t get close to complete coverage in patching some of the riskiest systems, which includes endpoint systems,” says Lowing. BYOD devices show how this happens: they are not on the corporate network often enough to guarantee a window in which the enterprise can be certain of bringing them up to its security standard, Lowing explains.
During those windows of opportunity, the enterprise can use tools such as NAC to prevent access to the corporate network by endpoints until device-based security applications such as anti-virus and anti-malware update, run a thorough scan of the device, and clean it. Security software is only one layer of the necessary protection.
“We’ve found that making sure things like [antivirus] are always up to date is not sufficient to ensure proper coverage of endpoints,” says Lowing.
Application blocking is growing in use, but there are still gaps in the deployment of that kind of solution. Shadow IT is a growing vulnerability as employees bring ever more types of unauthorized BYOx (Bring Your Own Everything, including BYOA and BYOC) to work, or use them for work, because IT does not support them and may not even be aware they are there.
Gaps and vulnerabilities in endpoint protection exist far beyond employee devices. IoT has the weakest endpoint protection because it has the weakest device resources. “IoT devices are not powerful enough to support traditional endpoint security solutions. It is harder to implement host based intrusion detection and prevention capabilities because of limited processing power, storage and memory,” says Ed Cabrera, vice president of Cybersecurity Strategy, Trend Micro. This will be a challenge for as long as IoT devices maintain their diminutive technology profile.
Enterprises should apply best practices for patching, which require test environments for any systems that are included in patch management endeavors. The enterprise should use policies to automate pushing tested patches out to devices, which should occur within a week of satisfactory test completion.
Perform this patch testing and promotion to production for as many systems as you can, at least including popular browsers, applications, and operating systems. Vendors offering endpoint patch management solutions include Lumension, IBM, and Symantec. “There are simple tools like Ninite that can help update an endpoint based on the application’s update needs,” says Lowing. Ninite is not a Promisec product.
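One way to turn the two rules above (push tested patches within a week, and don't trust coverage figures for devices that are rarely on the network) into a repeatable check is the Python script below. It is an added example, not code from Promisec, CSO or any patch-management vendor; the host names, patch IDs, dates and the 14-day "stale" threshold are constructed for the demo.

```python
"""Patch-rollout compliance check (added example, not Promisec's or CSO's code).

Encodes the article's rule of thumb: a patch that passed testing should reach every
managed endpoint within 7 days. Endpoints that have not checked in recently (for
example BYOD laptops that are off the corporate network) are reported separately
rather than counted as covered, so stale inventory data cannot inflate coverage.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

DEPLOY_SLA = timedelta(days=7)    # push tested patches within a week (from the article)
STALE_AFTER = timedelta(days=14)  # assumption for the demo: 2 weeks without check-in = unreachable


@dataclass
class Patch:
    patch_id: str
    tested_on: date  # date the patch passed the test environment


@dataclass
class Endpoint:
    host: str
    last_seen: date                          # last inventory check-in
    installed: set = field(default_factory=set)  # patch IDs confirmed installed


def patch_report(patches, endpoints, today):
    """Return (per-patch coverage dict, list of stale hosts excluded from coverage)."""
    stale = [e.host for e in endpoints if today - e.last_seen > STALE_AFTER]
    reachable = [e for e in endpoints if today - e.last_seen <= STALE_AFTER]
    report = {}
    for p in patches:
        due = p.tested_on + DEPLOY_SLA
        missing = [e.host for e in reachable if p.patch_id not in e.installed]
        covered = len(reachable) - len(missing)
        report[p.patch_id] = {
            "due": due,
            # overdue only if the SLA has passed AND some reachable host still lacks it
            "overdue": today > due and bool(missing),
            "coverage_pct": round(100 * covered / len(reachable), 1) if reachable else 0.0,
            "missing_on": missing,
        }
    return report, stale


def sample_report():
    """Constructed inventory for the demo: every host, patch ID and date is invented."""
    today = date(2015, 9, 21)
    patches = [
        Patch("patch-A", date(2015, 9, 10)),  # tested 11 days ago: past the 7-day SLA
        Patch("patch-B", date(2015, 9, 18)),  # tested 3 days ago: still within the SLA
    ]
    endpoints = [
        Endpoint("ws01", date(2015, 9, 21), {"patch-A", "patch-B"}),
        Endpoint("ws02", date(2015, 9, 20), {"patch-A"}),
        Endpoint("byod03", date(2015, 9, 1), set()),  # laptop not seen for 20 days
        Endpoint("ws04", date(2015, 9, 19), set()),
    ]
    return patch_report(patches, endpoints, today)


if __name__ == "__main__":
    report, stale = sample_report()
    for pid, r in report.items():
        status = "OVERDUE" if r["overdue"] else "on track"
        print(f"{pid}: {status}, due {r['due']}, {r['coverage_pct']}% covered, missing on {r['missing_on']}")
    print("not seen recently (excluded from coverage):", stale)
```

Run as-is, it reports patch-A as overdue on ws04 with 66.7 percent coverage, patch-B as still on track, and byod03 as a host whose patch state is simply unknown. Feeding it real inventory means replacing `sample_report()` with the output of your patch-management console; the point of keeping the stale hosts in a separate list is that "we have no data" should never be reported as "patched".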
Establish better control of applications. As with any security tool, it is unlikely that application control products will suit your endpoint environment out of the box. Administrators will have to learn and configure the software and its settings as these apply to each endpoint. Simply purchasing the product and throwing it in your network will not work.
To adjust application control to your device fleets, roll out blacklisting/whitelisting tools gradually in order to address the unique needs of each endpoint and to deny applications by default. The enterprise should augment application controls by proactively validating any changes in the environment (file, registry, driver); it should do this by identifying the type of change using the latest threat intelligence services, Lowing instructs.
By maintaining a pristine backup image that includes the device OS, applications, device policy, and controls that are required for that endpoint, the enterprise will have a reference point for spotting change. Application controls and blocking can defend against any detected, unauthorized change based on differences between the image and the contents of the live endpoint. The enterprise should actively update this golden image baseline as new patches come out for optimal control and reduction of the attack surface, Lowing recommends. Application blocking can help address Shadow IT, which includes unauthorized BYOx.
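The golden-image comparison and the default-deny application control just described come down to the same mechanism: a hash manifest of the known-good image, a manifest of the live endpoint, and a rule for what happens to each difference. The Python below is an added example (not Promisec's, Trend Micro's or CSO's code) showing that mechanism end to end on two constructed directory trees; the file names, contents and the "approved hashes" list are invented for the demo, and a real deployment would store the baseline manifest off the endpoint and sign it.

```python
"""Golden-image drift check with deny-by-default classification.

Added example, not code from Promisec, Trend Micro or CSO. Builds a SHA-256
manifest of a baseline tree and of a live tree, then classifies every difference
as added / modified / removed. Any added or modified file whose hash is not on the
approved list is listed under "block", mirroring deny-by-default application control.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root: Path) -> dict:
    """Map relative POSIX path -> sha256 for every regular file under root."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def drift(baseline: dict, live: dict, approved: set) -> dict:
    """Compare a live manifest to the baseline; unapproved new/changed content is blocked."""
    added, modified, block = [], [], []
    for path, digest in live.items():
        if path not in baseline:
            added.append(path)
            if digest not in approved:
                block.append(path)
        elif baseline[path] != digest:
            modified.append(path)
            if digest not in approved:
                block.append(path)
    removed = [p for p in baseline if p not in live]
    return {
        "added": sorted(added),
        "modified": sorted(modified),
        "removed": sorted(removed),
        "block": sorted(block),
    }


def _write(root: Path, rel: str, data: bytes) -> None:
    p = root / rel
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_bytes(data)


def demo() -> dict:
    """Build a constructed golden image and a drifted live tree, return the drift report."""
    with tempfile.TemporaryDirectory() as tmp:
        gold, live = Path(tmp, "gold"), Path(tmp, "live")
        for root in (gold, live):                       # files common to both trees
            _write(root, "bin/agent.exe", b"agent v1")
            _write(root, "etc/policy.cfg", b"av=on\n")
        _write(gold, "bin/legacy.dll", b"old lib")      # present in image, gone on the host
        _write(live, "etc/policy.cfg", b"av=off\n")     # tampered config (modified)
        _write(live, "Users/u1/Downloads/tool.exe", b"unknown binary")  # unapproved (shadow IT)
        _write(live, "bin/updater.exe", b"approved updater")            # vendor-pushed, approved
        approved = {hashlib.sha256(b"approved updater").hexdigest()}   # constructed allowlist
        return drift(manifest(gold), manifest(live), approved)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9}: {paths}")
```

Because the approved list is keyed on content hashes rather than file names, a renamed or re-downloaded binary does not slip past it, and the same list is what you would update when a new patch changes the golden image. Note that the tampered `policy.cfg` lands in "block" as well: the baseline is as much about configuration and policy as about executables, which is why the article's golden image includes device policy and controls, not just the OS and applications.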
If and when IoT devices have the power budget and other resources to run endpoint-based security technologies, the first thing to look for is IDS/IPS, which in this case you would install on each device. Today, network IDS/IPS combined with reputation data from a mature threat intelligence solution can target attackers attempting to take control of IoT devices. In one example, an advanced threat intelligence solution examines network traffic using sandboxing and detection engines to pinpoint viruses, malware, command and control servers and transmissions, and any other signs of threats, according to Cabrera.
Though endpoints are a burgeoning attack surface that is sprawling ever further, the benefits and profits from IoT and mobility alone, for example, continue to outweigh the risks. Enterprises will have to extend themselves to ensure they are taking full advantage of the existing security measures that do help. Companies should continue to urge vendors to produce increasingly advanced endpoint-specific security options.