What is an endpoint?
An endpoint is a hardware device that gives a user access to a distributed computer system: mobile phones, tablets, laptops and desktop PCs. Once connected to a local area network or the Internet, every one of them can reach the information assets of an organisation.
Why are they important?
Endpoints feature in almost every modern cyber attack. Attackers commonly use them as the entry point because, by definition, they are where a user interacts with an IT system, and a user can be persuaded to open an attachment or follow a link. Each endpoint also generates telemetry that is valuable to defenders: process activity, file access, network events and configuration changes. Because endpoints are networked to each other and to servers, a foothold on one machine gives an attacker a platform from which to move laterally to other machines in the organisation.
Bring your own security risk
Companies that allow employees to ‘Bring Your Own Device (BYOD)’, using personal laptops and smartphones for work, will always face endpoint security challenges. A single user may have several endpoint devices, each running a different operating system and each connected to shared resources that include email, databases and CRM applications. A smaller business may be completely reliant on cloud-based services that are reachable from any internet-enabled endpoint. While the data stored in the cloud may be well protected, under the cloud provider’s shared-responsibility model the provider is not responsible for the security of the endpoint device that connects to it. Endpoints also provide good cover for attackers, because security teams are often reluctant to intervene on them for fear that any action will disrupt the user.
How can endpoints be protected?
Antivirus software (AV) is traditionally installed on endpoint devices and is designed to detect malicious programs, block them from running and give security teams a way to remove them. It works by computing a ‘signature’ of a file (a hash of the whole file, or a characteristic byte sequence found in a known virus or worm) and matching it against the known-bad signatures recorded in a database.
However, attacks have grown more sophisticated and signature-based antivirus is no longer sufficient on its own. Attackers now use file-less malware that runs in memory and never writes a file for the scanner to inspect, zero-day exploits for which no signature exists yet, and long-running campaigns (advanced persistent threats) that swap their tooling as soon as it is detected. None of these present a known signature, so a purely signature-based product cannot detect them.
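The two paragraphs above are easier to reason about with a scanner in hand. The following is an added example, not code from the original article or from any vendor: a minimal signature-based scanner with a constructed signature database, run against the original sample, a one-byte variant of it, and a repacked copy whose bytes on disk no longer contain the signature. Every sample, hash and pattern is constructed for the example; nothing here is real malware or a real AV signature.

```python
"""Added example, not code from the original article: a minimal signature-based
scanner that shows what matching a file against a signature database means and
why a trivially modified sample slips past it. Every sample, hash and pattern
below is constructed for the example; nothing here is real malware or a real
AV signature."""
import hashlib
import re
from typing import Optional, Tuple

# Constructed "known-bad" sample: a fake header followed by a marker string
# standing in for the characteristic bytes of a malware family.
KNOWN_BAD = b"MZ\x90\x00" + b"EVIL_PAYLOAD_V1" + b"\x00" * 8


def sha256_hex(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


# Constructed signature database. Real AV databases hold millions of entries
# of both kinds: exact file hashes and byte patterns shared by a family.
SIGNATURE_DB = {
    "hashes": {sha256_hex(KNOWN_BAD): "Constructed.Sample.A"},
    "patterns": [(re.compile(rb"EVIL_PAYLOAD_V1"), "Constructed.Family.A")],
}


def scan(blob: bytes) -> Optional[Tuple[str, str]]:
    """Return (match_type, signature_name) or None, as a signature scanner would."""
    digest = sha256_hex(blob)
    if digest in SIGNATURE_DB["hashes"]:
        return ("hash", SIGNATURE_DB["hashes"][digest])
    for pattern, name in SIGNATURE_DB["patterns"]:
        if pattern.search(blob):
            return ("pattern", name)
    return None


def xor_pack(blob: bytes, key: int) -> bytes:
    """Toy 'packer': store the payload XOR-encoded behind a small stub. A real
    packer or crypter does the same job with more care; the point is that the
    bytes on disk no longer contain the signature."""
    return b"STUB" + bytes(b ^ key for b in blob)


def xor_unpack(packed: bytes, key: int) -> bytes:
    """What the stub does at run time: recover the original payload in memory."""
    return bytes(b ^ key for b in packed[len(b"STUB"):])


def demo() -> dict:
    """Run the three cases the text describes and return the scanner verdicts."""
    variant = KNOWN_BAD[:-1] + b"\x01"        # one byte changed: hash no longer matches
    packed = xor_pack(KNOWN_BAD, 0x5A)        # repacked: no signature visible on disk
    return {
        "original": scan(KNOWN_BAD),          # ("hash", "Constructed.Sample.A")
        "one_byte_variant": scan(variant),    # ("pattern", "Constructed.Family.A")
        "repacked": scan(packed),             # None: same behaviour, nothing to match
        "repacked_unpacks_to_original": xor_unpack(packed, 0x5A) == KNOWN_BAD,
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:32} {verdict}")
```

The hash entry catches only the exact file; the byte-pattern entry survives a small edit, which is why vendors prefer family patterns to hashes. The repacked copy defeats both while behaving identically once it unpacks itself in memory, and a file that never touches disk at all gives the scanner nothing to read. That gap is what the behaviour-based approaches below try to close.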
With AV losing its edge, security vendors have named next-generation antivirus (NGAV) as the legacy product’s successor. While the exact definition of NGAV varies from vendor to vendor, most products take a more holistic approach and monitor every process on each endpoint over a period of time, reviewing file attributes, file content, system calls and network activity.
Both AV and NGAV detect by looking for specific attack characteristics, and neither accounts for human ingenuity or attacker behaviour. Attackers adapt, change their tactics and eventually work out how to get around next-generation antivirus, just as they did with its predecessor. Neither the legacy product nor its successor offers true behavioural detection.
Monitoring the behaviour of attackers
Endpoint Detection and Response (EDR) tools record system-level behaviour and events on each endpoint (process activity, file access, network events and configuration changes) and store that data either locally on the endpoint or in a centralised database. Using known indicators of compromise (IOCs) together with behaviour analytics, the EDR continually searches the recorded data to identify breaches early, including insider threats, and to support a rapid response. The same record lets investigators establish the nature, scale and scope of an attack after it has run its course.
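To make the difference between IOC matching and behaviour analytics concrete, here is an added example, not code from the original article or from any EDR product: a toy analytic that runs one known-IOC lookup and two behaviour rules (a document editor spawning a script host, and one workstation fanning out over SMB to several hosts within a minute) over a recorded stream of endpoint events. The events, hashes, host names, rule thresholds and the `Alert` record shape are all constructed for the example.

```python
"""Added example, not code from the original article: a toy EDR-style analytic
that runs a known-IOC lookup and two behaviour rules over a recorded stream of
endpoint events. The events, hashes, host names and rule thresholds are all
constructed for the example; a real EDR applies hundreds of such rules to
telemetry shipped by an agent on every endpoint."""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta
from typing import List

Alert = namedtuple("Alert", "rule host ts detail")

# Constructed indicators of compromise: file hashes seen in a previous incident.
IOC_HASHES = {"c0ffee11" * 8: "Constructed.Loader.B"}

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}

# Constructed event stream, in the shape an agent would ship to the central store.
EVENTS = [
    {"ts": "2024-01-10T09:00:01", "host": "WS-17", "type": "process",
     "image": "winword.exe", "parent": "explorer.exe", "sha256": "aa" * 32,
     "cmdline": "winword.exe invoice.docm"},
    {"ts": "2024-01-10T09:00:07", "host": "WS-17", "type": "process",
     "image": "powershell.exe", "parent": "winword.exe", "sha256": "bb" * 32,
     "cmdline": "powershell.exe -w hidden -enc SQBFAFgA"},
    {"ts": "2024-01-10T09:00:09", "host": "WS-17", "type": "process",
     "image": "updater.exe", "parent": "powershell.exe", "sha256": "c0ffee11" * 8,
     "cmdline": "updater.exe"},
    {"ts": "2024-01-10T09:01:10", "host": "WS-17", "type": "network", "dst": "WS-21", "dport": 445},
    {"ts": "2024-01-10T09:01:12", "host": "WS-17", "type": "network", "dst": "WS-22", "dport": 445},
    {"ts": "2024-01-10T09:01:15", "host": "WS-17", "type": "network", "dst": "WS-23", "dport": 445},
    # Ordinary activity on another endpoint: should produce no alert.
    {"ts": "2024-01-10T09:05:00", "host": "WS-04", "type": "process",
     "image": "excel.exe", "parent": "explorer.exe", "sha256": "dd" * 32,
     "cmdline": "excel.exe budget.xlsx"},
    {"ts": "2024-01-10T09:05:30", "host": "WS-04", "type": "network", "dst": "FS-01", "dport": 445},
]


def parse_ts(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def rule_known_ioc(events):
    """Classic IOC matching: a hash from a previous incident appears again."""
    for e in events:
        if e["type"] == "process" and e["sha256"] in IOC_HASHES:
            yield Alert("known_ioc", e["host"], e["ts"],
                        f'{e["image"]} matches {IOC_HASHES[e["sha256"]]}')


def rule_office_spawns_script_host(events):
    """Behaviour rule: a document editor starting a shell or script host is a
    common initial-access pattern (macro or exploit), whatever the file hashes are."""
    for e in events:
        if (e["type"] == "process" and e["parent"].lower() in OFFICE_APPS
                and e["image"].lower() in SCRIPT_HOSTS):
            yield Alert("office_spawns_script_host", e["host"], e["ts"],
                        f'{e["parent"]} -> {e["image"]}: {e["cmdline"]}')


def rule_smb_fanout(events, window=timedelta(seconds=60), threshold=3):
    """Behaviour rule for lateral movement: one endpoint opening SMB (445) to
    several distinct hosts inside a short window. Workstations rarely do this."""
    by_host = defaultdict(list)
    for e in events:
        if e["type"] == "network" and e["dport"] == 445:
            by_host[e["host"]].append(e)
    for host, evs in by_host.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        for i, e in enumerate(evs):
            now = parse_ts(e["ts"])
            recent = {x["dst"] for x in evs[:i + 1] if now - parse_ts(x["ts"]) <= window}
            if len(recent) >= threshold:
                yield Alert("smb_fanout", host, e["ts"],
                            f"{len(recent)} SMB targets in {window.seconds}s: {sorted(recent)}")
                break  # one alert per host; the analyst pivots from there


RULES = [rule_known_ioc, rule_office_spawns_script_host, rule_smb_fanout]


def detect(events) -> List[Alert]:
    """Run every rule over the recorded stream; sort so the timeline reads in order."""
    alerts = [a for rule in RULES for a in rule(events)]
    return sorted(alerts, key=lambda a: a.ts)


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"{a.ts} {a.host:6} {a.rule:26} {a.detail}")
```

Only the `known_ioc` rule depends on having seen the attacker’s tooling before; the other two fire on what the processes and connections do, so they still catch a repacked or file-less variant. The ordered alert timeline for WS-17 (document opened, PowerShell spawned, loader dropped, SMB fan-out) is also the starting point for the scope-and-scale investigation the paragraph above describes.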
If you would like to know more about how to protect the endpoints in your organisation from cyber attack, I can recommend that you review the features and benefits of the CYBERSHIELD MDR-ENDPOINT service package.