
Evaluating Elements of an Effective Endpoint Security Strategy

One in every four organizations is looking to refine their endpoint security strategy in the next 12-18 months, according to a recent survey by ESG. This desire for change is surprising in an industry that has existed for more than two decades. Why—more than twenty years later—are organizations still constantly looking to refine their security strategy?

The interest in new endpoint security controls is driven by several factors, including fear of breach or business disruption, desire to strengthen security strategy following a breach or malware incident (e.g. ransomware, phishing), development of an incident response program, consolidation of disparate security tools, migration to the cloud/SaaS, or organizational changes like a merger, acquisition, or new security leadership.

With an increasingly large number of endpoint security options to choose from, how do organizations ensure that their selection and overall strategy are the best fit for their needs rather than a product of marketing hype? To develop an effective endpoint security strategy, organizations should focus their research and evaluation process on the following five elements: endpoint detection and response, prevention, hardening and risk analytics, operational simplicity, and product evaluation.

Endpoint Detection and Response

The first critical element of an endpoint security strategy is endpoint detection and response (EDR). These solutions are designed on the assumption that a compromise has already occurred. To support this, they constantly monitor and analyze endpoint events in order to detect and contain suspicious activity. Using historic and live data search and investigation, threat hunting capabilities, and contextual insights, these solutions can identify what happened before, during, and after an attack.

No organization is 100 percent unbreachable. Therefore, it is especially important to invest in EDR if an organization’s risk of targeted attacks is high. Organizations should also be aware that successful use of EDR demands the assistance of security specialists who are able to monitor, understand, and quickly act upon alerts. Less mature organizations with smaller staffs or budgets should consider managed service providers to harness the detection and response power of this kind of technology.
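The monitoring, detection, investigation and containment loop described above, as an added example rather than code from the article or any product it refers to: a small EDR-style analysis over constructed process telemetry. The event format, hostnames, command lines and the two detection rules are assumptions made for illustration; a real EDR agent collects far richer telemetry, but the shape of the work (detect on an event stream, walk the process ancestry to see what happened before, pull a timeline around the alert to see what happened after, then decide what to contain) is the same.

```python
"""EDR-style analysis over constructed endpoint process events.

Added example, not the article's code. Event schema, rule names, hostnames
and command lines are all assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Assumed rule inputs: document-handling apps that should rarely spawn a
# scripting host, and the scripting hosts themselves.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


@dataclass(frozen=True)
class ProcEvent:
    ts: datetime
    host: str
    pid: int
    ppid: int
    image: str
    cmdline: str


T0 = datetime(2024, 1, 15, 9, 0, 0)

# Constructed telemetry. ws-17 shows a document viewer spawning a script host
# with an encoded command; ws-22 shows a benign scheduled maintenance script.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(T0, "ws-17", 400, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(T0 + timedelta(minutes=5), "ws-17", 512, 400, "winword.exe", "winword.exe invoice.docm"),
    ProcEvent(T0 + timedelta(minutes=6), "ws-17", 600, 512, "powershell.exe", "powershell.exe -EncodedCommand <redacted>"),
    ProcEvent(T0 + timedelta(minutes=6, seconds=30), "ws-17", 610, 600, "cmd.exe", "cmd.exe /c whoami"),
    ProcEvent(T0 + timedelta(minutes=20), "ws-17", 700, 400, "chrome.exe", "chrome.exe"),
    ProcEvent(T0 + timedelta(minutes=25), "ws-22", 100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(T0 + timedelta(minutes=26), "ws-22", 300, 100, "powershell.exe", "powershell.exe -File maintenance.ps1"),
]


def index_by_pid(events: List[ProcEvent]) -> Dict[Tuple[str, int], ProcEvent]:
    """Key events by (host, pid) so parents can be looked up in O(1)."""
    return {(e.host, e.pid): e for e in events}


def ancestry(events: List[ProcEvent], host: str, pid: int) -> List[str]:
    """Reconstruct what happened *before*: the process chain from root to pid."""
    by_pid = index_by_pid(events)
    chain, seen = [], set()
    cur = by_pid.get((host, pid))
    while cur is not None and cur.pid not in seen:  # seen-set guards against pid reuse loops
        seen.add(cur.pid)
        chain.append(cur.image)
        cur = by_pid.get((host, cur.ppid))
    return list(reversed(chain))


def detect(events: List[ProcEvent]) -> List[dict]:
    """Run two simple behavioural rules over the stream and emit alerts."""
    by_pid = index_by_pid(events)
    alerts = []
    for e in events:
        parent = by_pid.get((e.host, e.ppid))
        if parent and parent.image in OFFICE_APPS and e.image in SCRIPT_HOSTS:
            alerts.append({"rule": "office-spawns-script-host", "host": e.host, "pid": e.pid, "ts": e.ts})
        if e.image == "powershell.exe" and "-encodedcommand" in e.cmdline.lower():
            alerts.append({"rule": "powershell-encoded-command", "host": e.host, "pid": e.pid, "ts": e.ts})
    return alerts


def timeline(events: List[ProcEvent], host: str, center: datetime, window_minutes: int = 10) -> List[ProcEvent]:
    """What happened *during and after*: every event on the host within +/- window."""
    delta = timedelta(minutes=window_minutes)
    return sorted((e for e in events if e.host == host and center - delta <= e.ts <= center + delta), key=lambda e: e.ts)


def hosts_to_contain(alerts: List[dict]) -> List[str]:
    """Containment decision: isolate every host that raised at least one alert."""
    return sorted({a["host"] for a in alerts})


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(a["rule"], a["host"], "chain:", " > ".join(ancestry(SAMPLE_EVENTS, a["host"], a["pid"])))
    print("isolate:", hosts_to_contain(found))
```

The benign script on ws-22 triggers neither rule, which is the point of pairing a parent-child rule with a command-line rule rather than alerting on every script host launch; the analyst who receives the ws-17 alert gets the ancestry chain and the surrounding timeline without having to ask the endpoint for more data.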

Prevention
Many organizations believe the “Sophisticated Attack Myth”—that attacks occur simply because the actor was too sophisticated for the organization’s security system to stop them. In reality, many of these attacks can be automatically halted with strong prevention, which should be a key pillar of any endpoint security strategy. While legacy antivirus (AV) solutions may no longer provide enough protection on their own, commercial-grade advanced protection solutions are available to help. Consider a solution that offers automatic detection and remediation of known and zero-day threats including fileless attacks. Mature machine learning, advanced exploit mitigation, web-threat protection and automatic behavioral detection and response are the most important capabilities. And keep in mind that strong prevention will dramatically reduce resources needed for incident response and threat hunting.

Hardening and Risk Analytics

Most intrusions are not zero-day attacks. Bad actors rely on weaknesses in their target’s environment, such as software vulnerabilities and system misconfigurations.

Attackers often closely monitor when vendors disclose vulnerabilities and use this window of opportunity to access an organization’s systems while they know their target is susceptible and likely has not yet applied the patch. Organizations with a less mature vulnerability management strategy should focus on expanding vulnerability and patch management programs to include third-party applications. Because patching is time-sensitive, it is important to prioritize tasks and alerts. Start by patching the most commonly used applications such as Windows, Office, browsers, Adobe and Java, which are known to frequently disclose vulnerabilities and release patches. Patching should be aggressive for end-user devices, and organizations may wish to automate patching for these systems.

The security team should also have real-time visibility of systems that are vulnerable because of missing critical security patches, and of misconfigurations that pose a security risk, such as weak passwords and unnecessary services. Having access to this type of information is important because it gives security analysts additional context for prioritizing and speeding up incident investigation. It also allows organizations to break down silos and foster collaboration, ensuring that other groups within the company also take responsibility for improving security.
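The prioritization rules in the two preceding paragraphs (weight the commonly used, frequently patched applications; treat the exposure window between disclosure and patch as growing risk; be more aggressive on end-user devices; surface misconfigurations such as weak password policy and unnecessary services alongside missing patches) can be expressed as a small risk-analytics routine. This is an added example, not code from the article or from any product; the host inventory, the service list, the severity weights, the 1.2 multiplier for end-user devices and the `KB-PLACEHOLDER-*` patch identifiers are all constructed assumptions.

```python
"""Hardening and risk analytics over a constructed endpoint inventory.

Added example, not the article's code. Scoring weights, service names and
patch identifiers are assumptions; the idea (rank missing patches by
app importance and exposure window, add misconfiguration findings,
weight end-user devices) follows the article's guidance.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Tuple

# Article's list of applications that frequently disclose and patch; assumed spelling.
HIGH_CHURN_APPS = {"windows", "office", "chrome", "firefox", "edge", "acrobat", "java"}
# Assumed set of services considered unnecessary on a managed endpoint.
UNNECESSARY_SERVICES = {"telnet", "ftp", "smbv1"}
SEVERITY_WEIGHT = {"critical": 10, "high": 7, "medium": 4}
MIN_PASSWORD_LEN = 12  # assumed policy threshold


@dataclass(frozen=True)
class MissingPatch:
    app: str
    patch_id: str       # placeholder identifier, not a real KB/CVE
    disclosed: date
    severity: str


@dataclass
class Host:
    name: str
    role: str                       # "end-user" or "server"
    missing: List[MissingPatch] = field(default_factory=list)
    services: List[str] = field(default_factory=list)
    min_password_len: int = 14


# Constructed inventory.
TODAY = date(2024, 2, 1)
INVENTORY: List[Host] = [
    Host("ws-17", "end-user",
         missing=[MissingPatch("office", "KB-PLACEHOLDER-1", date(2024, 1, 9), "critical"),
                  MissingPatch("java", "KB-PLACEHOLDER-2", date(2023, 11, 1), "high")],
         services=["spooler", "telnet"], min_password_len=8),
    Host("srv-db", "server",
         missing=[MissingPatch("internal-erp", "KB-PLACEHOLDER-3", date(2024, 1, 25), "medium")],
         services=["sql"], min_password_len=14),
    Host("ws-03", "end-user", missing=[], services=["smbv1"], min_password_len=16),
]


def patch_score(p: MissingPatch, today: date) -> int:
    """Severity, plus a bonus for high-churn apps, plus one point per week of exposure (capped)."""
    score = SEVERITY_WEIGHT.get(p.severity, 1)
    if p.app.lower() in HIGH_CHURN_APPS:
        score += 3
    weeks_exposed = (today - p.disclosed).days // 7
    return score + min(weeks_exposed, 8)


def config_findings(host: Host) -> List[str]:
    """Misconfigurations the article calls out: unnecessary services and weak passwords."""
    findings = [f"unnecessary-service:{s}" for s in host.services if s in UNNECESSARY_SERVICES]
    if host.min_password_len < MIN_PASSWORD_LEN:
        findings.append("weak-password-policy")
    return findings


def host_risk(host: Host, today: date) -> int:
    """Combined host score; end-user devices are weighted up (assumed factor 1.2)."""
    score = sum(patch_score(p, today) for p in host.missing) + 5 * len(config_findings(host))
    if host.role == "end-user":
        score = int(score * 1.2)
    return score


def prioritized_patch_queue(hosts: List[Host], today: date) -> List[Tuple[str, str, str, int]]:
    """Flat work queue of (host, app, patch_id, score), highest score first."""
    queue = [(h.name, p.app, p.patch_id, patch_score(p, today)) for h in hosts for p in h.missing]
    return sorted(queue, key=lambda t: -t[3])


def vulnerable_hosts(hosts: List[Host], today: date) -> List[str]:
    """Dashboard view: hosts ordered by risk, for the real-time visibility the article asks for."""
    return [h.name for h in sorted(hosts, key=lambda h: -host_risk(h, today))]


def auto_patch_candidates(hosts: List[Host]) -> List[str]:
    """End-user devices are the ones the article suggests automating."""
    return [h.name for h in hosts if h.role == "end-user"]


if __name__ == "__main__":
    for h in INVENTORY:
        print(h.name, host_risk(h, TODAY), config_findings(h))
    print(prioritized_patch_queue(INVENTORY, TODAY))
```

Note that ws-03, with no missing patches at all, still outranks the database server because of one legacy service, which is the article's point about misconfigurations: a patch dashboard alone would show that host as clean.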

Operational Simplicity

More products or agents do not necessarily mean more security. Often, they simply mean more administrative overhead and interoperability challenges. Consider a vendor that offers multiple capabilities in a single agent and a single management platform. Cloud-deployed (SaaS) solutions can also reduce an organization’s management burden, speed up deployment, and tighten security, since systems are always on the most up-to-date version of the solution. Avoid products that are hard to manage or that generate too many alerts and false positives.

Product Evaluation

The cybersecurity industry is a crowded place, making it challenging for organizations to assess which products will have the biggest impact and the best return on investment. Before purchasing a new solution, perform a thorough evaluation, including a proof of concept. And understand that test environment results may be very impressive, but may not reflect how the product will perform under the day-to-day requirements of your environment.

A good next step is to engage a neutral third party to measure the non-functional requirements of a solution, such as threat detection efficacy, impact on system performance, and false-positive rate. Organizations with limited budget and resources should refer to neutral third-party evaluations and ensure that the vendor has performed consistently well across multiple tests rather than in a one-off test.

By Utpal Desai
