How Endpoint Protection Solutions Have Evolved with Security Threats
Changing circumstances and attacks require security professionals to devise new defenses.
From the first computer worm in 1971 and the first denial of service attack in 1989 to the modern era of ransomware and state-sponsored advanced persistent threats, cybersecurity has changed immensely and continuously over the past five decades. As threats have evolved, so have security tools, rising to meet new challenges.
Endpoint protection technology plays an important role in this changing landscape, defending some of the most exposed components of an organization’s technology infrastructure from increasingly sophisticated attacks. Organizations that find themselves relying on outdated endpoint protection strategies expose themselves to significant risk when they operate in the modern threat environment. Next-generation endpoint protection technologies reach beyond the simplistic signature detection techniques of years past to incorporate many advanced features that help detect novel attacks, manage endpoint security proactively and identify the root causes of security compromises.
Endpoint protection isn’t new. The discipline of protecting workstations, servers and mobile devices against malware and other threats is as old as the cybersecurity profession itself. Most organizations purchased anti-virus software subscriptions long before they hired a single cybersecurity professional. Those original purchases often drove cybersecurity investments for years afterward and became the first components of a broader cybersecurity program that embraced a defense-in-depth approach to protect systems and information from threats to their confidentiality, integrity and availability. Those broader strategies evolved to include email security, web application security, intrusion detection and prevention, and other supporting technologies.
The earliest approaches to endpoint protection focused on signature detection strategies. Malware authors would develop new viruses, worms, Trojan horses and other software threats and release them into the wild. After spreading to systems around the world, samples of the malware would wind up in the hands of security researchers at anti-virus firms. Those researchers would analyze the malware and extract unique fingerprints from its code that endpoint protection tools could use to identify future infections. They would then release those signatures to their customers in anti-virus updates, protecting systems against future infections by the same strain. The cycle would then begin anew, as malware authors modified their code to evade detection.
The signature detection approach is reliable and consistent. When anti-virus software encounters a known threat, it can easily recognize and eradicate it. This technology remains a foundational element of endpoint protection strategies today because it works. However, while signature detection remains a necessary component of endpoint protection strategies, it is no longer sufficient to provide robust protection. The signature detection approach leaves enterprises wide open to zero-day attacks that use new malware strains to exploit previously unknown vulnerabilities. Modern threats require a modern response.
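As an added illustration of the signature cycle described above (this is example code written for this page, not code from the article or from CDW), the toy scanner below matches a constructed "known strain" by whole-file hash and by a byte pattern, then shows that a single changed byte in a variant escapes both signatures until a researcher ships a new one. All sample bytes and signature names are constructed for this example.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional

# Constructed stand-ins for malware bodies (arbitrary bytes, not real malware):
# a known strain, a variant with a single byte changed, and a benign file.
KNOWN_SAMPLE = b"MZ\x90\x00payload-v1:" + b"\x13\x37" * 8
VARIANT_SAMPLE = KNOWN_SAMPLE.replace(b"\x13\x37", b"\x13\x38", 1)
BENIGN_SAMPLE = b"MZ\x90\x00hello world program" + b"\x00" * 16


@dataclass(frozen=True)
class Signature:
    name: str
    sha256: Optional[str] = None     # whole-file hash signature
    pattern: Optional[bytes] = None  # byte-sequence "fingerprint in the code"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# The "anti-virus update": signatures researchers derived from KNOWN_SAMPLE.
SIGNATURE_DB: List[Signature] = [
    Signature("Strain.A.hash", sha256=sha256_hex(KNOWN_SAMPLE)),
    Signature("Strain.A.pattern", pattern=b"payload-v1:" + b"\x13\x37" * 3),
]


def scan(data: bytes, db: List[Signature] = SIGNATURE_DB) -> List[str]:
    """Return the names of every signature in `db` that matches `data`."""
    digest = sha256_hex(data)
    hits = []
    for sig in db:
        if sig.sha256 is not None and sig.sha256 == digest:
            hits.append(sig.name)
        elif sig.pattern is not None and sig.pattern in data:
            hits.append(sig.name)
    return hits


def publish_update(db: List[Signature], name: str, sample: bytes) -> None:
    """Next turn of the cycle: a captured sample becomes a new hash signature."""
    db.append(Signature(name, sha256=sha256_hex(sample)))


if __name__ == "__main__":
    print("known  :", scan(KNOWN_SAMPLE))    # both signatures fire
    print("variant:", scan(VARIANT_SAMPLE))  # one changed byte: nothing fires
    print("benign :", scan(BENIGN_SAMPLE))   # no false positive on unrelated bytes
    db = list(SIGNATURE_DB)
    publish_update(db, "Strain.A.v2.hash", VARIANT_SAMPLE)
    print("variant after update:", scan(VARIANT_SAMPLE, db))
```

The gap between the variant's release and the update that covers it is exactly the window a zero-day strain exploits, which is why the article treats signatures as necessary but not sufficient.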
New Targets and Shifting Strategies
The threat landscape isn’t the only source of change, either. Enterprise computing is also shifting significantly. With more data and workloads moving to the cloud, the challenge of protecting assets spread across multiple locations becomes more complex. Something will eventually slip through the cracks if organizations don’t take steps to carefully manage their deployed computing base and defend it against attacks.
Adversaries understand the complexity facing enterprise security teams and seek to exploit the weak links in the chain by using a diverse set of tools to compromise security. They realize that end users are often the soft spot in enterprise security, and they deploy attacks that target those users through spear-phishing emails and other focused attacks.
Endpoint protection strategies have evolved to provide a strong defense in this new environment. Modern endpoint security tools still incorporate reliable signature detection technology but now supplement it with newer techniques, including behavioral analysis, sandboxing, predictive analytics and threat intelligence. While different vendors adopt different tactics for combating modern endpoint threats, the common theme is that they all deploy a multipronged defensive strategy to increase the likelihood of rapid detection, blocking and eradication of attacks.
Threat hunting plays a crucial role in enterprise security strategies. This approach, built on the presumption of compromise, seeks to identify existing and future intrusions into an organization’s networks and systems. Threat hunters analyze the approaches attackers have historically used and complement this knowledge with current threat intelligence to better understand adversary tactics and identify the use of those tactics within their environments. During their initial efforts, threat hunting programs generally uncover one or more existing compromises on a network that went undetected by traditional security controls. Attackers who are able to persist in this manner increase their dwell time: the amount of time after a compromise during which they retain access to the organization’s systems.
Reducing the Time to Detect an Attack
Many organizations are choosing to deploy managed threat hunting services that operate 24/7, seeking to immediately identify anomalous network behavior and spot compromises before they can cause significant damage. Cybersecurity leaders are accepting the fact that their systems will eventually be the victim of an attack and are seeking to reduce the dwell time of attackers from weeks or days down to hours or minutes. Time is of the essence during a security incident, and the faster a cybersecurity team can react and remediate a problem, the better an organization can protect the valuable data on its network.
Another common feature of next-generation endpoint protection solutions is their incorporation of endpoint detection and response (EDR) technology. This technology moves beyond simple detection of a security compromise and manages an active response that contains the damage, isolates affected systems and recovers normal operations as quickly as possible. EDR approaches minimize requirements for human interaction, facilitating a rapid and effective response. EDR tools also provide root cause analysis of threats and incidents, allowing organizations not only to recover from a security incident but also to learn from the experience and improve their security controls. Although EDR tools are highly effective, they do require the supervision of highly skilled security professionals. For this reason, many organizations opt for managed EDR services that include professional monitoring and analysis.
The COVID-19 pandemic has rapidly changed the ways many organizations think about work styles in general, and computing in particular. Before the pandemic, organizations were already shifting toward telecommuting models that allowed many employees to work from remote locations and at unusual hours. The pandemic accelerated this change, pushing organizations toward greater adoption of telework-friendly cloud applications and forcing cybersecurity teams to rapidly adapt their controls to protect confidentiality, integrity and availability in this shifting environment. Email, for example, is still a primary attack vector for many adversaries, and shifting to a remote work model means that endpoints now often fall outside the protection afforded by network-based controls. In this new world, the combination of cloud-based solutions and next-generation endpoint protection provides robust control, wherever the end user is located.
To learn more about how you can improve your endpoint security, read the white paper “Security Threats Demand Next-Generation Endpoint Protection” from CDW.