Gone are the days when an organization could protect itself by simply adopting a handful of security technologies and practices focused on the internal network. Mobile and cloud technologies have expanded enterprise boundaries, and increasingly dangerous threats from cybercriminals now require organizations to move strategically from a threat prevention mindset to an approach that focuses on detecting and responding to attacks, and then recovering from them.
At the same time, today’s mobile and cloud computing paradigm demands immediate access to data at all times from any location, says Lenny Zeltser, a senior instructor in malware analysis at the SANS Institute, a cybersecurity training organization.
As a result, organizations find themselves struggling to maintain control over the enterprise networks that employees and contractors use to interact with a wide range of sensitive data. “The network perimeter became ephemeral, with access occurring from homes, satellite locations, internet cafes and other networks that the organization cannot secure in the way that it attempted to lock down its corporate network,” Zeltser says.
To address powerful new threats while protecting a shifting landscape on which sensitive data resides, many organizations are employing endpoint security solutions with powerful capabilities such as artificial intelligence (AI) and machine learning.
IoT and Cloud Change the Definition of Endpoints
The evolution of the network has redefined what organizations view as an endpoint.
“Traditionally, we identified network endpoints as any device that manages communication across a network from within a corporate firewall, such as a modem, router, printer or PC,” says Sri Sundaralingam, Symantec’s enterprise security product marketing lead.
The cloud allowed organizations to expand network access to devices and services outside the firewall, forcing the entire IT community to rethink what should be classified as an endpoint. “Today, we consider the modern network endpoint to include any device that can access a corporate network, and that includes PCs, smartphones, tablets, wearables, Internet of Things devices and more,” Sundaralingam says.
A vast number and variety of devices now connect to enterprise networks, including endpoints as diverse as building controls, vending machines and Internet of Things (IoT) components such as industrial sensors and switches.
“These devices typically carry less protection from attacks than a laptop or phone and must be monitored for compromise,” says Larry Lunetta, vice president of security solutions marketing at Aruba Networks. Organizations also need to pay close attention to endpoints used by an increasingly mobile workforce, as well as branch offices connecting directly to the internet.
Organizations are beginning to understand that breaches are inevitable, even as they strive to prevent as many attacks as possible. “They have to prepare to detect successful attacks and respond appropriately,” says Jim Waggoner, senior director of endpoint product management for FireEye. These capabilities are known as endpoint detection and response (EDR).
EDR tools address the need for continuous monitoring of and response to increasingly sophisticated network threats. EDRs differ from standard endpoint protection platforms (EPPs), such as anti-malware solutions, in that they aren’t designed to automatically stop threats during the pre-execution phase.
An EDR goes beyond EPP’s basic capabilities to offer deep visibility, providing insights that help security analysts discover, investigate and respond to advanced threats targeting multiple endpoints. For extra protection, many security tools combine both EDR and EPP capabilities.
AI and Machine Learning Help Identify Cybersecurity Threats
Unfortunately, most serious network attacks do not stop at the endpoint. “The endpoint is simply the jumping-off location for a more aggressive and expansive attack that involves small steps over days, weeks or months,” Lunetta says. “Artificial intelligence and machine learning can see small changes in endpoint behaviors, put them in context over time and raise a risk score within a security solution to an alert threshold so it can be investigated and mitigated before damage is done.”
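To make the risk-scoring idea Lunetta describes concrete, the following is an added example (not code from the article or from Aruba Networks) of how an EDR-style scorer can weigh individually weak endpoint behaviours, decay them over time and alert once a host's score reaches a threshold. The event kinds, weights, host names and telemetry are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed weights for individually low-signal endpoint behaviours
# (assumed values; a real EDR would tune or learn them).
EVENT_WEIGHTS = {
    "office_spawned_shell": 30,     # e.g. a document viewer launching a shell
    "credential_store_read": 25,
    "outbound_to_rare_domain": 20,
    "lateral_smb_logon": 30,
    "new_scheduled_task": 15,
}
ALERT_THRESHOLD = 50
HALF_LIFE = timedelta(hours=24)     # how quickly old behaviour stops counting

@dataclass(frozen=True)
class Event:
    host: str
    when: datetime
    kind: str

def decayed(score: float, elapsed: timedelta) -> float:
    """Halve the accumulated score for every HALF_LIFE that has elapsed."""
    return score * 0.5 ** (elapsed / HALF_LIFE)

def score_endpoints(events):
    """Replay events in time order with a decaying risk score per host.
    Returns (final score per host, [(host, time, score)] for each host whose
    score first reached ALERT_THRESHOLD)."""
    state = {}                      # host -> (score, time of last event)
    alerts = []
    for ev in sorted(events, key=lambda e: e.when):
        score, last = state.get(ev.host, (0.0, ev.when))
        score = decayed(score, ev.when - last) + EVENT_WEIGHTS.get(ev.kind, 0)
        state[ev.host] = (score, ev.when)
        if score >= ALERT_THRESHOLD and all(h != ev.host for h, _, _ in alerts):
            alerts.append((ev.host, ev.when, round(score, 1)))
    return {h: round(s, 1) for h, (s, _) in state.items()}, alerts

# Constructed telemetry: ws-07 shows three weak signals within 20 minutes;
# ws-12's two signals sum above the threshold on paper but are days apart.
T0 = datetime(2024, 1, 8, 9, 0)
SAMPLE_EVENTS = [
    Event("ws-07", T0, "office_spawned_shell"),
    Event("ws-07", T0 + timedelta(minutes=5), "credential_store_read"),
    Event("ws-07", T0 + timedelta(minutes=20), "outbound_to_rare_domain"),
    Event("ws-12", T0, "lateral_smb_logon"),
    Event("ws-12", T0 + timedelta(days=3), "office_spawned_shell"),
]
```

Running `score_endpoints(SAMPLE_EVENTS)` alerts on ws-07 at its second event, while ws-12 stays below the threshold because its first signal has decayed by the time the second arrives.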
According to the CDW Cybersecurity Insight Report: Volume 1, 39 percent of survey respondents are considering next-generation endpoint defense technologies, which combine machine learning, threat intelligence and behavioral analysis to thwart sophisticated attacks and protect both the endpoint and enterprise network.
Machine learning and AI also excel at identifying new types and variations of malware that haven’t existed in the wild for very long. “Every organization needs multiple detection engines to help prevent attacks, such as ransomware and commodity malware,” Waggoner says.
Sundaralingam agrees that sophisticated technologies are now essential for detecting and preventing malicious attacks. “Advanced machine learning employs a multilayered threat assessment that analyzes how static files behave and interact with other files, machines and URLs,” he says. Machine learning can also scrutinize vast amounts of data to determine if a type of code seen on only one or perhaps a handful of machines around the world is likely to be malicious.
“Put simply, advanced machine learning acts as the first responder when an attacker gains access to private data, and effectively detects malware in the pre-execution phase to seamlessly respond and stop large known and unknown threats,” Sundaralingam says.
“By combining machine learning and behavioral analysis with endpoint technologies,” he adds, “companies are able to minimize false positives and maximize protection when faced with large-scale attacks like WannaCry.”
Computers are inherently better at some tasks than humans, including the ability to analyze large volumes of data to spot hidden patterns that can indicate a possible network threat. “Many endpoint anti-virus and related technologies now incorporate AI to detect malware in a way that extends the approaches available to us earlier,” Zeltser says. “This is an evolutionary step that allows the defenders to keep up with the constantly changing threat landscape.”