As endpoints proliferate, so do the number and types of cyberthreats targeting them.
Already irresistible to attackers, network-connected endpoints have become increasingly vulnerable as more workers mobilize and access internal systems.
The old standby, signature-based anti-virus, falls short in a world where known malware is no longer a big gun in cyber arsenals.
In fact, according to a 2018 Ponemon survey, 76 percent of organizations with assets compromised by endpoint breaches said attackers used some kind of zero-day approach.
That’s four times the number of respondents whose endpoints were breached by known malware (19 percent).
In response, IT teams are fighting back with integrated endpoint security technologies, including endpoint detection and response (EDR), next-generation anti-virus and application control.
Used in combination, they can detect a range of endpoint threat types, stop attacks in progress, track down exploits before they can execute, analyze anomalous behaviors, whitelist critical applications and help teams respond to and remediate attacks.
“In a growing company, you bolt on security as you go,” says William Bocash, IT manager at Stonewall Kitchen, a York, Maine-based specialty foods manufacturer and retailer with 500 employees. “You start with anti-virus, then add security information and event management, a logging system, intrusion detection, and other tools as they hit the market.”
The problem with that approach is that 10 years later, “you’ve got a mess of products that don’t talk to each other.”
With so many threat vectors exposed, businesses are finding that an integrated security response makes more sense than trying to deploy discrete solutions for each type of threat.
Land O’Lakes, a dairy company based in Arden Hills, Minn., is one example. With more than 8,000 endpoints and 10,000 employees to protect across 290 facilities, Land O’Lakes deployed McAfee’s integrated endpoint security platform.
The stack bundles next-generation anti-virus, EDR, behavioral analytics and other tools in a single agent.
“There are lots of security tools out there, but if you don’t integrate the stack, you’ve got to associate all that information and make the connections yourself,” says Land O’Lakes CISO Tony Taylor.
Businesses Shorten Response Time with Cloud-Based Solutions
McAfee’s integrated suites help Taylor’s team coordinate security events across its environment. By using its ePolicy Orchestrator console, Land O’Lakes’ security team can centrally monitor and manage its endpoints. “When a trigger goes off, I can look at all 8,000 endpoints in minutes, rather than days,” says Taylor.
Land O’Lakes also uses McAfee’s security information and event management and data loss prevention offerings to protect endpoints across the enterprise and in the cloud.
While the company runs most of its McAfee products on-premises, it is planning to migrate to the provider’s cloud-based MVISION, which includes the ePolicy Orchestrator and EDR.
When successful, attacks often impact more than one endpoint. IT professionals surveyed by the SANS Institute in 2018 said 84 percent of their endpoint breaches over the previous year involved multiple endpoints.
It makes sense, then, that security software spending in 2018 — $34.4 billion worldwide — was higher for endpoint security than any other segment, according to IDC. That trend, IDC predicts, will continue through the 2022 forecast period.
“Organizations have to manage endpoint security across hybrid, multicloud environments,” says Robert Westervelt, a research director in IDC’s security products group. “That’s a huge challenge right now, because they’re trying to extend solutions designed and configured for the traditional IT environment.”
Security as a Service Cuts Out Wasted Time
Some IT leaders discover the value of security integration after difficult experiences. Take Joe Mrazik, network administrator at Kaas Tailored, a Mukilteo, Wash.-based provider of furnishings for the aerospace, retail and hospitality industries.
Mrazik became a Security as a Service convert in the wake of a “horror story” breach that started with a Windows workstation.
The workstation’s system time had changed, an action that requires administrator privileges. Mrazik took the machine offline and started investigating. He found event logs filling up with strange login attempts and signs of administrative account takeovers.
Though Kaas’s anti-virus vendor at the time provided reports, Mrazik and his small IT team were forced to manually filter them.
“We’d spend hours sifting reports and logs, but by the time we got a lead, everything had changed,” he says. Meanwhile, the malicious code spread, eventually reaching their domain controllers.
“We’d think we’d cleaned it up, and the next day it would be somewhere else,” says Mrazik. They worked around the clock for a week before stabilizing the environment, but never found any malware file.
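The two early warning signs in Mrazik's account, a system time change that needs administrator rights and event logs filling with odd logon attempts, are exactly the kind of thing a small team can triage automatically instead of "sifting reports and logs" by hand. The following is an added example, not Kaas Tailored's or any vendor's code: it runs two simple checks over constructed Windows Security log records (the event IDs 4616, 4625 and 4672 are the real ones; the accounts, hosts and timestamps are made up).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Windows Security log event IDs (real identifiers):
EVT_TIME_CHANGED = 4616   # "The system time was changed" (needs a privileged account)
EVT_LOGON_FAILED = 4625   # "An account failed to log on"
EVT_PRIV_LOGON = 4672     # "Special privileges assigned to new logon" (admin-level token)

# Constructed sample records, not real logs: (timestamp, event_id, account, host)
SAMPLE_EVENTS = [
    ("2018-03-05T02:10:01", 4625, "jsmith", "WS-17"),
    ("2018-03-05T02:10:04", 4625, "jsmith", "WS-17"),
    ("2018-03-05T02:10:07", 4625, "jsmith", "WS-17"),
    ("2018-03-05T02:10:09", 4625, "jsmith", "WS-17"),
    ("2018-03-05T02:10:12", 4625, "jsmith", "WS-17"),
    ("2018-03-05T02:11:30", 4672, "jsmith", "WS-17"),  # admin logon right after the burst
    ("2018-03-05T02:12:02", 4616, "jsmith", "WS-17"),  # clock changed by a user account
    ("2018-03-05T03:00:00", 4616, "SYSTEM", "WS-04"),  # routine time-service correction
    ("2018-03-05T09:15:00", 4625, "mlee", "WS-04"),    # single mistyped password, benign
]

def parse(events):
    """Turn ISO timestamps into datetimes so windows can be compared."""
    return [(datetime.fromisoformat(ts), eid, acct, host) for ts, eid, acct, host in events]

def suspicious_time_changes(events, trusted=("SYSTEM", "LOCAL SERVICE")):
    """First indicator: a 4616 raised by anything other than the OS time service."""
    return [(ts, acct, host) for ts, eid, acct, host in parse(events)
            if eid == EVT_TIME_CHANGED and acct.upper() not in trusted]

def failed_logon_bursts_then_admin(events, threshold=5, window=timedelta(minutes=10)):
    """Second indicator: per (host, account), `threshold` failed logons inside `window`
    followed by a privileged logon before the window closes. Returns
    (host, account, first_failure, privileged_logon) for each burst found."""
    by_key = defaultdict(list)
    for ts, eid, acct, host in parse(events):
        by_key[(host, acct)].append((ts, eid))
    hits = []
    for (host, acct), recs in by_key.items():
        recs.sort()
        fails = [ts for ts, eid in recs if eid == EVT_LOGON_FAILED]
        privs = [ts for ts, eid in recs if eid == EVT_PRIV_LOGON]
        for i in range(len(fails) - threshold + 1):
            start, end = fails[i], fails[i + threshold - 1]
            if end - start > window:
                continue                      # failures too spread out to be one burst
            later_priv = [p for p in privs if end <= p <= start + window]
            if later_priv:
                hits.append((host, acct, start, later_priv[0]))
                break                         # report each burst once
    return hits
```

Run against the sample, the time-change check flags only jsmith on WS-17 (the SYSTEM correction is ignored) and the burst check flags the same host and account, which is the correlation Mrazik had to build by hand.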
Use the Cloud to Get Updates in Real-Time
After calculating the costs of that slog, and tired of pushing out anti-virus updates that were already stale because they didn’t cover just-released threats, Mrazik decided to explore alternatives. After seeing a demonstration of Carbon Black’s CB Defense, he was sold.
The cloud-based product bundles together EDR and next-generation anti-virus, as well as predictive analytics and response and remediation tools.
“Now we get real-time updates, which I don’t have to manage,” Mrazik says. And with Carbon Black’s unified management console, “we can get information on every endpoint and know it’s current and alive.”
Advanced endpoint security platforms generally include centralized management consoles that provide visibility into the vendor’s endpoint tools.
However, more integration is needed to consolidate views into third-party endpoint products, and across the security solution landscape in general.
Typically, organizations have deployed new endpoint tools as threats evolved, only to find themselves saddled with a slew of siloed products.
Vulnerability Scans Save Companies from Malware for Less
Two years ago, when Stonewall Kitchen moved to replace its legacy anti-virus package, it also chose CB Defense.
With regulatory mandates, no dedicated security staff and endpoints in corporate offices, manufacturing plants, distribution centers and retail stores, an integrated cloud-based solution made sense, says Bocash.
“The biggest ROI was eliminating the overhead that came with maintaining our on-premises legacy anti-virus solution — the software updates, Windows updates and hardware forklift upgrades were killing us,” he says.
What’s more, nearly every month, Stonewall Kitchen’s internal security vulnerability scan would find something not covered in its latest anti-virus update.
“We’d suddenly be out of compliance with the Payment Card Industry Data Security Standard, and were constantly fighting to stay on top of that,” Bocash says. “Now we can focus all of those resources into actually using our security system’s capabilities.”
New Tools Help IT Teams Identify Threats as They Come
The team now has the time for forensics and threat investigations, using CB Defense’s forensics tools.
“Previously, we had very few investigative tools,” says Bocash. “If we were breached, we couldn’t tell where it came from, where it went or how much damage it caused.”
Mrazik now also has more time to delve into attack characteristics using the same tools. When the system flags something, he can go directly through the process screen to determine where a threat came from, who initiated it, what it spawned and what was allowed or blocked.
Yet even with a solution that continuously monitors endpoints, says Mrazik, securing them is never a matter of “turning out the lights and closing the door.”
IT still needs to maintain firewalls, patch vulnerabilities, update whitelists and blacklists, and understand the dynamic threat landscape.
Indeed, the days when IT took a set-it-and-forget-it approach to endpoint security are over, says Bocash. “With ransomware, nonmalware and advanced threats on the rise, you have to be in your security systems every single day.”
Moreover, though it’s crucial to collect security metrics — endpoints protected by the latest updates, types of events seen and classified, threats detected, attacks stopped in a specified time frame — they only tell part of the story, says Taylor.
“While it’s interesting to see how many times endpoints are attacked, such metrics quickly lose their luster, because we’re all continuously attacked.”
Instead, IT security leaders should use metrics and all other available information to answer big-picture security questions, says Taylor.
“We need to work with management to understand our risk exposure and potential reputational damage.”