Mar 31 2021

How Next-Generation Endpoint Security Is Different from Traditional Endpoint Security

For businesses with a distributed workforce, endpoint security is more complicated than ever. Modern tools can help organizations get a handle on the threat landscape.

As remote work continues to be the norm for many companies, workers are now the first line of cybersecurity defense. The shift to remote and hybrid work environments has presented fresh security challenges to small businesses, which often do not have the IT security resources of larger enterprises.

With so many users working from home amid the coronavirus pandemic, securing their devices remains critical for IT leaders, who must consider all of the available tools in their defensive arsenal. Some of the most potent protective measures include a class of cybersecurity defenses known collectively as next-generation endpoint security tools.

Next-generation endpoint protection technologies go beyond the simple, signature-based anti-virus detection techniques of the past, increasingly leveraging artificial intelligence and machine learning to enhance security.

Such solutions still use reliable signature detection, but also include new approaches, including endpoint detection and response (EDR), behavioral analysis, sandboxing, predictive analytics and threat intelligence.

“In the ‘new normal,’ with widespread remote work and distributed IT environments, CISOs and other technology leaders are more interested than ever in next-generation endpoint protection solutions,” Michael Sorokin, a solution architect at CDW who focuses on security technologies, writes in a CDW blog post. “IT leaders who haven’t already deployed NGEP technology are hearing about it from their peers and are eager to put solutions in place.”

What Is Next-Generation Endpoint Security?

Signature-based security, which relies on comparing threats to a database of previously identified malicious code, still catches roughly 70 to 80 percent of cybersecurity threats, says Arnie Lopez, vice president of worldwide systems engineering at McAfee. That’s not enough to tackle today’s threat landscape.

Next-gen endpoint protection tools provide organizations with the ability “to report on security incidents in great detail, utilize intelligence about threats worldwide and work effectively with other tools in an organization’s cyber defenses,” writes Jeff Falcon, practice lead within CDW’s cybersecurity practice, in a CDW blog post.

Next-gen endpoint security tools provide organizations with a greater degree of context around security events. “By drilling down into the specific details of an incident, such as who the target is, what the attacker is trying to exploit and what other kinds of incidents may be taking place, a next-gen endpoint solution can identify the intent of an attack,” Falcon writes. “With this information, an organization can prioritize the mitigation of high-risk vulnerabilities.”

Additionally, next-gen endpoint protection tools use threat intelligence to help identify attacks and develop stronger defenses, Falcon writes. Next-gen endpoint security tools also enable automation and orchestration into a business’s defensive capabilities and integrate effectively with other cybersecurity solutions. “By building next-gen endpoint solutions into an organization’s incident response, an IT team can get a better picture of the overall security posture,” Falcon writes.


Next-Generation Endpoint Security vs. Traditional Endpoint Security

Traditional endpoint security solutions rely heavily on a signature database, but maintaining such databases in a world of ever-evolving threats is growing increasingly unsustainable.  

Additionally, there is an inherent lag time in the distribution of threat signatures to all the endpoints. A real-time security approach that leverages artificial intelligence and machine learning can help overcome that.

Next-generation endpoint security tools with access to real-time threat intelligence can analyze this information and deploy immediate updates to users’ endpoints. This enables IT security leaders to block IP addresses, update malware signatures and identify new adversary tactics quickly, providing rapid detection of evolving threats.

Organizations must be smarter about how they determine what is actually a threat, Lopez says, using data not just from endpoints such as laptops and mobile devices but also from the network edge, secure web gateways, firewalls and email gateways. Next-generation endpoint security tools enable organizations to, for example, detect command-and-control server activity that might not be apparent on an endpoint, then feed that data into their telemetry so that they can make smarter security decisions.

Another pillar of next-generation endpoint security is EDR, which moves beyond simple detection of a security compromise and manages an active response that contains the damage, isolates affected systems and recovers normal operations as quickly as possible.

EDR solutions combine an endpoint client that actively performs anti-virus, firewall and intrusion prevention functions with components that respond immediately once a threat is detected.

Next-generation endpoint tools are ideal for securing users’ endpoints at home, Lopez says. “They have their IT-supplied desktops or laptops, but they’re also sometimes having to join from tablets, mobile devices,” he says. “So, having mobile capabilities for your endpoint security is also a big part of next-gen endpoint security.”

Another capability that is popular in next-generation endpoint security platforms is rollback remediation, Lopez says. “As much protection as you put in place, anyone that tells you you’re 100 percent safe has not been doing this for a living. Things are going to happen, and things are going to get through,” he says. “How do you deal with it when it happens?”

Rollback remediation allows organizations to use previously created images, or versions, of a user’s system. When malicious activity and changes are detected, such tools can reverse the changes and restore the system to its previously healthy state. “Then, you should not lose everything you were working on,” Lopez says. “You’ll just lose 10 to 20 percent, versus everything.”

How Next-Generation Endpoint Security Uses AI and Machine Learning

Next-generation endpoint security takes cybersecurity to the next level in terms of behavioral analysis, Lopez notes. To do that effectively, however, such platforms must leverage AI and machine learning techniques.

Next-generation endpoint security tools can help IT security professionals understand whether they are encountering valid applications or uses of system capabilities, such as Remote Desktop Protocol (RDP). 

As these tools start ingesting data on user behavior and begin looking for anomalies in users, applications and even network traffic, there is a high possibility that false positives will occur. The platforms may detect what might seem to be anomalous malicious activity that is, in fact, benign.

Small businesses in particular tend to have limited IT staff, and they can spend a great deal of time chasing down false positives. Machine learning can help staff determine what is and is not an actual threat, saving time and valuable resources, according to Lopez.

“Engineers simply don’t have the time to carefully review endpoint protection logs and react appropriately,” Sorokin writes. “Fortunately, modern NGEP platforms arrive with enhanced analytics and machine learning capabilities that reduce the need to carefully monitor these systems.”

By leveraging AI, next-gen endpoint protection platforms “can alert administrators to endpoint situations that require immediate attention and may even recommend remediation activities to address a specific security vulnerability before an adversary can take advantage of the weakness,” Sorokin writes. 


The Threats Next-Generation Endpoint Security Helps Combat

Although specific next-generation endpoint solutions on the market today — from a wide range of vendors, including McAfee, Forcepoint, BlackBerry Cylance, Palo Alto Networks, Sophos, VMware Carbon Black, SentinelOne and more — bundle in a variety of protection capabilities, “at the core of all solutions is providing protection against malicious code and malicious behavior that can affect the endpoints,” says Duane Schell, CTO for the state of North Dakota.

This includes threats such as spyware, viruses, malware and, of course, ransomware, which Schell notes remains a top-of-mind threat.

Signature-based solutions also do not catch zero-day attacks, which are more difficult to stay on top of with small IT security staffs. As FireEye notes, “a zero-day attack happens once that flaw, or software/hardware vulnerability, is exploited and attackers release malware before a developer has an opportunity to create a patch to fix the vulnerability.”

Machine learning, threat intelligence and remediation rollback can help significantly to combat those threats, Lopez says. “You’ve got sometimes two people that are the security engineers and network engineers, and they also do the response. They’re pseudo-SOC threat hunters at the same time,” he says. “So, those zero-days are the ones that are really taking up most of their time.”

Another kind of threat that next-generation endpoint tools can help guard against are PowerShell-based attacks. “PowerShell can be used for good, but typically it’s not,” Lopez says. “So, be proactive and ask why you need to have a partial script on an executive admin’s endpoint, as an example.”

Machine learning tools can then determine what that individual user’s role is and whether there is a valid use for something like a PowerShell script, he notes. A similar process can determine whether RDP is being used appropriately or whether it is being used to launch ransomware.
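As an added illustration, not code from the article or from any vendor named in it, of the role-aware check Lopez describes for PowerShell and RDP, together with the false-positive concern raised in the AI section: a small Python triage pass over constructed endpoint telemetry that alerts on off-baseline tool use by role and folds recurring repeats into a baseline-review queue instead of paging again. All users, hosts, roles and baselines below are made up for the example.

```python
"""Role-aware triage of endpoint process launches (constructed example)."""
from collections import defaultdict

# Constructed telemetry, one tuple per observed process launch:
# (time, user, host, process). Users, hosts and roles are invented.
EVENTS = [
    ("09:01", "a.ops", "it-ws01", "powershell.exe"),
    ("09:05", "a.ops", "it-ws01", "mstsc.exe"),
    ("09:07", "j.doe", "exec-lt07", "outlook.exe"),
    ("09:30", "j.doe", "exec-lt07", "powershell.exe"),   # off-baseline for an exec admin
    ("10:12", "m.fin", "fin-lt03", "excel.exe"),
    ("10:15", "m.fin", "fin-lt03", "mstsc.exe"),         # RDP from a finance laptop
    ("10:16", "m.fin", "fin-lt03", "mstsc.exe"),
    ("10:20", "m.fin", "fin-lt03", "mstsc.exe"),         # third repeat: review, not re-alert
]

# Hypothetical directory lookup: the role each user holds.
USER_ROLE = {"a.ops": "it_admin", "j.doe": "exec_admin", "m.fin": "finance"}

# Hypothetical per-role baseline: tools a role is expected to run. Anything
# outside it is a candidate anomaly, not automatically malicious.
ROLE_BASELINE = {
    "it_admin": {"powershell.exe", "mstsc.exe", "outlook.exe"},
    "exec_admin": {"outlook.exe", "excel.exe", "teams.exe"},
    "finance": {"excel.exe", "outlook.exe"},
}

# Dual-use tools the article singles out: routine for admins, worth a closer
# look elsewhere, so off-baseline sightings of them score higher.
DUAL_USE = {"powershell.exe": "PowerShell", "mstsc.exe": "RDP client"}

def triage(events, user_role=USER_ROLE, baseline=ROLE_BASELINE, repeat_ok=2):
    """Return (alerts, review_queue). The first `repeat_ok` off-baseline
    launches of a tool by a user raise alerts; further repeats go to a
    baseline-review queue so recurring benign use stops generating noise."""
    seen = defaultdict(int)
    alerts, review_queue = [], []
    for ts, user, host, proc in events:
        role = user_role.get(user, "unknown")
        if proc in baseline.get(role, set()):
            continue                       # expected for this role, no action
        seen[(user, proc)] += 1
        record = {"time": ts, "user": user, "host": host, "process": proc,
                  "role": role, "severity": "high" if proc in DUAL_USE else "low"}
        (review_queue if seen[(user, proc)] > repeat_ok else alerts).append(record)
    return alerts, review_queue
```

The queue is the place an analyst either extends the role baseline (a finance user who legitimately needs RDP) or escalates; either way the decision is made once instead of on every launch.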

Additionally, Sorokin writes, next-gen endpoint solutions include “ransomware prevention modules” that protect systems against ransomware threats, “but those modules need to be activated and properly managed. Organizations should consider bringing in experts to conduct an endpoint protection health check and verify that they’re well prepared to defend against ransomware threats.” 
