Given the complexity of today’s IT infrastructures, organizations need to design security programs that monitor and protect every part of the network. Too often, the breaches that make headlines happened on complex networks that lacked the visibility to detect the threat before it was too late.
A big part of that visibility revolves around what many consider the foundation of network architecture: the endpoints. These are the devices that carry the day-to-day business functions that allow organizations to succeed. That is why it is so important to monitor the full array of endpoints in your environment, so that you can detect threats as early as possible.
What is an Endpoint?
Before you can monitor endpoints effectively, you need a solid understanding of endpoint security technology. And to do that, you must first be able to answer a fundamental question: what is an endpoint?
It’s a simple question, but the answer varies depending on whom you ask. Some security tool vendors will tell you that an endpoint is a computer, a laptop or a desktop, running one of the most common operating systems in use today. Others will tell you the definition is much broader than a Windows or macOS machine. So why the discrepancy?
The disconnect can lie in accepting definitions solely from product vendors who are trying to sell a set of technology. For example, there are some vendors who offer endpoint agents that only work on a limited set of devices. These vendors are then faced with the choice of either admitting that their endpoint agent does not cover the full spectrum of what can be classified as an endpoint, or modifying their definition of “endpoint” to match their offerings.
For the purposes of this discussion, then, we will define “endpoint” by the words that make up the term: an endpoint is any device that sits at the end of a network connection and can communicate on that network. This is a much broader definition that covers far more than desktops and laptops, including servers, mobile devices, IoT technology, and more.
In short, an endpoint is anything on your network that can receive and transmit data.
Understanding this is crucial to planning a sound security strategy. Attackers have shown themselves capable of leveraging any device from the above list to breach an environment and execute malicious activity. If we limit what we consider an endpoint to just computers, then we risk missing essential visibility that can help an organization detect a potential incident. A successful approach to endpoint security is one that includes some form of visibility into any device that can transmit and receive data on your network.
Now that we have a working definition of an endpoint, we can dig into endpoint security itself. Endpoint security is an umbrella term for a family of technologies that take different approaches to monitoring and safeguarding these devices. Let us review a few of the more common endpoint security tools on the market today.
Antivirus/Next Generation Antivirus
Antivirus is the original technology in this space. Although there are varying claims as to who created the first widely available antivirus software, this technology has been available commercially since the late 1980s. Designed to scan and detect malicious software, or malware, that could infect computing devices, antivirus software marked a major step forward in protecting endpoints from malicious actors.
In its most basic form, antivirus software scans the host it is installed on and tries to identify known viruses. What happens once one is found depends on the product. Some versions simply alert that a virus has been detected and leave it to the user to remove the unwanted code; others can quarantine the code or remove it automatically.
Traditional antivirus is often seen as an outdated or legacy approach to protecting endpoints because of drawbacks in its design. It depends on a database of virus signatures, a catalogue of code that is “known bad”, which ships with the software and must be kept current on every host. If no signature exists for a piece of malware, or the local database is out of date, traditional antivirus will not detect it. Updating these signatures, or virus definitions, can be a burden for administrators, and the databases can grow quite large.
Modern antivirus has evolved considerably and solves some of these drawbacks. Many vendors now use the cloud so that the full set of virus definitions no longer has to be downloaded to every host: the agent computes a hash or other features of a file or process and looks them up against a cloud-hosted signature and reputation database. If the lookup returns a match, the agent interrupts the process and prevents further execution. This cloud-assisted generation is what is usually marketed as Next Generation Antivirus (NGAV). The trade-off is that a host that cannot reach the cloud service falls back to whatever local signatures it still carries.
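To make the signature dependence concrete, here is an added example (not code from the original article or from any antivirus vendor) of a toy scanner that holds two kinds of definitions, a whole-file SHA-256 and a byte pattern, and runs them over three constructed samples: the original “dropper”, the same bytes repacked with padding, and a rewrite that changes only the matched bytes. The sample contents, the family name and the pattern are all invented for illustration.

```python
"""Toy signature scanner in the style of legacy antivirus (added example).

Two signature types are modelled: a SHA-256 of the whole file (cheap, exact,
trivially evaded) and a byte pattern (survives repacking/padding but not a
rewrite of the matched bytes). The "malware" here is constructed text, not code.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class SignatureDb:
    """Vendor-style definitions: sha256 -> family, family -> byte pattern."""
    hashes: dict[str, str] = field(default_factory=dict)
    patterns: dict[str, bytes] = field(default_factory=dict)

    def add_hash(self, family: str, sample: bytes) -> None:
        self.hashes[hashlib.sha256(sample).hexdigest()] = family

    def add_pattern(self, family: str, pattern: bytes) -> None:
        self.patterns[family] = pattern


def scan(content: bytes, db: SignatureDb) -> list[str]:
    """Return the signatures that fire on `content`.

    An empty list means "unknown to this database", which legacy AV reports as clean.
    """
    hits = []
    family = db.hashes.get(hashlib.sha256(content).hexdigest())
    if family is not None:
        hits.append(f"hash:{family}")
    for family, pattern in db.patterns.items():
        if pattern in content:
            hits.append(f"pattern:{family}")
    return hits


# Constructed samples standing in for a dropper that launches an encoded PowerShell command.
ORIGINAL = (b"MZ\x90\x00 constructed-dropper "
            b"powershell.exe -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA")
# Variant 1: same code, repacked/padded. The hash changes, the byte pattern survives.
REPACKED = ORIGINAL + b"\x00" * 64
# Variant 2: same behaviour, but the author shortened the switch. Both signatures miss.
REWRITTEN = ORIGINAL.replace(b"-EncodedCommand ", b"-enc ")


def build_db() -> SignatureDb:
    """Definitions as they would look after the vendor has analysed ORIGINAL once."""
    db = SignatureDb()
    db.add_hash("Dropper.A", ORIGINAL)
    db.add_pattern("Dropper.A", b"powershell.exe -EncodedCommand ")
    return db


def demo() -> dict[str, list[str]]:
    """Scan each sample against current definitions, plus ORIGINAL against a never-updated DB."""
    db = build_db()
    stale_db = SignatureDb()   # definitions that were never downloaded to this host
    return {
        "original": scan(ORIGINAL, db),
        "repacked": scan(REPACKED, db),
        "rewritten": scan(REWRITTEN, db),
        "original_stale_db": scan(ORIGINAL, stale_db),
    }


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name:18s} -> {hits or 'clean (as far as the DB knows)'}")
```

The repacked variant shows why vendors moved beyond pure hashes to patterns; the rewritten variant and the stale database show why even patterns leave a window that only behavioural detection closes.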
Endpoint Detection and Response
One of the primary flaws of antivirus is its dependence on malware that is already defined as “known bad.” Previously unseen malware, including what is loosely called a zero day, goes undetected until a signature is developed and downloaded. Antivirus also offers little protection against a live attacker whose actions do not involve malware at all.
For example, what happens when a malicious actor gains remote access to an endpoint in your environment and starts running commands with the tools already present on the system? Since the attacker is not using malware, legacy antivirus will not raise an alert.
Endpoint detection and response, or EDR, was developed as a response to the drawbacks of legacy antivirus. Instead of running point-in-time scans as most antivirus was designed to do, EDR records critical activity that occurs on an endpoint to observe behaviors. Process executions, command line activity, running services, network connections, and file manipulation are just some of the activities that EDR tools are designed to record. Many EDR vendors also include a series of analytics that run across recorded actions to identify suspicious behaviors. The idea is that — although the signatures, names, and hashes of malware may change — the behavior of malicious software often remains the same.
The same can be said for many threat actors, whose actions can be detected when observing the behaviors occurring on the endpoint. This is where the “detection” part of EDR comes in. When a suspicious action occurs, the EDR agent installed on the endpoint will trigger an alert, letting the security professional know that something potentially malicious has been detected.
Additionally, EDR includes features that allow the security professional to take action once a detection has occurred on the endpoint. This is the “response” capability of EDR, and these features vary by vendor. Most EDR agents, however, can isolate the host from the rest of the network. If the host is infected with malware, isolation prevents the malware from propagating to other systems; if the endpoint is being remotely manipulated by a malicious user, isolation stops the threat actor from pivoting deeper into the network and limits their impact. Beyond isolation, some vendors offer more advanced responses such as terminating processes or stopping services. These actions should be approached cautiously, however: isolating a domain controller or a production database server, or killing a process that a critical application depends on, can cause more disruption than the threat itself, so response actions are best scoped and rehearsed before they are needed.
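The following is an added example, not code from the article or from any EDR product, of what the “analytics over recorded actions” look like in practice: a handful of behavioural rules run over constructed process telemetry. The events, hostnames, user and command lines are invented; the rules key on parent/child relationships and command-line content rather than on any file hash, which is why they also fire on the hands-on attacker from the previous section who never drops malware.

```python
"""Behavioural detection over recorded process telemetry (added example).

The events below are constructed to resemble what an EDR agent records:
who ran what, from which parent, with which command line. No malware is
involved; the detections key on behaviour, so they still fire for a hands-on
attacker using only tools that are already on the host.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    parent: str     # parent image name
    image: str      # process image name
    cmdline: str


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
ENCODED_PS = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)


def office_spawns_script_host(e: ProcessEvent) -> bool:
    """A macro or exploit inside a document launching a shell."""
    return e.parent.lower() in OFFICE_APPS and e.image.lower() in SCRIPT_HOSTS


def encoded_powershell(e: ProcessEvent) -> bool:
    """Base64-encoded PowerShell command line, a common obfuscation."""
    return e.image.lower() == "powershell.exe" and ENCODED_PS.search(e.cmdline) is not None


def local_account_created(e: ProcessEvent) -> bool:
    """`net user <name> <pass> /add`: persistence by a hands-on-keyboard attacker."""
    return (e.image.lower() in {"net.exe", "net1.exe"}
            and re.search(r"\buser\b.*\s/add\b", e.cmdline, re.I) is not None)


def shadow_copies_deleted(e: ProcessEvent) -> bool:
    """vssadmin wiping restore points: a typical ransomware preparation step."""
    return e.image.lower() == "vssadmin.exe" and "delete shadows" in e.cmdline.lower()


RULES = {
    "office_spawns_script_host": office_spawns_script_host,
    "encoded_powershell": encoded_powershell,
    "local_account_created": local_account_created,
    "shadow_copies_deleted": shadow_copies_deleted,
}


def detect(events: list[ProcessEvent]) -> list[tuple[str, ProcessEvent]]:
    """Run every rule over every recorded event; return (rule name, event) pairs."""
    return [(name, e) for e in events for name, rule in RULES.items() if rule(e)]


# Constructed telemetry: one benign launch, then a document-borne intrusion followed by
# hands-on activity that uses only tools already present on the host.
TELEMETRY = [
    ProcessEvent("ws-fin-01", "alice", "explorer.exe", "chrome.exe",
                 "chrome.exe --profile-directory=Default"),
    ProcessEvent("ws-fin-01", "alice", "winword.exe", "powershell.exe",
                 "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcA"),
    ProcessEvent("ws-fin-01", "alice", "powershell.exe", "net.exe",
                 "net user svc_backup Winter2024! /add"),
    ProcessEvent("ws-fin-01", "alice", "cmd.exe", "vssadmin.exe",
                 "vssadmin.exe delete shadows /all /quiet"),
]


def demo() -> list[str]:
    """Names of the rules that fired, in event order."""
    return [name for name, _ in detect(TELEMETRY)]


if __name__ == "__main__":
    for name, e in detect(TELEMETRY):
        print(f"[{name}] {e.host} {e.user}: {e.parent} -> {e.image} :: {e.cmdline}")
```

Note that the benign browser launch produces nothing, while the second event trips two rules at once. Real products add many more signals (network connections, file writes, registry changes) and correlate them per process tree, but the principle is the same: the behaviour, not the hash, is what gets matched.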
Endpoint Protection Platform
Although EDR drastically improves on the flaws of antivirus, it is not without some drawbacks of its own. One of the primary complaints related to EDR is its emphasis on detection of threats rather than prevention of threats. By design, EDR records the actions taking place on the endpoint and triggers an alert when suspicious activity is detected. Unfortunately, detection alone does not guarantee that the threat is mitigated.
Consider an environment that utilizes EDR but has limited security staff. This staff may be tasked with validating and responding to a high volume of alerts. This results in a delay between the time an alert is generated and the time an analyst responds to it. This is known as alert fatigue and can be hugely detrimental to an organization. There have been high-profile cases of organizations being breached only to find out that alerts were generated early in the attack. These detections were buried under a series of additional alerts and resulted in analysts not responding fast enough.
To combat this situation, Endpoint Protection Platforms (EPP) were developed to combine what were seen as the best aspects of EDR and antivirus. These platforms record actions occurring on the endpoint in the same fashion as EDR. The actions are then matched, in near real time, against a database of known suspicious behaviour sequences. When the sequence observed so far matches the beginning of a known malicious chain, the EPP agent intervenes and prevents the next step from executing. Consider an example. An EPP cloud database might contain an entry stating that Action A followed by Action B followed by Action C constitutes a threat. If the EPP agent on the endpoint has observed Action A and then Action B, and the process now attempts Action C, the agent blocks Action C because the sequence is classified as a threat.
Prevention is the key differentiator between EDR and EPP. Some EDR products can be configured with specific preventions, but EDR is primarily designed to record endpoint activity and detect potential threats. EPP takes the proactive approach of focusing on prevention, and often records only enough activity to decide whether an action should be allowed to execute. In this way EPP can stop a range of both malware and hands-on attacker actions. In practice many vendors now ship both capabilities in a single agent, so the distinction is increasingly about which features you enable and how you tune them rather than which product you buy.
Which Endpoint Tool is Right for You?
Determining which endpoint tool is right for your environment is often a difficult decision to make.
The needs and limitations of every organization are unique and should drive the choice of endpoint tool. Antivirus, whether legacy or the modern cloud-assisted form commonly marketed as Next Generation Antivirus (NGAV), is often seen as an outdated approach to securing endpoints, but that does not mean it has no place in some organizations. Smaller environments, or companies just beginning to build a security program, may find that antivirus is all they can afford at first. Although it lacks the capabilities of more advanced tools, it is still better than no protection on your endpoints.
EDR is an excellent choice for organizations that are well-staffed and capable of managing the alerts generated. The large amount of recorded activity also offers the additional benefit of a data set that your analysts can use for threat hunting exercises. Unfortunately, organizations with limited security staff may find EDR overwhelming. Alert fatigue can result in a false sense of security. Just because an alert was generated does not mean the problem was resolved. A detection that was not responded to is just as bad as no alert.
EPP on the other hand may be an excellent choice for an organization with a limited security staff that is looking to prevent threats. By automating the prevention of malicious activity, EPP takes some of the burden off your analysts.
This is not to say that EPP has no drawbacks. Its analytics are not guaranteed to prevent every threat, and every platform must strike a balance between blocking legitimate actions that merely look suspicious and letting threats run for fear of interrupting business activity. Many platforms let the customer tune this balance themselves. Some environments respond to false positives by relaxing the prevention settings, which means the occasional malicious process is allowed to execute.
Think of it this way: if a sprinkler system’s sensitivity is too high, it can be set off by a candle flame or cooking smoke, causing extensive water damage to your home. To avoid that, the sensitivity may be turned so low that a fire causes a great deal of damage before the sprinklers try to suppress it. This is the same balancing act many organizations face with their EPP.
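The Action A, Action B, Action C example from the EPP section and the sensitivity trade-off just described can be shown together in one added example (not code from the article or from any EPP vendor). The agent below is a hook consulted before each action runs: chain rules carry a confidence value, and an action is blocked only when the chain’s prefix has already been observed for that process and the rule’s confidence meets the configured threshold. The action names, rules, confidences, hostnames and process IDs are all invented for illustration; the same install-then-persist chain is deliberately shared by a benign IT script and a malicious one so that the threshold has something to get wrong.

```python
"""Inline chain-based prevention with a tunable threshold (added example).

An EPP agent is modelled as a hook consulted *before* each action executes.
Rules describe chains A -> B -> C. When A -> B has already been seen for a
process and C is now requested, C is blocked if the rule's confidence meets
the configured threshold; otherwise the agent only raises an alert and lets
the action run. All names and confidence values are invented.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ChainRule:
    name: str
    steps: tuple[str, ...]   # A, B, ..., the last step is the one prevented
    confidence: float        # vendor's estimate that this chain is malicious


RULES = [
    ChainRule("doc-macro-dropper", ("office_open", "spawn_shell", "download_exec"), 0.90),
    ChainRule("staged-ransomware", ("spawn_shell", "delete_shadows", "mass_encrypt"), 0.95),
    # Also what an administrator's install script looks like, hence the low confidence.
    ChainRule("scripted-installer", ("spawn_shell", "download_exec", "write_startup"), 0.50),
]


def _in_order(seen: list[str], prefix: tuple[str, ...]) -> bool:
    """True if every step of `prefix` appears in `seen` in that order (gaps allowed)."""
    it = iter(seen)
    return all(any(s == step for s in it) for step in prefix)


class EppAgent:
    def __init__(self, rules: list[ChainRule], block_threshold: float):
        self.rules = rules
        self.block_threshold = block_threshold
        self.history: dict[tuple[str, int], list[str]] = defaultdict(list)
        self.log: list[tuple[str, str, str, int, str]] = []   # (rule, verdict, host, pid, action)

    def request(self, host: str, pid: int, action: str) -> str:
        """Consulted before `action` executes for (host, pid). Returns 'allow' or 'block'."""
        seen = self.history[(host, pid)]
        decision = "allow"
        for rule in self.rules:
            *prefix, last = rule.steps
            if action == last and _in_order(seen, tuple(prefix)):
                verdict = "block" if rule.confidence >= self.block_threshold else "alert-only"
                self.log.append((rule.name, verdict, host, pid, action))
                if verdict == "block":
                    decision = "block"
        if decision == "allow":
            seen.append(action)        # only actions that actually ran become history
        return decision


def run_chain(agent: EppAgent, host: str, pid: int, actions: list[str]) -> str:
    """Feed one process's actions through the agent; stop at the first block."""
    for action in actions:
        if agent.request(host, pid, action) == "block":
            return "block"
    return "allow"


# Constructed activity: a malicious document, a benign IT installer, and ransomware staging.
SCENARIOS = {
    "macro_dropper": (101, ["office_open", "spawn_shell", "download_exec"]),
    "it_installer":  (202, ["spawn_shell", "download_exec", "write_startup"]),
    "ransomware":    (303, ["spawn_shell", "delete_shadows", "mass_encrypt"]),
}


def simulate(block_threshold: float) -> dict[str, str]:
    """Outcome of each scenario at a given prevention threshold."""
    agent = EppAgent(RULES, block_threshold)
    return {name: run_chain(agent, "ws-fin-01", pid, acts)
            for name, (pid, acts) in SCENARIOS.items()}


if __name__ == "__main__":
    for threshold in (0.40, 0.80, 0.97):
        print(f"threshold={threshold:.2f}: {simulate(threshold)}")
```

At a threshold of 0.40 the agent blocks the administrator’s installer along with both attacks (the sprinkler going off at a candle); at 0.97 it blocks nothing and both attacks run to completion; at 0.80 it gets all three right. The right value depends on how much business disruption the organization can absorb, which is exactly the tuning decision the text describes.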
Is Endpoint Security Enough?
Endpoint security is a critical part of any cybersecurity program, but on its own it is by no means enough. Every technology discussed here depends on an agent installed on the endpoint device itself. Without that agent, the platform cannot see what is happening on the device.
Now consider your environment and ask yourself a few questions. Are you confident that you know of every endpoint device on your network? Do you have full control over every endpoint? Can you successfully deploy an agent to every endpoint device that communicates on your network? Can you prevent unauthorized devices from using your network? For most organizations, the honest answer to at least one of these questions is “no.”
This is the reason endpoint security alone is not enough to ensure the safety of your organization. Attackers are skilled at identifying the weakest part of your environment. They will target the outdated, unpatched, forgotten systems that your company is unaware of. These are often the same systems that lack an endpoint agent, either because they are not on the security team’s radar or because the endpoint vendor does not support them. If you do not find additional ways to monitor and detect threats within your organization, you are at risk of missing a breach until it is too late.
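One concrete way to answer the questions above is to reconcile an independent view of the network against the endpoint console’s agent roster. The following is an added example (not code from the article or from any endpoint product) that does this on two constructed data sets: an inventory standing in for what DHCP leases, switch ARP tables or a vulnerability scanner know about, and an agent list standing in for a console export. Hostnames, addresses, platform labels and timestamps are all invented. It flags hosts with no agent, hosts whose agent has gone quiet, and agents reporting from hosts the inventory has never heard of, which is the sign that the inventory itself is incomplete.

```python
"""Reconciling a network inventory against the endpoint agent roster (added example).

Both data sets are constructed. The inventory stands in for what DHCP, ARP or a
scanner can see; the agent list stands in for the endpoint console's export.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class InventoryHost:
    hostname: str
    ip: str
    platform: str          # whatever the inventory source could fingerprint


@dataclass(frozen=True)
class AgentRecord:
    hostname: str
    last_seen: datetime    # last check-in with the console


def normalize(name: str) -> str:
    """Inventory and console rarely agree on case or domain suffix."""
    return name.strip().lower().split(".")[0]


def coverage_report(inventory: list[InventoryHost], agents: list[AgentRecord],
                    now: datetime, stale_after: timedelta = timedelta(days=3)) -> dict:
    """Split the inventory into covered / stale-agent / no-agent hosts, and list agents
    that the inventory does not know about."""
    by_name = {normalize(a.hostname): a for a in agents}
    known = {normalize(h.hostname) for h in inventory}
    covered, stale, missing = [], [], []
    for h in inventory:
        agent = by_name.get(normalize(h.hostname))
        if agent is None:
            missing.append(h)
        elif now - agent.last_seen > stale_after:
            stale.append(h)          # installed, but nobody would see an alert from it now
        else:
            covered.append(h)
    orphans = sorted(normalize(a.hostname) for a in agents if normalize(a.hostname) not in known)
    return {
        "covered": sorted(normalize(h.hostname) for h in covered),
        "stale_agent": sorted(normalize(h.hostname) for h in stale),
        "no_agent": sorted((normalize(h.hostname), h.platform) for h in missing),
        "agents_not_in_inventory": orphans,
        "coverage_pct": round(100 * len(covered) / len(inventory), 1) if inventory else 0.0,
    }


NOW = datetime(2024, 3, 1, 9, 0)

INVENTORY = [   # constructed
    InventoryHost("WS-FIN-01.corp.example", "10.1.20.11", "windows"),
    InventoryHost("ws-fin-02.corp.example", "10.1.20.12", "windows"),
    InventoryHost("srv-db-01.corp.example", "10.1.30.5", "linux"),
    InventoryHost("hr-laptop-07", "10.1.40.23", "macos"),
    InventoryHost("printer-lobby", "10.1.50.2", "embedded"),   # no agent exists for it
    InventoryHost("cam-door-03", "10.1.50.40", "iot"),         # no agent exists for it
]

AGENTS = [      # constructed
    AgentRecord("ws-fin-01", NOW - timedelta(hours=1)),
    AgentRecord("SRV-DB-01", NOW - timedelta(days=10)),         # silent for ten days
    AgentRecord("hr-laptop-07.corp.example", NOW - timedelta(hours=2)),
    AgentRecord("lab-vm-99", NOW - timedelta(minutes=5)),       # not in the inventory at all
]


def demo() -> dict:
    return coverage_report(INVENTORY, AGENTS, NOW)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two of the six inventoried devices are actually covered. The printer and the camera can never get an agent, the second workstation simply never got one, and the database server’s agent stopped checking in a week ago. Each of those is a blind spot that only another source of visibility (network telemetry, log collection, a scanner) can fill.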