The traditional antivirus, with signature-based analysis at its core, is still the mainstay of many organizations’ endpoint security, but this is at odds with the rapid evolution of cyberattacks.
How can endpoint detection and response (EDR) systems help enterprises meet the new challenges? How do present-day antivirus tools differ from their predecessors? And what are the prerequisites for building an effective security system that keeps intruders at bay? Let’s get to the bottom of this.
The main threats to endpoints
Executable files carrying malicious code used to dominate the threat landscape, and antivirus software can identify and stop such files in a snap. Today, however, malicious actors increasingly leverage legitimate tools already present on the system in their attacks (so-called “living off the land”), so new threat scenarios resemble the normal activities of users and processes and slip past classic signature-based defenses.
Enterprises are on the receiving end of phishing hoaxes, exploit-based incursions, mobile malware, and scripts that weaponize the functionality of legitimate operating system components. Insider threats and human error account for a good deal of security incidents, too.
The goal of the average cyber-attack is either to disrupt business processes or to steal information. In both cases, endpoints are in the crosshairs of malefactors, and therefore they must be properly secured.
It’s also worth considering that the ecosystem of an organization’s endpoints can be very heterogeneous. The approaches to protecting company-issued devices and those owned by users are different. For example, a ransomware attack against corporate computers can entail devastating consequences, whereas losing data on an employee’s device is a fairly trivial problem in the context of the organization overall.
Visibility into the processes that run on endpoints is another significant piece of the defense puzzle. Analyzing this telemetry with machine learning and other behavioral analytics allows security teams to identify new threats by what a process does rather than by what its file looks like.
When it comes to protecting endpoints that run Linux or macOS, there are quite a few malicious programs targeting these operating systems. In addition, phishing attacks aren’t as platform-specific as before, and many attacks arrive through browsers whose rendering engines may have cross-platform vulnerabilities.
Endpoint security solutions are currently booming. This “renaissance” stems from the erosion of the security perimeter, the diversity of software platforms, and the mass transition to remote work.
Endpoint security tools
To maximize protection in today’s complex threat environment, classic AV software should be complemented with EDR and tools that fend off advanced threats, such as exploits, malicious scripts, and zero-day vulnerabilities. Data loss prevention (DLP) systems, USB media control, and full-disk encryption are important for some workstations. However, stacking all of these products on one machine can noticeably degrade the performance of the average computer.
With that said, it is important to build a security strategy around the function of a specific endpoint in a company’s digital infrastructure rather than deploy a stack of products many of which are redundant. Protection methods for a remote employee’s laptop and a workstation in the office will be different. Regardless of the mechanisms, setting up automatic procedures to collect and analyze telemetry from all disparate nodes is crucial.
On the other hand, tailoring a workstation’s security to its environment sits uneasily with the Zero Trust philosophy, which treats every device and network location as untrusted by default. A workable compromise is to install a security agent on each endpoint that tracks user and process actions regardless of where the device happens to be.
Many enterprises face a dilemma: should they rely on an EDR product from a single vendor or use best-in-class solutions from different vendors? With a multi-vendor approach, there may be issues with interoperability between the different systems. Therefore, a reasonable tactic is to deploy a comprehensive product from one trusted provider and cover the missing features with separate solutions from other vendors.
Another challenge is obtaining curated detection content for the security monitoring tools in use. SIEM and EDR vendors normally deliver detection content as part of their solutions, but it is quite a daunting task for teams to keep their security tools continuously updated with the latest detection content for critical threats. For organizations with multi-vendor environments, obtaining cross-platform use cases from third-party detection content providers or content marketplaces, such as SOC Prime’s SaaS platform, can be a feasible way to close this gap.
Endpoint protection best practices
The technique called Moving Target Defense (MTD) is very promising. It boils down to constantly modifying the target system to make it unpredictable for a perpetrator and complicate the attack process. One way to implement MTD is to randomize where processes and their resources are placed in a device’s memory, extending the idea behind the address space layout randomization (ASLR) that modern operating systems already apply to individual programs.
Although this technology isn’t widely used so far, experts argue that it will eventually become an integral part of the EDR feature stack or even a default component of some operating systems. At this point, MTD solutions are mostly used by organizations that handle large amounts of sensitive data, such as customers’ personally identifiable information (PII) and financial records.
By confronting attackers with a protection layer that is hard to predict, an organization forces them to spend more effort and make more noise, which in turn makes them likelier to slip up. This approach facilitates attack detection and speeds up the response. Furthermore, if the resources required to orchestrate an attack outweigh the benefits, the attacker will simply choose another target.
Many business owners wonder why the problem of ransomware attacks is still making itself felt despite the growing sophistication of enterprise security tools. This issue has several facets. Although anti-ransomware techniques are constantly improving, the ever-increasing complexity of these attacks requires a comprehensive approach to security rather than a point-by-point use of specialized products.
Also, data encryption is only the final stage of such attacks. Security solutions must be able to catch the earlier stages, such as the theft of valuable information or the takeover of a domain, before the encryption payload ever runs. In part, this cybercrime economy exists because a lot of victims use ineffective protection mechanisms, and some don’t implement any defenses at all. Another apparent factor is that these attacks will continue as long as companies pay ransoms.
In essence, the ransomware plague parasitizes the unsatisfactory digital hygiene of some companies, which makes it relatively easy for attackers to gain access to a targeted infrastructure. It’s also worth noting that many ransomware raids involve phishing and other social engineering techniques that are problematic to combat with automatic tools.
A separate category of attacks involves the abuse of legitimate utilities. Such threats can be pinpointed by EDR systems that come with application control features, since EDR can spot activity that is abnormal for a specific application, for example an office document editor launching a scripting engine. Application allowlisting, that is, restricting a workstation to a list of approved processes and applications, can further reduce the likelihood of attacks that piggyback on legitimate software.
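The two controls above, process telemetry analyzed for abnormal behavior and an allowlist of approved applications, can be illustrated together. The following is an added example, not code from the original article or from any EDR vendor. It runs a hash-based allowlist check and a parent/child rule over a handful of constructed process-start events; the event fields, file paths, and the “known-good” hashes are all assumptions made for the illustration (the hashes are derived from placeholder strings so the example runs offline).

```python
"""Allowlist plus parent/child checks over constructed process-start events.

Added example, not code from the original article. Event fields, paths and
hashes are assumptions made for illustration.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    image: str          # full path of the executable that started
    sha256: str         # hash of the image as reported by the endpoint agent
    parent_image: str   # full path of the parent process
    cmdline: str


def placeholder_hash(label: str) -> str:
    """Stand-in for a real file hash so the example needs no binaries on disk."""
    return hashlib.sha256(label.encode()).hexdigest()


# Assumed allowlist: approved image path -> expected SHA-256 of that binary.
ALLOWLIST = {
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe": placeholder_hash("powershell-known-good"),
    r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE": placeholder_hash("winword-known-good"),
    r"C:\Windows\System32\svchost.exe": placeholder_hash("svchost-known-good"),
}

# Legitimate, allowlisted tools that attackers routinely abuse, and the
# Office parents that have no business launching them.
LOLBINS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe", "rundll32.exe"}
OFFICE_PARENTS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def evaluate(event: ProcessEvent) -> list[str]:
    """Return the list of findings for one event (empty if it looks normal)."""
    findings: list[str] = []
    expected = ALLOWLIST.get(event.image)
    if expected is None:
        findings.append(f"not-allowlisted: {event.image}")
    elif expected != event.sha256:
        # Trusted path, but the binary on disk is not the one that was approved.
        findings.append(f"hash-mismatch: {event.image}")
    child = basename(event.image).lower()
    parent = basename(event.parent_image).upper()
    if child in LOLBINS and parent in OFFICE_PARENTS:
        # The tool itself is allowlisted; the parent/child pairing is the anomaly.
        findings.append(f"lolbin-from-office: {parent} -> {child}")
    return findings


def scan(events: list[ProcessEvent]) -> dict[int, list[str]]:
    """Map pid -> findings for every event that produced at least one finding."""
    return {e.pid: f for e in events if (f := evaluate(e))}


# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    ProcessEvent(100, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 placeholder_hash("winword-known-good"), r"C:\Windows\explorer.exe", "WINWORD.EXE report.docx"),
    ProcessEvent(101, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 placeholder_hash("powershell-known-good"),
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "powershell.exe -nop -w hidden -enc ..."),
    ProcessEvent(102, r"C:\Users\alice\AppData\Local\Temp\update.exe",
                 placeholder_hash("unknown-binary"), r"C:\Windows\explorer.exe", "update.exe"),
    ProcessEvent(103, r"C:\Windows\System32\svchost.exe",
                 placeholder_hash("tampered-binary"), r"C:\Windows\System32\services.exe", "svchost.exe -k netsvcs"),
]


if __name__ == "__main__":
    for pid, findings in scan(SAMPLE_EVENTS).items():
        print(pid, findings)
```

Event 100 (Word started by the shell, correct hash) produces nothing; event 101 is an allowlisted PowerShell that is flagged purely because Word spawned it; event 102 is an unknown binary in a temp directory; event 103 shows why the allowlist keys on a hash and not only a path. In a real deployment the allowlist would be built from signed inventory data and the rule set would be far larger, but the split between “is this binary approved” and “is this behavior normal for it” is the point.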
Fighting for system resources
If you install multiple protection tools on an endpoint device to step up its security, the system performance can take a nosedive. EDR providers are bound to look for trade-offs between security and productivity. A fairly effective way to achieve acceptable performance is to separate threat management into stages: cheap local checks such as hash and reputation lookups run on every object, while expensive behavioral or sandbox analysis is reserved for the objects those checks cannot clear.
When trying to strike a balance here, each company must decide whether to install more security modules with relatively “lenient” policies or to reduce the number of tools in use while taking the route of Zero Trust.
How will the EDR market evolve?
Further enhancements of threat analysis techniques and the use of additional tools geared toward automatic cyber-attack detection and response are the main vectors of endpoint security development down the road.
The classic signature-based antivirus can already be superseded by a next-generation solution that leverages machine learning techniques. EDR systems will continue to evolve into what’s called extended detection and response (XDR), which underscores the importance and relevance of the data they receive from workstations.
An endpoint security tool is only one of the mechanisms that protect a present-day organization. It exists in an ecosystem of other technologies that will be consolidated in the future, phasing out narrowly focused solutions in favor of all-embracing agents.
As the endpoint is an increasingly valuable element of any digital infrastructure, major vendors will continue to invest in tools to protect it, and the market will keep growing. There is also a trend toward collective defense, in which devices automatically exchange security-related data with one another.
Meanwhile, some experts do not expect an explosive growth of new technologies in the near future. Instead, vendors will concentrate on improving the existing tools. This will result in a seamless integration of software agents with cloud, network, and on-premise systems, as well as improvements to these products’ user experience.
The “center of gravity” will probably shift from endpoints toward XDR and managed detection and response (MDR) systems. Resource-intensive computations will move to the cloud, and endpoint security will increasingly be consumed as a service. Although the “good old” antivirus has already reached its technological ceiling, it will most likely remain a part of the endpoint security equation.
Endpoints are critical elements of any digital infrastructure. Modern tools, such as XDR and MDR products, security information and event management (SIEM) systems, and data loss prevention (DLP) solutions definitely strengthen an organization’s security but may not address all the issues relating to workstations, many of which can be outside the security perimeter.
Implementing custom use cases easily convertible to multiple SIEM, EDR, or XDR formats can also significantly contribute to boosting the organization’s detection and response capabilities. Leveraging online translation engines, like Uncoder.IO, can help organizations save hours on developing threat detection content that can be applied across multiple solutions.
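To make the “write once, convert to several formats” idea concrete, here is an added example that is not Uncoder.IO’s code, nor any vendor’s. It takes one vendor-neutral rule written as a simplified Sigma-style dictionary (the same Office-spawns-PowerShell case discussed earlier) and renders it as a Splunk search and as an Elastic query-string query. The field names, log-source prefixes, and modifier handling are assumptions chosen for illustration; a production translator would carry far larger field maps and a full condition parser.

```python
"""Render one vendor-neutral detection rule into two query dialects.

Added example, not Uncoder.IO's code. The rule is a simplified Sigma-like
dict; backend field names and log-source prefixes are assumptions.
"""
from __future__ import annotations

# Constructed rule, in a Sigma-like shape: selection, an exclusion filter,
# and a boolean condition referring to them by name.
RULE = {
    "title": "Office application spawning PowerShell",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "ParentImage|endswith": ["\\WINWORD.EXE", "\\EXCEL.EXE"],
            "Image|endswith": "\\powershell.exe",
        },
        "filter": {"CommandLine|contains": "\\trusted-script\\"},
        "condition": "selection and not filter",
    },
}

# Assumed per-backend field names for the generic fields used above.
FIELD_MAP = {
    "splunk": {"ParentImage": "parent_process", "Image": "process", "CommandLine": "cmdline"},
    "elastic": {"ParentImage": "process.parent.executable", "Image": "process.executable",
                "CommandLine": "process.command_line"},
}

# Assumed per-backend scoping for the (category, product) pair, and how the
# scope joins to the condition (Splunk ANDs terms implicitly, Lucene does not).
LOGSOURCE = {
    "splunk": ('index=main sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1', " "),
    "elastic": ("event.category:process AND event.type:start", " AND "),
}


def render_term(field: str, value: str, modifier: str, backend: str) -> str:
    """One field/value comparison with the Sigma-style modifier applied."""
    escaped = value.replace("\\", "\\\\")  # both dialects escape a literal backslash this way
    patterns = {
        "equals": escaped,
        "startswith": escaped + "*",
        "endswith": "*" + escaped,
        "contains": "*" + escaped + "*",
    }
    if modifier not in patterns:
        raise ValueError(f"unsupported modifier: {modifier}")
    pattern = patterns[modifier]
    if backend == "splunk":
        return f'{field}="{pattern}"'
    if backend == "elastic":
        # Lucene wildcards only work outside quotes, so escape spaces instead.
        return f"{field}:{pattern.replace(' ', chr(92) + ' ')}"
    raise ValueError(f"unknown backend: {backend}")


def render_selection(selection: dict, backend: str) -> str:
    """AND together every field; a list of values for one field becomes an OR."""
    clauses = []
    for key, values in selection.items():
        field, _, modifier = key.partition("|")
        mapped = FIELD_MAP[backend][field]
        if not isinstance(values, list):
            values = [values]
        terms = [render_term(mapped, v, modifier or "equals", backend) for v in values]
        clauses.append("(" + " OR ".join(terms) + ")" if len(terms) > 1 else terms[0])
    return " AND ".join(clauses)


def render_condition(detection: dict, backend: str) -> str:
    """Substitute rendered selections into the condition; keeps and/or/not."""
    rendered = {name: "(" + render_selection(sel, backend) + ")"
                for name, sel in detection.items() if name != "condition"}
    out = []
    for token in detection["condition"].split():
        out.append(token.upper() if token in ("and", "or", "not") else rendered[token])
    return " ".join(out)


def render_rule(rule: dict, backend: str) -> str:
    prefix, joiner = LOGSOURCE[backend]
    return prefix + joiner + render_condition(rule["detection"], backend)


if __name__ == "__main__":
    for backend in ("splunk", "elastic"):
        print(f"# {backend}: {RULE['title']}")
        print(render_rule(RULE, backend))
```

The value of keeping the rule in a neutral form shows up when a field name or a log-source prefix changes on one backend: only the map changes, and every rule re-renders correctly. The design decision that matters most for correctness is escaping; a backslash in a Windows path has to come out as `\\` in both dialects, and Lucene additionally will not treat `*` as a wildcard inside a quoted phrase, which is why the Elastic branch leaves values unquoted.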
Vendors specializing in endpoint protection understand and accept the current challenges, moving away from the signature-based antivirus paradigm to more sophisticated solutions that cover multiple attack vectors at once, come with resource-friendly agents, and combat new threats efficiently. One of the biggest roadblocks along the way is to overcome stereotypes that cause some companies to underestimate the importance of endpoint security as such.