Defining endpoint security in a zero-trust world
Attackers strike at businesses with identity theft as their top goal
CISOs and CIOs told VentureBeat they’ve seen spikes in identity-driven attacks in the first three months of 2023.
Getting identity right is core to a robust zero-trust framework. It takes endpoint resilience, improved sensing and telemetry data analysis techniques, and faster innovation at protecting identities.
Control identities to control the company
Attackers capitalize on gaps in cloud infrastructure to find weak or unprotected endpoints, so it’s not surprising that there’s been a 95% increase in attacks on cloud infrastructure, with intrusion attempts involving cloud-conscious threat actors tripling year over year. From cybercriminal gangs to state-funded advanced persistent threat (APT) groups, attackers know that defeating just one endpoint opens up an organization’s infrastructure to credential, identity and data theft.
CrowdStrike’s 2023 Global Threat Report identified why identities are under siege. They’re among an organization’s most valuable assets, rich with personal data that commands a high price on the dark web. CrowdStrike’s Intelligence Team found a disturbing trend of attackers becoming access brokers, selling stolen identities bundled in bulk for high prices on the dark web.
Endpoint attacks spike early in 2023
The proliferation of cloud and endpoint attacks is making 2023 a more challenging year than many CISOs bargained — and budgeted — for. CISOs in the banking, financial services and insurance industries told VentureBeat, on condition of anonymity, that attacks on every type of endpoint have quadrupled in just four months. The data they can capture shows cloud infrastructure, Active Directory, ransomware, web application, vulnerability exploitation and distributed denial of service (DDoS) attacks spiking sharply in the last 120 days.
2023 is already a year more challenging than CISOs expected because of added pressure to consolidate tech stacks and keep budgets under control (or reduce them) while dealing with a spiking growth rate of attacks. CrowdStrike’s cofounder and CEO, George Kurtz, was prescient when he explained during his keynote at the company’s Fal.Con event in 2022 that “the reality is people are exploiting endpoints and workloads. And that’s really where the war is happening. So you have to start with the best endpoint detection on the planet. And then from there, it’s really about extending that beyond endpoint telemetry.”
CISOs told VentureBeat their consolidation plans for endpoint security and endpoint detection and response (EDR) are now cloud-based for the most part. Having endpoint security, EDR, and extended detection and response (XDR) based in the cloud solves several challenges related to their on-premises counterparts, the greatest being ongoing maintenance and patching costs. Leading vendors providing XDR platforms include CrowdStrike, Microsoft, Palo Alto Networks, TEHTRIS and Trend Micro.
Resilient and self-healing endpoints are table stakes
Defining endpoint security in a zero-trust world must start by recognizing how quickly endpoint protection platforms and identity management systems are converging. Every enterprise’s network endpoints have multiple digital identities, ranging from those assigned by the apps, platforms and internal systems accessed from the endpoint to the device’s own identity.
Cloud services are forcing the overlap of endpoint protection platforms and identity management. For example, Microsoft Azure’s App Service supports assigning several user-assigned identities to a specific application, which adds greater complexity to the range of identities supported by endpoints. The same holds for devices. Cisco’s Identity Services Engine (ISE) can define endpoint identity groups by their authorizations. These services reflect what’s happening in the market — identities are quickly becoming core to endpoints.
CISOs need better visibility into every identity an endpoint has. Zero-trust frameworks and a mindset of least-privileged access are needed. Those needs are driving the following in enterprises’ endpoint strategies today:
Continuously monitor and validate
Continuous monitoring and validation is central to getting zero-trust frameworks solid and scalable, and the telemetry data it produces is invaluable in identifying potential intrusion and breach attempts. The goal is to monitor, validate and track every endpoint’s real-time data transactions to help identify and respond to potential threats. Leading vendors providing this capability include Cisco (SecureX, Duo and Identity Services Engine), Microsoft (Azure Active Directory and Defender), CrowdStrike (Falcon platform), Okta (Identity Cloud) and Palo Alto Networks (Prisma Access), all of which offer continuous monitoring to enterprise customers today.
Harden endpoints
It’s common knowledge that attackers scan every potential open port and endpoint an enterprise has, hoping for just one to be either unprotected or misconfigured. Absolute Software’s 2021 Endpoint Risk Report found that over-configured endpoints are just as vulnerable as endpoints with no security in place. Absolute’s research found 11.7 security controls per device on average, with the majority of devices containing multiple controls for the same function.
Self-healing endpoints help reduce software agent sprawl by delivering greater resilience. By definition, a self-healing endpoint will shut itself down and validate its core components, starting with its OS. Next, the endpoint will perform patch versioning, then reset itself to an optimized configuration without human intervention.
Absolute Software, Akamai, Ivanti, Malwarebytes, Microsoft, SentinelOne, Tanium, Trend Micro and many others have endpoints that can autonomously self-heal. Absolute Software is noteworthy for providing an undeletable digital tether to every PC-based endpoint that continuously monitors and validates every endpoint’s real-time data requests and transactions.
Absolute’s Resilience platform is noteworthy for providing real-time visibility and control of any device, on a network or not, along with detailed asset management data. Absolute also invented and launched the industry’s first self-healing zero-trust platform designed to deliver asset management, device and application control, endpoint intelligence, incident reporting, resilience and compliance.
Automate patch management
Hardened, self-healing endpoints are becoming indispensable to IT, ITSM and security teams, who are all facing chronic time shortages today. “Endpoint management and self-healing capabilities allow IT teams to discover every device on their network, and then manage and secure each device using modern, best-practice techniques that ensure end users are productive and company resources are safe,” said Srinivas Mukkamala, chief product officer at Ivanti, during a recent interview with VentureBeat.
He continued, saying, “Automation and self-healing improve employee productivity, simplify device management and improve security posture by providing complete visibility into an organization’s entire asset estate and delivering automation across a broad range of devices.”
CISOs have said their teams are so overwhelmed with workloads focused on protecting employees, systems and, in manufacturing, entire factories, that there’s not enough time to get patch management done. Ivanti’s survey on patch management found that 71% of IT and security professionals felt patching was overly complex and time consuming, and 53% said that organizing and prioritizing critical vulnerabilities takes up most of their time.
Given how critical it is to get patch management right, taking a data-driven approach can help. Another innovation that several vendors are using to tackle this problem is artificial intelligence (AI) and machine learning (ML).
Ivanti’s Neurons platform relies on AI-based bots to seek out, identify and update all patches across endpoints that need to be updated. Ivanti’s Risk-Based Cloud Patch Management is noteworthy in how the platform integrates the company’s Vulnerability Risk Rating (VRR) to help security operations center (SOC) analysts take risk-prioritized action. Ivanti also provides service-level agreement (SLA) tracking with visibility into devices nearing their SLA deadline, enabling teams to take preemptive action.
Additional vendors offering automated patch management solutions include Broadcom, CrowdStrike, SentinelOne, McAfee, Sophos, Trend Micro, VMware Carbon Black and Cybereason.
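As an added illustration of the risk-prioritized, SLA-tracked patching described above (example code written for this page, not Ivanti’s code or its VRR algorithm): the risk tiers, SLA windows and sample findings below are constructed assumptions, and the queue puts breached deadlines first, then devices nearing their SLA, then everything else by risk.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed remediation windows (days) per risk tier; illustrative values only,
# not Ivanti's VRR thresholds or any vendor's defaults.
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}
NEAR_SLA_DAYS = 3  # a deadline this close is flagged for preemptive action

@dataclass
class Finding:
    device: str
    finding_id: str    # placeholder ids in the sample data, not real CVEs
    risk_score: float  # 0-10, hypothetical risk rating (stands in for a VRR)
    discovered: date

def tier(score: float) -> str:
    """Map a numeric risk score onto an SLA tier (constructed thresholds)."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    return "medium" if score >= 4.0 else "low"

def sla_status(f: Finding, today: date) -> dict:
    """Deadline and SLA state (breached / nearing / on_track) for one finding."""
    t = tier(f.risk_score)
    remaining = (f.discovered + timedelta(days=SLA_DAYS[t]) - today).days
    state = "breached" if remaining < 0 else "nearing" if remaining <= NEAR_SLA_DAYS else "on_track"
    return {"device": f.device, "finding_id": f.finding_id, "tier": t,
            "risk": f.risk_score, "days_remaining": remaining, "state": state}

def patch_queue(findings: list[Finding], today: date) -> list[dict]:
    """Work order: breaches first, then nearest deadlines, then highest risk."""
    rank = {"breached": 0, "nearing": 1, "on_track": 2}
    rows = [sla_status(f, today) for f in findings]
    return sorted(rows, key=lambda r: (rank[r["state"]], r["days_remaining"], -r["risk"]))

def devices_nearing_sla(findings: list[Finding], today: date) -> list[str]:
    """Devices a team should act on before their SLA actually lapses."""
    return [r["device"] for r in patch_queue(findings, today) if r["state"] == "nearing"]

# Constructed sample data: four findings as of an assumed report date.
SAMPLE_TODAY = date(2023, 3, 31)
SAMPLE_FINDINGS = [
    Finding("wks-017", "SAMPLE-0001", 9.4, date(2023, 3, 20)),    # critical, 7d: breached
    Finding("srv-db-02", "SAMPLE-0002", 7.8, date(2023, 3, 19)),  # high, 14d: nearing
    Finding("lap-104", "SAMPLE-0003", 5.1, date(2023, 3, 25)),    # medium, 30d: on track
    Finding("srv-web-01", "SAMPLE-0004", 9.9, date(2023, 3, 29)), # critical, 7d: on track
]

if __name__ == "__main__":
    for row in patch_queue(SAMPLE_FINDINGS, SAMPLE_TODAY):
        print(row)
```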
Kill lateral movement and reduce the attack surface
Having a breach mindset is key to getting stronger at zero trust. Assuming intrusion and breach attempts are inevitable is a strong motivator for IT and cybersecurity teams to sharpen their zero-trust security strategies, skills and knowledge. The goal is to make zero trust an integral part of an organization’s muscle memory.
The best way to accomplish that is by resolving to get zero-trust initiatives and strategies in shape. That includes getting microsegmentation — a crucial component of zero trust, as outlined in NIST’s zero-trust framework — in place. Microsegmentation divides networks into smaller, isolated segments, reducing a network’s attack surface and increasing the security of data and resources.
Certain microsegmentation vendors can also quickly identify and isolate suspicious activity on the networks they protect. Of the many microsegmentation providers today, the most innovative are Airgap, AlgoSec, ColorTokens, Illumio, Prisma Cloud and Zscaler Cloud Platform.
Of these, Airgap’s zero-trust isolation platform adopts a microsegmentation approach that treats each identity’s endpoint as a separate entity and enforces granular policies based on contextual information, effectively preventing lateral movement. Airgap’s architecture includes an autonomous policy network that scales microsegmentation policies network-wide immediately.
Endpoint security in a consolidation-first era
2023 is becoming a much more challenging year than CISOs and their teams expected. The spiking attacks and more advanced phishing and social engineering attempts created using ChatGPT are stressing already overworked IT and security teams. At the same time, CISOs are facing budget constraints and orders to consolidate their tech stacks. Against this background of tighter budgets and more breaches, becoming more resilient with endpoints is where many start.
“When we’re talking to organizations, what we’re hearing a lot of is: How can we continue to increase resiliency, increase the way we’re protecting ourselves, even in the face of potentially either lower headcount or tight budgets? And so it makes what we do around cyber-resiliency even more important,” said Christy Wyatt, president and CEO of Absolute Software, in a BNN Bloomberg interview.