Accepted wisdom is already shifting to the view that network security must go beyond setting up firewalls, antivirus protection, and perimeter defenses. With BYOD (Bring Your Own Device) and the rise of the mobile workforce, user devices such as laptops, mobile phones, USB storage drives and tablets are introducing new vulnerabilities and a proliferation of possible access points for malicious intruders.
Endpoint security is now in vogue – but approaches to it are also undergoing a transition.
Endpoint Security and Evolving Threats
To date, endpoint security strategies have focused on antivirus software and anti-spam measures, supplemented by host intrusion detection systems (HIDS) and/or host intrusion prevention systems (HIPS). These provide some hedge against conventional malware – but malicious code is evolving to keep pace, and these standard measures are proving ineffective against Advanced Persistent Threats (APTs) and the actors orchestrating them.
Cyber-attacks are now co-ordinated campaigns, which often begin with the establishment of access to an organization’s network or infrastructure via malware, a compromised endpoint, or other methods. Once gained, the attacker’s position may be used as a reconnaissance point for learning more about the make-up of a system and its most valuable assets – then as a staging point from which the attack can move more deeply into the targeted system.
Endpoints are particularly favoured by this new breed of cyber-criminal, as the attackers only need to gain access from a single point, in a network that might include a multitude of potential entry points.
An Impetus to Change
The recent high-profile (and high media profile) attacks on big brand names like Target, Sony and Home Depot brought home to many organizations the reality of the Advanced Persistent Threat environment that now exists – and the need to upgrade monitoring, protection, and incident response activities, to avoid the cost and potential embarrassment of falling victim to an assault.
A New Kind of Response
Though signature-based endpoint defences like traditional antivirus remain in wide use, these solutions impose a heavy load on the user in terms of software installations, constant updating, and stress on overworked processors. And their capacity to deal with today’s advanced threats is limited.
Many organizations now feel a need for endpoint security solutions which are lightweight, agile, and powerful enough to provide both detection and remediation capabilities. Ideally, they should be:
- Able to work with existing security software and measures, to identify activity that may indicate an attack.
- Able to exploit threat intelligence from global sources, to assist in identifying previously unknown threats. This should include real-time information from Cloud and network intelligence sources.
- Able to investigate and monitor all resources and devices that might be at risk, and to provide security personnel with proactive reporting during everyday operations.
- Equipped with tools to respond to an ongoing attack, including containment of the damage, validation of other resources on the network, and remedial actions to restore system integrity.
- Able to provide forensic evidence in the event of an attack, and to determine the spread and extent of any compromise or damage that occurred.
- Fully integrated, and able to be deployed at endpoints throughout the corporate network (on premises, and mobile/remote).
Agents and Monitors
So-called “next generation” endpoint security solutions analyse network connections, processes and changes in activity to spot behaviour that might indicate some form of infection or attack. The analysis may be very detailed, and for enterprises, the tools involved raise the question of how best this protection may be deployed.
On the one hand, next generation endpoint protection may ship as agent software – much as traditional antivirus packages do. And much like antivirus agents, the client packages require regular updating, licensing, and configuration. But they do provide a wealth of analytical information on the behaviour of endpoint devices and the network itself – data that, unless properly interpreted and reported on by a powerful analytics engine, could prove overwhelming in volume and too incoherent to yield actionable insights.
A smaller volume of data is typically provided by the other endpoint option, which involves tapping into switches and routers, and monitoring services, instrumentation, and infrastructure on a network. Analysis can surface issues such as devices attempting to create unauthorised or unsolicited connections, whether USB hardware has been connected to a system, which users are logged into the network, etc.
Whether an enterprise opts for in-place monitoring or installing agents will ultimately depend on the budget, staffing (as personnel are required to manage endpoint protection software, and make sense of the data it generates), working practices and business needs of the organization concerned.
With the analysis of endpoint security data so crucial to an effective deployment, some organizations are outsourcing this function to service providers, who may use third-party tools and sensors to gather data on a client’s network, and supplement these findings with information aggregated from threat intelligence sources and other commercial security consultants.
There have also been moves to develop endpoint agent software with analysis engines that include remediation tools to automatically block malicious activities, and issue alerts to security staff, when this occurs.
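The behavioural analysis described above (unsolicited outbound connections, USB hardware being attached, unexpected logins, suspicious process activity) and the alerting step can be illustrated with a small rule-based correlator. This is an added example, not code from any product mentioned on the page; the event format, the allow-list and all sample telemetry are constructed assumptions.

```python
"""Toy behavioural correlator over constructed endpoint telemetry (added example)."""
from collections import defaultdict

# Constructed sample events from three hypothetical hosts; fields are assumed.
EVENTS = [
    {"host": "ws-01", "type": "process", "proc": "winword.exe", "pid": 412},
    {"host": "ws-01", "type": "net", "pid": 412, "dst": "203.0.113.9", "port": 4444},
    {"host": "ws-01", "type": "usb", "class": "mass_storage", "vid": "0x0781"},
    {"host": "ws-02", "type": "net", "pid": 77, "dst": "192.0.2.10", "port": 443},
    {"host": "ws-02", "type": "login", "user": "svc_backup", "hour": 3},
    {"host": "ws-03", "type": "process", "proc": "cmd.exe", "pid": 900, "parent": "winword.exe"},
]

ALLOWED_DST = {"192.0.2.10"}          # hypothetical approved update / intel endpoints
DOCUMENT_APPS = {"winword.exe", "excel.exe", "acrord32.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
BUSINESS_HOURS = range(7, 20)         # 07:00-19:59 counts as normal login time


def analyse(events):
    """Return (host, rule, detail) alerts, in the order the events arrive."""
    alerts = []
    procs = defaultdict(dict)   # host -> pid -> process name, for attributing connections
    for e in events:
        h, t = e["host"], e["type"]
        if t == "process":
            procs[h][e["pid"]] = e["proc"]
            # A document viewer spawning a shell is a classic behavioural indicator.
            if e.get("parent") in DOCUMENT_APPS and e["proc"] in SHELLS:
                alerts.append((h, "shell-from-document", f"{e['parent']} -> {e['proc']}"))
        elif t == "net" and e["dst"] not in ALLOWED_DST:
            # Unsolicited outbound connection: attribute it to the owning process if seen.
            owner = procs[h].get(e["pid"], "unknown")
            alerts.append((h, "unapproved-outbound", f"{owner} -> {e['dst']}:{e['port']}"))
        elif t == "usb" and e["class"] == "mass_storage":
            alerts.append((h, "removable-media", e["vid"]))
        elif t == "login" and e["hour"] not in BUSINESS_HOURS:
            alerts.append((h, "off-hours-login", e["user"]))
    return alerts


if __name__ == "__main__":
    for host, rule, detail in analyse(EVENTS):
        print(f"ALERT {host}: {rule} ({detail})")
```

In a real deployment the allow-list and thresholds would come from the analytics engine and threat intelligence feeds the article describes, and the alert list would feed the containment and reporting steps rather than a print loop.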
A Growing Market
The past two years have each seen a doubling of the market for next generation endpoint security tools – a sector which is expected to grow at a compound annual growth rate (CAGR) of 67%, for the next five years. Startup companies have been responsible for most of this growth and have joined a sector that already includes endpoint security offerings from a number of established firms.
A Gradual Uptake
There’s still some resistance to the trend, with organizations preferring to hold onto their existing set-ups of firewalls, signature-based antivirus and anti-malware suites, and HIPS. But the evolving state of endpoint security technology and moves being suggested by standards organizations and regulatory authorities may see a greater shift toward the next generation platforms.
A Drive Toward Certification
Compliance regimes such as the Payment Card Industry Data Security Standard (PCI DSS) have also had an effect on the state of the security software market to date. PCI DSS, for instance, requires retail outlets and any other organization that processes customer credit card transactions to have antivirus software installed on any system that might become a target for malware.
But developments in the next generation endpoint security sector have seen packages emerging that meet compliance standards and are likely to result in certain endpoint products gaining the legal status of an antivirus. This naturally will assist the growth of the next generation market.
In addition, enterprises may be more at liberty to adopt a hybrid approach, mixing cheap lightweight or free antivirus solutions with dedicated endpoint security tools from the next generation.