How to Implement an Effective Endpoint Security Strategy
With today’s advance threats that effectively target organizations end users’ endpoints, it is no longer sufficient to simply have an endpoint protection solution. So why do so many organizations still rely on just an anti-malware, next-gen anti-virus, or endpoint detection & response (EDR), when it’s been shown that savvy adversaries have devised ways to evade or even disable drivers that render these protective tools ineffective?
Defense-in-Depth is an effective cybersecurity strategy that ensures organizations have multiple security measures in place to protect the organizations assets. For example, it is common practice to have an organizational network perimeter firewall to keep the adversaries out, while also implementing localized web application firewalls to protect the host applications. Similarly, to protect end users’ identities, multi-factor authentication (MFA) and user behavior analytics (UBA) have been shown to dramatically reduce the threat vector of identity-based attacks.
It is estimated that as many as 70% of successful data breaches originate at endpoint devices. Furthermore, a vast majority of breaches (74%) include the human element where error, privilege misuse or use of stolen credentials have resulted in a data breach. The correlation between endpoint devices and the human element – the end users who log in and use these devices – should therefore be viewed as a critical “protect surface” that when adequately protected can dramatically reduce cybersecurity risk.
In addition to protecting the endpoint devices with technologies like EDR, it is equally important to protect against the risk of elevated privileges or privileged access posed by adversaries against end users and credentials on the endpoints. As previously stated, adversaries exploit these privilege accounts to bypass endpoint protections. A common attack tactic used by adversaries is privilege escalation, not only to gain control of the endpoint but also to attempt to move laterally across the network in search of higher value targets.
How to Implement an Effective Endpoint Security Strategy
By now it should be evident that a “Defense-in-Depth” strategy should a be a part of your organization’s endpoint security strategy. It goes without saying that adversaries will continue to find novel and innovative ways to target this critical protect surface of the endpoint. So, what else should be part of the security strategy?
“Harden the Terrain”
It is a good cybersecurity practice to shrink the attack surface so that if and when the attackers compromise your system, the damage can be limited, if not completely neutralized. How do you harden the terrain to improve endpoint security?
- Harden the Endpoints: Good cyber-hygiene practice should include regular vulnerability and patch management. It is essential that the organization regularly installs security patches that come from vendors, especially those deemed critical and known exploitable. CISA regularly updates the list of Known Exploited Vulnerabilities which is a good resource that can help your organization prioritize its resources. Endpoint configuration management to ensure that settings are continuously monitors and policies continuously applied is also fundamental cyber-hygiene.
- Enforce Principle of Least Privilege: Assume breach is a mindset that can help organizations think like an attacker which can result in a more effective cyber defense posture for the enterprise. Part of improving the defensive posture is to remove users’ standing administrative privileges on endpoint and to grant just-enough privileges, governed with policies and only when needed. This principle of least privilege can effectively stop attackers in their tracks since their attack techniques are rendered ineffective without proper elevated privileges on the endpoint. Furthermore, this principle can prevent the tampering of critical components used by other endpoint protection tools.
- Implement Zero Trust on Endpoints: Zero Trust is shown to be another effective strategy in reducing cybersecurity risk for the organization. Zero Trust is a security model that’s rooted on the principle of “Never trust, always verify”. It’s a paradigm shift from perimeter-based security whereby IT uses tools like firewalls and IDS/IPS to keep bad actors out, to a mindset of “assume breach” where IT operates with the notion that bad actors are already (or will soon be) in the network. For endpoints, establishing Zero Trust policies that allow only trusted applications to execute – a technique often referred to as Application Control – prevents rogue or untrusted applications from doing harm. Organizations can prevent malicious applications such as Ransomware from encrypting or exfiltrating files on endpoints.
- Monitor Continuously with Advanced Analytics: The adversaries don’t rest, nor should we. By using advanced analytics and real-time detection of endpoint and identity-based threats, the organization can mitigate a cyber-attack. Mean time to identify, detect and respond can be dramatically improved with techniques like behavioral analytics, AI/ML and automation.
By following these widely accepted cybersecurity strategies of “Defense-in-Depth” and “Hardening the Terrain”, the organization can be well underway in securing the critical protect surface of the endpoint. By Hardening the Endpoint and following the Principles of Least Privilege, Zero Trust and Continuous Monitoring, security is further enhanced to protect the more important nexus of endpoints and users.