Evolving threats require smarter, more automated endpoint security solutions.
Employees today are increasingly likely to work from outside the office, employing a variety of endpoint devices including desktop computers, laptops, tablets and smartphones to complete business tasks. Various surveys indicate that the average U.S. employee uses at least three devices per day for work activities. For all their productivity and collaboration benefits, however, these devices also create multiple avenues for introducing viruses, worms and other malware into an organization.
According to the Ponemon Institute’s 2017 State of Endpoint Security Risk Report, organizations of all shapes and sizes reported they are struggling to manage and secure the ever-increasing number of endpoint devices being used in the workplace. Seventy percent of those surveyed said the risk is increasing because traditional antivirus solutions do not address emerging threats such as fileless malware, PowerShell attacks and destructive ransomware.
According to the study, 50 percent of businesses with antivirus tools in place were compromised in 2017, with these attacks costing an average of $301 per employee. Traditional endpoint security measures aren’t just ineffective, they are difficult and costly to manage. The study found that more than half of all endpoint security alerts are false positives, resulting in companies wasting an average of 425 hours a week investigating alerts at an average annual cost of $1.37 million.
Fileless malware attacks are particularly troublesome for antivirus software. Also known as zero-footprint attacks, these types of attacks don't actually install malware on a device. Instead, they use tiny but malicious PowerShell scripts that are stored in memory or in the system registry. They perform reconnaissance, collect sensitive information, and then disappear without a trace when the infected computer is rebooted. According to the Ponemon report, 77 percent of attacks in 2017 were fileless attacks, which are 10 times more likely to succeed than file-based attacks.
The rise of threats that leave few clues is one reason why Gartner expects organizations to begin shifting their security spending. The firm’s analysts expect organizations to focus more on detection and response rather than prevention-only approaches.
For most organizations, this approach represents a significant change from the strategies they’ve been using for decades. It is meant to address the reality that, even with the best defenses, breaches have become almost inevitable. Organizations must learn to quickly identify an intrusion once it happens, understand exactly what steps must be taken to minimize the damage, and then begin the process of identifying the source of the attack.
“The shift to detection and response approaches spans people, process and technology elements and will drive a majority of security market growth over the next five years,” said Sid Deshpande, principal research analyst at Gartner. “While this does not mean that prevention is unimportant or that chief information security officers are giving up on preventing security incidents, it sends a clear message that prevention is futile unless it is tied into a detection and response capability.”
Advanced endpoint detection and response (EDR) solutions featuring automation and predictive technologies provide stronger defense against today’s threats. EDR tools use software agents to monitor all endpoints, as well as any cloud apps they’re connecting to, the authentication systems that gave them access, the firewalls that allowed the connections, and the local domain. All that data is recorded in a central database for further analysis, investigation, reporting and alerting.
Analytic engines powered by machine learning (ML) facilitate fast evaluation of that data and early detection of fileless malware and other subtle threats that lack the usual artifacts of an infection. Unlike traditional signature-based tools that rely on known virus definitions, ML-based tools “learn” what malicious files look like based on a variety of traits. This enables them to find zero-footprint malware with far greater speed and accuracy.
The real work begins once a threat has been identified. Then organizations must remove all malicious artifacts, identify what data has been affected, reimage affected devices, change passwords, lock credentials and more.
After the Fact
Remediation begins with proper preparation and planning so that key personnel know the procedures they should follow when a breach occurs. The plan should define what constitutes an “incident,” which might include data exfiltration, unauthorized access, malware infection, a denial of service attack and other security-related events. Incidents should be categorized based upon the type of data involved, the type of perpetrator responsible, the scope of the event, and any legal or regulatory compliance requirements involved.
Once a potential incident has been identified, the response team will likely need to conduct an investigation in order to understand what type of event they are dealing with. The initial investigation should be conducted as rapidly as possible and involve digital forensic experts at an early stage. Forensic experts can analyze systems in a way that preserves evidence.
Only then can the IT team work to contain and eradicate the problem and recover systems, applications and data. As a final step, the response team should assess the incident and how it was addressed, and look for ways to improve the process.
The rise of mobile and cloud computing has contributed to an exponential increase in the number of devices being used to conduct business. Organizations must take steps to secure those devices, but traditional signature-based antivirus tools are no match for an emerging class of stealth threats. With their ability to rapidly examine endpoint data to identify malicious patterns, analytics-driven EDR solutions are becoming essential to endpoint security.