Organizations are Failing to Take Basic Precautions That Could Keep Attackers Out...
If you were a robber, which house would you break into: the one with the chain-link fence and security cameras, or the one without? This should be a no-brainer. But the message doesn’t seem to translate to the digital world. Historically, CIOs/CISOs have had to trade off security against productivity ‒ the more they lock down employees, the less flexible they are in terms of empowerment. But it’s time to consider the absolute necessity of empowerment, and the concomitant need for security.
We need to acknowledge that mobility is a basic business necessity of our day and age. Employees can no longer be chained to their desktops. Of course, this increases the risk of unauthorized access or attacks, but forward-looking organizations such as Google view the network perimeter as indefensible anyway, and focus their energy on securing applications in the cloud, and on securing the endpoint and its access to the application. With that model, every internal application is basically available over the Internet, and can be accessed from a secure device whose posture, user identity and access they can control. In other words, the perimeter-based security model that has failed us so often over the years is finally thrown out, to be replaced with a requirement for robust endpoint security ‒ only.
While flexibility offers countless benefits for corporations and their employees, this new emphasis on mobility has also introduced a new set of risks, and this in turn re-ignites a focus on endpoint security.
Mobility increases risk by giving attackers the ability to access a device (physically, or electronically) in a malicious environment under an attacker’s control. Data on a device outside the enterprise perimeter might be lost. Our threat model must also include physical access to the device by the attacker. In the “evil maid” attack, for example, a device in a hotel room is accessed by an “evil maid” who inserts a USB key with malware. Additionally a device that uses a hostile network could be subjected to a range of attacks, including worms and device driver attacks.
But the change in endpoint risk has been fueled by rapid evolution of our consumption of electronic content, our remote access of malicious sites, and our need to access untrusted content (files, documents, executables) delivered through “Internet-facing” applications. New classes of attacks have arisen quickly. Malvertisements are shaking the core of the free Internet’s business model. Ransomware is taking advantage of desperate users who want access to their files. Most organizations are being hit with attacks that are targeted and crafted to bypass their perimeter and network security, and their legacy AV stacks.
This comes at a time when many organizations are still failing to take basic precautions that could keep attackers out. The SANS Institute has found that about 80 percent of attacks could be prevented with some of the most simple and common practices, such as updating and patching software in a timely manner, setting secure configurations and having tight control over user access and administrative privileges.
After years of little innovation, focus is finally returning to security on the endpoint: 71 percent think managing endpoint risk has become exceptionally difficult in the last two years, according to Ponemon Institute’s 2015 State of the Endpoint Report. With more devices and entry points to account for ‒ not to mention malware ‒ companies are finding it hard to keep up. They sweat over the data breach headlines but then blindly put their faith in traditional security products like AV that aren’t effective. In response they reach for endpoint detection and response (EDR) products, which can’t protect the endpoint but offer a Splunk-like ability to search for signs of an attack, provided you have an Indicator of Compromise. Ultimately both tool sets are needed ‒ to search for an unseen breach in progress, and later to protect the endpoint from either lateral movement of an attacker internally, or attacks from untrusted environments and vulnerable applications.
So, how should CIOs/CISOs manage these risks? While there are no silver bullets, the strategy that is working best for the organizations I speak to is a proactive stance: A new generation of endpoint security suite providers has emerged, and there is a clear need to identify which of the offerings can both detect breaches and secure your endpoints, while allowing you to empower your users. It is imperative that you begin to re-evaluate the endpoint, and to move beyond legacy endpoint protection platforms that simply cannot protect the endpoint or detect rapidly evolving attacks.
I am a proponent of isolation and segregation. I recommend to all enterprises that they never trust their PCs ‒ even the ones on their network. Treat every device as though it is attached to a hotel network. Assume that the user will click on anything. The only way to do this is to isolate the enterprise infrastructure as granularly as possible, segregate the network, and move from a model of “block the known bad” to “isolate but execute everything” to both secure the environment and empower the user. Just as a burglar won’t bother to break a window if it has bars on it, cybercriminals will move on to an easier target if there are enough roadblocks in their path. The economics, which I see as a multiple of time, cost and effort, are fundamentally the same.
As endpoint threats continue to grow, the organizations that approach risks with a proactive mindset will be less likely to be left exposed — and become the next data breach headline.