Looking Beyond the Endpoint: It’s Time to Quit Spending on Ineffective Security Solutions
Updated: Feb 28, 2019
Until a few years ago, it was still possible to imagine a computer network that looked like a fortress. The earliest local area networks were physically isolated, with users and their terminals or PCs confined to a single building or to neighboring structures on a business campus and directly linked by cables. As connectivity grew, security firewalls were installed to shield systems and information from unauthorized access and external threats. These were essentially IP routers that examined traffic on a packet-by-packet basis, discarding or rejecting those deemed risky. Conceptually speaking, firewalls were built upon the premise that there existed a single point between these networks and the “outside world” through which all traffic must pass, and that it was possible to log and authenticate all of this traffic. By securing the gateway, the thinking went, administrators would be able to keep their networks safe.
Today’s business networks more closely resemble constellations than citadels. With the rise of cloud-based computing and mobile device use, network borders are increasingly polymorphous and permeable. From smart lightbulbs to tablets, more and more devices that were not traditionally part of corporate networks are now connecting to them, and more and more of the devices that were traditionally part of the network are connecting by way of other networks, such as home routers or Wi-Fi access in a coffee shop. For a majority of industry experts, the concept that networks have clearly-defined perimeters no longer makes sense.
What is Endpoint Security?
Endpoint security can be thought of as an effort to adapt yesterday’s “network as a fortress” concept for today’s distributed and complex systems. It attempts to protect networks at their ever-changing boundaries by individually securing each of the various devices that connect to them—whether these are laptop or desktop computers, smartphones, tablets, printers, or IoT “smart” appliances.
Endpoint security solutions are in widespread use today, with global businesses spending more than $10 billion on them each year. According to the 2018 Thales Data Threat report, organizations both within the U.S. and across the globe plan to spend more on endpoint protection than on any other category of security tool in 2018. Despite these investments, endpoint security solutions were ranked dead last in terms of effectiveness in the same research report. Not only are attacks on endpoints more numerous and sophisticated than ever before, but they are also more successful. In other words, businesses are currently spending the most on the least effective available network security solution.
How have Endpoint Solutions Evolved?
The first endpoint security products were signature-based detection programs. Housed on the device it protects or on a network server to which that device is connected, a signature-based detection program routinely scans all files run on a device or saved to that device’s hard drive for any whose hash values—fixed-length numerical fingerprints computed from a file’s contents—match the hash values associated with known malware.
But attackers quickly developed simple strategies for evading basic signature-based detection programs. Such programs are inherently reactive by design. Because signature-based detection relies upon comparing files to those known to be malicious, each new form of malware must be identified, catalogued and added to a central database of threats before the software can defend against it. Someone, somewhere, must become its victim before it will be recognized. Built into the design, therefore, is the guarantee that cybercriminals will always be one step ahead of defenders.
And because legacy signature-based endpoint protection is reactive, there is always a time lag between the detection of a new malware strain and the arrival of updated anti-malware files at the endpoint. Additional time is lost before the anti-malware detects the intrusion: in a 2014 Damballa study, the four most frequently-deployed antivirus products missed nearly 70% of malware in the first hour after the malicious files’ arrival, and took a full six months to identify all threats. Yet the amount of time that elapses between infection and detection is directly correlated with the severity of the damage a virus can cause, and this, in turn, is directly correlated with the costs of its repair and containment.
The threat landscape is constantly changing. To evade signature-based detection, newer malware is programmed so that its underlying code continually transforms itself: not enough to alter its function, but enough to ensure that its hash value will no longer match a known malware signature. Today’s anti-malware products employ heuristics to combat such threats. Heuristic solutions look for and guard against abnormal patterns of system behavior, such as massive data exportation or opening all .EXE files on the system. But heuristics are by definition imperfect; particularly troubling to administrators are the large numbers of false positives they are apt to generate.
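To make the two preceding points concrete, here is an added example (not code from the original post or from Netswitch) showing the hash lookup a signature-based scanner performs, how appending a single byte to the same file defeats that lookup, and the two behavioural heuristics named above (mass .EXE access, bulk data export) applied to constructed process telemetry; the sample bytes, the event tuple format, the thresholds and the PIDs are all assumptions made for the illustration.

```python
import hashlib
from collections import Counter

# Constructed stand-in for a known malware sample and the hash database a
# signature-based scanner would consult (assumption: SHA-256 signatures).
KNOWN_MALWARE = b"MZ\x90\x00" + b"constructed-malicious-payload" * 4
SIGNATURE_DB = {hashlib.sha256(KNOWN_MALWARE).hexdigest()}

# Polymorphic variant: identical behaviour, one junk byte appended to the file.
VARIANT = KNOWN_MALWARE + b"\x00"


def signature_match(file_bytes: bytes, db=SIGNATURE_DB) -> bool:
    """Classic signature check: does the file's hash appear in the database?"""
    return hashlib.sha256(file_bytes).hexdigest() in db


def heuristic_flags(events, exe_threshold=20, egress_threshold=500_000_000):
    """Behavioural rules from the text: mass .EXE access or bulk data egress.

    events: iterable of (pid, action, target, size_bytes) tuples (a constructed
    format; a real product would consume its own sensor telemetry).
    Returns {pid: reason} for every process that trips a rule.
    """
    exe_opens, egress = Counter(), Counter()
    for pid, action, target, size in events:
        if action == "open" and target.lower().endswith(".exe"):
            exe_opens[pid] += 1
        elif action == "net_send":
            egress[pid] += size
    flagged = {pid: "mass .exe access"
               for pid, n in exe_opens.items() if n >= exe_threshold}
    flagged.update({pid: "bulk data egress"
                    for pid, b in egress.items() if b >= egress_threshold})
    return flagged


# Constructed telemetry (RFC 5737 documentation addresses, fictitious PIDs).
SAMPLE_EVENTS = (
    [(1001, "open", f"C:\\Program Files\\app{i}\\app.exe", 0) for i in range(25)]
    + [(2002, "net_send", "203.0.113.7:443", 300_000_000)] * 2
    + [(3003, "open", "C:\\Users\\alice\\report.docx", 0),
       (3003, "net_send", "198.51.100.9:443", 2_048)]
    + [(4004, "net_send", "192.0.2.10:443", 900_000_000)]  # nightly backup job
)

if __name__ == "__main__":
    print("original matches signature:", signature_match(KNOWN_MALWARE))  # True
    print("variant matches signature: ", signature_match(VARIANT))        # False
    # PID 4004 is a legitimate backup job: the kind of false positive the text warns about.
    print("heuristic flags:", heuristic_flags(SAMPLE_EVENTS))
```

Raising `egress_threshold` silences the backup job's false positive but would also let a slower exfiltration through, which is the tuning trade-off behind the false-positive complaint above.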
Why Do Organizations Continue to Invest in Endpoint-based Solutions?
Endpoint security software is fairly easy to implement and understand. Signature-based antivirus programs were among the first to be marketed directly to consumers, and they’ve become widely familiar. Many users find the system scans this software performs, along with the alerts and notifications it routinely generates, to be comforting. They view the presence of endpoint protection as reassuring evidence that their devices are secure in the face of all external threats.
Unfortunately, the scope of cybercrime today is such that prevention cannot be 100% reliable. Although newer tools offer “advanced” threat detection and prevention built on network behavior-based policies, machine learning or big data-driven predictive analytics, no endpoint-based solution can guarantee that it will stop all attacks.
You Need An End-to-End Approach
To protect themselves from today’s cyberattacks, which continue to grow in prevalence and sophistication, businesses must invest in comprehensive security solutions that protect all facets and components of their networks, not just the endpoints. Stakeholders—in IT departments as well as the C-suite—are becoming increasingly aware that resources must be invested in early detection and response as well as prevention. A layered approach, including behavioral analytics capable of detecting and containing intrusions before a full-scale data breach occurs, is the only truly effective one. The strongest protection also includes active surveillance: securing your network is not a “set it and forget it” affair.
The best of the endpoint solutions available today offer more than a simple defense against malware. They play the role of a sentinel or informant rather than a security guard. In addition to providing a first line of defense against malware, they capture detailed data on processes running on endpoint devices and issue near-real-time alerts when behavioral anomalies or policy violations are detected. They integrate with an overarching security information and event management (SIEM) platform to ensure that suspicious activities can be detected rapidly, even in highly complex environments.
To keep your endpoints safe in today’s threat environment, you need more than a simple stand-alone software product. Comprehensive network security demands constant vigilance. Both machines—advanced analytic tools and monitoring systems—and humans—seasoned information security professionals—should be monitoring your network.
Who’s watching over your endpoints right now? Netswitch offers cutting-edge enterprise-level cybersecurity solutions, including ongoing support and monitoring provided at a dedicated Security Operations Control Center on a 24x7x365 basis. Our team of experts is standing by, with a 15-minute response time included in every SLA. Contact us to bolster your endpoint security today.