Greg Wyman, Bufferzone Security, tells us endpoint protection is critical to the cyberdefense strategy of all organizations in the APAC region. He argues: “Reducing the attack surface at the endpoint delivers a very powerful and compelling solution to all sizes of organizations.”
The least exciting and often ‘boring’ element of a cybersecurity strategy is endpoint protection. Who cares about yet another AV, NGAV (next-generation anti-virus), EDR (endpoint detection and response) or MDR (managed detection and response) product?
Let’s spend a minute or two on how endpoint protection has evolved, because it is now critical to every organization.
Detection-based AV
For years, anti-virus was the foundation of endpoint security. The model was simple: a virus was discovered in the wild, and the AV vendors rushed out a signature that stopped that specific sample from infecting their customers.
With the explosion of malware (by some industry estimates over 230,000 new samples a day) and the ability of malware to re-morph within seconds of release, writing a definition for every variant became ineffective, and the industry evolved to NGAV.
Polymorphic malware – next gen anti-virus (NGAV)
This was arguably one of the biggest advances in endpoint protection. NGAV products moved beyond detection to prevention: rather than matching a file against a list of known samples, they use statistical and machine-learning models, trained on known-good and known-bad files, to score how ‘virus-like’ a file looks.
If enough of a file looked virus-like (the author puts the threshold at roughly 20%), the file was blocked automatically before it could run, moving the goal posts from detection to prediction.
This strategy has proved exceptionally successful, and NGAV products are now typically very cost-effective and central to a cyber-defence strategy.
Metamorphic malware – the ‘undetectable’ malware
The latest evolution of malware changes the rules again, unfortunately in favour of the malware writers. Polymorphic malware re-encrypts its body under a fresh key on every copy, but the decryptor in front of that body and the overall structure stay recognisable, which is why an NGAV model can still flag it even though roughly 20% of the file differs from one copy to the next.
Metamorphic malware rewrites its own code instead: equivalent instructions are swapped in, code is reordered and junk is inserted, so that two copies can differ in over 80% of their bytes and share little beyond what the code actually does. That makes it almost impossible to detect, predict and defend against by looking at the file alone.
The difference is easy to visualise. NGAV products were excellent at spotting a ‘leopard changing its spots’, but now the leopard turns into a lion, and a defence that is only looking for leopards finds it very, very hard to detect or predict.
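To make the three stages concrete, here is a constructed toy, added for this edit and not taken from the original article or from Bufferzone, in which the ‘malware’ is a placeholder string and the ‘decoder stub’ is an invented token language rather than machine code. A hash signature catches only the exact sample it was written for; a generic rule for the polymorphic engine’s fixed decoder catches every re-keyed copy, the way an NGAV model keys on structure; once the decoder itself is rewritten (equivalent operation, alternative spelling, junk instructions) that rule fails too, and only running the sample in isolation and inspecting what it produces still works, which is the argument the containment section below makes.

```python
"""Toy model of signature, heuristic and detonation-based detection against
polymorphic and metamorphic code. The 'malware' is a placeholder string and
the 'decoder stub' is an invented token language, not real machine code."""
import hashlib
import random

# Constructed stand-in for a malicious body; every sample below carries it.
PAYLOAD = b"EXFILTRATE_DOCS_TO_C2"

# Decoder 'instructions' in the toy language: XOR and EOR are two spellings of
# the same operation, SUB undoes an ADD-encoded body. A token is "OP KEY".
DECODE_OPS = {b"XOR": "xor", b"EOR": "xor", b"SUB": "sub"}
JUNK = (b"NOP", b"MOV r0,r0", b"ADD r1,0")  # do-nothing filler instructions


def _xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def _add(data: bytes, key: int) -> bytes:
    return bytes((b + key) & 0xFF for b in data)


def _sub(data: bytes, key: int) -> bytes:
    return bytes((b - key) & 0xFF for b in data)


def polymorphic_variant(seed: int) -> bytes:
    """Polymorphic: the body is re-encrypted under a fresh key on every copy,
    but the decoder stub in front of it is always the same bytes."""
    key = random.Random(seed).randrange(1, 256)
    return b"DECODE;XOR " + str(key).encode() + b"|" + _xor(PAYLOAD, key)


def metamorphic_variant(seed: int) -> bytes:
    """Metamorphic: the body is re-encoded AND the decoder is rewritten with an
    equivalent operation, alternative spelling and junk instructions, so no
    fixed byte pattern survives from one copy to the next."""
    rng = random.Random(seed)
    key = rng.randrange(1, 256)
    if rng.random() < 0.5:
        tokens, body = [b"EOR " + str(key).encode()], _xor(PAYLOAD, key)
    else:
        tokens, body = [b"SUB " + str(key).encode()], _add(PAYLOAD, key)
    for _ in range(rng.randrange(1, 4)):
        tokens.insert(rng.randrange(len(tokens) + 1), rng.choice(JUNK))
    return b";".join(tokens) + b"|" + body


def detonate(sample: bytes) -> bytes:
    """Stand-in for opening the file in an isolated container and inspecting
    what it does: execute the stub and return the body it produces."""
    stub, sep, body = sample.partition(b"|")
    if not sep:
        return sample  # no stub at all: the whole file is the body
    for token in stub.split(b";"):
        op, _, key = token.partition(b" ")
        if op in DECODE_OPS:
            return (_xor if DECODE_OPS[op] == "xor" else _sub)(body, int(key))
    return body  # no decoder present: the body runs as-is


# --- three generations of endpoint detection --------------------------------
KNOWN_BAD_HASHES = {hashlib.sha256(PAYLOAD).hexdigest()}  # classic AV list


def signature_detect(sample: bytes) -> bool:
    """Classic AV: exact match of the file's hash against known samples."""
    return hashlib.sha256(sample).hexdigest() in KNOWN_BAD_HASHES


def heuristic_detect(sample: bytes) -> bool:
    """NGAV-style generic rule: recognise the polymorphic engine's fixed
    decoder even though the encrypted body differs on every copy."""
    return sample.startswith(b"DECODE;XOR ")


def behaviour_detect(sample: bytes) -> bool:
    """Containment/detonation: ignore how the bytes look, run the sample in
    isolation and judge what comes out."""
    return PAYLOAD in detonate(sample)


def scorecard(seed: int = 1) -> dict:
    """Run each detector against the original, a polymorphic and a metamorphic
    copy; returns {detector: {sample_kind: caught}}."""
    samples = {"original": PAYLOAD,
               "polymorphic": polymorphic_variant(seed),
               "metamorphic": metamorphic_variant(seed)}
    detectors = {"signature": signature_detect,
                 "heuristic": heuristic_detect,
                 "behaviour": behaviour_detect}
    return {d: {k: fn(s) for k, s in samples.items()} for d, fn in detectors.items()}


if __name__ == "__main__":
    for detector, results in scorecard().items():
        print(f"{detector:10s} " + "  ".join(f"{k}={v}" for k, v in results.items()))
```

The point of the toy is the shape of the scorecard, not the byte tricks: each generation of detection is defeated by the next generation of evasion, and only the detector that watches behaviour is indifferent to how the file is spelled. Real NGAV models are far richer than a prefix match, and real detonation has to worry about sandbox evasion, but the ordering is the same.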
EDR and MDR
In recent times we have seen explosive growth in the adoption of EDR (endpoint detection and response) and MDR (managed detection and response) products. These often include NGAV, but vendors accept that NGAV alone cannot detect or automatically stop the latest (metamorphic) threats, so they add monitoring, investigation and response to their technologies.
Depending on the product and the vendor, the value lies in monitoring and tracing a breach after it has occurred, then establishing a series of kill points at which the organization can stop the attack and roll back from it.
And they are very effective. The challenge is that, as attackers increasingly use AI and machine-learning tooling to evade detection, will an EDR/MDR product detect the breach in time, and then roll the business back with minimal or zero impact?
Containment, isolation and sanitisation
The future of endpoint protection is surprisingly simple, powerful and affordable. According to Verizon’s 2019 Data Breach Investigations Report, 94% of malware was delivered by email.
Imagine if every time a user browses the Internet, clicks a web link, downloads a file or opens an email attachment, that session were opened in a secure virtual container, almost invisible to the user, from which malware simply cannot escape to infect the organization.
Every file downloaded from the Internet or received as an email attachment is opened in the secure container and fully sanitised before it can be saved to the corporate network, closing off the endpoint as a path for malware or an attacker to breach the company.
The challenge with many endpoint products is that users have to change what they do and how they work, or the product simply blocks Internet access unless a site has been classified as ‘allowed’.
In the real world this doesn’t work. Users need to do their jobs with minimal or zero disruption, so a containment, isolation and sanitisation solution has to be near-invisible to the user and must not hinder, block or stop daily activities.
The aim of these containment, isolation and sanitisation solutions, especially when combined with a low-cost NGAV product, is to stop unknown, never-seen-before and zero-day attacks from infecting an organization.
If malware or an attacker is held in a secure virtual container from which it cannot escape to breach the company, confidence rises dramatically.
The ultimate goal of any cybersecurity strategy is for attackers to move on to easier targets. Reducing the attack surface at the endpoint delivers a very powerful and compelling solution for organizations of all sizes.