Almost every breach, whether it is a Distributed Denial of Service (DDoS) attack launched from compromised machines, the theft of a corporate database or a phishing campaign, starts in the same place: an endpoint device is accessed and used by an unauthorised party, or a user is manipulated into using that endpoint in an unintended way.
With the number of endpoints on our networks exploding (there are estimates suggesting devices will outnumber people on the internet ten to one by the end of the decade) we need to rethink our approach to endpoint security.
At a recent event attended by senior IT and security leaders, hosted by CSO Australia and sponsored by Heat Software, the issues, challenges and lessons learned around endpoint security were the subject of a vigorous discussion.
Attendees opened with a frank account of what they were currently doing about their own endpoint security. One of the key questions raised was how to define exactly what an endpoint is. The traditional view of desktop computers, notebooks, smartphones and tablets was no longer seen as adequate.
While there was some mention of other devices, such as medical devices in hospitals, the more pointed observation was that suppliers need to be considered as endpoints. One participant noted that the Target breach of 2013, which everyone agreed was a major pivot point for the information security industry, was the result of a third-party contractor being compromised: the attackers used that contractor's stolen credentials and network access to reach Target's own systems.
Unlike in the past, it was difficult to define who the users of systems are, what devices they might have and where they are used. While Mobile Device Management (MDM) systems were mentioned, it was noted that many are hard to use, and that procuring them and validating their efficacy were a challenge in themselves.
It was also noted that a way was needed to balance the privacy of personal data against the need for control, particularly where Bring Your Own Device (BYOD) was deployed.
A significant portion of the examination of the topic focused on managing the risks associated with endpoint devices. With IT departments forced to transform into more proactive, business-oriented teams, there is a reluctance to say "no" when the business comes with a request. As a result, more complexity is brought into corporate IT environments, expanding the attack surface.
The round table attendees agreed that systems that could detect unauthorised or unusual activity at endpoints were crucial, because traditional signature-based detection methods were seen to be ineffective in many cases. Such tools could block potential threats outright or report them for further investigation.
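To make the signature-versus-behaviour point concrete, the following is an added example (not code from the article, from Heat Software or from any attendee). It runs two detectors over three constructed process-start events: a known dropper build that an exact file-hash signature catches, a repacked build of the same dropper whose hash no longer matches but whose behaviour (an Office application spawning an encoded PowerShell command) still trips behavioural rules, and a benign browser launch. The event records, the known-bad hash list and the rule names are all constructed for illustration.

```python
"""Signature versus behavioural detection over endpoint process telemetry.

Added example; not code from the CSO Australia article or from Heat Software.
Every event, hash and rule name below is constructed for illustration.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    parent: str     # image name of the parent process
    image: str      # image name of the process that started
    cmdline: str
    sha256: str     # hash of the executable that ran


# Constructed signature list: the hash of one known dropper build.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"constructed-dropper-build-1").hexdigest()}

# Behavioural rules: parent/child pairs and command-line flags that are rare in
# benign use and survive a repack or rename of the malware binary.
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
ENCODED_FLAGS = {"-enc", "-encodedcommand", "-ec"}


def signature_hit(ev: ProcessEvent) -> bool:
    """Classic signature check: exact match on a known-bad file hash."""
    return ev.sha256 in KNOWN_BAD_SHA256


def behaviour_findings(ev: ProcessEvent) -> list[str]:
    """Names of the behavioural rules this event triggers (empty if none)."""
    parent, image = ev.parent.lower(), ev.image.lower()
    tokens = ev.cmdline.lower().split()
    findings = []
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        findings.append("office-app-spawned-script-host")
    if image == "powershell.exe" and any(t in ENCODED_FLAGS for t in tokens):
        findings.append("encoded-powershell")
    if image in SCRIPT_HOSTS and any(
        k in " ".join(tokens) for k in ("downloadstring", "invoke-webrequest")
    ):
        findings.append("script-host-downloads-content")
    return findings


def triage(events: list[ProcessEvent]) -> list[tuple[str, str, list[str]]]:
    """Return (host, verdict, reasons) per event: 'block' on a signature hit,
    'investigate' when behavioural rules fire, otherwise 'allow'."""
    out = []
    for ev in events:
        if signature_hit(ev):
            out.append((ev.host, "block", ["known-bad-hash"]))
            continue
        reasons = behaviour_findings(ev)
        out.append((ev.host, "investigate" if reasons else "allow", reasons))
    return out


# Constructed telemetry. The base64 in event 2 is UTF-16LE "calc", used only
# as a recognisable placeholder for an encoded command.
SAMPLE_EVENTS = [
    ProcessEvent("ws-042", "jsmith", "explorer.exe", "update.exe",
                 "update.exe /silent",
                 hashlib.sha256(b"constructed-dropper-build-1").hexdigest()),
    ProcessEvent("ws-017", "akhan", "WINWORD.EXE", "powershell.exe",
                 "powershell.exe -nop -w hidden -enc YwBhAGwAYwA=",
                 hashlib.sha256(b"constructed-dropper-build-2").hexdigest()),
    ProcessEvent("ws-017", "akhan", "explorer.exe", "chrome.exe",
                 "chrome.exe --profile-directory=Default",
                 hashlib.sha256(b"constructed-benign-chrome").hexdigest()),
]

if __name__ == "__main__":
    for host, verdict, reasons in triage(SAMPLE_EVENTS):
        print(f"{host:8} {verdict:12} {', '.join(reasons) or '-'}")
```

The second event is the one that matters: the hash check returns nothing because the binary was repacked, while the parent/child and encoded-command rules still fire, which is exactly the gap the attendees were describing. In practice the "investigate" verdict would feed an analyst queue or an EDR response action rather than a print statement.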
The use of external partners was also the subject of substantial discussion. Several participants noted that Managed Security Service Providers (MSSPs) had access to more expert resources and were therefore better equipped for many tasks. For example, an MSSP could be used to maintain and monitor firewall operations, freeing internal staff to work on issues with a more direct impact on business performance.
As well as allocating tasks to experts, using different service providers for different tasks, such as one MSSP for firewalls and another for endpoint security, lets companies diversify their risk rather than putting all their security eggs in one basket.
Vendor relationships were also seen as critical. Finding vendors who took the time to understand specific business needs and who were responsive to them was seen as essential, albeit one of the harder things to find.
So, what is needed to move from traditional endpoint security models to a new way of doing things that supports this new world? Finding skilled people who understand risks and systems, and who can convey that information to the business in meaningful terms, was seen as critical.
That means getting away from what security experts see as important, such as patching a specific vulnerability, and instead explaining why patching that vulnerability matters and what it means to the business.
In concluding the dialog, several attendees came back to where the conversation had started: physical, logical and human asset management. Knowing who and what is connecting to the network, and what is being accessed, was seen as critical.
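The closing point, knowing what is actually on the network, is where the "what is an endpoint" question from the start of the discussion becomes a concrete check. The following is an added example, not code from the article or from any vendor mentioned in it: it reconciles a DHCP lease export against an asset register and reports devices nobody has recorded (a hobbyist board and a building-controls unit in the constructed data), registered devices that show up under a different hostname, and registered devices that have not been seen at all. The lease lines, the asset register and the OUI hint table are all constructed for illustration, and the MAC normalisation step exists because real exports mix colon, hyphen and bare-hex formats.

```python
"""Reconcile devices seen on the network with the asset register.

Added example, not part of the original article. The DHCP lease export, the
asset register and the OUI hint table are all constructed for illustration.
"""
import re

# Constructed lease export, one "<ip> <mac> <hostname>" record per line,
# with MACs deliberately in the mixed formats real exports produce.
LEASE_EXPORT = """\
10.1.4.21 00:1A:2B:3C:4D:5E LAPTOP-ACCT01
10.1.4.22 00-1a-2b-3c-4d-5f fin-desk-07
10.1.4.40 b8:27:eb:11:22:33 raspberrypi
10.1.4.41 d0:50:99:aa:bb:cc HVAC-CTRL
10.1.4.50 001a2b3c4d60 LAPTOP-ACCT02
"""

# Constructed asset register keyed by normalised MAC (12 lowercase hex digits).
ASSET_REGISTER = {
    "001a2b3c4d5e": {"owner": "finance", "hostname": "LAPTOP-ACCT01"},
    "001a2b3c4d5f": {"owner": "finance", "hostname": "FIN-DESK-07"},
    "001a2b3c4d60": {"owner": "finance", "hostname": "LAPTOP-ACCT03"},
    "001a2b3c4d61": {"owner": "hr", "hostname": "HR-LAPTOP-01"},
}

# Constructed OUI hints (first 24 bits of the MAC -> vendor) to help triage
# unknown devices; a real deployment would load the IEEE OUI list.
OUI_HINTS = {"b827eb": "Raspberry Pi Foundation"}

_MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalise_mac(raw: str) -> str:
    """Strip separators and case so 'AA:BB..', 'aa-bb..' and 'aabb..' compare equal."""
    mac = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if not _MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {raw!r}")
    return mac


def parse_leases(text: str) -> list[dict]:
    """Parse the constructed lease format; blank and '#' lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        ip, mac, hostname = line.split(maxsplit=2)
        records.append({"ip": ip, "mac": normalise_mac(mac), "hostname": hostname})
    return records


def reconcile(leases: list[dict], register: dict) -> dict:
    """Three-way comparison of observed devices against the register."""
    seen = {}                      # last lease wins for a MAC seen twice
    for rec in leases:
        seen[rec["mac"]] = rec

    unknown, mismatched = [], []
    for mac, rec in seen.items():
        asset = register.get(mac)
        if asset is None:
            unknown.append({**rec, "vendor_hint": OUI_HINTS.get(mac[:6], "unknown OUI")})
        elif asset["hostname"].lower() != rec["hostname"].lower():
            mismatched.append({"mac": mac, "expected": asset["hostname"],
                               "seen": rec["hostname"], "ip": rec["ip"]})
    not_seen = sorted(mac for mac in register if mac not in seen)
    return {"unknown": unknown, "hostname_mismatch": mismatched, "not_seen": not_seen}


if __name__ == "__main__":
    report = reconcile(parse_leases(LEASE_EXPORT), ASSET_REGISTER)
    for u in report["unknown"]:
        print(f"UNKNOWN   {u['ip']:12} {u['mac']} {u['hostname']} ({u['vendor_hint']})")
    for m in report["hostname_mismatch"]:
        print(f"MISMATCH  {m['ip']:12} {m['mac']} expected {m['expected']}, saw {m['seen']}")
    for mac in report["not_seen"]:
        print(f"NOT SEEN  {'':12} {mac} {ASSET_REGISTER[mac]['hostname']}")
```

Each of the three buckets answers a different question from the discussion: "unknown" is the list of things connecting that nobody owns, which is where unmanaged devices and supplier equipment surface; "hostname_mismatch" flags a registered device that may have been reimaged, reassigned or spoofed; "not_seen" shows register entries that may be stale, lost or simply off-site. The comparison is case-insensitive on hostnames because Windows and DHCP clients disagree on case, so the finance desktop in the sample is correctly not flagged.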