For years, security practitioners have had the unenviable responsibility of architecting creative solutions to protect our end users. While there is nothing new to this, the issue is – and always will be – the moving target of what the ‘endpoint’ is. Where is the endpoint and what is it? These are questions we need to address right now.
Long before Covid-19 was a part of our lives, the business world had begun the move to a more mobile and agile workforce. This meant employees were working on the road and taking calls from coffee shops, hotel bars, and airport lounges across the world. The flexibility and efficiency of the “work from anywhere” model is amazing, but it comes with a few drawbacks. Security is much harder to achieve when users are no longer uniform in how they perform their work. Our old baselines that told us what the “truth” was, unfortunately, are long gone and of little to no help to us now.
So, this leaves us with two questions: Where do we stand now and where are we going?
Over the last few years, we have had to re-invent the way most of our lives are lived, and as security engineers, the remote life has made things complicated. There is now a large percentage of organizations that were “born in the cloud” (BITC), meaning that they do not have a datacenter of their own, they do not own network gear, and everything they have can and needs to be accessed from anywhere. Along with these BITC companies, many traditional organizations are also moving to a cloud-based design in terms of their IT infrastructure. This means that all of the money organizations have spent to build up internal security measures now needs to be converted over so that those measures work with the new norm of a highly mobile workforce.
When it comes to the endpoint, traditional Antivirus software (AV) is not enough. It really isn’t even enough for your grandmother’s home computer, let alone for an organization’s endpoint in a professional and complex environment. This has been true for a couple of years now, and unfortunately, protection beyond traditional AV is no longer a luxury to have, but an absolute requirement.
If traditional AV is not enough, then what is? An Endpoint Detection and Response (EDR) solution. After email security, an EDR solution is arguably one of the best investments an organization can make into the future protection of their assets. Where traditional AV falls short, EDR solutions fill the gaps. The ability to perform User Event and Behavior Analysis (UEBA) is unequivocally critical in your ability to stop an advanced attack in its tracks.
But wait, there’s more! (RIP Billy Mays) The true value in an EDR solution is that they include a couple of key features that allow our overworked and stressed engineers to have a small amount of certainty into the alerts that they are investigating. Any half-decent EDR solution should include the following: traditional AV engine with known malicious signatures, UEBA, correlation of endpoint actions with known attack methodologies (MITRE), the ability to isolate hosts and pull forensics, and a concise and clear interface.
When an organization has an EDR solution installed on their endpoints, it allows the security team to understand what is really happening on the assets under their control – key word being control. Once a security engineer knows what to investigate, they need to know why and what they are looking at.
One of the best features in any EDR solution is their ability to isolate a host, pull forensics, and perform a full triage of the historical events, if needed. Try doing all of those tasks quickly without one. This alone should be the selling point to any company. Today, EDR solutions make those complex tasks very simple and in turn can stop the spread of ransomware attacks, save time when critical logs are turning over, and allow the business to have a faster time to resolution and therefore, less money lost to the business.
There always seems to be talk of the ‘future’ and how the paradigm shift of a truly mobile workforce will change the way in which the world does business. From the security perspective, the “future” is our present and we need to adjust our thinking in order to get ahead of the curve and help our businesses excel with the move to a fully remote workforce. In order to defend something effectively, we must have visibility into not only what we are defending, but the actions that our adversaries are taking as well. Moving into the future will require the security community to get back to basics, meaning that we need to gain visibility into our new status quo of our networks being everywhere and anywhere.
The implementation of an EDR solution is the first step in maturing your security posture as an organization. While there are many other areas that deserve our attention, the endpoint is still king. As the world of technology evolves and we see the wide adoption of Zero Trust Network Access, Secure Access Service Edge, and a fully virtual desktop, one thing will remain – the notion that humans are creatures of habit. Being able to identify a user’s baseline behavior will help security to understand when attacks are happening and what is happening. Without that knowledge and visibility, we are playing defense blind.
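To make the baseline-behavior idea concrete (and the UEBA and MITRE correlation features listed earlier), here is a small added example, not code from the original post or from any EDR product: it learns each user’s normal parent/child process pairs and working hours from constructed telemetry, then flags new events that fall outside that baseline. The telemetry, user names and the single ATT&CK technique hint are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample EDR telemetry: (user, ISO timestamp, parent_process, child_process).
# A "normal week" used to learn the baseline for user alice.
BASELINE_EVENTS = [
    ("alice", "2024-03-04T09:12:00", "explorer.exe", "outlook.exe"),
    ("alice", "2024-03-04T10:30:00", "explorer.exe", "winword.exe"),
    ("alice", "2024-03-05T14:05:00", "explorer.exe", "chrome.exe"),
    ("alice", "2024-03-06T16:40:00", "outlook.exe", "winword.exe"),
]

# Constructed events to score against that baseline.
NEW_EVENTS = [
    ("alice", "2024-03-11T10:15:00", "explorer.exe", "outlook.exe"),      # routine
    ("alice", "2024-03-11T23:47:00", "winword.exe", "powershell.exe"),    # off-hours, new pair
    ("bob",   "2024-03-11T11:00:00", "explorer.exe", "chrome.exe"),       # user never seen
]

# Assumed, illustrative mapping from a process pair to an ATT&CK technique; a real EDR
# would carry a much larger rule set.
TECHNIQUE_HINTS = {
    ("winword.exe", "powershell.exe"): "T1059.001 (PowerShell launched from Office)",
}

def build_baseline(events):
    """Per user, record the set of parent->child pairs and the hours of day seen."""
    baseline = defaultdict(lambda: {"pairs": set(), "hours": set()})
    for user, ts, parent, child in events:
        baseline[user]["pairs"].add((parent.lower(), child.lower()))
        baseline[user]["hours"].add(datetime.fromisoformat(ts).hour)
    return baseline

def score_events(baseline, events):
    """Return one alert per event that deviates from the user's learned baseline."""
    alerts = []
    for user, ts, parent, child in events:
        pair, hour, reasons = (parent.lower(), child.lower()), datetime.fromisoformat(ts).hour, []
        profile = baseline.get(user)
        if profile is None:
            reasons.append("no baseline for user")
        else:
            if pair not in profile["pairs"]:
                reasons.append(f"new process pair {parent} -> {child}")
            if hour not in profile["hours"]:
                reasons.append(f"activity at {hour:02d}:00 outside baseline hours")
        if pair in TECHNIQUE_HINTS:
            reasons.append("matches " + TECHNIQUE_HINTS[pair])
        if reasons:
            alerts.append({"user": user, "time": ts, "child": child, "reasons": reasons})
    return alerts
```

Running `score_events(build_baseline(BASELINE_EVENTS), NEW_EVENTS)` yields two alerts: the late-night Office-to-PowerShell launch for alice (three reasons, including the technique hint) and bob’s activity with no baseline at all.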