The Endpoint Gap in Corporate Security
“The biggest misconception people have about endpoints is that they have an idea of what their endpoints really are. The security industry has rightly taught defense-in-depth & blocking. However, too many companies rely solely on that concept, and aren't prepared for what happens when something is breached. That breach, when it happens, will take place because someone got through to an endpoint - whether through exploitation of the software or the human. Companies should presume breaches will occur, and move to a continuous monitoring cycle to augment their defense in depth posture.” Thomas Quilan, Cybersecurity Expert
There is a gap in corporate security technology. Many enterprises rely primarily on firewall, SIEM and endpoint security solutions, but these technologies only cover so much and miss key components of corporate security: what is happening between those endpoints, and what is happening at the packet level.
Today we will focus on endpoint solutions.
Endpoint solutions are only as effective as their deployment, and according to many experts deployment rarely reaches the 100% level. Why? With the rise of remote networks, third-party vendor devices, BYOD (Bring Your Own Device) policies that put personal mobile devices on the network, and the need simply to keep up with organic growth, full coverage is hard to reach. Nearly two-thirds of enterprises have been compromised in the past year by attacks which originated at endpoints, a 20 percent increase year-over-year.
So how do you secure that gap?
Well, wire data can help, because it tells a very compelling story of how, when, and where attackers gained access to your network. Tracking down and remediating the issue, often with the help of data collected from endpoint toolsets (and SIEMs), significantly reduces dwell time. Attackers don’t just rest once they gain access to a network; they have to move around to find the data. Monitoring the network traffic and hunting down the root cause through that traffic helps analysts recover from breaches much more quickly than if they relied only on events from SIEMs and endpoint toolsets.
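The two uses of wire data described above, finding endpoints the agent never reached and spotting an attacker moving between hosts, can be demonstrated with a few lines of analysis over flow records. The following is an added example written for this post, not code from MixMode or any product; the flow records, the EDR inventory, the lateral-movement port list and the alert timestamp are all constructed sample data, and the five-hosts-in-five-minutes fan-out threshold is an assumed tuning value.

```python
"""
Added example (not from the original post): using constructed flow records to
(1) list hosts seen on the wire that the endpoint tool has no agent on, and
(2) flag a source that fans out to many internal hosts over admin/file-sharing
ports, then measure dwell time against the first endpoint alert.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records: (timestamp, src_ip, dst_ip, dst_port)
FLOWS = [
    ("2018-11-05T08:00:00", "10.0.1.15", "10.0.1.20", 445),
    ("2018-11-05T08:00:05", "10.0.1.15", "10.0.1.21", 445),
    ("2018-11-05T08:00:09", "10.0.1.15", "10.0.1.22", 445),
    ("2018-11-05T08:00:12", "10.0.1.15", "10.0.1.23", 445),
    ("2018-11-05T08:00:15", "10.0.1.15", "10.0.1.24", 445),
    ("2018-11-05T08:00:20", "10.0.1.15", "10.0.1.25", 3389),
    ("2018-11-05T09:10:00", "10.0.1.40", "10.0.2.5", 443),
    ("2018-11-05T09:11:00", "10.0.1.41", "10.0.2.5", 443),
    ("2018-11-05T09:12:00", "10.0.1.99", "10.0.2.5", 443),  # constructed: vendor laptop, no agent
    ("2018-11-05T09:13:00", "10.0.1.20", "10.0.2.5", 443),
]

# Constructed EDR inventory: hosts the endpoint agent reports as enrolled.
EDR_ENROLLED = {
    "10.0.1.15", "10.0.1.20", "10.0.1.21", "10.0.1.22", "10.0.1.23",
    "10.0.1.24", "10.0.1.25", "10.0.1.40", "10.0.1.41", "10.0.2.5",
}

# Assumed set of ports commonly used for host-to-host administration
# (SMB, RPC, NetBIOS, RDP, WinRM, SSH); tune to your environment.
LATERAL_PORTS = {445, 135, 139, 3389, 5985, 5986, 22}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def unmanaged_hosts(flows, enrolled):
    """Hosts seen talking on the wire that the endpoint tool does not know about."""
    seen = set()
    for _, src, dst, _ in flows:
        seen.add(src)
        seen.add(dst)
    return sorted(seen - enrolled)


def lateral_fanout(flows, window=timedelta(minutes=5), threshold=5):
    """
    Flag any source that opens sessions on LATERAL_PORTS to at least `threshold`
    distinct hosts within `window`. Returns {src: (first_seen, [targets])}.
    """
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port in LATERAL_PORTS:
            by_src[src].append((parse_ts(ts), dst))
    findings = {}
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            targets = {d for t, d in events[i:] if t - t0 <= window}
            if len(targets) >= threshold:
                findings[src] = (t0, sorted(targets))
                break  # report the earliest qualifying window only
    return findings


def dwell_time(first_seen, alert_ts):
    """How long the attacker was moving on the wire before the endpoint alert fired."""
    return parse_ts(alert_ts) - first_seen


if __name__ == "__main__":
    print("No agent on:", unmanaged_hosts(FLOWS, EDR_ENROLLED))
    for src, (t0, targets) in lateral_fanout(FLOWS).items():
        print(f"{src} fanned out to {len(targets)} hosts starting {t0}: {targets}")
        # Constructed alert time: the first EDR alert for this host arrived at 11:30.
        print("Dwell before endpoint alert:", dwell_time(t0, "2018-11-05T11:30:00"))
```

The unmanaged-host list is the coverage gap the post describes: a host that shows up in wire data but not in the agent inventory is a place the endpoint tool cannot see. The fan-out check is deliberately simple; in practice the window, threshold and port list need tuning against a baseline of normal administrative traffic, or helpdesk and backup servers will dominate the findings.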
Consider these 7 additional facts from the 2018 State of Endpoint Security report:
1. The frequency of attacks against endpoints is increasing. Sixty-three percent of respondents say the frequency of attacks has increased over the past 12 months. The increase in successful attacks is taking a toll on endpoint security confidence. According to respondents, an average of 52 percent of all attacks cannot be realistically stopped.
2. The cost of successful attacks has increased from an average of $5 million to $7.1 million. Costs due to the loss of IT and end-user productivity and theft of information assets have increased. The average cost per compromised endpoint is $440. Small and medium-sized businesses (SMBs) have a much higher cost of $763.
3. The majority of respondents say their organizations were compromised in 2018. More respondents in 2018 say their organization has experienced one or more endpoint attacks that successfully compromised data assets and/or IT infrastructure (64 percent vs. 54 percent).
4. Zero-day attacks are 4x more likely to compromise organizations. Of the 64 percent of respondents in organizations that were compromised, 76 percent say the type of attack was a new or unknown zero-day attack. This is four times the 19 percent of respondents who say their organizations were compromised by an existing or known attack.
5. Antivirus products missed an average of 57 percent of attacks. Confidence in traditional antivirus (AV) solutions continues to drop. On average, respondents estimate their current AV is effective at blocking only 43 percent of attacks. In addition to the lack of adequate protection, respondents cite high numbers of false positives and alerts as challenges associated with managing their current AV solutions.
6. The average time to patch is 102 days. The findings reveal the difficulties in keeping endpoints effectively patched. Forty-three percent of respondents in organizations that have a patch management process say they are taking longer to test and roll out patches in order to avoid issues and assess the impact on performance.
7. Organizations that have purchased EDR solutions cite a lack of proactive protection and adoption challenges as top frustrations. The majority of organizations adopting these solutions use them to detect early signs of an attack and block them. However, on average, only 46 percent of all features or functionalities are actively used and 47 percent of respondents say it took more than three months to deploy.
The costs of a breach are well documented. We all realize that attacks are getting more sophisticated, with bad actors using ML and AI to stay ahead of the curve. This is why a regular assessment of your security program is a good idea: it lets you choose the most appropriate tools for your organization. If you have not done so already, it may be worth scoping the addition of a network monitoring platform with the ability to do digital forensic investigations, full packet capture, incident response and predictive analytics. Such a platform will improve your visibility significantly and complement your SIEM and endpoint products.
By Kyle Pullman, Strategic Partnerships at MixMode