Is your endpoint protection able to keep up with the rapidly changing tactics of today’s attackers? Read on to learn more.
The proliferation of attacks on all businesses, from small and medium-sized enterprises to Fortune 100 companies, has led to a highly competitive Endpoint Protection market. There’s plenty of confusion surrounding what differentiates one solution from another, let alone which product will meet your unique business needs. Among the claims and counter-claims about which solution is best, the reality is that the right solution for your organization is not necessarily the one with the loudest voice in the marketplace. Instead, consider whether your approach to endpoint protection matches that of the providers you consider. With rapid changes in the way malware and threat actors are compromising victims, which security solutions are keeping up with the pace? Let’s take a look at 7 changes to modern security thinking that should underlie any effective endpoint protection system today.
1. Your Network Is Everywhere
It’s easy to think that the job of security software is just to protect your devices from malware and data loss, and that indeed has been the traditional approach of legacy AV software, but that only creates a blind spot in defensive thinking. The task is to protect your network from both internal and external threats, and that includes the potential threat from endpoints themselves. Modern, joined-up security thinking understands that this means more than just anti-malware or AV coverage on the device. Firewall control, media control and deep inspection of encrypted and unencrypted traffic are all necessary adjuncts to protecting your entire network, wherever the threat may come from.
2. Keep the Noise Down!
Even today, some vendors still believe that the quantity – rather than the quality – of alerts is what should differentiate a superior product from the rest. But alerts that go unnoticed because they are swimming in a sea of hundreds of other alerts clamouring for attention are as good as no alerts at all, as the Target corporation found out to their cost. False positives, like the boy who cried wolf, also condition weary admins and SOC specialists to tune out things that may be the next big threat because they simply cannot cope with the quantity of work. Rather than a security solution that provides hundreds of single alerts for each command with little or no context, choose one that provides a single alert with the telemetry and details of all the related commands, whether that be one or one hundred, automatically mapped into the context of an entire attack story.
3. Threats Are Local – Detection Should Be, Too
We live in the age of the Cloud, but malicious software acts locally on devices, and that’s where your endpoint detection needs to be, too. If your security solution needs to contact a server before it can act, to get instructions or check files against a remote database, you’re already one step behind the attackers. Will the security software even get its message to the outside world if the attacker takes over DNS settings? Will it receive a reply if the malware blocks incoming connections? Malware may have already done its damage by the time a cloud-based solution has done the round-trip to a server somewhere far, far away.
4. Less is More
There’s power in simplicity, but today’s threatscape is increasingly sophisticated. While some vendors think the number of tools they offer is a competitive advantage, it just increases the workload on your staff and locks knowledge into specialized employees who may one day take themselves – and that knowledge – elsewhere. You want to be able to eliminate threats fast and close the gaps without needing a dedicated SOC. You also want the ability to do deep forensics if you need to without having to turn to yet another tool or vendor. Adding more and more tools to cover all the possibilities is a never-ending race as both attackers and defenders seek to exploit emerging technologies. Look for endpoint protection that takes a holistic approach, that builds all the features you need into a single agent, and that is managed by a user-friendly console that doesn’t need specialist training.
5. Seeing is Believing
We know endpoint protection can fail; it’s the nature of the game that attackers will adapt to defenders. If you can’t see what your endpoints are doing, how can you be sure that one of them hasn’t been compromised? Has a remote worker clicked a phishing link and allowed an attacker access to your network? Is a zero-day vulnerability in a third-party dependency allowing cybercriminals to move around inside your environment undetected? Visibility is key, but attackers have now embraced encrypted HTTPS and acquired their own SSL certificates. You need insight into the devices on your network, and that must include their encrypted traffic in order to detect when threats have sneaked past your defenses and are actively engaged with your assets.
6. Leave No Device Behind
It’s the quiet ones at the back you have to look out for. If your enterprise is 95% harnessed to one platform, it doesn’t mean you can write off the business risk presented by the other 5% as negligible. Attackers are able to exploit vulnerabilities in one device and jump to another, regardless of what operating system the device itself may be running. As a result, effective endpoint protection needs to be platform-agnostic. Whether your users prefer Linux, Windows or macOS, securing your network means securing them all. You’re only as strong as your weakest link.
7. Move Beyond Trust
Blocking untrusted processes and whitelisting the known “good guys” is a traditional technique of legacy AV security solutions that attackers have moved well beyond, and businesses need to think smarter than that, too. With techniques like process hollowing and embedded PowerShell scripts, malware authors are well-equipped to exploit AV solutions that trust once and allow forevermore. Endpoint protection needs to look beyond trust and inspect the behaviour of processes executing on the device. Is that “trusted” process doing what it’s supposed to be doing, or is it exhibiting suspicious behaviour?
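To make points 2 and 7 concrete, here is an added Python example (not SentinelOne code, and not part of the original post). It takes a handful of constructed process-creation events, groups them into one "story" per launch root so that a chain of related commands produces a single alert instead of one per command, and then judges each story by what the processes do rather than by whether they are on an allowlist. The process names, the launcher/office/interpreter sets and the two behaviour rules are assumptions chosen for illustration, not a vendor's rule set.

```python
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str
    trusted: bool  # signed by a vendor on the allowlist (legacy "trust once" input)


# Constructed sample telemetry for the example (not real logs). The encoded
# PowerShell argument is a placeholder string, not a real payload.
EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe", True),
    ProcEvent(200, 100, "winword.exe", "winword.exe invoice.docx", True),
    ProcEvent(210, 200, "cmd.exe", "cmd.exe /c powershell -nop -w hidden -enc AAAA", True),
    ProcEvent(220, 210, "powershell.exe", "powershell -nop -w hidden -enc AAAA", True),
    ProcEvent(300, 100, "chrome.exe", "chrome.exe", True),
    ProcEvent(310, 300, "chrome.exe", "chrome.exe --type=renderer", True),
]

# Assumed classification of process images (illustrative, not exhaustive).
LAUNCHERS = {"explorer.exe"}          # user shell: children start their own story
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def build_stories(events: list[ProcEvent]) -> dict[int, list[ProcEvent]]:
    """Group events by the nearest ancestor launched directly from a launcher."""
    by_pid = {e.pid: e for e in events}

    def root(e: ProcEvent) -> ProcEvent:
        while True:
            parent = by_pid.get(e.ppid)
            if parent is None or parent.image.lower() in LAUNCHERS:
                return e
            e = parent

    stories: dict[int, list[ProcEvent]] = defaultdict(list)
    for e in events:
        if e.image.lower() in LAUNCHERS:
            continue  # the launcher itself is not part of any story
        stories[root(e).pid].append(e)
    return dict(stories)


def legacy_verdict(story: list[ProcEvent]) -> str:
    """Allowlist-only logic: every process is 'trusted', so nothing is flagged."""
    return "allow" if all(e.trusted for e in story) else "block"


def office_ancestor(e: ProcEvent, by_pid: dict[int, ProcEvent]) -> ProcEvent | None:
    """Return the closest document-handler ancestor inside the story, if any."""
    p = by_pid.get(e.ppid)
    while p is not None:
        if p.image.lower() in OFFICE:
            return p
        p = by_pid.get(p.ppid)
    return None


def behaviour_findings(story: list[ProcEvent]) -> list[str]:
    """Behaviour rules applied regardless of the trusted flag."""
    by_pid = {e.pid: e for e in story}
    findings = []
    for e in story:
        img = e.image.lower()
        anc = office_ancestor(e, by_pid)
        if anc is not None and img in INTERPRETERS:
            findings.append(f"{anc.image} (pid {anc.pid}) led to {e.image} (pid {e.pid})")
        low = e.cmdline.lower()
        # Coarse heuristic: hidden window plus an encoded command argument.
        if img == "powershell.exe" and "-enc" in low and "hidden" in low:
            findings.append(f"powershell.exe (pid {e.pid}) hidden window with encoded command")
    return findings


def triage(events: list[ProcEvent]) -> list[dict]:
    """One alert per story that has findings, carrying the whole command chain."""
    alerts = []
    for root_pid, story in build_stories(events).items():
        findings = behaviour_findings(story)
        if findings:
            root_image = next(e.image for e in story if e.pid == root_pid)
            alerts.append({
                "root_pid": root_pid,
                "root_image": root_image,
                "events": len(story),
                "legacy_verdict": legacy_verdict(story),
                "findings": findings,
            })
    return alerts


if __name__ == "__main__":
    for alert in triage(EVENTS):
        print(alert)
```

Running it yields a single alert rooted at winword.exe that carries all three related processes and their findings, while the legacy allowlist verdict for the same chain is "allow" because every binary is signed; the chrome.exe story produces no alert at all. Real agents derive the story root from session and injection telemetry rather than from a fixed launcher name, and the rule set would be far larger, but the shape is the same.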
How SentinelOne Can Help
SentinelOne provides a solution that you can manage with your existing team, and which can be deployed quickly with minimal training. It allows you to inspect encrypted traffic, block and remediate threats, and even roll back a device to a pre-infection state. It accomplishes all this and more within a single, seamless console that manages devices regardless of operating system platform. With on-device detection and contextual alerts providing a full attack storyline, SentinelOne gives you both simplicity and power. We also provide best-in-class detection by combining behavioral AI and a layered security approach.