5 Tips Every CIO Must Follow To Prevent Costly Data Breaches

By ISBuzz Team | February 1, 2019 | Updated: July 4, 2024 | 7 Mins Read

Endpoint security has become a major battleground in the cybersecurity war as companies struggle to protect an ever-growing number of machines in an increasingly complex environment. With the widespread adoption of remote working arrangements, the onslaught of mobile devices and BYOD policies (or lack thereof), the endpoint landscape in many companies has become a wild west of devices, operating platforms and applications.

As a result, endpoint vulnerabilities are being exploited on an unprecedented scale. According to the Ponemon Institute, 64 percent of organizations have experienced at least one endpoint attack that compromised their data or infrastructure in the past year. With the average cost of a data breach now reaching nearly $3.9 million globally and $7.91 million for U.S. companies, a successful attack poses a legitimate threat to business survival.

The number of successful endpoint attacks has jumped 10 percent over the last year in large part because organizations are painfully slow at patching and maintaining up-to-date systems throughout the network. Ponemon’s research shows that the average time to patch is 102 days, leaving endpoints vulnerable for more than three months—and that’s after a known vulnerability is identified and a patch is issued, to say nothing of those that remain unknown and unpatched.

To protect the organization, CIOs must take charge of their endpoint assets and keep every system up to date. It might feel like a daunting task, especially in organizations with thousands of endpoints, because we know that rolling out patches doesn’t always go smoothly. But with a calculated approach, and a bit of automation assistance on your side, keeping your organization’s endpoints secure can become a smooth and efficient process. Here’s how:

  • Identify what needs protection. In order to protect endpoints, you must have a handle on what’s running on each of them. Unfortunately, most organizations are in the dark about what software is running on the machines across their network. We’ve seen as many as 30,000 discrete pieces of software in place, not to mention all of the related executables, which could add up to several million.

Of course, no organization intentionally loses complete control over its software assets. It happens gradually. Perhaps you acquired a company, or some business units may work semi-autonomously and buy and install their own software. (This, by the way, is how NotPetya took down Maersk in a matter of minutes—with a single software install on a single unpatched machine.)

Add to that mobile employees connecting to free Wi-Fi at an airport or coffee shop, BYOD introducing a new layer of complexity and contractors working through your network who are responsible for their own systems maintenance, and it’s easy to see how the situation quickly spirals out of control. Still, in order to protect itself, the organization must somehow get a handle on all its software—who made it, what version it’s on, etc.—and create a hierarchical tree that shows how all of the pieces work together. You can’t protect it if you don’t know that it exists. 

  • Make patching a top-level priority. Virtually all the recent high-profile, costly breaches, like WannaCry and NotPetya, could have been prevented if the affected organizations had applied available patches. Not only the software but also the core operating system must be updated regularly to the most current versions to reduce vulnerabilities.

But we have a long way to go. Windows 10, which was built with an emphasis on security, is over 3 years old. Yet most organizations still haven’t migrated from Windows 7. They’re relying on software that’s a decade old, which Microsoft will cease to support in the coming year, exponentially magnifying the risk for companies that haven’t migrated.

The responsibility to keep the organization up to date lies squarely on the shoulders of the CIO, and failure to do so could be a multi-million-dollar mistake. Of course, there is a tremendous amount of cost and time involved in migration. Upgrading a single machine might take 3-4 hours, and multiplied over 10,000 machines in a large organization, it’s easy to see how it could take years.

That’s why automation is the only reasonable solution. Even in small to mid-size organizations, there are far too many system variations and vulnerabilities to deal with manually. Leveraging an automated solution will handle 90 percent of the load for you, allowing your team to focus on those few machines with more complex configurations that don’t upgrade smoothly.

  • Deploy real-time response. Even with the best patching and upgrade protocol, there are bound to be some vulnerabilities left unaddressed. Endpoint security is a perpetual game of cat and mouse, with bad actors searching feverishly for vulnerabilities while software vendors work just as hard to find them first and button them up.

It’s literally a race against time. Thanks to the real-time nature of modern work that enables global companies to operate in perfect synchronization across every time zone, malware can propagate across an entire global network in minutes. NotPetya, for example, took just 45 seconds to bring down a large bank in Ukraine and just 16 seconds to fully infect and bring a major transit hub to a stop. Within hours, it had spread globally from a hospital in Pennsylvania to a chocolate factory in Tasmania.

Adding a real-time response solution into the security tech stack to detect and stop an attack before it becomes a breach is the only effective defense. While some solutions must see megabytes of suspicious data transfer before taking action, that’s simply too slow. The best defense is one that can halt an attack with a mere packet or two of data to shut down malware before it can do significant damage.

  • Invest in alarms. Once you’ve secured all your doors and windows, it’s wise to add an extra layer of security to alert you in the event of an intruder, just like you would at home. There are plenty of great cybersecurity solutions out there to monitor what’s happening and sound the alarm in the event of something suspicious.

The problem is that they simply can’t catch everything. Last year, antivirus products missed an average of 57 percent of endpoint attacks. Perhaps just as dangerous, alarm fatigue is a real problem, with the number of false positives causing security teams to tune out. With 230,000 new malware variants launching per day, a computer somewhere on the internet is attacked once every 39 seconds. That’s potentially a lot of alarms, and finding the right level of response is critically important; otherwise, you eventually just stop listening.

  • IT security and operations must collaborate. Now that we’ve addressed the machine side of the equation, which is surprisingly the easiest part, we must work on the human side. Keeping the organization’s endpoints up to date is a joint task for security and operations, and collaboration is essential for any of this to be successful. The survival of the business depends on it. Operations must be on board to help catalog all the assets and keep the machines patched and current, applying appropriate security settings as required. For its part, security must provide the monitoring and analysis that keeps the organization on top of threats, both potential and incoming. With this team-oriented approach, the organization will enjoy the peace of mind that comes with having all the doors and windows secured, but also fully equipped with a responsive alarm system, just in case.

Protecting your organization from a multi-million-dollar data disaster sounds simple enough—patch and update the endpoints—but the reality is that doing so is an extremely complex and costly endeavor. So much so, that many organizations are willing to take the gamble, opting not to spend just a fraction of the time and money that a breach would cost to keep their endpoints secure.

With automated solutions combined with real-time response and a just-right level of monitoring and alarm, companies of all sizes can find the sweet spot where investing in comprehensive defense is the only option.


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
