Ever feel like you’re fighting a losing battle? Your organization is pretty diligent when it comes to security. You have firewalls at the perimeter between your internal networks and the Internet. You have an anti-virus product deployed on every laptop, desktop, and server within your organization, with its signatures kept current. You may have even deployed an application-aware next generation firewall, an IPS, or a SIEM to collect and correlate security events from many data sources. Yet, despite your best efforts, your end users still manage to become infected with malware—or perhaps even ransomware. You may ask yourself, “With all of this protection in place, how is this possible?”
Well, you’re not alone. In fact, many organizations are facing the very same issues. No one wants to be the next one to make headlines or to spend hours and days cleaning up and rebuilding after a malware infection. If one of your primary security objectives is to minimize the possibility of any endpoint becoming infected, the question changes from, “Why are we still being infected?” to, “Are we really doing everything we can to prevent becoming infected?”
Even next generation firewalls don’t necessarily see all of the network traffic (traffic may follow patterns that route around the firewall, or SSL-encrypted traffic may not be decrypted on the firewall for deep inspection), and email protection products and services don’t stop every phishing scam. Beyond those gaps, removable media such as USB sticks, tethered smart phones, and CD/DVDs remain potential attack vectors. The best way to provide the most complete coverage possible is to secure your perimeters, your networks, your public and private clouds, and finally—your endpoints.
Traditional anti-virus and anti-malware products use signatures to test files to determine if they are known to be malicious. They remain fairly effective against known threats but allow any zero-day or unknown threat to go undetected until there is a signature available and the signatures are updated on the endpoint. That model doesn’t work well for today’s threats. Attackers can create malware on the fly and the number of variations and mutations can be mind boggling. They only need to find one hole to exploit, while you need to ensure thousands of them remain plugged and inaccessible.
Enter the world of Advanced Endpoint Protection (AEP) and Endpoint Detection and Response (EDR). When coupled with good perimeter and network security plus endpoint OS and application hardening practices, AEP/EDR greatly enhance the security posture of your organization by offering far more protection than is available with a traditional AV or anti-malware product on the endpoints. Advanced endpoint protection products have some or all of the following capabilities:
- Endpoint firewall
- Application control
- Sandboxing (locally, cloud-based, or both)
- System memory monitoring/protection
Some products also offer features and functions such as port/device control (USB and other removable media), rollback capabilities (to recover lost files in the event of ransomware, for example), full disk/file encryption, DLP, endpoint quarantine, and more. Because these capabilities are built around how malware actually infects a system, they go far beyond traditional detection methods and look for abnormal behavior, which requires no signature to detect. As a simple example, a Word document may contain a macro that initiates a network connection to download malware or to load malicious executable code into memory. A traditional AV product misses this unless it has a signature for that specific Word document. However, advanced endpoint products have the ability to see what the Word macro is doing in memory, which processes it is launching or accessing, and whether or not it is creating network connections. Once detected, any or all of these behaviors can be stopped in their tracks.
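As an added example (not ePlus’s code or any product’s logic), here is the kind of behavioral rule such a product applies to the Word-macro scenario, run over constructed endpoint telemetry; the event field names and the trusted-destination suffix are assumptions:

```python
"""Behavioural detection of the Word-macro scenario above. Added example, not
ePlus code or any product's logic. The event schema (type, pid, parent_pid, image,
parent_image, dest_host, dest_port) is assumed; map it onto your agent's or Sysmon's
field names. Events must be supplied in chronological order."""

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Script interpreters and system utilities a document macro has no business launching.
SUSPICIOUS_CHILDREN = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Placeholder suffixes for destinations your Office clients legitimately reach.
TRUSTED_DEST_SUFFIXES = (".corp.example",)


def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect_office_abuse(events):
    """Return (rule, detail) alerts; tracks the process tree so that a shell
    spawned by Word, and that shell's network activity, are both attributed
    to the document rather than judged in isolation."""
    lineage, alerts = {}, []  # lineage: pid -> Office process at the root of its tree
    for ev in events:
        if ev["type"] == "process_create":
            child = _basename(ev["image"])
            root = lineage.get(ev["parent_pid"])
            if root is None and _basename(ev["parent_image"]) in OFFICE_APPS:
                root = _basename(ev["parent_image"])  # parent predates telemetry
            if child in OFFICE_APPS:
                lineage[ev["pid"]] = child
            elif root is not None:
                lineage[ev["pid"]] = root
                if child in SUSPICIOUS_CHILDREN:
                    alerts.append(("office_spawns_interpreter",
                                   f"{root} -> {child} (pid {ev['pid']})"))
        elif ev["type"] == "network_connect":
            root = lineage.get(ev["pid"])
            if root and not ev["dest_host"].lower().endswith(TRUSTED_DEST_SUFFIXES):
                alerts.append(("office_lineage_network",
                               f"{root} tree pid {ev['pid']} -> {ev['dest_host']}:{ev['dest_port']}"))
    return alerts


# Constructed sample telemetry (not real data): Word spawns PowerShell, which calls out
# to an untrusted address; Word's own fetch from a trusted internal host is benign.
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 3050, "parent_pid": 1200,
     "parent_image": r"C:\Windows\explorer.exe", "image": WORD},
    {"type": "process_create", "pid": 4100, "parent_pid": 3050, "parent_image": WORD,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "network_connect", "pid": 4100, "dest_host": "203.0.113.17", "dest_port": 8080},
    {"type": "network_connect", "pid": 3050, "dest_host": "files.corp.example", "dest_port": 443},
]
```

Running `detect_office_abuse(SAMPLE_EVENTS)` yields two alerts, one for the interpreter launch and one for its outbound connection, while the trusted-host fetch is left alone.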
Attackers and malware aren’t going away. If anything, the business of being bad is paying off and is on the rise. Some very good people are inadvertently doing “bad” things – opening an attachment, clicking on a link in an email, sharing files in the cloud and via USB sticks, and so on. Security awareness training, though very necessary, just isn’t enough–and neither is just having AV and a firewall. Cover your security bases with the best and broadest endpoint protection possible.
Want to learn more about advanced endpoint protection and how to increase your organization’s security posture? Contact ePlus to arrange for an Advanced Endpoint Workshop, or send email to firstname.lastname@example.org.