The fall and rise of endpoint security

Johannesburg, 02 Mar 2020
Read time 4min 20sec
Pieter Nel, Regional Head – SADC, Sophos
Pieter Nel, Regional Head – SADC, Sophos

Anti-virus software was once good enough to maintain security. But those days are far behind us. Demands on digital security are more complex and urgent, and threats seem to appear from every angle. In this space, is there still a role for endpoint security?

The short answer is 'yes!' mainly because the endpoint remains one of the favoured soft spots that cyber criminals target. It is the place where they can find end-users, often cited as the weakest link in security systems.

The changing behaviour of endpoint attacks echoes this. Word processing documents such as .doc and .dot, and not the once-dominant .exe, are the most common file attachments used in e-mail attacks. Devices are also targeted at the endpoint, where fractured operating systems and emphasis on convenience over security has left many holes to exploit.

In other words, you have to have endpoint security. But will it work?

Known knowns

Endpoint security has enhanced itself in numerous ways, which we will explore later. But it's important to understand why endpoint security fails against today's threats.

Endpoint security is like a bouncer with the names of people they should keep out. If a threat arrives and matches a signature, it is flagged and removed. This tactic worked perfectly fine for pre- and low-connected systems. But in today's always-connected and interconnected market, its impact is limited.

"Traditional endpoint protection solutions are very effective against known threats, because of a variety of foundational techniques that they rely on," says Pieter Nel, Sophos' SADC Regional Head. "However, as the threat landscape has shifted, unknown threats such as malware that has never been seen before, have become more and more common. In SophosLabs, we see 400 000 unique new pieces of malware per day."

Traditional endpoint security can't keep up with the rapid evolutions that criminals make to their code. Malware, a security threat that only arrived in the past two decades, is a prime example of this fluidity — new variations of malware are continually being produced.

It should be added that the most popular malware has been around for years. These exploit the fact that people don't patch their systems or update their security behaviour often enough. In this area, signature-hunting security can be very effective. Yet if addressing laziness is the best a security product can offer, it's bound to fail against motivated and creative human attackers. Endpoint protection can't replace good security habits.

Redefining the endpoint

Traditional endpoint security falls short because the types of attacks available are much broader and more creative. At the same time, the connected world has dramatically increased the speed and scale of attacks. These factors hint at what endpoint security should be, says Nel: "An endpoint security solution is just one part of an overall security strategy. Organisations should look beyond the endpoint towards protecting the entire environment. Ideally, a single vendor provides solutions that work together to give consistent protection and policy enforcement throughout your organisation."

Modern endpoint solutions go beyond chasing signatures for viruses and malware. Contemporary features include application lockdown, behavioural monitoring, Web protection and data loss prevention. New generation security is also emerging through the endpoint in the guise of machine learning, anti-exploit (for unpatched vulnerabilities), credential theft protection, process protection against privilege escalation, and endpoint detection and response.

That's a mouthful, and companies are struggling to make sense of it all: "While there are advanced technologies available, a lack of understanding of how they work makes it hard for organisations to evaluate them effectively and put in place the necessary protection. Organisations should also assume that a threat will get through their defences and equip the organisation with endpoint security accordingly."

Shopping for an endpoint solution doesn't mean focusing on one primary feature. Being able to detect 99% or 100% of all known threats is not enough, and pursuing a single dominant feature translates into a single point of failure. Modern cyber security requires several active layers, which can prevent breaches but also mitigate them when breaches do happen.

Endpoint security is still an essential part of any security strategy. It shouldn't be left out, despite its shortcomings. All security products have weaknesses – effective security relies on different services working together to cover each other.

So, don't be impressed by the vendor stats. Ask the more penetrating questions, Nel concludes: "As part of an endpoint security evaluation, ask different vendors what techniques are included in their solution. How strong are each of their components? What threats are they built to stop? Do they rely only on one primary technique? What if it fails?"