Can Endpoint Protection Keep up With Modern Threats?

Endpoint protection is a security approach that focuses on monitoring and securing endpoints, such as desktops, mobile devices, laptops, and tablets. It involves deploying security solutions on endpoints to monitor and protect these devices against cyber threats. The goal is to establish protection regardless of the endpoint’s location, inside or outside the network.

In this article, I’ll briefly review current endpoint security technologies, describe the threat landscape, and point out where endpoint protection falls short in protecting your organization.

Endpoint Security Solutions

Here are the three notable security solutions that can help you mitigate endpoint risks:

Endpoint Detection and Response Tools

Endpoint detection and response (EDR) solutions continuously monitor the network. EDR tools collect and analyze threat data from endpoints, searching for anomalous behavior that indicates a security breach. The goal is to facilitate faster response time and reduce the impact of breaches. EDR tools integrate with notification systems and on-call management tools to ensure that security teams are immediately aware of breaches on endpoints. 

Managed Detection and Response Services

Managed detection and response (MDR) services are supported by expert security personnel dedicated to performing monitoring, detection, and response tasks. Organizations can employ MDR services to help fill in the cybersecurity skills gap and ensure their networks and endpoints are properly secured. 

Extended Detection and Response Platforms

Extended detection and response (XDR) platforms centralize your detection and response efforts into one platform. Organizations can leverage XDR capabilities to automate the collection and correlation of data across all security layers. It helps break down data silos to identify evasive attacks. 

XDR platforms employ both network and endpoint monitoring to extend visibility into all devices on the network. These platforms can also initiate automated processes to alert security teams when threats are detected. XDR is one of the foundational technologies of a Zero Trust security approach, in which the network denies connections by default, continuously verifies access even for connections within the network, and automatically detects anomalies.

XDR solutions are used for end-to-end detection and response of security incidents, so they often integrate with notification systems to push alerts to security staff. Alerts can either be notifications of automated responses performed by the XDR system, or new incidents awaiting triage and response by human security analysts.

Endpoint Attack Tiers

Modern threats facing endpoints fall into four primary attack tiers.

Tier 1: Opportunistic Attacks

An opportunistic attack uses basic techniques such as malicious scripts or malware to compromise an endpoint. This type of attack relies on large-scale exploit attempts, not on specific knowledge of an organization’s network vulnerabilities. Opportunistic attackers rely on the fact that most organizations fail to install security patches immediately. At the same time, users often lack adequate security awareness. Attackers typically use an executable file or script to deliver the attack, relying on a user to execute it on the endpoint unwittingly.

Tier 2: Phishing Exploits

A fishing exploit is an opportunistic attack that uses social engineering techniques to compromise an endpoint device. The attacker tricks the user of an endpoint device into providing access, usually via a phishing email or a link to a fake website. The attacker then uses advanced techniques such as software payloads or trojans to collect sensitive information from the user base, enabling the attacker to capture inputs from logins, keystrokes, or company websites.

Tier 3: Targeted Attacks

Attackers can focus on specific targets by exploiting an organization’s unique vulnerabilities. They might look for points of weakness in the target’s infrastructure. This type of attack usually involves a human threat actor with knowledge of an identified vulnerability, whether discovered externally or internally by the organization. The attacker might leverage insider intel or use opportunistic techniques to identify vulnerabilities. Targeted attacks are often difficult to detect because they exploit organization-specific vulnerabilities and use multiple, seemingly innocuous stages. For example, the attacker might carry out a SQL injection attack by sending malicious queries to API endpoints.

Tier 4: Advanced Persistent Threats 

An advanced persistent threat (APT) is a threat actor that resides in the network and avoids detection for a long time. In some cases, APTs can remain undetected for years. This attack type is slow and stealthy, usually focusing on data exfiltration rather than causing direct damage to the system. A major risk for organizations is the involvement of a malicious insider who leverages the inside knowledge of the target environment, disguises malicious activity as legitimate using approved credentials, and can locate high-value data assets.

Can Endpoint Protection Keep Up?

While state of the art endpoint protection solutions can protect against all four the threat tiers described above, they suffer from several weaknesses:

• Legacy devices—most organizations use legacy devices as part of their everyday operations. However, these devices often have a weak security posture, making it harder to implement endpoint protection measures. Legacy devices and systems are typically suited to older networks, so they might not integrate well with modern security tools. It may not be possible to deploy endpoint security on some of these endpoints, exposing them to attacks.
• Complex environments—traditional environments had limited endpoints in scope and diversity, usually with a fixed number of desktops and laptops connected to the network. However, modern enterprise networks often have services distributed across multiple on-premise and cloud-based environments, with many organizations implementing a BYOD policy. Personal devices such as smartphones and tablets allow users to access company services remotely at any time. The growing number of endpoints connected to a network makes it harder to keep track of device vulnerabilities, and makes it impossible to deploy endpoint protection solutions on all endpoints.
• Lack of visibility—the volume and variety of connected devices pose a challenge for maintaining visibility over the network. Security analysts often struggle to identify who and what devices can access the network, creating a blind spot for vulnerabilities and making it harder to manage endpoint-related risks. If an organization is not aware of the endpoints accessing its systems, it also cannot deploy endpoint protection solutions, leaving it exposed to attacks.

Conclusion

Endpoint protection technology has greatly advanced over the past 20 years. State of the art solutions are able to detect and block zero day threats, fileless attacks, and advanced persistent threats (APT) lurking in a network and operating across multiple security silos. However, at the end of the day, endpoint security tools can only protect managed devices, and this is their primary weakness.

In a modern IT environment, it is no longer feasible for organizations to install endpoint protection agents on all endpoints. Users are increasingly using BYOD personal devices, some endpoints are outside the organization’s control (as in the case of cloud resources), and some, like legacy or IoT devices, simply do not support installation of agents in the traditional sense. A new approach to endpoint security is needed, which can detect and respond to threats on endpoints without requiring dedicated security agents on the device.