Nontraditional endpoints are a glaring, yet under-addressed, security risk

Windows-open-no-breeze_1.gif

The past few years have been big for breach news: Nearly 2 billion records were compromised in 2016 alone — making security a priority for many technology leaders.

Analysis from F-Secure Labs found that cyberattack volume doubled in the first half of 2017, while the National Cyber Security Alliance found that almost 50 percent of small businesses have experienced a cyberattack. In the 2017 U.S. State of Cybercrime report, published by CSO, researchers predict that cyber crime damage costs will hit $6 trillion annually by 2021.

Companies across industries are embracing cloud services and enabling employees to work from their mobile devices. Thanks to these devices, employees can work anytime, anywhere, which is a boon for operational efficiency, productivity, and employee satisfaction. This rise in mobility also means the way people work has become more distributed and virtualized. Without some forethought these mobile devices become endpoints that are susceptible to security incidents.

Nontraditional endpoints for access to cloud services, like mobile devices, are often overlooked from a security standpoint, which makes them extremely vulnerable. According to the Forrester Consulting research commissioned by Google Cloud, “Rethink Enterprise Endpoint Security In The Cloud Computing Era,” nearly two-thirds of external attacks last year targeted a corporate-owned or employee-owned mobile device. That makes mobile devices big bullseyes to hackers.  

“Enterprises need to expect that the endpoints are going to be attacked and expect that they are going to be vulnerable,” said Matthew O'Connor, head of security and compliance, Google Cloud Platform. “These kinds of threats are not going to go away.”

Don’t overlook personal devices, browser-centric apps, and APIs
The nature of work is changing, and with it, enterprise infrastructure. By taking advantage of web-based apps and modern architectures, IT can deliver applications or information to employee smartphones.

This shift does require that security approaches evolve — and not all companies have taken the necessary steps. Personal devices, browser-centric business apps, and APIs make enterprise attack surfaces bigger, which create security concerns that hackers have noticed. These endpoints heighten the risk of attack unless enterprises invest in closing the gap between the user and the cloud platform.

Forrester found that despite universal concerns about API security, only 44 percent of security decision makers consider APIs as part of their endpoint security strategy. While most companies allow employees to access resources through personal devices, just 43 percent consider personal smartphones part of their endpoint strategy.

Furthermore, only 35 percent of security professionals feel their organization is very effective at managing access to enterprise assets, and only 32 percent said the same about monitoring endpoints for malicious activities. It’s no surprise then that more than half of global enterprises experienced at least one compromise or breach between 2015 and 2016 — a five percent increase over the previous year.   

Make authentication a key part of multiple device management
In the face of pervasive threats, forward-thinking IT teams need to include nontraditional endpoints, such as employees’ personal devices and APIs, in their security planning.

“Companies need to make sure they have a plan, a roadmap on how they are going to roll things out, and they need to pay attention to their use cases,” said O’Connor. “It's worth doing the due diligence, taking your time, and being meticulous about how you address endpoint security. It’s important to understand that the physical and technical measures you take to protect and provide endpoint security go hand-in-hand with identity and access management, as well as policy.”

Embracing multiple device management (MDM) is something all enterprises should be thinking about with regards to endpoint security. A single employee may switch back-and-forth between a smartphone, tablet, laptop, and PC, and each of those devices needs to be secured through measures like screen locks, strong passwords, and remote device wipe capabilities, which protect devices that are lost or stolen.

Physical two-factor authentication and other forms of identity verification are also key to keeping data safe. Google Cloud Platform client Microchip Technology has learned that authentication devices featuring hardware-based root of trust storage and cryptographic countermeasures can fight off even the most aggressive attacks. Because attackers cannot see secret keys that are stored in protected hardware, they cannot attack.  

“We believe the cornerstone of endpoint security is authentication,” said Nicolas Schieli, Microchip Technology’s senior manager of strategic marketing and application engineering. “How can a connected device prove it has a legitimate identity to this remote cloud server? You can equate it to when someone has to present a passport to immigration when crossing the border — you have to prove who you are.”

In addition to authenticating a unique, trusted, and protected identity, endpoint protection requires a resilient and resistant platform that can be updated quickly. How can you achieve resilience? Through the operating systems (OS) and browsers. A secure, cloud-optimized OS makes updating simpler, especially if your workforce primarily accesses cloud-based services, and allows companies to take advantage of cloud service providers’ (CSP) security programs. With browsers, companies should think about standardizing on one browser in order to make it easier to update and for corporate app developers to build upon.

A strategy where the OS and browser are optimized and connected to the cloud is the best line of defense. Updates can be deployed to both systems automatically, which reduces risk because users are no longer faced with constant requests to update, which often go ignored. Moreover, a cloud-based OS and browser creates a consistent point of control for endpoint security, making it easier for IT to manage.

Attackers usually deploy a range of techniques, so effective vulnerability management must address the entire endpoint security stack, including the connection between browsers and APIs. The platform should compartmentalize user tasks and apply protections to holistically protect the system or device from even inadvertent misuse.

“Attackers look for what is the weakest point in the whole chain and it’s not going to be on the server side,” said Xavier Bignalet, security product manager, Microchip Technology. “Attackers are going to look at new areas because that’s where the security is weak. If you don’t protect yourself, an attack could have a negative impact on your brand, company, IP, customers, and of course, revenue.”

Security strategy not only depends on technical solutions, such as security keys and two-factor authentication, but also on actual humans following best practices.

“I think that IT leadership is realizing that they have to embrace education,” said O’Connor. “One lesson we learned at Google is that if we explain to our users why we are expecting them to act a certain way, or what we want them to look for, by explaining the threat, there is a higher acceptance of that education. People get it.”

Prioritize threat and malware detection
Endpoint security is a critical, yet often overlooked, risk that organizations can’t afford to ignore any longer. Change can take effort, but it’s important for CISOs to have the endpoint security conversation sooner rather than later.

A good place to start is by analyzing what your organization is able to do today and where you want to go. Forrester’s survey data reveals IT decision makers’ top priorities in endpoint security are: improve threat detection capabilities (48 percent); improve malware detection (47 percent); and improve network analytics (42 percent). Along the same lines, the top outcomes they seek are: improved detection capabilities (75 percent); fewer breaches/attacks (75 percent); real-time control of endpoint (73 percent) and reduced attack surface (72 percent).

Practically, IT can achieve these goals by reducing the latency between when updates are available for endpoints and when those updates are actually installed by employees. In a manual setting where IT is receiving the updates from a vendor, assessing them, and then notifying the organization about the update, a significant period of time passes in which vulnerabilities could be exploited. Cloud-based systems update automatically and cloud vendors offer a range of managed services, freeing up time and energy for IT to focus on higher value IT projects.

ezgif.com-optimize.gif

These priorities and outcomes serve as a good game plan for companies that are just starting out. Along the way, remember that vulnerability management is essential for the entire endpoint security stack. Consider the connection between browsers and APIs, and keep in mind that resilience is a key factor in protecting user data.

An attack can come from anywhere, so organizations need a top-down approach that enables them to quickly swing into action. If a breach is identified, there should be a clear plan of action for how to handle the situation, who does what, and in what order. There’s also no shame in seeking out expert help when needed.

CSPs are increasingly relevant players in providing security expertise, along with endpoint tools and integrations. To get the most out of their CSP, companies should make sure to ask about the shared responsibility model. Who is responsible for what? Based on that information, IT teams can prioritize the things that add the most value to the organization and the vendor can tackle the rest. Endpoints present a big risk, but you don’t have to defend them alone.