While attacks on user devices become a favorite point of entry for attackers, most enterprises can’t see what’s happening to them
For most enterprises, the endpoint has become the weakest link – and the attacker’s target of choice. Take a look at this year’s Verizon Data Breach Investigations Report. Endpoints – desktops, laptops, and ATMs – accounted for more than three quarters (77 percent) of all breaches last year. The top two categories of people associated with breaches were end users and customer service representatives (63 percent). Almost all (95 percent) of the breaches in the study involved some type of social engineering attack on a user.
Yet, while most of the bad guys have recognized the endpoint as the low-hanging fruit on the enterprise data tree, most enterprises have not. While corporations have spent billions of dollars on technology for monitoring and managing security in the data center, on servers, and in the network, most of them have very little visibility into the endpoint. From a security perspective, in fact, the endpoint has become the enterprise’s most dangerous blind spot.
Think about it. In your enterprise, the desktops, laptops, and smartphones might have antivirus software, authentication tools, or even full-disk encryption. But do you have a way to spot users who have turned off their personal firewalls? Can you tell if an end station has changed its configuration to connect to an insecure Wi-Fi network? If an infected PC became a zombie in a new botnet, how long would it take your administrators to detect this activity?
The fact is that most enterprises have instrumented their servers and networks to report anomalous activity, but they generally have not instrumented their endpoints to do the same. Oh, they might have a way to track a lost laptop or spot known infections, but there generally is no way to detect configuration changes or behaviors that might indicate zero-day malware activity. As the Verizon report indicates, they may go for months, even years, before spotting a problem.
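As an added illustration (not part of the original column, and not Triumfant's or any vendor's code), here is the kind of baseline-versus-current posture diff that an endpoint agent performs to answer the questions above. It runs over two constructed snapshots of a hypothetical Windows workstation: every field name, SSID, path and autorun entry is invented for the example, and the severity rules are assumptions, not anything the column specifies.

```python
"""Endpoint change detection, in miniature: diff a current posture snapshot
against a recorded baseline and raise alerts for security-relevant drift
(host firewall off, AV real-time protection off, agent stopped, new Wi-Fi
profile, new persistence entry)."""

from dataclasses import dataclass
from typing import Dict, List

# Constructed baseline snapshot of a hypothetical workstation (not real data).
BASELINE = {
    "firewall": {"domain": True, "private": True, "public": True},
    "av_realtime": True,
    "agent_running": True,
    "wifi_profiles": {"corp-wpa2": "WPA2-Enterprise"},
    "autoruns": {
        "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
    },
}

# Constructed later snapshot showing several of the changes the column asks about.
CURRENT = {
    "firewall": {"domain": True, "private": True, "public": False},
    "av_realtime": False,
    "agent_running": True,
    "wifi_profiles": {"corp-wpa2": "WPA2-Enterprise", "CoffeeShop_Free": "open"},
    "autoruns": {
        "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
        "svchost32": r"C:\Users\alice\AppData\Roaming\svchost32.exe",
    },
}


@dataclass(frozen=True)
class Alert:
    severity: str  # "high" or "medium" (assumed two-level scale)
    check: str     # which rule fired
    detail: str    # human-readable explanation


def diff_posture(baseline: Dict, current: Dict) -> List[Alert]:
    """Compare two posture snapshots and return the security-relevant changes."""
    alerts: List[Alert] = []

    # 1. Host firewall disabled on any profile that was enabled at baseline.
    for profile, was_on in baseline["firewall"].items():
        if was_on and not current["firewall"].get(profile, False):
            alerts.append(Alert("high", "firewall", f"{profile} profile firewall disabled"))

    # 2. Antivirus real-time protection switched off.
    if baseline["av_realtime"] and not current["av_realtime"]:
        alerts.append(Alert("high", "av", "real-time protection disabled"))

    # 3. The monitoring agent itself stopped (tampering or a crash).
    if baseline["agent_running"] and not current["agent_running"]:
        alerts.append(Alert("high", "agent", "endpoint agent not running"))

    # 4. New Wi-Fi profiles; an open (unauthenticated) network is rated higher.
    for ssid, auth in current["wifi_profiles"].items():
        if ssid not in baseline["wifi_profiles"]:
            sev = "high" if auth.lower() == "open" else "medium"
            alerts.append(Alert(sev, "wifi", f"new Wi-Fi profile {ssid!r} ({auth})"))

    # 5. New persistence entries; binaries in user-writable locations rate higher.
    for name, path in current["autoruns"].items():
        if name not in baseline["autoruns"]:
            sev = "high" if ("\\AppData\\" in path or "\\Temp\\" in path) else "medium"
            alerts.append(Alert(sev, "autorun", f"new autorun {name!r} -> {path}"))

    return alerts


def summarize(alerts: List[Alert]) -> Dict[str, int]:
    """Count alerts by severity so a console can triage the noisy endpoints first."""
    return {
        "high": sum(1 for a in alerts if a.severity == "high"),
        "medium": sum(1 for a in alerts if a.severity == "medium"),
    }


if __name__ == "__main__":
    found = diff_posture(BASELINE, CURRENT)
    for a in found:
        print(f"[{a.severity.upper()}] {a.check}: {a.detail}")
    print(summarize(found))
```

On a real Windows host the snapshot fields would be filled from sources such as `Get-NetFirewallProfile` and `netsh wlan show profiles`; here the logic runs only over the constructed dictionaries. The point the column makes is the third rule: an agent that cannot report its own absence gives the security team nothing, so "agent not running" has to be an alert raised somewhere other than on the endpoint itself.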
Much of the problem stems from enterprises’ resistance to the concept of “agents,” those small pieces of software that sit on the endpoint and report anomalous behavior back to the security team. Years ago, agents were bulky and intrusive, often creating performance problems on the endpoint device or even preventing devices from operating properly. And there were so many different products that proposed to add an agent to the end station that many enterprises boycotted them altogether.
Today, however, agents have become the last, best hope for tracking risky end user behavior. Yesterday’s signature-based tools simply no longer cut the mustard – with so many new threats emerging every day, they have become bloated and unable to stop the rapidly morphing attacks being sent against them. Perhaps even more importantly, most endpoint defense tools don’t flag the security team when key features are turned off by the user, or when telltale malware behaviors have begun. The only way to recognize these developments is through an agent that is tuned to recognize them and cannot be turned off by the end user.
And agent technology has improved significantly. My company, Triumfant, has developed a lightweight agent that can report virtually any change on the endpoint without affecting performance, adding appreciable memory overhead, or incurring high costs. And we are not the only company that is doing so – a number of other security vendors also are using lightweight agents in their products that help enterprises monitor the security posture of the end station without inhibiting the user experience or adding heavy overhead. Today, it is practical to instrument the endpoint with real monitoring and change management technology – the same types of technology that previously were limited to servers and enterprise networks.
As long as attackers and malware developers know that their exploits at the endpoint will not be detected, they will continue to take advantage of them. It’s time for enterprises to extend their visibility into endpoint security and stop the attacks before they happen – instead of months or years later, after Verizon or some other third party has been called in to pick up the pieces after a breach.
- John Prisco, CEO, Triumfant