Why embracing holistic endpoint protection is critical

Michael Henderson
| 3/14/2022
Why embracing holistic endpoint protection is critical

Endpoint protection has evolved, and so should organizations.

As industry solutions attempt to keep pace with cybersecurity threats from malware attacks, organizations often make mistakes, such as depending solely on antivirus solutions, relying on outdated internal controls, and failing to perform adequate reevaluation of their defensive postures. Taking proactive steps to improve endpoint protection can help organizations mitigate risk and strengthen their defenses.

Understanding the evolution of endpoint protection 

According to the Verizon 2021 Data Breach Investigations Report (DBIR), using malicious software (malware) in the middle and end stages of a data breach event is the most common action taken by cybersecurity attackers. Malware was involved in nearly 80% of system intrusion breaches, and ransomware affected 10% of all breaches in the latest DBIR data set. Given this reality, organizations should take steps to verify whether their existing internal controls sufficiently address the risk posed by malware. 

From a compliance standpoint, traditional antivirus software with signature-based malware identification has long served as a standard internal control. The signatures are essentially footprints of known-bad malware and viruses, which means that for this type of antivirus to recognize malware trying to execute on an endpoint, it must contain a piece of something bad that has been seen before. As one might imagine, fooling traditional antivirus software by disguising malware or deploying malware that has never been seen before became trivial for expert threat actors, who could bypass antivirus software and leave the endpoint at the mercy of malware.

Sign up to receive the latest cybersecurity insights on identifying threats, managing risk, and strengthening your organization’s security posture.

Using only signatures as the basis for detecting malware became a less-than-optimal approach. In response to the growth of malware variants and evasion techniques, solution providers developed additional tools for the endpoint protection arsenal, including heuristic analysis, behavior detection, and sandboxing. These developments resulted in new product classes and market names for endpoint solutions, such as next-generation antivirus (NGAV) and endpoint protection platforms (EPP).

What ensued was a decades-long game of cat and mouse between attackers and defenders as developers observed and documented attacker techniques and imported them into endpoint protection products. Attackers then developed more novel methods, and the cycle repeated. Heuristic and behavioral analyses attempted to predict new malware patterns based on old ones, but attackers incorporated encryption, fileless (in-memory) execution, firmware injection, and living-off-the-land techniques to defeat the predictions. 

Many solutions also incorporated sandboxing, which is a method of safely executing potential malware (sometimes in the cloud) to see how it behaves before allowing it to run on an endpoint. Attackers found ways to escape those sandboxes too, and some even used the sandboxes as part of their attack chain to help exfiltrate data out of target networks.

Endpoint security solution providers have gotten wiser, and in addition to incorporating past techniques and research to prevent malware from running, they have expanded more holistically into endpoint detection and response (EDR) and, most recently, extended detection and response (XDR). These solutions go beyond simply stopping malware, and they do a better job of alerting security teams when – not if – anomalous activity is detected.

Refocusing and reevaluating

Several aspects of business and life during the COVID-19 pandemic seem to have pushed many organizations into a type of survival mode, and understandably so. The shift to remote work environments, disruptive technology changes, and high-impact and high-profile security events have, for some organizations, led to a tyranny-of-the-urgent mess. 

However, lessons learned from breach research data show that, just by paying a reasonable amount of attention to primary controls, organizations can significantly improve their defensive postures. Useful questions organizations can ask themselves include: 

  • Are we still using a traditional, signature-based antivirus?
  • How long has it been since we evaluated our endpoint security approach?
  • Did we define exceptions or configure settings years ago and not revisit them? 
  • Do we know where our gaps in antimalware coverage are? 

It’s not enough to confirm, year after year, that antivirus software is installed, gets updated, and periodically scans the network. As the threat landscape and controls evolve, so too should the measures used to evaluate those controls. Organizations need to identify an individual who pays attention to the changing landscape and updates their control set accordingly. These changes should also cascade down to audits and security assessments to make sure the controls mature to a higher standard.

Strengthening endpoint protection now – not later 

To stay abreast of threats, organizations should reevaluate their antivirus controls and ditch any mentality that leads to complacency – including check-the-box compliance. Regular, comprehensive risk assessment and threat evaluation along with updates to corresponding internal control structures should be business-as-usual activities.

When it comes to their endpoint security controls and strategies, organizations should take a proactive approach, challenging themselves to network with other companies and professionals, learn about solution provider products, and hire trusted consultants and auditors who can help them navigate the muddy waters of cybersecurity. Consultants can help organizations move toward a cloud-based solution, choose a particular EDR vendor, invest in the latest XDR platform, or take a moving target-defense approach that uses traditional antivirus software alongside a product that prevents sophisticated attacks from launching. 

Endpoint protection has evolved past antivirus solutions, and so should organizations. Instead of waiting for a new cybersecurity insurance requirement, a breach, a change to some security standard, or an external compliance requirement to improve internal controls, organizations should be continually learning and making adjustments. Commensurate with resources and risk posture, the time to build an effective endpoint protection program is now.


Is there a topic you’d like to read about?

Let us know.