Today’s cyberattacks can move at lightning speed. WannaCry ransomware, for example, can encrypt a file in under three seconds. NotPetya was specifically designed to spread automatically and quickly, with devastating results. More recently, Ekans ransomware targeted operational technology systems. By the time an organization discovers that an attack is under way, its data has often already been destroyed. Sophisticated attacks such as these will also spread quickly to other devices if prevention and detection capabilities are not in place.
Endpoints are especially at risk. A report from IDC found that 70% of successful network breaches start on endpoint devices. The growing number of exploitable operating system and application vulnerabilities makes endpoints, and IoT endpoints in particular, an irresistible target for cybercriminals. The COVID-19 pandemic made this worse by abruptly forcing employees to work from home across a wide range of endpoints: company-provided laptops, IoT devices and home networks of often questionable security.
Vulnerability management is a further challenge. Patching is difficult to execute at scale, and no matter how hard an organization tries, someone will always open a malicious email attachment. Security teams must therefore operate on the assumption that their endpoints will eventually be compromised. That is why, in addition to prevention, real-time detection and containment are imperative.
Delays in detection and response create great risk
Ransomware can ruin a system, or even an entire network, in seconds, yet most confirmed data breaches have a long dwell time. The mean time to identify a breach is 197 days, and containing it takes another 69 days on average: long enough for even the laziest cybercriminal to browse an organization’s network and extract customer data and corporate resources. Responding manually to automated attacks that operate at machine speed is simply not realistic.
The endpoint security industry has responded by cutting detection times from weeks to days or even hours. That is little comfort to an organization facing high-speed ransomware. Even if an endpoint detection and response (EDR) tool detects an attack in real time, what good is that if containing it then takes an hour or more of manual work?
Dealing with false positives
False positives are a significant impediment to effective detection and response and must be addressed. Even if an organization’s EDR tool responds in real time, what happens when a legitimate application’s activity trips an alert and that application is suspended? The EDR tool must be able to put a block in place without terminating a critical process or quarantining the endpoint.
To do this, a next-generation EDR tool must make an instantaneous assessment of the event in question: block the possible threat first and, if it proves benign, release the block with no detectable impact on the end user. If the event is confirmed malicious, the tool must respond with automated actions such as terminating processes, removing malicious or infected files, isolating the endpoint, notifying users and opening a help desk ticket.
A five-part strategy
To protect the business from today’s rapid-strike attacks, an organization’s EDR tool must have these five crucial elements:
- Discovery: The solution must be able to identify both authorized and rogue devices, so that the full endpoint attack surface is known.
- Prevention: The tool must harden every discovered device it can manage to reduce the attack surface, and it must prevent both known and unknown threats with signatureless blocking. Ideally it operates at the kernel level for the deepest visibility.
- Anomaly detection and blocking: 100% prevention is unrealistic, so the solution must include behavior-based anomaly detection combined with the ability to block a suspect process’s external communications and file system access, stopping breaches and ransomware damage in real time even after a device has been infected.
- Automation and streamlining: The solution should include playbooks that let security teams selectively automate incident response and streamline remediation, all while keeping affected machines online. That avoids interrupting users and disrupting the business without exposing the network to risk; security staff can then remediate the device by taking it offline at a time when that will not affect critical business processes.
- Updated intel: The system should provide detailed information about detected threats that analysts can use to support forensic investigation, anticipate future attacks and ultimately improve the security of the device and of the organization as a whole.
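The loop described in the false-positive section and in the anomaly-detection and automation items above (block first, assess instantly, then release or run the playbook) as an added example in Python. This is not code from the original article or from any EDR product: the behavioral rule, its thresholds, the image allowlist, the playbook and the event stream are all assumptions constructed for the demonstration. A real agent would receive these events from a kernel file-system filter and enforce the deny there; here the return value of `handle()` stands in for that enforcement decision.

```python
"""Toy model of the detect -> provisionally block -> release-or-contain loop.
Added illustration, not any vendor's EDR logic: the rule, thresholds, allowlist,
playbook and event stream are assumptions constructed for this demo."""
from collections import defaultdict, deque
from dataclasses import dataclass
from enum import Enum


class State(Enum):
    NORMAL = "normal"
    PROVISIONAL_BLOCK = "provisional_block"  # file/network I/O denied, process kept alive
    RELEASED = "released"                    # judged benign: block lifted, user sees nothing
    CONTAINED = "contained"                  # judged malicious: playbook executed


@dataclass(frozen=True)
class Event:
    ts: float       # seconds (constructed)
    pid: int
    image: str      # executable path of the acting process
    op: str         # "write" | "rename" | "connect"
    target: str     # file path, or host:port for "connect"
    entropy: float  # Shannon entropy of written bytes (0..8); 0 when nothing is written


# Assumed behavioural rule: one process touching many distinct files with
# high-entropy writes or renames inside a short window looks like a file
# encryptor, whatever its hash or signature.
WINDOW_S, HOT_ENTROPY, HOT_FILE_LIMIT = 5.0, 7.5, 8
SUSPICIOUS_EXT = (".locked", ".crypt", ".enc")
# Playbook entries: (action, automated). Steps that are not automated are
# ticketed, so the host stays online until an analyst picks a quiet moment.
DEFAULT_PLAYBOOK = [("terminate_process", True), ("quarantine_written_files", True),
                    ("block_outbound_for_host", True), ("notify_user", True),
                    ("open_helpdesk_ticket", True), ("take_host_offline_for_reimage", False)]


class Responder:
    def __init__(self, trusted_images, playbook=DEFAULT_PLAYBOOK):
        self.trusted = set(trusted_images)              # assumed signer/reputation allowlist
        self.playbook = playbook
        self.state = defaultdict(lambda: State.NORMAL)  # pid -> State
        self.recent = defaultdict(deque)                # pid -> hot events inside the window
        self.log = []                                   # (pid, what, detail)

    def _hot_targets(self, ev):
        q = self.recent[ev.pid]
        if (ev.op == "write" and ev.entropy >= HOT_ENTROPY) or ev.op == "rename":
            q.append(ev)
        while q and ev.ts - q[0].ts > WINDOW_S:
            q.popleft()
        return {e.target for e in q}

    def _adjudicate(self, image, hot):
        """Instant assessment taken while the provisional block holds (assumed policy)."""
        bad_ext = any(t.lower().endswith(SUSPICIOUS_EXT) for t in hot)
        if image in self.trusted and not bad_ext:
            return State.RELEASED, "trusted image, no suspicious extensions"
        return State.CONTAINED, f"image={image!r} trusted={image in self.trusted} bad_ext={bad_ext}"

    def handle(self, ev):
        """Decide one I/O operation from a kernel sensor: returns 'allow' or 'deny'."""
        st = self.state[ev.pid]
        if st is State.CONTAINED:
            return "deny"                           # a contained process gets nothing through
        hot = self._hot_targets(ev)
        if st is State.NORMAL and len(hot) > HOT_FILE_LIMIT:
            self.state[ev.pid] = State.PROVISIONAL_BLOCK   # hold this op while deciding
            verdict, why = self._adjudicate(ev.image, hot)
            self.state[ev.pid] = verdict
            self.log.append((ev.pid, verdict.value, why))
            if verdict is State.CONTAINED:
                self.log.extend((ev.pid, action, "auto" if auto else "ticketed")
                                for action, auto in self.playbook)
                return "deny"
            return "allow"                          # false positive: released, no visible impact
        return "allow"


BACKUP = r"C:\Program Files\Backup\backup.exe"
MALWARE = r"C:\Users\u\AppData\Local\Temp\inv.exe"


def constructed_stream():
    """Constructed sample: a backup job writing compressed (high-entropy) archives,
    and an encryptor rewriting documents and renaming them to .locked."""
    evs = [Event(100.0 + i * 0.1, 4242, BACKUP, "write", f"D:\\bak\\vol{i}.bak", 7.8)
           for i in range(10)]
    for i in range(6):
        doc = f"C:\\Users\\u\\Docs\\f{i}.docx"
        evs.append(Event(100.0 + i * 0.2, 6666, MALWARE, "write", doc, 7.9))
        evs.append(Event(100.05 + i * 0.2, 6666, MALWARE, "rename", doc + ".locked", 0.0))
    evs.append(Event(103.0, 6666, MALWARE, "connect", "198.51.100.7:443", 0.0))
    return sorted(evs, key=lambda e: e.ts)


def run_demo():
    r = Responder(trusted_images={BACKUP})
    decisions = [(ev.pid, r.handle(ev)) for ev in constructed_stream()]
    return {"backup_state": r.state[4242].value, "malware_state": r.state[6666].value,
            "backup_denied": sum(d == "deny" for pid, d in decisions if pid == 4242),
            "malware_denied": sum(d == "deny" for pid, d in decisions if pid == 6666),
            "ticketed": [a for _, a, how in r.log if how == "ticketed"]}
```

Calling `run_demo()` shows both halves of the argument. The backup job trips the same behavioral rule as the encryptor and is provisionally blocked, but is released on the spot because its image is allowlisted and nothing was renamed to a ransom extension, so not one of its writes is denied. The encryptor is contained at the ninth hot target: that operation and every later one, including its outbound connection, is denied, the automated playbook steps run with the host still online, and only the reimage step is left for a ticket.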
Removing threats, staying productive
Modern EDR solutions are a vast improvement over blunt endpoint isolation. A tool that automates a response such as isolating the endpoint could hurt a user or an entire department, especially given the risk of false positives; an EDR solution would quickly lose organizational support if it shut down computers every time it saw a suspicious event.
With the latest EDR technologies in place, a threat is neutralized as soon as the EDR tool denies it access to files and to the network. The organization’s network stays up and its users remain productive while the system secures endpoints in real time. Such a system can put an end to alert fatigue and to the fear of being breached, while using advanced automation to make the most of the security operations team’s resources.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.