Endpoint Security Series: Introduction to the Threat Landscape

This is the first in a series of posts we’ll be featuring over the next few weeks to highlight various endpoint solutions, their key differentiators, and how they could help your organization. Here are the solutions we will be covering:

When I first started in IT almost 20 years ago, the only endpoint security decision was whether to purchase Trend Micro, Symantec, or McAfee antivirus. Over the last 10 years, the number of threats and threat vectors has grown exponentially. Likewise, the number of endpoint security products and their features have become much more diverse. The current threat landscape has given rise to a few different types of endpoint security solutions.

Ransomware has become every CISO’s greatest fear. Ransomware attackers are shifting their sights away from smaller businesses in favor of targeting larger corporations. Just this July the navigation company Garmin was crippled for days until it paid a multi-million dollar ransom. The following week, camera manufacturer Canon was hit by ransomware but refused to pay the ransom. Now the attackers are threatening to leak 10TB of pictures and data they have stolen. You can also add Carnival Cruises to the list of large companies affected by ransomware in the last month.

Over the last 10 months, endpoint security has become more important than ever. The COVID-19 pandemic has opened new doors for attackers. The FBI recently published a FLASH warning stating that attackers are taking advantage of COVID-19 fears and spreading the Netwalker ransomware by “luring unsuspecting victims with pandemic related phishing emails.” The same warning applies to the current election season: domestic and foreign attackers will take advantage of the election year to lure victims into their phishing traps. Protecting our colleagues from detonating ransomware or other payloads is critical and cannot be ignored.

With the majority of the workforce still working from their home offices, the bulk of our endpoints are no longer used primarily onsite. Onsite is also where we’ve spent the most time securing our networks, and where our endpoints typically enjoy the protection of an entire stack of network security solutions. The blur between personal life and work has led to an increase in personal activities on work computers, exposing endpoints to more opportunities for attack. The ability to protect our endpoints on unknown networks is more important than ever.

There are two primary types of next-generation endpoint protection products: Endpoint Protection Platforms (EPP) and Endpoint Detection and Response (EDR). At first glance it may seem that having an EDR solution removes the need to invest in EPP. However, EDR is actually very complementary to an EPP, so much so that many endpoint solution providers combine them into one product.

Endpoint Protection Platforms (EPP) are similar to traditional antivirus products. These next-generation products can protect your endpoints from known and unknown threats by using machine learning, AI, known threat signatures, sandboxing, firewall rules, and behavior analysis. These tools will stop viruses, malware, ransomware, and even zero-day exploits. Generally, these tools are more of a passive product that does its job with minimal day-to-day interaction from a security administrator.

Endpoint Detection and Response (EDR) solutions provide full real-time visibility of all your endpoints and their activity. These tools are used to investigate both current and past breaches. EDR solutions can show the history of an attack and all the processes and systems that were affected, and provide a remediation path. These products can isolate incidents before they spread across your network to other endpoints. They are also used to detect non-file-based (fileless) attacks by identifying anomalies in endpoint activity rather than matching file signatures. Remediation actions can be taken through a combination of manual resolution by a security team, outsourcing to a solution provider, or having fixes applied through automated processes.
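As an added illustration of the EDR behaviour described above (example code written for this post, not code from the original article or from any vendor's product), the following Python runs a parent/child behaviour rule over constructed process-creation telemetry, reconstructs the process lineage around a hit, and lists hosts that are candidates for containment. The field names, rule sets and events are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed process-creation telemetry, in the shape an EDR sensor might
# stream it (hypothetical field names, not any vendor's schema).
EVENTS = [
    {"ts": 1, "host": "wks01", "pid": 100, "ppid": 1,   "image": "explorer.exe",   "cmd": "explorer.exe"},
    {"ts": 2, "host": "wks01", "pid": 200, "ppid": 100, "image": "outlook.exe",    "cmd": "outlook.exe"},
    {"ts": 3, "host": "wks01", "pid": 300, "ppid": 200, "image": "winword.exe",    "cmd": "winword.exe /n invoice.docm"},
    {"ts": 4, "host": "wks01", "pid": 400, "ppid": 300, "image": "powershell.exe",
     "cmd": "powershell.exe -nop -w hidden -EncodedCommand <constructed>"},
    {"ts": 5, "host": "wks01", "pid": 500, "ppid": 400, "image": "rundll32.exe",   "cmd": "rundll32.exe"},
    {"ts": 6, "host": "wks01", "pid": 600, "ppid": 100, "image": "chrome.exe",     "cmd": "chrome.exe"},
]

# Behaviour rule inputs (assumed): a document handler spawning a script
# interpreter, or an interpreter run with in-memory/encoded options, is
# anomalous. No file hash or signature is consulted.
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
FILELESS_FLAGS = ("-encodedcommand", "-enc ", "iex ", "downloadstring")

def index_by_pid(events):
    return {e["pid"]: e for e in events}

def detect_anomalies(events):
    """Return pids whose parent/child pairing or command line matches a rule."""
    by_pid = index_by_pid(events)
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        office_child = parent is not None and parent["image"] in OFFICE and e["image"] in INTERPRETERS
        encoded = e["image"] in INTERPRETERS and any(f in e["cmd"].lower() for f in FILELESS_FLAGS)
        if office_child or encoded:
            hits.append(e["pid"])
    return hits

def attack_lineage(events, pid):
    """Ancestors (how the hit came to run) and descendants (what it went on to
    spawn): the attack history and affected-process set an analyst reviews."""
    by_pid = index_by_pid(events)
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e["pid"])
    ancestors, cur = [], by_pid[pid]["ppid"]
    while cur in by_pid:
        ancestors.append(cur)
        cur = by_pid[cur]["ppid"]
    descendants, stack = [], list(children[pid])
    while stack:
        c = stack.pop()
        descendants.append(c)
        stack.extend(children[c])
    return {"ancestors": ancestors[::-1], "descendants": sorted(descendants)}

def hosts_to_isolate(events, hits):
    """Hosts with at least one hit: candidates for network containment."""
    by_pid = index_by_pid(events)
    return sorted({by_pid[p]["host"] for p in hits})
```

In the constructed data the only hit is the PowerShell process spawned by Word, its lineage runs back through Outlook to Explorer, and the one host is flagged for isolation.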

Understanding the threat landscape is the first step in identifying a solution that can keep your users secure. Now that we’ve laid the foundation and provided an overview of the different endpoint approaches, we can start to dive into specific solutions. Check back next week for our first endpoint solution feature: CrowdStrike.

About the Author: These posts are written by Jeff Schaefer, a Security Engineer at Vandis with extensive experience in endpoint security. Jeff has been in the IT industry for almost 20 years, familiarizing himself with all areas of infrastructure before focusing on security solutions. Recently, Jeff has spent a great deal of time talking with technology manufacturers and doing independent research to give effective guidance to organizations around endpoint security strategies and initiatives.