In a recent SANS Survey of IT Professionals who voiced concerns about endpoint security, several alarming patterns emerged, all pointing to continued escalation of risk to organizations of every size.
Organizations are increasingly deploying a greater number and wider variety of connected devices. This list includes: desktop computers, employer-owned laptops, network devices and servers, mobile devices, even cloud-based systems, Internet of Things (IoT) devices, mobile and network devices, and wearables.
The variety of connected devices is challenging the “standard remediation model.” In addition, the BYOD or Bring Your Own Device policy, which allows employees to connect their personal devices to corporate networks adds a greater level of uncertainty and lack of control for IT teams. Leveraging tools such as ‘automatic updates,’ Windows Server Update Services, and even many patching services fails to address the range of devices and the complexity of a hyper-connected environment.
As the number of devices has grown, knowledge about who is using what systems has diminished. According to this survey, only 34% of respondents could consistently connect users to systems. This is a key finding since not knowing who is using your systems and when, adds another significant level of complexity to identifying anomalous behavior.
Of the infections identified in 2018, 47% were caught by antivirus. Yet detection technologies that look at user and system behavior or provide context awareness were much less involved in detecting breaches. "Only 23% of respondents' compromises were detected through attach behavior modeling and only 11% of compromises with behavior analytics. Because user and machine behaviors are the cause of most endpoint breaches, these technologies are critical for endpoint detection and response."¹
Even more concerning is that 84% of endpoint breaches included more than the endpoints. While the majority of attacks started on the endpoints, the breach then spread to the servers.
The inability for most organizations to detect breaches is complicated by many factors: the number and variety of devices, the legacy solutions and processes used to remediate vulnerabilities, the limited skill sets of IT staffs in general, the lack of information about the user of the network resources and the resulting inability to understand normal versus anomalous behavior. Given these compounding issues, it is not surprising that the number of "those who didn't know whether they'd been breached" doubled, rising from 10% to 20%.
Successful cyber risk management starts with understanding your weaknesses, and offering full coverage of your assets. Leveraging a team that is certified, experienced and trained on the solutions being deployed and is always monitoring your network is critical to achieving optimal results (effective risk mitigation).
Since most organization operate with a limited IT budget, effective risk mitigation is simply out of reach. They lack the resources to pay for effective tools, training for those tools, training for effective response and enticing salaries and benefits to attract and retain qualified talent. Given these challenges, it is no surprise that the number of organizations unable to recognize an active breach has doubled in the past year.
Fiscally prudent organizations have realized that outsourcing security services to a qualified provider is the most financially efficient way to achieve effective cyber risk mitigation. If you would like to discuss your risk and how to optimize your results, please contact us to schedule a meeting with one of our advisors.
¹"Endpoint Protection and Response: A SANS Survey," June 2018