Modern technology presents a potential security nightmare for IT. Ransomware attacks and well-publicized cases such as the loss of a laptop with sensitive data by a US Secret Service agent have highlighted the risks involved in defending critical assets against loss or theft.
With more data than ever being stored on mobile and other external devices, supported by ‘bring your own device’ (BYOD) policies, what features should IT decision-makers look for in ensuring suitable endpoint security solutions?
What is an endpoint?
Firstly, an endpoint is any internet-enabled device on a TCP/IP network – whether it’s a desktop, laptop, smartphone, tablet, printer or even a point of sale terminal or smart meter.
Endpoints need to be secured because they provide a path into a company’s network and confidential data. ‘Dark’ endpoints – devices that are off the network, lost, stolen or operating without security controls – are especially exposed and are a common starting point for security breaches.
A lack of visibility across applications, data, devices and users presents ample opportunities for hostile outsiders and even insiders to perpetrate attacks.
Security experts agree that network security policies for endpoint devices should be in place before those devices are granted access to network resources; such policies may also restrict what certain devices and users are allowed to reach.
Know where your endpoints are
Today’s reality is you can’t secure what you can’t see – whether devices are on or off a company’s network.
While hacking events like WannaCry have grabbed headlines, lost or stolen phones and laptops can be a significant and often overlooked threat to a company’s network. The Register reported in 2016 that one in four breaches of US banks’ data came down to lost or stolen phones and laptops, with just 20 percent the result of hacking.
It is therefore essential to ensure that all endpoints used for business purposes, including BYOD, are registered and are configured in accordance with your business’s OS and security policies. The endpoint security solution should provide total visibility for all devices – even if off the network – as well as the data, applications and user behavior associated with those devices.
Put simply, it is impossible to protect what you don’t know about.
Ensure endpoints are secure
Make sure all endpoints comply with corporate security policies before allowing them to access your network.
This starts with basic steps, such as ensuring that the endpoint OS, management tools, anti-virus, encryption, VPNs and the like are up to date and working as intended.
Patching known vulnerabilities before they can be exploited is key to protecting a fleet of devices. Active patch management and monitoring confirm that patches have actually been applied and are working, proactively minimizing risk. The same monitoring can verify that patch management tools and other endpoint security agents are present and healthy on every supported device. In addition, data loss protection (DLP) software can further protect an endpoint.
Know when endpoints have been compromised
Once you have awareness of all your network endpoints – regardless of device type or location – you need the ability to quickly detect and respond to threats.
Identifying and containing the infected ‘patient zero’ device is paramount. Containment quarantines the compromised device from the corporate network so the infection cannot spread further.
Endpoint security software that integrates with the company’s firewall can block web traffic to and from compromised devices faster than manual intervention. Firewall rules should also be monitored continuously and recreated or repaired if a user attempts to modify them.
Resilience and remediation
Once an unacceptable level of risk is reached or a device has been compromised, your endpoint security needs to be able to perform a range of critical tasks:
- Notify the user and IT team.
- Lock down an infected device.
- Restrict access to files.
- Wipe a compromised device.
- Instigate in-depth analysis to determine if a device is a vector in a broader enterprise attack.
Most endpoint security software will automatically block malware. If a new malware or ransomware threat is not blocked, then endpoint security should detect malicious behavior, such as unauthorized file encryption, and take appropriate remedial action. This includes alerting administrators, blocking or isolating the threat, removing files or rolling back changes made by malicious software.
With malware and ransomware threats on the rise, having the right endpoint solution is vital for any organization seeking to protect valuable data.