Three lesser-known endpoint vulnerability strategies you might be missing
Modern IT environments continue to become more distributed, driving the growth of endpoints across the enterprise. Some research estimates that enterprises now manage more than 135,000 endpoints, and Enterprise Strategy Group estimates that more than 70 percent of employees use more than four devices daily for work. That’s a lot of endpoints. When you combine this endpoint growth with the fact that 560,000 new pieces of malware are detected every day, it is hard not to wonder whether your organization is the next target for a ransomware or phishing attack.
Security pros are overwhelmed by endpoints and struggle to find the right mix of solutions and strategies that can effectively secure their organizations. The more diverse the endpoints are, the more difficult they are to manage and secure (especially with mobile and IoT device proliferation). Just look at recent attacks against Twitter, Slack, Taco Bell, and more. For many organizations, endpoint security is really hard. This is why their security teams need to constantly assess and adjust their endpoint security strategies.
I’d like to share three commonly overlooked endpoint vulnerability strategies that can help teams alleviate the burden of endpoint security management. But first, a quick refresher on some of the basics.
When it comes to mitigating endpoint risk, you should already understand what devices are on your network, be able to quarantine new or returning devices, be scanning for threats and vulnerabilities, be applying critical patches and updates, and then be repeating that cycle continuously. That’s basic table stakes. Then you need to layer on good hygiene by retiring and replacing legacy hardware and software, treating every endpoint as equally important, understanding the latest attack trends that could impact your organization, and more. Of course, much of this can be simplified or streamlined using the proper tools and solutions.
But what else can be done to improve efficiency and security? Here are three strategies you may be overlooking (or didn’t know exist).
Move Beyond Polled Connections; Get Real-time Insights with Live Connections
Most endpoint management and vulnerability tools are set up to conduct a poll or scheduled scan. After the scan has run, the results from that scan are dropped into a database, and hopefully, an alert is provided that prompts review. The time between these activities can be hours, but oftentimes it’s days. Many vulnerability scanners cannot complete a full scan of the environment within a week of the initiation of a scan. This means that the data received is already old.
With robust endpoint and vulnerability management solutions, teams can have a real-time connection that provides live data on key details, such as installed software, missing patches, security vulnerabilities, and more. These solutions need to be built with a cloud-native architecture and allow for two-way connections over which both the request for information and the response travel (versus a database of results). This means querying the device directly rather than a database.
With live connections, you can accurately assess, prioritize, manage, and resolve IT and security risks. For example, last month, Google disclosed two zero-day vulnerabilities in its Chrome browser. Organizations can take a few different paths to remediating this vulnerability.
(1) They can send an email out to their entire organization, asking that employees update their Chrome browser and hope that the employees do it.
(2) They can push an update out via an agent-based management solution that requires employees to allow the update to run and then restart the machine manually -- this update would go out to everyone regardless of whether they use Chrome or not.
(3) With a live connection to the endpoints, the organization can identify which endpoints have Chrome installed, push the update directly to those devices and require a restart without the end user ever needing to be involved. The first two methods can take hours or days (and when vulnerabilities are being exploited in the wild, every minute counts).
Automate Supercharged Workflows and Processes
Building sequenced workflows is about bringing more structure and consistency to endpoint management. Most endpoint security tools offer playbooks or workflows that help simplify policy management. But those are usually siloed actions. Supercharging this with sequenced workflows that wrap in automation allows you to chain together multiple playbooks to dramatically improve productivity across your IT and security teams.
For example, you could set up a sequenced workflow for Patch Tuesday that deploys patches to a group of test endpoints, waits for a week to allow your team to evaluate whether the endpoints are stable and performing as expected, then pushes those patches to an alpha group of endpoints and users, waits and monitors, and then continues the deployment to the full production environment after everything is deemed stable.
This same process can be used with vulnerability scanning and remediation. You can set up a sequence of workflows that conducts a vulnerability scan on your least valuable assets (i.e., not the "crown jewels"), automatically remediates any risks found, generates a report on these actions, waits a week for your team to review and assess the stability of those remediations, and then moves on to assets that are more valuable, and repeats. This secures your crown jewels while reducing the risk that a remediation breaks something, in a methodical fashion. This can be powerful for condensing highly complex projects. And, if you align them around CIS benchmarks or other compliance requirements, you’ve checked even more boxes.
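The ring-by-ring gating described for both the Patch Tuesday rollout and the staged vulnerability remediation, as an added illustration (not code from the original article or from any vendor product). The ring names, the seven-day soak period and the `deploy_fn` playbook hook are assumptions; any real deployment would plug its own playbook into `deploy_fn`.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Constructed rollout rings, ordered from least to most valuable assets.
RINGS = ["test", "alpha", "production"]
SOAK = timedelta(days=7)  # hold each ring for a week before advancing


@dataclass
class SequencedWorkflow:
    """Chains per-ring playbooks (patch or remediate) into one gated sequence."""
    name: str
    ring_index: int = 0
    deployed_at: Optional[datetime] = None
    halted: bool = False
    log: list = field(default_factory=list)

    def current_ring(self):
        return RINGS[self.ring_index]

    def deploy(self, now, deploy_fn):
        """Run the ring's playbook and record when the soak clock started."""
        ring = self.current_ring()
        deploy_fn(ring)
        self.deployed_at = now
        self.log.append(f"{now:%Y-%m-%d} deployed {self.name} to {ring}")

    def evaluate(self, now, stable):
        """Gate: advance only after the soak period AND a stable verdict."""
        if self.halted or self.deployed_at is None:
            return "idle"
        if not stable:
            self.halted = True  # a regression in a small ring stops the chain
            self.log.append(f"{now:%Y-%m-%d} halted at {self.current_ring()}")
            return "halted"
        if now - self.deployed_at < SOAK:
            return "soaking"
        if self.ring_index == len(RINGS) - 1:
            return "complete"
        self.ring_index += 1
        self.deployed_at = None
        return "advance"


def run_schedule(wf, start, verdicts, deploy_fn=lambda ring: None):
    """Drive the workflow through dated (day_offset, stable) verdicts."""
    wf.deploy(start, deploy_fn)
    statuses = []
    for day, stable in verdicts:
        now = start + timedelta(days=day)
        status = wf.evaluate(now, stable)
        statuses.append((wf.current_ring(), status))
        if status == "advance":  # next ring is deployed as soon as the gate opens
            wf.deploy(now, deploy_fn)
    return statuses
```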
Leverage a Policy Evaluation Engine for Zero Trust Access
Most people think of zero trust as a disappearance of the network perimeter, but the endpoint is not disappearing -- in fact, the attack surface from endpoints is growing with the proliferation of IoT and mobile devices. Focusing only on zero trust with identities or with data is shortsighted. If you are looking to implement zero trust, evaluating how to implement zero trust on endpoints is critical.
One way to approach this is with a trust evaluation engine that can identify endpoints in untrusted states and deny them access to corporate networks and systems in real time. For example, you should be able to build out a profile of what a trusted endpoint looks like based on corporate policies. Does the endpoint have the latest approved patches? Is it running antivirus software with updated signatures? Does it have the firewall on? If the answer is no, then the endpoint does not get access to important systems or the corporate network. Once this trusted profile is developed, every time that endpoint turns on, the evaluation engine checks the device against it and enables or disables what that endpoint can reach or access. Or you can set the evaluation engine to do a zero trust check every 15 minutes.
This approach enables your team to build comprehensive trust profiles, policies, and access rights for all endpoints across a network. For example, suppose your Controller accidentally clicks on an email that installs malicious software, which disables their firewall without them knowing. They go to lunch, come back to their computer, and try to log into the enterprise financial system. But they can’t get in. While they were away from their desk, the trust evaluation engine kicked in and saw that the firewall was disabled and couldn’t be re-enabled. The policy to block that endpoint from accessing the financial system was enforced to limit a breach and data exfiltration.
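The trust profile and 15-minute re-evaluation described above, as an added illustration (not code from the original article or from any vendor product). The patch baseline identifier, the two-day signature-age limit, the system names and the posture fields are all constructed assumptions; real telemetry would come from the live endpoint connection.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed corporate policy: what a trusted endpoint looks like.
APPROVED_PATCH_LEVEL = "2023-10"        # hypothetical "YYYY-MM" patch baseline
MAX_SIGNATURE_AGE = timedelta(days=2)   # AV signatures older than this fail
CHECK_INTERVAL = timedelta(minutes=15)  # zero trust re-check cadence
PROTECTED = {"financial-system", "file-share"}
ALWAYS = {"patch-server"}               # kept reachable so the device can be fixed


@dataclass
class Posture:
    """Live posture telemetry pulled from the endpoint (constructed fields)."""
    patch_level: str
    av_running: bool
    av_signature_time: datetime
    firewall_on: bool


def failed_checks(p, now):
    """Return the policy checks the endpoint fails; empty list means trusted."""
    failures = []
    if p.patch_level < APPROVED_PATCH_LEVEL:  # "YYYY-MM" strings sort by date
        failures.append("patches")
    if not p.av_running or now - p.av_signature_time > MAX_SIGNATURE_AGE:
        failures.append("antivirus")
    if not p.firewall_on:
        failures.append("firewall")
    return failures


class TrustEngine:
    """Re-evaluates each endpoint on a cadence and keeps its current grants."""

    def __init__(self):
        self.access = {}      # host -> set of systems it may currently reach
        self.last_check = {}  # host -> time of the last evaluation

    def evaluate(self, host, posture, now):
        """Apply the trust profile and rewrite the host's grants in place."""
        self.last_check[host] = now
        fails = failed_checks(posture, now)
        self.access[host] = ALWAYS | (set() if fails else PROTECTED)
        return fails

    def can_reach(self, host, system):
        return system in self.access.get(host, set())

    def check_due(self, host, now):
        """True when the 15-minute window since the last check has elapsed."""
        return now - self.last_check.get(host, datetime.min) >= CHECK_INTERVAL
```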
Endpoint security is only getting more challenging as attackers find new ways to target organizations. By considering these lesser-known strategies, you could improve security and reduce manual tasks.
Ashley Leonard is the president and CEO of Syxsense -- a global leader in Unified Security and Endpoint Management (USEM). Ashley is a technology entrepreneur with over 25 years of experience in enterprise software, sales, marketing, and operations, providing critical leadership during the high-growth stages of well-known technology organizations. Ashley manages U.S., European, and Australian operations in his current role, defines corporate strategies, oversees sales and marketing, and guides product development. Ashley has worked tirelessly to build a robust, innovation-driven culture within the Syxsense team while delivering returns to investors.