Endpoint management is becoming increasingly demanding but also necessary at the same time as organisations adopt the flexibility the cloud affords them.
As a result, cybercriminals are also tailoring their approach to target individual endpoints in a new perimeter-less environment.
Techday spoke to Trend Micro market strategy global VP Eric Skinner about key threats organisations are currently facing and the best way to mitigate them.
A few years ago, endpoints were protected by other layers of the company perimeter (e.g. firewalls) but today’s endpoints are frequently outside the perimeter, with a broader range of business and personal apps in use, and so must defend themselves.
Also, ransomware used to be at the top of the list when it came to endpoint concerns for many businesses, and while incidents are still occurring (e.g. the Cabrini Hospital incident in Melbourne in February), Trend Micro’s most recent Yearly Security Roundup Report found a substantial decline – ransomware was down a drastic 91% in 2018 vs 2017.
This decline is due to sophisticated endpoint security solutions being able to better detect these threats, resulting in malware authors shifting their focus.
More concerning is the rise of fileless threats.
Fileless threats are so named because they use no discrete binaries or executables. Nevertheless, they manage to run by injecting themselves into an existing application’s memory or by running scripts within a legitimate application such as Windows Machine Instrumentation or PowerShell.
Trend Micro has seen an 817% rise in fileless threat detections from August of 2017 to the end of 2018. These threats are risky as their intended behaviours are quite diverse, and as a result are more challenging to detect.
Endpoint security vendors including Trend Micro have invested heavily in run-time behavioural techniques and heuristic approaches to block fileless threats (for example, a Microsoft Word documents launching a PowerShell script is almost certainly a malicious action, and will be detected and blocked).
Overall, organisations are steadily doing a better job of raising security awareness, and helping employees recognise potential threats such as social engineering attacks delivered via email. However, we continue to see steady improvements in the attacker’s behaviour as well.
Phishing and business email compromise emails are more-frequently well written and researched – for example, Trend Micro found that the number of business email compromise (BEC) attacks in 2018 increased by 28% globally compared to 2017, and phishing URL detections increased by 269% over the same time.
Along with employee education, state-of-the-art detection technologies should be used, and businesses should ensure they have good processes in place to verify and authorise transactions such as invoice payments.
Developed countries in APAC such as Singapore and Australia have dedicated considerable resources to cybersecurity education, including innovative awareness campaigns aimed at the general public, whereas developing countries are now starting to implement such campaigns. Additionally, some large enterprises in APAC have implemented security quizzes or mock malicious email campaigns, as a means to educate their employees.
It is recommended that these are done regularly and systematically to keep employees educated and keep cybersecurity front of mind.
Endpoint security solutions can generate an unwelcome workload for IT teams if there are too many spurious alerts (obscuring real issues), or too many false-positive detections (where legitimate files and behaviours are being flagged as malicious).
Today’s leading endpoint security products are engineered to reduce noisy alerts as much as possible, and it’s a great reason for businesses to ensure they are running the latest version available from their vendor.
Australia’s Notifiable Data Breach legislation imposes a 30-day window for assessment of a potential breach, and this can be challenging if endpoint security solutions are not recording relevant events.
Modern advanced endpoint protection products include so-called EDR (endpoint detection and response) features which proactively record endpoint events, enabling assessment actions taken by suspected malware and a clearer picture of whether a data breach has in fact occurred.
These capabilities are sometimes available as a managed service so that ongoing threat investigation and monitoring can be performed by the vendor’s expert team instead of an overworked IT department.
Over the last ten years, there’s been a gradual shift from aiming to detect malicious files, to detecting malicious behaviour.
This shift has dramatically improved endpoint security vendors’ ability to intercept rapidly-evolving attacks from ransomware and fileless threats.
This – combined with the pressures of the cybersecurity skills shortage – has encouraged organisations to use non-traditional security practices such as endpoint detection and response (EDR) and managed detection and response (MDR) to navigate endpoint threats.
Both of these practices focus on identifying potential threats and activity that can paint a picture of possible intrusions or attacks.
However, MDR is a service harnessed by organisations to assist their in-house teams with threat hunting and alert monitoring and takes the heat off companies who are facing a shortage of skills or lack of staffing.
It’s also important that EDR and MDR are not undertaken as ad hoc elements of an organisation’s strategy, but rather are incorporated into larger security considerations.