
The Evolution of Endpoint Security – Changing with the Currents

October 11, 2018 by Lester Obbayi

Introduction

Traditionally, endpoint security within organizations was handled by IT departments through endpoint servers that they managed themselves. But with the constant changes in the world of threats and attack vectors, how is endpoint security evolving to manage these threats?

In this article, we’ll take a look at how endpoint security has evolved throughout the years and the trends that can be anticipated from today going forward. We will also look at some endpoint solutions and how they compare with each other.


What Is Endpoint Security?

Endpoint security is a method used within network security to secure the organization’s network against the devices that connect to it. These devices include mobile phones, laptops, tablets and any other network-enabled devices that connect to the organization’s network.

In the past, traditional endpoint security has been achieved by having a server within the internal network of the organization. The endpoint server controls updates to the endpoint software installed on each endpoint within the network. As well as issuing endpoint updates, the endpoint server acts as an authentication server, authenticating connections into and within the network. What differentiates one endpoint security solution from another is the security software each vendor bundles into it: components such as a Host Intrusion Prevention System (HIPS), firewall, antivirus and antispyware, each aimed at particular attack vectors and adding another layer of protection.

Over the years, malware has evolved, and endpoint solutions have leveled up to keep up with the constant threats. Security vendors have now embraced endpoint security as a service to manage new threats better.

How Has Endpoint Security Changed in Recent Years?

Over the years, endpoint security has evolved from primitive antiviruses to the more sophisticated next-generation antiviruses that employ advanced technology, the newer and better endpoint detection and response, and the OS-Centric Positive Security approach. Below, we’ll briefly discuss these changes and how they have influenced today’s endpoint security.

Traditional Antivirus (AV)

Back in the 1980s, endpoint security protection was mostly achieved by deploying antiviruses, which were only as good as their antivirus signatures. This remained the case for as long as computers relied on antiviruses for protection. But a great deal has changed since those days, with malware now capable of far more subtlety when it comes to antivirus evasion. A better way of securing endpoints had to be found.

Next-Generation Antivirus (NGAV)

One major shortcoming of traditional AVs was the fact that virus signatures had to be constantly updated: thus, AVs were only as good as the updates they had. However, next-generation antiviruses introduced an approach where it was possible to identify malware based not on signatures, but by using machine learning and artificial intelligence. This became more common in 2014 and has since significantly improved.

There are still a couple of challenges that this approach struggles with. They are:

  • Inability to detect zero days and completely new malware, because NGAVs are only trained on existing malware
  • Inability to effectively detect fileless malware, which leaves no file on disk to examine, while NGAVs are only capable of static analysis of files
  • The curse of artificial intelligence being used for malicious intent. Hackers can implement artificial intelligence to engineer malware that intelligently evades NGAVs, effectively rendering them useless

There was still room for a newer and different approach, one which would allow the detection of and response to endpoint threats.

Endpoint Detection and Response (EDR)

The phrase “endpoint threat detection and response” was first coined in 2013 by Gartner’s Anton Chuvakin to refer to the tools that could be used to detect, provide visibility, monitor and investigate suspicious activities within endpoints.

EDR solutions give security departments console alerting and reporting, advanced response to security incidents, support across large geographic regions, managed detection and response and, one of the most important features to date, third-party integration.

EDR was and still is a great idea, as it allows for the detection and prevention of attacks even as they occur.

OS-Centric Positive Security

Because of the shortcomings of the signature-based methods and of behavior-based techniques of the past that had to cope with unpredictable user behavior, OS-Centric Positive Security was invented. This approach maps legitimate operating system behavior so that anything outside that map can be detected as hostile. Hostile actions would include such things as file deletions, data exfiltration, sabotage, encryption and much more. Surprisingly, it has been found that tracking a finite set of acceptable actions instead of hunting down unwanted actions helps thwart attacks before damage is suffered.
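To make the contrast between the positive (allowlist) model described here and the signature-style negative model concrete, and to show why the zero-day limitation listed under NGAV does not apply in the same way to a positive model, here is a small added example. It is not code from the article or from any vendor named in it: the event format, the process names, the rule sets and the sample telemetry are all constructed for illustration. Each event is checked against a blocklist of already-known bad behaviour and against an allowlist of baselined behaviour, so the verdicts can be compared side by side.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Event:
    """One behavioural event reported by an endpoint sensor (constructed format)."""
    process: str  # image name of the acting process
    action: str   # file_write, file_delete, file_read, net_connect, ...
    target: str   # path, host:port or other object acted on


# Rules are (process glob, action glob, target glob). Matching is
# case-insensitive, and '*' in fnmatch also spans path separators.
Rule = tuple[str, str, str]

# Constructed allowlist: the finite set of behaviour the OS and approved
# applications are expected to show on this host (hypothetical names).
ALLOWED_BEHAVIOUR: list[Rule] = [
    ("explorer.exe", "file_write", "C:/Users/*"),
    ("explorer.exe", "file_delete", "C:/Users/*"),
    ("winword.exe", "file_write", "C:/Users/*/Documents/*"),
    ("winword.exe", "net_connect", "*.office.example:443"),
    ("svchost.exe", "net_connect", "*.update.example:443"),
    ("backup.exe", "file_read", "C:/Users/*"),
    ("backup.exe", "net_connect", "backup.example:443"),
]

# Constructed blocklist in the style of a signature feed: behaviour that is
# already known to be bad. Anything not listed here is invisible to it.
KNOWN_BAD: list[Rule] = [
    ("knownbad.exe", "*", "*"),                     # a previously catalogued sample
    ("*", "file_delete", "C:/Windows/System32/*"),  # destroying OS files
]


def matches(event: Event, rule: Rule) -> bool:
    """True if every field of the event matches the rule's glob for that field."""
    proc, action, target = rule
    return (fnmatchcase(event.process.lower(), proc.lower())
            and fnmatchcase(event.action.lower(), action.lower())
            and fnmatchcase(event.target.lower(), target.lower()))


def negative_verdict(event: Event) -> str:
    """Signature/blocklist model: block only what is already known to be bad."""
    return "block" if any(matches(event, r) for r in KNOWN_BAD) else "allow"


def positive_verdict(event: Event) -> str:
    """Positive-security model: allow only baselined behaviour, alert on the rest."""
    return "allow" if any(matches(event, r) for r in ALLOWED_BEHAVIOUR) else "alert"


def evaluate(events: list[Event]) -> list[dict]:
    """Run both models over a batch of events and return the verdicts side by side."""
    return [{"event": e,
             "blocklist": negative_verdict(e),
             "allowlist": positive_verdict(e)} for e in events]


# Constructed sample telemetry; addresses use TEST-NET and .example names.
SAMPLE_EVENTS = [
    Event("explorer.exe", "file_write", "C:/Users/alice/notes.txt"),                 # normal use
    Event("knownbad.exe", "file_write", "C:/Users/alice/dropped.bin"),               # known sample
    Event("winword.exe", "net_connect", "203.0.113.5:4444"),                         # never-seen egress
    Event("backup.exe", "file_write", "C:/Users/alice/Documents/report.docx"),       # read-only tool writing
    Event("newtool.exe", "file_write", "C:/Users/alice/out.txt"),                    # benign but un-baselined
    Event("explorer.exe", "file_delete", "C:/Windows/System32/drivers/etc/hosts"),   # destructive
]


if __name__ == "__main__":
    for row in evaluate(SAMPLE_EVENTS):
        e = row["event"]
        print(f"{e.process:<13} {e.action:<12} {e.target:<45} "
              f"blocklist={row['blocklist']:<5} allowlist={row['allowlist']}")
```

Running it shows the trade-off the article describes. The blocklist only fires on the catalogued sample and the System32 deletion; the unexpected outbound connection from the word processor and the backup tool writing into user documents pass through it as "allow" because nothing like them is in the feed. The allowlist alerts on all of those without needing to have seen them before, which is what lets a positive model catch behaviour that is entirely new. The price is the last-but-one event: a harmless, not-yet-baselined tool is flagged too, so the allowlist has to be maintained as the environment changes, and in practice such a model is run in a monitor-only mode until the baseline is complete.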

What Are Some Common Trends in Endpoint Security?

Endpoint security trends project the future of managing endpoint threats and the capabilities of solutions that we will see in the market going forward. Various innovations have been put forward as the trends for the year 2018, including:

Machine Learning and AI

The number of threats keeps growing, and with it the need to analyze them faster, which demands much more effort and accuracy to perform adequate analysis. Machine learning and artificial intelligence have been found to be most promising in automating threat analysis and determining the severity of threats. The most critical threats can then be escalated for human intervention. Microsoft is one provider that has embraced AI and machine learning in its endpoint solutions.

SaaS-Based Endpoint Security

In the past, endpoint servers have been physical servers at the organization, offering the critical functions that we have discussed above. However, the advent of software-as-a-service and much of today’s IT infrastructure getting pushed onto the cloud has created an interest in having endpoint security solutions offered as a service as well. Security providers such as FireEye, Cybereason, Morphick, Carbon Black and Webroot are moving into this space. SaaS services are utilizing machine learning under the hood as well, to make for a faster and more reliable experience.

Layered Protection Against Fileless Attacks

One attack vector that is becoming prevalent today is the area known as “fileless attacks.” These are attacks that execute and reside entirely within RAM and thus never interact with the disk. Since traditional antivirus solutions have always targeted disk-resident threats and only recently memory, endpoint security solutions have capitalized on this area, with some solutions providing a layered defense against this attack vector. Layered protection is often combined with machine learning to reduce the risk of false positives that common tools often generate.

Putting IoT Devices Under the Protective Umbrella

Today, billions of Internet-connected things such as cameras, routers, toys and appliances lack the security configurations that devices with such capabilities need. This has led to attacks such as the Mirai botnet attack, which involved millions of hijacked closed-circuit TV cameras that were used to launch DDoS attacks against Minecraft server hosts. However, since most IoT-capable devices run on common OSes such as Android, Linux and Windows, security companies are beginning to create endpoint solutions that can accommodate such devices and secure them against malicious attacks.

Reducing Complexity and Consolidating Agents

In the past, security companies have produced different tools that resolve a plethora of security threats at the endpoint. This has resulted in the possibility of a single endpoint running multiple tools that address different security loopholes, which all need to be managed separately. The idea in consolidating agents is to have multiple security issues effectively addressed by a single security solution.

Endpoint security is still evolving and there are observable trends that project how the future will look in terms of this security approach.

What Do These Trends Mean for Your Defense?

The traditional security landscape could be a dangerous place: False alarms and lack of automation meant that much of the work was repetitive and produced inaccurate results. Today, with machine learning and artificial intelligence, it is not only possible to get accurate results but also to work with great speed and efficiency. Today’s solutions are able to achieve better remediation, meaning that activities such as deleting files, terminating processes and rolling back system images can save IT staff the tedium of manually reimaging breached systems.

You can visit Gartner’s Customer Choice Awards from 2017 to get a picture of the current names in the endpoint security space that might be helpful to you. You can also check the reviews and overall ratings of different solutions there for your own comparison. Some of the solutions in the market include:

Digital Guardian: The Digital Guardian Threat Aware Data Protection Platform offers “ready-to-deploy” security that can be deployed at your organization either on your local machines or as a service.

enSilo: The enSilo platform provides two key services that include post-infection protection and threat traps. The latter quarantines suspicious threats for further investigation by a threat hunter.

Minerva: With emerging threats that are environment-aware and capable of escaping antiviruses, Minerva comes into play. Its core service is its Anti-Evasion platform, which deals with threats which are intelligent enough to fool antiviruses.

Promisec: Managing the detection of and response to threats is a challenge that many organizations struggle with, especially with large amounts of data to work with. Enter Promisec. Promisec’s main selling feature is its ability to enforce endpoint compliance with organizational policies, which helps with managing and detecting threats.

Conclusion

Security is constantly evolving and there is a possibility that the future might hold much more than what we have seen. We cannot, however, ignore the changes that have been seen from the past several years to where we have gotten to today.


Sources

What is Endpoint Protection? Data Protection 101, Digital Guardian

5 top trends in endpoint security for 2018, CSO Online

Customer Choice Awards 2017, Gartner

The Evolution of Endpoint Security, Nyotron

A Historical Take on the Evolution of Endpoint Security, Minerva


Endpoint Detection and Response (EDR): Everything You Need to Know, Varonis

Lester Obbayi

Lester Obbayi is a Cyber Security Consultant with one of the largest Cyber Security Companies in East and Central Africa. He has a deep interest in Cyber Security and spends most of his free time doing freelance Penetration Tests and Vulnerability Assessments for numerous organizations.