If you're a CISO or other security leader, you're constantly engaged in two relentless obstacles:
Obstacle #1 is defending yourself from a global attacker who can strike at any time, causing insurmountable damage to your organization.
Obstacle #2 is maximizing value out of your budget-constrained organization, in an industry with a limited pool of security experts, all while being held accountable to ensure your assets, data, and employees are protected.
This balancing act between investment and security is a daily consideration for anyone managing a security program. No one should minimize either of these, especially when it comes to endpoints. If your organization has a data breach or other significant attack, you'll make the news. Not investing enough in the right technology solutions to improve the efficiency of your team means that next attack on your data is only a question of, "When?". But, in the same vein, budget and security expertise is limited - you can't just create more of it.
How do you strike the right balance between the two?
Tiers of Threats
There are many ways to classify the cyber threats we face daily. Sometimes it's useful to classify threats based on their technical attributes: fileless attacks, polymorphic malware, etc. For other purposes, we may want to classify threats by the type of harm they cause: exfiltration, systems lockup, denial of service, etc.
For our purposes here, I'll propose four basic tiers of endpoint threats which are a hybrid of the classification above:
Tier 1 - Opportunistic. This includes the most basic opportunistic attacks (Malware, Ransomware, Scripts, etc). These attacks rely on pure scale rather than knowledge about vulnerabilities specific to your organization's environment. They leverage the fact that many organizations haven't installed the latest security patches and are comprised of users with poor security hygiene. These attacks are typically delivered as some type of file executable, word document, or script and are designed for a user to easily execute on an endpoint.
Tier 2 - Opportunistic Phishing. Think of these as opportunistic attacks that leverage social engineering exploits designed to fool your users at scale. They use sophisticated methods, like trojans or software payloads, to obtain sensitive information or credentials from your userbase. These methods are designed to capture inputs from corporate sites, keystrokes, and log-ins. E-mails, text messages, and phone calls are also often used to redirect users to fake online websites to capture this information.
Tier 3 - Targeted. There are many ways attackers exploit organizational vulnerabilities to go after focused targets. One strategy is to identify deficiencies in an organization's infrastructure and exploit those weaknesses. Targeted attacks are typically human threat actors who know how to take advantage of an externally (or sometimes even internally) discovered entry point, such as a poorly configured firewall. To determine these vulnerabilities, these attackers use opportunistic methods, or insider information, to build their playbooks. These attacks may also unfold in multiple stages, each of which is individually difficult to detect. Using threat intelligence, combined with skilled security experts, helps identify behaviors and movement that help triage vulnerabilities to ward off targeted attackers.
Tier 4 - Advanced Persistent Threats (APTs). These are threat actors who purposefully live in your environment for long periods of time, sometimes even years, to avoid alarms. They use slow, stealthy movement to achieve the greatest volume of data exfiltration before they are discovered - if they are discovered at all. APTs may also involve malicious insiders with intimate knowledge of the environment and the location of the most valuable data assets, as well as credentials that allow illegitimate actions to appear legitimate.
Opportunistic threats (Tiers 1 and 2) represent the vast majority of threats Secureworks detects at the typical customer site. But, while targeted threats (Tiers 3 and 4) may be less common, if exploited, they can cause significantly greater impact to an organization's operations, finances, and reputation.
The point here is customers are faced with a variety of attack vectors to protect against. All threats cost time and money, and they all have the potential to inflict significant harm to the organization. Protecting against as many of these attack strategies as possible is absolutely critical.
Where and When to Automate
Given this taxonomy of threat tiers, how does an organization force multiply to outpace the threat landscape?
The main way we do this is through automation. More specifically, we can progressively automate more and more protections against the opportunistic threats-thereby freeing up staff to focus their time, energy, experience, and expertise on threat detection and remediation for the more advanced threats in the higher tiers.
So, for example, the endpoint security (AV) industry moved from signature-based detection to more complex strategies that better detect highly evasive threats. The threat landscape requires next-gen antivirus (NGAV) technology, which, at its core, is designed to automate remediation and prevent most threats. The technology leaders in the NGAV space are fractions of percentiles away from each other in their efficacy. Choosing a partner in this space is less about the efficacy (assuming they perform well in testing), and more about impact to the endpoints. Security program leaders should look for technology that offers low resource utilization, low false positive rates, and minimal impact to users. The final, and most important thing to consider is that your NGAV provider delivers its outcomes to your analysts in a way where they can be consumed in context with alerts coming from other security technology in your organization.
As your security organization continues to evolve and mature, a next step may be to implement Endpoint Detection and Response (EDR). EDR technology gathers telemetry from your endpoints, such as process lists, DNS queries, registry modifications, login attempts, and file executions. It then looks for patterns in that telemetry that are indicative of especially sophisticated opportunistic threats-as well as genuinely targeted threats.
This detailed telemetry provided by your EDR product allows security practitioners to build a full story about complex threat actor movement in your environment. Successful investigations are enriched from genesis to remediation by leveraging this endpoint data. If an endpoint is compromised, other endpoint features may be available to help "stop the bleeding." Response features, such as isolation, provide a remote method of disconnecting the endpoint from the network. This effectively prevents an attacker from moving laterally and getting closer to your most valuable assets.
The more your organization evolves, the more it should invest in preventing opportunistic attacks and detecting targeted threats. This is only possible once you have technology capable of correlating endpoint telemetry with other behavioral data. With machine learning, these diverse data sets can be used to identify and remediate the most sophisticated attacks.
Consider, for example, the "low and slow" exfiltration of data that APTs commonly use to evade detection. These attackers traverse your internal networks, identify sensitive data, and slowly collect this data over time. The ability to see logins, file transfers, shell commands, and processes in this case, helps our detection models identify highly stealthy targeted attackers.
Identifying and preventing common, widely utilized, and zero-day polymorphic attacks instantly on the endpoint saves time and prevents lateral movement. After all, if a security analyst team can't readily see which threats have been remediated, they'll spend the majority of their daily effort correlating and validating low-value attacks. Using proper technology here is a force multiplier and should be given serious consideration when choosing an endpoint security product.
Also, keep in mind why this article focuses on endpoint prevention. Endpoints are the most difficult and time-consuming part of your environment because 1) you have a lot of them, 2) they're highly varied-ranging from servers to low-end laptops, and 3) it's the most vulnerable attack vector. Endpoint protection represents true low-hanging fruit: the biggest time-sink that's also the easiest one to automate.
In other words, it's necessary to ensure your team spends more of their time on threats that genuinely warrant their attention-and less of their time on routine tasks that could just as easily be automated.
How Secureworks Can Help
After being at Secureworks for over 4 years, I've been involved in countless success stories that fully leverage the power of endpoint visibility. We perform over 1,000 incident response engagements per year using our own technology, and stand behind using our own endpoint solutions to remediate customers during their most critical moments. Read on to learn more about our scalable solutions.
Taegis™ NGAV leverages the power of local machine learning on the endpoint to detect and prevent opportunistic attacks, such as ransomware and malware, before they happen. Its methods are continuously validated by our Counter-Threat Unit™ (CTU™) and other internal testing. It has also been independently validated as achieving 100% in-the-wild detection efficacy by MRG Effitas. Over 3.7GB of current threats were tested, and Taegis NGAV managed to only have a 1.33% false positive rate. This means even less wasted time for you and your staff. TA summary of the report is available here.
Of course, even the best NGAV may be insufficient to counter a well-targeted Tier 3 or 4 threat. That's why we include this technology as an add-on to Taegis XDR. Taegis XDR continuously gathers and interprets endpoint telemetry from either our own endpoint agent, or your current endpoint protection platform EPP investments. Taegis XDR is built on an advanced analytics engine to provide the visibility, threat intelligence, and remediation you need to outmaneuver even the craftiest adversary. Taegis XDR provides correlation of alerts and telemetry across the diverse security solutions you may already have in your environment-including network, endpoint, cloud, and logging.
Learn more about Taegis XDR
Cyberattacks by criminals, state actors, and others are not going to abate any time soon. Unfortunately, your security budget isn't likely to increase in proportion to this intensifying attack activity. So do yourself a favor and address your endpoint security time sink. It's an essential best practice if you plan to keep your organization protected and out of the headlines.
You Might Also be Interested In: