Posts

7 Factors to Consider When Evaluating Endpoint Protection Solutions

The threat landscape is evolving. Attackers are getting craftier with infiltrating secure environments. Is your endpoint protection able to keep up? In many cases, organizations just aren’t sure.

The increase in the number of cyberattacks targeting endpoints — and attackers using craftier methods to gain access to user machines — has lead to a highly competitive endpoint protection market. There’s plenty of confusion surrounding what differentiates one endpoint protection solution from another, let alone which product will meet your unique business needs.

Among the claims and counter-claims about which solution is best, the reality is that the right solution for your organization is not necessarily the one with the loudest voice in the marketplace.

Instead, consider whether your approach to endpoint protection matches that of the providers you evaluate. With rapid changes in the way malware and threat actors are compromising victims, which security solutions are keeping up?

Let’s take a look at seven basic checks that can help enhance endpoint compliance and lead to better protection against cyberattacks.

  1. Don’t underestimate the risks of mobility

    The traditional approach that legacy AV software is just there to protect your devices from malware and data loss creates a blind spot in defensive thinking. The task is to protect your network from both internal and external threats, and that includes the potential threat from end-user behavior when they’re mobile and off-network.

    Today, users who login from airports and cafés using public and open access points pose a greater threat to the corporate network.

    Modern, integrated security thinking understands that this means more than just anti-malware or AV coverage on the device. Off-network content filtering and media control are necessary adjuncts to protect your entire network, regardless of where the threat may come from.

    And in the event a verdict from the agent doesn’t have confidence, having a second layer of defense via a cloud-based malware analysis engine helps handle it in real-time.

  2. Avoid drowning in the noise of alerts

    Even today, some endpoint vendors still believe that the quantity — rather than the quality — of alerts is what should differentiate a superior product from the rest. But alerts that go unnoticed because they are swimming in a sea of hundreds of other alerts clamoring for attention are as good as no alerts at all.

    The Target Corporation learned this lesson at a great cost. False positives (i.e., the boy who cried wolf) condition weary admins and SOC specialists to “tune out” things that may be the next big threat because they simply cannot cope with the quantity of work.

    Rather than a security solution that provides hundreds of single alerts for each command with little or no context, choose one that provides a single alert with the telemetry and details of all the related commands — whether that be one or 100 — automatically mapped into the context of an entire attack storyline.

  3. Secure the endpoint locally

    We live in the age of the cloud, but malicious software acts locally on devices, and that’s where your endpoint detection needs to be, too.

    If your security solution needs to contact a server before it can act (e.g., get instructions or check files against a remote database), you’re already one step behind the attackers.

    Make sure that your endpoint protection solution has the capability to secure the endpoint locally by taking into consideration the behavioral changes and identify malicious processes without cloud dependency.

    And when using a cloud-based second layer, make sure the suspected threat is contained to eliminate impact while a verdict is made.

  4. Keep it simple, silly

    There’s power in simplicity, but today’s threat landscape is increasingly sophisticated. While some vendors think the number of tools they offer is a competitive advantage, it just increases the workload on your staff and locks knowledge into specialized employees who may one day take themselves — and that knowledge — elsewhere.

    You want to be able to eliminate threats fast and close the gaps without needing a large or dedicated SOC team. Look for endpoint protection that takes a holistic approach, builds all the features you need into a unified client and is managed by a user-friendly console that doesn’t require specialized training.

  5. Build for the worst-case scenario

    Let’s face it, ANY protection layer can fail. It’s the nature of the game that attackers will adapt to defenders. If you can’t see what your endpoints are doing, how can you be sure that one of them hasn’t been compromised?

    Has a remote worker clicked a phishing link and allowed an attacker access to your network? Is a vulnerability in a third-party application allowing cybercriminals to move around inside your environment undetected? Have you factored for attackers who have now embraced encrypted threats (e.g., HTTPs vectors) and acquired their own SSL certificates?

    The modern cyber threat landscape requires a defense-in-depth posture, which includes SSL/TLS decryption capabilities to help organizations proactively use deep packet inspection of SSL (DPI-TLS/SSL) to block encrypted attacks. DPI-SSL technology provides additional security, application control, and data leakage prevention for analyzing encrypted HTTPs and other SSL-based traffic.

    In addition, drive visibility into application vulnerability risk and control over web content access to reduce the attack surface.

  6. Drive compliance across all endpoints

    It’s the quiet ones at the back you have to look out for. If your enterprise is 95% harnessed to one platform, it doesn’t mean you can write-off the business risk presented by the other 5% as negligible.

    Attackers are able to exploit vulnerabilities in one device and jump to another, regardless of what operating system the device itself may be running. To avoid the risk of vulnerable endpoints connecting to your corporate network, integrate endpoint security with your firewall infrastructure and restrict network access for endpoints that don’t have endpoint protection installed on the machine.

    Remember, you’re only as strong as your weakest link.

  7. Don’t trust blindly

    Blocking untrusted processes and whitelisting the known “good guys” is a traditional technique of legacy AV security solutions that attackers have moved well beyond, and businesses need to think smarter than that, too.

    With techniques like process-hollowing and embedded PowerShell scripts, malware authors are well-equipped to exploit AV solutions that trust once and allow forevermore. Endpoint protection needs to look beyond trust and inspect the behavior of processes executing on the device. Is that “trusted” process doing what it’s supposed to be doing or is it exhibiting suspicious behavior?

Endpoint protection integrated across your environment

SonicWall Capture Client is a unified endpoint offering with multiple protection capabilities. With a next-generation malware protection engine powered by SentinelOne, Capture Client applies advanced threat protection techniques, such as machine learning, network sandbox integration and system rollback.

The solution uses automated intelligence to adapt and detect new strains of malware through advanced behavior analytics. It provides multi-layered defense against advanced threats, like fileless malware and side-channel attacks, using SentinelOne’s AI-driven behavioral analysis and SonicWall Real-Time Deep Memory InspectionTM (RTDMI) engine with the Capture Advanced Threat Protection (ATP) sandbox service.

The solution also delivers granular visibility into threat behavior, helping identify potential impact and remediation actions. A sound endpoint protection solution also should be paired with a defense-in-depth security strategy across all the key layers of transport, including email, network and cloud.

4 Ways the WhatsApp Exploit Could Use Employees to Infiltrate Your Network

The recent WhatsApp breach was very sophisticated and clever in the manner it was delivered. And that should be expected considering who was reported as being behind the zero-day attack against the popular messaging application.

But the attack against the WhatsApp app is not just a concern for its millions of global customers. There’s a very real and imminent threat to businesses and enterprises, too.

For example, let’s assume one of your employees has WhatsApp installed on their device and it is subsequently compromised via the latest WhatsApp exploit. In many situations, this employee will, at some point, connect their device to the corporate network.

This legitimate access could be via VPN, cloud applications (e.g., Office 365, Dropbox, etc.), corporate Wi-Fi or, my personal “favorite,” plugging the device into the USB port of a corporate laptop so the phone can charge. Understanding how and where users connect to the corporate network is critical.

In most cases, organizations can’t prevent personal BYOD phones from being compromised — particularly when outside the network perimeter. They can, however, protect the network from exploits delivered via the compromised phone. Here are the four most common ways the WhatsApp vulnerability could be leveraged to infiltrate a corporate network and, more importantly, how SonicWall can prevent it:

  1. Via VPN. If an employee connects to corporate over VPN, SonicWall, for example, would be the endpoint where they establish the VPN Threat prevention (e.g., firewalls, Capture ATP) and access control (e.g., Secure Mobile Access) would prevent the WhatsApp breach from spreading any further than the compromised phone.
  2. Via Wi-Fi. In this scenario, next-generation firewalls and secure wireless access points should be in place to inspect all internal traffic and prevent the exploit from going further than the phone.
  3. Via compromised credentials. Because the WhatsApp exploit enabled attackers to steal credentials to cloud services and apps, organizations with Cloud Access Security Broker (CASB) solutions, like SonicWall Cloud App Security, would mitigate account takeovers (ATO), unauthorized access and any related data leakage.
  4. Via USB port. Users often forget that a powered USB port on their laptop is an entry point for attackers — even when doing something as innocent as charging a phone. A sound endpoint protection solution (see diagram), such as Capture Client, would monitor the connection to the laptop and inspect any malicious activity attempting to leverage the USB port to deliver malware payloads.