This article is part of a VB special issue. Read the full series here: Zero trust: The new security paradigm.
Most enterprises don’t know how many endpoints they have active on their networks because their tech stacks were designed to excel at the concept of “trust but verify,” rather than zero trust. The gap between how many human and machine-based endpoints organizations know versus have is growing.
Jim Wachhaus, attack surface protection evangelist at CyCognito, told VentureBeat in an interview that it is common to find organizations generating thousands of unknown endpoints a year. In addition, a Cybersecurity Insiders report found that 60% of organizations are aware of fewer than 75% of the devices on their network, and only 58% of organizations say they could identify every vulnerable asset in their organization within 24 hours of a critical exploit.
A recent Tanium survey found that 55% of security and risk management leaders believe that 75% or more of endpoint attacks will not be stopped. The typical enterprise is managing approximately 135,000 endpoint devices today and 48% of them, or 64,800 endpoints, are undetectable on their networks.
A recent Ponemon Institute report, sponsored by Adaptiva, found that the average annual budget spent on endpoint protection by enterprises is approximately $4.2 million. While endpoint spending continues to increase, so does the gap between how many endpoints are known and protected on a given enterprise’s network.
An exclusive invite-only evening of insights and networking, designed for senior enterprise executives overseeing data stacks and strategies.
Zero-trust frameworks are needed to close endpoint gaps
CISOs need to consider that defining a zero-trust network access (ZTNA) framework for their businesses accelerates how quickly they can close gaps in endpoint security. A close second priority must be adopting ZTNA techniques, including microsegmentation and least-privileged access, to protect both human and machine identities.
It is common knowledge in the cybersecurity community that human and machine identities are under siege, with endpoints being the primary attack vectors. Cyberattackers use endpoints to take control and exfiltrate data from identity access management (IAM) and privileged access management (PAM) systems.
In 2021, market revenue for ZTNA rose by 62.4%, according to an analysis by Gartner. The research giant’s 2022 Market Guide for Zero-Trust Network Access provides useful insights security and risk professionals can use to see how their organizations can benefit from zero-trust security.
“Zero trust requires protection everywhere — and that means ensuring some of the biggest vulnerabilities like endpoints and cloud environments are automatically and always protected,” said Kapil Raina, VP of zero-trust, identity and data security marketing at CrowdStrike. “Since most threats will enter into an enterprise environment either via the endpoint or a workload, protection must start there and then mature to protect the rest of the IT stack.”
A report from CrowdStrike found that, “adversaries have demonstrated their ability to operate in complex environments — regardless of whether they consist of traditional endpoints, cloud environments or a hybrid of both.”
CrowdStrike’s threat hunting team identified 77,000 intrusion attempts, or one on average every 7 minutes.
“A key finding from the report was that upwards of 60% of interactive intrusions observed by OverWatch involved the use of valid credentials, which continue to be abused by adversaries to facilitate initial access and lateral movement,” said Param Singh, VP of Falcon OverWatch at CrowdStrike.
Zero trust is the future of endpoint security
Building a business case for adopting a ZTNA framework needs to cover cloud, endpoint security and insider risk scenarios to be effective. George Kurtz, CrowdStrike’s cofounder and CEO, said during his keynote at Fal.Con on how important consolidating security tech stacks are to customers. He emphasized the strategic role of extended detection and response (XDR) in the company’s product strategy, centering on endpoint detection and response (EDR) as its foundation.
“Zero trust, by definition, requires multiple technologies and process elements — and demands scale of data analysis and speed of execution to stop modern attacks,” said Raina. “With most CISOs now looking to consolidate security vendors, they are looking for a platform approach. A platform approach ensures a frictionless execution to zero-trust deployment — and leverages an enterprise’s existing investments — all in a standards-based, integrated model.”
Zero trust is the future of endpoint security because it addresses the following five areas:
1) Ransomware is endpoint security’s most persistent threat
Ransomware continues to proliferate, increasing by 466% in three years. Ivanti’s Ransomware Index Report Q2-Q3 2022 identifies the vulnerabilities that most lead to ransomware attacks and how quickly undetected ransomware attackers work to take control of an entire organization. Ivanti’s report discovered 10 new ransomware families, totaling 170. There are 154,790 vulnerabilities in the National Vulnerability Database (NVD) that are the basis of the analysis.
Additionally, 47 new vulnerabilities, or CVEs, were added to CISA’s Known Exploited Vulnerabilities Catalog in the last quarter alone. Unknown endpoints that often aren’t secured are what cyberattackers look for to launch ransomware attackers with these new ransomware families.
Endpoint protection platforms (EPPs) are becoming increasingly data-driven. Leading vendors’ EPPs with ransomware detection and response include Absolute Software, whose Ransomware Response builds on the company’s expertise in endpoint visibility, control and resilience. Additional vendors include CrowdStrike Falcon, Ivanti, Microsoft Defender 365, Sophos, Trend Micro, ESET and others.
2) Getting microsegmentation right is challenging, but essential
The goal of microsegmentation is to segregate, then isolate defined segments of a network to reduce the total number of attack surfaces and reduce lateral movement. It’s a core element of zero trust and is integral to the NIST’s zero-trust architecture. Getting microsegmentation right is also table stakes for creating a successful ZTNA framework. It becomes challenging when defining which identities belong in a given segment: it often becomes an iterative process in assigning least privileged access to every human and machine identity across a network.
3) Eliminating agent sprawl, misconfigurations and breaches by automating device configurations
Eighty-two percent of data breaches involve mistakes in configuring databases and administrator options and accidentally exposing entire networks to cybercriminals. There are 11.7 security agents installed on average on a typical endpoint today. The more security controls per endpoint, the more frequent collisions and decay occur, leaving them more vulnerable.
Self-healing endpoint management platforms that can rebuild and reconfigure themselves after an intrusion attempt are in demand because they save IT’s time while reducing the risk of endpoint misconfigurations. Self-healing endpoints are designed to turn themselves off, automatically update device configurations, perform patch management and then redeploy themselves without human interaction.
Over 150 cybersecurity vendors claim to have self-healing endpoint management platforms that can automate device configurations and deployment today. G2Crowd currently tracks 42 of them. Leaders include Absolute Software, which has firmware-embedded persistence technology that enables endpoints to self-heal while providing an undeletable digital tether to every PC-based endpoint.
Others include Malwarebytes for Business, CrowdStrike Falcon Endpoint Protection Platform, Cybereason Defense Platform, ESET PROTECT Platform and Ivanti Neurons, which uses artificial intelligence (AI)-based bots for self-healing, patching and protecting endpoints. Additionally, Microsoft Defender 365 takes its own approach to self-healing endpoints by correlating threat data from emails, endpoints, identities and applications.
4) Automating patch management across endpoints reduces the risk of a breach
Security professionals spend just over a third of their time on patch management and related coordination across departments. In addition, just over half of security professionals, 53%, say that staying on top of critical vulnerabilities takes up most of their time.
Of the many advances in this area by EPP vendors, Ivanti’s launch of an AI-based patch intelligence system is noteworthy for its unique approach to scaling patch management. Neurons Patch for Microsoft Endpoint Configuration Monitor (MEM) is built using a series of AI-based bots to seek out, identify and update all patches across endpoints that need to be updated. Additional vendors providing AI-based endpoint protection include Broadcom, CrowdStrike, SentinelOne, McAfee, Sophos, Trend Micro, VMware Carbon Black, Cybereason and others.
5) Adopt a zero trust-based unified endpoint management (UEM) platform
Verizon’s Mobile Security Index for 2022 discovered a 22% increase in cyberattacks involving mobile and IoT devices in the last year. Advanced UEM platforms can also provide automated configuration management and ensure compliance with corporate standards to reduce the risk of a breach. The most advanced platforms can protect employees’ devices without downloading and configuring agents, which is a significant time-saver for IT teams.
CISOs continue to pressure UEM platform providers to consolidate their platforms and provide more value at lower costs. Gartner’s latest Magic Quadrant [subscription required] for UEM tools reflects CISOs’ impact on the product strategies at IBM, Ivanti, ManageEngine, Matrix42, Microsoft, VMware, Blackberry, Citrix and others.
Ivanti and VMware were the only two vendors recognized by Gartner for their zero-trust capabilities. Gartner wrote in its Magic Quadrant update that “Ivanti continues to add intelligence and automation to improve discovery, automation, self-healing, patching, zero-trust security and DEX via the Ivanti Neurons platform.”
This reflects the success Ivanti’s been having with multiple acquisitions over the last few years. Its series of successful acquisitions, including RiskSense, MobileIron, Cherwell Software and Pulse Secure, is looking to provide CISOs with the consolidated tech stacks they need to improve endpoint security and achieve their zero-trust objectives.
Getting endpoint security right
Going into 2023, CISOs will be under more pressure to consolidate tech stacks and improve visibility and control across all endpoints. It will be a challenge for many, as machine identities outnumber humans by 45 times or more. Self-healing endpoints capable of shutting themselves down when an intrusion attempt is detected, reconfiguring their system and agent software autonomously, reflect the future of endpoint security technology.
Endpoints that rely on firmware to provide self-healing, resilience and an undeletable digital tether to every PC-based endpoint also provide valuable telemetry data, further improving visibility. This also enables ZTNA frameworks to identify every endpoint on a network, whether the device is connected or not.
VentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Discover our Briefings.