Endpoint Defense Starts with Prevention

Everyone understands you have to have an endpoint cyber security strategy. But which strategy? Endpoints, particularly different types of mobile devices, are multiplying rapidly. They can be located anywhere, with always-on access to everything. And because you’re playing defense against wily opponents who are quick to circumvent existing lines of defense to create new attacks, it’s a good bet your endpoint defense of last year won’t be good enough next year.

There’s no doubt endpoints are in the crosshairs of the bad actors. According to the 2019 Symantec Internet Security Threat Report (ISTR), Symantec blocked an average of 10,573 malicious mobile apps per day in 2018. Ransomware infections on mobile devices led the way, up 33% in 2018 compared to 2017. If that weren’t enough, the 2019 ISTR found one in 36 mobile devices were classed as high risk. That includes devices that were rooted or jailbroken, along with devices that with a high degree of certainty had malware installed.

This has become a very important issue that companies must focus on with the average cost of a breach at $3.86 million, and the average cost of a stolen record that contains sensitive and confidential information reaching $148 million. 

I mentioned before, in this blog that many seemingly well-prepared organizations are just seven minutes away from disaster. This peril stems from the design of Active Directory, which exposes the database to every endpoint connected to a domain. The architecture provides attackers the information they need to elevate their privileges to domain admin in about the time it takes to read this blog. Attackers can then access any asset in the domain, effectively taking over an entire enterprise.

Those attackers could hide the stolen admin credentials and use them later, even after being detected and kicked out. Should the attackers succeed, they could establish an Infinite Toxic Domain Loop, requiring a rebuild of the entire Active Directory domain/forest, a difficult, expensive and time-consuming task, or a comprehensive domain credentials clean-up, a complicated process that can lead to network problems.

As these attacks demonstrate, it’s not enough to discover and expel an attacker. Because endpoint detection and response (EDR) by itself is too slow, an effective endpoint defense strategy must put prevention ahead of detection. It’s also essential to extend the umbrella of protection to mobile devices. Mobile devices are always on, always connected and are often used to access both personal and corporate data, increasing their susceptibility to hackers.

Recognizing the danger of endpoint compromise, many organizations pile on multiple endpoint protection products. Ponemon Institute found organizations install, on average, seven different endpoint agents to support IT management and security. Each agent operates independently, with its own console, rules and policies — all of which need to be configured, rolled out, managed, and maintained. In addition to creating more IT overhead and costs, multiple products introduce defense gaps and lead to errors, increasing the chances you’ll miss a threat. One result of this approach is rising attack dwell times, which now average over 190 days.

Symantec Endpoint Security proactively protects your modern endpoints against the full range of mobile threats, including malware, network connection and content attacks, risky apps, and OS vulnerabilities. Symantec Endpoint Security is a complete, integrated endpoint security platform built on four pillars:

• Pre-attack. Focusing on attack surface reduction, advanced policy controls and technologies continuously scan for vulnerabilities and misconfigurations across applications, Active Directory, and devices.

• Attack. Aimed at attack prevention, multiple defensive layers protect against file-based and fileless threats, using machine learning and AI to identify and block new and evolving malware attacks in real time.
   
• Breach. Intrusion prevention and firewall technologies block attacks, preventing command-and-control setup. By controlling the attacker’s perception of Active Directory resources, it defends the primary attack surface against lateral movement and domain admin credential theft. AI and ML adapt endpoint policy thresholds or rules to the current risk profile of the organization.
   
• Post Breach. Combining EDR and SOC analyst expertise to perform response and remediation enables quick close-out of endpoint incidents, minimizing attack impacts. Integrating EDR in a single-agent architecture that covers both traditional and modern endpoints enables precise detection of advanced attacks. Real-time analytics assists the pursuit of threats as well as investigation and remediation.

Many cyber security providers focus on one or two of these pillars and seem to assume the others will take care of themselves. For comprehensive protection across the attack chain, you need to focus on all four. A key part of the Symantec Integrated Cyber Defense platform, Symantec Endpoint Security does just that in a single-agent, integrated solution that’s available on-prem, as a cloud service, or in a hybrid model.