
Assume you’re going to get breached, even with endpoint security

If the definition of insanity is doing the same thing over and over again and expecting different results, what are we to conclude about the colossal year-over-year growth in endpoint security spending when at least 70 percent of all security breaches start at the endpoint?

Well, it would be hyperbole to say that it’s crazy for enterprises to keep escalating spending on endpoint security, but they should at least acknowledge that doing so doesn’t really shield them from security breaches. In fact, in 2019, 68 percent of IT security professionals said their company experienced endpoint attacks that compromised data or IT infrastructure. Every enterprise should assume that it will be breached even with the latest in endpoint security deployed.

To be fair, endpoint security is a bit of a cat-and-mouse game, where just a single lapse in timely detection and prevention of threats can be “game over” in favor of the attacker. Enterprises don’t really have a choice but to keep trying to stay a step ahead of the bad actors looking for new and innovative ways to infiltrate the corporate network via an employee’s company-issued PC or an employee’s own personal device.

Why endpoints are so hard to protect

Given that the typical corporate-issued laptop hosts numerous applications representing millions of lines of code, the hunting grounds for bad actors are expansive. A good deal of that code may have been written long enough ago that the security standards to which those lines were held have long since fallen out of date. Some of the applications themselves may not be sanctioned by the enterprise and may have been downloaded and installed by the end user visiting a website that is not legitimate. Either way, with all that exposure, some 80 percent of successful breaches are “zero-day attacks,” exploiting newly identified vulnerabilities discovered in the vastness of all that code. There’s just too much uncharted territory for antivirus solutions to defend.

What’s more, BYOPC policies can further amplify that exposure. Personal devices can be malware magnets, making unmanaged PCs the Wild West of endpoint security. Enterprises that lack the resources to secure all these endpoints are providing attackers with an easily traversed gateway to the network and all the resources to which the network is connected.

With Covid-19, the challenges have only increased. We’re far enough into the pandemic now to understand that cyberattacks have multiplied since companies scrambled to shift to a remote-first stance in the first quarter of 2020. Part of that scrambling included altering security policies in an attempt to balance worker productivity with corporate security. In a recent survey of Fortune 2000 CISOs we undertook along with Team8, we found that companies are all over the map when it comes to altering endpoint security and corporate access policies to best address the massive shift to remote work forced by Covid-19:

26 percent of CISOs surveyed have introduced more stringent endpoint security and corporate access measures since the arrival of the pandemic.

35 percent have relaxed their security policies in order to foster greater productivity among remote workers.

39 percent have left their security policies the same.

There’s genuine confusion about how best to empower workers to be productive working remotely, and that just makes for even more fodder for attackers looking to identify and exploit vulnerabilities in corporate-managed and personal endpoints.

Isolation: Not-so-new strategies to enhance protection of the corporate network

For companies whose methods of detecting and preventing endpoint infiltration could be stronger (read: all of them), the focus needs to expand from merely prevention to prevention plus isolation. Prevention will head off many attacks, but all companies must anticipate that some endpoint attacks are going to be successful. As such, they need to have a cogent answer to the question, “Now what?”

Security professionals have been using isolation techniques to keep viruses at bay for years. The strategies have evolved over time, and today include virtual desktop infrastructure (VDI), Desktop-as-a-Service (DaaS), app sandboxing and browser isolation.

VDI and DaaS separate desktop images and applications from the user’s device. The images and applications reside on servers that are most frequently positioned in the cloud. Authorized users access VDI or DaaS resources from their choice of devices: thin clients, corporate-managed laptops, or user-owned devices.

Thin clients are generally very secure, as there is very little code on the endpoint for a cyber attacker to exploit. However, the threat simply migrates to the server, on which a fat client is executing all that code and exposing the network to zero-day and other attacks. Furthermore, VDI and DaaS introduce both cost and user experience challenges when you try to scale them to meet the needs of modern users.

App Sandboxing contains threats coming from the sandboxed application to prevent them from affecting the operating system (OS). It completely blocks attackers who target an app that employs this technique. However, it doesn’t protect against vulnerabilities in other versions of the same app, the many unsupported applications, the underlying OS, middleware, malicious external hardware or networks.

Browser Isolation lets users access the web via a browser application running on a locked-down virtual machine or container in the cloud. Browser isolation does a great job at blocking malicious web content. But it leaves other vectors completely exposed.

Further, limiting endpoint usage strictly to web browsing isn’t adequate for the range of tasks most workers must undertake in the normal course of their workdays. As soon as the user turns to an installed application or connects a peripheral like a thumb drive, the protection of browser isolation is rendered moot.

OS-based isolated workspaces: The best way to protect the corporate network

OS-based isolation represents a deeper and more comprehensive approach to isolation. It lets an end user run multiple operating systems on a single endpoint: an “unlocked” OS with unrestricted access to the internet, email and non-privileged information, and a second, privileged OS that is open only to high-value corporate assets, including sensitive data and other systems.

This second privileged OS allows for no wild internet access, no unsanctioned applications and no peripherals. Corporate data is encapsulated on the endpoint in the isolated environment and cannot be exfiltrated. To be viable at scale, these isolated environments deployed on users’ endpoints must be fully and centrally managed remotely with a robust and fine-grained set of networking, clipboard and data security policies such as access control, application management and insights across the entire workforce. Breaches may still happen in the non-corporate environment, but with no path for malicious code to cross into the corporate environment, the corporate environment remains protected.

Any cyber criminal who infiltrates the unlocked workspace will be contained within it. The attacker cannot reach the privileged OS or even see that it exists. An OS-based isolated workspaces approach is, therefore, an elegant and necessary complement to traditional endpoint security measures. Best of all, isolated workspaces can be deployed with equal efficacy on corporate-managed and non-corporate-managed endpoints, allowing companies greater flexibility to institute or expand BYOPC policies.
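To make the two-workspace model concrete, here is a small policy engine that encodes the rules described above: the unlocked workspace may reach any network, run any application and use peripherals, while the privileged workspace is default-deny, with an explicit allowlist of corporate network ranges and sanctioned applications, no peripherals, and a clipboard that accepts input but never lets content leave. This is an added illustration written for this article, not Hysolate’s code or product policy format; the workspace names, policy fields, corporate IP ranges, application names and the event log are all constructed for the example, and the choice to permit pasting from the unlocked workspace into the privileged one is an assumption made here for usability rather than something the article specifies.

```python
"""Toy policy engine for a two-workspace (unlocked / privileged) endpoint.

Constructed illustration only: the policy schema, workspace names,
corporate CIDR ranges and sanctioned app names are made up for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class WorkspacePolicy:
    name: str
    allow_any_network: bool          # True = unrestricted egress
    allowed_networks: tuple          # CIDR allowlist used when allow_any_network is False
    allow_any_app: bool              # True = unsanctioned apps may run
    allowed_apps: frozenset          # sanctioned apps used when allow_any_app is False
    allow_peripherals: bool          # USB storage, external hardware
    clipboard_out_to: frozenset      # workspaces this one may paste INTO


# Unlocked workspace: wide open, where a breach is expected to be contained.
UNLOCKED = WorkspacePolicy(
    name="unlocked",
    allow_any_network=True,
    allowed_networks=(),
    allow_any_app=True,
    allowed_apps=frozenset(),
    allow_peripherals=True,
    clipboard_out_to=frozenset({"privileged"}),  # assumption: inbound paste permitted
)

# Privileged workspace: default-deny, corporate assets only, nothing leaves.
PRIVILEGED = WorkspacePolicy(
    name="privileged",
    allow_any_network=False,
    allowed_networks=("10.0.0.0/8", "203.0.113.0/24"),  # constructed corporate ranges
    allow_any_app=False,
    allowed_apps=frozenset({"erp-client", "mail-client"}),  # constructed sanctioned apps
    allow_peripherals=False,
    clipboard_out_to=frozenset(),  # no exfiltration path, not even to the unlocked side
)

POLICIES = {p.name: p for p in (UNLOCKED, PRIVILEGED)}


def network_allowed(workspace: str, dest_ip: str) -> bool:
    """Egress check: unrestricted for the unlocked OS, CIDR allowlist for the privileged OS."""
    policy = POLICIES[workspace]
    if policy.allow_any_network:
        return True
    addr = ip_address(dest_ip)
    return any(addr in ip_network(cidr) for cidr in policy.allowed_networks)


def app_allowed(workspace: str, app: str) -> bool:
    """Application control: only sanctioned apps run in the privileged OS."""
    policy = POLICIES[workspace]
    return policy.allow_any_app or app in policy.allowed_apps


def peripheral_allowed(workspace: str) -> bool:
    """Peripheral control: the privileged OS accepts no external hardware."""
    return POLICIES[workspace].allow_peripherals


def clipboard_allowed(src: str, dst: str) -> bool:
    """Clipboard direction check: data may only flow where the source policy permits."""
    if src == dst:
        return True
    return dst in POLICIES[src].clipboard_out_to


def evaluate(event: dict) -> tuple:
    """Decide one event; unknown event kinds are denied (default-deny)."""
    kind = event.get("kind")
    ws = event.get("workspace")
    if ws not in POLICIES:
        return (False, "unknown workspace")
    if kind == "network":
        ok = network_allowed(ws, event["dest_ip"])
        return (ok, "egress allowlist" if ok else "destination not in allowlist")
    if kind == "app":
        ok = app_allowed(ws, event["app"])
        return (ok, "sanctioned app" if ok else "unsanctioned app blocked")
    if kind == "peripheral":
        ok = peripheral_allowed(ws)
        return (ok, "peripherals permitted" if ok else "peripherals blocked")
    if kind == "clipboard":
        ok = clipboard_allowed(ws, event["to"])
        return (ok, "clipboard flow permitted" if ok else "clipboard flow blocked")
    return (False, "unknown event kind denied")


def audit(events: list) -> list:
    """Run a batch of events and return (event, allowed, reason) for review."""
    return [(e, *evaluate(e)) for e in events]


# Constructed event log: what a day on a two-workspace endpoint might look like.
SAMPLE_EVENTS = [
    {"kind": "network", "workspace": "unlocked", "dest_ip": "198.51.100.7"},
    {"kind": "network", "workspace": "privileged", "dest_ip": "198.51.100.7"},
    {"kind": "network", "workspace": "privileged", "dest_ip": "10.20.30.40"},
    {"kind": "app", "workspace": "privileged", "app": "random-download.exe"},
    {"kind": "peripheral", "workspace": "privileged"},
    {"kind": "clipboard", "workspace": "privileged", "to": "unlocked"},
    {"kind": "clipboard", "workspace": "unlocked", "to": "privileged"},
    {"kind": "screenshot", "workspace": "privileged"},
]

if __name__ == "__main__":
    for event, allowed, reason in audit(SAMPLE_EVENTS):
        print("ALLOW" if allowed else "DENY ", event, "-", reason)
```

The design point is that every decision for the privileged workspace starts from “deny” and has to be argued into “allow” by an explicit policy entry, which is what makes the containment claim above hold even when the unlocked side is fully compromised: an attacker there can reach the internet freely but has no route, application, peripheral or clipboard direction into the corporate side. Unknown event kinds are denied as well, so a policy engine that does not yet understand a new channel fails closed rather than open.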

And while the focus of this article has been squarely on security, isolated workspaces offer a huge additional benefit to end users and the enterprise: greater worker productivity through a superior user experience. Providing an isolated workspace that is completely segregated from the corporate environment allows the end user the freedom to access the tools and content they need to do their jobs (and even those that fall outside of their normal workflow) without having to switch devices. There’s no lag typically associated with the less robust isolation solutions, like VDI or DaaS, either.

So go ahead and keep investing in endpoint security solutions. But instead of doing the same thing over and over, look into deploying OS-based isolated workspaces, as well. We don’t want to exaggerate, but some might say you’d have to be crazy not to.

Tal Zamir, Co-Founder & Chief Technology Officer, Hysolate

Tal is the Co-Founder & Chief Technology Officer of Hysolate. A passionate entrepreneur and veteran R&D leader with 15 years of experience in the cyber and IT domains, Tal has been building and hacking software for decades.