One outcome of the recent widespread transition to remote work has been that many businesses have faced considerable challenges around establishing and managing an effective endpoint security strategy. The explosion of remotely connected devices now on enterprise networks has created gaps in security, exposing organizations and their employees to increased levels of cyber risk. This trend was highlighted in FortiGuard Labs’ recent Global Threat Landscape Report, which noted a considerable spike in ransomware activity targeted at enterprise organizations during the first half of the year.
Now, as more organizations not only adapt to remote workers, but look at the prospect of long-term or potentially permanent work from home conditions, being able to address the risks that ransomware and hybrid threats pose to device security has become critical. In the coming months, and maybe even years, more devices will be added to the network to accommodate teleworkers. As this happens, IT teams will face increased complexity and reduced visibility and control, thereby weakening endpoint security postures. For this reason, these same teams must work to implement effective endpoint resilience strategies to protect their remote workforce and organizations from threats. This is where partners and MSSPs can demonstrate exceptional value.
Analyzing Critical Threats to Endpoint Security
Before the pandemic, when employees connected their devices to the network, they were protected by the full range of enterprise-class security that monitored their behavior, inspected their traffic, and secured their devices. Today, however, most of those endpoint devices no longer have the security infrastructure they need to be protected against complex attacks – something which cyber criminals are fully aware of. By targeting the devices being used by teleworkers, attackers can gain use them as a springboard to gain access to the larger company network, leading to large-scale data breaches and theft. This year, this strategy has begun with a high level of phishing and ransomware activity documented in the first half of 2020. These attacks target enterprise devices, novice users, and unprotected and unsecured home networks, and they are easy to carry out.
Pertinent ransomware threats tracked by the FortiGuard Labs team included NetWalker, Ransomware-GVZ, and CoViper, all of which targeted users by hiding ransomware in COVID-19-themed messages, attachments, and documents. The speed at which ransomware is being distributed across remote devices raises additional concerns as it allows attackers to also quickly assemble botnets to launch DDoS attacks or distribute malware, all while evading detection.
An additional technique that threat actors have embraced over the past couple of years is the use of Cobalt Strike, a penetration tool that was exploited and made available on the black market. When used for malicious intent, this tool enables cyber criminals to deploy payloads in the form of a keylogger or ransomware within the compromised network to steal data. The severity of these attacks showcases why enterprise customers must prioritize endpoint resilience across their distributed workforces, especially as telework continues as the business norm.
The Endpoint Security Challenge
The primary challenge with endpoint security stems from the fact that IT teams often do not integrate endpoint security into the rest of their network security services. Without a strategy that integrates the network and endpoint solutions into a single, cohesive security strategy, endpoint resilience can only begin at the point at which a device enters the network. This creates a significant gap in security that is being exploited by cyber criminals.
This challenge is becoming even more complicated as network complexity grows, resulting in many organizations now finding themselves unable to effectively monitor the endpoint devices on their networks. Given the growing number of endpoints introduced by remote workforces, tracking when devices enter and leave a network – especially as critical resources can exist anywhere – leaving end-users to connect to the network through the LAN edge, WAN edge, data center edge, or one of many cloud edges – is becoming increasingly difficult. This issue is compounded by the fact that employees also use these devices for personal reasons, creating additional pathways for exploitation.
How Partners Can Assist Customers with Endpoint Security
To address the challenge of endpoint security, organizations need comprehensive tools on their side. MSSP Partners are in a prime position to assist by providing specialized endpoint security solutions that can be easily integrated into an organization’s broader security framework, while providing granular controls not possible using traditional endpoint security software. In addition, partners can also offer threat intelligence capabilities to help customers develop automated threat detection and response capabilities. And because it is no longer realistic for IT teams to rebuild compromised systems, as was once the preferred method, partners should also help customers choose a solution that features remote remediation capabilities to reverse the ramifications of malicious actions.
Two tools, in particular, that should be leveraged to enhance endpoint resilience are endpoint detection and response (EDR) tools and network access control (NAC) solutions.
- Endpoint Detection and Response (EDR) solutions deliver advanced, real-time threat protection for endpoints. These solutions actively reduce an organization’s attack surface by intercepting malware infections and defusing threats in real-time, preventing malware from executing on an endpoint device and blocking their ability to communicate with their command and control servers. By integrating EDR tools with network operations, IT teams are also able to communicate between application controls, thereby streamlining threat detection and response for security teams to ensure protection of all endpoints, even those that are not covered by an EDR agent.
- Network Access Control (NAC) solutions improve visibility into device access and usage on networks, enhancing the customer security teams’ ability to accurately track endpoints. This translates to more secure bring-your-own-device (BYOD) device usage, an essential component of successful remote work operations. NAC solutions also enable customers to limit device access, helping to reduce network complexity and improve security functions. And with a NAC solution in place, customers are also better able to support the needs of their remote workforce through a unified threat management solution.
In addition to choosing a solution, partners can also guide their customers through the integration process, helping them to automate responses beyond the endpoint. By taking this step, they can segment vulnerable, rogue, or suspicious devices from others on the network, and even place compromised endpoints in remediation VLANs.
Final Thoughts
As a partner, you must be able to provide customers with solutions that align with their business objectives and network requirements. For those customers looking to bolster their endpoint resilience to address new telework requirements, EDR and NAC solutions are a necessity. Deploying these solutions on your customers’ networks will help enable their ongoing organizational success by protecting them against today’s sophisticated cyber threats.
By Stephan Tallent, CISSP, senior director MSSP & service enablement, Fortinet. Read more Fortinet blogs here.
