This article was provided by James Doswell (pictured), senior cyber risk management consultant at Travelers Europe.
Over the last few years, the rapid shift to remote work and use of smart devices has dramatically changed how organisations and employees use information technology. Many staff are now highly mobile and work from multiple locations including home or public networks. The change has ushered in a range of security threats as criminals look to leverage personally identifiable information and gain financially from unsuspecting targets.
Consequently, traditional IT security practices are no longer enough. We must strengthen protection directly at the endpoint – the servers, laptops, desktops, smartphones and tablets we use – and not focus merely on the network.
Before our working practices changed – and more businesses adopted remote working and cloud service – organisations often managed cyber threats using a perimeter firewall with one or more secure internal networks. Beyond that, they would use a ‘demilitarised zone’ (DMZ) network to house internet-facing services such as email or web servers. This provided extra security and separation from internal systems holding confidential information.
Endpoint protection traditionally included antivirus software and a personal firewall to guard against unauthorised inbound connections. Often, antivirus protection involved just signature-based checks for malware. Each file on a computer would be scanned against a database of signatures to see if part of that file matched, which signified it was either compromised or was malware itself. This scanning consumed substantial time and disk activity, significantly slowing user response times.
As IT security requirements have changed, multiple new solutions have come to market. Legacy systems such as antivirus solutions have also been updated and modified to account for security shortcomings. This huge array of protections can make it difficult for even seasoned IT professionals to determine the best course. Worse, determined attackers can bypass many of these protections. Organisations must therefore choose software carefully – selecting products not just for their brand name or reputation, but because they are best suited to particular security tasks.
Nowadays, endpoint protection can include any combination of:
These protections, combined with up-to-date patching to debug or enhance software, complement each other to provide the depth of security we recommend organisations have.
One solution not mentioned here that many are unaware of, but which is important to cover in more detail, is an endpoint protection platform (EPP). Better EPP solutions augment these layers of security to create an exceptionally strong security architecture.
Unfortunately, even for organisations with strong security systems and diligent patching, the biggest threat is the unknown. If, for example, unknown malware strikes between the release of a software patch and its application to businesses, it could be catastrophic, particularly if multiple organisations are taken offline.
The software protecting a system is only as good as its code. If there are ways to access a system with elevated privileges, an attacker can usually disable the security software. One example of this is the BlackCat Ransomware as a Service. A hacker subscribing to the service can literally choose a variety of attack methods – and even select from an extensive list of security software they want to bypass. The service then provides the subscriber with tools to evade security and increase their attack footprint.
Cyber risk appears to have no limit as attackers constantly change their methods and targets. How can businesses protect against the unknown? We might throw expense and technology at it and hope artificial intelligence can improve and analyse threats faster and more accurately – or we can respond based on how malware works.
Simply put, malware is code that, when loaded into a computer’s memory, can be read and used to execute instructions for malicious purposes. To compromise a computer, malware must write itself to that computer – either through a file being written to it or via a direct in-memory-only attack. Fortunately, the latter is exceptionally difficult to accomplish. This malware is generally considered to have been written by governments and represents a small subset of malware overall.
If you follow malware’s path of attack, the progression relies on getting executable code onto a device and set to run. While antivirus, EDR, XDR and other security solutions allow a file to be written to disk, at which point they react to it, a good EPP solution behaves differently. It is embedded in the ring 0 architectural layer of a system and can take full control of the input/output channel.
From here, it controls the write (or block) of every file, checking each one to see if it is executable. Whenever the system detects a specific byte sequence attempting to be written, the ‘unknown’ executable file is blocked by the EPP software and the computer remains secure. It operates quickly and efficiently compared to traditional antivirus checks because it only has to check for the executable header bytes of the file being written. If those bytes that signify the file is executable are detected, the EPP blocks it from being written to the computer.
EPP offers stronger protection at a time when the security landscape is becoming increasingly sophisticated. An organisation’s endpoints are its new weak points. Businesses must be vigilant to stay ahead of the threats.
The information provided in this document is for general information purposes only. It does not constitute legal or professional advice nor a recommendation to any individual or business of any product or service. Insurance coverage is governed by the actual terms and conditions of insurance as set out in the policy documentation and not by any of the information in this document
