What do we understand by endpoints? Traditionally, an endpoint was any device connected to the LAN or WAN, such as a workstation or end-user PC, a modem, a hub or a switch. Today the term covers a far wider range of devices: laptops, tablets and mobile phones at the edge of the network, network printers, consumer and industrial IoT devices, and point-of-sale systems. Securing this ever-expanding estate has become urgent because these devices are a significant source of risk for cloud services and for the global enterprises that already run on them or are moving towards them.
Endpoints are widely regarded as the weakest link in the security chain. According to the Absolute Endpoint Security Trends Report 2019, 70 per cent of breaches originate at the endpoint, and 42 per cent of endpoints are unprotected at any given time. The shift to remote working during the COVID-19 lockdown is likely to have pushed these figures higher.
Endpoints, and unmanaged endpoints in particular, typically have a weaker security posture than servers: anti-virus or internet security software is out of date, the device is shared between users, it runs counterfeit or unlicensed software that cannot receive vendor updates, or it operates from an untrusted network such as home or public Wi-Fi. Each of these raises the likelihood of compromise.
Unmanaged endpoints accessing a network remotely usually present a higher risk of sensitive data, including corporate login credentials, being stolen by keylogging. The NTT Security Threat Intelligence Report ranks keylogging, together with spyware, as the most prevalent malware category globally, so protection against keylogging should be a priority.
API-based keyloggers are the more common kind. They run in user mode and capture keystrokes through the operating system's keyboard APIs (on Windows, typically a low-level keyboard hook installed with SetWindowsHookEx, or repeated polling of GetAsyncKeyState), storing a record for the attacker to collect later. Kernel-based keyloggers are the more dangerous kind. They run as a driver, for example a filter driver attached to the keyboard class driver stack, and record keystrokes as they pass through the kernel before any user-mode application sees them. Because they run at the same privilege level as the security software that is supposed to find them, they are far harder to identify and remove.
The most prevalent protections against endpoint keylogging today are AV (anti-virus) and EDR (Endpoint Detection and Response). Both rest on malware detection, whether signature-based or behavioural. However, malware detection, and particularly detection of newly released kernel-level malware, is difficult and increasingly complex, because a kernel component can hide its presence from the very telemetry the detection relies on.
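The following is an added example, not code from the original article or from any vendor it mentions, showing what behavioural detection of the two keylogger classes described above looks like when run over endpoint telemetry. The telemetry records, process names, signer allowlist and polling threshold are all constructed for the example; the event schema is an assumed simplification of EDR API-call and driver-load events, and the only real constant is WH_KEYBOARD_LL (13). The point it illustrates is the asymmetry the text describes: an API-based keylogger is visible as a global keyboard hook or a burst of key-state polling from an untrusted process, while a kernel-based one is visible only at the moment its driver attaches to the keyboard stack, after which user-mode telemetry sees nothing.

```python
"""Heuristic keylogger detection over constructed endpoint telemetry."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

WH_KEYBOARD_LL = 13          # real Win32 constant: low-level keyboard hook
POLL_WINDOW_MS = 1000        # assumed: sliding window for GetAsyncKeyState polling
POLL_THRESHOLD = 50          # assumed: >= 50 polls per window looks like a keylogger
TRUSTED_SIGNERS = {"Microsoft Windows", "Example Accessibility Ltd"}  # assumed allowlist


@dataclass
class Event:
    ts_ms: int
    pid: int
    image: str
    signer: Optional[str]    # None means the image/driver is unsigned
    kind: str                # "api_call" or "driver_load"
    detail: dict = field(default_factory=dict)


@dataclass
class Finding:
    pid: int
    image: str
    technique: str
    severity: str
    reason: str


def detect_keyloggers(events):
    """Return a list of Findings for API-hook, polling and kernel-filter keylogger patterns."""
    findings = []
    polls = defaultdict(list)   # (pid, image) -> timestamps of GetAsyncKeyState calls
    for e in sorted(events, key=lambda ev: ev.ts_ms):
        trusted = e.signer in TRUSTED_SIGNERS
        api = e.detail.get("api")
        if e.kind == "api_call" and api == "SetWindowsHookEx":
            # A global (dwThreadId == 0) low-level keyboard hook from an untrusted image
            # is the classic API-based keylogger. Thread-local hooks are normal app behaviour.
            if (e.detail.get("idHook") == WH_KEYBOARD_LL
                    and e.detail.get("dwThreadId") == 0 and not trusted):
                findings.append(Finding(e.pid, e.image, "api_hook_keylogger", "medium",
                                        "global WH_KEYBOARD_LL hook from untrusted image"))
        elif e.kind == "api_call" and api == "GetAsyncKeyState" and not trusted:
            polls[(e.pid, e.image)].append(e.ts_ms)
        elif e.kind == "driver_load":
            # Kernel-based keylogger: a filter driver attaching to the keyboard class stack.
            # This load event is the only cheap observation point; once the driver is in the
            # kernel, user-mode telemetry cannot see it recording keystrokes.
            if e.detail.get("attached_to") == r"\Driver\kbdclass" and not trusted:
                findings.append(Finding(e.pid, e.image, "kernel_filter_keylogger", "high",
                                        "untrusted driver attached to keyboard class stack"))
    # Polling keylogger: many GetAsyncKeyState calls inside one sliding window.
    for (pid, image), stamps in polls.items():
        stamps.sort()
        j = 0
        for i, t in enumerate(stamps):
            while t - stamps[j] > POLL_WINDOW_MS:
                j += 1
            if i - j + 1 >= POLL_THRESHOLD:
                findings.append(Finding(pid, image, "polling_keylogger", "medium",
                                        f"{i - j + 1} GetAsyncKeyState calls in {POLL_WINDOW_MS} ms"))
                break
    return findings


def _polling_burst(pid, image, start_ms, count, gap_ms):
    return [Event(start_ms + i * gap_ms, pid, image, None, "api_call",
                  {"api": "GetAsyncKeyState"}) for i in range(count)]


# Constructed telemetry: benign and malicious patterns side by side.
SAMPLE_EVENTS = [
    # Allowlisted accessibility tool: global hook is expected, must not be flagged.
    Event(1000, 1001, "a11y_reader.exe", "Example Accessibility Ltd", "api_call",
          {"api": "SetWindowsHookEx", "idHook": WH_KEYBOARD_LL, "dwThreadId": 0}),
    # Unsigned editor hooking only its own thread: normal, must not be flagged.
    Event(1200, 1002, "editor.exe", None, "api_call",
          {"api": "SetWindowsHookEx", "idHook": WH_KEYBOARD_LL, "dwThreadId": 5588}),
    # Unsigned image installing a global keyboard hook: API-based keylogger.
    Event(1500, 2002, "updater.exe", None, "api_call",
          {"api": "SetWindowsHookEx", "idHook": WH_KEYBOARD_LL, "dwThreadId": 0}),
    # Unsigned driver attaching to the keyboard class stack: kernel-based keylogger.
    Event(2000, 4, "kbdflt.sys", None, "driver_load", {"attached_to": r"\Driver\kbdclass"}),
] + _polling_burst(3003, "svchelper.exe", 3000, 80, 10)   # 80 polls in 0.8 s


if __name__ == "__main__":
    for f in detect_keyloggers(SAMPLE_EVENTS):
        print(f"[{f.severity}] pid={f.pid} {f.image}: {f.technique} ({f.reason})")
```

Running it reports three findings (the global hook from updater.exe, the polling burst from svchelper.exe, and the kbdflt.sys driver load) and nothing for the allowlisted tool or the thread-local hook. The signer allowlist is doing real work here: global low-level hooks are also how screen readers and macro tools operate, so without it the API-hook rule would be noisy. The kernel rule is deliberately narrow because it is the last chance to see the driver; on a fleet that enforces driver signing and hypervisor-protected code integrity the unsigned load should not succeed at all, which is the preventive control that complements this detection.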
AV and EDR have their limitations, but malware detection still has its place as one layer in a layered approach to security, where multiple controls complement and reinforce each other. Layering provides depth: an attack that bypasses one control is stopped by another. The most valuable asset, the data and the specific applications that handle sensitive data, should sit at the centre, with the security layers wrapped around it.
Protection techniques that securely wrap sensitive data, and the applications that process it, are emerging as best of breed. The applications in question are the ones through which data enters the cloud, and there are many of them: online office tools, enterprise applications such as SAP and Oracle, and remote access solutions such as Citrix, VMware and RDP. By securing the data as it is entered into these applications, an organisation aims to make the unmanaged devices used outside the corporate perimeter at least as safe to work from as a standard managed corporate device.
One approach is to use containerisation or virtualisation, both of which encapsulate an application in its own operating system environment. A virtual machine brings its own guest operating system and kernel, isolated from the host by a hypervisor. A container shares the host's kernel and isolates only the user-space view of the system, which is why containerisation is sometimes called operating system virtualisation: it is a fast, light-weight form of virtualisation with a smaller image, lower resource use and quicker provisioning. The trade-off is that a container is only as isolated as the shared host kernel allows. A kernel vulnerability, or malicious code already running in the host kernel, affects everything inside the container, whereas a virtual machine is exposed only through the hypervisor and its device emulation.
Containerisation means that applications run in a controlled, clean environment, which narrows the attack surface: only the minimum services need be included in the container. This brings many advantages, but it is important to recognise that container security can be undermined by malicious code that gains permission to execute inside the container, or by code operating through the shared kernel. A kernel-level keylogger or screen-capture driver on the host sees the container's keystrokes and screen exactly as it sees everything else. The answer is to bolster the applications that handle sensitive data inside the container with additional controls. In practice, a combination of simple containerisation, security injected into the application, and anti-keylogging that together wrap the remote access, enterprise and SaaS applications used from endpoint devices works well.
Standard AV and EDR solutions often fall short of the mark on unmanaged endpoints. EDR depends on an agent that the organisation installs, configures and monitors, so a device outside the corporate perimeter that the organisation does not manage typically has no EDR coverage at all.
Endpoints need a baseline security profile that neutralises any malware that gets past the other protections on the device. The solution should tackle the key threats to endpoints and applications: keylogging, screen capture, session hijacking and common malware, Man-in-the-Browser and Man-in-the-Middle attacks, DLL injection, and harvesting of account details saved in the browser. It should protect logon credentials and extend that protection across the entire session, secure sensitive data entered into local applications, and avoid introducing browser compatibility issues. To find out more about why this is important right now, please read the full article in Network Security Journal.