Learn 10 endpoint protection features you should have in place to secure your business.
Antivirus protection has been one of the staples of cybersecurity ever since virus attacks were spawned in the 90s.
AV protection alone is no longer good enough: most vendors say they are effective against 99% of attacks, which means that at some stage they will be victims of a successful attack. That remaining 1% of attacks use advanced techniques to breach security, such as exploiting legitimate processes, or fileless malware injected when you visit an infected website.
Endpoint protection is no longer a case of deploy and forget, given the constantly changing nature of attacks. Modern endpoint protection now needs to eliminate blind spots and block unknown threats as well as stop known malware.
Given that nearly all attacks must involve endpoint compromise at some stage, getting this component of the security solution right can go a long way towards ensuring your security posture is as high as it can be.
A good endpoint protection solution should be agile and have elements of automation to ensure known and unknown threats are blocked. Some of the important features that need to be in place are outlined below.
- Next Generation AV capability – endpoint protection systems need enhanced AV capability with the ability to detect new attacks in real time; it therefore needs to look at behaviour and not just the signatures of known attacks
- Use multiple malware detection techniques – effective protection against malware needs multiple detection and protection techniques. These could include AV-type signatures, fileless malware detection, sandboxing, machine learning, cloud lookup, vulnerable software classification and more. The more techniques the better, as long as functionality is not compromised
- Prevent fileless malware – most malware is carried in regular attachments such as Word, PDF and Excel files; however, emerging attacks are fileless, and endpoint protection needs to protect against attempts to hijack legitimate applications
- Endpoint Detection and Response – endpoint detection now needs to be more than responding after the event, once the attack has already occurred. The solution needs to monitor all activities on the endpoint, identify the beginnings of an attack based on unusual behaviour, and respond accordingly. This applies especially to new/unknown attacks that are appearing for the first time, as signature-based techniques alone will not protect against these
- Cloud intelligence feed – the dynamic nature of attacks means that malware can use resources spun up and torn down on public cloud infrastructure in minutes, so new endpoint protection systems also need access to constant feeds of threat updates from intelligence systems and specialist threat hunters
- Cloud architecture – use a cloud-based architecture to make use of big data and up-to-date intelligence feeds. It also enables the user base to scale up seamlessly across fixed and remote locations as well as mobile clients
- Share intelligence across systems – once malware is detected by the endpoint security system, the information should be shared with other systems such as email/web/network security devices to prevent further attempts or infection. The endpoint security should also be able to take feeds from these systems
- Protect all endpoint types – all systems accessing data should be comprehensively protected. This must include Windows/Mac/Linux/Android and iOS, especially given that mobile devices account for over 50% of web access
- Dynamic analysis and sandboxing – detection of unknown threats can be greatly enhanced by the ability to execute and test malware in a sandbox environment; the results can be fed back to endpoint protection
- Log everything – a logging solution should be in place, and logs from all critical assets should be sent to it. This provides an invaluable tool for any future analysis, especially when a breach occurs
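To make the "unusual behaviour" and "hijacked legitimate application" points above concrete, here is an added example (not code from the original article or from any product it describes) of the kind of check an EDR component runs over process-creation telemetry. It flags an attack by behaviour, which process launched which and how, rather than by a file signature, and emits records that can be forwarded as JSON to a central logging system and shared with other controls. The event field names, the process allowlists and the baseline of "normal" parent/child pairs are all assumptions chosen for illustration, and every event shown is constructed.

```python
"""Behaviour-based endpoint detection over process-creation telemetry.

Added example, not part of the original article. Field names (ts, host,
parent, image, cmdline), the process lists and the baseline below are
assumptions, not any real product's schema; all events are constructed.
"""
import json
from collections import Counter

# Constructed baseline: parent -> child pairs seen during a "normal" period.
# A real EDR would learn this from days of fleet telemetry.
BASELINE_PAIRS = {
    ("explorer.exe", "winword.exe"),
    ("explorer.exe", "outlook.exe"),
    ("explorer.exe", "chrome.exe"),
    ("outlook.exe", "winword.exe"),
    ("services.exe", "svchost.exe"),
    ("explorer.exe", "powershell.exe"),  # admins do open a console by hand
}

# Applications that open untrusted content; they have no business launching
# script interpreters or shells (the "hijacked legitimate application" case).
DOCUMENT_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}

# Constructed process-creation events, as a logging solution would receive them.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T09:00:01Z", "host": "ws-017", "parent": "explorer.exe",
     "image": "winword.exe", "cmdline": "winword.exe C:\\Users\\a\\invoice.docx"},
    {"ts": "2024-03-01T09:00:07Z", "host": "ws-017", "parent": "winword.exe",
     "image": "powershell.exe", "cmdline": "powershell.exe -w hidden -enc <base64-placeholder>"},
    {"ts": "2024-03-01T09:01:00Z", "host": "ws-017", "parent": "services.exe",
     "image": "svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"ts": "2024-03-01T09:02:30Z", "host": "ws-042", "parent": "explorer.exe",
     "image": "powershell.exe", "cmdline": "powershell.exe Get-Service"},
    {"ts": "2024-03-01T09:03:10Z", "host": "ws-042", "parent": "chrome.exe",
     "image": "mshta.exe", "cmdline": "mshta.exe http://example.invalid/page.hta"},
]

SEVERITY = {
    "document_app_spawned_interpreter": "high",
    "obfuscated_or_hidden_powershell": "high",
    "parent_child_pair_not_in_baseline": "medium",
}
RANK = {"medium": 1, "high": 2}


def classify_event(event, baseline=BASELINE_PAIRS):
    """Return the behavioural findings for one event; an empty list means routine."""
    parent, image = event["parent"].lower(), event["image"].lower()
    cmd = event["cmdline"].lower()
    findings = []
    # A document viewer launching a shell or script host is a fileless-attack tell.
    if parent in DOCUMENT_APPS and image in INTERPRETERS:
        findings.append("document_app_spawned_interpreter")
    # Hidden windows or encoded commands are not how interactive admins work.
    if image == "powershell.exe" and ("-enc" in cmd or "hidden" in cmd):
        findings.append("obfuscated_or_hidden_powershell")
    # Anything outside the learned baseline is worth a look, even with no rule hit.
    if (parent, image) not in baseline:
        findings.append("parent_child_pair_not_in_baseline")
    return findings


def analyse(events, baseline=BASELINE_PAIRS):
    """Run every event through the checks and return alert records.

    Each record carries host, time, process chain and reasons, so it can be
    forwarded unchanged to a SIEM and to email/web gateways that act on it.
    """
    alerts = []
    for ev in events:
        reasons = classify_event(ev, baseline)
        if not reasons:
            continue
        severity = max((SEVERITY[r] for r in reasons), key=RANK.__getitem__)
        alerts.append({
            "host": ev["host"], "ts": ev["ts"],
            "chain": f'{ev["parent"]} -> {ev["image"]}',
            "severity": severity, "reasons": reasons,
        })
    return alerts


def summarise(alerts):
    """Count alerts per severity, e.g. for a triage queue."""
    return dict(Counter(a["severity"] for a in alerts))


if __name__ == "__main__":
    found = analyse(SAMPLE_EVENTS)
    for alert in found:
        print(json.dumps(alert))
    print(summarise(found))
```

Run as-is, the Word-to-PowerShell chain on ws-017 is reported as high severity on three separate grounds, the unfamiliar browser-to-mshta chain on ws-042 is reported as medium purely because it deviates from the baseline, and the admin's interactive PowerShell session is left alone. The baseline check is what makes the approach useful against attacks seen for the first time: it needs no prior knowledge of the malware, only of what the fleet normally does, which is exactly why the "log everything" point matters.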
Surveys have indicated that most security systems have only a small subset of their features activated. Oftentimes features are not activated due to lack of knowledge or concerns that they may affect performance. Sometimes cost may be an issue, because some features require additional licencing.
Not enabling features needs to be weighed up against the impact of a successful breach, whose financial, reputational and confidence costs may well outweigh the cost of doing it properly in the first place.