You Can’t Protect What You Can’t See: Gaining Visibility in Endpoint Security

By Tsailing Merrem | June 12, 2018

Enterprises have always leveraged technologies to gain a competitive edge, and the current digital transformation underway has led to unprecedented network expansion. This increased complexity can result in losing visibility into new attack vectors and exploits targeting devices and services running across the network. This has been especially challenging with regards to endpoint and IoT security. Modern networks have become accessible to a myriad of endpoints, including user devices and smart, connected devices (IoT) accessing corporate resources. Additionally, many of these endpoints may not be 100% owned and controlled by the enterprise. In the case of IoT or headless devices, even those that are corporate-owned, IT may not have control over their firmware, compounding the challenge of tracking their levels of security or compliance with corporate security policies.

To ensure these connected devices are identified and accounted for from a risk perspective, IT teams must deploy security controls that allow them to be discovered, assessed, and continuously monitored within the security context of the network.

Threats Posed by Endpoints

While corporate networks and their resources have traditionally been secluded from outside users, they are increasingly becoming accessible to non-corporate entities, because employees, partners and customers demand access to data and conduct transactions from outside locations using a growing array of devices. Those devices, growing in both volume and sophistication, now consume a larger percentage of your total network bandwidth, and this trend will only continue: an estimated 125 billion connected devices are predicted to be in use by 2030.

As a result, connected devices have become a prime target for cybercriminals, who infect IoT and endpoint devices with malware designed to evade detection and then move laterally across the network. The most common method for such attacks is to exploit application vulnerabilities, often through a phishing attack: getting a user to click on a malicious link or attachment in an email. While zero-day exploits may grab headlines, the majority of successful attacks actually target known, unpatched vulnerabilities. The concerns about expanding risks are warranted, as our Threat Landscape Report for Q1 of 2018 reported detecting 15,071 different malware variants and 6,623 unique exploit detections actively operating around the world.

Lack of Visibility into Endpoint Security

To ensure that endpoint devices cannot be exploited as unauthorized network entryways, security teams need visibility into who a device belongs to, when it was last updated, what its current security status is, and what potential risks it is introducing. After all, you can’t protect what you can’t see. However, achieving this degree of visibility has traditionally been a challenge for four key reasons:

1. Lack of IT Ownership

Many of the endpoints connecting to corporate networks today are not official corporate assets. Because IT teams do not own these devices, they cannot easily assess or monitor them to ensure they receive necessary updates and patches. This not only leaves them susceptible to threats, but also makes them a largely unknown threat vector affecting the security of the entire network.

2. Device Mobility

Mobility is another primary challenge to visibility. Endpoint devices used to be corporate-owned assets secluded inside the corporate firewall. Now, mobile users and roaming devices use a wide array of applications to connect to corporate resources, access corporate data, and conduct transactions. And increasingly, they don’t have to be connected to a VPN to access physical or cloud-based resources. According to a 2017 Ponemon Institute report, entitled “The Cost of Insecure Endpoints,” the fact that these devices spend a majority of their time connected to non-corporate network resources significantly reduces IT’s visibility. In fact, two-thirds of IT professionals admit to not having visibility into endpoints that regularly connect to the network when those endpoints operate outside of that network.

3. Shadow IT/Shadow IoT

It is simple for employees to install and run traditional and cloud-based applications from their personal phones and computers, and even on the corporate-owned assets assigned to them without going through IT channels. If security teams don’t have visibility into all of the programs running on these devices, they cannot ensure that necessary controls are in place to mitigate resulting threats or control the distribution of data and other corporate assets.

4. Isolated Endpoint Security Solutions

Historically, endpoint security has been considered separately from the broader network security strategy, often falling under the purview of the desktop team rather than the security team. However, as endpoints become an increasingly integral component of the extended network ecosystem, this approach not only limits visibility but also cuts endpoint controls off from important threat intelligence, hindering the ability to evaluate the security level of a device and to take the necessary, automated steps in the event of a compromise.

Mitigating the Endpoint Threat

To take advantage of the business benefits that connected devices provide, while minimizing security risks, organizations must establish deep visibility into each device accessing the network. This allows organizations to evaluate the level of risk associated with each endpoint and take steps to minimize that risk.

Getting sufficient visibility into each endpoint must be done in several stages, each of which provides different information:

Discovery

During this initial phase, organizations must determine key identifying features of the network, including all connected end user and IoT devices. This includes knowing every person who has access to the network, the types of devices that are connected, the operating systems and software that are installed, and any unpatched vulnerabilities. And this process must be continuous, as the highly mobile and often temporary nature of endpoint and virtual devices means that the threat landscape is constantly changing.

Assessment

From the moment a device connects, the device and threat intelligence gathered about it must enable organizations to automatically determine, using a risk scoring matrix, the device’s level of security, the risks posed by that endpoint, and what additional associated risks may arise while it remains connected. From there, teams can determine how to remediate those risks.

Continuous Monitoring

Once initially identified threats are mitigated, endpoints must be continuously monitored to ensure they continue to meet security compliance requirements and that they do not become infected. This includes collecting and sharing threat intelligence gathered from each device with the rest of the network’s security controls in order to add an additional layer of protection and response across the distributed network.
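As an added illustration (not code from this article or from Fortinet’s products), the following Python sketch walks a constructed endpoint inventory through the three stages above: the inventory stands in for discovery, `risk_score` applies an assumed risk scoring matrix whose weights map to the four visibility gaps described earlier (ownership, mobility, shadow IT, unpatched vulnerabilities), and `monitor` re-assesses a device to catch posture drift. All weights, thresholds, device records and the approved-application list are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed risk-scoring matrix: each visibility gap the article lists adds points.
RISK_WEIGHTS = {
    "unmanaged": 30,            # not an IT-owned or IT-controlled asset
    "stale_patch_per_30d": 10,  # per 30 days since the last update
    "per_known_vuln": 15,       # per known, unpatched vulnerability
    "roaming": 10,              # mostly connected outside the corporate network
    "per_unapproved_app": 5,    # shadow IT: software not on the approved list
}
REMEDIATE_AT, QUARANTINE_AT = 40, 80   # constructed decision thresholds
APPROVED_APPS = {"mail-client", "vpn-client", "office-suite"}  # constructed

@dataclass
class Endpoint:
    owner: str
    managed: bool
    last_patched: date
    known_vulns: int
    roaming: bool
    installed_apps: set = field(default_factory=set)

def risk_score(ep: Endpoint, today: date) -> int:
    """Assessment: combine the discovered attributes into one score."""
    score = RISK_WEIGHTS["unmanaged"] if not ep.managed else 0
    score += ((today - ep.last_patched).days // 30) * RISK_WEIGHTS["stale_patch_per_30d"]
    score += ep.known_vulns * RISK_WEIGHTS["per_known_vuln"]
    score += RISK_WEIGHTS["roaming"] if ep.roaming else 0
    score += len(ep.installed_apps - APPROVED_APPS) * RISK_WEIGHTS["per_unapproved_app"]
    return score

def decision(score: int) -> str:
    """Map a score to the access decision the network should enforce."""
    if score >= QUARANTINE_AT:
        return "quarantine"
    return "remediate" if score >= REMEDIATE_AT else "allow"

def monitor(ep: Endpoint, today: date, previous: str) -> tuple:
    """Continuous monitoring: re-assess and flag whether the posture changed."""
    current = decision(risk_score(ep, today))
    return current, current != previous

# Constructed sample inventory, as the discovery stage might report it.
TODAY = date(2018, 6, 12)
SAMPLE_INVENTORY = [
    Endpoint("alice-laptop", True, date(2018, 5, 20), 0, False, {"mail-client"}),
    Endpoint("byod-phone", False, date(2018, 3, 1), 2, True, {"mail-client", "sync-tool"}),
    Endpoint("field-tablet", True, date(2018, 4, 1), 1, True, {"vpn-client"}),
]
```

Running `monitor` on each inventory entry at every connection (and on a schedule while connected) is what turns the one-time assessment into the continuous check the section calls for.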

These integrated, automated, and continuous security measures call for a reform in the way endpoint security has historically been done. As networks continue to be inundated with connected devices, they require endpoint controls that can automatically integrate with other security solutions deployed across the network in order to effectively share intelligence and maximize protection.

These capabilities will be increasingly crucial as we adopt the next generation of endpoint controls. In fact, 19 percent of IT security professionals state that the limited integration and automation offered by current security solutions leads to manual processes, which simply cannot keep up with the speed of modern attacks.

FortiClient from Fortinet, however, is designed to meet all of these needs, offering automated threat intelligence across a myriad of devices combined with deep integration with the rest of your security ecosystem.

Final Thoughts

Organizations cannot secure against the threats posed by endpoints without clear visibility into exactly what is present on the network. Implementing an integrated and automated security solution allows IT teams to discover, assess, and monitor endpoints to ensure security and compliance.

Your approach to endpoint security must evolve to keep up with today’s security challenges. Read the white paper to learn why traditional endpoint security cannot protect your network and what is required instead.

For more reading, our paper on “Covering the Gaps in IoT Security” provides details on the security risks of IoT and what organizations can do to address them.