Endpoint Protection | First line of defense against Cyber Attacks

Ransomware attacks are currently a very popular method to extort money from companies. After a successful ransomware attack, one or more systems are encrypted. Victims are prevented from accessing their data until they “pay up”.

After paying up, victims receive a decryption key that makes the data available again. However, this doesn’t guarantee that all data is usable again. In some cases, aggressive encryption partially destroys or mutilates some of the data, so it remains damaged even after decryption. Because payment doesn’t guarantee the full availability of data, investing in a good defense (prevention) is better than investing in paying up (reaction).

First line of defense

One of the basic steps you can take to protect your systems against outside cyber threats is Endpoint Security. Endpoint security is a well-known concept in the cybersecurity world but is unknown to a lot of people outside it. Setting up a good Endpoint Security system is a great first line of defense against malicious software attacks like ransomware.

With Endpoint Security, you defend your Endpoints. An Endpoint is any device that is connected to your corporate or home network from outside its firewall. A firewall is a network security device that monitors incoming and outgoing network traffic and determines which traffic is allowed or blocked based on a defined set of security rules. Examples of endpoint devices are laptops, tablets, mobile devices, Internet of Things (IoT) devices, Point-of-sale (POS) systems, digital printers, switches, and all other devices that can communicate with your central network.

Every Endpoint can be an entry point for an attack, and the number of Endpoints is increasing rapidly. In some cases, people don’t even realize that new Endpoints are part of their network. Internet of Things devices are a good example of this.

Nowadays businesses of all sizes (both corporate and Small Offices/Home Offices: SOHOs) are attractive targets for cyberattacks. This means that good Endpoint Protection is very important to arm yourself against these attacks. It might be challenging and it will cost you an investment in both software and training, but the benefits heavily outweigh the damage a company or a person suffers in case of an attack.

If you run a private network at home, setting up a full Endpoint Protection System is not required. Having state-of-the-art Antivirus Software and having a vigilant approach (both yourself and the people that use your home network) towards outside cybersecurity threats should be sufficient.

How does Endpoint Protection work?

Endpoint Protection is a centrally managed security solution that is used by people and organizations to protect Endpoints like servers, workstations, mobile devices, IoT devices, etc. from cybersecurity threats. Endpoint solutions examine files, processes, and system activity for suspicious or malicious signs.

In the case of organizations, system administrators can connect to a centralized management console from which they can connect to their enterprise network. After connecting with this management console, they can centrally monitor, protect, investigate and respond to incidents. This can be done by using an on-premise, hybrid, or cloud solution.

On-premise management

Traditionally, on-premise security has been very popular. In this setup, security services are delivered from a locally hosted data center. This local data center is the hub from which the management console connects with all the Endpoints through an agent to provide security. This way, security silos can be created. A security silo is an isolated point in a system that is segregated from other parts of your system architecture. This is necessary because system administrators can typically only manage a limited number of Endpoints: those within their pre-defined perimeter. Perimeters that are stretched too far put time constraints on the system administrator. This is not advisable, because a system administrator then has to make choices and can’t be fully thorough.

In very small system architectures, silos are not required: system admins will then be able to monitor the full system. However, always assess whether the system administrator’s span of control is being overstretched.

Hybrid and cloud management

Nowadays, with the globalization of workforces and the pandemic-driven shift to working from home, many organizations have switched to laptops and bring your own device (BYOD). The use of desktop devices attached to a fixed corporate network has been reduced because of this switch. Personally, I don’t think that the world is going to change back to the old situation after this pandemic (but that’s a philosophical discussion for another time). Because of these new developments, the classic “On-Premise” approach has to be adjusted and new Endpoint Protection strategies have to be set up.

Endpoint Protection solution vendors have shifted in recent years to a “Hybrid” approach. By taking the old (On-Premise) Endpoint Security architecture and retrofitting it for the cloud, additional cloud capabilities are added that help system administrators monitor their full network, including the external devices that are not directly connected to the on-premise network.

In addition to the hybrid solution, there is also a full “Cloud-native” solution. This solution is fully built in the Cloud and suitable for Cloud systems. System administrators can remotely monitor and manage Endpoints through a centralized management console that is set up in the cloud and connects to remote devices through an agent on the Endpoint. When connected to the internet, this agent works fully together with the centralized management console. When not connected to the internet, the agent can work independently. This solution takes security performance beyond the traditional on-premise solution, removing silos and expanding the reach of a system administrator. In addition, it is also far easier to outsource Endpoint Protection to an external party.

User awareness and reporting incidents

Although technological solutions are key in a strong defense system, training employees is even more important. Most successful attacks still start with social engineering. Continuous awareness training programs for employees mitigate the risk of becoming a victim of social engineering attacks. This significantly reduces your risk exposure, but it can’t be completely prevented. In addition to this, you should create a culture of trust that gives an employee the opportunity to report clicking on a suspicious link (for instance) without repercussions. If you create a culture of penalization, people won’t report incidents. Reporting incidents is important because a security team can immediately start with threat containment actions once an incident report is received. If employees are afraid to report incidents because they can be penalized, no threat containment can be started. Creating an open incident platform where people are comfortable reporting all incidents is key in your first line of defense.

Endpoint Protection Software vs Antivirus Software

Endpoint Protection Software protects all your endpoints against outside breaches: both physical and virtual, on- and off-premise, in data centers or in the Cloud. Endpoint Protection Software is installed on laptops, desktops, servers, virtual machines, as well as on remote Endpoints themselves.

The difference is that Antivirus Software is only a part of a full Endpoint Security solution. It is one of the most basic forms of Endpoint Protection. For Small Offices/Home Offices (SOHO) and for private networks (private persons), Antivirus software is sufficient (as previously discussed). Instead of using more sophisticated/advanced techniques, such as threat hunting and Endpoint Detection and Response (EDR), Antivirus Software simply scans for and removes viruses and other types of malware. Traditionally, Antivirus Software runs in the background and periodically scans a device’s content for patterns that match a database of virus signatures. Antivirus is installed on individual devices inside and outside a firewall.
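As an added illustration of the distinction drawn here (example code, not from the original post), the Python below contrasts a signature check, as a classic antivirus engine performs it, with an EDR-style behavioral rule that flags a process mass-renaming documents, the activity pattern a ransomware run produces. The signature database, byte pattern and telemetry events are all constructed for this example.

```python
import hashlib
import os
from collections import defaultdict

# Constructed "signature database": a SHA-256 of a known-bad file and a byte pattern.
# Both are made up for this example and are not real malware signatures.
KNOWN_BAD_HASHES = {hashlib.sha256(b"CONSTRUCTED_KNOWN_BAD_FILE").hexdigest()}
KNOWN_BAD_PATTERNS = [b"CONSTRUCTED-BAD-MARKER"]


def signature_scan(contents: bytes) -> bool:
    """Classic antivirus check: match the file hash or a byte pattern against the database.
    A never-seen-before sample matches nothing and passes."""
    if hashlib.sha256(contents).hexdigest() in KNOWN_BAD_HASHES:
        return True
    return any(pattern in contents for pattern in KNOWN_BAD_PATTERNS)


def behavioral_scan(events, threshold=5, window=10.0):
    """EDR-style check over process telemetry: flag any process that renames at least
    `threshold` files to a different extension within `window` seconds (sliding window)."""
    rename_times = defaultdict(list)
    for e in events:
        ext_changed = os.path.splitext(e["src"])[1] != os.path.splitext(e["dst"])[1]
        if e["action"] == "rename" and ext_changed:
            rename_times[e["pid"]].append(e["ts"])
    flagged = set()
    for pid, times in rename_times.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop events that fell out of the window
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(pid)
                break
    return flagged


def sample_events():
    """Constructed telemetry: pid 4242 renames six documents to .locked in ~2 seconds,
    pid 1001 is a normal editor renaming one file and writing to it."""
    ransom = [{"ts": 100.0 + i * 0.4, "pid": 4242, "action": "rename",
               "src": f"docs/report{i}.docx", "dst": f"docs/report{i}.docx.locked"}
              for i in range(6)]
    normal = [{"ts": 100.0, "pid": 1001, "action": "rename",
               "src": "notes/todo.txt", "dst": "notes/todo.md"},
              {"ts": 105.0, "pid": 1001, "action": "write",
               "src": "notes/todo.md", "dst": "notes/todo.md"}]
    return ransom + normal
```

Note that the unseen ransomware binary itself passes the signature check, while its behavior is what the EDR-style rule catches.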

Final thoughts

With the increase in the number of home offices/flex workplaces outside a traditional corporate network, I think an On-Premise solution isn’t sufficient for any company anymore. In case a company still has an On-Premise-only solution, I would advise transforming its Endpoint Protection architecture into a Cloud Endpoint Protection architecture. A hybrid solution can be an “in-between step” if an immediate transition is too big to take right now. In the end, a full Cloud approach is the only way to go in my opinion, especially because our technological advancements are completely focused on Cloud-based solutions.

I’m sure many companies still use an On-Premise solution while not realizing that there are also Endpoints (like laptops) that are not properly protected. Cybercriminals know this as well and will target these companies first, because these companies have the highest vulnerability rate. Because of this, the rate of successful cyberattacks is much higher for them than for a company with a state-of-the-art Endpoint Protection platform in the cloud, protecting all Endpoints.

Finally, don’t forget that good protection is only as strong as its users. Make sure to train your people and yourself. Not once a year, but structurally, in combination with attack simulations (penetration tests and simulated phishing attacks). This way you will be able to identify the weakest links in your organization and reinforce them.

Feel free to contact me if you have any questions or if you have any additional advice/tips about this subject. If you want to stay in the loop when I upload a new post, don’t forget to subscribe to receive a notification by email.

Gijs Groenland

I live in San Diego, USA together with my wife, son, and daughter. I work as Chief Financial and Information Officer (CFIO) at a mid-sized company.