Do You Need an Endpoint Detection System?
They’re required by insurance companies, governments, and other companies. So what is an Endpoint Detection System, and does your business need one?
- Resilience Cybersecurity & Data Privacy
- Majority of data security incidents caused by insiders – IT Security Guru
- Why Organisations Need Both EDR and NDR for Complete Network Protection – The Hacker News
- Ransomware Group Bypasses “Enormous” Range of EDR Tools – info security Group
- Endpoint Protection is Key When it Comes to Cyber Insurance – VMware Security Blog
Brian: Hey welcome to the Fearless Paranoia podcast where we try our very very best to make the difficult and complex world of cybersecurity decipherable and understandable to everybody. My name is Brian. I am a cybersecurity attorney.
Ryan: And I am Ryan Matson. I’m a cybersecurity architect.
All right. So we’ve gone through a lot of discussions about understanding basic concepts of ransomware and potential points of attack. And we’ve even touched on some insurance issues. But I’ll take a step back and talk about something that’s been, I think, probably over discussed or overused in cybersecurity and cybersecurity related industries. And that term is endpoint security. Now, historically speaking, the whole concept of security has been the curtain wall and moat defense structure, the idea that the best way to secure yourself is to prevent the bad guys from getting in. However, as history has taught us, a wall can be overcome, a moat can be overcome and external facing cybersecurity can be overcome. So over the past, I’d say 10 years, the focus of a lot of the thought leadership in cybersecurity has been to shift away from the external wall mentality, not as a getting rid of exclusively but making sure that there’s another focus. And that’s sort of on looking outward and looking inward. So Ryan, give us just a basic understanding of what is endpoint security, and how does that fit into the overall basic cybersecurity antivirus anti malware systems defense world?
Ryan: Sure, and you touched on a couple of the important topics right there with anti-malware, anti-virus, but it definitely goes far beyond that when you’re talking to endpoint security. So as the nature of cyber based threats have kind of evolved over the last few decades, you made a great point earlier too: in the past, we’ve always taken the approach of moving these assets, then behind an extremely well hardened perimeter. And we require our users to be allowed permission grant that they’re basically granted access to this VIP area we’ve created, they come in to the perimeter. And then we just kind of assume that once we’re behind that wall, everything is safe. It’s the old fortress approach, right? So you get into the castle walls. And once you’re inside there, you just kind of let everybody have access to the things they need. But as long as that wall stays secure, the assumption was that your threats remain outside that wall and you’re safe, your people are safe, your IP is safe. That’s certainly not the case any longer. When the threat actors started hitting the wall too many times, eventually, the goal was to overcome the defenses, to overcome the wall. You know, funny enough, the Trojan horse approach: you go back to the story of Troy, and I use the wooden horse to bring an army in through the wall. Here, what they do is they just compromised the endpoint. Then now, with that approach that we’ve always taken in the past inside the walls, you let the bad guy in through the wall. Now they’ve got access to, for the most part, your entire network, or at least the portion that the user on that endpoint has access to.
Brian: You brought up something that I think is an important term or concept to kind of understand and differentiate when we’re talking about this. Another one of those buzzwords that has been really popular in the, I’m just going to call them the cybersecurity adjacent fields, the ones that do the business related to cybersecurity, has been zero trust. And just to make sure that we understand what we’re talking about this to everyone listening understand what we say that trust environment. And when you say that trust environment is basically saying, Okay, you have a fortress, you have a door, the door has a lock, the lock requires a key, the only people who have the key are the people who are supposed to have the key. And once that key has been used, the lock has been unlocked, the door’s open, person’s walked through, the existence of a system based on trust means that you accept that when a person has gotten through that door that they have the proper authorization and authority to do so you to walk through that door. Zero trust, which is one of those big new concepts in cybersecurity, is this idea that you shouldn’t ever trust anybody. And so you’re always going to have authentication and verification, you know, set up and running it in place. And so I think that is important to clarify. But finding a small little weak spot and then exploiting that weak spot to gain access through the front door is as good a metaphor as you get nowadays for cybersecurity penetration. So you were talking about the idea of endpoints, and we’re talking about endpoint security, what is an endpoint?
Ryan: Yeah, so an endpoint is actually a really, really big conversation, because and that’s kind of changed over time as well. So endpoint traditionally was looked at as end user devices. And that’s not solely the case anymore, but that’s still a big component of it. So end user devices are going to be your laptops, your desktops, your mobile devices, your tablets, any other device that a user is using to access or connect to some of your resources, some of your assets. Endpoints now has started to encompass, primarily because of the zero trust approach, all of your individual assets that how has any sort of service or any sort of data or anything. So realistically, the endpoint security topic now is all of your user endpoints, all of your servers, all of your cloud assets, all of the individual services under those cloud assets can all effectively at some point be considered endpoints from a network mapping approach. So every workstation is an endpoint. Every enterprise copying machine setup that’s connected to your network is an endpoint. Anything basically has, you know, a computer processor and a physical or wireless connection to your network becomes an endpoint.
And every single one of them has a different approach to providing security to it. Obviously, you’re going to provide a different level of security, use a different tool set and take a different approach to and then use your laptop that’s moving around the world accessing services very frequently to like an office printer, which still could be considered an endpoint because it is accessing a service or providing a service, your users are touching it, your data is flowing through it. But you would certainly take a different style of approach. You’re not going to install a generic anti-malware, antivirus, web proxy on a printer that’s not going to be out browsing the internet. But you might still protect it with things like network segregation, or inbound IP restrictions to limit who can access it, or putting authentication layers on there that you’re connecting out to your core identity providers, things like that, to take that approach.
Brian: You’re listening to the Fearless Paranoia podcast for more information on keeping yourself your family and your company protected against cyber threats, check out the Resilience Cybersecurity and Data Privacy blog. If you’re enjoying this podcast, please like and subscribe using any of your favorite podcast platforms.
Brian: When we’re talking about endpoint security then, especially as being used now, you know, as you hear it discussed now, how is endpoint security, what’s being talked about as endpoint security, how’s it different from the more traditional forms of cybersecurity that individuals and businesses have been using since, you know, the first antiviruses were available?
Ryan: And so again, I think in the past, the point was, you want to cover the 80 plus percent everywhere that you can. And in the past threats were very different. Threats weren’t actively scanning the internet scanning every device looking at all different ports, people weren’t aggregating all of that data to really like define a very clear attack map of the internet of all of its devices, etc. What happened in the past was you would pick up the bad things on your own, usually through activity through behavioral access from your end users. And so one of the biggest problems in the past was a user goes download something from the internet, something from the internet has malware, something in it, and then that impacts your network. And so again, the biggest point in the past was guard the traffic either putting up a web proxy, putting up local anti malware anti virus on the endpoint, and that took care of the majority of the threats that were coming at your business nowadays, that’s expanded a lot nowadays, again, there’s active scanning everywhere on the internet, there’s lots of new zero days popping up very frequently. So your application has turned into a big hole, your perimeter devices have turned into potential big holes, there’s just this huge landscape that has kind of come to light in the last I’d say probably 10, or even less years, that has really made it so that the endpoint is while an important piece of the conversation. It’s definitely not the only piece of the conversation. However, because that is where most of our end user activity lives. And end users tend to be unfortunately, and I apologize to all your end users out there that are on computers and stuff, but you guys tend to be the largest weakness and are easily the most exploitable weakness on the internet. 
And it’s not by the nature of anyone doing anything malicious, or being careless or anything but social engineering and phishing are like 80 to 90% of the way that most company level intrusions, or most DLP or most malware distribution events really start is from convincing a user to interact in some fashion that will trigger what they needed to trigger because again, a lot of endpoints and a lot of perimeters tend to be quite secure from a systematic approach. So like your average laptop, if you’re out on the internet, you’re on your company laptop, chances are I can probably touch your laptop in some way you’re building an internet connection you have an IP address I can probably get to you. The problem is that most companies have like those resources locked down pretty tight on laptops. So I won’t be able to do much with your laptop until you give me the okay to do it. So really then at that point, if I want to compromise your laptop, the hardest approach to do it would be to find a zero day find some way to actually penetrate the laptop, old school hacker style, the easiest or at least Hollywood hacker style. Well, exactly. The easiest way to do it nowadays is to craft a really great looking email that says, hey, somebody tried to access your Wells Fargo account. We’re writing this to tell you that we’ve mitigated the attack, please log in here to validate that everything’s okay with a nice big login button going to Wells Fargo XYZ don’t click on me.com and all of a sudden bam, they click there. This website pops up that looks really like a Wells Fargo login page. You pass through your username, your password, my site takes that passes it right through to Wells Fargo and then redirects you right there. So now you’re actually logged into their site. But in doing so you gave me all your credentials. 
And that’s just one real basic chain of like how these small little events of trying to, you know, work the end user into doing something that you want them to do is really kind of the primary entrance point and tends to be the path of least resistance. For most of these. Nowadays, endpoint security is an important topic because again, that’s where most users start their interaction.
Brian: So the next step and discussion is discussing with endpoint security management and endpoint detection and response. A basic antivirus that’s run by a company on all of their workstations technically qualifies as endpoint security. But what we’re now really looking more at is a security system that evaluates what the activity that’s happening in the system. And based on that activity detects malicious access. One of our favorite movies, Hackers, is in the discussing is that “there’s one user account online and there’s enough workload for 10 users, I think we got a hacker” is a perfect example of basic endpoint security in that they are evaluating the endpoints and determining whether or not the activity is consistent with what they expect that endpoint to be. But that is also very basic. And also, since that movie came out in 1995, very old notion of endpoint security. How are the modern endpoint security solutions different? What have they built upon or built on to that basic approach?
Brian: So endpoint security comes down to not just solutions, but it comes down to just sheer visibility, like you pointed out, you have no idea what to prevent or what’s even happening on your endpoint unless you have full visibility over the endpoint. So to me, the biggest critical piece of endpoint security isn’t, isn’t even having expensive tools that are doing all these really cool things. Nowadays, it’s just gaining that visibility and finding a way to make use of that visibility. So layered approach is really 100%. The answer to endpoint security nowadays, because again, any vendor that comes to you and tells you, hey, I’ve got this tool that’s going to solve your endpoint problems, they’re either lying to you, or they’re giving you a percentage of the story. But a lot of these tools have come a long way. So back in the day, we were using things like the Avast, and the AVG Free and those kinds of things, you know, Microsoft Security Essentials to protect our workstations. And again, that’s great from average malware, average Trojan, stuff like that. But all of that’s all detection based, which means those tools are only as good as the detection libraries that are being shipped out by the companies that run them. So if they fall behind, and nowadays, most of them fall behind quickly, we see the prevalence of zero days popping up nowadays on the market, which means the attackers have started to get in a pretty solid cadence ahead of the detectors or the defenders to such a point where they’ve had to rely on other things to stay on top of being able to attack these. So you can’t just rely on detection, because again, a detection will come to you over time somebody reports it, they see weird activity in their network, they report it to all these big vendors, they incorporate it into their tools, and then eventually you build a detection for it and it goes out. But that’s too slow. For a lot of the attacks. 
Nowadays, they’ve had to really get into heavily leveraging things like artificial intelligence, machine learning, holistic analysis, to start to look for not just behavior that is known bad, but behavior that looks potentially malicious because of what it’s trying to do: spawning different child activities as root, trying to elevate privileges in a spot where it shouldn’t need to, trying to write or pull data from areas where it hasn’t asked for previous permissions to, things like that, that look inherently out of bounds or anomalous to a program like that, so that it can start flagging those. And a lot of times it won’t mitigate those immediately. But it will take that activity, send it back to their center. So they can have people kind of fiddle through it and identify is this something truly malicious that we want to start building detection for so we can identify maybe a new attack behavior or something that’s on the market. So those antivirus, anti-malware, EDR, SDR solutions are kind of moving in that direction. But again, getting back to the point of visibility too, those aren’t nearly enough. So like in the enterprise level, now, we do have an SDR solution out there on all of our workstations, all of our endpoints that we use, that is really pretty good at catching a lot of the things that happen there. But we also have web filtering technologies in place like a web proxy to make sure our users aren’t getting to sites that are known bad that we can really have heavy control over that. So we’re not just defending the stuff that they touch and try and bring in, we’re just preventing them to get from getting to it in the first place, which also helps.
But to me, one of the biggest keys to maintaining endpoint security is visibility, having like a SIEM, security incident and event management, source where we’re not just defending the endpoint, but we’re taking all of the logging that’s occurring on the endpoint, every event, every activity, every whatever, and we’re shipping it back to a centralized place so that when something does get past one of these other many, many layers we have of defense, we can look through everything else that’s occurring on the machine, and we can just write off all the stuff that we know is known behavior, expected behavior, and then we can take a look at what’s left and say, is this just other behavior that totally benign, or do we have something here that is starting to look interesting that we’d like to either investigate for see if more of it exists or find a way to start remediating and shutting it down if we do see that it is getting far enough out of bounds or it looks inherently malicious.
Brian: I think what you discussed at the beginning, there was, I thought, pretty important the idea of a layered approach to security. I know I’ve read recently that of three of the top selling endpoint detection response systems out there are all easily beaten when targeted, specifically. And that’s, you know, simply because they do a certain thing, they look for certain things. And by adjusting the attack to fit within the parameters of those systems, they can easily be bypassed. And the important concept there is that endpoint security can’t be the only part of your security, you need to make sure that you also have your siloed approach to data, you want to make sure that people who have authorization, even high level authorization for certain data, if they don’t have high level authorization for data in other compartments of your business, that that authorization doesn’t extend beyond what they need to prevent lateral movement through your system, even with high access and high authority. Very important approaches like that what you were discussing, as I’m sitting here, listening sounds like I’m picturing, you know, the inside of Mission Control or the Launch Center at NORAD, while I’m watching all of this, all of these people tracking all of this information, testing certain access events and use and that’s being sent back to a central location to be analyzed and discussed. And to determine whether further action is required for small businesses out there. 
What are we looking at for an expense, you know, for something that’s worthwhile, one of the troubling things that I’ve seen recently is that cyber insurance carriers have been requiring endpoint security software, I always get nervous anytime insurance companies require a specific approach, because a, it’s a giant red flag for anyone trying to defeat that system of what exactly they’re going to need to defeat, but because it creates this static idea of what is necessary, and it leaves a relatively low bar to clear and as long as you clear that bar, you’re okay. And I feel like it creates a very false sense of security. So what really should small businesses be looking to do and to spend to accomplish this?
Ryan: So you had very important topics right there and it goes back, and I’m going to tie in a little bit of that zero trust conversation again, too, because that really is going to be one of the best methods, and it may take a little bit of time to set up, it may take a little effort to set up. But in the end, it’s gonna be one of the lowest cost methods to being able to keep a lot of your stuff safe. Back to our castle approach, again, if the wall’s not good enough, once you breach the wall, you’re inside. Taking more of that zero trust approach is, well, now my castle has taller walls, I now have cameras on the outside of my walls, a centralized person who’s watching those cameras, who’s really paying attention to the visibility of what occurs outside. And we’ve set up internal doors on every entranceway inside the castle, every doorway, every arch, whatever, that has a different independent level of authorization required to go through that doorway. So now it’s not just free rein, once you get in the walls, it’s free rein up until you hit a door with something important behind it. And then you need to authenticate again. And that passes through, you know, the AAA structure, again, to make sure that you are authenticating, that it’s auditable, that you are actually allowed to have access to it. So it’s not just a “Hey, I’m Ryan,” it’s, “Hey, I’m Ryan, and I’ve got access to this door.” And now there’s going to be an audit log that somebody can go back and see that I have access to the store and that I had the proper access to get through there.
Brian: I’m just picturing Patton Oswalt in a lanyard right now. So getting back to what’s important for the average small to middle sized business, who maybe doesn’t have the budget that some of the huge enterprises have that are really digging their heels in deep on cybersecurity nowadays, and how it relates to the insurance conversation.
Ryan: So yes, I do agree, I think so. Insurance is, insurance is trying to mitigate responsibility, mitigate liability, and they want to make sure that they’re covering their bases on what they’re responsible for in the case of a major impact.
Brian: So when they start making mandates, but in addition to that they have a vested interest in making sure that their insureds don’t get hacked, because they don’t want to spend the money if they don’t have to. And even if they try to get out of spending money, that costs money in itself, so they want you to be secure. They’re not recommending something because it’s bad. It’s almost that it becomes the problem once they make it mandatory because of the message that making it mandatory gives.
Ryan: Well, so the nice part is that the things that they’re mandating too, are they’re mandating old standards is where I’m going to start from too. So stuff like EDR. EDR is not something that they’re just mandating because they should, they’re mandating because that’s a 20 year old, 30 year old conversation. If you’re on the internet nowadays, and you don’t have an antivirus solution or something running on your PC, you are inherently at risk, and you’re inherently at risk by old things, you are inherently at risk by the old malwares that are just floating by drive by on the internet that every EDR solution has fingerprinted and stops just by default without even reporting it to you because we’ve known about it for so long. It just, it’s on the radar, but if you don’t have even that basic level of protection, you’re walking out in the snow and the ice with no shoes and no socks on. I mean, you’re gonna get, you’re gonna get frostbite. I mean, it’s just that kind of basic, basic thing. The problem is that you’re right, the mandate does provide a certain level of, well, they’ve only mandated we check these three boxes. So once we check these three boxes, then we’re good from the insurance standpoint, we’re done doing cybersecurity for the year, now we walk away and go back to business as usual. And you’re right. That’s a, it’s a terrible approach. Because again, insurance is trying to protect their interests, which include your safety, because again, that costs that money if you are inherently unsafe, but a business needs to look at it slightly different. They don’t just want to look at staying generally safe per the insurance standards, you need to do proper risk assessment of your business, you need to identify what’s important to you, how much is it going to cost to you? How are you going to deal with some of these other big prevalent issues if they occur? Like, yes, an insurance company may come and cover you if you get ransomware.
But to what extent and what’s that going to mean when you come out of the back end of that. And so there’s many, many other layers that kind of need to be considered beyond those basic insurance mandates when it comes down to stuff like business continuity, disaster response, incident response that aren’t going to be covered by those kinds of few basic checkboxes that insurance requires. And I think that insurance will continue to mandate more and more things as the years go by, because they’re gonna take and put in mandates for bare minimum standards that they consider because they know that without those bare minimum standards, you are inherently at risk at a point where you will be compromised nowadays.
Brian: You’re listening to the Fearless Paranoia podcast. We’re here to help make the complex language of cybersecurity understandable. So if there are topics or issues that you’d like Ryan and I to break down in an episode, send us an email at email@example.com or reach out to us on Facebook or Twitter. For more information about today’s episode, be sure to check out Fearless Paranoia.com. We’ll find a post for this episode containing links to all the sources, research, information that we have cited to you. And also check out our older posts and podcasts as well as additional helpful resources for learning about cybersecurity. Now, back to the show.
Brian: So for small businesses out there, what are the things for a modern and effective endpoint solution? What do they need to have what is essential? And what features and options would you say are must haves?
Ryan: I say that the few biggest things if you want to get quick wins on the endpoint security space, make sure that you have an endpoint anti-malware solution and you have a decent one running. So if you’re running Windows environment, make sure you at least bare minimum have Windows Defender running. Windows Defender has moved into the space as a top notch, top tier solution. Granted, it only gets better if you get into the Office licensing and the Microsoft licensing and get into like their ATP, their higher level solution. But even the core Defender will block a lot of the basic stuff on the internet. Otherwise get into a tool like I said, No one or even like, I hate saying their name, but McAfee, any of these other solutions that, CrowdStrike would be a really great solution to get into. Have something in that space on your workstation. To the extent that you can take away user admin rights on their workstation, please, for the love of God, just do it and do it now. And you will survive without it. Web proxy technologies, if you can afford it, stuff like a Cisco Umbrella as the scale or something like that would be a phenomenal approach. Again, those tend to be very expensive. So that comes down to who’s got budget and who doesn’t. Most places I found don’t have the budget yet.
Brian: In a situation like that where you have where like he describes most small businesses don’t have in their budget to handle this kind of thing. Is this a situation where it’s better to get a discount version, there are plenty of situations I can think of where getting a second tier version is not better than nothing that sometimes they can, you know, through various methods, including just lulling you into a false sense of security be worse is this situation where you know, if you can’t afford the best you can afford Cisco is going with more discount option, still a better than better than nothing?
Ryan: No, I don’t think so. I think going to a discount option is probably just going to kind of set you up for a false sense of security in the future. To me, if you can’t afford really broad endpoint security solutions, what you should do is you should find a way to centralize your endpoint traffic instead, then, and what I mean by that is driving it in through like a VPN style solution or something where you’re bringing that traffic in through your environment where you can have a corporate level firewall or something that can act as that funnel point to watch that traffic, to monitor that traffic, which has been a real big challenge since 2020, when we hit the COVID era, modern computing, where all of a sudden, everybody instead of being in an office where you’re behind that perimeter, and we can watch your traffic as it goes, you know, in and out the gate and we can pull the portcullis down if we need to. And we can slam shut the, you know, slam shut the castle. Once your knights and your peasants and everybody are out in the fields outside the walls, they’re only as secure as you’ve made them. With a small set of guards out there, they’re probably fine on their own. They’re susceptible to whatever threats may or may not find their way into your environment. So I would say that rather than go cheap, go smart instead. So if you can’t feasibly or financially monitor your endpoints to that level, or take away your users’ admin, I’d say if you can’t do that, centralized is to me the big piece where you can centralize it through a single point rather than secure thousands, potentially, of endpoints.
Brian: Yeah, there’s one other big aspect that I do want to discuss on this and I think what we’re gonna have to do is we’re gonna discuss it in a later episode, into the question if this idea of artificial intelligence and machine learning, obviously, the idea of having new information come into the system and affecting how the system works is a core principle of any machine. That’s how efficiency have more information into the system produces a better result. So one of my biggest concerns with endpoint security systems is this idea of artificial intelligence, machine learning, that becomes more of a sales pitch. And so you have to start wondering about what it really means. So the next time we discuss endpoint security is going to be on how to separate the bullshit out from the legit, you know, when you’re hearing all these claims of “we use AI and machine learning to improve our security.” But we’re out of time for this episode. And we will come back to this topic in a later episode. The discussion of endpoint security as an essential aspect, but not the only aspect, of your company security is a very important one. We hope you learn something from this episode. And we hope you also were able to fully visualize the medieval village metaphor that Ryan just gave that I think is very appropriate and probably could have been taken on multiple story routes that we just didn’t have time for. Thank you for joining us here on Fearless Paranoia. On behalf of Ryan, I’m Brian. We’ll see you next time.
©2022 Fearless Paranoia