You may be surprised by how many endpoints are currently in your organisation. Companies with over a million connected endpoints are increasingly common, and as we add more network-connected devices, it will grow.
Today you may have Apple OS X or iOS devices, Android, proprietary IoT operating systems and various flavours of Linux to contend with. Devices will also end up connected to your systems via other devices you may not have considered: switches and routers, process control equipment and dedicated consumer-facing devices such as point-of-sale terminals.
Segmenting endpoint risk into clear categories lets you group endpoints, software and users by what they have in common; for each category you can then define an effective mitigation strategy.
Users and their interaction with endpoints
To your average endpoint user, security is an inconvenience rather than an asset. If the user has direct control over their personal endpoint device, they may well deliberately disable security protection measures or defer vital updates to avoid disruption. Even if the endpoint is company-owned and subject to good management practices, privileged user accounts are often necessary for the user to perform their job function (e.g. software development or maintenance). These privileged accounts may mean that malware inadvertently introduced by the user can access other sensitive information on the endpoint and then ‘pivot’ to attack your corporate infrastructure itself.
Ensure you can monitor effectively
People assume that a million devices lead to a million risks, which explains the rise in popularity of endpoint detection and remediation (EDR) tools, which aim to simplify the task of protecting and managing endpoints at scale. It is vital to own a tool that can monitor your environment in every relevant dimension. This includes not just a definitive, up-to-date picture of hardware and software inventory, but real-time information on network traffic flows and potential anomalies. Without good management tools, you have no baseline on which to build. You may think that you already have good endpoint detection tools. But do those tools track per-user installed software? Older EDR solutions often have architectures that pre-date the mobile and cloud revolutions, leaving you with blind spots in which significant vulnerabilities can remain unpatched.
Use virtualisation creatively
If a physical endpoint can’t be fully locked down, consider using virtualised guests within endpoints. With the overhead of virtualisation minimal on modern hardware, even laptops or other relatively modest devices can now easily support these environments. You can then lock down the virtualised guest much more easily, since you’re dealing with standardised images and can restrict the device owner’s rights within the virtualised environment without constraining their control of the physical device itself. In the event of endpoint compromise, you need only roll back to a previous checkpoint of the virtualised image to remove all traces of compromise from the guest (provided the checkpoint predates the compromise), which is far easier than cleaning up the physical device itself.
Encrypt all the things
By ensuring that the virtualised environment is fully encrypted, you also ensure that sensitive corporate data is protected. Your system management tools should allow you to continuously scan for unencrypted storage and ensure that risky endpoints (e.g. mobile devices) are always encrypted. If the device is lost or stolen, the sensitive information it contains will remain protected.
Partition your network
The best approach is to rigorously partition IoT devices within corporate networks so that they are never connected directly to a vulnerable internal network. Again, good system management tools can constantly scan for indicators such as MAC address prefixes (OUIs) associated with IoT manufacturers, allowing you to monitor your network proactively and spot devices that have landed on the wrong segment.
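As an added illustration of the OUI-based scan described above (example code written for this page, not a tool from 1E or any vendor), the following script checks a constructed ARP/DHCP-style inventory against a constructed table of IoT vendor prefixes and flags IoT devices that sit on a corporate VLAN instead of the IoT segment. The OUI values, VLAN names and inventory lines are all made-up placeholders; it also skips locally administered (randomised) MAC addresses, for which the OUI identifies no vendor.

```python
import re
from collections import namedtuple

# Constructed OUI (first three octets) to vendor mapping, purely illustrative;
# a real deployment would load the IEEE OUI registry or a curated vendor list.
IOT_OUIS = {
    "00:11:22": "ExampleCam (constructed)",
    "A4:BB:CC": "ExamplePOS (constructed)",
}

# VLANs where IoT gear is permitted; anything else is treated as a corporate segment.
IOT_VLANS = {"iot-200"}

# Constructed ARP/DHCP-style inventory lines: "<ip> <mac> <vlan>".
SAMPLE_ARP = """\
10.10.1.15  00:11:22:33:44:55  corp-10
10.10.1.16  de:ad:be:ef:00:01  corp-10
10.10.200.7 a4-bb-cc-01-02-03  iot-200
10.10.1.40  A4:BB:CC:99:88:77  corp-10
"""

Finding = namedtuple("Finding", "ip mac vlan vendor")

def normalise_mac(mac):
    """Canonical upper-case, colon-separated form; accepts ':' or '-' separators."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))

def is_locally_administered(mac):
    """True if the U/L bit (bit 1 of the first octet) is set: no vendor OUI applies."""
    return bool(int(normalise_mac(mac)[:2], 16) & 0x02)

def iot_vendor(mac):
    """Vendor name for the MAC's OUI, or None if unknown or not vendor-assigned."""
    if is_locally_administered(mac):
        return None
    return IOT_OUIS.get(normalise_mac(mac)[:8])

def find_misplaced_iot(arp_text):
    """Flag devices whose OUI belongs to an IoT vendor but that sit on a non-IoT VLAN."""
    findings = []
    for line in arp_text.splitlines():
        ip, mac, vlan = line.split()
        vendor = iot_vendor(mac)
        if vendor and vlan not in IOT_VLANS:
            findings.append(Finding(ip, normalise_mac(mac), vlan, vendor))
    return findings
```

Treat a hit as a prompt to verify and re-segment the device, not as proof of identity: OUI matching is a heuristic, and devices using randomised addresses will not be attributed at all.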
Obviously, this is not practical with IoT devices intended to act as key networking components, such as switches and routers. You need to ensure you can monitor and manage these devices and update their firmware without disruption, so you can respond proactively when a device vulnerability is reported.
What about AI?
While good security practices in AI are still evolving, it’s prudent to consider the consequences of implementing any kind of AI-based subsystem within the organisation. Ensure that you partition this system off so that its inputs and outputs are tightly constrained and that there are procedures to monitor its operation and determine any anomalies that might indicate an issue. If the AI system starts malfunctioning or is attacked, what are your procedures to route around it, so that critical business processes aren’t stalled?
Managing large numbers of endpoints may seem a daunting prospect, but with today’s increasingly sophisticated real-time endpoint detection and remediation tools, you can easily reduce a million risks to a handful, then control and mitigate each of these risks effectively.
A recent study by Enterprise Management Associates (EMA) took an in-depth look at the key decision criteria for organisations looking to invest in EDR solutions. The report compares two market-leading EDR offerings, 1E Tachyon and Tanium Core, indicating the qualitative differences between an older (Tanium) and a more modern (Tachyon) EDR solution. EMA recommends carefully identifying the business IT requirements for security, administration and compliance that exist today, as well as those expected to be introduced in future. This ensures the foundational introduction of a solution that will continuously meet organisational needs without periodic disruptions to production environments, unexpected financial costs or increased management complexity.