How to do Cyber Security in 2022 – If you don’t have EDR yet, ACT NOW!

If you haven’t heard the news yet, the most bulletproof form of cyber security is now on the market: ANY system you don’t want to have hacked or compromised; take it off all networks, especially networks that have an internet connection. Now, for the rest of us who don’t have the luxury of following that strategy, here is the best way to keep your organization safe: Protect your endpoints. Every server, PC, laptop, tablet and mobile phone, whether Windows, Linux, MacOS, Android or iOS needs your priority when it comes to security. The endpoint sits at the digital intersection of every business network. In this article I’m going to describe how to do endpoint protection that allows you to sleep peacefully at night.

The digital intersection

The endpoint is an essential tool of any business. With endpoints, users are granted access to systems and data that enable them to run the organization. The use of endpoints is ubiquitous and the need to grant rights and privileges that are accessed via the endpoint cannot be done away with. This same set of factors is precisely why cyber criminals are attracted to the endpoint as well. Access to the endpoint gives them a potential doorway into some valuable data, or privileges that can be used to expand their reach within the network.

In 2021 Absolute commissioned a report called the “2021 Endpoint Risk Report.” Surveying tens of thousands of endpoints, they revealed that about 73% of devices have access to sensitive data. If threat actors can gain control of an endpoint, they have a 73% chance that they will find something useful. Good odds!

The endpoint is the intersection of all things cyber security. Secure the endpoint: Secure the business. Let me give you some tips on how to do that. I believe it boils down to three important concepts to work on in your IT management.

1. Visibility

If you had to identify all the endpoints authorised in your network, could you? Another recent report, this one conducted by Cybersecurity Insiders, found that 60% of organizations are aware of fewer than 75% of the devices on their network. It is common for there to be some degree of sprawl as an organisation grows – keeping up with devices is not easy. This statistic shows the reality of that difficulty. Without the visibility of what is authorized to exist and operate in your network and use privileged information or access, you leave a weakness in your network security for attackers to exploit. So, any business that wants to take cyber security seriously must step up their visibility of their endpoints. There are expensive systems that you can buy to help achieve it, but I believe that process and procedure comes first. If a business can lead with well-structured systems, then they put themselves in a position gauge when the time is right to add complementary technological solutions. Simply throwing tech at cyber security is a fantastic way to fool yourself about your security posture and gain a cupboard full of white elephants at the same time.
Here are some pointers:

  • Develop a process, form, or app, for commissioning and decommissioning devices – from servers through to mobile phones – to gain visibility everything needs to be recorded when it arrives and when it leaves.
  • Put someone in charge of keeping a list of devices that have been authorised on your network. This could be an internal role, or something a third party could do.
  • If you have a complex network, consider implementing VLANs or network segmentation to restrict how must access an endpoint has and to compel some of these other processes to be put in place.
  • Get stricter with your allocation of privilege and rights. Use a ‘least privilege’ model for users and devices to limit the amount of intrusion a compromised endpoint hands to a threat actor.
  • Make your first technology-based solution a Remote Monitoring and Management (RMM) tool. These platforms provide a view of the state of your endpoints once you have implemented processes to ensure nothing is slipping through the net.

2. Patching

The amount of time between a vulnerability in a piece of software getting exposed and active attempts to exploit that vulnerability ‘in the wild’ is down to days, if not hours. The Absolute report (mentioned earlier) found that the average time between a patch being released and the patch being implemented on endpoints in organisations is nearly three months! This is too long. The old notion of waiting a few weeks so that other users can experience any bugs or issues no longer holds true. Would you prefer to manage a cyber security incident, or roll back some updates that caused issues in a controlled deployment? I hope you don’t take too long answering that question! Leaving endpoints unpatched increases your exposure to hacking – there is no question about it. Make sure your business has a suitable approach to managing the regular deployment of updates to all endpoints.

To add to the complexity of patching there is the ever-expanding array of Internet-of-Things (IoT) endpoints that are on your network; each with it’s own little operating system and software environment. Devices like printers, CCTV cameras and NVRs, access control units, even solar panels all come with built-in systems that you plug into your network to give you remote access, web-based configuration interfaces, and other features. They also bring potential vulnerabilities. Some of these are benign, but others are hot targets for cyber criminals. Patching doesn’t stop with PCs and laptops, it extends to each of these devices. In a lot of cases, there is no way to automatically update these systems, so vigilance is needed to ensure that these are updated as often as possible.

Absolute also found that, remarkably, Windows 10 adoption rates are still only 92%. Microsoft pulled support for Windows 7 over 18 months ago, so organisations are still using an operating system that has major security flaws and has not been patched in some time. Granted, there are services out there that deliver post-support patching for Windows 7, but I wonder what the cost of these are compared to getting Windows 10 rolled out in most businesses? If you still have Windows 7 machines still present on your network, take a moment to smack yourself on the hand and then plan to replace/upgrade them as quickly as possible.

3. EDR

In 2021, two commonly exploited vectors used by threat actors are VPNs and antivirus. Both are solutions designed to boost security, yet they can become weaknesses if not managed well. Antivirus particularly, is something that businesses tend to under-spec and over-trust. A reputable antivirus is certainly better than nothing, but it’s not the ‘good enough’ solution that it used to be. Think of it this way, if you had the opportunity to protect your home with one of the following detection solutions, which would you pick:

  • a trip wire at the front and back door, or
  • a full CCTV system watching all doors and rooms?

Traditional end point protection (EPP) is like the trip wires – useful, but easy to bypass or miss a critical event. Next generation protection is typically referred to as Endpoint Detection and Response (EDR). EDR acts like a CCTV system with motion detection enabled – every action on the endpoint is scrutinized with a combination of the old school signature database and modern AI algorithms. This next level of protection allows for an array of preset actions and responses across a whole organisation. In the battle to secure the endpoint, moving to an EDR solution is now essential for businesses.

3a. MDR

If we follow the CCTV analogy through, there is a drawback to having constant surveillance – detection and prevention are two different things. It would be a bittersweet moment to reply the footage of your house being burgled so that you could identify the villain, watching your house get ransacked while clinging to the cold comfort of knowing you can send this to the police to get justice. The insurance company would accept the video too, but the painful process of rebuilding and the fear of recurrence would be with you for months or even years.

Imagine, instead, that the intrusion triggered the doors in your house to close and bolt against the intruder, and first responders were dispatched at once to arrive at the scene within minutes? Managed Detection and Response takes EDR and wraps the human monitoring and response layers around it. Sounds expensive, doesn’t it? In cyber security it always comes back to your risk appetite. If an intruder could get into your house and change all the locks while you were out, and demand $100,000 to get the new keys, might the idea of paying a premium for the MDR solution sound more palatable? How about if the intruder threatened to tip your dirty laundry outside if you didn’t pay up? For most businesses, the cost of lost production, lost reputation, lost customers and running the gauntlet of privacy laws is not worth the risk. The reality seems to be that cyber security needs to be a permanent item on the company budget, and a MDR might be the ticket to reducing your risk profile in a cost-effective way.

Cyber silver bullets and onions

Does securing the endpoint guarantee you an incident-free operation? Sadly, no. Nothing does, and looking for silver bullets in cyber security is a dangerous activity. Instead, think of your cyber security as an onion – layer upon layer of processes, training, awareness, and technology solutions to fix vulnerabilities, sure up weaknesses, and mitigate the strategies of threat actors. There is no silver bullet, but if you invest in your visibility, patching and EDR/MDR, you give yourself layers of security that will give you the best possible position without overspending. Targeting the endpoint is a critical strategy in 2022. Please don’t let the opportunity to secure your organisation pass by.