Endpoint protection has been the trusted backbone of many companies’ security. But with stories about data breaches and successful cyber attacks constantly in the news, people are beginning to think endpoint security is dead. Whether or not you agree, you might be wondering if there’s any truth to this statement. F-Secure’s Antti Tuomi joins us from Japan for Episode 16 of Cyber Security Sauna to talk about endpoint security, its strengths and limitations, and when detection and response is needed. Listen or read on for the transcript.
Welcome to the show, Antti.
Thank you very much for having me.
Can you tell us a little bit about what you do at F-Secure?
My title is Principal Security Consultant, which pretty much means that I help different kinds of customers in basically strengthening their security posture or dealing with threats and attacks they are facing. And I work with a lot of organizations worldwide. For example, I’ve worked with companies in the aviation industry, but also in finance, online gaming and so on, and more recently for example, very young and agile cloud service operators, or young, agile organizations utilizing cloud services over here in Japan.
Endpoint security is sometimes proclaimed to be dead, and sometimes said to be an important part of an organization’s security program. What is endpoint security to you?
Well, to me, endpoint protection is basically the foundation, the very simple, as we say in Japanese, the kihon no ki – the first simple step that you should have in place regardless of what you do. So basically the fact that you have something that blocks the known threats, like these programs that we already know are bad, or these exploits that we already know. So at least being able to block that is a very important beginning part.
That being said, usually in the work that I do, we often come across a lot of attacks or ways to abuse an application or a system that do not fall within the bounds of this endpoint protection. For example, the attacks might be targeting a web application, or they might be related to the business logic of an application. And in that case, it’s not really something that endpoint protection by itself can take care of.
So to kind of put it shortly, to me, endpoint protection is the basic building block – let’s try to get the flu vaccine – let’s try to get rid of the ones that we know are bad. But your work is not done after just installing that.
So we’re not just talking antivirus anymore, although that’s in there. We’re not talking firewalls, although those are in there. Also, not all endpoint protection is equal. What makes the difference to you?
Basically, what’s nowadays called endpoint protection, I think, is a combination of all the technologies you can use to protect individual endpoints, let’s say, workstations. In order to protect an endpoint, you do need an antivirus or anti-malware, and sometimes the ability to block those exploits. And also, what’s usually included is a firewall, like a managed firewall type of application, so that it’s easy for an organization to collectively set, “Okay, these laptops are used by the sales team, they don’t need to expose any ports towards the Internet. And these are the developers’ workstations, so these we want to manage like this.” Definitely having all of those features there matters, and also later on the detection and response part, where if something were to happen, you’re also able to react in a centralized way to the intrusion or to the attack. That’s very important.
Yes, endpoint protection software, or products, are not all equal. Some of the products have this anti-malware part, some of them might not have the firewall part, some of them might include detection and response capabilities as well. So there’s definitely a difference in the features, and in the detection capabilities. If you take a look at AV-TEST, the antivirus test organization, they publish results on which anti-malware or endpoint protection suites have the best detection capabilities and so on. So you can definitely see a lot of differences there depending on which type of product you choose.
You could also go into the realm of password managers and, in a way, into securing how the user operates within or uses their endpoint.
What are the sorts of attacks that endpoint protection is made for? And what sort of attacks fly under the radar?
Usually what endpoint protection is meant to do is to give a feasible and reasonable peace of mind and safety to the user of the endpoint, and also to the organization. So let’s say you have the latest ransomware virus, or you have the latest exploit in the browser or something. The role of the endpoint protection should be to be able to block that if it makes its way all the way into your endpoint. So I think that’s the extent.
But when you start talking about custom applications, or let’s say malicious users… So let’s say there’s, for example, a disgruntled employee who, of their own volition, uses their own credentials to export the whole list of customers, or to stalk the users of the organization. That’s just something that you cannot protect against with endpoint protection software, or with software at all, to begin with.
That’s an interesting point. A common distinction is that endpoint protection covers the opportunistic, the commodity threats that randomly hit organizations. And for attacks where the adversary is devoting energy towards a specific organization, targeting their attacks, like phishing emails, you need detection and response technology. Would you say that is an accurate distinction?
Yeah, I think that’s a very accurate distinction. Take targeted attacks, or phishing attacks, for example. If they’re just untargeted ones, where you just send out some kind of message that doesn’t target the organization specifically, then the chance of success is a lot lower than it would be if it’s a targeted attack.
One of the more common ways of targeting an organization is the spear phishing type, these tailored phishing emails. For those you definitely do need detection and response instead of just endpoint protection. One of the biggest reasons is this. Let’s say the phishing email goes: “We are now piloting a new cloud-based Office 365 deployment that is going to be used by the sales department, so this is going to make your invoicing process much easier. You, good sir or good madam, have been selected to be part of the trial group since we know that you will have very great input into this problem. So please try logging on to our new cloud system using your domain credentials.” They only send a link to this spear phishing site. Now you click the link, you see the tailored cloud service login page, and you were told that you could just use your normal domain credentials to try to log in, so you input them there, press enter or click the login button, and you get a “Sorry, the system is down for maintenance briefly, please try again shortly” message. But your credentials were taken. So at this point, there is no likely or feasible way that the endpoint protection could have picked up this attack.
The reason is that there was nothing malicious on your endpoint to begin with. It was basically an email with pictures and links to an external site. So it’s very hard for an endpoint protection solution to actually pick that up. The next step for the attacker is to use those credentials that they obtained using the spear phishing attack, and then, for example, use your actual organization’s login page or VPN endpoint, or whatever, and use your credentials to get into the system or the networks or your email account, and then take the attack forward from there. That’s where detection and response comes in. You need to pick up what the attacker is doing, how, where, and with what accounts. That’s very, very important.
How likely is it that an organization will encounter the kind of attacks that are out of scope for endpoint protection?
It’s very likely. It’s happening all the time. It’s happening right now to most of the organizations on the planet. If you have a custom website, if you have a web presence, you will be targeted, either by automated means, or by someone who thinks you’re an interesting target, or thinks that maybe it would be an interesting thing to attack just for the fun of it. And there’s a bunch of commodity threats that might get through. There are also a lot of different types of attacks, like phishing and also web application attacks, that endpoint protection can’t just arbitrarily block.
How does knowing your threat model play into whether you need a detection and response solution on top of your endpoint protection?
It’s definitely important. In security there is no silver bullet. You can’t have one thing that protects you against everything. So you should definitely cover your bases using endpoint protection and detection and response solutions. But after that, the actual attack surface and threat model of your organization should be one of the key things in deciding how to proceed from there.
So let’s say you are a bank or financial organization, then your threat model will likely include attacks such as fraudulent transactions and people opening accounts in other people’s names, or transactions that come in or go through from money laundering sources, and so on. And in that case, you have to have specific protections against those kinds of threats. You need to have a security model that allows you to detect and block these transactions and reverse transactions where necessary, and so on.
However, let’s say you are a car repair company. Then your threat model is completely different. What you’re likely worried about is, for example, what if my customer database leaks? What if someone is able to install ransomware on my computers, and then I wouldn’t be able to service cars any more, I wouldn’t be able to serve my customers? The threat model is very different depending on the company and the industry you’re in.
The smaller companies typically have limited budgets. Where should they invest? Should they ditch endpoint security entirely? Should they just focus on detection and response? Do they need both?
Security is basically one of the tools for managing business risk. Endpoint protection is usually fairly affordable, even for private customers or for small companies. So that’s definitely somewhere where I would start, just, you know, have some peace of mind that at least there’s a smaller chance that something bad will happen and my computers will be wiped and I won’t be able to open the scheduling view for my customers the next time someone calls.
So basically for a smaller company, yes, they have more limited resources, but their ability to bounce back from a cyber attack is also more limited. So for them, just a single fairly commodity attack could be the end of everything.
Yes, that’s true. If you have limited resources to begin with, let’s say you’re working on cars or you’re working on something that’s not super IT-security centric, then having to also worry about how to recover from attacks and spending all your mental capacity on security is kind of a waste, in a way. It’s not your main business, so it’s not something you should be focusing on. So get some peace of mind by covering the commodity threats and then focus on the things you should be doing.
What about bigger companies? At what point does a company start needing a detection and response solution on top of their endpoint protection?
There’s no specific point, like if you’re more than 20 people, or if your revenue is more than this, then you will definitely need detection and response. That’s really not the case. On the topic of detection and response, I would say that the moment you have a strong commitment towards your customers or towards the segments that you’re serving… let’s say, for example, you handle a lot of people’s personal information, or you handle credit card information, or you handle health information. At that point you kind of have this moral obligation to protect the data that you have, for the sake of your business, because your business is based on your customers, or your segments, trusting you with their data.
So especially when you go into that kind of a business, I think it’s very important to invest in detection and response as well. The commodity threats might not be the biggest threat to your business, but if something does get in, or a targeted attack gets in, or even, let’s say, your whole healthcare system network gets stopped by ransomware, at that point you’re in big trouble, both as a business and morally or ethically towards your customers, your patients and so on. So at that point I would definitely think about introducing endpoint detection and response, or detection and response in general, to be able to notice if something bad has happened and to be able to respond to it as fast as possible.
I like your approach. It’s almost as if you’re saying that as long as the risk is only to you and your own company, then do whatever. But if you’re responsible for other people, then you owe it to them to do the best job you can.
I think that rings true with me, at least.
What is the biggest myth or misconception you’d like to bust about endpoint security or detection and response?
In general I think security knowledge has been getting a lot better recently, but some years ago, let’s say five or ten years ago, when you were talking with organizations about security, usually the first thing that came to mind was antivirus: “Oh yeah, we have antivirus, we have firewalls, so we have security.” Or alternatively, even, “Yeah, we have encryption, so we’re secure.” That was definitely the biggest misconception a while ago.
Nowadays I think the world is going in a better direction, where more and more companies realize that it’s not about “We installed this product, we installed security. Great, now we have security since we clicked the install button.” That’s definitely the big misconception that I’m fortunately seeing phasing out. Endpoint protection is one piece of the puzzle that you need to click into place, but after that we need to step back, take a look at the cover of the jigsaw puzzle and go, “Oh yeah, these are the things we need to protect, so let’s figure out the remaining pieces that we need.” That’s basically the direction I would like the world to go in.
So detection and response on top of endpoint protection is a good idea. Are there kinds of organizations where even this won’t be enough?
Definitely, yes. Or, at least, there are organizations that might not be able to utilize these normal IT-based protections like endpoint protection and detection and response. For example, if we talk about IoT devices, let’s say you have a light bulb that you control using your smartphone. Usually you have a small computer inside your light bulb, and it has some kind of communication chip in it so it can talk with your phone over WiFi or Bluetooth. Or maybe it even connects to your WiFi and talks with a cloud service that manages your light bulbs. So when you make these small IoT, or Internet of Things, devices, you are very limited in the resources that you have on the device. You have a very tiny operating system and a very tiny application on top of that, and there’s no feasible way for you to run, for example, a proper antivirus or endpoint protection on it.
Yet take, for example, the Mirai botnet that came out recently, which exploits issues in devices exactly like this and was used to mount attacks on, for example, entire countries, like Liberia, which someone tried to take down using the Mirai botnet. So you have this tiny chip that is supposed to just control a light bulb, and it doesn’t have the memory or the power or the functionality to even run endpoint protection or detection and response. It’s just not reasonable. So in these cases your approach has to be completely different. You can’t rely on existing solutions or existing commodity applications intended for desktops.
Instead, what you should be doing is threat modeling for your device and trying to figure out, first of all, how do we make sure that the application doesn’t expose attack surface? For example, if your light bulb doesn’t have any open ports towards the internet and doesn’t expose any interfaces, then it’s suddenly a lot harder to attack. Doing this kind of threat modeling and application- and environment-specific protection is the most important thing.
Makes sense to me. Thank you, Antti for being with us today.
Thank you for having me.
That was our show for today. I hope you enjoyed it. Make sure you subscribe to the podcast, and you can reach us with questions and comments on Twitter @CyberSauna. Thanks for listening.