Cyberattacks have become more sophisticated, and immature security practices make endpoints an easy target for advanced attacks. Security and risk management (SRM) leaders relying on traditional signature-based endpoint security struggle to defend against fileless attacks, ransomware, and identity theft.
Prevention alone is not enough. SRM leaders need to strengthen the endpoint security posture within their organization.
A Roadmap Can Improve Endpoint Maturity
To address the modern threat landscape, identify your organization’s current maturity level of endpoint security and prioritize projects to improve it. While some of these projects rely on tools outside the endpoint context, they can reduce the overall endpoint attack surface and improve threat detection and response (TDR) capabilities.
Prioritize the projects across the five maturity levels outlined below:
- Endpoint Protection Level 1: Interrupt: The primary focus at this level should be on investing in people and processes. Start a conversation with business stakeholders about the types of threats that are reasonable to expect, and determine which corporate resources are the most critical to achieving business goals. Establish an end goal, a timetable, and a budget to reach the desired endpoint protection level, and then prioritize building an inventory of assets and resources.
- Endpoint Protection Level 2: Develop: At Level 2, define your organization’s requirements, take inventory, develop an analysis, and develop a plan to close gaps. Focus on getting application-level and authentication-level inventory.
- Endpoint Protection Level 3: Define: At this level, organizations should have most of the requisite tools, such as an endpoint protection platform (EPP) and endpoint detection and response (EDR). However, they should continue to improve processes and establish a formal security operations center (SOC) for incident response (IR). Organizations at this level address the reporting and tracking of performance. To prevent more opportunistic attacks, SRM leaders should expand their focus from malware prevention to detection and response. Root cause analysis and the proactive hardening of endpoints also become more important at this stage.
- Endpoint Protection Level 4: Proactively Defend: At this level, focus on all network-connected devices by adopting techniques designed to reduce the attack surface of IoT devices and out-of-support operating systems. Detection activity moves up to the device and user behavioural level. Implement identity threat detection and response (ITDR) and security information and event management (SIEM) solutions for more extensive, custom behavioural detection capabilities and threat analytics. To reduce the attack surface, ramp up the use of default-deny controls, such as application safelisting, network segmentation and web isolation.
- Endpoint Protection Level 5: Refine: This is the refinement stage. Inspect the supply chain for downstream attacks, and address attacks that happen lower in the computing stack, such as firmware attacks.
Not all organizations will, or should, implement all the protection projects listed to achieve the highest level of endpoint security. Organizations must weigh the risks against the cost and inform management of the achievable security level and the potential risks that may not be addressed, given the resources allocated. Then, business leaders can decide and communicate the acceptable risk appetite.
(The author is Peter Firstbrook, Distinguished VP Analyst at Gartner, and the views expressed in this article are his own)