With enterprise endpoints increasingly operating “out of network” and from remote locations, the need for real-time data has never been more acute as IT departments grapple with reacting quickly to fast-developing security threats.
Modern computing endpoints have crossed the sheltered boundaries of the corporate networks where their traditional counterparts used to operate, and are being used from home, on the road and in remote locations, over public networks and hotspots where they are exposed to frequent changes in their external environment. In most current IT environments, IT operations runs like clockwork through a set of scheduled management tasks, while security is handled by a separate set of tools deployed and managed by the IT ops teams. The new endpoint environment requires more coordinated and responsive action from IT, based on shared desired outcomes and with less regard to internal functional boundaries. Consequently, the rigid functional view of endpoint security and management that worked for PCs within the corporate network’s firewalls is no longer relevant in today’s enterprise, where endpoints can be anywhere.
Endpoints Face Increasing Malware Attacks
Organizations across many industries are witnessing a steady rise in data breaches, disruptions and malware attacks through their corporate endpoints. As many have reported, large data breaches have occurred throughout 2016. These breaches covered government departments, independent software vendors, healthcare companies, insurance corporations and universities. Attackers have definitively shifted their focus from servers, backend databases and operating systems to applications and runtimes on the endpoints. Clearly, the number of breaches will increase as endpoints continue to become the weakest link in the corporate information chain. Attackers will look for ways to exploit endpoints.
In the past, IT endpoint security and management has largely been operational (e.g., patch deployment, configuration management, and so on), with endpoints managed based on vulnerability information sourced from security databases, vendors, information brokers and others. However, it is no longer enough to monitor and secure the network, servers and data from one end because attackers are increasingly attacking the vulnerable other end – the endpoints and the apps running on them.
Companies tell us they regularly receive calls from regulatory bodies, governmental agencies and security analysts about potential malware and vulnerabilities, and struggle to detect the exposed devices quickly. The result is that action can be delayed, sometimes by months, with vulnerabilities unaddressed for prolonged periods. This trend will only increase with the advent of the internet of things.
Endpoints Must be IT Accessible in Real-time, 24/7
To manage these threats, endpoints must be made accessible to IT more easily and monitored proactively. IT should have access to the vulnerability information, take its detection signature, know what type of evaluation needs to be performed on each of the hundreds of thousands of endpoints to identify the exposed ones, and know how to remediate them – all in real time, within a matter of minutes! This is a far cry from the traditional way of obtaining vulnerability information periodically, updating the respective internal databases, running endpoint scans on a pre-defined schedule, analyzing the results through reports the next day, and finally, deciding to initiate the remediation process. In short, the time needed for this end-to-end process just shrank from days and weeks to seconds and minutes!
Two Challenges to Endpoint Security
Endpoint security is easier said than done for two primary reasons.
#1. IT teams typically work with stable sets of data, collected over days, if not weeks, that is pre-processed and structured to fit existing models. Endpoint information is much more dynamic.
With the fast-changing and dynamic nature of endpoints today, up-to-the-minute, higher-velocity data plays a role as critical as, perhaps even more critical than, lower-velocity operational data. Operational data is usually represented as reports, which are hindsight information. The connection between information from the reports and actions performed by IT is tenuous and indirect. On the other hand, high-velocity real-time information provides visualizations and reports that tie directly to actions. In fact, many times they’re created with specific actions in mind.
#2. Real-time endpoint information must be available “out-of-cycle,” not tied to the cadence at which regular IT operations happen. On the other hand, the real-time data and operations must also be consistent and well-aligned with operations so remediation can be done and actions taken quickly.
Matching the two is not an easy task, and can cause security gaps. For example, if real-time data is queried with specific actions in mind and for a specific purpose, the response must still be correlated with existing systems of record and operational data before action can be taken. Obtaining the right balance between the power of real-time data and the context that operational data provides is not an easy proposition, especially across team silos with different goals.
Real-time information could contain the current status of installed software, recently identified rogue files, or specific versions of installed software or libraries that carry a known vulnerability (e.g., OpenSSL version 1.0.1 containing the Heartbleed vulnerability).
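The real-time query described above, evaluating a vulnerability’s detection signature against what each endpoint reports, as an added example that is not part of the original article. It uses the OpenSSL/Heartbleed case from the text (Heartbleed affected OpenSSL 1.0.1 through 1.0.1f; 1.0.1g carried the fix); the endpoint names and inventory records are constructed sample data, and a version the rule cannot parse is reported as unknown rather than silently treated as safe.

```python
"""Evaluate a detection signature (package + vulnerable version range)
against endpoint inventory records. Added example; inventory is constructed."""
import re
from dataclasses import dataclass

# OpenSSL versions look like "1.0.1f" or "1.0.2"; the trailing letter is a
# patch level, and no letter sorts before "a".
_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)$")


def parse_openssl_version(text: str) -> tuple:
    """Turn '1.0.1f' into a comparable tuple (1, 0, 1, 6); '' patch -> 0."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {text!r}")
    major, minor, fix, patch = m.groups()
    level = (ord(patch) - ord("a") + 1) if patch else 0
    return (int(major), int(minor), int(fix), level)


@dataclass(frozen=True)
class Signature:
    """Detection rule: package name plus an inclusive vulnerable range."""
    package: str
    first_vulnerable: str
    last_vulnerable: str

    def matches(self, package: str, version: str) -> bool:
        if package != self.package:
            return False
        v = parse_openssl_version(version)
        lo = parse_openssl_version(self.first_vulnerable)
        hi = parse_openssl_version(self.last_vulnerable)
        return lo <= v <= hi


# Heartbleed affected OpenSSL 1.0.1 through 1.0.1f (fixed in 1.0.1g).
HEARTBLEED = Signature("openssl", "1.0.1", "1.0.1f")

# Constructed sample: what each endpoint would answer to a real-time query.
SAMPLE_INVENTORY = [
    {"endpoint": "laptop-001", "packages": {"openssl": "1.0.1e", "curl": "7.35"}},
    {"endpoint": "laptop-002", "packages": {"openssl": "1.0.1g"}},
    {"endpoint": "kiosk-007", "packages": {"openssl": "1.0.0", "openssh": "6.6"}},
    {"endpoint": "laptop-003", "packages": {"openssl": "1.0.1"}},
    {"endpoint": "laptop-004", "packages": {"openssl": "unknown-build"}},
]


def evaluate(inventory, signature: Signature) -> dict:
    """Return {'exposed': [...], 'unknown': [...]} endpoint names."""
    result = {"exposed": [], "unknown": []}
    for record in inventory:
        for pkg, ver in record["packages"].items():
            try:
                if signature.matches(pkg, ver):
                    result["exposed"].append(record["endpoint"])
                    break
            except ValueError:  # unparseable version: flag, never assume safe
                result["unknown"].append(record["endpoint"])
                break
    return result
```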
Endpoints Must Become Smarter
IT security teams must be able to pinpoint problems and remediate them quickly, which calls for specificity and sharpness in endpoint information. Endpoints must become even smarter, with tools and agents that can detect, alert and self-heal going forward.
Another aspect of real-time information is that endpoints cannot merely receive queries and remediation actions initiated from the backend each time. They must proactively manage security around breaches and attacks. Prescheduled alerts and real-time monitoring can add tremendous value towards improving endpoints’ readiness against attacks. The true power of real-time management and security lies at the strategic intersection of endpoint management, monitoring and security.
With the fast-changing and dynamic environment in today’s enterprise, not having timely information can give a false sense of security. As a result, time becomes an even more critical factor.
As corporate workforces increasingly work out of home and remote locations, attackers will only continue targeting endpoints and applications further. Endpoints must become smarter and more involved in the decision-making processes related to them, such as patching, updating software versions, changing configurations, installing and uninstalling software or files, and more. They cannot be simply “managed” as a reaction to environmental factors and information external to them. Endpoints must be included in the information gathering process for security, compliance and audits, and that can only happen in real-time to be effective.