For many organizations, endpoint security remains the weak link in their security strategy. While organizations are able to ensure that endpoint clients are installed on company-owned assets, security becomes more challenging when workers use their personal devices for work-related activities. The organizational risks introduced several years ago by BYOD have been compounded as the number of critical business applications and the volume of data being accessed have grown rapidly as a result of ongoing global digital transformation (DX) efforts.
Of course, not all endpoint devices are the same, and each requires a somewhat different approach. Traditional endpoint devices, even those owned by employees, can still be required to install a security client in order to access network resources. Likewise, handheld devices such as tablets and smartphones can be protected using mobile device management (MDM) solutions. And even the most primitive IoT devices can be secured using proximity-based protections.
Laying a proper endpoint security foundation
Like most security issues, success begins with laying the proper foundation. In the case of endpoint security, this begins with two fundamental strategies:
- Organizations need to implement a comprehensive Network Access Control (NAC) strategy. Any device seeking to access network resources needs to meet certain baseline requirements, such as being malware free. If it is a user-based device, then it must also be patched and running a current version of any mandated security software. Once a device meets those criteria, it then needs to be assigned to specific network resources using a variety of contextual criteria, including the type of device, the business unit it or its user is assigned to, the current status of the user, and even physical location or time of day.
- Organizations need an intent-based segmentation solution in place, running in parallel to the NAC strategy. Working in coordination with the NAC solution, segmentation needs to be able to move a device into an appropriate network segment, monitor its behavior, and quarantine it for remediation the moment it begins behaving badly. In addition, segmentation needs to span the entire network, including across SD-WAN connections and multi-cloud environments, so that connections, applications, and workflows receive consistent protection regardless of the path they need to take. And, owing to the need to rapidly scale and adapt to real-time changes in business requirements due to DX, segmentation solutions also need to be able to convert business language directly into policy.
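The two strategies above, as an added illustration (not code from the original post or from any vendor product): a baseline admission check, contextual segment assignment, and a behaviour-triggered move into a remediation segment. The minimum client version, segment names and the sample device records are assumed values constructed for the example.

```python
from typing import Optional

# Mandated minimum endpoint client version (assumed value for this example, not from the page).
MIN_CLIENT_VERSION = (6, 4)

def client_current(version: Optional[str]) -> bool:
    """True when the reported security client version meets the mandated minimum."""
    if not version:
        return False
    return tuple(int(p) for p in version.split(".")) >= MIN_CLIENT_VERSION

def meets_baseline(dev: dict) -> bool:
    """Admission check: every device must be malware free; user-based devices must
    additionally be patched and running a current version of the mandated client."""
    if not dev["malware_free"]:
        return False
    if dev["user_based"]:
        return dev["patched"] and client_current(dev.get("client_version"))
    return True

def assign_segment(dev: dict) -> str:
    """Contextual placement once the baseline is met: device type, business unit,
    user status, location and time of day decide the segment (names are constructed)."""
    if not meets_baseline(dev):
        return "quarantine"                      # remediation segment until posture is fixed
    if dev["kind"] == "iot":
        return f"iot-{dev['business_unit']}"     # headless devices never share user segments
    if not dev["user_active"]:
        return "quarantine"                      # disabled or departed user account
    on_site = dev["location"] == "office" and 7 <= dev["hour"] < 20
    return f"{dev['business_unit']}-{'corp' if on_site else 'remote'}"

def apply_behavior(segment: str, alerts: list) -> str:
    """Segmentation reacting to observed behaviour: any alert raised against the device
    moves it into quarantine for remediation, whatever segment it was assigned."""
    return "quarantine" if alerts else segment

# Constructed sample posture records as a NAC agent or scanner might report them.
SAMPLE = {
    "laptop-ok": dict(kind="laptop", user_based=True, malware_free=True, patched=True,
                      client_version="6.4.2", business_unit="finance", user_active=True,
                      location="office", hour=10),
    "laptop-old-client": dict(kind="laptop", user_based=True, malware_free=True, patched=True,
                      client_version="6.2.0", business_unit="finance", user_active=True,
                      location="office", hour=10),
    "camera": dict(kind="iot", user_based=False, malware_free=True, business_unit="facilities"),
}

if __name__ == "__main__":
    for name, dev in SAMPLE.items():
        print(name, "->", assign_segment(dev))
```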
Essential endpoint security policies
For endpoint devices that are actively engaged in accessing critical resources and producing, using, or storing data on the network—usually end user devices—there are a handful of baseline security requirements that need to be in place. While these might not apply to every device, they should be deployed wherever they can:
- Requiring strong passwords and multi-factor authentication. Passwords also need to be regularly updated.
- Running an endpoint client that includes antivirus/antimalware software, DLP protections, along with advanced security functionality.
- Full-disk encryption to ensure that sensitive data stored on a mobile device is protected in the event of loss or theft.
- Application control to prevent unwanted and unauthorized applications from executing on the endpoint device, thereby putting that device and the network it is connected to at risk.
- As with network devices, endpoints need to undergo regular patching and updating. The status of this basic security hygiene activity should be caught and enforced by your NAC solution.
- Finally, endpoint devices need to be equipped with dynamic and automated VPN to ensure that data moving back and forth from an endpoint device is secured, especially when using public WiFi.
Customizing security for different classes of devices
Endpoint security is not a one-size-fits-all challenge. Today’s organizations need to account for a wide range of endpoint devices, from laptops, to handhelds like smartphones and tablets, to IoT devices.
Laptops: Because laptops run the largest array of complex applications and workflows, they require the highest degree of security. This usually comes in the form of a local, cloud, or hybrid client. Regardless of how it is delivered, an endpoint security client needs to provide the following security functionality:
Start by looking at clients that have been independently tested and validated by third-party organizations such as NSS Labs. These organizations generally test to ensure that these clients can detect and stop a wide range of attacks, from common attack vectors such as web drive-by, phishing email, and evasion, to unknown and offline threats. Today’s sophisticated attacks also require advanced security functionality such as sandboxing and user and entity behavior analysis (UEBA).
Handheld Devices: For devices that cannot run a full security client, such as smartphones and tablets, organizations need to ensure that they have proper measures such as VPN, access control, multi-factor authentication, and MDM solutions in place.
IoT: While there is a growing range of IoT devices available, they can generally be lumped into three categories: End User IoT, such as wearables or appliances; Professional or Enterprise IoT, such as printers or security cameras; and Industrial IoT (IIoT) such as valves, sensors, switches, and inventory tags. Of course, there are others, like Medical IoT, but in general, while there may be some important differences, they can all be addressed with a similar approach to security.
The first commonality is that most IoT devices do not run a full operating system. Most are simply a collection of commands combined with a basic communications protocol. Because they are headless, not only is it impossible to load client software onto them, but many cannot even be updated or patched. Even more concerning, many of them include easily exploitable code or have back doors hardwired directly into the device.
As a result, security needs to be indirect. These devices need to be identified and segmented. Devices on your network temporarily need to be closely monitored, while more permanent devices also need to be protected using proximity software, such as a dedicated IPS and NGFW system, to quickly identify and respond to unusual or unexpected traffic either directed at or coming from any IoT device.
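The indirect protection described for headless devices, as an added example (not code from the original post or from any product): an inventory of an IoT segment, a per-class allow-list of the few services each class is expected to talk to, and a check over flow records that flags egress to anything else (including lateral moves inside the IoT segment) and inbound connections from unexpected sources. Addresses, classes, ports and the flow lines are constructed for the example.

```python
import ipaddress

# Constructed allow-lists (assumed values). Headless IoT devices talk to a small, fixed set
# of services, so anything outside that set is the "unusual or unexpected" traffic a
# proximity IPS/NGFW should catch.
EGRESS_OK = {                                   # (destination, port) a class may initiate
    "camera":  {("10.0.5.10", 554), ("10.0.5.10", 443)},  # video recorder: RTSP, HTTPS
    "printer": {("10.0.8.20", 631)},                      # print server: IPP
    "sensor":  {("10.0.9.5", 8883)},                      # MQTT-over-TLS broker
}
INGRESS_OK = {                                  # networks allowed to connect to a class
    "camera":  ["10.0.5.10/32"],
    "printer": ["10.0.8.20/32", "10.0.20.0/24"],          # server plus user workstations
    "sensor":  ["10.0.9.5/32"],
}
INVENTORY = {"10.0.50.11": "camera", "10.0.50.12": "camera",   # the IoT segment
             "10.0.50.30": "printer", "10.0.50.40": "sensor"}

# Constructed flow records: "src dst dport bytes", one connection initiation per line.
FLOWS = """\
10.0.50.11 10.0.5.10 554 820000
10.0.50.12 10.0.5.10 443 4100
10.0.20.15 10.0.50.30 9100 9000
10.0.50.11 203.0.113.7 443 52000
10.0.50.40 10.0.9.5 8883 300
10.0.50.40 10.0.50.30 22 120
192.0.2.9 10.0.50.12 23 90
"""

def parse_flows(text):
    """Parse whitespace-separated flow lines into (src, dst, dport, bytes) tuples."""
    out = []
    for line in text.splitlines():
        src, dst, dport, nbytes = line.split()
        out.append((src, dst, int(dport), int(nbytes)))
    return out

def find_anomalies(flows, inventory=INVENTORY):
    """Flag IoT devices reaching unexpected destinations (the elif does not run for them,
    so a lateral move inside the segment is reported once, as egress) and hosts outside the
    allowed networks connecting to an IoT device."""
    findings = []
    for src, dst, dport, _ in flows:
        if src in inventory and (dst, dport) not in EGRESS_OK[inventory[src]]:
            findings.append(("unexpected-egress", src, dst, dport))
        elif dst in inventory:
            nets = [ipaddress.ip_network(n) for n in INGRESS_OK[inventory[dst]]]
            if not any(ipaddress.ip_address(src) in n for n in nets):
                findings.append(("unexpected-ingress", src, dst, dport))
    return findings
```

Running `find_anomalies(parse_flows(FLOWS))` reports the camera reaching an Internet address, the sensor opening SSH to the printer, and an outside host connecting to a camera on telnet, while the expected recorder, broker and workstation-to-printer flows stay silent.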
None of these solutions can operate effectively in isolation. Instead, any endpoint security solution deployed needs to be chosen both for its security efficacy as well as its ability to be woven into an integrated and holistic security fabric that spans the entire network.
Connected endpoint devices need to be seen and treated as part of your WAN rather than as something separate, and securing them requires tying them together with your full range of different security solutions. This enables threat intelligence and policy changes to be actively collected and analyzed, sophisticated threats to be identified, and the entire security fabric to collectively deal with threats through a single, coordinated response that spans seamlessly from the endpoint to the core to the cloud.