Companies are rushing to buy endpoint security and may be misinformed when it comes to the remaining risks. Vendors that produce endpoint security have a self-serving interest to make statements that mislead the buyer into believing that their solution will put them out of scope from compliance needs or that the risk of a breach is properly covered.
The reality is that endpoint security is only one tool in an arsenal that companies should use. Yes, endpoint security is a good thing. However, so are other key IT security tools and methods, such as:
- Network Segmentation—where the network is divided into smaller sized portions so that the strongest security resources can be focused on the network areas with the critical data.
- Whitelisting Applications—allowing only pre-authorized applications to run and restricting every other process at the CPU level to lock down any potential virus or malware.
- Least Privilege Access—a security approach where users are only able to do enough to get their job done and not are not granted access to do anything more than what is required. This restricts data and systems to a need-to-know basis.
In addition, endpoint security will not remove your organization from scope or compliance regulations. While encrypting the data and securing the devices that can extract the data is important, compliance is still required and will include many other factors. For example, endpoint security will not resolve the following common compliance areas:
- Change Management—the process for making changes to systems, applications and other IT offerings that are used by end users and customers.
- Logical Access—administering user IDs and passwords and removing users when they leave the company, which requires role-/group-based security to administer and restrict access.
- Disaster Recovery Planning—in the event of emergency, the IT systems will need to be restored in an alternative location so that the business can continue to operate.
The misconception that endpoint security will solve everything cybersecurity-related is not unexpected. There are numerous risks around losing data that endpoint security accommodates. For example, if the data is encrypted in a way that makes it inaccessible to any unapproved or unauthorized device, it can help keep that data safe. However, the data can still be removed by someone who works at the organization and has access to the corporate network. This insider threat can be a significant risk. The insider may take the data intentionally. For example, Snowden took hard drives and other data from the NSA that had been encrypted because he had the keys to unlock them. Other times it may be accidental, such as from malicious software that has taken over a computer and leaks the data onto the Internet. Another benefit touted by vendors of endpoint security is that only authorized devices can access the network, which reduces the possible attack surface for an organization. This is a great perspective on security, but its specific benefit can be reduced when a device is stolen, when it is taken over by malicious software or when the security keys that mange endpoint security are compromised. The use of endpoint security often resolves one potential threat, but it then makes another area even more critical, such as key management.
Key management in endpoint security relates to the ability to decode the encrypted data and allow users to access it. Those keys must be guarded, and the risk that organizations will purchase endpoint security and forget to focus on this step is high. Once organizations invest in security tools, they begin to feel secure, and this false sense of security is a significant trap. It is very common for organizations not to know all of the methods for key management and for complacency to set in because the latest tool purchased was thought to keep the organization safe.
Ultimately, endpoint security is only one of many tools and should not be accepted as a panacea to all of the organization’s cybersecurity risks. Endpoint security should be approached as a powerful tool, but the enthusiasm that drives an organization to purchase it and implement it should also drive them to clearly understand how it maps to their needs. The solution should be mapped to specific compliance areas and compliance controls. The solution should also be architected in a way that it shows how all of the security tools and procedures come together to provide a more secure environment. Endpoint security will not solve every problem, but it is a good tool and it should also be supported with a holistic cybersecurity strategy.
Carlos Pelaez is the National Practice Leader for Coalfire’s practice area focused on serving Service Organizations and Internal Audit departments. He provides the framework and methodology to local audit teams so that they may be well equipped to validate compliance and cyber-security needs for cloud based solutions.
