Laptops, mobile devices, and cloud services have all eroded the concept of the traditional network perimeter. And the sudden shift to most or all employees working remotely from home in response to the COVID-19 pandemic has devastated what was left. When users can connect from virtually anywhere, the endpoint itself is the one thing that stands between an organization and a compromise.
Endpoint detection and response (EDR) has emerged as the standard for endpoint protection. EDR recognizes that prevention measures do not work 100 percent of the time, so it shifts the focus from only trying to block threats to monitoring activity on the endpoint, detecting suspicious or malicious behavior, and providing the information needed to contain and respond to a successful attack. It is an evolution from traditional anti-malware solutions and a step in the right direction, but it can produce false positives that distract and waste limited security resources, and it is ineffective against multi-vector attacks.
The rising threat of multi-vector attacks
The attacks themselves are getting more complex as attackers are using multiple entry points (or vectors) as a path to infiltration. The narrow focus of traditional EDR on the endpoint excludes relevant data crucial for properly understanding the scope of multi-vector attacks that extend beyond the single endpoint.
Looking at just the endpoint itself does not give you all of the criteria necessary for determining the true risk. The result is false positives and false negatives, which cause alert fatigue, poor prioritization of threats, and poor allocation of the resources and effort spent mitigating or remediating them. False positives and negatives also make it difficult to automate detection and response, which is critical in order to scale with today's complex environments. Taking different data points into consideration gives a broader context for how much risk a threat truly poses.
You must leverage security vectors beyond detecting malware to truly protect endpoints. Having an inventory of all endpoints connecting to the organization’s network, along with information on installed software such as version numbers, authorization status, and end-of-life status, as well as a view of running processes and network traffic to see any malicious activity, is vital.
Visibility into misconfigurations of security processes, anti-virus validation, exploitable vulnerabilities, and missing patches provides additional vectors that help security teams proactively and reactively hunt for threats while reducing alert fatigue, so teams can focus on the true risk.
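To make the point concrete, here is an added example (not code from the original post or from any EDR product) showing how the same endpoint detection is scored differently once inventory, end-of-life, patch, anti-virus and network-destination context are folded in. The host names, the rule name `encoded_powershell`, the destination addresses and the scoring weights are all constructed assumptions.

```python
"""Enrich an endpoint detection with inventory, patch and network context.
Constructed scenario: one EDR signature fires on two workstations; the host
context, not the signature alone, decides which alert is the real risk.
All weights, host names and addresses are illustrative assumptions."""
from dataclasses import dataclass

@dataclass
class Alert:
    host: str
    process: str      # image name the detection fired on
    remote_ip: str    # outbound destination observed at detection time
    signature: str    # hypothetical EDR rule name

@dataclass
class HostContext:
    authorized_software: set   # approved image names from the inventory
    os_end_of_life: bool       # operating system no longer receives patches
    missing_critical_patches: int
    av_validated: bool         # anti-virus present, running and up to date
    allowed_destinations: set  # known-good outbound IPs for this host

def score_alert(alert: Alert, ctx: HostContext):
    """Return (score, reasons); each extra data point is an explicit reason."""
    score, reasons = 20, [f"EDR signature {alert.signature}"]
    if alert.process not in ctx.authorized_software:
        score += 25; reasons.append(f"{alert.process} not in software inventory")
    if ctx.os_end_of_life:
        score += 20; reasons.append("operating system past end-of-life")
    if ctx.missing_critical_patches:
        score += 15 * min(ctx.missing_critical_patches, 2)  # cap the weight
        reasons.append(f"{ctx.missing_critical_patches} critical patches missing")
    if not ctx.av_validated:
        score += 15; reasons.append("anti-virus validation failed")
    if alert.remote_ip not in ctx.allowed_destinations:
        score += 20; reasons.append(f"outbound to unlisted {alert.remote_ip}")
    return score, reasons

def priority(score: int) -> str:
    return ("critical" if score >= 70 else "high" if score >= 45
            else "medium" if score >= 30 else "low")

def triage(alerts, contexts):
    """Rank alerts by enriched score, highest first."""
    ranked = [(score_alert(a, contexts[a.host]), a) for a in alerts]
    return sorted(ranked, key=lambda r: r[0][0], reverse=True)

# Constructed inventory: ws-01 is well managed, ws-02 is not.
CONTEXTS = {"ws-01": HostContext({"powershell.exe", "outlook.exe"}, False, 0, True, {"10.0.0.5"}),
            "ws-02": HostContext({"outlook.exe"}, True, 3, False, {"10.0.0.5"})}
ALERTS = [Alert("ws-01", "powershell.exe", "10.0.0.5", "encoded_powershell"),
          Alert("ws-02", "powershell.exe", "203.0.113.7", "encoded_powershell")]

if __name__ == "__main__":
    for (score, reasons), alert in triage(ALERTS, CONTEXTS):
        print(f"{alert.host}: {priority(score)} ({score}) - {'; '.join(reasons)}")
```

Run as-is, the identical signature lands at "low" on ws-01 and "critical" on ws-02, with the reasons list giving the analyst the context the raw detection lacked.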
The endpoint is indeed the perimeter. Effective endpoint protection is more critical than ever, but the standard approach to EDR is not enough. Organizations need EDR that sees beyond the endpoint itself to gain vital perspective.