In 2017, I wrote the blog, Endpoint vs. Network Security – who wins?, with a slightly clickbaity title. My intention was to spark some discussion about how we approach security and modern malware threats. Now, nearly four years on, I thought the topic was worth revisiting. While so much has changed, many challenges and misconceptions remain.
In 2017, threats like WannaCry were high on people’s agenda as ransomware burst into the enterprise space. At the time, I saw many organizations scrambling to improve their security posture. While companies were starting to invest more heavily in security, attackers kept succeeding. One of the key reasons for this was that organizations remained focused on network defenses, yet the data was stored on endpoints, the phishing emails and exploits targeted those endpoints, and the malware exploited user privileges on those endpoints.
Network defenses remain important, and email filters and firewalls are essential parts of the security stack. The problem was, and still is, that by focusing so heavily on filtering content at the network level, organizations fail to mitigate the key weaknesses on the endpoints that attackers actually leverage. This results in an unbalanced security stack that can be easily undermined by an attack. Having a state-of-the-art network sandbox detecting threats does not compensate for having unpatched endpoints accessed by users with local admin rights who are able to execute any application.
This is what I refer to as an “eggshell” security stance, where you build a hardened perimeter, but then one small crack occurs and everything spills out—creating a real mess. I once spoke with a peer who learned this the hard way. They had invested heavily in the latest and greatest next-gen defenses that dynamically analyzed email attachments in a network sandbox—only to be smashed by ransomware a week later. The cause? A user with a high level of privilege had opened an email attachment from their personal webmail, bypassing all the new controls and exploiting the user’s privileges and unimpeded ability to execute code on multiple endpoints.
Where are we now?
I’m sure we can all agree that the world has changed rapidly and significantly in the past four years. Corporate networks have become increasingly decentralized, and devices have flowed out of offices into the homes of newly remote workers. The industry analysts have declared that the age of cloud computing and mobility is here, and the infosec sages cry out louder and more forcefully than ever that the perimeter is dead. But once again, it’s time to talk about endpoints, which have arguably become the new perimeter as the focus shifts to identity.
In the short term, there has been a rush to enable access to data and systems for users—no matter where they are. While this is generally a positive thing, with cloud apps and Office 365 enabling more global collaboration, there is a tangible danger of privilege creep.
To aid user productivity, many organizations have taken shortcuts. This could be in cloud configurations where users are given access to vast amounts of data to avoid the complexities of more granular permissions and user groups. It is also happening on the endpoints, where users suddenly need local admin privileges to install home printer drivers, update the software on their headset, or install new applications. Without an Endpoint Privilege Management solution in place to granularly control privilege elevation and delegation, this may mean giving the user temporary or permanent access to local admin privileges.
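One way to measure this kind of privilege creep on a Windows endpoint is to audit who actually sits in the local Administrators group. The PowerShell script below is an added example, not code from the original post or from BeyondTrust; the allowlist entries (the CONTOSO groups) and the report path are assumptions you would replace with your own.

```powershell
# Audit local Administrators group membership against an allowlist.
# Added example: the allowlist and the report path are assumptions,
# not values taken from the original post.
$Allowed = @(
    "$env:COMPUTERNAME\Administrator",   # built-in local admin account
    'CONTOSO\Domain Admins',             # placeholder domain group
    'CONTOSO\Workstation Admins'         # placeholder delegated admin group
)

# Get-LocalGroupMember ships with Windows 10 / Server 2016 and later.
$Members = Get-LocalGroupMember -Group 'Administrators'

$Report = foreach ($m in $Members) {
    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        Member     = $m.Name
        Type       = $m.ObjectClass       # User or Group
        Source     = $m.PrincipalSource   # Local, ActiveDirectory, AzureAD, MicrosoftAccount
        Unexpected = -not ($Allowed -contains $m.Name)   # -contains is case-insensitive
    }
}

$Report | Format-Table -AutoSize

# Anything flagged Unexpected is a candidate for removal, or for replacement
# with a scoped, time-limited elevation rule rather than standing admin rights.
$Unexpected = $Report | Where-Object Unexpected
if ($Unexpected) {
    Write-Warning ("{0} unexpected member(s) in local Administrators" -f @($Unexpected).Count)
    $Unexpected | Export-Csv -Path "$env:TEMP\local-admin-audit.csv" -NoTypeInformation
}
```

Run it through your endpoint management tooling on every workstation and collect the CSVs centrally to see how far temporary admin grants have become permanent.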
Just as with the network security investments four years ago, today there is suddenly a rush to invest in EDR or “next-gen” solutions to monitor and protect endpoints. However, the core challenge remains unchanged—you can’t compensate for over-privileged users being able to execute code with a reactive, detection-based solution. The attacker just needs to evade detection once to succeed and, when they do, they can quickly use their newfound admin privileges to disable your modern EDR tool or access data across the system.
What we need to achieve is a balance between the proactive measures that reduce the attack surface, such as patching, removing privileges and application control, and the reactive measures such as AV, EDR, and monitoring.
These are not competing technologies, but rather complementary ones. Anyone who has turned on an EDR or SIEM tool in an unbalanced environment will tell you they are flooded with alerts and end up responding to attacks that may have already inflicted damage.
If the attackers aren’t able to exploit an unpatched vulnerability, aren’t able to execute a custom payload dropped to disk, and can’t easily access local admin privileges, then not only will you see fewer attacks flooding your dashboards, but you will force an attacker to take a much longer route to inflict damage. The more circuitous and delayed the attacker’s route, the more time and opportunity you have to thwart the attack. This is why a balanced security stack not only makes you more secure, but also allows you to do far less firefighting and be more proactive.
As you consider the cybersecurity maturity of your organization, don’t forget to balance the investment in endpoint security. Ultimately, the data and apps may be moving to the cloud, but attackers will look for the path of least resistance to reach them, and that path might just be your workstation endpoints.
James Maude, Lead Cyber Security Researcher
James Maude is the Lead Cyber Security Researcher at BeyondTrust’s Manchester, U.K., office. James has broad experience in security research, conducting in-depth analysis of malware and cyber threats to identify attack vectors and trends in the evolving security landscape. His background in forensic computing and active involvement in the security research community makes him an expert voice on cybersecurity. He regularly presents at international events and hosts webinars to discuss threats and defense strategies.