Start now

Endpoints: How to Protect from Security Threats

Endpoints: How to Protect from Security Threats

Endpoints are the cybersecurity "front line" against malware attacks. Learn best practices to keep your business safe and find out more about our EDR solution.

Endpoints: How to Protect from Security Threats

When it comes to endpoint security, it’s simple: the more devices you have, the more vulnerable you are. Endpoints – the devices used to connect a workforce, such as desktop computers, laptops, and mobile devices – are highly susceptible to malware attacks seeking access to an organization’s network.

Nowadays, even small companies have highly connected workplaces, and with the growing number of smart devices installed as part of IT infrastructure, the risks are only increasing. According to a study by the Ponemon Institute, a hefty 68% of organizations experienced one or more successful endpoint attacks within a two-year period. 

Main threats related to endpoints

Further research has found that attacks on endpoints are some of the most prevalent forms experienced. Their most common purpose is to launch ransomware, malware that hit 37% of all businesses in 2021. Worse still, recovering from these ransomware attacks cost organizations $1.85 million on average in 2021.

Just how important is endpoint security?

Despite these growing threats, businesses aren’t helpless. As fast as malware is evolving, so too are security solutions designed to keep one step ahead of attackers. Having sufficient endpoint security is critical, whether that’s implementing staff best practices or employing a specialized EDR (Endpoint Detection and Response) solution.

An endpoint attack can affect any organization, from hospitals to militaries to educational establishments. Regardless of the size or purpose of your company, your endpoints must be protected from attacks that can completely halt your operations for an indefinite time. In fact, the financial impact can be staggering – the average cost of a successful endpoint attack increased from $7.1 million to $8.9 million in 2021.

What do attackers want?

Understanding what endpoint attackers want also demonstrates both the severity of the fallout and how all organization types are at risk: 

  • Ransom: The attacker has taken control of your organization, meaning they can bring down the customer-facing website and effectively halt your entire production process by encrypting your systems. Now, they’ll ask for as much money as they can before control is handed back to you.
  • Data exfiltration: If you rely on trade secrets, an attacker might look to gain access to them. There’s always someone willing to buy information. 
  • Money transfer: An attacker may misrepresent their credentials to manipulate a user into making a large money transfer.
  • Mining for Bitcoin and other cryptocurrencies: In a growing crypto market, the processing power of computer systems is an increasingly valuable resource. 

Where are threats coming from and what mistakes are being made?

In any given company, perhaps 5% of your workforce is in technical support; that means 95% of the people connected to the network have significantly less training in computer security. The risks are simple but multiple and can be a result of:

  • Local admins with outdated passwords
  • Misconfigured users with unnecessary privileges 
  • Cached credentials left exposed on endpoints 
  • Users permitted to make unlimited login attempts

When people treat their work computer as a personal computer, perhaps clicking on suspicious links or phishing emails, the endpoint becomes vulnerable and, consequently, the entire network it is connected to. These risks increase the longer software goes without being updated: good configurations and management are essential. 

Best practices for endpoint security

There are five steps you can take right away to help protect your company:

  1. Enforce privilege capabilities through a zero-trust model, which permits the fewest possible administrative privileges to each employee by status
  2. Continually review and update your systems, requiring regular password changes and user configuration
  3. Train employees in safety and security when it comes to their online conduct
  4. Quickly respond to known vulnerabilities such as lost or stolen devices
  5. Maintain awareness of every endpoint connected to the system 

The main capabilities of EDR solutions

Every form of attack exploits the vulnerabilities that may be contained within a network in different ways. But for every exposure, there’s a way to block the attack and prevent the worst from happening.

Best practices like those listed above will be instrumental in helping to prevent attacks. But suppose you’re looking for the utmost in specialized security. In that case, the intelligent deployment of EDR systems like those developed and implemented by Ackcent will help you sleep much more soundly at night. 

How does Ackcent approach the problem?

EDR is a predictive and reactive security software: it is designed to proactively identify threats and new forms of malware that seek to evade traditional security measures and take immediate action. Ackcent’s EDR software combines cyber threat intelligence, machine learning capability, and advanced file analysis to form a defense that both detects and responds to sophisticated threats, consisting of three key steps: 

  1. Prevention: Analyze executable files before execution in a process called static analysis
  2. Detection: Utilize machine learning and behavioural analysis on system processes to detect malicious network activity
  3. Response: React fast to incidents with our security analysts working around the clock to assist your organization

The first step is to install the EDR solution on your company’s system. During setup, we add the appropriate exclusions for any safe applications or software that could flag our alert systems, known as false positives. 

Next, we instigate the running phase, through which we monitor the alerts generated during set-up and conduct analysis to decide whether they too are true or false positives. If it’s a true positive, we investigate the source of the detection and configure the protection policies to establish whether this malicious action immediately halts certain processes, sends a notification to the security center, or employs other more advanced responses.

At every step, everything is agreed upon with the client. This part of the process helps us to understand your business and the threats it’s likely to face. Ackcent’s EDR solution works by tailoring the security response to the company’s capabilities.

What additional features does Ackcent’s EDR offer?

  • Rogue endpoint detection: An agent deployed on an endpoint can scan the rest of the network to find other unprotected endpoints. A common challenge for customers is knowing how many computers they have in their IT infrastructure, and consequently, how many of those are vulnerable. 
  • Prevention of “juice jacking”, attacks that attempt to fool employees to plug in USBs or connect to Bluetooth devices in order to access the network. This form of attack is increasing as workplaces rely more on remote or peripatetic workers. 
  • Rollback service. If your files are encrypted after a malware attack while our SentinelOne function was installed, the software allows you to restore everything to before the point of infection, reclaiming your important data from the malware.

How does EDR improve over time? 

With an EDR agent installed on your endpoint, the first step is the collection of telemetry, which is all the processes happening in the machine: network connections, file creations, file removals, and more. The EDR cloud or console then ingests this telemetry. More telemetry means more information for us to work with, and EDR is an intelligent solution, meaning that it continually gathers telemetry artefacts into the cloud for future investigations.

For instance, we receive an alert that triggers an investigation: a user has opened up Outlook from the user lounge, opened an email from outside the organization, and clicked on an attached Excel file. This looks like a classic phishing attack, in which the attacker is attempting to get the user to execute code through social engineering. The execution of the target code then launches connections with remote network addresses, called command and control. This is the server controlled by the attacker, and so whenever the malicious code is launched, it will connect to the command and control to receive instructions. There are several ways in which SentinelOne can respond. For instance, it can integrate with third-party software to isolate and trigger the malware in a sandbox detonation, allowing us to observe how the malware intends to function. The intelligence and responsivity of the EDR helped avoid a simple mistake turning into a major problem.

The EDR also tracks lateral movement activities, where the malware is moving from one device to another and spreading across an entire network, as well as persistence, a method to force the computer to re-execute code whenever a computer is rebooted. EDR also allows us to see and block privilege escalation, where the attacker looks to gain more administrative power.

All these processes involve metrics, which our installed programs can use to our advantage to track and eliminate threats. SentinelOne detections show the threat indicators that lead to the alert, which are linked to the MITRE ATT&CK framework, a globally-accessible knowledge database of tactics and techniques used by attackers in real-world situations. 

What’s next for EDR?

With remote working now very common and the Internet of Things continuing to expand, technology is meeting the challenge of protecting workforces with increasingly complex connective infrastructures. Agents are able to ingest ever-increasing amounts of data from devices such as firewalls, proxies, and mobile devices. 

The agility and learnability of our intelligent system mean that you’ll be supported every step of the way towards developing a bespoke product built to work specifically alongside you, your organization, and your system. With an EDR installed on your network, you can actively work to protect your IT infrastructure and, ultimately, your people: the employees and clients who rely on you to provide your service, without interruption.
Contact Ackcent today to discuss how we can help protect your endpoints from malware attacks and keep your business safe.