researchHQ’s Key Takeaways:
- To prevent malware from spreading through a system like a wildfire, organisations require an endpoint protection solution that reacts immediately.
- Since 100% prevention is simply unrealistic, real-time detection and containment capabilities are essential.
- First-generation endpoint detection and response tools were designed under the assumption that there was enough time to respond to slow-burn threats.
- Sophisticated modern solutions detect and react to threats in real-time without hindering standard business procedures.
When dealing with wildfire – such as the raging fires that have devastated large parts of Australia, or the chronic fires that have been plaguing both Southern and Northern California the past several years – every second counts.
Seasoned firefighters need to do much more than simply douse a fire with water. Essential firefighting resources need to be stockpiled in the areas of most risk and properly distributed. Firefighting teams need to coordinate information between weather experts and firefighters on the ground and in the air to predict the direction a fire will head and then cut it off with fire breaks and retardants. Extra efforts need to be made to protect valuable structures and critical infrastructure, and that can only happen if those landmarks are identified before a fire starts. And evacuation plans and escape routes need to be pre-designated and protected, with alternative routes in place, so victims can get clear of danger.
Of course, the best firefighting strategy always starts with prevention. Underbrush is cleared away, break lines are already in place, homes are mapped and separated from vulnerable areas by clear-cutting forests back from property lines. But in spite of the best preparations, high winds and dry tinder are simply always going to make some regions of the world more prone to wildfires.
From Wildfires to Endpoints – The Principles Remain the Same
The exact same principles apply to endpoint security. When a device is targeted with malware, especially ransomware, if you don’t react immediately the fight is over – and you will have lost. Consider that WannaCry takes a mere 3 seconds to encrypt a file. And NotPetya, the cyber weapon designed to spread automatically and rapidly, was the fastest moving attack to date. By the time its victims saw the warning on their screen, their data center was already gone.
And worse, such an attack can quickly spread to other devices, and without an intervention plan in place, you will lose the chance to stop those threats from spreading like wildfire through your organization.
Because of these and literally thousands of other high-profile endpoint attacks, everyone should already know that endpoints are just one of those places in the network loaded with dry tinder and high winds waiting for a spark to set it off. In fact, according to a report from IDC, 70% of all successful network breaches start on endpoint devices. The number of exploitable operating system and application vulnerabilities – most of them unpatched – simply make endpoints an irresistible target for cybercriminals.
And while most CISOs would agree that prevention is important, 100% effectiveness is simply not realistic. Not only is patching intermittent, but all security updates trail behind threat outbreaks, zero-day attacks can slip past security systems, and there will always be those few folks in your organization who won’t be able to resist clicking on that malicious email attachment. As a result, security teams need to operate under the assumption that their endpoints will eventually be compromised. And that’s why, in addition to prevention, real-time detection and containment is critical.
Lag Times in Detection and Response Keep Organizations at Risk
The first step is to understand the kinds of threats in play. From a timing standpoint, there are the wildfires, such as ransomware, that can ruin a system in seconds. And then there are the slow-burn threats designed to steal data slowly and over time. In spite of all the press that ransomware attacks get, most confirmed data breaches have a long dwell time. In fact, the average mean time to identify a threat is 197 days, and it takes another 69 days to contain a breach.
Unfortunately, this is the benchmark that first-generation Endpoint Detection and Response (EDR) tools were designed for. The assumption was that there was enough time to manually respond to a slow-burn threat. And, in fact, the endpoint security industry has made important progress on detection speed (mean time to detect, or MTTD), reducing detection times from weeks to days or even hours. But that is hardly comforting for organizations staring a high-speed ransomware attack in the face. And even if an EDR tool is able to detect an attack in real time, what good is that if it then takes an hour or more to manually contain the threat? In the case of a ransomware attack, your data is already gone and you don’t need the EDR’s help with detection.
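To make the detection-versus-containment gap concrete, here is an added example that is not part of the original article or any vendor's product. It streams constructed file-activity events from a hypothetical endpoint sensor (the line format, process names and paths are all assumed), fires a simple rule when one process changes the extension of five distinct files inside a ten-second window, and returns a containment decision at that instant. A second function compares how long the data stays exposed when containment is automatic versus when an analyst has to act after an hour-long queue, which is the difference the paragraph above is drawing.

```python
import os
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). One line per file operation
# from a hypothetical sensor; field names and paths are assumptions.
SAMPLE_EVENTS = """\
2020-01-14T09:00:00 pid=4120 proc=winword.exe action=write path=C:/Users/a/report.docx
2020-01-14T09:00:05 pid=4120 proc=winword.exe action=write path=C:/Users/a/report.docx
2020-01-14T09:01:00 pid=7731 proc=svc_update.exe action=rename path=C:/Users/a/q1.xlsx new=C:/Users/a/q1.xlsx.locked
2020-01-14T09:01:01 pid=7731 proc=svc_update.exe action=rename path=C:/Users/a/q2.xlsx new=C:/Users/a/q2.xlsx.locked
2020-01-14T09:01:01 pid=7731 proc=svc_update.exe action=rename path=C:/Users/a/notes.txt new=C:/Users/a/notes.txt.locked
2020-01-14T09:01:02 pid=7731 proc=svc_update.exe action=rename path=C:/Users/a/plan.pptx new=C:/Users/a/plan.pptx.locked
2020-01-14T09:01:02 pid=7731 proc=svc_update.exe action=rename path=C:/Users/a/budget.xlsx new=C:/Users/a/budget.xlsx.locked
2020-01-14T09:01:03 pid=7731 proc=svc_update.exe action=rename path=C:/Users/a/photo.jpg new=C:/Users/a/photo.jpg.locked
2020-01-14T09:05:00 pid=2201 proc=backup.exe action=write path=D:/backup/2020-01-14.bak
"""

WINDOW = timedelta(seconds=10)  # sliding window evaluated per process
THRESHOLD = 5                   # distinct files re-extensioned inside the window

LINE_RE = re.compile(
    r"^(\S+) pid=(\d+) proc=(\S+) action=(\S+) path=(\S+)(?: new=(\S+))?$")


def parse_event(line):
    """Parse one sensor line into a dict, or return None for malformed input."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, pid, proc, action, path, new = m.groups()
    return {"ts": datetime.fromisoformat(ts), "pid": int(pid), "proc": proc,
            "action": action, "path": path, "new": new}


def extension_changed(ev):
    """A rename that swaps a document's extension for a new one is the
    pattern bulk encryption leaves behind; ordinary writes are not counted."""
    if ev["action"] != "rename" or ev["new"] is None:
        return False
    return os.path.splitext(ev["new"])[1] != os.path.splitext(ev["path"])[1]


def detect_and_contain(lines):
    """Stream events in order and return a containment decision the moment
    the rule fires (or None). Returning immediately models automated
    containment with no analyst in the loop."""
    recent = defaultdict(deque)  # pid -> deque of (timestamp, path) in WINDOW
    for line in lines.splitlines():
        ev = parse_event(line)
        if ev is None or not extension_changed(ev):
            continue
        q = recent[ev["pid"]]
        q.append((ev["ts"], ev["path"]))
        while q and ev["ts"] - q[0][0] > WINDOW:  # expire old entries
            q.popleft()
        distinct = {path for _, path in q}
        if len(distinct) >= THRESHOLD:
            return {
                "pid": ev["pid"],
                "proc": ev["proc"],
                "files_touched": len(distinct),
                "first_event": q[0][0],
                "detected_at": ev["ts"],
                "actions": ["kill_process", "isolate_host"],
            }
    return None


def containment_delays(decision, manual_response=timedelta(hours=1)):
    """Seconds between the first suspicious event and containment when the
    rule acts on its own versus when an analyst acts after a one-hour queue."""
    automated = decision["detected_at"] - decision["first_event"]
    return {"automated_seconds": automated.total_seconds(),
            "manual_seconds": (automated + manual_response).total_seconds()}


if __name__ == "__main__":
    verdict = detect_and_contain(SAMPLE_EVENTS)
    print(verdict)
    print(containment_delays(verdict))
```

On the constructed events the rule fires two seconds after the first rename, while the same detection handed to a manual queue leaves the process running for over an hour. The threshold and window are deliberately simple; a production rule would also weigh file entropy, canary files and the process's parentage, but the timing lesson is the same.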