By: Scott Williamson, VP of Information Services
We’ve just lived through two of the most challenging years most of us can remember, working to keep businesses running through political upheaval, dramatic market shifts, near-biblical weather events and an on-again, off-again pandemic. Most sectors have been impacted, some heavily. Even if you’re fortunate enough to be in an industry left relatively unscarred, there’s every chance you’ve seen longer hours and more anxiety than back in the carefree days of 2019.
If you’re still here, in business, reading this blog and moving forward, give yourself a pat on the back: you’re the embodiment of the American go-get-’em frontier spirit.
Hybrid Raises Security Issues
Now, let’s consider how things have changed. Most businesses shifted dramatically during the pandemic, with working from home a key theme. As restrictions have been relaxed and the rhythms of business have started to pick up again, few are returning to the employment models in use before the first lockdowns. Some are still operating entirely remotely, while many have adopted a hybrid model, working some days in the office and some remotely.
This raises serious issues in terms of endpoint security. In the new hybrid world, vast numbers of workers are accessing company networks from home, friends’ homes, hotels, coffee shops and assorted public Wi-Fi networks. In 2022, we all need a security strategy fit to protect workers, their tools and corporate digital assets – all day, every day.
How Far Can You See?
Visibility is key. For every one of your users now sitting outside corporate firewalls, you need to know precisely what their machine is connecting to and talking to, and exactly what actions it’s taking. More importantly, you need to be able to take action immediately when attacks are detected, regardless of where your users are located.
Signature-based solutions are no help here, and you need a deeper view of behavior than inspection of executed files can offer. Plus, it needs to be real-time. You need to be able to manage behaviors, actions and connections, for every user, around the clock. Anything less leaves you just waiting for an attack to happen as a bad actor takes advantage of any one of those unprotected endpoints out there.
This requires deep visibility into, and the right information from, every endpoint. You also need the ability and the resources to interpret that information at whatever point in time an event arises – middle of the night, weekends, vacations, whenever.
To achieve deep visibility, two things are key. You need the right tools to gather the necessary information from each endpoint, and the right people – expert human analysts – to choose the right course of action when abnormalities are detected.
The Right Tools
SentryMDR from Cerberus Sentinel is a lightweight agent which runs on each endpoint. Not dependent on connectivity to your network, or even the internet, it collects behavioral data and stops attacks in real time, providing 24/7 protection irrespective of the endpoint’s location and connection.
When SentryMDR spots something out of the ordinary, it sends an alert to the U.S.-based Cerberus Sentinel Security Operations Center (SOC) where enterprise security tools analyze it, giving us immediate, clear understanding of and context for the alert. Then, if further steps need to be taken, our security analysts can step in.
The Right People
SentryMDR presents the alert to our certified SOC analysts along with the context and supporting information they need to fully understand it and decide on the right course of action.
This is the killer combination for endpoint protection, accelerating remediation from hours or days to minutes or even seconds. The alerting process is the point at which many endpoint protection solutions fall short (or, frankly, fail dismally). In contrast, this is where SentryMDR really shines.
Alerts are something of a double-edged sword. Endpoint protection solutions generally raise a lot of alerts, and it’s likely your in-house team will be uncertain how to handle many of them. Over time, this can result in “alert fatigue”, with alerts being increasingly ignored or glossed over. This is every bit as dangerous as it sounds.
Comparing Endpoint Management Solutions
This is where the right toolkit and overall solution is essential. Whether you are considering Endpoint Detection and Response (EDR), Managed Detection and Response (MDR), or antivirus (AV), managing endpoint protection solutions goes beyond simple management of the agent. How you handle the information the agent sends you is just as important.
Effective endpoint protection management means assessing incoming alert information, determining whether each alarm is genuine or a false positive, and deciding whether or not to create an exclusion. The fact that an alert has come in doesn’t mean there is actually malicious activity going on, and only a trained, experienced analyst can make the call one way or the other. Again, this requires the right solution, one that connects your endpoints with a securely located SOC that is staffed 100% by trained experts, around the clock. You’re not going to get that from an out-of-the-box solution, so your teams are going to be left sorting through a noisy alerting system, at risk of either missing an important alert or being pulled away from all the other areas of your environment that also need to be monitored.
Consider a scenario. Attackers have covertly acquired login credentials for one of your users and launched a legitimate business process as part of their attack. The process is approved under your company policies, but the intent is all wrong. Attacks like this, with the attacker masquerading as a legitimate user and using legitimate tools, are notoriously difficult to detect – and they’re becoming increasingly common.
Such attacks can only be detected by solutions that support active hunting for this kind of threat in a SOC, and by analysts with full visibility, experience with the tools, and deep cybersecurity knowledge. By actively searching activity logs with powerful, automated toolsets in the SOC, and drawing on advanced security data, experts can uncover even new and emerging attacks that can only be identified by looking for the right patterns. When your solution is backed by a SOC, analysts have access to information about what is trending in other companies’ environments, prompting them to also check your environment for signs of the new attack.
Threat hunting and prompt intervention like this enables your teams to continue working as normal, where otherwise you could have had a serious, company-wide incident on your hands.
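To make the two ideas above concrete, here is an added example that is not Cerberus Sentinel’s code and does not reflect how SentryMDR works internally. It sketches the triage step described earlier (is the alert genuine, a false positive, or something an analyst has already approved as an exclusion?) and the stolen-credentials scenario: an approved business tool launched under a real user’s account, but from a host, at an hour and from a parent process that user has never been seen with. All event fields, hostnames, process names, the baseline window and the exclusion list are constructed for illustration.

```python
"""
Behavioral triage over constructed endpoint process-launch telemetry.

Added example (not Cerberus Sentinel's code or SentryMDR's logic). Event
fields, the baseline history and the analyst-approved exclusions are
hypothetical and constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: str        # ISO-8601 timestamp (constructed)
    user: str
    host: str
    process: str   # image name of the launched process
    parent: str    # image name of the parent process


# Constructed two-week history: what "normal" looks like for each account.
BASELINE = [
    Event("2022-03-01T09:12:00", "alice", "LT-ALICE", "payroll_export.exe", "explorer.exe"),
    Event("2022-03-02T10:03:00", "alice", "LT-ALICE", "payroll_export.exe", "explorer.exe"),
    Event("2022-03-03T09:48:00", "alice", "LT-ALICE", "payroll_export.exe", "explorer.exe"),
    Event("2022-03-01T08:30:00", "bob", "LT-BOB", "outlook.exe", "explorer.exe"),
    Event("2022-03-02T08:31:00", "bob", "LT-BOB", "outlook.exe", "explorer.exe"),
    Event("2022-03-01T02:00:00", "svc_backup", "FS01", "backup_agent.exe", "services.exe"),
]

# Analyst-approved exclusions: patterns already triaged as benign, so they
# never reach the queue again (the "whether or not to create an exclusion" call).
EXCLUSIONS = [
    {"user": "svc_backup", "process": "backup_agent.exe", "parent": "services.exe"},
]

# Constructed events to triage. The third is the scenario from the post:
# alice's credentials used to run an approved tool, but from an unfamiliar
# host, at 03:00, spawned from a command shell rather than the desktop.
INCOMING = [
    Event("2022-03-15T09:20:00", "alice", "LT-ALICE", "payroll_export.exe", "explorer.exe"),
    Event("2022-03-15T02:00:00", "svc_backup", "FS01", "backup_agent.exe", "services.exe"),
    Event("2022-03-16T03:07:00", "alice", "WS-KIOSK7", "payroll_export.exe", "cmd.exe"),
]


def build_baseline(history):
    """Per-user summary of hosts, processes, (process, parent) pairs and launch hours."""
    profile = defaultdict(lambda: {"hosts": set(), "procs": set(), "parents": set(), "hours": set()})
    for e in history:
        p = profile[e.user]
        p["hosts"].add(e.host)
        p["procs"].add(e.process)
        p["parents"].add((e.process, e.parent))
        p["hours"].add(int(e.ts[11:13]))
    return profile


def matches_exclusion(e, exclusions=EXCLUSIONS):
    """True if every field of some exclusion matches the event."""
    return any(all(getattr(e, k) == v for k, v in x.items()) for x in exclusions)


def anomalies(e, profile):
    """List the ways this event departs from the user's own baseline."""
    p = profile.get(e.user)          # .get() does not create a profile for unknown users
    if p is None:
        return ["user has no baseline"]
    hour = int(e.ts[11:13])
    reasons = []
    if e.host not in p["hosts"]:
        reasons.append(f"new host {e.host}")
    if e.process not in p["procs"]:
        reasons.append(f"new process {e.process}")
    elif (e.process, e.parent) not in p["parents"]:
        reasons.append(f"unusual parent {e.parent} for {e.process}")
    # Outside every hour seen in the baseline, allowing one hour of slack either side.
    if not any(abs(hour - h) <= 1 for h in p["hours"]):
        reasons.append(f"unusual hour {hour:02d}:00")
    return reasons


def triage(events, history=BASELINE):
    """Classify each event as 'excluded', 'normal', 'note' or 'escalate', with reasons."""
    profile = build_baseline(history)
    verdicts = []
    for e in events:
        if matches_exclusion(e):
            verdicts.append((e, "excluded", []))
            continue
        reasons = anomalies(e, profile)
        # A single deviation is logged for hunting; several together go to an analyst.
        verdict = "escalate" if len(reasons) >= 2 else ("note" if reasons else "normal")
        verdicts.append((e, verdict, reasons))
    return verdicts


if __name__ == "__main__":
    for e, verdict, reasons in triage(INCOMING):
        print(f"{e.ts} {e.user:<10} {e.process:<20} {verdict:<9} {'; '.join(reasons)}")
```

Run as a script, the first event is normal behavior for alice, the backup job is suppressed by the exclusion, and the third event is escalated with three reasons (new host, unusual parent, unusual hour) even though the process itself is approved. The escalation threshold and the one-hour slack are the tuning knobs that trade alert volume against the risk of missing something; the point of routing "note" events to hunting rather than the alert queue is exactly the alert-fatigue problem described above.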
The Cerberus Approach
At Cerberus we conduct proactive hunting for MDR clients by retaining logs and records for review. When we see a new compromise, we can review this historical data to identify any customers at risk, and proactively hunt for threats to them, before any long-term damage is done.
Once we have identified a threat, we can neutralize it right away, before it is even sent to an analyst, in several ways:
- Kill the process
- Quarantine the file
- Remediate, reversing changes made by the threat
- Roll the system back to a known good state
- Isolate the endpoint on your network
The Way Forward
As you consider how you will mitigate the new endpoint risks arising from dramatically increased remote and hybrid working, take into account that tools alone aren’t enough. To protect your endpoints effectively in today’s environment, you need deep visibility, telemetry, and expert investigative capabilities. That means the right tools, backed by a SOC staffed 24/7/365 by experienced, certified analysts.
The time to make that realization is now – not at 3 a.m. one weekend when a call comes through to tell you your company network has been compromised and your digital assets stolen in a covert attack.
Contact us to discuss your security needs and discover more about how Cerberus Sentinel can help you strengthen your security posture to address the realities of today’s world.