Data has historically been confined to the computing devices that accessed it within the enterprise campus perimeter. The traditional network endpoint was limited to desktop PCs, laptop computers and most server components attached to the organization's network.
In recent years, a dramatic increase in mobile devices has broadened the endpoint definition. Mobile devices require access to a company’s data anytime and from anywhere. With the addition of always-connected, sensor-powered Internet of Things (IoT) devices, the range of endpoints can now include everything from IP cameras to smart vending machines to biomedical devices.
The original definition still holds true today; however, the presence of more sophisticated devices requesting an IP address from the network, often without a user interface, also suggests that the approach to endpoint defense must change. Bidirectional communication means the endpoint can be an entry point into a network or application. What does the device need to communicate with? Does it require internet connectivity? Does a device with an embedded OS provide some form of protection?
“The explosion of connected devices also requires re-thinking the protection mechanisms to apply to those endpoints,” says Kayne McGladrey, Director of Security and IT, Pensar Development. “Similarly, the widespread adoption of cloud-based services means that there’s no single network to protect.”
Science fiction writer Gene Wolfe wrote in The Urth of the New Sun, “The best offense is a good defense, but a bad defense is offensive.” Avoid offending executives and end-users alike by developing endpoint defense tactics. We asked security leader Kayne McGladrey to give us three insights that every organization should consider in an effective endpoint defense.
- Have an inventory of every endpoint. Deploying both an active and a passive IT asset management system is something that’s stymied most organizations for years, despite being one of the Critical Security Controls defined by the Center for Internet Security. An organization cannot defend what it cannot see.
- Patch all the endpoints that support patching. This mitigates the common vulnerabilities. Get rid of devices that cannot be patched. If they are business critical and cannot be patched, segment them on the network.
- Segment network endpoints by the sensitivity of the data collected, processed, and/or stored by those endpoints. In practice, this means that the IoT sensors for an organization's HVAC should be on a different logical network segment than the mobile phones. With this segmentation, a breach of a device on one network segment makes it incrementally harder for a threat actor to move laterally into a different type of device.
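The three insights above are easier to act on when they are turned into checks that run against the asset inventory. The following script is an added example, not code from the article or from Pensar Development: it reconciles an active inventory against passive discovery (devices seen on the wire but never recorded), assigns each device a patch/retire/segment action by the rule in the second point, and flags endpoints whose address falls outside the segment assigned to their sensitivity tier. All device records, MAC addresses, subnets and tier names are constructed sample data, and the tier-to-subnet policy is an assumed convention.

```python
"""
Added example (not from the original article or from Pensar Development).
Reconciles an active asset inventory with passive discovery, derives patch
actions, and checks segment placement by data sensitivity.
All records below are constructed sample data.
"""
from dataclasses import dataclass
import ipaddress

# Assumed policy: each sensitivity tier is expected to live on one subnet (constructed).
SEGMENT_POLICY = {
    "public": ipaddress.ip_network("10.10.0.0/24"),      # e.g. HVAC sensors, vending machines
    "internal": ipaddress.ip_network("10.20.0.0/24"),    # e.g. staff phones and laptops
    "restricted": ipaddress.ip_network("10.30.0.0/24"),  # e.g. biomedical devices
}


@dataclass
class Endpoint:
    mac: str
    ip: str
    kind: str
    sensitivity: str       # one of the SEGMENT_POLICY keys
    patchable: bool
    business_critical: bool


# Active inventory (constructed): what the asset management system recorded.
ACTIVE = [
    Endpoint("aa:bb:cc:00:00:01", "10.10.0.5", "hvac-sensor", "public", False, True),
    Endpoint("aa:bb:cc:00:00:02", "10.20.0.9", "laptop", "internal", True, False),
    Endpoint("aa:bb:cc:00:00:03", "10.20.0.44", "infusion-pump", "restricted", False, True),
    Endpoint("aa:bb:cc:00:00:04", "10.10.0.7", "vending-machine", "public", False, False),
]

# Passive discovery (constructed): MACs observed in DHCP leases and switch ARP tables.
PASSIVE_MACS = {
    "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02",
    "aa:bb:cc:00:00:03", "aa:bb:cc:00:00:99",
}


def unknown_endpoints(active, passive_macs):
    """Devices seen on the network that the active inventory has never recorded."""
    known = {e.mac for e in active}
    return sorted(passive_macs - known)


def patch_actions(active):
    """Patch what supports patching; retire what cannot; segment critical unpatchables."""
    actions = {}
    for e in active:
        if e.patchable:
            actions[e.mac] = "patch"
        elif e.business_critical:
            actions[e.mac] = "segment"
        else:
            actions[e.mac] = "retire"
    return actions


def segment_violations(active, policy):
    """Endpoints whose address lies outside the subnet assigned to their sensitivity tier."""
    violations = []
    for e in active:
        expected = policy[e.sensitivity]
        if ipaddress.ip_address(e.ip) not in expected:
            violations.append((e.mac, e.kind, e.ip, str(expected)))
    return violations


if __name__ == "__main__":
    print("Unrecorded devices on the wire:", unknown_endpoints(ACTIVE, PASSIVE_MACS))
    print("Patch actions:", patch_actions(ACTIVE))
    print("Segment violations:", segment_violations(ACTIVE, SEGMENT_POLICY))
```

In the sample data the infusion pump is recorded as restricted but sits on the internal subnet next to the laptops, which is exactly the placement the third insight warns against; the unrecorded MAC is the "cannot defend what it cannot see" case from the first insight.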
The changing threat landscape and the growing sophistication of cyber-attacks require that organizations assess their endpoint defense strategies on a regular basis. The security leaders we spoke with converged on an annual review as an adequate timeframe to learn from any events or assessments and identify potential gaps, with the frequency varying by the size and objectives of the organization. One CISO suggested that an ongoing assessment as part of a continuous monitoring program reduces the risk of a strategy assessment falling out of cycle with the needs of the organization. Another CISO observed that large, centrally managed organizations need to resist the urge to change frequently.
Read more of the insight from Kayne and other security leaders in our Cutting-Edge Defense Tactics For Network Endpoints market report.