In the course of doing business today, more devices—and more different types of devices—connect to enterprise networks than at any time in computing history. Where once connecting to a business network required an IT person to drag out the Ethernet cable and do a bunch of configuration, now the least tech-savvy among us don’t think twice about logging on to business networks from their phones or tablets. This convenience is a driving force behind how the business landscape functions—but there’s a downside. The more devices that connect to business networks, the more easily attackers can use these network endpoints to infiltrate otherwise hardened, secure networks.
Over the past few years, the industry has been learning to address the security concerns that have arisen alongside the rapid uptick in the number of endpoints connecting to enterprise networks. The area of endpoint detection and response is a rapidly growing segment of the security market. Being aware of the following recent developments in the area will position solution providers, and their clients, to more effectively take on rapidly proliferating cybersecurity threats—stopping them at their most common point of entry.
Endpoint Health Monitoring and SIEM
Enterprise networks can consist of a tremendous number of computers in-house and even more devices that connect from outside. Just one device or computer behaving anomalously can be a tip-off to IT security staff that the network has been infiltrated, but with so much traffic, it’s difficult to log it all, let alone sort through it.
Endpoint health monitoring solutions and SIEM (security information and event management) solutions are at the forefront of endpoint traffic monitoring. The best of these tools let IT staff view the information gathered from numerous network and device monitoring logs consolidated in one place, and also parse that information in a way that gives security administrators meaningful intelligence to act on. Alerts about anomalous device behavior, visual representations of data, and multiple ways to slice the network’s usage statistics position an IT department to do better detective work on each node accessing the network—to see what’s going wrong and why.
Endpoint Detection on the Hardware Level
Even in a world where virtualization and cloud-based solutions in which the user never sees a piece of hardware are becoming the norm, sometimes it works to a business’s advantage to have a discrete, physical box that performs a specific task. Hardware-based security solutions that gather endpoint traffic information and store it in a locked-down environment removed from potential infiltration are hitting the market. Such pieces of hardware could become a valuable resource in endpoint security.
There’s more to endpoint security than just being able to detect anomalous traffic or strange behavior at a network’s endpoint. A fast response is critical to thwarting a threat or minimizing damage. If it takes IT staff days, or even hours, to address a threat and lock a device down, it leaves open the possibility of the threat making its way deeper into the network.
The problem that then arises is that humans end up being a weak link in the security chain. Monitoring systems can watch endpoint traffic, but if it is always necessary for a person to be available to act when something strange occurs, that can lead to dangerous gaps in
Because of this, researchers have begun developing endpoint monitoring solutions that use tiers of machine learning to act on anomalous traffic. Rather than merely alerting IT staff to the presence of a threat, such systems use internal verification and outside data to automatically determine whether the anomalous behavior represents a real threat. The solution can then cordon off that portion of the network, or cut off that particular node, so that nothing is damaged before the IT staff can investigate and take further action.
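As an added illustration (not from the original article or any vendor product), here is a toy version of such a tiered pipeline in Python: consolidated endpoint events are checked against a per-host baseline (internal verification) and an imported indicator list (outside data); a single signal only raises an alert, while corroboration from both sources triggers automatic isolation. The event lines, the baseline and the indicator list are all constructed for the example.

```python
# Added example (not from the article): a miniature tiered endpoint-response
# pipeline. Events, baseline and indicator list are constructed, not real.
import json
from collections import defaultdict

# Constructed endpoint-agent events, as a SIEM would hold them in one stream.
EVENTS = """
{"host":"ws-01","type":"process","name":"outlook.exe","parent":"explorer.exe"}
{"host":"ws-01","type":"netconn","dest":"mail.example.test"}
{"host":"ws-02","type":"process","name":"powershell.exe","parent":"winword.exe"}
{"host":"ws-02","type":"netconn","dest":"update.bad-domain.test"}
{"host":"ws-03","type":"process","name":"powershell.exe","parent":"winword.exe"}
{"host":"ws-03","type":"netconn","dest":"mail.example.test"}
""".strip().splitlines()

# Constructed baseline of expected parent->child process relationships
# (internal verification) and a constructed indicator list standing in for
# the "outside data" an analyst would import from a threat-intelligence feed.
BASELINE_PARENTS = {"outlook.exe": {"explorer.exe"},
                    "powershell.exe": {"explorer.exe", "cmd.exe"}}
KNOWN_BAD_DESTS = {"update.bad-domain.test"}

def score_host(events):
    """Return (internal_anomalies, external_hits) for one host's events."""
    internal, external = [], []
    for e in events:
        if e["type"] == "process":
            allowed = BASELINE_PARENTS.get(e["name"])
            if allowed is not None and e["parent"] not in allowed:
                internal.append(f'{e["parent"]} spawned {e["name"]}')
        elif e["type"] == "netconn" and e["dest"] in KNOWN_BAD_DESTS:
            external.append(f'connection to {e["dest"]}')
    return internal, external

def decide(lines):
    """Tier 1: one signal -> alert. Tier 2: corroborated -> isolate the node."""
    per_host = defaultdict(list)
    for line in lines:
        ev = json.loads(line)
        per_host[ev["host"]].append(ev)
    actions = {}
    for host, evs in per_host.items():
        internal, external = score_host(evs)
        if internal and external:
            actions[host] = ("isolate", internal + external)
        elif internal or external:
            actions[host] = ("alert", internal + external)
        else:
            actions[host] = ("none", [])
    return actions

if __name__ == "__main__":
    for host, (action, reasons) in decide(EVENTS).items():
        print(host, action, reasons)
```

In a real deployment the "isolate" action would call the EDR platform's host-containment API and the baseline would be learned from historical telemetry rather than written by hand.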
What new endpoint detection and response solutions have you seen working most successfully?