Endpoint and Application Security vs The Soft Gooey Middle
Soft, Gooey, What?!
Still no Silver Bullet…
In this article we are going to distinguish between the various layers of a defense-in-depth strategy. If you have read our prior posts, you know security is not a single thing and there is no magic silver bullet; good security is a combination of layers of defense. Here is the problem with the traditional approach: most of the emphasis has been placed on the corporate network, with its firewalls, intrusion detection, content filters, hard-wired ethernet connections, and encrypted corporate wifi. Meanwhile there has been a paradigm shift toward mobility, and that leaves our endpoint devices and applications, which increasingly live outside that network, at a disadvantage.
Safety outside the castle
Access is needed outside the high castle (corporate) walls where the commoners gather: places like Starbucks or the now ubiquitous home office. These external locations rarely offer the security controls of the traditional workplace network. So, what is “soft and gooey”? The truth is that even the corporate network is not as secure as we would like to believe. Yes, it is more secure, but with the ever-increasing volume of email phishing, zero-day exploits, and other threats, the constant cat-and-mouse game of securing the network perimeter is often a losing battle. We still need to address those areas, but more is needed. Because of the trend to cut the corporate tether and take advantage of mobility, the current best defense strategy is to treat the corporate network itself as an untrusted zone and build security around the endpoint (more and more often a laptop, smartphone, or tablet these days) and around the application itself.
Endpoint Protection
Not your average antivirus
Endpoint protection is too often reduced to signature-based antivirus. The flaw is that these products are ineffective against new threats that have not yet been cataloged by the vendor and pushed out as signature updates. Threats also evolve into variants that the signature engine does not recognize, leaving your device open to attack. Installing operating system updates helps, but patches only close vulnerabilities that are already known; they offer no protection against unknown ones.
More needs to be done. “Next generation” antivirus products build on the traditional approach with behavior monitoring and machine learning. These products not only block known, cataloged threats but can detect unknown ones by watching what the applications on your device actually do: heuristics establish a baseline of “normal” behavior and shut down activity when a process misbehaves (for example, a word processor launching a hidden, encoded PowerShell session). The trade-off is false positives, so these tools need tuning and a way to approve legitimate but unusual behavior, and a determined attacker will still try to blend in with normal activity.
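To make the baseline-and-deviation idea concrete, here is an added example (written for this article, not code from any vendor's product) that learns which parent-to-child process pairs occur during an assumed-clean baseline window and then assesses live process-creation events against that baseline plus a few command-line heuristics. The log format, the process names and every event below are constructed for the example.

```python
"""Behaviour-based endpoint detection, reduced to its essentials (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Command-line fragments typical of living-off-the-land abuse (constructed list).
SUSPICIOUS_TOKENS = ("-encodedcommand", "-enc ", "downloadstring", "invoke-expression", " iex ")


@dataclass(frozen=True)
class ProcEvent:
    parent: str
    child: str
    cmdline: str


def parse_event(line: str) -> ProcEvent:
    """Parse the constructed 'parent=<exe> child=<exe> cmd=<command line>' format."""
    fields = line.strip().split(" ", 2)
    kv = dict(f.split("=", 1) for f in fields)
    return ProcEvent(kv["parent"].lower(), kv["child"].lower(), kv["cmd"])


class BehaviourBaseline:
    def __init__(self) -> None:
        # parent executable -> set of children it was observed to spawn
        self.children: Dict[str, Set[str]] = defaultdict(set)

    def learn(self, lines: List[str]) -> None:
        """Record every parent->child pair seen in the (assumed clean) baseline window."""
        for line in lines:
            ev = parse_event(line)
            self.children[ev.parent].add(ev.child)

    def assess(self, line: str) -> Tuple[str, List[str]]:
        """Return ('allow' | 'alert' | 'block', reasons) for one live event.

        A never-seen parent->child pair is worth an alert; a command line carrying
        a known-abuse token is blocked outright regardless of the pair.
        """
        ev = parse_event(line)
        reasons: List[str] = []
        if ev.child not in self.children.get(ev.parent, set()):
            reasons.append(f"{ev.parent} never spawned {ev.child} during baseline")
        lowered = ev.cmdline.lower()
        hits = [t.strip() for t in SUSPICIOUS_TOKENS if t in lowered]
        if hits:
            reasons.append("suspicious command line: " + ", ".join(hits))
            return "block", reasons
        return ("alert" if reasons else "allow"), reasons


def triage(baseline: List[str], live: List[str]) -> List[Tuple[str, str]]:
    """Learn from `baseline`, then return (action, child) for every live event not allowed."""
    model = BehaviourBaseline()
    model.learn(baseline)
    flagged = []
    for line in live:
        action, _ = model.assess(line)
        if action != "allow":
            flagged.append((action, parse_event(line).child))
    return flagged


# Constructed sample data: a quiet baseline window, then a live window containing
# a macro-style Word -> PowerShell launch and a harmless but unseen Notepad launch.
BASELINE_LOG = [
    "parent=explorer.exe child=outlook.exe cmd=outlook.exe",
    "parent=explorer.exe child=chrome.exe cmd=chrome.exe --profile-directory=Default",
    "parent=outlook.exe child=winword.exe cmd=winword.exe /n invoice.docx",
    "parent=services.exe child=svchost.exe cmd=svchost.exe -k netsvcs",
]
LIVE_LOG = [
    "parent=explorer.exe child=chrome.exe cmd=chrome.exe --profile-directory=Default",
    "parent=winword.exe child=powershell.exe cmd=powershell.exe -nop -w hidden -enc SQBFAFgA",
    "parent=services.exe child=svchost.exe cmd=svchost.exe -k netsvcs",
    "parent=explorer.exe child=notepad.exe cmd=notepad.exe",
]

if __name__ == "__main__":
    for action, child in triage(BASELINE_LOG, LIVE_LOG):
        print(action, child)
```

Real products score many more signals (file writes, registry changes, network connections) and persist the baseline across reboots, but the shape is the same: the learned model supplies the “normal”, and only the deviation plus a small set of high-confidence heuristics decides whether to alert or block.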
Even more is needed
An additional capability is moving content filtering from the corporate firewall to the endpoint itself. This can be done with very little overhead because the filtering takes place at the DNS level: the endpoint agent sends its DNS queries to resolvers hosted by the security vendor, which refuse to resolve (or sinkhole) known malicious and policy-blocked domains wherever the device happens to be. The caveat is that DNS filtering only works if the device cannot bypass the vendor's resolvers, so the agent needs to pin DNS to them and block alternate resolvers, including browser-level DNS-over-HTTPS. This is a valuable security measure when developing a mobility-first strategy.
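The decision a filtering resolver makes for each query is simple to state but has edge cases (case, trailing dots, internationalised names, subdomains of a blocked domain, an allowlisted host inside a blocked domain). The following added example, written for this article and not taken from any vendor's resolver, shows that policy logic on its own: normalise the queried name, walk its suffixes from most specific to least, let an allowlist entry override a block at the same or a more specific level, and return a sinkhole address for blocked names. The domain lists and categories are constructed.

```python
"""Endpoint DNS policy check (added example, not from the article)."""
from dataclasses import dataclass
from typing import Dict, Iterator, Optional, Set

SINKHOLE = "0.0.0.0"  # address returned for blocked names instead of the real one


@dataclass
class Decision:
    name: str                      # normalised query name
    action: str                    # "allow" or "block"
    category: Optional[str] = None # blocklist category, when blocked
    matched: Optional[str] = None  # list entry that decided the outcome


class DnsPolicy:
    def __init__(self, blocklist: Dict[str, str], allowlist: Set[str]) -> None:
        # blocklist: domain or hostname -> category; allowlist: exceptions
        self.blocklist = {self.normalise(k): v for k, v in blocklist.items()}
        self.allowlist = {self.normalise(a) for a in allowlist}

    @staticmethod
    def normalise(name: str) -> str:
        """DNS names are case-insensitive and may carry a trailing dot;
        internationalised names are compared in their punycode (A-label) form."""
        name = name.strip().rstrip(".").lower()
        return name.encode("idna").decode("ascii")

    @staticmethod
    def suffixes(name: str) -> Iterator[str]:
        """'a.b.example.com' -> a.b.example.com, b.example.com, example.com, com"""
        labels = name.split(".")
        for i in range(len(labels)):
            yield ".".join(labels[i:])

    def decide(self, qname: str) -> Decision:
        """Most specific list entry wins; at equal specificity the allowlist wins."""
        name = self.normalise(qname)
        for suffix in self.suffixes(name):
            if suffix in self.allowlist:
                return Decision(name, "allow", matched=suffix)
            if suffix in self.blocklist:
                return Decision(name, "block", self.blocklist[suffix], suffix)
        return Decision(name, "allow")

    def answer(self, qname: str) -> Optional[str]:
        """Sinkhole address for blocked names; None means resolve normally."""
        return SINKHOLE if self.decide(qname).action == "block" else None


# Constructed policy: two blocked zones, one blocked host, one allowlisted exception.
POLICY = DnsPolicy(
    blocklist={"evil.example": "malware", "ads.example.net": "ads", "example.org": "gambling"},
    allowlist={"safe.evil.example"},
)

if __name__ == "__main__":
    for q in ("www.evil.example", "deep.safe.evil.example", "EXAMPLE.ORG.", "example.net"):
        d = POLICY.decide(q)
        print(q, "->", d.action, d.category or "", d.matched or "")
```

In a real deployment the blocklist is the vendor's threat feed plus the organisation's category policy, and the `answer` step sits inside the resolver the agent pins the device to; the bypass caveat above is exactly the case where this logic never gets to run.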
Who has not seen a VPN commercial these days?! There seems to be an endless number of companies selling virtual private network technology. For a business, a VPN extends the corporate network for secure access to on-premise and/or cloud-hosted applications. A VPN can also be used to encrypt all Internet traffic from an endpoint connected to an unsafe or open wireless network (like Starbucks), which protects the traffic as far as the VPN exit point; beyond that point you are still relying on the application's own encryption (HTTPS).
Further, endpoint cloud backup is desirable when critical data lives on a laptop and is not saved regularly to servers. This is increasingly common as we rely less on servers and move our data to cloud storage.
Application Protection
C squared = B + HS = I V
Reading a bit like a Phil Mickelson formula to defeat Tiger Woods, the alphabet soup of IT security can be equally intimidating: we get something like HTTPS+VPN+2FA-MITM = GTG. Much like securing endpoints in untrusted environments, applications can be protected from unauthorized access. Two-factor authentication (2FA) combined with forcing an encrypted connection is the common approach these days. You will notice most web sites you visit now use https instead of http. The former runs over TLS, while the latter sends everything in the clear and is open to eavesdropping and “man-in-the-middle” (MitM) attacks. Essentially, an attacker on the same network can read user passwords and other data sent back and forth over an unencrypted connection, while doing the same over HTTPS is much harder (it requires defeating certificate validation, which is why a browser certificate warning should never be clicked through). Two-factor authentication adds a second proof of identity, typically a one-time code from an authenticator app or hardware token, so a phished or reused password is not enough on its own. Cloud-hosted applications can also use software firewalls to provide many of the same controls traditionally found on corporate hardware firewalls.
M365 to the rescue
Microsoft 365 is a good example of where application security can be enhanced. Mail between two parties who are both on the Microsoft-hosted platform never leaves Microsoft's infrastructure and is encrypted in transit; mail to external parties on other platforms is encrypted with TLS where the other side supports it, which is transport encryption rather than true end-to-end encryption (that requires something like S/MIME or message-level encryption). Further, anti-phishing filtering and cloud-to-cloud backup can be used to protect the documents and emails stored in M365. Microsoft Teams chat and voice/video calls are likewise encrypted in transit and at rest. There are real benefits to living within this ecosystem as much as possible, as the number of security products needed to protect communication and collaboration can be reduced. Less complexity also means greater security, since there are fewer configurations to get right; it also means the tenant's own configuration (admin accounts and their MFA in particular) becomes the thing that must be right. When combined with Microsoft Azure virtual server hosting, niche line-of-business applications and critical company workflows can also be moved into the same secured Microsoft environment.
So What, Now What?
Will legislation force all of our hands?
Responsibility is increasingly being placed on the Managed Services Provider (MSP) to enforce these security measures. For example, Louisiana Act 117 – Senate Bill 273 requires MSPs that manage infrastructure or end-user systems for “public bodies” to register with the state. Additionally, MSPs are now required to disclose cyber incidents to the state.
Similar legislation is expected to make its way to other states, and there will be increased top-down accountability between regulated organizations and their technology vendors. This means MSPs will have to keep upping their security game or be left behind. Managed service providers will also become more selective when choosing clients, to ensure a closer alignment of operational maturity levels (OML); otherwise there will be constant tension between the MSP's obligations and the organization's willingness to cooperate in improving security.
Follow the leader
The best approach is for a security-minded MSP to articulate the reasons behind each requirement and for the client to trust the advice of its technology partner and follow its lead. For those who refuse to take security seriously, MSPs may eventually be forced to document the client's opt-out with a formal letter advising of the dangers of not implementing the needed defenses. This will strain relationships where there is a mismatch of OML or where trust is lacking. What this means for all of us is that the cost of doing business will continue to rise, as more products and time are needed to implement these defenses. But the risk is too high to ignore the warnings, and being wrong about security can cost the business far more through downtime, stolen data, or fraudulent wire transfers. Be sure your organization has implemented the latest security tools and services by having a conversation with your trusted security advisor.