An old saying about endpoint security is that system administrators should give most of their attention to securing all the hosts (or endpoints) on their network. If all your hosts are secure, hostile traffic doesn’t matter, because the attacker won’t get anywhere.

This still holds true, to an extent: if all the endpoints in a corporate network are secured, the overall risk to the enterprise is substantially mitigated.

What has changed over the decades is the sheer number and diversity of endpoints.

And all endpoints have the potential to expose vulnerabilities.

The ever-growing number and variety of endpoints is feeding a burgeoning market for endpoint security products.

According to Fortune Business Insights, the market was worth US$12.9 billion in 2021, and will reach US$24.6 billion in 2028, growing at 8.3 percent annually during that period.

Those trying to exploit endpoints will always have the same fundamental aims: to give themselves persistent access – to see what that endpoint connects to – and to ‘land and expand’ – to find a path to a machine with administrative privileges, like a domain controller.

According to Peter Sandilands, CISO at Pickles Auctions, “All communications are directed to an endpoint, whether it’s email, web browsing, or file transfers. It all comes back to the endpoint as the entree into the organisation. And endpoints are such variable platforms, even before people start installing applications, utilities, or plug-ins.”

In a perfect world, Sandilands said, people would be able to follow the Australian Signals Directorate’s mandates about what is allowable on a desktop computer, providing them “absolute control over what can run on the desktop”.

For a warehouse worker printing packing slips and delivery dockets, application control can secure the endpoint.Things don’t work the same way for information workers, he said.

“The machine is their tool – they want it to work the way they work.”

EDR

Another characteristic common to much of the burgeoning world of the Internet of Things is that

the endpoint isn’t under the eye of an end user, so to protect those endpoints, you need to do so remotely, constantly, and as far as possible, automatically.

Those imperatives are what gave rise to the market segment called EDR – endpoint detection and response – which began gathering pace after 2017.

According to Rustam Malik, senior principal analyst at Gartner, EDR has steadily won over enterprises, and today, “the penetration rate of EDR is close to 45 percent” of enterprise environments.

Its success at securing endpoints is based on its ability to detect unusual behaviour based on events generated by endpoints, giving the enterprise a way to observe and respond to suspicious activity, and collect telemetry to help reduce a response time.

AI Driving Capabilities

EDR’s next evolution into XDR – extended detection and response – depends on the application of machine learning and artificial intelligence to threat detection and response.

Infosec has been an early adopter of AI, and according to Malik, years of investment has paid off.

“The use of AI, especially in attack detection and automated response, has proved its value. Today, large amounts of log data are generated from multiple solutions and stored in cloud data centres.

“AI-based security software correlates and analyses that data to find attack signals.”

Gartner now sees AI enhancing attack detection solutions, with features like automated scoring and decision playbooks.

“The scoring playbook helps in event triage by automating the decision on criticality of events by scoring each event. The decision playbooks consist of a library of playbooks that are published to the automation platform,” Malik said.

“This is required to automate identification of threats and measures to contain them.”

The goal is to reduce the mean time to detect (MTTD) and mean time to response (MTTR), to reduce both the number of false positives, and the reliance on security analysts and third-party managed services providers.

As a veteran of infosec, Sandilands has watched the development of the EDR market, noting that vendors that have survived long-term have done so by way of brand extension, with cloud capabilities and vulnerability assessments based on the machine learning first built for the EDR product.

“EDR still doesn’t stop everything," he warned.

For example, “most web interfaces these days are single-page JavaScript applications, you’ve got code running in the browser”, making it hard for EDR to reach.

Such considerations make Zero Trust architecture important, “because it brings a focus onto identity and access,” Sandilands said.

Zero Trust

The “verify, don’t trust” model – Zero Trust Architecture – is becoming increasingly pervasive across the whole security landscape.

Zero Trust simply means that merely logging into the enterprise network is no longer enough for a user or a device to be trusted by any particular resource.

In opening an application or accessing a resource, the user needs to present strong identity, and device compliance needs to be validated. At this point, the user or device is granted “least privilege access” – that is, they access resources with only enough privilege for the task at hand.

The attraction is simple: it minimises the impact when a user’s identity and password are breached.

According to Malik, “Zero Trust network access (ZTNA) is a rollout of Zero Trust, which has seen huge adoption in last few years triggered by the increase in remote workforces and adoption of cloud applications.”

Gartner predicts ZTNA alone to experience a 31 percent compound annual growth rate from 2022 to 2027.

“We’re seeing increasing traction from organisations interested in talking about zero trust,” Malik said.

“In the US, for example, the guidance to advance toward zero-trust architecture in the US Executive Order on Improving the Nation’s Cybersecurity, issued on 12 May 2021, has created a ripple effect among government organisations and private-sector federal contractors.”

As vendors move to satisfy enterprises’ appetite for Zero Trust solutions, however, they’re running into interoperability issues. As a result, it’s hard to get consistent end-to-end visibility, policy enforcement, and performance.

Another issue with the Zero Trust model is that many solutions are cloud-only, but many if not most companies still host applications on-premises, and need their own solutions. On-premises and cloud solutions need to be integrated, and they need to support the hybrid workforce.