Multi-vector EDR as our new defence
Hadi Jaafarawi, managing director – Middle East, Qualys, explains that as endpoints become our new perimeter, multi-vector EDR must become our new defence.
The threat landscape is nothing if not adaptable. Its ever-changing nature crops up early in every conversation between today’s security professionals across the Middle East. First it was, “Oh, it’s not just about anti-virus anymore.” And then we had, “Nowadays, it’s not a matter of ‘if’ but ‘when’.” And then on to the differences between cloud security and on-premises security. And everything in between.
Every one of these conversations shows the industry waking up to a new norm (because attackers have found ways around the defences of the previous norm). The current norm is one of ecosystems. Our corporate networks have evolved to the point that their endpoint devices are now their perimeters. So that is the next buzz phrase for conversation: “the endpoint is the new perimeter”.
Our work and personal lives are played out against a digital backdrop. Much of what we do has a digital component — we are woken by our smartphone, check news on a smart device, consult our calendar via another endpoint, consume content, order food, shop, chat, and on, and on, and on. And after you pause for a moment to consider how much more this is true of the COVID-19 age, ask yourself this: how happy must attackers be to see this burgeoning activity on devices that connect to monetizable information inside corporate networks?
The rise of the multi-vector attack
Endpoint detection and response will now have to evolve, because this expanded attack surface allows bad actors to mount multi-vector campaigns. That means they have a menu of options — or paths — they can take to achieve a breach. They might take advantage of naïve users through social engineering. They might exploit a software vulnerability. Or they may opt for brute-force attacks. In the multi-vector world, they will adopt a mixture of these options to increase the probability of a successful incursion. And every endpoint is a risk to the whole environment.
In multi-vector endpoint detection and response (EDR), we branch out from monitoring and protecting the devices themselves, because the endpoint is now just a small part of the risk profile for a network. Monitoring activity at just those surface nodes, in isolation from other readily available data, will lead to false positives (and negatives) and cause alert fatigue, suboptimal prioritisation of threats, and wasteful allocation of resources.
Without this new multi-vector approach, it will be much more difficult to automate detection and response functions and free up network admins and security professionals to perform more innovative tasks. And without the ability to scale up security postures to cope with more complex environments, those moving to hybrid working environments across the region — as is happening right now because of the pandemic crisis — will face thornier challenges than are strictly necessary.
The importance of visibility
So we need to be looking at a range of data points to gain a bird’s-eye view of the activity surrounding a suspect process, so that we can properly assess its level of risk. Detecting malware is all very well and good, but a comprehensive inventory of endpoints and their activity on the network, along with status information on application upgrades, authentication and authorised processes, can go further in assessing the level of risk posed by a given activity and in deciding whether to assign resources to address it.
Clear visibility is vital. Those entrusted with protecting digital estates must be able to see misconfigurations of security processes, anti-virus validation, exploitable vulnerabilities, and missing upgrades. They need to be armed with the information and tools that allow them to become threat hunters, sifting out mere pests and zeroing in on sinister predators.
Multi-vector EDR gives a global view of the network, leveraging the cloud to unify context vectors such as asset discovery, normalized software inventory, end-of-life visibility, vulnerabilities, exploits, misconfigurations, in-depth endpoint telemetry and network reachability. Lightweight “edge” agents commune with powerful cloud-based engines to deliver potent assessment, detection, and response capabilities. Information processing and correlation happen in real time, meaning defence teams are never on the back foot. They are taking proactive measures ahead of possible breaches, rather than performing the lamentable task of cleaning up after data exfiltration has already occurred.
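The correlation described here (an endpoint detection joined with inventory, vulnerability, end-of-life, misconfiguration and reachability context to produce a prioritised risk score) and the later point that the same information flow weeds out lesser alerts can both be illustrated with a small triage routine. The code below is an added example, not Qualys code and not the product's scoring logic; the data shapes, weights, thresholds, host names and CVE placeholders are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed, assumed data shapes: not a real EDR or inventory schema.


@dataclass
class Vulnerability:
    cve_id: str           # placeholder identifier, constructed for the example
    exploit_public: bool  # a public exploit exists for this finding


@dataclass
class Asset:
    hostname: str
    software: Dict[str, str]                       # normalised inventory: product -> version
    vulnerabilities: List[Vulnerability] = field(default_factory=list)
    end_of_life: List[str] = field(default_factory=list)       # products past vendor support
    misconfigurations: List[str] = field(default_factory=list)  # e.g. AV real-time scan off
    internet_reachable: bool = False


@dataclass
class Alert:
    hostname: str
    process: str
    parent_process: str
    binary_signed: bool
    detection: str  # what the endpoint sensor flagged


# Weights are illustrative assumptions, not tuned values.
WEIGHTS = {
    "detection": 30,
    "unsigned_binary": 10,
    "office_spawns_shell": 15,
    "exploitable_vuln": 25,
    "unexploited_vuln": 5,
    "end_of_life": 10,
    "misconfiguration": 15,
    "internet_reachable": 10,
}

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe"}


def score_alert(alert: Alert, asset: Asset) -> Tuple[int, List[str]]:
    """Combine the endpoint signal with asset context into one 0-100 score."""
    score = WEIGHTS["detection"]
    reasons = [f"sensor detection: {alert.detection}"]
    if not alert.binary_signed:
        score += WEIGHTS["unsigned_binary"]
        reasons.append("unsigned binary")
    if alert.parent_process.lower() in OFFICE_APPS and alert.process.lower() in SHELLS:
        score += WEIGHTS["office_spawns_shell"]
        reasons.append(f"{alert.parent_process} spawned {alert.process}")
    exploitable = [v.cve_id for v in asset.vulnerabilities if v.exploit_public]
    if exploitable:
        score += WEIGHTS["exploitable_vuln"]
        reasons.append("exploitable vulnerabilities on host: " + ", ".join(exploitable))
    elif asset.vulnerabilities:
        score += WEIGHTS["unexploited_vuln"]
        reasons.append("unpatched vulnerabilities without public exploit")
    if asset.end_of_life:
        score += WEIGHTS["end_of_life"]
        reasons.append("end-of-life software: " + ", ".join(asset.end_of_life))
    if asset.misconfigurations:
        score += WEIGHTS["misconfiguration"]
        reasons.append("misconfigurations: " + ", ".join(asset.misconfigurations))
    if asset.internet_reachable:
        score += WEIGHTS["internet_reachable"]
        reasons.append("reachable from the internet")
    return min(score, 100), reasons


def priority(score: int) -> str:
    if score >= 70:
        return "critical"
    if score >= 45:
        return "high"
    return "low"


def triage(alerts: List[Alert], inventory: Dict[str, Asset]) -> List[dict]:
    """Score every alert against its asset context; highest risk first.
    A host missing from inventory is itself a visibility gap and is escalated."""
    rows = []
    for alert in alerts:
        asset = inventory.get(alert.hostname)
        if asset is None:
            score, reasons = 50, ["asset not in inventory: visibility gap"]
        else:
            score, reasons = score_alert(alert, asset)
        rows.append({"host": alert.hostname, "score": score,
                     "priority": priority(score), "reasons": reasons})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample data: two identical sensor detections on different assets.
INVENTORY = {
    "fin-ws-01": Asset("fin-ws-01", {"office": "14.0"},
                       [Vulnerability("CVE-PLACEHOLDER-1", True)],
                       ["office 14.0"], ["av-realtime-disabled"]),
    "dev-ws-07": Asset("dev-ws-07", {"office": "16.0"}),
}
ALERTS = [
    Alert("fin-ws-01", "powershell.exe", "WINWORD.EXE", True, "encoded-command"),
    Alert("dev-ws-07", "powershell.exe", "explorer.exe", True, "encoded-command"),
    Alert("unknown-host", "powershell.exe", "explorer.exe", True, "encoded-command"),
]

if __name__ == "__main__":
    for row in triage(ALERTS, INVENTORY):
        print(row["host"], row["score"], row["priority"], "; ".join(row["reasons"]))
```

The point of the example is in the first two rows: the sensor detection is identical, yet the asset with an exploitable vulnerability, end-of-life software and disabled AV is scored critical while the clean, patched workstation stays low, so the analyst's queue is ordered by the context vectors rather than by the raw detection alone.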
Information banquets feed shrewder action
The unparalleled visibility within multi-vector EDR platforms allows teams to go after the most advanced attacks before they do damage, leveraging threat intelligence to automatically flag suspicious activity for investigation. Not only do security professionals get to hunt big game — unquestionably the optimal use of their skills — but they are no longer plagued by “minnow” alerts, because the same information flow that has identified the genuine threat has accurately weeded out lesser ones.
The importance of seeing beyond the individual endpoint to a wider vision should now be obvious. Multi-vector EDR allows organisations to build real-time information banquets that feed shrewder actions and resourcing. This, undeniably, is the future, and should be part of all our conversations from now on.