With increasing numbers of businesses moving to remote working models, it’s more important than ever for CISOs to review and bolster their endpoint security policies. Tamer Odeh, Regional Director at SentinelOne in the Middle East, talks us through the key threats to the endpoint and offers advice to ensure organisations have comprehensive endpoint security strategies in place.
Can you give us an overview of some of the key threats to the endpoint?
The endpoint is vulnerable to many types of cyberattacks that include:
- Malware – Executables such as trojans, malware, worms, backdoors, payload-based attacks
- Malware – Fileless includes memory-only malware, no-disk-based indicators
- Exploits of documents – Exploits rooted in Office documents, Adobe files, macros, spear-phishing emails
- Live/insider scripts that include PowerShell, WMI, PowerSploit, VBS
- Live/insider credentials such as Mimikatz, credentials scraping, tokens
However, the real question is not around the types of attacks but their long-term effects, the metrics cybercriminals use to launch these attacks and the coding they use.
Every listed type of cyberattack evolves by the hour and without strong pre-execution infrastructure, even attacks that are successfully mitigated can still cause tremendous damage to the endpoint.
SentinelOne’s single-agent technology uses a Static AI engine to provide pre-execution protection. The Static AI engine replaces traditional signatures and obviates recurring scans that kill end-user productivity.
On execution, SentinelOne’s Behavioral AI engines track all processes and their interrelationships regardless of how long they are active. When malicious activities are detected, the agent responds automatically at machine speed.
Its Behavioral AI is vector-agnostic, covering file-based malware, scripts, weaponised documents, lateral movement, fileless malware and even zero-day threats.
SentinelOne’s Automated EDR provides rich forensic data and can mitigate threats automatically, perform network isolation and auto-immunise the endpoints against newly discovered threats. As a final safety measure, SentinelOne can even roll back an endpoint to its pre-infected state.
What is the impact of remote working and BYOD on endpoint security?
When accessing corporate networks remotely, there is a higher risk of unauthorised access and data leakage. Employees may engage in behaviour they would never carry out at the office, such as sharing a device with other family members or using the same device for both personal and work activities. Also, the use of home ISPs and public Wi-Fi services presents an attack surface that is outside of your IT or security team’s control.
The biggest financial losses due to cybercrime occur through Business Email Compromise (BEC/EAC), where attackers take over or spoof the account of a senior manager or executive and use that account to instruct another member of staff via email to make a wire transfer to an overseas account, usually on the pretext of paying a phony invoice.
With more and more staff members working remotely, this presents an opportunity for BEC fraud as the whole scam relies on communications that are never confirmed in person.
Phishing campaigns are a threat for all employees whether they are based in-house or remote, but for workers who are not used to working ‘home alone’ and are now dealing with an increase in email and other text-based communications, it can be easier for them to lose perspective on what is genuine and what is a scam.
In particular, with a rise in malspam playing on fears of coronavirus from the ‘usual suspects’ like Emotet and TrickBot, remote workers need to be extra-vigilant.
Unlike the desktop computers in your office, which likely never connect to any other network than the company intranet, portable devices like laptops and smartphones used by remote workers can have a history of network promiscuity.
If such devices are unprotected, you never really know where they have been, what they have been connected to, what peripheral devices have been plugged into them or what processes they are running.
What endpoint security challenges does Digital Transformation pose?
Digital Transformation means different things to every company – it can be hard to pinpoint a definition that applies to all. However, in general terms, Digital Transformation is the integration of digital technology into all areas of a business resulting in fundamental changes to how businesses operate and how they deliver value to customers.
Digital Transformation can mean anything starting from data storage on the cloud, the connection of IoT devices to a company network, migration of documentation and processes to digital platforms and virtual access to applications and services.
It means that, no matter what organisations do today, it is done digitally.
We are more connected to the Internet, we’re connecting more devices to the Internet, more data is being stored and transferred in digital form and this all means we are subject to more cyberthreats.
The key objective for cybercriminals is to access and steal our data and the endpoint (our computers) is one of the entry points to a wider network penetration including cloud, internal and external servers, emails and everything else that represents monetary value for them.
Increasing connectivity and digitalisation increase the number of cyber-risks and endpoint protection plays an instrumental role in protecting valuable data and information.
Can you discuss some use cases for your technology?
Our Autonomous AI Platform defeats every attack every second of every day. It is applicable for any organisation across all sectors and within public or private domains.
Can you tell us how you scale your solution to protect large enterprises?
Our products, solutions and services are B2B focused and we mainly work with enterprise clients, as well as public sector entities. Our solution is scalable for enterprises of any size and can cater to as many users as required.
How important is Machine Learning for endpoint security?
Machine Learning or Artificial Intelligence (AI) is very important for endpoint security. If you think about it, a machine works at machine speed, processing of data is fast and the decision-making aspect of it is also fast. When it comes to next-generation cybersecurity, traditional on-premise signature database protection models are ineffective and lack administrator visibility.
Most traditional and next-gen approaches rely on scanning files to detect attacks, which makes them extremely vulnerable to new attack techniques. The shortcomings of other products are especially relevant to today’s live and fileless attacks.
The on-agent AI detection engines allow SentinelOne to autonomously detect and respond to malicious behaviour immediately, offering machine speed responses such as on-agent remediation and rollback.
To adequately defend the business and adopt cloud, containers, IoT and more, organisations need dynamic Artificial Intelligence-driven (AI) next-generation endpoint protection platforms that defend every endpoint against all types of attacks, at every stage in the threat lifecycle without the need for human intervention.
Why is minimal dwell time so important and how does your technology address this?
In our opinion, there is no such thing as minimal or maximal dwell time; all the talk about keeping a breach dwell time under 200 days instead of the average 285 days is pointless. If an attack takes place and is not detected before it is launched, we lost.
We address this challenge by not accepting any dwell time scenarios. Detection and response are done in real time. SentinelOne’s patented technology links all behaviours and indexes all activities into a storyline on the agent, in real time. Our analysts can hunt faster, focusing on what matters, instead of wasting time looking for the needle in the stack. Malicious attempts are prevented in real time, reducing overall risk and alert fatigue all too common with other EDR products.
Are there any emerging trends in endpoint security of which CISOs should be aware?
Technology is becoming more and more disruptive and, as Digital Transformation continues its march, more and more trends will emerge – especially concerning endpoint security.
We believe that further adoption of AI will continue to grow and will impact the security sector in various ways. AI already surrounds us everywhere we go, from Alexa to Google Home, Nest to smart speakers – you’d struggle to find a home that hasn’t incorporated some form of AI. Beyond our devices, AI recommendation engines are allowing for highly targeted (and creepily precise) advertisements across the web and social media.
Machine Learning and other additions are also making AI even more intelligent. This allows AI to monitor anomalies, perform classification on gathered data and predict if a user is about to quit a service, for example.
But with more capabilities comes more code and with more code comes more bugs. Coupled with the fact that AI is a new technology, which as a rule makes it inherently less secure, it’s easy to see why cybercriminals are taking advantage of this problematic new tool.
AI shows no signs of slowing down; it’s effective and addictive, which is why we have adopted it with open arms. Clearly, there’s no going back now. As defenders, our next step has to be building the tools, security models and processes to combat the wave of deep fakes and beyond, securing a bright future with AI by our side, not against us.
What advice would you give to organisations to ensure they have a comprehensive endpoint security strategy in place?
Stopping the attack from happening is just part of the solution; a lot of malicious files can sit in your system for days and months and continue exploiting your data even after a breach is mitigated.
It is more important than anything to secure your devices and not allow any active attacks. In the absolute worst-case scenario, our last reserve is the rollback function that we offer to our customers. If your system doesn’t have the ‘pre-attack state’ backup, your endpoint cybersecurity infrastructure is as good as non-existent.