A Call for Modern Endpoint Security in a Distributed World

This month we are sharing a blog from our partner eSentire on how to prepare for the move back to the office (B2TO).

There has never been a more relevant time to make the case for modern endpoint security solutions than today’s current business climate of massive global distributed workforces.

Endpoints have always been a favorite attack point for adversaries. In Nuix’s second annual Black Report, 54 percent of surveyed cyberattackers reported they could breach a target’s perimeter, identify critical data and exfiltrate in under 15 hours. Fifty-nine percent of attackers also identified social engineering, phishing, ransomware and other endpoint originated attacks as their favorite and most successful vector. In the 2020 CrowdStrike Global Threat Report the speed at which an adversary accomplishes lateral movement after initial compromise was just under 19 minutes for nation-state attackers, with a global average of 4 hours 37 minutes across all threat groups. In contrast, dwell time–the timeframe from undetected intrusion to containment–has extended to 243 days[1] for organizations across the U.K.

With distributed workforces in play, minimising detection-to-remediation timeframes has never been more critical, especially with 68 percent of organizations reporting an endpoint attack that compromised assets, according to the 2020 State of Endpoint Security Risk Study. And for many organizations in the U.K. it is seemingly impossible to adhere to recommended standards such as CrowdStrike’s 1-10-60 rule which says companies should aim for 1 minute to detect a threat, 10 minutes to triage it, and 60 minutes to contain its impact.

As budgets tighten due to current economic conditions, cybersecurity teams are challenged with adapting endpoint defences to an increasingly exposed vector of attack. The information and charts below serve as guidance and justification for strengthening endpoint protection by understanding the probability of an endpoint breach and subsequent yearly risk incurred.

Probability of one or more endpoint incidents in a 12-month time period in the U.K.
This table indicates the probability of one or more bypasses of existing endpoint controls based on eSentire observed Security Operations Centre (SOC) data. Notice as the number of locations increases (and relative endpoints), the probability of an endpoint incident increases due to exposure. This data however does not mean that the incident results in data disclosure.

Endpoint Security

Probability of an endpoint incident and that incident resulting in data disclosure across the U.K.
This table indicates the probability of one or more incidents and that incident converting to data disclosure. While these percentages are lower than the previous table, these numbers take into account the conversion rate of incidents to data disclosure. These calculations assume a minimum of one incident in a 12 month period are calculated using the table above multiplied by the conversion rate of incidents to data disclosure for all global industries (29.6%).

Endpoint Security 2

Incurred Yearly Risk
Using the probability of an incident and that incident converting to data disclosure, the value of incurred risk can be calculated. Based on the Ponemon cost per record lost in a data breach scenario in the U.K., the table below represents the minimum value an organization must account for with at least one endpoint incident in a 12-month period. The incurred yearly risk is dependent upon the projected number of records that could potentially be lost in a data breach scenario, which the table gives visibility from 1,000 to 100,000 records lost. While these values only indicate the incurred risk, the cost of the breach would be far greater when and if a breach does occur. Incurred risk is similar to how insurance providers calculate financial risk outlay for customers, acknowledging an event will happen, in this case a data breach, incurred yearly risk is the financial outlay they must account for to accommodate when a breach does occur. An important note is to acknowledge that the greater the number of incidents, the greater the financial risk outlay, however each incident is independent in projected records lost.

Endpoint Security 3

While these calculations are intended to raise awareness of endpoint risk across the U.K., incurred risk will vary in accordance with a number of factors including industry, existing security controls and contextual threat landscape applicable to individual organizations.

With a growing number of customizable tools and the use of fileless malware, threat actors will continue to break through endpoint defenses with record speed and precision. While the value of advanced endpoint security is irrefutable, when combined with network, logs and cloud telemetry, organizations can accelerate detection and containment timeframes.

That’s why CrowdStrike and eSentire have joined forces to bring cloud-delivered Managed Detection and Response (MDR) solutions to the mid-market with esENDPOINT, powered by CrowdStrike. Leveraging CrowdStrike’s endpoint protection platform and eSentire’s proprietary technology stack that identifies elusive threats across network, endpoint and cloud sources, organizations gain comprehensive visibility across their dynamically changing environments no matter where users or data reside. Aligning to CrowdStrike’s 1-10-60 rule, eSentire’s Security Operations Centre average 35 seconds to detection and 20 minutes to containment thereby minimizing the probability of a breach and risk to business operations.

This blog was first published on the eSentire blog on 17th June 2020.

For help to make sure you have secure business practices in the ‘new normal’ office, please contact us or call us on 0845 625 9025.