Endpoint security is definitely an approach that I favor. Keeping a network secure is an immense challenge that requires constant work and vigilance. Why introduce a client or server to your network before making sure that the device is as security hardened as possible?
In my data center work experience, a very significant percentage of the major network vulnerabilities I've had to fix were caused by the introduction of poorly secured computers. It's a surprisingly common blunder.
Network-based information security attacks have been making the news with increased frequency throughout 2014. It's even gotten to a point where a lot of those incidents are being reported in mainstream publications and websites. And you can bet that for each incident that makes the news, there are possibly thousands more that we don't get to read about.
A lot of these problems can be prevented with a solid endpoint security strategy. Are corporations and institutions going to get smarter about it? In the rapid pace of tech, how will endpoint security implementation evolve in 2015? From my keen observations of what's going on in the IT world, here's what I predict.
As personal and business smartphone usage has exploded since about 2007, people who work in office environments carry their work home with them on the same devices they use to watch cat videos on YouTube, empty their wallets with Candy Crush Saga, and conduct their personal banking. Many of them even use their phones to pay for stuff in malls and restaurants, thanks to NFC payment apps such as Google Wallet and Apple Pay. Businesses will often allow BYOD (bring your own device), thinking that it'll increase productivity and save them money by not having to purchase mobile devices for their employees.
But BYOD introduces a multitude of security problems to corporate networks, even when the devices don't contain a business's sensitive data. The app payment, banking, and NFC payment uses I cited show how sensitive personal financial data may be on employees' personal phones and tablets.
Also, mobile malware is an ever increasing risk.
“As consumers and businesses shift to using mobile devices for a greater percentage of their daily activities, cybercriminals will place a larger emphasis on targeting these platforms - specifically Android and jailbroken iOS devices. Remote find, lock, and wipe aren't enough,” said Mark Bermingham of Kaspersky Lab.
It also makes it far too complicated to thoroughly run a penetration test and security harden an office's network when so many employees' own devices get connected to it. “Attention employees! Give us all of your personal smartphones for 36 hours so that we can test their security!” Yeah, that will go over well.
So, in 2015, I believe that many businesses that have BYOD policies will scrap them altogether. They may either switch to CYOD (choose your own device that's completely administered and controlled by an IT security policy) when smartphones and tablets are completely necessary for work, or eliminate work done on mobile devices if it's functionally possible. More and more often, we may see USB ports in office PCs being carefully controlled so that employees cannot mount the filesystems of their personal devices to them.
A different antivirus approach
Both consumer and enterprise antivirus software tends to work based on signatures. If antivirus developers constantly keep up on the latest malware and crypters (programs used to help malware evade signature antivirus shields), their software will usually do a great job of preventing some malware infections. But for obvious reasons, signatures are useless for zero-day attacks.
“Signatures have been dying for quite a while. The sheer number of malware samples we see every day completely overwhelms our ability to keep up with them,” said F-Secure's Mikko H. Hypponen.
Antivirus software, both consumer and enterprise, will still use signatures for many years to come. But anomaly-based malware detection will become a greater component in the products of competent antivirus developers.
Currently, anomaly detection algorithms are much more sophisticated in IDS and IPS devices. They focus on network activity rather than code. Antivirus developers are already researching better ways to implement anomaly detection in antivirus shields.
False positives are going to be a huge problem, and there'll always be bugs in the system. Sandboxing suspicious packets only sometimes works, and most sandboxing functions for such purposes are limited to the Windows platform. But I'm optimistic that there will be a lot of progress in anomaly-based malware detection research in 2015. As malware development gets ever more sophisticated (Stuxnet! Regin!), that'll be an absolute must.
It'd make me so happy to hear zero-day attacks becoming less frequent!
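To make the trade-off in this section concrete, here is an added example (not from the original article): an exact-hash signature check next to a simple baseline-deviation score, showing the miss on an altered file and the false positive on a benign one. The sample byte strings, the connection-rate baseline and the three-standard-deviation threshold are all constructed assumptions.

```python
import hashlib
from statistics import mean, stdev

# Constructed stand-ins for file contents; none of these is real malware.
KNOWN_SAMPLE = b"constructed-sample-v1"
ALTERED_SAMPLE = KNOWN_SAMPLE + b"\x00"   # same content plus one byte of padding
SIGNATURES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}

# Constructed baseline: outbound connections per minute for one workstation.
BASELINE = [4, 6, 5, 7, 5, 6, 4, 5, 6, 5]
THRESHOLD = 3.0  # assumed cut-off, in standard deviations

def signature_match(blob):
    """Exact-hash lookup: only catches content already in the database."""
    return hashlib.sha256(blob).hexdigest() in SIGNATURES

def anomaly_score(conn_rate, baseline=BASELINE):
    """Distance of the observed rate from the baseline, in standard deviations."""
    return (conn_rate - mean(baseline)) / stdev(baseline)

def classify(blob, conn_rate):
    """Return which layer, if any, flags this process."""
    if signature_match(blob):
        return "signature"
    if abs(anomaly_score(conn_rate)) > THRESHOLD:
        return "anomaly"
    return "clean"

# (label, file contents, connections/minute, actually malicious?) -- all constructed
EVENTS = [
    ("known sample",   KNOWN_SAMPLE,     5, True),
    ("altered sample", ALTERED_SAMPLE,  60, True),
    ("backup agent",   b"backup-agent",  9, False),
    ("text editor",    b"text-editor",   6, False),
]

def evaluate(events=EVENTS):
    """Map each label to its verdict and list the benign items that were flagged."""
    verdicts = {label: classify(blob, rate) for label, blob, rate, _ in events}
    false_positives = [label for label, _, _, bad in events
                       if not bad and verdicts[label] != "clean"]
    return verdicts, false_positives

if __name__ == "__main__":
    verdicts, fps = evaluate()
    for label, verdict in verdicts.items():
        print(f"{label:16} -> {verdict}")
    print("false positives:", fps)
```

Raising THRESHOLD clears the backup agent but narrows the margin for catching quieter activity, which is the tuning problem the false-positive remark above refers to.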
The greater the number of vendors a business has to deal with for their firewalls, IPSs, and antivirus solutions, the more complex a network administrator's job is. Also, money spent on one vendor's product may take away funds for something else.
When IT departments find that expensive antivirus software products are no more effective than inexpensive antivirus products, the temptation to switch antivirus vendors is perfectly understandable.
Palo Alto Networks surveyed 555 of their customers. They asked “Would you consider switching to 'free' enterprise antivirus in order to fund more advanced endpoint protection for your company?” 44% of respondents said they'd either consider it, or they're already doing it.
If antivirus heavyweights like Symantec want to stay competitive in the enterprise, they may need to package their antivirus software licenses with other products that are applicable to endpoint security more often, and cut license prices altogether. Limiting license commitment duration may also help. If a corporation is stuck in a three-year license, that doesn't make it easy for them to switch to another vendor if they become dissatisfied with the performance of their current vendor's product.
Another excellent idea would be for network security appliance vendors like Cisco and Juniper Networks to make deals with antivirus vendors like Kaspersky and Symantec. They could cooperate to make packages for enterprise customers that include OS antivirus and firewalls in addition to IPS/IDS devices that contain antivirus software and hardware firewalls. It's such a great idea of mine that it's possible they may be considering it already. I just hope, for the sake of the industry, that they don't buy each other's companies.
I watch information security trends very closely, and I write about a lot of my observations. So, by the time 2015 is over, we'll see how correct or incorrect I am. But I'm feeling pretty darn confident!
Kim Crawley is a Security Researcher for the InfoSec Institute.