Enterprise endpoint protection failures will continue until accountability increases

To make better choices, we must help enterprise stakeholders understand the conflicts of interest among the cyber players that present or influence their choices.


There is a great need for sweeping changes, more so than most know. The Cyber War continues to heat up and no enterprise is left on the sideline. Smaller businesses are being left for dead, successful ransomware attacks are driving more ransomware attacks, and the largest enterprises with best practices in place are getting breached repeatedly. Hundreds of millions of customers’ records have been stolen, with more inevitably to follow.

The many different resources the enterprise throws at this weigh like a tax that grows every year. And what do we get? Cyber tools and services that are less and less proactive and more and more reactive. Helping to create and sustain this, too many different players profit more from the chaos of cyber-attacks than from their defeat. When did you last see a forecast that this cyber tax will be repealed, or at least reduced, in any year? Taxes are ultimately not paid by the enterprise but passed on to their customers. So, the cost of cybercrime is withstood, for now.

Instead of widespread shouts for meaningful change, all trends point to more of the same. The word for this is complacency. Now that we have set up this doom and gloom scenario, let us see how we might change this paradigm through accountability and awareness.

A recent discovery of a new and terrifying malicious code attack technique helps begin to illustrate the acceptance of cyber inadequacy. It is called Process Doppelgänging, and researchers explained it at Black Hat Europe in December 2017. They demonstrated that nearly every enterprise is defenseless against it despite the billions they’ve spent on the recommended best-practice cyber solutions. This new attack technique does NOT depend on exploiting a Windows software vulnerability. It is reported that there will be no Microsoft patch anytime soon, if ever, that will eliminate what the vendors cannot block, or in many cases, cannot even see. The presenters at Black Hat showed how easily this attack bypasses the biggest names in security, including their most recent offerings. In my opinion, this can and should be the wakeup call that drives the media to hold these companies accountable.

In fairness, no such attacks have occurred in the wild yet. Societies often do not act until much blood has spilled. But the Process Doppelgänging technique is only a White Walker entering a war-torn world where “fileless” and weaponized document attacks draw blood daily. A recent Ponemon survey (2017 Cost of Cyber Crime Study) asserts that companies are experiencing 2.5 successful cyber attacks per week; most involve the endpoint.

Roughly half of enterprise attacks employ “fileless” tactics, about another half exploit unpatched endpoint software vulnerabilities, and the rest are social engineering attacks that trick end users into installing malware. A Ponemon survey published in November 2017 cited 53% of respondents conceding that their endpoint protection tools are inadequate. Why isn’t this figure much higher? I promise you: the other 47% are NOT blocking advanced attacks at the endpoint.

Instead of defeating the attackers at the gates, the endpoints, today’s enterprise strives to rapidly detect, contain, and clean up the mess after the adversaries have penetrated the city. In other words, the cost of the reactive posture exceeds that of the proactive one. This requires many different platoons of analysts working different cyber areas and functions. Recruiting such an army in today’s cyber skills gap climate is challenging. Is it a conflict of interest that the tools and services these armies leverage come from the same vendors that supply what is supposed to prevent breaches?

Today’s enterprise must deal with a cybersecurity solutions industry whose interests conflict with those of its customers. Solving problems at the root yields less profit than treating the symptoms. Tool vendors offer services that are in demand partly because of the shortcomings of the tools. Other contractors and service providers get a piece of the action for the tools and services of their partners. Professional services that advise and assess profit from the sales of tools and services to remediate the issues they find. They also influence customer choices, many of which ultimately determine the volume of billable hours for the same professional services team issuing the advice. On top of this, the complexity, nuances, and ephemeral changes of all these things drive demand for subject matter experts, pundits, and periodicals. In their own way, they too profit from the chaos of cyber crime. And finally, the success of these individual players depends on the relationships they have with the others. One scratches another’s back at the expense of the customer, and ultimately at the expense of the entire community of enterprises and their customers. And so the cyber tax grows year after year with no end in sight.

Who and where are the agents of change? Are they really the authors of what you read online or the speakers at the conferences you attend? Instead of clamor for change I see malaise. And why not? Every year we fundamentally see the same answers but with different buzzwords. We see over-hyped solutions that fall far short of their promises once operational realities become inescapable. We see one breach after another, knowing far more are never reported, all of which originate from the same attack surfaces. Most of those are endpoints, where compromise is the norm.

The community of enterprises can repeal this cyber tax by demanding more accountability for what cyber products and services do and do not do. To be more proactive and less reactive, we must insist on knowing how enterprise IT/secops labor costs correlate with whatever drives their headcount. And to make better choices, we must help enterprise stakeholders understand the conflicts of interest amongst the cyber players that present or influence their choices. By creating demand for these things, the thought leaders and those that echo them will flesh out the insights needed to finally repeal the enterprise cyber tax.

Copyright © 2018 IDG Communications, Inc.