
4 Reasons to Unify Endpoint and Network Protections

Nov 16, 2021 | 4 min read
Network Security

Faced with today’s advanced threats, a strong security posture means coordination between endpoint and network protections. Here’s why.


The degree of damage an attack can generate isn’t limited to the initial channel of infection. Threats that take hold on a user’s device or via the core network tend to spread and wreak havoc elsewhere if you don’t have the necessary detection and remediation controls in place. Furthermore, attacks have gotten more sophisticated and evasive. Threat actors can often leverage technical tricks that evade aspects of endpoint detection, network detection, or both. That’s why organizations need network and endpoint security working in concert to provide better end-to-end protection.

Here are four key examples of threat types that sometimes evade endpoint or network detection individually, thus illustrating the importance of combining endpoint and network security:

  1. Rootkits – A rootkit is an attack tool or feature in malware that leverages various operating system (OS) capabilities to hide the presence of its activity on a computer. Nowadays attackers can include rootkit capability in the various types of malware they install, such as trojans or botnet clients. In short, rootkits can locally hide many aspects of their malware from your OS and endpoint security controls: its files, registry entries, and even network connections. However, while a rootkit may be able to hide its network connection from the endpoint, it still needs to send network packets to connect to its command and control (C2) infrastructure, and those packets are still visible on the network.
  2. Network IPS Evasion Techniques – Just as rootkits can sometimes evade endpoint security controls, threat actors can use evasive tricks to sneak past network-based security controls too. For example, traffic fragmentation, protocol or application evasions, timing-related attacks, resource exhaustion, and plain old encryption are all techniques used to evade some network security controls. In short, even though network security controls are great in general, attacks sometimes find new techniques to evade some of them. That’s why it’s always good to have endpoint controls as well.
  3. Fileless Malware or Living off the Land Attacks – Fileless malware, also called Living off the Land (LotL) attacks, has been on a tear in recent years, increasing by nearly 900% in 2020 over the previous year. Contrary to most conventional malware variants, these attacks often succeed without requiring an attacker to leave an executable file, or registry entry, on the victim system. Finding fileless malware requires a different type of endpoint detection and response (EDR) solution that looks at indicators beyond just files and registry entries: the behavior of processes (legitimate or unknown), the types of network traffic a process generates, and signs of memory injection or DLL hijacking techniques. Fileless malware and LotL attacks are just one of the reasons endpoint-based EDR is evolving into extended detection and response (XDR), which combines endpoint and network indicators.
  4. Zero-Day Malware – Attackers often leverage obfuscation techniques to help existing malware variants circumvent signature-based antivirus protections. According to recent security intelligence from the WatchGuard Threat Lab, zero-day malware accounted for 74% of all detections in Q1 2021. Evasive malware has become the rule, not the exception. To detect and prevent it you need advanced, behavior-based anti-malware services capable of evaluating potential threats on networks and endpoints based on their processes and characteristics, rather than just databases of known malware signatures. That’s why it’s best to look at and correlate indicators from many security controls, both endpoint and network, together to have the best chance of catching enough suspicious behaviors to know something is malicious.
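As an added illustration of the correlation that items 1 and 4 describe (this is example code written for this article, not WatchGuard's product code), the script below compares the connections each endpoint agent reports with the flows a network sensor saw for the same host. Both feeds are constructed samples; a flow the network saw but the endpoint did not report is flagged for investigation, and a host with flows but no endpoint telemetry is flagged as a coverage gap.

```python
"""Correlate endpoint socket telemetry with network flow records.

Added example with constructed data. Assumes two feeds: per-host
connection lists from an endpoint agent, and flow records from a
network sensor. A flow the endpoint never reported is an anomaly
(a rootkit hiding its C2 connection is one explanation); a host
with flows but no agent data at all is a telemetry coverage gap.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_host: str   # endpoint hostname the sensor attributed the flow to
    dst_ip: str
    dst_port: int
    proto: str


# Constructed sample: connections each endpoint agent reports (host -> set)
ENDPOINT_SOCKETS = {
    "ws-01": {("203.0.113.10", 443, "tcp"), ("198.51.100.5", 53, "udp")},
    "ws-02": {("203.0.113.10", 443, "tcp")},
}

# Constructed sample: flows the network sensor observed
NETWORK_FLOWS = [
    Flow("ws-01", "203.0.113.10", 443, "tcp"),
    Flow("ws-01", "198.51.100.5", 53, "udp"),
    Flow("ws-01", "192.0.2.77", 8443, "tcp"),   # absent from the endpoint view
    Flow("ws-02", "203.0.113.10", 443, "tcp"),
    Flow("ws-03", "192.0.2.78", 4444, "tcp"),   # no agent telemetry for ws-03
]


def correlate(endpoint_sockets, network_flows):
    """Return (hidden, uncovered): flows the endpoint did not report, and hosts with no agent data."""
    hidden, uncovered = [], set()
    for f in network_flows:
        if f.src_host not in endpoint_sockets:
            uncovered.add(f.src_host)          # network sees it, no endpoint visibility
            continue
        if (f.dst_ip, f.dst_port, f.proto) not in endpoint_sockets[f.src_host]:
            hidden.append(f)                   # endpoint claims no such connection
    return hidden, sorted(uncovered)


if __name__ == "__main__":
    hidden, uncovered = correlate(ENDPOINT_SOCKETS, NETWORK_FLOWS)
    for f in hidden:
        print(f"ALERT {f.src_host}: network saw {f.proto}/{f.dst_ip}:{f.dst_port} not reported by the endpoint agent")
    for h in uncovered:
        print(f"GAP {h}: flows observed but no endpoint telemetry")
```

In practice both feeds carry timestamps and the match must be made within a time window, since short-lived connections can legitimately close before the agent's next snapshot.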

Today’s increasingly sophisticated and evasive threats demand a layered, cohesive security strategy that protects networks, endpoints and users. No single security control is unbeatable, but tight integrations between network and endpoint security services can provide more effective protection.

The industry is going in this direction with the inception of extended detection and response (XDR), which correlates both endpoint and network indicators together in order to find advanced, evasive threats that may not have been caught by an individual control alone. The WatchGuard Cloud platform does just that, enabling network and endpoint defenses to share telemetry, threat intelligence and security event data to help MSPs and their midmarket customers automatically detect, contextualize, assess and remediate threats regardless of where they originate.

Beyond hardening security across your perimeter, endpoints and identities, unifying all critical defenses within one cloud-managed platform also dramatically reduces security cost and complexity for organizations of all types and sizes.

To learn about how WatchGuard’s Unified Security Platform combines endpoint and network protections for a more robust security posture with streamlined delivery and management, click here.