Industry Perspectives

Endpoints are our new perimeters

Nov 04, 2020 | by David Strom
Remember when firewalls first became popular? When enterprises began installing firewalls in earnest, they quickly defined many networks' protective perimeter. Over the years, this perimeter has evolved from a hardware focus to one more defined by software, and it all but disappeared a few years ago when Bruce Schneier officially proclaimed the death of the perimeter.

Part of this evolution is the changing nature of the attacks we experience along with the changing nature of our enterprise networks. Back when everyone was working from well-defined offices, we could definitely state that there was a difference between what was considered "outside" and "inside" the corporate network. But then the Internet happened, and we all became connected.

Even before the pandemic, there was little difference. With the advent of the cloud and the onset of the pandemic, we are, as the wise infosec sage Jerry Seinfeld once said, all out. We no longer worry about "bringing your own device." Today, that's our default. We are all working from home, using devices that aren't necessarily ones that IT has purchased and sharing them with other family members. As my colleague Scott Fulton wrote in 2017, "Once the distinctions between inside and outside have been effectively erased, an outside user would be treated exactly the same as one inside the office." You could argue that he was talking from the opposite perspective, but with the same result: today, an inside user would be treated exactly the same as one outside the office.

This has given rise to the concept of zero-trust networks, a topic that I touched upon in my March 2019 post. In that post, I talked about the shades of grey that are now accepted as part of the authentication process: not only is there no distinction between 'inside' and 'outside' the corporate network, but there is nothing that is fully trusted anymore. As I mentioned in that post, the zero-trust concept is really a misnomer: instead, we should strive for a zero-risk model. RSA CDO Dr. Zulfikar Ramzan has long advocated doing this, because it gets IT staffs to examine what is really important: identifying and securing key internal and third-party IT assets and data.

One consequence of a zero-risk model is that today the new network perimeter really depends on the integrity of our endpoint devices. The endpoint is the first thing that can fall victim to a phishing lure and is the first place that attackers look for a sign of an unpatched OS or a smartphone that is secretly running malware. Recent surveys show that the pandemic is making it easier for cybercriminals to target mid-level managers with everything from traditional business impersonations to Covid-related lures.

That doesn't mean we need to let a thousand firewalls bloom, but it does mean that endpoint detection and response tools have to do a lot more these days than just scan for malware and compromises. Instead, we need a whole army of protective features working for us to make our endpoints a less attractive target for attackers to try to exploit. The vendors in the endpoint space have risen to meet this challenge and have added features such as:

  • Ad hoc queries (to search for new compromises),
  • Better security policy enforcement and reporting,
  • Automatic discovery of outliers and unmanaged endpoints,
  • Detection of lateral network movement (for better and earlier attack notifications),
  • Better remediation and deployment tactics (to upgrade large populations of outdated endpoints),
  • Better patch management (ditto), and
  • Integration into existing protective gear such as event and service management tools.

Consolidating all of those features is a tall order for any security tool to handle. But as we continue to work from home, we need the appropriate protection. As Pogo once said, "we have met the enemy and he is us."