Solving the dark endpoint problem with increased visibility and control


In this podcast recorded at RSA Conference 2018, Richard Henderson, Global Security Strategist at Absolute Software, and Todd Wakerley, EVP of Product Development at Absolute Software, talk about endpoint visibility and control, RSAC happenings, and what’s hot with Absolute right now.

Here’s a transcript of the podcast for your convenience.

Todd: And I’m Todd Wakerley, EVP of Product at Absolute.

Richard: We’re here today to talk about what’s going on in Absolute, what we see going on in the industry, and just talk a little bit about what’s happening at RSAC. So Todd, what are some of our priorities at Absolute right now, what’s hot for us?

Todd: Well, I think what’s hot for us right now is what’s been hot for us forever, right? We are kind of the leader in endpoint visibility and control, and you know our message at RSAC is that we solve the dark endpoint problem better than anybody else.

Richard: What is dark endpoint though?

Todd: Well I mean to me, a dark endpoint is an endpoint that is either unmanaged, or has an agent broken, or just doesn’t give the visibility to an administrator or a security ops person that they should have access to it.

Richard: Yeah, a lot of people that I talk to, especially customers, when we talk about the dark endpoint they really want to know a lot about how we can help them solve devices that have gone off network or outside of that traditional perimeter. And in most visibility and control solutions there’s a big gap in being able to always actively and continually monitor those endpoint devices once they leave that traditional perimeter, and I think we have a really unique solution that others do not.

Todd: I think that the challenge with the endpoint products today, is that even if they have an off network solution many times those agents simply stop working. They’re either disabled, or they stop reporting in, they’re not getting their policies. What we’re able to do is kind of extend our Persistence offering to those solutions whether it’s BitLocker – any sort of encryption technology, asset management, endpoint protection, EDR solution. I look around the showroom floor and I think every single company that has an endpoint agent we could persist their product and make it better.

Richard: So, I feel like you like totally set me up for a good segue there, but I just wrote a report that will be published on Absolute.com, about some of the statistical trends we’re seeing among a large number of our customers around, what’s going on with endpoint applications and agents.

Something like 90% of enterprise devices today, most of them are Windows 10 Pro now, that’s the most likely deployed operating system we’re seeing. But most of them have an encryption agent installed by default – it’s almost always BitLocker, but there’s other suites out there as well. But of that 90%, almost half of them aren’t encrypting any data whatsoever.

Why wouldn’t you? I mean it’s not like it was 15 years ago where the processor overhead to enable full disk encryption was a rather significant performance penalty. Now, there’s no reason not to full disk encrypt on your devices. We provide customers the ability to gain that visibility into the encryption status alone on their devices, and you know some people have asked me “Well I don’t really care that I have full disk encryption on my endpoint devices”, but you probably should care and I’ll tell you why you should probably care.

As part of that study, we took a sample of about half a million devices, and of those half a million devices across a whole litany of verticals and company sizes with the exception of the education space, every vertical had it was something on the magnitude of seven out of every ten devices at the endpoint level had some measure of regulated or sensitive data on it – whether it was PFI, PHI, credit card data, social security numbers, you name it, it’s on those devices.

Now, to close the circle if you think about what that means if one of those devices becomes lost or stolen, and if seven of those ten devices have regulated data on them, if you can’t verify that the device was fully encrypted and protected when it was lost or stolen, in a lot of cases that triggers a breach notification, and breach notifications are not cheap anymore.

Todd: That cost companies money.

Richard: Millions in some cases. By being able to verify on your endpoint devices the status of your encryption agent and the other security tools that you care the most about, you may be able to stave off a breach notification if something would happen.

Now what’s even crazier is you know think about how many millions of laptops are purchased every year it’s got to be tens if not hundreds of millions of devices. You know 6% of all devices, all laptops every year get lost or stolen. That’s a huge number of devices. Now if you think 6% of those devices, a few of them are going to have regulated data on them. If you can’t verify at the time of theft or loss that something’s happened, and that you can guarantee that someone couldn’t access the data on it, then you’re going to have to default to a breach notification.

Todd: As we said that can be both expensive and you know the company loses focus on I think what the primary objective is.

Richard: I am going to ask you another question, okay, answer it as well. What are you following in cyber security in general, even just beyond what we’re doing in Absolute?

Todd: Well, I think the thing that interests me most is what’s happening in the kind of the analytic space. It’s not necessarily UABA but you know what are we doing with machine learning, or what are we doing with blockchain around identity. I’m looking at the conference, and what the people at the edge of the conference are doing that’s kind of innovative in that space. I think behavioral analytics or just even analytics as it relates to kind of threat analysis and detection is really interesting and it’s kind of the next step in terms of like heuristics, beyond heuristics.

Richard: I think I’m seeing some really interesting developments and it’s kind of like the pendulum’s shifting again towards GRC and risk, and the analytics can help enterprises get a much better handle and quantify the risk that’s inherent inside their networks.

Risk really is everything a CISO cares about, at least it should be one of their top three priorities. Many CISOs have a very good statistical background and they’re always trying to quantify the risk in their networks. GRC is going to be red hot, I think identity is heating up again. A few years ago it was all network-centric security, now the endpoint’s red hot, and now we’re seeing that it’s becoming a little more granular into things like identity and GRC. So, it absolutely can provide a little bit of color for companies who are trying to get a better handle on the risk that’s inside their networks.

Todd: Certainly through technologies like Reach we can even provide that data into their analytics engine, but once again I’ll come back to the fact that many of these engines need an endpoint presence in order to collect, analyze, and send up data. And we can protect, defend and make those endpoint agents resilient.

Richard: Right, so I have one more question I want to ask myself because I really want to cover this. Someone wanted me to ask that like most companies agree on best general principles for cybersecurity, but they continue to fall short. And as people have asked me why it is, and I just wrote an article not too long ago about this, and you know for anybody listening I just want to say you probably have 90% of the tools you need in your environment right now to get 90% of the way there. And you have to remember that getting 90% of the way there eliminates a lot of risk in your network where you can focus that little bit of last resources on maybe closing that additional 10% gap. But, if you’re not using the stuff you have already effectively, and as best as possible, you leave those gaps wide open.

One of the things I wrote about recently was being able to trust that you have the right tools in place in your environment, but you need to verify that they’re working. So, the old Russian proverb – trust, but verify. If you don’t verify that the tools you’re using inside your environment are functioning and working as expected, and that also means making sure they’re actually there if you know you have an insider or an employee who doesn’t like your EDR suite because it gets in the way of their job, and they just decide they want to uninstall it because you’ve given them local admin privileges to do so, which you shouldn’t do.

Todd: That happens all the time.

Richard: It happens all the time, people are disabling agents all the time. You know the average endpoint in the enterprise has at least half a dozen security type agents functioning on the device at any one time, and they’re not always going to be up and running. By leveraging the persistence power of Absolute you can ensure that those applications are always on, in a good state and functional.

Todd: I’d just like to close and ask just a fun question, a fair trade. I can see your cane and you’ve got a lot of stickers on your cane today, what would you say the best t-shirt that you’ve seen on the floor is?

Richard: I kind of have t-shirt fatigue at RSAC because there are so many of them. For those at home who can’t see me recording right now, I’ve hurt my back pretty significantly so I’ve had to walk around with this just this very unattractive cane, so I’ve adorned it with stickers from all the booths. I have all these cool hacker stickers all over, one of them says data is the new bacon. I mean, was data always bacon? I think it probably was, but as far as t-shirts, I got to say you know the people at SentinelOne certainly broke the bank this year and gave everybody Patagonia vests. They must have got a really heck of a good deal to be able to give people who are sitting in on a thing there. But you know there are so many cool t-shirts out there.

Todd: I saw two, and I really liked one was Cisco’s and it just said RUN DNS. I really like that one, and the other one that I think I can’t remember who it was from, but it said “I’m too socksy for this shirt”.

Richard: Right Said Fred is turning over in his grave right now.

Todd: That’s right, okay all right. Well thank you.

Richard: Thanks for having us. I’m Richard Henderson, Absolute’s global security strategist.

Todd: And Todd Wakerley, VP of Product.

Richard: Thanks for listening.
