A new SANS Institute report found that automating endpoint detection and response processes is the top priority for IT professionals trying to put actionable controls around their endpoints.
Diversity and quantity of endpoints
The survey questioned IT professionals globally on how they approach endpoint security within their organisations, with endpoints referring to devices connecting to networks such as desktop computers, employer-owned laptops, network devices, cloud-based systems and IoT devices.
“The diversity and quantity of endpoints in the modern enterprise are driving the need for more automation and predictive capabilities,” says survey author and SANS Analyst Lee Neely. “While organisations are purchasing solutions to keep ahead of the emerging cyber threats, they appear to fall short on implementing the key purchased capabilities needed to protect and monitor the endpoint,” Neely continues.
Forty-two percent of the IT professionals surveyed said their endpoints had been breached; 82% of that group said their breaches involved desktops, while 69% cited corporate laptops and 42% claimed involvement of employee-owned laptops, which are generally not well covered in security programmes.
The top threat vectors for these exploited endpoints were web drive-by (63%), social engineering/phishing (53%) and ransomware (50%).
While respondents are relying on the security capabilities they currently have to protect these endpoints, often those technologies are not fully implemented.
For example, 50% have acquired next-gen antivirus but 37% have not implemented the capabilities. Additionally, 49% have malware-less attack detection capabilities, but 38% of these have not implemented them. In some cases, it appears that, while respondent organisations were able to procure these types of newer technologies, they lacked the resources to implement them.
This gap in implementation indicates issues such as incomplete strategies, a leadership shortfall or a failure in project-management-related tools and processes. With 84% of endpoint breaches involving more than one endpoint, respondents have a vested interest in improving visibility, detection and response through more automated, integrated endpoint protection, detection and response technologies.
Automating and integrating workload across the detection and response cycle is critical as endpoints of every type are under constant attack. Neely concludes that more automation enables the security operations centre (SOC) to stay abreast of endpoint-related threats, while addressing a major issue cited by respondents, that of a lack of staffing and resources to manage and monitor their many endpoint-related toolsets.