Predicting the future of endpoint security in a zero-trust world

Endpoints must become more intelligent, resilient and self-healing to support the many new identities they need to protect. Even the most hardened endpoints are at risk because they can’t protect against identity-based breaches. Putting any trust in identities is a breach waiting to happen.

How endpoint protection platform (EPP), endpoint detection and response (EDR) and extended detection and response (XDR) providers respond to the challenge will define the future of endpoint security. Based on the many briefings VentureBeat has had with leading providers, a core set of design objectives and product direction emerges. Together, they define endpoint security’s future in a zero-trust world. 

Srinivas Mukkamala, chief product officer at Ivanti, advised organizations to consider every operating system and have the ability to manage every user profile and client device from one single pane of glass. Employees want to access work data and systems from the device of their choice, so security in providing access to devices should “never be an afterthought.”

“Business leaders will continue to see costs of managing these devices rise if they don’t consider the variety of devices employees use,” said Mukkamala. “Organizations must continue moving toward a zero-trust model of endpoint management to see around corners and bolster their security posture.” 

Event

Transform 2023

Join us in San Francisco on July 11-12, where top executives will share how they have integrated and optimized AI investments for success and avoided common pitfalls.

Register Now

Manufacturers, in particular, call ransomware attacks that capitalize on unprotected endpoints a digital pandemic. And, after an attack, the forensics show how attackers are fine-tuning their tradecraft to capitalize on weak to non-existent endpoint identity protection.  

CrowdStrike’s 2023 Global Threat Report discovered that 71% of all attacks are malware free, up from 62% in 2021. CrowdStrike attributes this to attackers’ prolific use of valid credentials to gain access and perform long-term reconnaissance on targeted organizations. Another contributing factor is how quickly new vulnerabilities are publicized and how quickly attackers move to operationalize exploits. 

CrowdStrike president Michael Sentonas told VentureBeat that the intersection of endpoint and identity is one of the biggest challenges today.

Attackers doubling down on improving their tradecraft reduced the average breakout time for intrusion activity from 98 minutes in 2021 to 84 minutes in 2022. CrowdStrike notes that it can take up to 250 days for organizations to detect that an identity breach has occurred when attackers have valid credentials to work with. 

Leading EPP, EDR and XDR providers hear from customers that identity-based endpoint breaches are rising. It’s not surprising that 55% of cybersecurity and risk management professionals estimate that more than 75% of endpoint attacks can’t be stopped with their current systems.

Generative AI needs to deliver zero-trust gains

Generative AI can help capture every intrusion, breach and anomalous activity along with their causal factors to better predict and stop them. With these tools, security, IT and operations teams will be able to learn from each breach attempt and collaborate on them. Generative AI will create a new type of “muscle memory” or reflexive response.

Notable providers with strong AI and machine learning (ML) leads include CrowdStrike, Cisco, Ivanti, Microsoft, Palo Alto Networks and Zcaler. Microsoft spent $1 billion in cybersecurity R&D last year and committed to spending another $20 billion over the next five years.

Providers seek stepwise gains to provide more contextual intelligence, resilience and self-healing. It is easy to see why endpoint providers including BitDefender, Cisco, Ivanti, McAfee, Palo Alto Networks, Sophos and others are doubling down on AI and ML to bring a new intensity to how they innovate. 

Below are key takeaways from product briefings with leading providers.

Fast-tracking ML apps to identify most critical CVEs impacting endpoints

Active Directory (AD), first introduced with Windows Server in 2019, is still used across millions of organizations. Attackers often target AD to gain control over identities and move laterally across networks. Attackers exploit AD’s long-standing CVEs because organizations prioritize the most urgent patches and CVE defenses first.

Undoubtedly, AD is under attack; CrowdStrike found that 25% of attacks come from unmanaged hosts like contractor laptops, rogue systems, legacy applications and protocols and parts of the supply chain where organizations lack visibility and control. 

Consolidating tech stacks provides better visibility

CISOs say that budgets are under greater scrutiny, so consolidating the number of applications, tools and platforms is a high priority. The majority (96%) of CISOs plan to consolidate their security platforms, with 63% preferring (XDR). Consolidating tech stacks will help CISOs avoid missing threats (57%), find qualified security specialists (56%) and correlate and visualize findings across their threat landscape (46%).

All major providers are now pursuing consolidation as a growth strategy, with CrowdStrike, Microsoft and Palo Alto Networks the most often CISOs mention to VentureBeat. 

CISOS says that Microsoft is the most challenging to get right of the three. Microsoft sells Intune as a platform that helps cut costs because it’s already included in existing enterprise licenses. But, CISOs say they need more servers and licenses to deploy Intune, making it more expensive than they expected. CISOs also say managing all operating systems is challenging, and they need additional solutions to cover their entire IT infrastructure.

CrowdStrike, meanwhile, uses XDR as a consolidation platform; Ivanti fast-tracks AI and ML-based improvements to UEM; and Palo Alto Networks’ platform-driven strategy aims to help customers consolidate tech stacks. During his keynote at Fal.Con 2022, CrowdStrike cofounder and CEO George said that endpoints and workloads provide 80% of the most valuable security data.

“Yes, [attacks] happen across the network and other infrastructure,” he said. “But the reality is people are exploiting endpoints and workload.”

Jason Waits, CISO at Inductive Automation, explained that his company consolidated vulnerability scanning and endpoint firewall management into the CrowdStrike agent, removing two separate security tools in the process.

“Reducing the number of agents we need to install and maintain significantly reduces IT administration overhead while enhancing security,” he said.

Contextual intelligence AI-based indicators of attack (IOA) core to solving endpoint-identity gap

By definition, indicators of attack (IOA) gauge a threat actor’s intent and try to identify their goals, regardless of the malware or exploit used. Complementing IOAs are indicators of compromise (IOC) that provide forensics to prove a network breach. IOAs must be automated to provide accurate, real-time data to understand attackers’ intent and stop intrusion attempts.

VentureBeat spoke with several providers who have AI-based IOA under development and learned that CrowdStrike is the first and only provider of AI-based IOAs. The company says AI-powered IOAs work asynchronously with sensor-based ML and other sensor defense layers. The company’s AI-based IOAs use cloud-native ML and human expertise on a platform it invented over a decade ago. AI-generated IOAs (behavioral event data) and local events and file data are used to determine maliciousness.

<em>AI-powered indicators of attack (IOA) detect intent regardless of the malware or exploit used. Source: <a href="https://www.crowdstrike.com/cybersecurity-101/indicators-of-compromise/ioa-vs-ioc/" target="_blank" rel="noreferrer noopener">CrowdStrike</a>.</em>

Standalone tools don’t close gaps between endpoints and identities; platforms do

Normalizing reports across various standalone tools is difficult, time-consuming and expensive. SOC teams use manual correlation techniques to track threats across endpoints and identities. Tools don’t have a standard set of alerts, data structures, reporting formats and variables, so getting all activity on a single pane of glass isn’t working.

Ivanti Neurons for UEM relies on AI-enabled bots to seek out machine identities and endpoints and automatically update them. Their approach to self-healing endpoints combines AI, ML and bot technologies to deliver unified endpoint and patch management at scale across a global enterprise customer base.

<em>Ivantis device lifecycle dashboard provides real-time insights into every endpoints status and relative position in its lifecycle; Ivanit relies on AI-based bots to automatically discover new network devices.</em>

Self-healing endpoints help close the gap while delivering resilience

The most advanced UEM platforms can integrate with and enable enterprise-wide micro-segmentation, IAM and PAM. When AI and ML are embedded in platforms and endpoint device firmware, enterprise adoption accelerates. Self-diagnostics and adaptive intelligence make a self-healing endpoint. Self-healing endpoints can turn themselves off, recheck OS and application versioning and reset to an optimized, secure configuration. These activities are autonomous, with no human interaction needed.

CISOs tell VentureBeat that cyber-resiliency is as critical to them as consolidating their tech stacks. The telemetry and transaction data that endpoints generate are among the most valuable sources of innovation the zero-trust vendor community has today. Expect further use of AI and ML to improve endpoint detection, response and self-healing capabilities.

Conclusion

Endpoint security in a zero-trust world depends on EPP, EDR and XDR providers’ ability to bridge the endpoint security and identity protection gap on a single platform using common telemetry data in real-time. Based on interviews VentureBeat conducted with leading providers and CISOs, it’s evident that this can be achieved using generative AI to deliver zero-trust gains and consolidate tech stacks for better visibility. Providers must innovate and integrate AI and ML technologies to improve endpoint detection, response and self-healing in the face of a fast-changing and unforgiving threat landscape.

VentureBeat’s mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Discover our Briefings.

Source