The Critical Role of Endpoint Detection and Response

• Remediating the changes caused by executed attacks with the ability to roll back endpoints to a previously known clean state.
• Creating granular policies to handle USB devices in order to block unknown and potentially malicious USB keys.
• Enabling protections for remote employees who can’t rely on perimeter defenses.

Moreover, EDR solutions can provide business benefits by satisfying regulators, compliance staff, customers and others that an organization that deploys an EDR solution takes its security posture seriously. An EDR solution can demonstrate that threats will be monitored closely, that highly detailed information about endpoint events will be retained for an appropriate length of time, and that remediation of security threats will occur as quickly as possible.

In short, the increasing use of EDR represents the need to build upon and enhance the foundation of traditional antivirus and EPP solutions by working alongside them to provide better protection, reporting and other advanced capabilities.

ABOUT THIS WHITE PAPER

This white paper was sponsored by Trend Micro; information about the company is provided at the end of this paper.

Security Problems are Getting Worse

ATTACKS CAN BYPASS PERIMETER DEFENSES

Improved perimeter defenses like email security, firewalls and EPP solutions have motivated threat actors to find new ways to reach endpoints in order to maximize damage while minimizing detection. For example, the NSS Labs 2018 Next Generation Firewall Comparative Report[viii] found that three in five of the firewalls tested failed at least one evasion test, and one-half did not block attacks that came through non-standard ports; the 2019 SonicWall Threat Report[ix] found that in a sample of 700 million malware attacks, 19 percent came through non-standard ports.

Moreover, threat actors are increasingly using methods like encryption to penetrate organizations that don’t inspect encrypted traffic, as well as updating existing malware variants to bypass static filters.

THE ATTACK SURFACE HAS SHIFTED

Fifteen years ago, most organizations had on-premises infrastructure and very little else in the context of their computing environment. They operated an on-premises email system and other business-critical applications using in-house servers managed by their internal IT staff members, and operated primarily desktop computers and company-owned laptops. Moreover, the comparatively few employees who had mobile devices – in an era before smartphones – had them supplied by their employer, and most of their data and computing assets were kept behind a relatively defensible perimeter that could be protected reasonably well using a conventional security infrastructure.

Fast forward to today and the situation has changed dramatically:

• The vast majority of organizations are operating a wide range of cloud services within hybrid environments for mission-critical and non-mission-critical purposes. For example, one source estimates that there are nearly 1,200 cloud services in use in the typical large enterprise and that the vast majority of these are not “enterprise-ready”[x].
• Mobile devices – many of which are owned and controlled by employees – are commonly used to access corporate data resources and sensitive data assets. These devices typically contain a large number of apps, many of which can be exploited to steal login credentials and other sensitive information.
• IoT devices are becoming commonplace and the number of these devices in use is skyrocketing.
• Employees continue to use conventional endpoint devices like desktop and laptop computers.
• The “Bring Your Own” trend has expanded from personally-owned and managed devices (BYOD) to personally-owned and managed cloud, mobile and desktop/laptop applications of many types.

In short, today’s modern network comes with an expanded attack surface. There is no longer a defensible perimeter that can fully protect corporate data.

BAD ACTORS HAVE BECOME MORE SOPHISTICATED

A key reason for the success of cybercrime is that cybercriminals are well funded (often because they are enabled by organized crime), have the technical resources needed to create new and ever more capable attack methods, and tend to collaborate with one another to share new techniques and processes. For example, a study by Bromium found that the most successful cybercriminals can make up to $2 million annually, and even beginners and hobbyists can generate an income of $42,000 annually[xi]. Cybercriminals can generate individual earnings that are up to 15 percent higher than traditional crimes[xii]. Moreover, laundered funds from cybercriminal activity are estimated at up to $200 billion per year[xiii]. In short, money is a key motivator for virtually any activity and cybercrime is no exception.

The result has been that cybercriminals have been able to develop new and ever more sophisticated techniques to penetrate corporate defenses. This has led to new penetration techniques, fileless malware, and an increased emphasis on compromising credentials and account takeover.

THE CONSEQUENCES OF SECURITY LAPSES HAVE BECOME MORE SEVERE

While security breaches have always carried with them serious financial, reputational and other consequences, regulations like the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), among many others, have made the consequences of security problems much more severe.

For example, if a bad actor is able to penetrate the defenses of a company that has not properly protected its sensitive corporate data, such as Personally Identifiable Information (PII) or Protected Health Information (PHI), the company can face enormous financial penalties. Moreover, new privacy regulations and individual requirements within them (such as Article 33 of the GDPR) require reporting of a data breach within 72 hours. Organizations that do not have the ability to detect that they have been breached – let alone understand the cause of the breach and how to remediate it – can run afoul of regulations that require rapid response to breaches and other security issues.

THE SKILLS SHORTAGE IS COMPOUNDING THE PROBLEM

The very well-publicized cybersecurity skills shortage is compounding these problems. Because many organizations cannot find or afford a sufficient number of highly skilled security analysts and other security staff members, they often will not have the resources necessary to investigate, analyze and remediate security alerts and the various threats they encounter.

©2019 Osterman Research, Inc.
