Digital Guardian looks at the risks of endpoint security
Adam Burns, Director of Cybersecurity at Digital Guardian, is an expert in cybersecurity, specifically threat detection and protection. He graduated from Wentworth Institute of Technology (WIT) with a Major in Computer Networking and a Minor in Computer Science, and subsequently worked as a Systems Engineer at Kaspersky Lab, where his interest in security was born. He has been in his current role at Digital Guardian for over seven years. Here he looks at the modern threats associated with endpoint security.
Personal devices have become something of an operational and cybersecurity challenge. With data being stored across a variety of phones, tablets and laptops, content sprawl has become a serious worry for CIOs; in fact, more than three quarters of them are concerned about it. With more organisations now moving towards secure access service edge (SASE) models for their security, it is important to understand the capabilities of this approach, the requirements to make it work and its role in securing personal devices.
SASE solutions are designed to address security across a distributed workforce. They do so by incorporating network security functions including Secure Web Gateways (SWG), Cloud Access Security Brokers (CASB), and Zero Trust Network Access (ZTNA) with Software-defined Networking (SD-WAN).
By definition, SASE implements authentication, authorisation, monitoring and control at the ‘service edge’, where users and systems interact with data, rather than on each device or in the datacentre. As it stands, however, the SASE concept leaves organisations with some significant security gaps, particularly at the endpoint.
While SASE solutions have visibility over data stored in the cloud, they typically do not extend to on-premises or endpoint storage. Given endpoints represent the primary attack vector for insiders and are often targeted by external bad actors, the sensitive data they contain becomes even harder to protect in the rapidly evolving remote work environment.
Indeed, the lack of security oversight many organisations have over their growing network perimeters leaves their SASE technologies vulnerable when employees bypass corporate VPNs, use outdated or unpatched devices, or, perhaps worst of all, connect to public Wi-Fi hotspots.
In addition, SASE infrastructure can suffer from inconsistent policy enforcement. According to Gartner, these technologies don’t currently support distributed cloud architectures or platforms such as AWS Outposts, Google Anthos or Microsoft Azure Stack.
Safe And Secure Everywhere
These are important considerations, and given the dramatic and long-term rise in Work From Anywhere (WFA) culture, security leaders need to focus on their vulnerabilities and on the steps they can take to address data security at the endpoint in particular.
Firstly, protection needs to recognise the variety of circumstances and technologies inherent in the WFA environment. In doing so, security teams must have visibility of data wherever it resides, no matter which operating system each member of staff is using or whether they elect to use on-premises devices or cloud applications. The point is that an effective security strategy should make it easier to identify and block threats in all their forms, and no technology does that better than data loss prevention, or DLP for short.
Data loss is not always the result of a malicious attack, and DLP is a proven tool for seeing and controlling risky user activity. There are many circumstances in which employees may be inadvertently responsible for security incidents, such as when moving large files to cloud drives to bypass email size limitations. Another example is copying data from a ‘password.txt’ file into a web login page. While the relative risks vary, security teams need to a) know this is happening so they can prevent data loss, and b) utilise technologies that can alert users to the dangers of these and other activities.
Some DLP solutions can even provide granular, contextual control to determine what actions may be taken with the data, by whom and under what circumstances. Enabling privileged users to configure devices while prohibiting them from viewing specific, sensitive files on those devices helps ensure data can be used in its full and legitimate manner.
While SASE solutions can provide control over native web applications, they are unable to monitor and control the desktop applications used to access those services. In today’s hybrid and remote environments, however, security must cover both corporate and personal collaboration application accounts like Microsoft Teams, Skype, Slack, and Zoom. In the process, effective DLP can be employed to block users from sharing sensitive files, warn them about the risks, require a justification or just log any attempt to do so.
Then there’s the issue of blocking and protecting removable media, whereby malicious insiders seek to evade security by copying sensitive files to removable storage devices. Effective DLP solutions should monitor and control this kind of information transfer across everything from Bluetooth, USB and CD/DVD form factors to Media Transfer Protocol (MTP) and Picture Transfer Protocol (PTP) devices.
Also essential is the ability to block users from printing sensitive information, even on their home network. When DLP integrates data classification with user and action context, it can block or warn the user, as well as maintain an evidentiary-quality log of all attempted and completed actions. To offer flexibility, printing should be restricted to a specific network printer so that an administrator can review jobs before the printed documents are released.
Ultimately, SASE and DLP are not mutually exclusive. While SASE combines multiple technologies to simplify and improve network security, the growing WFA trend has highlighted its limitations. As a result, DLP has risen up the list of priorities for security leaders and their teams who now need to extend visibility and control across a wide range of endpoint devices.
In an environment where organisations must balance efforts to protect their networks with enabling effective remote working, the pressure is on to deliver both. The key is to develop a strategy using DLP technologies that work on the broadest collection of endpoints, providing visibility and control over all sensitive data, educating users about unsafe behaviour, blocking malicious actions, and providing the detailed reporting security leaders need.