Category: Endpoint Security

The Future of Botnets is IoT

by Josh Mayfield | Apr 23, 2019 | Data Visibility & Protection, Endpoint Security

Just when defenders think they have successfully eliminated a threat, attackers come back with new variants capable of circumventing previous blockades. This is the case with the Mirai Botnet, a self-propagating botnet malware that first started causing wide-spread destruction via home routers in 2016. What is a botnet and how are they evolving to stay ahead of defenders? As Mirai demonstrates as recently as this month, the future of botnets is IoT.
What is a botnet?
A botnet is a group of computers connected in a coordinated fashion for malicious purposes. Botnets are comprised of individual computers —called bots — that have fallen under the control of cyber criminals. Most often, these crooks start with a virus to gain control of individual computers and then connect them into a giant botnet army. Botnets are used to launch expansive criminal activity such as coordinated distributed denial-of-service (DDoS) attacks or large-scale spam campaigns. In many cases, an individual computer owner may not even know their computer is being used for illegal activity – they become Zombie computers or bots.
How botnets are gaining strength
Unlike traditional botnets made up of computers, the Mirai botnet was the idea of some really smart teens who were trying to gain a competitive edge in the game, Minecraft. The idea quickly grew into a connected army of internet of things ‘IoT’ devices such as routers and digital cameras. Then, in the fall of 2016, the Mirai botnet orchestrated a massive distributed denial of service (DDoS) attack against internet domain company, Dyn which resulted in website failures at Twitter, Netflix, CNN and many other big brands in the U.S. and Europe.
Mirai has continued to evolve since then, with new variants popping up regularly. As recently as this month, reports surfaced about a collection of new Mirai malware samples compiled to run for “Altera Nios II, OpenRIC, Tenilica Xtensa and Xilinx MicroBlaze processors.” This, according to researchers, increases the number of devices that can be added to the Mirai botnet.
Even in the three short years since Mirai was first discovered, the number of IoT devices have grown exponentially. Printers, IP cameras, building controls, wearables and many other smart devices are now commonly used both at work and at home. With an internet connection built into each one, they all represent a possibility for botnet control and subsequently, a source for large-scale DDoS attacks and other criminal activity.
Preventing a botnet attack
What can you do to prevent your device from falling into botnet control? First, you need visibility into what devices you have and the security control each has running. Are those controls working? Is the device still where is should be? Another important early step is to change the default password set by the device manufacturer. Customize your devices — all your devices — and boost their security individually.
If you would like more information on botnets and how they work, watch the next episode of our Cybersecurity Insights video below. And while you’re at it, watch and subscribe to our full Cybersecurity Insights video series on YouTube.

Video Transcript:
Hey everyone, it’s Josh from Absolute. We’ve been talking about cyber threats and in today’s episode, we look at one of the shadowy characters: botnets.
The term botnet is a mashed-together term that comes from robot and network.
A botnet is an array of hacked computers, connected together so they can team up to perform cyber-attacks.
Typically, the user is totally unaware that their device has been compromised and joined some rebel army; this is one of that computers inside the botnet are often called ‘zombie computers’.
These zombies are controlled by a number of protocols, including: Telnet, IRC, Peer-to-Peer (P2P), and domain controls.
These control systems allow the cybercriminal to link the hacked machines together for a powerful and coordinated attack.
So what do they do, these botnets? The most common form of botnet attack is denial of service, which can also be widespread, hitting many of your resources at once. This is called a distributed denial of service attack or DDoS.
When a collection of zombie computers within the botnet send millions of requests to something like a webserver, the webserver can crash…leaving legitimate requesters unable to access the service.
Beyond denial of service attacks, botnets have been observed launching spyware, email spamming, click fraud, and GPU mining; enslaving millions of machines to churn out cryptocurrencies.
In 2018, 37% of botnet zombie computers were endpoints in the United States.
That’s right! Although most botnets are controlled outside the U.S., close to half of the machines are working inside the USA.
We just don’t know it, because most of the time…we lack visibility to every device – especially those off the corporate network.
The largest botnet of all time (so far) was called BredoLab, also known as Oficla, and had more than 30 million zombie computers to do its bidding. Thankfully, BredoLab was dismantled in 2010.
Botnet attacks are dangerous because they don’t come with a return address; you can’t know for sure who’s doing it and when it’ll happen.
Even though we can’t predict botnet attacks, we can reduce their odds of success with ceaseless endpoint visibility and control.
Don’t forget to like and comment below. And remember to subscribe to get more Cybersecurity Insights. I’ll see you next time.

10 Future-Proof Cybersecurity Tips for Healthcare

by Josh Mayfield | Apr 18, 2019 | Endpoint Security, Healthcare

The threat of cybercrime can be felt most strongly where its impact is most acute. Although threats are very real to all industries – including critical infrastructure, government, financial services and others –healthcare has the biggest target on its back today. These threats have been steadily rising for many years and last year was no exception. See the 15 largest health data breaches of 2018. What can you do to bolster stay safe in 2019? Here are 10 future-proof cybersecurity tips for your healthcare organization.
Individual Impact
The impact of data breaches on organizations is significant, with healthcare data breach costs ranking the highest of any industry at $408 per breached record. But what about the impact to a patient? What happens when patient data is used in medical identity theft for years, only discovered when the collections agency comes calling? Or worse, when a patient receives incorrect medical care because the medical record is compromised by false updates? What happens to the patient who enters the hospital for care only to find all hospital systems shut down by ransomware? What happens to the patient if his pacemaker or MRI machine is hacked?
Risky Technology
Healthcare technology is continually advancing with the goal of improving patient outcomes, and yet many technologies are being deployed before security concerns can catch up. We trust that we’ll receive the best care possible from our doctors, but we’ve only just begun to feel the impact of cybersecurity threats on patient care. So, what can healthcare organizations do to improve this escalating situation?

Review all contracts — Healthcare organizations today are large and complex systems, with many ‘smaller’ entry points through partner systems or vendors. Security standards must be reviewed regularly and a process put in place to promptly report data breaches by all partners and vendors. Organizations should make sure that they have the contractual rights to insist on security standards for vendors.
Formalize breach notification process — Include both detection and response capabilities and consider purchasing special insurance. Under GDPR requirements, organizations must report a data breach within 72 hours. Read: 5 Tips for Compliance Officers Dealing with GDPR.
Rehearse your data breach plans — Make sure your organization can report on the consequences of a breach in a timely manner.
Maintain endpoint visibility — Ensure firmware and software can be updated against vulnerabilities and alerts can be issued if a device goes missing, misses an update or shows signs of tampering.
Protect legacy technology — The reality of limited budgets in healthcare means that many legacy systems remain unsupported and that could place the entire network at risk. Isolating these systems or building protections around legacy systems can serve as a temporary safeguard until systems can be modernized.
Automate detection and response capabilities — A recent Ponemon study found that traditional endpoint security approaches are costing enterprises more than $6 million in poor detection, slow response and wasted time. Security solutions should be automated to detect and contain threats with minimal human input or intervention.
Add resiliency to security solutions — How can you ensure that your current security controls cannot be tampered with by malicious or insider activity? This resiliency is available through Absolute’s persistence technology.
Help the C-suite understand — Appoint a CISO or Data Protection Officer to be responsible for data security and ensuring data security is a regular topic by the Board, a key differentiator in reducing security gaps.
Educate staff — Train them on the importance of data security to mitigate the insider threat. Have a well communicated policy on how and when to report lost devices or suspicious texts or emails and enforceable repercussions for infractions.
Conduct regular compliance reviews — GDPR lays out stringent data protection requirements, as does HIPAA and HITRUST. Be proactive in identifying and rectifying issues. Read: HIPAA Compliance Checklist for 2019

Patient medical records are now the #1 target for cyber criminals. And healthcare organizations are legally required to protect their PHI, even as it leaves their systems and goes to other covered entities.
For more on how you can prevent data breaches, read about actionable strategies in the whitepaper, Data Breach Prevention for Healthcare: A Best Practice Guide.

Uncovering the Fragility of Endpoint Security

by Josh Mayfield | Apr 17, 2019 | Data Visibility & Protection, Endpoint Security

New report highlights vulnerabilities caused by the degradation of endpoint security solutions over time.
IT and security professionals have a huge range of tools and technologies at their disposal to help combat data and device security risks. In fact, by 2020, the global spend on IT security is predicted to total a staggering $128 billion. Despite this, every week it seems there is news of another high-profile data breach.
A new primary research study by Absolute has uncovered an explanation for this: much of IT security spending is done in vain due, in part, to missing or broken endpoint security agents or disabled controls.
The study found that the fragility of endpoint security tools causes the efficacy of these tools to diminish significantly over time — unless those tools are deliberately controlled to improve their resilience.
Endpoint security is more vulnerable than you think
Our security research team gathered data from over one billion change events on more than six million devices. They monitored the data over a one-year period to see how security solutions performed — or failed to perform — during that timeframe. The sample included data from 12,000 anonymized organizations across North America and Europe.

One billion change events
Six million devices
12,000 organizations (anonymized)
One-year benchmark study

The findings were eye-opening. While it’s reasonable to expect the fundamental endpoint security solutions we invest in — such as encryption, antivirus/anti-malware (AV/AM)— to keep our devices secure, the harsh reality is this: Endpoint security solutions fail reliably and predictably. The false sense of security they provide is probably enterprises’ biggest risk.
Security tools fail: Endpoint security is flawed
We expect encryption to protect our data, AV/AM to protect us from cyber threats, and client management tools (CMT) to ensure our applications are patched and safe from publishing vulnerabilities. Our expectations are too high, apparently.
Read: The Biggest Challenges with Encryption
Our research shows that encryption is regularly disabled, broken, or missing entirely. In fact, 100 percent of endpoint security tools failed eventually — no tool is immune. And of the devices where encryption fails, 30 percent remain unencrypted for more than 60 days — an unacceptable window of data vulnerability considering the heavy penalties laid down by HIPAA, PIPEDA, GDPR, and other global regulations.
The 2019 Endpoint Security Trends Report uncovers some startling truths about what is putting organizations at risk.
Our research also found that 21 percent of devices had outdated AV/AM; additionally, seven percent of endpoint protection tools were missing altogether, leaving 28 percent of devices unprotected.
28% of Endpoints have AV/AM that is either outdated or missing altogether
Further to this, 23 percent of the patching tools designed to remediate vulnerabilities in devices and the applications running on them were broken or disabled. This is concerning since the 20 most common applications published over 5,000 vulnerabilities last year. In fact, every 5.7 days there’s at least one vulnerability published by the top eight application publishers This means that every few days, there’s a window of opportunity for attack on almost a quarter of your devices.
Key takeaways from the 2019 Endpoint Security Trends Report include:

28% of endpoints have missing or outdated endpoint protection tools
100% of devices experience an encryption failure within one year
42% of endpoints are unprotected at any given time

Strengthen existing endpoint security
While the analysis is sobering, it doesn’t mean that existing security tools are without merit — they just need greater resilience.
There is a way for organizations to monitor, manage, and secure their entire endpoint infrastructure so their staff can do their best work safely, from anywhere. Absolute’s technology is embedded in the firmware of more than 500 million of the world’s devices. Because it’s the only embedded security solution, it maintains a persistent connection to devices.
This connection enables IT and security professionals to keep a close eye on existing security controls to ensure they’re always performing at an optimal level. In this way, IT and security teams can unlock value from solutions they’re already paying for and avoid unnecessary spend on yet more endpoint security.
Uncover the findings from an extensive primary research study analyzing over six million enterprise devices over a one year period and discover actions toward real-world resilience. Read the Endpoint Security Trends Report 2019.

IT Complexity: Metrics and Strategies to Navigate and Measure Performance

by Josh Mayfield | Apr 12, 2019 | Data Visibility & Protection, Endpoint Security

IT complexity is one of the biggest roadblocks to success. One of the culprits is the tendency to pack endpoints with more and more controls, apps, and of course, agents. When an organization’s device and agent population expand, they compound the effects of one another; not multiplying endpoint complexity, but exponentiating it.
Different agents compete with one another for the device’s underlying resources: hardware, software, processes, etc. These zero-sum cage fights are more common as the number of agents has grown. Moreover, the variation in hardware — Dell, Lenovo, Microsoft — and software — OS versions and builds, agents, apps—has made everyone a de facto multi-platform enterprise.
This power law creates more security-eroding complexity than security-enabling assurance. Because…by the laws of probability, there are now many more ways for things to go wrong, than to go right. The astonishing odds against this backdrop fall at the feet of IT and security teams trying to make sense out of what appears to be a senseless device-agent landscape.
This tangled web of complexity has completely changed how we see, control, respond to, and secure endpoints.
What Is IT Complexity?
The concept of IT complexity isn’t anything new. In fact, a 1979 paper by Bill Curtis was written to address the issue.
But not too long ago, keeping track of all our devices and everything running on them used to be manageable. Even ten years ago, maintaining agents and tools was a fairly straightforward process; so having conflicting controls, apps and agents on your devices just wasn’t a factor.
Those days are long gone, however. Today, device care is 12 times as difficult to reach the same degree of endpoint cyber resilience.
Why? Because every control, app, and agent is tapping into hardware and software resources — a zero-sum game in which some feast while others starve.
This agent friction leads to some startling results. Data from a recent webinar, The State of Endpoint Security 2019, recently revealed:

At any given time, 28 percent of antivirus/antimalware agents fail
42 percent of encryption agents go to an early grave
50 percent of repaired client/patch management agents required more than three repair events within one month
..in an era where patching is already a struggle, one in five patching agents break every month.

Our maniacal pursuit to stuff endpoints with controls, apps, and agents creates entirely new risks. By adding more security controls on a device, our organizations aren’t getting any safer; in fact, this only increases endpoint vulnerabilities. Worse, it diminishes the capabilities of our IT people. With so many tools and combinations, it’s almost impossible to determine what is causing things to fail.
When complexity intensifies, exposures that open up the attack surface become a feature of our IT environments.
To achieve cyber resilience, we must first acknowledge the self-inflicted trouble that occurs when we stuff our endpoints with competing agents. It’s as if we’re putting all our endpoints into a knife fight in a phone booth!
When agents conflict, we can optimize their behavior. When they fail, we can regenerate them, bringing them back to life. This is the power of persistence.
How to Measure IT Complexity
“Measurement is the first step that leads to control and eventually to improvement. If you can’t measure something, you can’t understand it. If you can’t understand it, you can’t control it. If you can’t control it, you can’t improve it.”–H. James Harrington, business process guru.
Measuring IT complexity is all about looking for redundancy. You basically need to establish a heatmap of where things are getting complex. You need to answer these questions: Where is there agent creep, driver creep or app creep within your endpoints? What are all the OS types, device types, and client types within your organization? What is the lifecycle process?
There are so many factors, but these variables must be measured.
Sound overwhelming? It is. It isn’t called IT complexity for fun.
Measuring everything manually can be done, sure, but at what organizational cost? You can bring your enterprise architecture team into every budget meeting with a live inventory framework, and spend countless hours strategizing, but how sustainable is that?
The best way to help measure and deal with IT complexity is to reduce the effort. You need to manage it. If you’re in IT, you have no choice.
You need to manage your FTE (full time equivalent). What if you can reduce your FTE from 3½ to .3 in measuring complexity?
The only way to properly measure complexity is to have a solution manage it for you.
What It Means To Have IT under Control
To achieve true IT resilience, your endpoint management solution must go deeper and have a full view of everything going on within and outside of your devices with a privileged position.
You need to have a solution that resides right in the firmware to understand the complexities of your ecosystem. When measuring complexity, it’s imperative to get a detailed snapshot of your endpoints versus a sample level.
Most solutions on the market can look at your endpoints and present data that — if it were a court of law — would amount to circumstantial evidence. With Absolute, it’s like a DNA test.
Or think of it in other terms: say your friend sends you a video of a cute cat playing the piano. The coding behind that video is made up of ones and zeros. The coding is merely information; the other — the video — is knowledge. You want knowledge.
How to Manage IT Complexity
How do you even get started managing IT complexity without the right knowledge?
Absolute can not only provide validation that something may have occurred, but it looks at the implications of your services, can boomerang all the relevant data back to you and display a modelling of what happened before and after each incident.
When the time comes to demonstrate, prove, and validate your security posture, Absolute can be audit-ready and close the complexity gap with ceaseless visibility and control.
Want to learn more about how reducing IT complexity can lead to resilience for your endpoints? Watch our new webinar: The State of Endpoint Security in 2019, to discover actions you can take toward real-world resilience.

Phishing Scams and Malware: What You Need to Know this Tax Deadline

by Josh Mayfield | Apr 10, 2019 | Endpoint Security, Ransomware

Filing your taxes each year can be a painful process and sadly, cyber criminals continue to amplify the confusion. Phishing scams and malware again topped this year’s “dirty dozen” list of prevalent tax scams published by the Internal Revenue Service (IRS).
What are Phishing Scams?
Phishing scams are fake emails, text messages and websites set up by online scammers as a way to steal personal information and gain access to your system, and lets malware loose to wreak havoc.
Tax Fraud and Identity Theft
Inevitably, Tax Day brings phishing scams and malware. In a warning to tax payers last month, the IRS said phishing scams, or messages that look like they are coming from the IRS or other legitimate tax service companies, commonly lead to both tax-related fraud and identity theft. With more than 135 million Americans filing their taxes electronically last year, it’s easy to understand why the annual event is such a lucrative target for cyber criminals.
Phishing emails are step one into a larger, nefarious effort. The messages may contain links to malicious websites set up by crooks to steal your data. One cybersecurity firm discovered more than 100 such sites this year alone – all designed to make the user think they were using a legitimate website. In reality though, the site only existed to steal login information for the actual, legitimate site it was impersonating and/or personal details such as social security numbers or even passport numbers.
Read Top Cybersecurity Threats of 2018 Revealed
Other phishing emails are designed to coax you into downloading malicious software, or malware. This year, some of the more common malware downloads stemmed from phishing messages that appear to come from Intuit, the makers of Quickbooks and TurboTax. Others target businesses and look as if they have been sent from accounting or payroll service companies like ADP. These messages include an Excel file attachment that, once opened, is programmed to install a Trojan on your computer for further data pilfering.
TrickBot Banking Trojan
A Trojan is a program that claims to perform one function but actually does something else entirely. One popular Trojan for this year’s tax filing deadline is TrickBot. It targets Windows users through a malicious Excel document and once infected, the malware combs for passwords, banking information and other credentials to send back to the attacker. The information can then be used to steal funds and in some cases, file fraudulent end-of-year tax forms for further financial gain.
Tax Day is a popular event for cyber criminals to lean in on, and there are many others. Black Friday and Cyber Monday are two other national events that call for added caution and so are more personal events in your life such as home buying. Cyber criminals’ methods continue to grow increasingly sophisticated. The best thing you can do is educate yourself, and your users, on their tactics.
If you’d like more information on the more common attack types such as phishing, trojans and even ransomware which has been a significant issue for many in recent years, watch the next episode of our Cybersecurity Insights video below. And while you’re at it, watch and subscribe to our full Cybersecurity Insights video series on YouTube.

Video transcript:
Hello again, Josh here from Absolute. In the last episode, we saw how threats come in many forms. In this episode, we’ll explore a couple of ways those threats use to get to the goods.
Let’s look at phishing, the most common tool cybercriminals use to get access to our systems.   We’ve all seen it; the email from your bank or a company you patron asking you for information. ‘Please, update your account (or profile or membership or…)
Logos and font styles look real.   There’s the button, staring back at you. What is it about people and buttons? There is an unmistakable urge to click!
Now that you’ve scratched the itch to click, the attacker gets a toehold to push malware, ransomware, or even grab control over the device.   Phishing is the most widely used weapon for cyber-attacks for one, single, very important reason. It works.
It exploits our most basic instincts: curiosity, cooperation, trust, and willingness to share and help.
When we fall for these deceptions, we’re likely to play host to some unwelcome guests in our IT environment: malware.
Malware is a smashed word coming from malevolent (meaning, bad) and software. Malware tends to come in four forms:

Viruses
Worms
Trojans
Hostage-takers (aka Ransomware)

Viruses are aptly named, they infect the system and interact with the normal processes to either get the user to do something that gives access, or disable the system so that it is unusable.
Worms are designed with the expressed intent to replicate and spread to other systems. Much like viruses, these pesky malwares corrupt the host system, but are tailored for reproduction and thus are more damaging.
Compounding the sadism, we have trojans. These malwares look like approved apps and software (like a printer driver) so they’re not as easily detected by anti-virus apps. Once installed, they replicate and forge onward to other resources playing the same trick.
By now, most of us have heard about the last of these weapons: ransomware. The malware designed to lock your files and data until you pay a fee – usually in a cryptocurrency so it can’t be traced.
The good news, of course, is that no phishing scam or malware is effective without an existing vulnerability.
Once again, we see why having persistent visibility and control is so essential. Unless we can see our trouble-spots and quickly remove the risk, we are bound to fall victim to these attack vehicles.
In our next episode, we’ll look at the growing threat of botnets. Be sure to subscribe and leave your comments below. I’ll see you next time.

The Biggest Challenges of Encryption

by Josh Mayfield | Apr 8, 2019 | Compliance, Endpoint Security

Encryption is a staple security control for most organizations. In a recent Ponemon study, enterprise use of encryption hit an all-time high this year with 45 percent of organizations now having a comprehensive encryption policy in place. Conversely, just 13 percent of organizations have no encryption capabilities. What is the biggest challenge organizations face in implementing their encryption policy? Simply having visibility into their data and knowing which needs to be protected.
What is Encryption?
According to Techopedia, Encryption is the process of algorithmically transforming information to make it unreadable for unauthorized users. The encoded data may only be decrypted or made readable with a key and while it can be used to protect data at rest, it’s most often used during the transfer of information. In 2018, encrypted traffic reached 72 percent of all network traffic – a 20 percent increase over the year prior.
Encryption means data is only readable by senders and receivers, not third parties who may be trying to get their hands on it. In the age of big data, where organizations collect and share information at unprecedented rates, encryption is a critically important tool.
Adoption Driver: Compliance
Along with the need to protect against rising data breaches, another primary driver behind increasing encryption use is compliance. Data protection laws – including GDPR, CCPA, PIPEDA – require organizations to prove that encryption was in place at the time of a security incident or face some hefty fines – to the tune of $3.86 million dollars which is the average cost of a data breach now.
GDPR repeatedly highlights encryption as an ‘appropriate technical and organizational measure of personal data security.’ Under GDPR, organizations must notify regulators and impacted individuals of a data breach within 72 hours of the incident unless the data in question was sufficiently encrypted.
Having encryption in place can save your organization from potentially disastrous reputational damage. More than the cost of the fines, reputational damage caused by losing the trust in the eyes of customers and the public can ultimately be the factor that destroys an organization’s success.
The Human Element
Encryption isn’t without its challenges however and a big one is the very people who use it. Users are often the weak link in your security chain – another new study found employee mistakes continue to be the most significant threat to data security. Encryption may be mathematically guaranteed but it can also be complicated to implement and confusing for users. This often leads to employees disabling it or insecurely sharing decrypt keys which makes the entire program void.
Device Complexity Creates False Sense of Security
Encryption is a powerful tool but it’s still just one ingredient in your overall security mix. It is most often paired with other endpoint security solutions such as patch management, antivirus and antimalware along with firewalls, SIEM solutions and many others. All have their place, but the rising number of solutions deployed on any given device contributes to significant complexity making monitoring them a challenge. Tools don’t always integrate or work well together and/or controls easily become misconfigured.
The high volume of security tools often provides a false sense of security because broken tools can leave big gaps in an organization’s defenses. Instead, IT and security teams need to be able to better understand what’s happening on their devices and respond to suspicious events to reduce security failures. Adding more and more security controls to the endpoint may perpetuate the risk.
It’s imperative that encryption and any other fundamental security tools are working at all times, as intended in order to have visibility and control over devices that contain data or network access.
To learn more about how security tools degrade and how you can analyze the tools you already have to identify blind spots or opportunities to strengthen your defenses, listen to the recent webinar we did with Forrester analyst, Renee Murphy titled The State of Endpoint Security in 2019.

Increased Security Spend Creates Enterprise Risk

by Josh Mayfield | Apr 4, 2019 | Data Visibility & Protection, Endpoint Security

It’s become a vicious cycle. Budgets grow, tools are purchased, and IT workloads expand. But in the end, IT teams are still forced to scramble and mega data breaches continue. What is going on?
Security teams evolve and improve, but so do the cybercriminals who are equally as determined to pilfer your data. In the forever game of cat-and-mouse, the answer for many organizations has come in the form of increased security budgets and more tools on devices.
Is this fear propelled InfoSec budget explosion working? The evidence – overwhelmingly – says no. In fact, increased security spending actually creates enterprise risk.
Security Fatigue
Despite growing budgets and a heightened awareness of cybercrime, the majority of IT security teams remain unsatisfied with their results. Absolute is releasing a new report that represents more than six million endpoints studied over a one year period. In it, nearly three-fourths of respondents say they have little or no confidence in their ability to prevent and mitigate risks. The data also shows more than half of ‘high-security spenders’ have suffered a data breach.
There are many reasons behind the high no-confidence vote and the report offers an interesting deeper dive into that topic. One obvious driver though is the strong correlation between endpoint complexity and increased risk.
Security Tool Degradation
Regardless of the security tools you use, all of them degrade over time – no tool is immune. Patches fail. Encryption breaks. Antivirus falls out of date. Not only are these failures inevitable, but they also happen faster than you think too. The more security tools you use and devices you manage, the more rampant the problem. No matter how many new solutions you layer on top. Rather, the data says, because of the new solutions layered on top.
The research found that devices can have 10 or more endpoint security agents installed — including encryption, AV/AM, and client/patch management options. With all of these tools, there are virtually unlimited combinations on devices and there is no way to know which ones don’t play nicely together. Until they break.
How do you know if this is a problem for your organization? Better yet, how do you address it?
Asset Management
First, because you can’t secure what you can’t see, examine your asset management program. It should go beyond a quick asset inventory to include a comprehensive look at asset intelligence. This approach is an evolution from a simple catalog of your machines and include an identification of the business function for every resource.
Endpoint Health
Then, take stock of your device fleet’s Endpoint Hygiene (Health) Coefficient. I’ve described this idea in more detail in an earlier post (Read: NIST Cybersecurity Framework: Second, Build A Moat Part 2) but simply put, it’s a way to score your device fleet at a single point in time against your organization’s definition of endpoint hygiene on a scale from 0 to 1.
When your endpoint population is reckoned at “0” this indicates that no single device has any controls or configurations aligning with my policy or security intent. A hygiene coefficient of “1” signals that every device has every control, configuration, and policy-granting behavior in place. Both extremes are rare of course – you’ll typically fall somewhere in the middle.
Resilience
Finally, you need to know when agents break and have the ability to repair it immediately. Our data shows that 100 percent of endpoint security controls fail eventually and 28 percent of devices are unprotected at any point in a year. And no one knows. These blind spots keep IT and security leaders from being able to protect organizations and leave them increasingly vulnerable over time.
There is no one sure-fire way to keep hackers out of your data. However, it is possible to prevent security incidents by knowing what you have on your endpoints, removing unnecessary agents to reduce complexity, and ensuring that the basic protection tools are working as intended. Endpoint resilience is possible when you have visibility and control.
We talked in greater detail about the state of our industry, security tool degradation and what to do about it in a webinar with Forrester Principal Analyst, Renee Murphy titled The State of Endpoint Security in 2019. Listen in on the results of our new study and hear how endpoint security can flourish by persisting the controls, apps, and agents you already own.

What You Need to Know About Zero Trust

by Josh Mayfield | Apr 2, 2019 | Data Visibility & Protection, Endpoint Security

The Zero Trust security model establishes the idea that an enterprise cannot automatically trust any endpoint originating inside or outside of its perimeters. There is an authentication that happens at every single turn. Ideally, businesses should verify anything and anyone attempting to connect to their systems before granting access.
Think about going through the various stages of an airport from check-in to boarding. However, instead of going through security once to check your credentials, at every step you take there is another checkpoint to ensure you are the right person, and another, and another. That’s what Zero Trust is like.
What is Zero Trust
The concept of a Zero Trust Network (or Zero Trust Architecture), was the brainchild of former Forrester Research analyst John Kindervag. In 2010, he published a paper that introduced the concept to the IT world.
The granularity and micro-segmentation of a Zero Trust network enforces rules based on users, their locations, and/or other relevant details to determine whether that user, machine, or app requiring access should be trusted.
Without knowing the security status of an endpoint, Zero Trust networks won’t authenticate until it can verify the user and the location.
After an endpoint has been authenticated, a restrictive policy can be carried out for that specific session. Not unlike the “need-to-know” basis used by the government, a Zero Trust policy only provides the exact amount of network access required for users, machines or apps — nothing more, nothing less.
For independent security researcher Rod Soto, Zero Trust is not exactly zero in the literal sense. “Zero Trust is an operationalization of the least privilege principle and segregation of duties by the use of different technologies,” he said. “This can go from high privileges and full access to no access rights at all and can be applied to applications, devices, and users within and outside the perimeter.”
The role of network segmentation
Network segmentation is all about partitioning the network into smaller networks, and in doing so, restricting access levels. This way, hosts and services containing sensitive information would be on their own separate network — apart from other networks.
For example, you wouldn’t want sensitive HR or Finance data to reside on the same network as your general company documents or spreadsheets.
But to be effective, network segmentation requires careful planning and strict enforcement. Access should be monitored.
“I would say that a more comprehensive Zero Trust approach should go beyond just network segmentation and include asset and identity management components,” says Soto. “It is important to verify not just at the network level but also devices, applications, and users.”
Because once a bad actor compromises your network, they’re likely to poke around your systems in search of sensitive information, hosts and services.
Check out our Cybersecurity 101 guide to understand why preventing threats is so important.
Advantages of network segmentation
There are several benefits from segmenting your network and embracing the Zero Trust framework, the most obvious being improved security. We’ve discussed this above.
We’ve also touched upon better access control — the ability to make sure users and endpoints only have access to specific network resources, which can stop any accidental and malicious activity in its tracks.
Improved Containment
By segmenting your network, you reap the benefits of more containment of your network. Any networking issue that arises is limited to that local subnet. In addition to the attack protection, any network errors can be targeted to a precise location, which translates to an easier fix.
Improved Performance
With fewer hosts and endpoints per subnet, local network traffic can be minimized. By segmenting all your network traffic to its own subnet, you’ll use fewer resources detecting any incident.
Improved Monitoring
With network segmentation, you can not only log events but monitor internal connections (both approved and denied) and even detect suspicious behavior. Monitoring and logging events give your IT team the capability to notice patterns of malicious activity, and in turn, make the right changes so that future breaches can be prevented.
To sum up, according to Soto, Zero Trust can be used to strengthen defenses within and outside the perimeter, reduce the attack surface, contain and isolate intruders as well as improve management of security operations.
However, Soto advises that such implementations go hand in hand with business objectives. “I have seen applications of Zero Trust model that break legacy applications becoming counterproductive for business,” he said.
A few lingering questions
Although we’ve covered all the bases on the field of Zero Trust, there are still several concepts that are often confused. For instance — what is the difference between Zero Trust security and Zero Trust architecture?
While the two can be seen as interchangeable, Soto views Zero Trust security as conceptual models, with Zero Trust architecture representing the translation in technology deployment and implementation of such models.
You may also be wondering where PAM (privileged access management) fits into the equation.
“PAM is simply a technology framework that allows the application and enforcement of Zero Trust models,” Soto explained.
If all this sounds too restrictive to your business, we don’t blame you. But when it comes to your endpoints, it’s unfortunately not a question of IF there will be a breach, but WHEN.
How to achieve Zero Trust
The bottom line is, if you don’t have visibility into all of your devices, you can’t answer the question of whether they are trustworthy. If you can’t extract intelligence from your endpoints – all you have is an inventory – you also cannot determine their trustworthiness.
Existing endpoint security tools, such as encryption, AV/AM, and client/patch management, fail – regularly and reliably. Unless you go deeper, into the firmware, and have a ceaseless grip you cannot ensure trustworthiness of a device and achieve a zero trust environment.
All of these questions can be answered when you have visibility and intelligence. Absolute acts as an informant. It lets you know about the trustworthiness of devices, data, apps, people, and networks.
Learn more about how Absolute provides Asset Intelligence and helps you achieve a Zero Trust environment.

Top Cybersecurity Threats of 2018 Revealed – 4 Ways Attackers Accessed Data

by Josh Mayfield | Mar 26, 2019 | Endpoint Security

Billions of people were affected by data breaches in 2018. Now is the time when, if we’re paying attention, we can learn a lot from last year’s barrage of cybersecurity threats. A breakdown of the top cybersecurity threats from 2018 won’t make us immune from attack in the future, but it can help us hone our defenses for the upcoming year.
Attacks Are On the Rise
In November, Marriott announced news of a breach of more than 500 million customers. Days later, question and answer site, Quora disclosed a security breach that compromised as many as 100 million users. Facebook also joined the ranks of the breached in 2018 with more than 29 million users compromised. News got worse for the social media giant and their users when further inappropriate access to the tune of 87 million users as a result of the Cambridge Analytica scandal.
Climbing data breach tallies tell us one thing – cyber criminals are ramping up their efforts, not down. We also know the thefts are increasingly pervasive because cyber crime is a lucrative business. From your personal health dossier to your banking credentials to your Netflix login, cyber thieves can buy just about anything on the Dark Web. Prices vary from seller to seller, just as the quantity and quality of information available.
Last month, 617 million account details stolen from 16 hacked websites went up for sale with a single asking price of $20,000 in Bitcoin. Voter lists are said to sell for anywhere from $150 to $12,500 each today, depending upon the state and size of the list.
4 Ways Cyber Attackers Accessed Data
Cyber thieves have a variety of hacking tools at their disposal – sometimes influenced by the kinds of kits being sold on the Dark Web but more often, their tactics are driven by opportunity. According to Forrester’s State of Data Security and Privacy: 2018 to 2019, the most successful attacks last year were:

External attacks (40%)
Internal incidents (24%)
Third-party attack (21%)
Lost or Stolen assets (15%)

Most external attacks include the likes of denial of service (botnets in high gear), web app seizures, stolen credentials (usually from phishing), and of course, exploited vulnerabilities.
Making up nearly a quarter of all attacks, insiders can abuse access by knowingly changing or stealing data. More often though are sins of omission, like unreasonably high privileges that provide someone with far too much access.
Third-party attacks include the partners, suppliers, contractors, and even clients who push their own compromises into your environment. Rarely does this happen on purpose, but without constant vigilance, interconnected businesses provide the ingredients for this likely damage.
Lastly, things get lost. One out of every six successful attacks can be blamed on a lost or stolen asset such as a laptop, tablet or even phone. Once an asset is outside your view and control, anyone accessing the device is, by definition, gaining unauthorized access.
Read Lost or Stolen Devices: What To Do In 4 Steps
Knowledge of the four primary ways attackers are breaching organizations today is prescriptive. And today, you need to prepare for both outside attacks and troublesome insiders. Diligence is also required across your partnership network, although perhaps slightly less so right now if budget prioritization becomes an issue. And so is constant vigilance over all of your devices, all of the time.
For more information on the state of cybersecurity threats, watch the next episode of our Cybersecurity Insights video below. And while you’re at it, watch and subscribe to our full Cybersecurity Insights video series on YouTube.

Video transcript:
Hey there, it’s Josh from Absolute. In today’s episode, we’re going to take a look at cybersecurity threats.
What makes a something a threat?
Well, let’s look at the definition of a threat: a person or thing likely to cause damage.
Ah…it must be likely to cause damage.
Looking for threats forces us to think in probabilities.
In 2018, the most successful attacks were:

External attacks (40%)
Internal incidents (24%)
Third-party attack (21%)
And Lost or Stolen assets (15%)

Let’s take a closer look…
External Attacks are the likes of denial of service (botnets in high gear), web app seizures, stolen credentials (usually from phishing), and of course, exploited vulnerabilities.
What about internal incidents? Making up nearly a quarter of all attacks, insiders can abuse access – knowingly changing or stealing data – while many more are sins of omission, like unreasonably high privileges giving far too much access.
Number 3: third-party attacks. These are the partners, suppliers, contractors, and even clients who push their own compromises into your environment. Rarely does this happen on purpose, but without constant vigilance, interconnected businesses provide the ingredients for this likely damage.
Fourth and last, things get lost. One out of every six successful attacks can be blamed on a lost or stolen asset. That makes sense. Once an asset is outside your view and control, anyone accessing the device is, by definition, getting unauthorized access. They’re not the authorized user.
What’s the attacker’s goal? The primary motive is greed; you have something the attacker wants: information.
Whether the attacker is manipulating data or stealing it outright, the attacker profits.
If stealing data, countless customer records and intellectual property can be sold on the Dark Web or to a buyer who wants to do you harm.
When manipulating data, the attacker is provoking your organization’s behavior, and based on that reaction, the attacker can reap the profits in the stock market when buying and selling.
If we lose visibility and control, risks become more likely; when risks become more likely, they turn into threats. It all about visibility and control.
In the next couple of episodes, we’ll take a look at some common characters on the threat landscape like botnets, phishing schemes, and mutating malware.
Be sure to subscribe (and a little thumbs-up ‘like’ would be nice) and drop your comments below, I’ll see you next time.

Endpoint Security 2019

by Mitch Kelsey | Mar 18, 2019 | Endpoint Security

Endpoint security has come a long way. The threat environment today is nothing like it was back when employees would receive anti-malware updates on a floppy drive a few times a month. Endpoint security is its own market with solutions focused on many different angles, segments, and platforms. Let’s look at what endpoint security actually is, why it is important, how it differs from antivirus software, and what makes up a balanced security posture.
What is Endpoint Security?
The best way to think about endpoint security is in the context of covering any of the risks associated with devices (endpoints) connecting to your network. This includes laptops, desktops, tablets, smartphones, and a host of IoT machines.
In information security, we often refer to the concept of defense-in-depth. Layering security controls that address different aspects of your organization’s security posture ensures overlapping protection, minimizes the impact of a single failure, and reduces your attack surface.
In a traditional defense-in-depth model, a lot of the heavy lifting was done by your networking security infrastructure to manage tasks including controlling access, monitoring for suspicious activity, and correcting misconfigurations, and other vulnerabilities. However, many of your devices we use now operate outside the protection of your corporate network and, as a result, endpoint security has evolved to address these new challenges. If the border firewall was the edge of your security perimeter before, your endpoints, applications, and end users are today.
Although the landscape looks different, the same principles still apply. Addressing your security concerns with a posture that accounts for the many facets of your business needs ensures that the solutions you adopt are complementary for better overall performance.
From an endpoint perspective, this sounds a lot like endpoint management, doesn’t it? To be equipped to effectively identify, protect, detect, respond to, and recover from security events in your environment, you need to understand your device population, its health indicators, and expected behaviors. This asset intelligence ensures that you know what you need to know when you need to know it to make those critical security decisions. Additionally, the valuable intelligence that your endpoints generate out on your perimeter not only help you understand their own health and safety, but also enriches what you know about the security of your data, networks, and applications.
Read: FORECASTING INTELLIGENCE: TRANSFORMING IT ASSET MANAGEMENT INTO BUSINESS-CRITICAL INSIGHTS
Why is Endpoint Security Important?
With your endpoints, applications and end users becoming your organization’s new security perimeter, they have a big job to do. Any device that accesses your corporate resources on or off-network could be a potential target for attackers. IT and security teams have to contend with the pressures of BYOD (bring your own device) programs, remote and mobile workforces, as well as an increasingly diverse web of networked devices all pushing against your organization’s IT operations and security infrastructure.
It should be no surprise then, that according to a recent study by Ponemon Institute, nearly two-thirds of enterprise organizations have been compromised in the last 12 months by attacks that originated on endpoints. Compared to numbers just a year earlier, we’re looking at a 20 percent increase.
Attacks from outside intruders may present the most obvious threat and are indeed a daily challenge, but we can’t ignore the impact of internal threats. Of particular concern here is when employees disable or tamper with the critical security applications which IT teams rely on to secure devices and data. Employee behavior, usually out of unwitting negligence (but also sometimes from maliciousness), can put critical organizational information at risk and cause malware infection, corrupted registry files and drivers, or disabled services.
When users interfere with system management – patch management, antivirus, anti-malware, encryption, and other important security tools – these endpoints must often be reimaged which can be a costly process. Intentionally or not, your employees may be putting the organization at risk of a breach while creating additional work for IT staff who are already often spread far too thin.
Endpoint Security and Anti-malware Software
To many outside of information security, endpoint security and anti-malware software sound synonymous. When you would have received those anti-malware definitions in monthly floppy disk shipments, it may have been an organization’s only security control.
As we mentioned before, endpoint security is a posture or a practice. Anti-malware software is one of many important components of that posture. Depending on your organization’s threat model (your understanding of the potential threats and associated risks to your business and what you would need to do to accept, mitigate, or transfer those risks) the specific combination of security tools may vary, but they should all support the overarching objectives of your posture.
What Makes Up a Balanced Endpoint Security Posture?
There is a seemingly endless list of endpoint security solutions on the market. Deciding which ones are the best fit for your business is a difficult task, but where do you even start?
First, it’s important to understand the different types of endpoint security controls. As we have already discussed in a post about NIST CSF, being able to prevent, detect, and respond to threats are foundational capabilities, but ensuring that these tools are active, healthy, and configured properly on your devices requires the asset intelligence derived from tying these tools closely with your IT operations’ service management and configuration management. This is particularly challenging and critically important for those devices out on the security perimeter without the defenses of your corporate network.
The best endpoint security strategy for your organization means finding the right mix of features. To understand what will work most efficiently and effectively, you need to ensure that endpoint security is an integral part of your information security strategy and architecture. According to a peer-authored report by SecurityCurrent, endpoint security solutions must demonstrate how the software and sensors enhance or improve a company’s overall security posture alongside other security tools.
The report lists several key considerations for endpoint security features to look out for. Your checklist should include those solutions, which:

Collect and preserve forensics data
Process integrated threat feeds
Allow security managers to “set and forget” the minimum security baseline
Provide alerts to changes in critical configuration items
Support mobility considerations
Focus on prevention versus detection
Manage resource intensity
Flexible for today’s variety of attacks and adaptable for future threats
Have a minimally intrusive footprint and resource usage
Offer tools to help determine the effectiveness of the solution

Absolute’s endpoint management solution that not only checks these boxes but is the only one that offers self-healing capabilities. Offering you a truly panoramic view of your endpoints, we look at your organization as a whole, complex system, providing unparalleled visibility and control over your endpoints on and off your network.
To help you along with endpoint security strategy, download our whitepaper: Four Essential Strategies For Endpoint Security And Protection.
To see how our endpoint management platform can work in your organization, request a demo or contact our sales team