Feb 26 2021

What Are Next-Generation Endpoint Security Tools, and How Can They Prevent Government Cyberattacks?

Endpoint security has gotten more complicated for government agencies in the age of large-scale remote work, and these tools can help make sense of the threat landscape.

State and local governments continue to face a wide array of cybersecurity threats. Witness an intruder’s recent attempt to poison the water supply of Oldsmar, Fla., or the disclosure several weeks ago of a large data breach involving the Office of the Washington State Auditor. Ransomware attacks are not slowing down either, and local governments are refusing to pay.

With chunks of government workforces still working from home amid the coronavirus pandemic, securing their devices remains a critical issue for state and local government IT leaders. They need to consider all of the available tools in their defensive arsenal to do so. Some of the most potent protective measures include a class of cybersecurity defenses known collectively as next-generation endpoint security tools.

Next-generation endpoint protection technologies go beyond the simplistic, signature-based anti-virus detection techniques of the past, and increasingly leverage artificial intelligence and machine learning to enhance agencies’ security. Such solutions still use reliable signature detection, but also include new approaches, including endpoint detection and response (EDR), behavioral analysis, sandboxing, predictive analytics and threat intelligence.

What’s the Value of Next-Generation Endpoint Security?

Signature-based security, which relies on comparing threats to a database of previously identified malicious code, still catches roughly 70 to 80 percent of cybersecurity threats, says Arnie Lopez, vice president of worldwide systems engineering at McAfee. However, that’s increasingly not enough to tackle today’s threat landscape.

In the simplest of terms, says North Dakota CTO Duane Schell, next-generation endpoint security “is a much better version of traditional endpoint protection.”

“In reality, it is a completely new solution that analyzes user and endpoint behavior in real time, leveraging AI and ML to detect and prevent threats much faster and more effectively than traditional endpoint solutions,” he says.

In most cases, next-generation endpoint security solutions also provide agency IT security leaders with “rich and detailed information that allows for more effective post-event analytics and investigations.”

Ultimately, Schell says, these tools provide a “significant reduction in risk from an endpoint perspective, and in the event something does happen, you are able to be much more effective in the investigation efforts.”


Next-Generation Endpoint Security vs. Traditional Endpoint Security

Traditional endpoint security solutions rely heavily on a signature database, Schell notes, “and in a world where threats are evolving at an enormous pace, the maintenance of that signature database is an impossible task.”

Additionally, there is an inherent lag time in the distribution of threat signatures to all the endpoints.

“By switching to a real-time approach that relies on AI and ML, the task of maintaining signatures is minimized, latency is removed and risk levels are reduced,” Schell adds.

Next-generation endpoint security tools with access to real-time threat intelligence can analyze this information and deploy immediate updates to users’ endpoints. This enables agency IT security leaders to block IP addresses, update malware signatures and identify new adversary tactics quickly, providing rapid detection of evolving threats.


Increasingly, organizations need to be smarter about how they determine what is actually a threat, Lopez says, using data not just from endpoints such as laptops and mobile devices but also from the network edge, secure web gateways, firewalls, email gateways and so forth. Next-generation endpoint security tools enable agencies to, for example, detect command-and-control server activity that might not be apparent on an endpoint, and feed that data into their telemetry so that they can make smarter security decisions.

Another pillar of next-generation endpoint security is EDR, which moves beyond simple detection of a security compromise and manages an active response that contains the damage, isolates affected systems and recovers normal operations as quickly as possible.

EDR solutions combine an endpoint client that actively performs anti-virus, firewall and intrusion-prevention functions with components that respond immediately once a threat is detected.

Next-generation endpoint tools are ideal for securing government users’ endpoints at home, Lopez says. “They have their IT-supplied desktops or laptops, but they’re also sometimes having to join from tablets, mobile devices,” he says. “So, having mobile capabilities for your endpoint security is also a big part of next-gen endpoint security.”

Another capability that is popular in next-generation endpoint security platforms is rollback remediation, Lopez says. “As much protection as you put in place, anyone that tells you you’re 100 percent safe has not been doing this for a living; things are going to happen, and things are going to get through,” he says. “How do you deal with it when it happens?”

Rollback remediation allows agencies to use previously created images, or versions, of a user’s system. When malicious activity and changes are detected, such tools can reverse the changes and restore the system to its previously healthy state. “Then, you should not lose everything you were working on,” he says. “You’ll just lose 10 to 20 percent, vs. everything.”


How Next-Generation Endpoint Security Uses AI and Machine Learning

Next-generation endpoint security takes cybersecurity to the next level in terms of behavioral analysis, Lopez notes. To do that effectively, however, such platforms must leverage AI and machine learning techniques.

Next-generation endpoint security tools can help IT security professionals understand whether they are encountering valid applications or uses of system capabilities, such as Remote Desktop Protocol (RDP).

As these tools start ingesting data on user behavior and threat intelligence, and begin looking for anomalies in users, applications and even network traffic, there is a high possibility that false positives will occur. The platforms may detect what seems to be anomalous malicious activity that is, in fact, benign.


State and local agencies tend to have limited IT staff, and they can spend a great deal of time chasing down false positives. Machine learning can help staff determine what is and is not an actual threat, saving time and valuable resources, according to Lopez.


The Threats Next-Generation Endpoint Security Helps Combat

Although specific next-generation endpoint solutions on the market today — from a wide range of vendors, including McAfee, Forcepoint, BlackBerry Cylance, Palo Alto Networks, Sophos, VMware Carbon Black, SentinelOne and more — bundle in a variety of protection capabilities, “at the core of all solutions is providing protection against malicious code and malicious behavior that can affect the endpoints,” Schell says.

This includes threats such as spyware, viruses, malware and, of course, ransomware, which Schell notes remains a top-of-mind threat.

Signature-based solutions also do not catch zero-day attacks, which are more difficult to stay on top of with small IT security staffs. As FireEye notes, “a zero-day attack happens once that flaw, or software/hardware vulnerability, is exploited and attackers release malware before a developer has an opportunity to create a patch to fix the vulnerability.”

Machine learning, threat intelligence and remediation rollback can help significantly to combat those threats, Lopez says. “You’ve got sometimes two guys and girls that are the security engineers and network engineers, and they also do the response. They’re pseudo-SOC threat hunters at the same time,” he says. “So, those zero-days are the ones that are really taking up most of their time.”

Another kind of threat that next-generation endpoint tools can help guard against is PowerShell-based attacks. “PowerShell can be used for good, but typically it’s not,” Lopez says. “So, being proactive and asking why do you need to have a partial script on an executive admin’s endpoint, as an example.”

Machine learning tools can then determine what that individual user’s role is and whether there is a valid use for something like a PowerShell script, he notes. A similar process can determine whether RDP is being used appropriately or whether it is being used to launch ransomware.
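As an added illustration of the role-aware behavioral analysis described above (this is example code written for this article, not code from StateTech or any vendor it names), the following Python scores constructed endpoint telemetry against a per-role baseline: PowerShell launched by an IT engineer passes quietly, while the same binary spawned by Word on an executive admin's laptop is flagged. The role baselines, host names, user names and scoring weights are all constructed assumptions.

```python
from collections import defaultdict

# Constructed baseline: which processes are expected for each job role.
# A real platform would learn this from historical telemetry rather than a table.
ROLE_BASELINE = {
    "executive_admin": {"outlook.exe", "winword.exe", "excel.exe", "chrome.exe"},
    "it_engineer": {"powershell.exe", "mstsc.exe", "ssh.exe", "chrome.exe"},
}

# Constructed endpoint telemetry: one process-start event per record.
EVENTS = [
    {"user": "jdoe", "role": "executive_admin", "host": "EXEC-01",
     "process": "winword.exe", "parent": "explorer.exe"},
    {"user": "jdoe", "role": "executive_admin", "host": "EXEC-01",
     "process": "powershell.exe", "parent": "winword.exe"},
    {"user": "asmith", "role": "it_engineer", "host": "IT-07",
     "process": "powershell.exe", "parent": "explorer.exe"},
    {"user": "asmith", "role": "it_engineer", "host": "IT-07",
     "process": "mstsc.exe", "parent": "explorer.exe"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe"}


def score_event(event):
    """Return (score, reasons); a higher score is more anomalous for that role."""
    score, reasons = 0, []
    baseline = ROLE_BASELINE.get(event["role"], set())
    # Unexpected tooling for the user's role: worth a look, not yet an alarm.
    if event["process"] not in baseline:
        score += 2
        reasons.append(f"{event['process']} is not in the {event['role']} baseline")
    # An Office application spawning a shell is a classic macro-abuse pattern,
    # regardless of role, so it adds weight on its own.
    if event["parent"] in OFFICE_APPS and event["process"] in SHELLS:
        score += 3
        reasons.append(f"{event['parent']} spawned {event['process']}")
    return score, reasons


def triage(events, threshold=2):
    """Group scored events by host, keeping only those worth an analyst's time."""
    alerts = defaultdict(list)
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            alerts[ev["host"]].append(
                {"user": ev["user"], "score": score, "reasons": reasons})
    return dict(alerts)
```

Run against the constructed events, `triage(EVENTS)` returns a single alert for EXEC-01 and nothing for IT-07, which is the false-positive reduction the text describes: the same PowerShell binary is benign for one role and suspicious for another.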

Schell says it is important to remember that next-generation endpoint protection won’t make agencies immune to attacks, “but having next-gen endpoint protection in your security toolkit is the best way to significantly reduce your risk in this space.”
