SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers

The convergence of endpoint security & automated investigation & response

Fri, 15th Mar 2024

Endpoints are becoming an increasingly large and lucrative target for threat actors. According to Kaspersky's data on mobile devices, the total number of attacks reached almost 33.8 million in 2023, a 50% increase from 2022. Threat actors continue to seek new ways of exploiting endpoint vulnerabilities, with a rising number of attacks designed specifically to target endpoints, install malware, and gain unauthorised access to networks. 

The motivation is simple: according to IBM, the average cost per breach resulting from an attack on endpoints is over £7 million, which is more than twice the average cost of a general data breach. 

For organisations, responding to the rising wave of endpoint threats is no easy task. As the volume of data collected from endpoints grows, filtering and prioritising alerts manually becomes both difficult and costly, and security analysts cannot keep up with the number of endpoint investigations required.

This leaves organisations without the additional insight that unwanted network activity could provide, so they cannot tell whether a specific user or host has been compromised. Equally, when a data breach involving an end user or server does happen, they are unable to quickly isolate that user or host from the network. The overall result? Poor visibility, increased investigation times and missed attacks. 

A new approach

To avoid these potentially catastrophic consequences, organisations need to find new ways of enhancing their endpoint security strategies in order to reduce incident response times and contain attacks earlier. The crucial aspect is visibility. If an organisation has a full picture of activity across the entire network, it will be able to spot and stop threats and isolate endpoints pending investigation.

So, how exactly can organisations improve endpoint visibility and respond to security insights at speed? Endpoint Automated Investigation and Response (EAIR) is proving critical.

Automation is vital in the modern security era, lifting from security analysts the burden of investigating every potential incident manually. However, for automated security solutions to be truly effective, they cannot stand alone. 

The key is to use several different security technologies together in a converged platform. By enabling SIEM, SOAR, UEBA, and endpoint security to work together harmoniously and autonomously, the time required for threat hunting and response can be dramatically reduced.

Collecting and visualising critical event data from clients, servers, network systems, cloud workloads, and business-critical systems in an automated manner makes it significantly easier to identify and investigate endpoint-related threats, saving significant time. 

By integrating endpoint security specifically, there is no need to extrapolate the threat information generated to understand what areas the threat has impacted. Context, threat intelligence, and entity risk can then also be incorporated, turning seemingly unrelated logs into meaningful investigations.
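The two paragraphs above describe the core mechanic of a converged platform: events from several sources are normalised into one schema, correlated by entity (host and user), enriched with threat intelligence and a risk score, and the resulting case drives a response such as isolating the endpoint pending investigation. The following script is an added illustration of that loop, not code from the article or from any vendor product. The event lines, the threat-intel indicator set (addresses from the documentation ranges), the risk weights, the isolation threshold and the list of business-critical hosts are all constructed for the example; a real platform would take them from detection content and asset inventory rather than hard-coding them.

```python
"""Entity-centric correlation of endpoint, authentication and UEBA events.

Added example (not the article's or any product's code). Every event,
indicator, weight and threshold below is constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed threat-intel indicators (RFC 5737 documentation addresses).
THREAT_INTEL_IPS = {"203.0.113.7", "198.51.100.23"}

# Constructed risk weights per normalised event type.
RISK_WEIGHTS = {
    "failed_logon": 5,
    "unsigned_binary_execution": 30,
    "outbound_connection": 10,
    "new_geo_logon": 25,
    "av_detection": 40,
}
TI_MATCH_BONUS = 40          # outbound connection to a known-bad address
ISOLATION_THRESHOLD = 70     # score at which a host becomes a response candidate

# Business-critical servers are never auto-isolated; they are escalated to an
# analyst instead (constructed list).
CRITICAL_HOSTS = {"srv-db01"}

# Constructed events, already parsed from EDR, the SIEM's auth logs and a
# UEBA module into one common schema.
SAMPLE_EVENTS = [
    {"src": "siem", "host": "ws-042", "user": "alice", "type": "failed_logon", "dst": None},
    {"src": "siem", "host": "ws-042", "user": "alice", "type": "failed_logon", "dst": None},
    {"src": "siem", "host": "ws-042", "user": "alice", "type": "failed_logon", "dst": None},
    {"src": "edr", "host": "ws-042", "user": "alice", "type": "unsigned_binary_execution", "dst": None},
    {"src": "edr", "host": "ws-042", "user": "alice", "type": "outbound_connection", "dst": "203.0.113.7"},
    {"src": "ueba", "host": "ws-042", "user": "alice", "type": "new_geo_logon", "dst": None},
    {"src": "edr", "host": "srv-db01", "user": "svc_backup", "type": "av_detection", "dst": None},
    {"src": "edr", "host": "srv-db01", "user": "svc_backup", "type": "unsigned_binary_execution", "dst": None},
    {"src": "edr", "host": "ws-017", "user": "bob", "type": "outbound_connection", "dst": "192.0.2.10"},
]


@dataclass
class Investigation:
    """One case per host: who was involved, how risky, and why."""
    host: str
    users: set = field(default_factory=set)
    score: int = 0
    evidence: list = field(default_factory=list)


def score_event(event, intel_ips):
    """Return (points, human-readable reason) for one normalised event,
    applying the threat-intel enrichment where it matches."""
    points = RISK_WEIGHTS.get(event["type"], 0)
    reason = f'{event["src"]}: {event["type"]}'
    if event["type"] == "outbound_connection" and event.get("dst") in intel_ips:
        points += TI_MATCH_BONUS
        reason += f' to known-bad {event["dst"]}'
    return points, reason


def build_investigations(events, intel_ips=THREAT_INTEL_IPS):
    """Correlate events by host into Investigation objects with a cumulative
    entity risk score and an evidence trail an analyst can read."""
    cases = {}
    for ev in events:
        case = cases.setdefault(ev["host"], Investigation(host=ev["host"]))
        pts, why = score_event(ev, intel_ips)
        case.score += pts
        case.users.add(ev["user"])
        case.evidence.append(why)
    return cases


def triage(cases, threshold=ISOLATION_THRESHOLD, critical=CRITICAL_HOSTS):
    """Split hosts over the threshold into (auto-isolate, escalate-to-analyst).
    Critical servers are escalated rather than isolated automatically."""
    hot = [h for h, c in cases.items() if c.score >= threshold]
    isolate = sorted(h for h in hot if h not in critical)
    escalate = sorted(h for h in hot if h in critical)
    return isolate, escalate


if __name__ == "__main__":
    cases = build_investigations(SAMPLE_EVENTS)
    for host, case in sorted(cases.items()):
        print(f"{host}: score={case.score} users={sorted(case.users)}")
        for line in case.evidence:
            print("   -", line)
    isolate, escalate = triage(cases)
    print("isolate pending investigation:", isolate)
    print("escalate to analyst (critical host):", escalate)
```

The point of the design is that each source on its own is noise: three failed logons, one unsigned binary or one outbound connection would each sit below the threshold, but correlated onto the same host and enriched with the indicator match they become a single case with a readable evidence trail. The `CRITICAL_HOSTS` gate reflects the article's distinction between end users and servers: isolating a workstation automatically is cheap, isolating a database server is a change an analyst should approve.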

Within reach

To date, many enterprises have felt the need to choose between key technologies such as SIEM and EDR. However, while such solutions were once seen as mutually exclusive, that is no longer the case. Converging both technologies on a single platform now makes it possible to benefit from the capabilities of both security solutions. 

Indeed, EAIR now puts these technologies within reach of the SME. With support from the right provider, an overarching Endpoint Automated Investigation and Response capability can be adopted cost-effectively, comprising a full spectrum of solutions from SOAR to SIEM to EDR. 

With such a setup, it becomes much easier to obtain complete insights, making it easier to identify security breaches, simplify investigations, and accelerate response times across all endpoints.