In today’s digitised world, with COVID-19 driving a drastic shift to remote working, it is more important than ever for businesses to secure their endpoints. With so many options on the market, what should be on the checklist for CISOs?

Check Point Software Technologies shares five questions CISOs should ask when choosing an endpoint solution suited to their organisation, so that they avoid security breaches and data compromise without compromising business continuity.

1. Is my endpoint security suite protecting my organisation from phishing attacks?

These days, phishing emails use very sophisticated social engineering techniques designed to exploit human weaknesses, including spoofing techniques that make the email look legitimate to the unsuspecting eye. Staying ahead of these cyber criminals and removing the burden of detection from the user is critical to preventing these kinds of attacks.

Choose an endpoint solution that not only detects and blocks access to known phishing sites, but actively prevents complex and sophisticated attacks such as zero-day phishing, impersonation, spear-phishing and Business Email Compromise (BEC). Doing this means being able to perform full scans of websites and forms, including image-only websites, as well as deep heuristic analysis and reputation scans that include visual and textual similarity algorithms against well-known sites.

2. Is my organisation protected against sophisticated zero-day ransomware attacks? 

In 2019 alone, the cost of ransomware to enterprises was estimated to have exceeded US$7.5 billion. The problem with zero-day ransomware is that you don’t even know it exists until it’s too late, leaving security teams scrambling for solutions. To make things worse, it can penetrate the organisation through multiple entry points, including the web, email and removable media devices. Unfortunately, traditional security products cannot handle the challenge.

Thankfully, there is a solution. CISOs can look for an anti-ransomware engine that monitors changes to files on users’ drives and identifies ransomware behaviour such as non-legitimate file encryption. Should the engine detect any unusual activity, it takes smart snapshots of the infected system and not only blocks the attack, but also automatically recovers encrypted files.
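As an added illustration of the "non-legitimate file encryption" behaviour an anti-ransomware engine looks for (example code written for this article, not Check Point's engine), the block below scores each file write by its byte entropy and flags a process that produces a burst of high-entropy writes; the events, process names and paths are constructed.

```python
import math
import random
from collections import defaultdict

ENTROPY_THRESHOLD = 7.0   # bits per byte; encrypted or compressed data approaches 8.0
BURST_THRESHOLD = 3       # high-entropy writes by one process inside WINDOW_S
WINDOW_S = 10.0

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: plain text is usually below 5, ciphertext close to 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def find_encryptors(events):
    """Return processes that wrote BURST_THRESHOLD or more high-entropy files within WINDOW_S."""
    by_proc = defaultdict(list)
    for t, proc, _path, data in events:
        if shannon_entropy(data) >= ENTROPY_THRESHOLD:
            by_proc[proc].append(t)
    flagged = set()
    for proc, times in by_proc.items():
        times.sort()
        for i, start in enumerate(times):
            in_window = sum(1 for t in times[i:] if t - start <= WINDOW_S)
            if in_window >= BURST_THRESHOLD:
                flagged.add(proc)
                break
    return flagged

# Constructed file-write events: (time_s, process, path, bytes written). A real engine
# would receive these from a filesystem driver; the "ciphertext" is seeded pseudo-random.
_rng = random.Random(7)
CIPHERTEXT = bytes(_rng.randrange(256) for _ in range(1024))
PLAINTEXT = b"Quarterly report: revenue grew 4% quarter on quarter. " * 20
SAMPLE_EVENTS = [
    (0.0, "winword.exe", "C:/Users/a/report.docx", PLAINTEXT),
    (1.0, "7z.exe", "C:/Users/a/backup.7z", CIPHERTEXT),   # a single archive: legitimate
    (2.0, "unknown_updater.exe", "C:/Users/a/report.docx.locked", CIPHERTEXT),
    (2.5, "unknown_updater.exe", "C:/Users/a/budget.xlsx.locked", CIPHERTEXT),
    (3.0, "unknown_updater.exe", "C:/Users/a/photo.jpg.locked", CIPHERTEXT),
    (3.4, "unknown_updater.exe", "C:/Users/a/notes.txt.locked", CIPHERTEXT),
]

if __name__ == "__main__":
    print("suspected encryptors:", find_encryptors(SAMPLE_EVENTS))
```

Compression tools also write high-entropy output, which is why the rate of such writes across many files, not a single write, is the signal; a production engine additionally keeps the snapshots the text mentions so that flagged files can be restored.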

3. Can we make sure that all incoming files are safe without disrupting employees’ productivity?

In our fast-paced world, organisations cannot afford to waste time inspecting every file that comes through the network, such as email attachments or downloads from the web and removable devices like USB drives. However, we also can’t take the risk of allowing any file to be downloaded without inspection, as it might only take one vulnerable entry point to devastate the entire organisation’s network.

Therefore, CISOs should make sure the solution includes an automatic file sanitisation function, known as Content Disarm and Reconstruction (CDR). This capability proactively prevents attacks by filtering incoming documents and removing any exploitable content and potentially harmful elements. This sanitisation should also be quick, with minimal waiting time and no disruption to employees’ productivity.
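To make the "remove exploitable content, keep the document" idea of CDR concrete, here is an added example (written for this article, not Check Point's CDR implementation) that rebuilds an OOXML Word file without its macro, ActiveX and embedded-object parts and unlinks them from the relationships; the sample .docm is constructed with only the parts the demo needs.

```python
import io
import re
import zipfile

MACRO_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CT = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
# Parts that carry executable or embedded content; they are dropped, never "cleaned".
ACTIVE_PART = re.compile(r"^word/(vbaProject\.bin|vbaData\.xml|activeX/|embeddings/)", re.I)
# Relationship elements pointing at those parts (regex is enough for the flat sample XML).
DEAD_REL = re.compile(rb'<Relationship\b[^>]*Target="(vbaProject\.bin|vbaData\.xml|activeX/[^"]*|embeddings/[^"]*)"[^>]*/>')

def sanitise_docx(data: bytes) -> bytes:
    """Rebuild an OOXML Word file without macros, ActiveX controls or embedded objects."""
    src = zipfile.ZipFile(io.BytesIO(data))
    out_buf = io.BytesIO()
    with zipfile.ZipFile(out_buf, "w", zipfile.ZIP_DEFLATED) as out:
        for name in src.namelist():
            if ACTIVE_PART.match(name):
                continue                                   # drop the whole part
            body = src.read(name)
            if name.endswith(".rels"):
                body = DEAD_REL.sub(b"", body)             # unlink the dropped parts
            elif name == "[Content_Types].xml":
                body = body.replace(MACRO_CT.encode(), PLAIN_CT.encode())  # .docm -> .docx
            out.writestr(name, body)
    return out_buf.getvalue()

def read_part(data: bytes, name: str) -> bytes:
    """Read one part from an original or rebuilt document."""
    return zipfile.ZipFile(io.BytesIO(data)).read(name)

def part_names(data: bytes) -> list:
    return sorted(zipfile.ZipFile(io.BytesIO(data)).namelist())

def build_sample_docm() -> bytes:
    """Constructed, minimal macro-enabled document: just enough parts for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", '<Types><Override PartName="/word/document.xml" '
                   f'ContentType="{MACRO_CT}"/></Types>')
        z.writestr("word/document.xml", "<w:document><w:body><w:p>Invoice 1234</w:p></w:body></w:document>")
        z.writestr("word/styles.xml", "<w:styles/>")
        z.writestr("word/_rels/document.xml.rels", '<Relationships>'
                   '<Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>'
                   '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
                   '</Relationships>')
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder: a real file holds compiled VBA here")
    return buf.getvalue()
```

A production CDR engine does the same for every format it admits (PDF actions and JavaScript, OLE objects, external links) and parses the XML properly rather than with regular expressions.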

4. Can we automatically detect and contain bot-related infections before sensitive data is exposed? 

Bots are often used by hackers when they target particular individuals or organisations in what’s known as an Advanced Persistent Threat (APT). These bots operate by connecting to a Command and Control (C&C) server, which allows the hacker to control the bot to execute the attack, typically theft of personal, financial, organisational or intellectual property data. In some cases, cyber criminals may send spam emails that attack resources and execute bandwidth consumption attacks that ultimately impact productivity, bury important logs from your SOC team, or even conduct a whaling attack on senior personnel. What’s worse is that this can all be done without you ever realising it.

Having an anti-bot solution in your endpoint security will prevent such attacks by continuously monitoring outgoing traffic and identifying communications with command and control servers. If an infected machine is detected, the anti-bot component blocks the traffic, remediates the attack and isolates the compromised machine to prevent further spread of the infection.
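One way outgoing traffic reveals a bot talking to its command and control server is regular "check-in" timing, and the added example below (written for this article, not Check Point's anti-bot logic) finds host pairs whose connections recur on a near-fixed period; the log lines, addresses and thresholds are constructed.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed outbound-connection log (not from any real system): one line per connection.
SAMPLE_LOG = """\
2020-06-01T10:00:00 src=10.0.0.12 dst=198.51.100.7:443 bytes=612
2020-06-01T10:00:03 src=10.0.0.12 dst=93.184.216.34:443 bytes=14820
2020-06-01T10:01:01 src=10.0.0.12 dst=198.51.100.7:443 bytes=598
2020-06-01T10:01:40 src=10.0.0.12 dst=93.184.216.34:443 bytes=2210
2020-06-01T10:02:00 src=10.0.0.12 dst=198.51.100.7:443 bytes=605
2020-06-01T10:02:59 src=10.0.0.12 dst=198.51.100.7:443 bytes=611
2020-06-01T10:03:12 src=10.0.0.12 dst=93.184.216.34:443 bytes=9034
2020-06-01T10:04:00 src=10.0.0.12 dst=198.51.100.7:443 bytes=601
2020-06-01T10:04:30 src=10.0.0.33 dst=93.184.216.34:443 bytes=5012
"""

MIN_CONNECTIONS = 4   # fewer than this is too little to call a pattern
MAX_JITTER = 0.10     # coefficient of variation of the inter-arrival times

def parse_log(text):
    """Yield (timestamp, src, dst) from the constructed log format above."""
    for line in text.splitlines():
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        yield datetime.fromisoformat(ts), kv["src"], kv["dst"]

def find_beacons(text):
    """Return {(src, dst): mean_interval_s} for pairs that connect on a near-fixed period."""
    seen = defaultdict(list)
    for ts, src, dst in parse_log(text):
        seen[(src, dst)].append(ts)
    beacons = {}
    for pair, times in seen.items():
        if len(times) < MIN_CONNECTIONS:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        # Human browsing is bursty (high jitter); a bot's check-in timer is not.
        if mean > 0 and statistics.pstdev(gaps) / mean <= MAX_JITTER:
            beacons[pair] = mean
    return beacons

if __name__ == "__main__":
    for (src, dst), period in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst} every {period:.0f}s: candidate C&C channel")
```

Software update checks and monitoring agents also beacon, so a hit is a triage candidate that the SOC corroborates with destination reputation and the process behind the connection before the block-and-isolate response the text describes.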

5. Can my endpoint security solution automatically visualise and analyse incidents, contextualise, and remediate them? 

Although traditional Endpoint Detection and Response (EDR) solutions are able to detect suspicious behaviours, they typically have very few out-of-the-box rules and no automatic remediation. When remediation is performed manually, there is the added risk of attack residue that was not cleaned up. The process is also time-consuming and requires highly trained analysts. This is something you really can’t compromise on.

An ideal endpoint solution should automatically and completely remediate the cyber kill chain. The solution should offer forensics capabilities that automatically monitor and record endpoint events, including affected files, processes launched, system registry changes and network activity. An effective remediation solution will automatically quarantine the infected device to prevent lateral spread of the infection, and restore the endpoint to a safe state when an attack is detected. This also significantly reduces the time security and IT teams have to spend analysing incidents, freeing them up to focus on more critical tasks.

Vigilance in the comfort of working remotely

There’s no telling when cybercriminals have set their eyes on your organisation, and a system can never be 100% secure. However, keeping your security strategy up to date as the landscape evolves can minimise your exposure and risk. It is important to always be one step ahead on the defence.

Evan Dumas, Regional Director, Southeast Asia, Check Point Software Technologies