Endpoints must become more intelligent, resilient and self-healing to support the many new identities they must protect. Even the most hardened endpoints are at risk because they lack protection against identity-based breaches. Putting trust in identities is a breach waiting to happen.
How endpoint protection platform (EPP), endpoint detection and response (EDR), and extended detection and response (XDR) providers respond to the challenge will shape the future of endpoint security. Based on the many briefings VentureBeat has had with leading providers, a core set of design goals and product direction emerges. Together they determine the future of endpoint security in a zero-trust world.
Srinivas Mukkamala, chief product officer at Ivanti, advised organizations to consider any operating system and have the ability to manage every user profile and client device from a single window. Employees want access to work data and systems from the device of their choice, so security when granting access to devices should “never be an afterthought”.
“Business leaders will continue to see the cost of managing these devices rise if they don’t account for the variety of devices employees use,” said Mukkamala. “Organizations must continue to move towards a zero-trust model of endpoint management to look around the corner and strengthen their security posture.”
Manufacturers in particular are calling ransomware attacks that take advantage of unprotected endpoints a digital pandemic. And after an attack, forensics shows how attackers fine-tune their craft to take advantage of weak to non-existent identity protections on endpoints.
CrowdStrike's Global Threat Report 2023 found that 71% of all attacks are malware-free, up from 62% in 2021. CrowdStrike attributes this to attackers' widespread use of valid credentials to gain access to targeted organizations and conduct long-term reconnaissance. Another contributing factor is how quickly new vulnerabilities are published and how quickly attackers move to operationalize exploits.
CrowdStrike president Michael Sentonas told VentureBeat that the intersection of endpoint and identity is one of the biggest challenges today.
Attackers who have refined their craft reduced the average breakout time for intrusion activity from 98 minutes in 2021 to 84 minutes in 2022. CrowdStrike notes that it can take organizations up to 250 days to detect that an identity breach has occurred when attackers have valid credentials to work with.
Leading EPP, EDR, and XDR providers are hearing from customers that identity-based endpoint breaches are on the rise. Unsurprisingly, 55% of cybersecurity and risk management professionals estimate that more than 75% of endpoint attacks cannot be stopped with their current systems.
Generative AI should deliver zero-trust gains
Generative AI can help capture every intrusion attempt, breach, and anomalous activity along with their causative factors, to better predict and stop them. These tools enable security, IT, and operations teams to learn from and collaborate on each breach attempt. Generative AI will create a new type of “muscle memory” or reflexive response.
Notable providers with strong AI and machine learning (ML) leads include CrowdStrike, Cisco, Ivanti, Microsoft, Palo Alto Networks, and Zscaler. Microsoft spent $1 billion on cybersecurity R&D last year and has pledged another $20 billion over the next five years.
Providers seek incremental gains to provide greater contextual intelligence, resilience, and self-healing. It's easy to see why endpoint providers including Bitdefender, Cisco, Ivanti, McAfee, Palo Alto Networks, Sophos and others are doubling down on AI and ML to bring new intensity to the way they innovate.
Below are key points from product briefings with leading providers.
Accelerated ML apps to identify the most critical CVEs impacting endpoints
Active Directory (AD), first introduced with Windows Server in 2019, is still used by millions of organizations. Attackers often target AD to gain control of identities and move laterally across networks. Attackers exploit AD’s longstanding CVEs because organizations prioritize the most urgent patches and CVE defenses first.
AD is undoubtedly under attack; CrowdStrike found that 25% of attacks come from unmanaged hosts such as contractor laptops, rogue systems, outdated applications and protocols, and parts of the supply chain where organizations lack visibility and control.
Consolidating tech stacks provides better visibility
CISOs say budgets are under more scrutiny, so consolidating the number of applications, tools and platforms is a high priority. The majority (96%) of CISOs plan to consolidate their security platforms, with 63% favoring XDR. Consolidating tech stacks will help CISOs avoid missing threats (57%), find qualified security specialists (56%), and correlate and visualize findings across their threat landscape (46%).
All major providers are now pursuing consolidation as a growth strategy, with CrowdStrike, Microsoft, and Palo Alto Networks the ones most often cited by CISOs to VentureBeat.
CISOs say Microsoft is the most challenging of the three to get right. Microsoft sells Intune as a platform that helps save costs because it is already included in existing business licenses. But CISOs say they need more servers and licenses to deploy Intune, making it more expensive than expected. CISOs also say that managing all operating systems is a challenge and that they need additional solutions to cover their entire IT infrastructure.
CrowdStrike, meanwhile, uses XDR as a consolidation platform; Ivanti is accelerating AI- and ML-based enhancements to UEM; and Palo Alto Networks' platform-driven strategy aims to help customers consolidate their tech stacks. During his keynote at Fal.Con 2022, George, co-founder and CEO of CrowdStrike, said that endpoints and workloads provide 80% of the most valuable security data.
“Yes, [attacks] happen through the network and other infrastructure,” he said. “But the reality is that people are exploiting endpoints and workloads.”
Jason Waits, CISO at Inductive Automation, explained that his company consolidated vulnerability scanning and endpoint firewall management into the CrowdStrike agent, removing two separate security tools.
“Reducing the number of agents we have to install and maintain significantly reduces IT management overheads and improves security,” he said.
AI-based indicators of attack (IOAs) that deliver contextual intelligence are at the heart of closing the endpoint identity gap
By definition, indicators of attack (IOAs) gauge a threat actor's intent and attempt to identify their targets, regardless of the malware or exploit used. Complementing IOAs are indicators of compromise (IOCs), which provide the forensic evidence that a network breach has occurred. IOAs must be automated to provide accurate, real-time data for understanding attacker intentions and stopping intrusion attempts.
VentureBeat spoke to several providers developing AI-based IOA and learned CrowdStrike is the first and only provider of AI-based IOAs. The company says AI-powered IOAs work asynchronously with sensor-based ML and other sensor defense layers. The company’s AI-based IOAs leverage cloud-native ML and human expertise on a platform it invented more than a decade ago. AI-generated IOAs (behavioral event data) and local events and file data are used to diagnose maliciousness.
Standalone tools don’t close gaps between endpoints and identities; platforms do
Normalizing reports across different standalone tools is difficult, time consuming and expensive. SOC teams use manual correlation techniques to track threats across endpoints and identities. Tools don’t have a standard set of alerts, data structures, reporting formats, and variables, so getting all activities on one screen won’t work.
Ivanti Neurons for UEM relies on AI bots to discover machine identities and endpoints and update them automatically. Its approach to self-healing endpoints combines AI, ML, and bot technologies to deliver unified endpoint and patch management at scale for a global enterprise customer base.
Self-healing endpoints help close the gap while providing resilience
The most advanced UEM platforms integrate with and enable enterprise-wide micro-segmentation, IAM, and PAM. When AI and ML are embedded in endpoint device platforms and firmware, enterprise adoption accelerates. Self-diagnosis and adaptive intelligence form a self-healing endpoint. Self-healing endpoints can disable themselves, recheck versioning of operating systems and applications, and reset to an optimized, secure configuration. These activities are autonomous and do not require human intervention.
CISOs tell VentureBeat that cyber resilience is just as important to them as consolidating their tech stacks. The telemetry and transactional data generated by endpoints is among the most valuable sources of innovation that the zero-trust vendor community has today. Expect further use of AI and ML to improve endpoint detection, response, and self-healing capabilities.
Endpoint security in a zero-trust world relies on the ability of EPP, EDR, and XDR providers to bridge the gap between endpoint security and identity protection on a single platform using common real-time telemetry data. Based on interviews VentureBeat has conducted with leading providers and CISOs, it is clear that this can be achieved by using generative AI to deliver zero-trust gains and by consolidating tech stacks for better visibility. Providers must innovate and integrate AI and ML technologies to improve endpoint detection, response, and self-healing in the face of a rapidly changing and relentless threat landscape.