We learned about the basic concept of Zero Trust in the previous blog post. In this article, I’d like to continue to address Zero Trust, but more specifically Zero Trust on Endpoints. Before we start, I would like to thank you for the favorable reviews on my previous post. It encourages me to continue to write more blogs with the content that resonates with the readers.
To most people, cyber security might sound difficult, but actually its concept is not difficult to understand although coming up with true solutions can be difficult. But if you understand the flow of how cybercrime and hacking occur, and what efforts are needed to solve them, then even solutions could be naturally created.
Today, we’re going to introduce Endpoint security products that have been recently developed as cyber security solutions. They are still in the early stages of being widely utilized in the market, but have huge potential for growth moving forward.
An Endpoint literally refers to any device that is physically an end point on a network such as laptops, desktops, mobile phones, tablets, servers, and even virtual environments can all be considered Endpoints.
Another term used frequently in Endpoint security is Vaccine. What comes to your mind when you think of a Vaccine? The COVID-19 vaccine might come to your mind first due to the recent disastrous global pandemic. In the computer field, Vaccine is the program that detects, blocks, isolates, and treats the malware. It is an IT term that directly parallels the medical term. In fact, a computer vaccine is often also called antivirus software, with a virus being a type of malware. Thus, anti-malware software might be a more proper term, but it is a cumbersome term and many people might not understand it. Interestingly, there are many other terms used in cybersecurity that come from other fields that also directly relate to their usual meaning. For example, some terms come from military terms such as kill-chain, quarantine, data exfiltration, lateral movement, etc.
By the way, I explain the term, vaccine here because it is not feasible to explain Endpoint security products without it. Now, with this background knowledge of the terms used in Endpoint security, let’s think about how ‘Visibility’, mentioned in the previous blog post has anything to do with implementing the principle of Zero Trust on Endpoints.
Visibility alone means showing everything without hiding anything. However, in the context of implementing Zero Trust principle on Endpoints, the ‘Visibility must be secured with all traffic being monitored. Visibility is needed because you can know how to address cybersecurity issues only if you are able to see things happening on Endpoints and thus, in this way, the concept of securing Visibility fits in the concept of Zero Trust.
As previously mentioned, the Endpoint is the user interface such as a PC or tablet. It usually accesses the internal network through one-step authentication. In many cases, it also acts with near full authority and no further authentication is made. But how can you trust it?
I recall one example of a company where a major hacking incident occurred by a third-party contractor. He accessed the internal network that was protected by only a simple one step authentication with no further authentication or monitoring mechanism in place and was able to wreck considerable damage. As you can see in this case, to efficiently avoid security threats, even internal threats, it’s necessary to keep monitoring the behavior of the Endpoint and responding to suspicious behaviors even after access to the network was made. Do not trust anybody! This fits the principle of Zero Trust.
The Endpoint security product needed today is called ‘Endpoint Detection and Response (EDR)’. This product records the activities that occur on Endpoints and responds to hacking attacks. It is more powerful and more effective than a vaccine alone, that can only respond to known malware and cannot act against the unknown malware. However, it doesn’t mean that a vaccine is not also necessary! It just means that vaccines alone can’t provide effective Endpoint security!
EDR is a solution to monitor, detect and respond to suspicious behaviors on Endpoints. I will explain EDR more in detail in the next blog post, but in short, there are a wide variety of suspicious behaviors possible on Endpoints that need to be guarded against. They include unknown external access to the Internet when a program runs on a PC, intentional destruction of the system by malware, attacks against the server or PC in the internal network, etc.
Meanwhile, please feel free to leave comments if you have any questions! I will continue trying to explain Cyber Security in a way that everyone can understand.