Endpoint is the path of least resistance, says ThreatLocker


IT Leaders Summit debates the true purpose of endpoint security.

At the Computing IT Leaders Summit, an audience of some of the UK's top CIOs gathered to listen to experts drawn from a broad range of disciplines and backgrounds. One of these was Seamus Lennon, Senior Solutions Engineer from zero trust endpoint protection platform ThreatLocker, who delivered a talk on the purpose of endpoint security.

Lennon began with a reminder of what exactly zero trust is, because misconceptions are still commonplace. For the record, zero trust essentially assumes a breach is imminent or has already occurred, so security architecture should work on a least-privilege basis. Every user should have access to only the applications that they specifically need to do their job.

The problem is that in many organisations, cybersecurity teams are juggling a raft of tools to detect, block, manage and mitigate threats. Whilst these are all effective to some extent against known threats, they become much less so against new ones. Crucially, they struggle to tell the difference between legitimate software and the malicious type. An application like PowerShell can be used legitimately for the purposes it was developed for - or it can be used to run malicious activity. The fact remains that every time a user opens a piece of software - knowingly or not - that software can access everything the user can. As Lennon said:

"The path of least resistance is not the infrastructure and it's not your end users. It's the endpoint."

Lennon also raised the possibility that increased levels of home working are being exploited by criminals who are using the greater connectivity of our homes as attack vectors. The message for employers is to be wary of your employees' smart doorbells because they represent the path of least resistance.

One particularly sobering statistic delivered by Lennon is the fact that 87% of ransomware attacks utilise PowerShell.

A crucial aspect of zero trust is ringfencing. Applications like PowerShell should be ringfenced and prevented from accessing files, folders and the internet. This prevents the downloading and execution of malicious code. It also prevents data exfiltration, which is one of the cyber criminals' more recent weapons of choice.

ThreatLocker presents defence as a triangle, with the first two sides concerning the education of users and traditional threat detection. Both of these are necessary but also fallible (yes, even if you use heuristic or AI-powered threat detection). ThreatLocker beefs up the third side of the triangle - which is control.

That control comprises six parts - ringfencing, application allowlisting, elevation control, storage control, network access control and managing user configurations.