Why edge and endpoint security matter in a zero-trust world

In February, Nvidia was hit with a cyberattack by Lapsus$, an international hacking group known for their cyberattacks on enterprises. The group was able to gain access to multiple systems and at least two code-signing certificates, giving the cyberattackers the option to digitally sign malicious code, bypass security defenses and compromise endpoints. Following the attack, at least two binaries not created by Nvidia were found online, signed with the stolen keys. The attack provides a sobering reminder of how machine identities are vulnerable to attack using stolen code-signing certificates. 

Stolen certs show edge and endpoint security’s widening gaps 

Developers use code-signing certificates to verify the authenticity of their apps’ code, endpoint security agents and integration points across networks. Cyberattackers, including Lapsus$ and others, put a high value on these certificates because they can use them to impersonate legitimate device drivers and code to take control of devices, endpoints and sensors. Cyberattackers use this growing technique to distribute malware across endpoints and enterprise networks. 

Modifying code-signing certificates is now one of the most sophisticated, popular approaches to controlling edge and endpoint security devices on a network while launching malware attacks. Cyberattackers continue using Nvidia’s stolen code-signing certificates to disguise malware code as legitimate while attempting to launch attacks. Last year, impersonating legitimate code was integral to the SolarWinds supply chain attack. 

Nvidia having terabytes of data exfiltrated and code-signing certificates stolen show how fragile edge and endpoint security can be. Using stolen code-signing certificates to make device drivers, executables and source code look legitimate is among the toughest endpoint breaches to stop. 

Longstanding gaps in endpoint security are getting wider, enabling more sophisticated breach attempts due to the following:

Privileged access management failures 

Many endpoint networks and IoT platforms aren’t configured for any privileged access management (PAM) credentials or they have identical passwords across all devices to streamline administration, leaving the entire network open to attack. In the first six months of last year, there were more than 1.5 billion IoT breaches using the Telnet protocol. In the second half of 2021, there was a 34% increase in security vulnerabilities for IoT and IT technologies. 

Machines’ identities are getting harder to protect 

The more complex the hybrid or multicloud environment, the more challenging it is to have a unified identity access management (IAM) strategy across all machines. In many organizations, machine identities are growing at twice the rate of human ones. Twenty-five percent of security leaders say the number of machine identities they are managing this year increased by 10 times or more in the last 12 months. Furthermore, 84% of security leaders say the number of identities they manage has doubled since last year. Forrester predicts that machine identities (including bots, robots and IoT) will grow twice as fast as human identities on organizational networks. 

Gaps in machine-based PAM and IAM leave IoT platforms vulnerable 

The cloud, cybersecurity, infrastructure and operations (I&O), devops, platform and support teams have different requirements for machine-based IAM and PAM apps and tools. Reconciling these diverse needs can lead to gaps in authentication, authorization and trust, increasing the risk of a breach. For example, 53% of internet of medical things (IoMT) and IoT devices (registration required) contain critical risks, with 73% of IV pumps and 50% of VoIP systems being at risk of an IoT breach. AT&T Alien Labs is also tracking a new IoT botnet, EnemyBot, discovered earlier this year. EnemyBot targets IoT devices, web servers, Android devices and content management system (CMS) servers and reflects how sophisticated IoT botnet attacks have become. Digital platform security provider Irdeto predicts that the estimated cost of an attack on IoT devices currently stands at $330,000.

IT team workloads at capacity 

Fast-tracking digital-first revenue and service projects combined with supporting hybrid workers has many IT teams overwhelmed with work. Securing machine identities often suffers. KeyFactor and Ponemon Institute’s State of Machine Identity Management 2022 study found that 42% of organizations use spreadsheets to track and manage certificates, and 48% don’t have an accurate inventory of secure shell (SSH) credentials in their organization. Certificate life spans are getting shorter and IT teams are being tasked with more, leading 65% of organizations to say they are concerned about the increased workload and risk of outages caused by shorter SSL/TLS certificate lifespan.

How zero trust is closing edge and endpoint security gaps  

The most effective edge and endpoint security implementations close network and cybersecurity gaps while securing access to shared resources users need anywhere, anytime. Getting edge and endpoint security right closes the gaps between network and security infrastructure, which is the essence of a secure access service edge (SASE) strategy. 

Zero-trust network access (ZTNA) is at the core of the SASE framework, treating human and machine identities as the security perimeter. ZTNA is predicated on providing the least privileged access to any edge or endpoint device on a network, ensuring more trusted, secure endpoints across an enterprise – which is exactly what edge and endpoint security needs today. 

Implicit trust with edge and endpoint devices is a security risk ZTNA looks to eliminate by defining and managing identities and privileged access by session and user. By 2025, 70% of organizations implementing agent-based ZTNA are expected to choose a security service edge (SSE) provider for ZTNA rather than a standalone offering, up from 20% in 2021.

Zero trust isn’t a single architecture but a set of guiding principles for operations, systems design and workflows. The latest zero-trust architecture standard, NIST Special Publication 800-207, provides useful insights for any organization looking to define a framework that will work for their specific needs. Having a series of guidelines to evaluate zero-trust frameworks helps. CompTIA’s State of Cybersecurity, 2021, study provides insights into how 400 security professionals implement their zero-trust frameworks. Multifactor authentication, microsegmentation, cloud workload governance, IAM software and least-privilege access are the most implemented components of zero-trust frameworks.     

Self-healing endpoints essential in a zero-trust world  

More than 120 vendors claim to have self-healing endpoints that can contribute to zero-trust frameworks. A true self-healing endpoint has integrated self-diagnostics and can regenerate its original software configurations after an attack or breach. They’re capable of shutting themselves off, completing a recheck of all OS and application versioning and then resetting themselves to an optimized, secure configuration – allowing no human intervention. Leaders include Absolute Software, CrowdStrike, Ivanti and Microsoft Defender 365. 

Absolute Software’s Resilience is the industry’s first self-healing zero-trust platform and is noteworthy for its asset management, device and application control, endpoint intelligence, incident reporting, resilience and compliance. Absolute relies on firmware-embedded persistence, providing self-healing endpoints that are undeletable from every PC-based endpoint. Absolute’s Remote Work and Distance Learning Center is free for anyone to use and provides an up-to-date, reliable benchmark of endpoint security health. Absolute designed the dashboard to provide data-driven insights into device and data security, device health, device type, device usage and collaboration.

Ivanti Neurons for Unified Endpoint Management (UEM) provides self-healing endpoints that rely on an integrated platform that combines AI, ML and bot technologies to identify anomalies in endpoints and act to restore them. Ivanti invests in adjacent technologies to improve its insights-driven automation and self-healing, real-time discovery, performance analytics, automated patching and patch management and support for zero-trust security frameworks.

Microsoft Defender 365 is considered one of the most advanced self-healing endpoints for correlating threat data from emails, endpoints, identities and applications. Defender 365’s accuracy is based on how well it “learns” from the continual correlation of threat data from emails, endpoints, identities and applications and then takes autonomous action to remediate malicious or suspicious artifacts. 

What makes Microsoft Defender 365 noteworthy is how well the current release integrates with Azure AD, Defender xDR and Microsoft 365 applications. Real-time, reliable integration to these other Microsoft platforms is driving the adoption of Defender 365 across enterprises today. 

Other notable security resources to consider 

The future of ransomware detection and security is data-driven patch management that prioritizes and quantifies adversarial risk based on threat intelligence, in-the-wild exploit trends and security analyst validation.

Absolute’s Ransomware Response extends the company’s expertise in endpoint visibility, control, resilience and self-healing endpoints to stopping ransomware. What’s unique about Absolute’s approach is how its solution provides security teams with the flexibility to define cyberhygiene and resiliency baselines and assess the strategic readiness across endpoints while monitoring device security posture and sensitive data. 

Ivanti’s string of acquisitions, including Cherwell, MobileIron, Pulse Secure and, most recently, RiskSense to help customers combat ransomware, reflects the company’s vision to provide an excellent user experience combined with full-stack automation. Ivanti’s Ransomware Index Update Q1 2022 found that there’s been a 7.6% jump in the number of vulnerabilities associated with ransomware in Q1 2022, compared to the end of 2021. The report uncovered 22 new vulnerabilities tied to ransomware (bringing the total to 310), with 19 being connected to Conti, one of the most prolific ransomware groups of 2022.

In addition, Microsoft is a market leader in endpoint security, information discovery and retention and cloud access security broker, making Microsoft Defender for Cloud an investment priority for many organizations.

Next steps 

CIOs, CISOs and the organizations they serve need to consider the following steps for better securing edge (IoT) and endpoints across their networks, starting with the 10 things every CISO needs to know about zero trust today.  

• Design PAM and IAM support at the platform level. Getting PAM and IAM right needs to start by first cleaning up access privileges and defining identity and privileged access management at the tech stack level. It’s especially the case in multicloud and hybrid cloud configurations. 

• Look to automate key and digital certificate management. Every machine in a network requires a unique identity to manage and secure machine-to-machine connections and communications. Digital identities are assigned via SSL, SSH keys, code-signing certificates, TLS or authentication tokens. Cyberattackers target SSH keys, bypassing code-signed certificates or compromising SSL and TLS certificates. Therefore, ensuring the accuracy, integrity and reliability of every machine identity is the objective. Leading providers in this area include CheckPoint, Delinea, Fortinet, IBM Security, Ivanti, KeyFactor, Microsoft Security, Venafi, Zscaler and others.  

• Design zero-trust frameworks to also authenticate mobile devices. One of the fastest-growing threat surfaces today is mobile devices because cyberattackers are devising new ways to intercept and steal privileged access credentials from them. Getting visibility and control across mobile devices needs to start on a UEM platform. A UEM platform supports cloud-first OS delivery options, peer-to-peer patch management and remote support. Additionally, CISOs need to consider how UEM platforms are improving user experiences while hardening endpoint detection and response so they can replace VPNs. The Forrester Wave™: Unified Endpoint Management, Q4 2021 Report names Ivanti, Microsoft and VMware as market leaders, with Ivanti having the most fully integrated UEM, enterprise service management and end-user experience management capability.