Why a Cloud-Native EPP is Critical for Futureproof Security Operations

The past two months will be a source of endless future research. Within the span of days, large portions of the world transitioned from office-based work to a fully distributed, work-from-home environment. Heads of security globally are facing the task of enabling the business to operate remotely while ensuring it remains secure. Over the past several weeks we've seen adversaries increase their rate of attack and quickly adopt techniques that take advantage of this situation.

The enormity of the task of securing a suddenly distributed workforce is made clear by two factors:

  1. The security operations team and its supporting tech stack are accustomed to, and designed around, on-premises operation.
  2. The toolset used to protect the company is, in many cases, designed for on-premises operation as well.

The answer to both challenges is to adopt cloud-native protection.

Two months ago, security best practice was to build a balanced apparatus combining network monitoring, traffic and DNS filtering, and endpoint protection. These past two months have rendered the network-based controls all but useless: a workforce that never touches the corporate network never passes through them. We now live in a world where the endpoint is the only enterprise asset in an otherwise hostile network.

Among endpoint solutions, there is a staggeringly clear distinction between those that are cloud-native and those whose cloud capabilities are non-existent or, at best, partial.

The differences fall into several categories:

  • Security - Can the tool keep performing its protective actions, processing alerts, and enforcing policy over long periods, potentially days or weeks, of being removed from the corporate environment?
  • Operations - Can the tool continue to deliver real-time reporting and alerting, and do those alerts remain viewable and actionable when the endpoint has been disconnected from the corporate network for a long time? Many legacy EPP solutions only stream their alerts to an on-premises collector and cannot deliver them at all when the endpoint is off the corporate LAN, which leaves the SOC blind to exactly the machines that are most exposed.
  • Management - Rapid, daily change is the new norm. Can your solution change policy configuration, push new configurations and allow/block lists (white and black lists) to every endpoint wherever it is, and confirm in real time that those policies were actually applied? If you are still using legacy vendors, you may have a problem here.
  • Updates - The Achilles' heel of legacy products is their utter reliance on daily, often hourly, malware definition updates. Some vendors can now fall back to cloud delivery for those definitions, but many still lack proper reporting and verification of whether the update actually reached each endpoint and succeeded. More fundamentally, machine learning-based NGAV solutions do not depend on such definition updates: the models driving these products do not play the cat-and-mouse game of chasing the most recent signatures. Their models are still refreshed, but on a cadence of weeks or months rather than hours, and an endpoint that misses one refresh does not lose detection of new variants the way an endpoint with stale signatures does.
  • Advanced Security - All of the above assumes a steady state in risk and threat. This is clearly not the case. We are seeing an increase in COVID-19 related phishing, while other attackers step up their operations in the belief that the global pandemic will mask their cyber operations. Many legacy vendors (looking at you, Symantec and McAfee) have tried to retrofit an EDR stack and advanced security onto their product. These retrofits are often bound to on-premises use cases and lose most of their value in our new, off-premises reality.
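The Operations, Management and Updates points above share a single practical question: for every endpoint, do you actually know whether it is reporting, whether its definitions are current, and whether the policy you pushed was applied? The following is an added example, not code from the original post or from Cybereason: a small fleet audit over constructed agent check-in records. The record fields (`last_checkin`, `channel`, `definitions_ts`, `policy_version`) and the thresholds are assumptions, not any vendor's schema; the point is the logic, in particular that a silent agent whose last contact went to an on-premises collector is most likely off the LAN with its alerts stranded, which is a different finding from a cloud-reporting agent that has simply stopped.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


# Constructed sample telemetry: the kind of per-agent record a management
# console exports. Field names are assumptions, not any vendor's schema.
@dataclass
class AgentRecord:
    host: str
    last_checkin: datetime    # last successful contact with a management plane
    channel: str              # "cloud" or "lan_collector": where that contact went
    definitions_ts: datetime  # build time of the definition/model set the agent reports
    policy_version: int       # policy revision the agent confirms it applied


# Fixed "now" so the example is deterministic and runs offline.
NOW = datetime(2020, 5, 1, 12, 0, tzinfo=timezone.utc)
CURRENT_POLICY = 42  # the revision the SOC pushed this morning (assumed)

SAMPLE = [
    AgentRecord("ws-finance-01", NOW - timedelta(hours=1), "cloud",
                NOW - timedelta(hours=6), 42),
    AgentRecord("ws-sales-07",   NOW - timedelta(days=9), "lan_collector",
                NOW - timedelta(days=9), 37),
    AgentRecord("ws-eng-12",     NOW - timedelta(hours=2), "cloud",
                NOW - timedelta(days=5), 42),
    AgentRecord("ws-hr-03",      NOW - timedelta(days=3), "cloud",
                NOW - timedelta(days=3), 42),
]


def audit_fleet(records, now=NOW, current_policy=CURRENT_POLICY,
                max_checkin_age=timedelta(hours=24),
                max_definition_age=timedelta(days=2)):
    """Return {host: [finding, ...]}; an empty list means the host is healthy."""
    findings = {}
    for r in records:
        issues = []
        silent = now - r.last_checkin > max_checkin_age
        if silent and r.channel == "lan_collector":
            # Last contact was an on-prem collector and nothing since: the host
            # is very likely off the LAN, so any alert it raises cannot reach you.
            issues.append("blind_off_lan")
        elif silent:
            # A cloud-reporting agent that stopped: agent dead, blocked, or host off.
            issues.append("agent_silent")
        # Stale definitions are flagged independently of check-in state, because
        # an agent can check in fine and still fail to pull its updates.
        if now - r.definitions_ts > max_definition_age:
            issues.append("stale_definitions")
        if r.policy_version != current_policy:
            issues.append("policy_not_applied")
        findings[r.host] = issues
    return findings


def summarize(findings):
    """Count hosts per finding type so the numbers can go on a dashboard."""
    counts = {}
    for issues in findings.values():
        for issue in issues:
            counts[issue] = counts.get(issue, 0) + 1
    counts["clean"] = sum(1 for issues in findings.values() if not issues)
    return counts


if __name__ == "__main__":
    result = audit_fleet(SAMPLE)
    for host, issues in result.items():
        print(f"{host:15} {', '.join(issues) or 'ok'}")
    print(summarize(result))
```

Run against a real export, the `blind_off_lan` count is the number of machines your SOC cannot hear from right now, and `policy_not_applied` tells you how much of this morning's change actually landed; both are numbers a cloud-native console gives you directly and a LAN-bound collector cannot.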

In the industry as a whole, we have been talking about the implosion of the perimeter and our transition to a zero-trust model. We imagined this would take years. Then COVID-19 came and we had to make that transition in a week. In the new world, we really have four types of assets: cloud infrastructure, SaaS, identity, and endpoints. Endpoints are our most important point of control over our security posture. If our own tools are not built for these pillars, they become another problem instead of the solution.

Start ensuring business disruption is a thing of the past with a deployment that takes a matter of hours and is designed to do “no harm” while your team transitions to a new and better prevention solution.

About the Author

Yonatan Striem-Amit

Yonatan Striem-Amit, CTO and Co-Founder of Cybereason, is a machine learning, big data analytics and visualization technology expert, with over a decade of experience applying analytics to security in the Israeli Defense Forces and Israeli Governmental Agencies.
