Blog | Jun 17, 2020

A Call for Modern Endpoint Security in a Distributed World

There has never been a more relevant time to make the case for modern endpoint security solutions than today’s business climate of massive, globally distributed workforces.

Endpoints have always been a favourite attack point for adversaries. In Nuix’s second annual Black Report, 54 percent of surveyed cyberattackers reported they could breach a target’s perimeter, identify critical data and exfiltrate it in under 15 hours. Fifty-nine percent of attackers also identified social engineering, phishing, ransomware and other endpoint-originated attacks as their favourite and most successful vector. In the 2020 CrowdStrike Global Threat Report, the time an adversary needed to achieve lateral movement after initial compromise was just under 19 minutes for nation-state attackers, with a global average of 4 hours 37 minutes across all threat groups. In contrast, dwell time, the period from undetected intrusion to containment, has extended to 243 days[1] for organisations across the U.K.

With distributed workforces in play, minimising detection-to-remediation timeframes has never been more critical, especially with 68 percent of organisations reporting an endpoint attack that compromised assets, according to the 2020 State of Endpoint Security Risk Study. And for many organisations in the U.K., it is seemingly impossible to adhere to recommended standards such as CrowdStrike’s 1-10-60 rule, which says companies should aim for 1 minute to detect a threat, 10 minutes to triage it, and 60 minutes to contain its impact.

As budgets tighten due to current economic conditions, cybersecurity teams are challenged with adapting endpoint defences to an increasingly exposed attack vector. The information and tables below serve as guidance and justification for strengthening endpoint protection by quantifying the probability of an endpoint breach and the yearly risk it incurs.

Probability of one or more endpoint incidents in a 12-month time period in the U.K.

This table indicates the probability of one or more bypasses of existing endpoint controls, based on data observed by eSentire’s Security Operations Centre (SOC). Notice that as the number of locations (and with it the number of endpoints) increases, the probability of an endpoint incident increases with exposure. This data, however, does not imply that an incident results in data disclosure.

| Locations   | 1   | 2   | 3   | 4   | 5   | 6   | 7   | 8   | 9   | 10  |
|-------------|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
| Probability | 19% | 35% | 47% | 58% | 66% | 72% | 78% | 82% | 85% | 88% |

Probability of an endpoint incident and that incident resulting in data disclosure across the U.K.

This table indicates the probability of one or more incidents occurring and at least one of them converting to data disclosure. These percentages are lower than in the previous table because they account for the conversion rate of incidents to data disclosure. They assume a minimum of one incident in a 12-month period and are calculated by multiplying the probabilities in the table above by the incident-to-disclosure conversion rate for all global industries (29.6%).

| Locations   | 1    | 2     | 3     | 4     | 5     | 6     | 7     | 8     | 9     | 10    |
|-------------|------|-------|-------|-------|-------|-------|-------|-------|-------|-------|
| Probability | 5.6% | 10.4% | 13.9% | 17.2% | 19.5% | 21.3% | 23.1% | 24.3% | 25.2% | 26.0% |

Incurred yearly risk

Using the probability of an incident and that incident converting to data disclosure, the value of incurred risk can be calculated. Based on the Ponemon cost per record lost in a data breach scenario in the U.K., the table below represents the minimum value an organisation must account for with at least one endpoint incident in a 12-month period. The incurred yearly risk depends on the projected number of records that could be lost in a breach, which the table shows for 1,000 to 100,000 records lost. These values indicate only the incurred risk; the cost of an actual breach, when and if one occurs, would be far greater. Incurred risk is similar to the way insurance providers calculate their financial outlay for customers: acknowledging that an event (here, a data breach) will happen, incurred yearly risk is the amount they must set aside to cover it when it does occur. Note that the greater the number of incidents, the greater the financial risk outlay; however, each incident is independent in terms of projected records lost.

Columns 1,000 to 100,000 give the incurred yearly risk (GBP) for the projected number of records lost in a data breach scenario.

| Locations | Probability of an incident and that incident converting to data disclosure | 1,000   | 5,000    | 10,000   | 25,000     | 50,000     | 100,000    |
|-----------|-----------------------------------------------------------------------------|---------|----------|----------|------------|------------|------------|
| 1         | 5.60%                                                                       | £8,680  | £43,400  | £86,800  | £217,000   | £434,000   | £868,000   |
| 2         | 10.40%                                                                      | £16,120 | £80,600  | £161,200 | £403,000   | £806,000   | £1,612,000 |
| 3         | 13.90%                                                                      | £21,545 | £107,725 | £215,450 | £538,625   | £1,077,250 | £2,154,500 |
| 4         | 17.20%                                                                      | £26,660 | £133,300 | £266,600 | £666,500   | £1,333,000 | £2,666,000 |
| 5         | 19.50%                                                                      | £30,225 | £151,125 | £302,250 | £755,625   | £1,511,250 | £3,022,500 |
| 6         | 21.30%                                                                      | £33,015 | £165,075 | £330,150 | £825,375   | £1,650,750 | £3,301,500 |
| 7         | 23.10%                                                                      | £35,805 | £179,025 | £358,050 | £895,125   | £1,790,250 | £3,580,500 |
| 8         | 24.30%                                                                      | £37,665 | £188,325 | £376,650 | £941,625   | £1,883,250 | £3,766,500 |
| 9         | 25.20%                                                                      | £39,060 | £195,300 | £390,600 | £976,500   | £1,953,000 | £3,906,000 |
| 10        | 26.00%                                                                      | £40,300 | £201,500 | £403,000 | £1,007,500 | £2,015,000 | £4,030,000 |
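To make the arithmetic behind the second and third tables reproducible for your own numbers, here is an added example (not code from the post or from eSentire) that rebuilds them from the inputs the post states: the per-location incident probabilities of the first table and the 29.6% incident-to-disclosure conversion rate. The Ponemon cost per record is not printed in the post; the £155 used here is back-calculated from its own figures (£8,680 ÷ (5.6% × 1,000 records)) and is an assumption, as are the function names.

```python
"""Rebuild the endpoint-risk tables: expected annual loss = P(disclosure) x records x cost/record.

Added example, not code from the original post. Inputs marked "from the post"
are copied from its tables; COST_PER_RECORD_GBP is back-calculated, not stated there.
"""

CONVERSION_RATE = 0.296       # from the post: incidents that convert to data disclosure, all global industries
COST_PER_RECORD_GBP = 155     # assumption: back-calculated as 8,680 / (0.056 * 1,000) from the post's table
RECORDS_LOST = (1_000, 5_000, 10_000, 25_000, 50_000, 100_000)   # columns of the third table

# From the post's first table: probability of one or more endpoint incidents in 12 months.
INCIDENT_PROBABILITY = {
    1: 0.19, 2: 0.35, 3: 0.47, 4: 0.58, 5: 0.66,
    6: 0.72, 7: 0.78, 8: 0.82, 9: 0.85, 10: 0.88,
}


def disclosure_probability_pct(locations, conversion_rate=CONVERSION_RATE):
    """Second table: P(>=1 incident) x conversion rate, as a percentage rounded to one decimal."""
    return round(INCIDENT_PROBABILITY[locations] * conversion_rate * 100, 1)


def incurred_yearly_risk_gbp(locations, records, cost_per_record=COST_PER_RECORD_GBP,
                             conversion_rate=CONVERSION_RATE):
    """Third table: expected annual loss in GBP for a given location count and records-lost scenario.

    The rounded percentage is used, as the post does, so the results match its table exactly.
    """
    pct = disclosure_probability_pct(locations, conversion_rate)
    return round(pct / 100 * records * cost_per_record)


def risk_table(max_locations=10):
    """Whole third table as {locations: (disclosure %, {records_lost: incurred risk in GBP})}."""
    return {
        n: (disclosure_probability_pct(n),
            {r: incurred_yearly_risk_gbp(n, r) for r in RECORDS_LOST})
        for n in range(1, max_locations + 1)
    }


def print_risk_table():
    """Render the table in the same layout as the post for side-by-side comparison."""
    print("Locations  P(disclosure)  " + "  ".join(f"{r:>10,}" for r in RECORDS_LOST))
    for n, (pct, row) in risk_table().items():
        print(f"{n:>9}  {pct:>12.1f}%  " + "  ".join(f"£{row[r]:>9,}" for r in RECORDS_LOST))


if __name__ == "__main__":
    print_risk_table()
```

Replacing `INCIDENT_PROBABILITY`, `CONVERSION_RATE` and `COST_PER_RECORD_GBP` with figures from your own SOC data and the breach-cost study you trust turns this into a first-pass annual loss expectancy for your own estate; the structure (probability of the event, times the probability it becomes a disclosure, times impact) is the same one the post applies.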

While these calculations are intended to raise awareness of endpoint risk across the U.K., incurred risk will vary in accordance with a number of factors including industry, existing security controls and contextual threat landscape applicable to individual organisations.

With a growing number of customisable tools and the use of fileless malware, threat actors will continue to break through endpoint defences with record speed and precision. The value of advanced endpoint security is irrefutable, and when it is combined with network, log and cloud telemetry, organisations can further accelerate detection and containment.

That’s why CrowdStrike and eSentire have joined forces to bring cloud-delivered Managed Detection and Response (MDR) solutions to the mid-market with esENDPOINT, powered by CrowdStrike. Leveraging CrowdStrike’s endpoint protection platform and eSentire’s proprietary technology stack, which identifies elusive threats across network, endpoint and cloud sources, organisations gain comprehensive visibility across their dynamically changing environments no matter where users or data reside. Aligning with CrowdStrike’s 1-10-60 rule, eSentire’s SOC averages 35 seconds to detection and 20 minutes to containment, thereby minimising the probability of a breach and the risk to business operations. Read the full case study here.

Wes Hutcherson

Director of Product Marketing

As eSentire's Director of Product Marketing, Wes oversees market intelligence, competitive research and go-to-market strategies. His multi-faceted technology experience spans over a decade with market leaders such as Hewlett-Packard and Dell SecureWorks.