Endpoint Security: Why Organizations Need to Move Beyond Signature-based Detection


Today, endpoint security solutions are indispensable for organizations securing an array of connected devices. The global endpoint security market is predicted to grow at a CAGR of 8% until 2026, indicating rising adoption across sectors. However, quality matters: traditional signature-based malware detection is no longer sufficient to keep threats at bay. Here's a look at the key components of a robust endpoint security solution and research-based insights into their effectiveness.

The concept of endpoint security has traditionally revolved around securing corporate networks and all devices attached to them by putting a system in place to detect known malware and isolate and destroy them before they spread across the network. McAfee terms endpoint security as “cybersecurity’s frontline” and a must-have for organizations to secure an increasing number of endpoints.

Thousands of new malware variants are discovered every year, and cybersecurity vendors and SOC teams release patches and update their anti-malware solutions to blunt their effectiveness. The timely release of security patches is a very effective way to defeat malware campaigns. According to data collated by Aberdeen Strategy & Research, endpoint security solutions that detect and isolate malware based on their signatures can prevent 91.5% of endpoint devices from getting infected.


Why the Days of Signature-based Malware Detection Are Over

It is, however, an uphill task for organizations to rely on signature-based detection at all times. Every year, cybercriminals create millions of malware varieties to defeat signature-based detection, evade detection, and move laterally within networks. In 2021, Kaspersky's detection systems discovered as many as 380,000 malicious files per day, 20,000 more than the number of such files found in the previous year.

The security firm found that malicious hackers frequently used Trojan droppers in 2021 to deliver other, more sophisticated malware to a victim's device. They also started spreading threats targeting the Linux operating system, in contrast to the traditional practice of spreading threats as Windows PE files, a file format specific to Windows operating systems.

Given the speed at which new malware varieties are released, detecting them and issuing patches is a race against time, especially when the cybersecurity industry is woefully short of skilled professionals and resources. It is also a fact that many organizations fall short when it comes to applying patches on time, and more critically, enterprise IT security teams lack visibility over a large number of endpoint devices.

Since early 2020, the number of endpoint devices deployed by organizations rose significantly to accommodate the rapid switch to hybrid work. According to data from Mordor Intelligence, in the EU’s healthcare industry alone, the number of IoT devices increased from 2.79 million in 2019 to 6.05 millionOpens a new window in 2022 and is expected to touch 10.34 million by 2025. The firm says the rapid deployment of IoT devices has exacerbated a lack of visibility, impacting organizations’ vulnerability to fileless malware, advanced attacks, and evasive threats.

According to Aberdeen Strategy & Research, an average of 33% of endpoint devices (ranging from 5% to 80%) on an enterprise network are not visible to the IT security staff. Considering that between 4.7% and 8.5% of endpoint devices are likely infected with malware, a lack of visibility increases the likelihood of malware spreading to other devices.

The research firm also says that endpoint devices are vulnerable to zero-day exploits for up to 52 days before a vendor patch is available. At least 20% of endpoint devices remain unpatched 90 days after a zero-day, partly because vendor patches are unavailable and partly because available vendor patches are not applied.

Device discovery, posture assessment, and virtual patching

To overcome this crisis, the endpoint security industry has evolved to accommodate the principle of zero trust. This ensures that all endpoint devices, such as laptops, desktop PCs, mobile devices, or IoT devices, are authenticated and monitored round the clock. Another new capability in endpoint solutions is assessing device posture. This gives SOC teams visibility into the operating system, installed software, version levels, signature updates, patch levels, security policies, user identities, network interfaces, and other identifiers.

Both device discovery and device posture assessment ensure organizations can carry out pre-emptive patching of vulnerable devices and software before hackers can exploit inherent vulnerabilities. Aberdeen states that while signature-based detection ensures the likelihood of endpoint infection is contained at 8.5%, a package of signature-based detection, device discovery, and pre-emptive device posture reduces the possibility of endpoint infection to just 4.7%.
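As an added illustration (not code from the article or from Aberdeen's research), the following Python pass combines the two capabilities just described: it measures the visibility gap between hosts seen on the network and the agent inventory, and flags managed endpoints whose patch level is past the article's 52-day zero-day window or 90-day unpatched mark. All device records are constructed, and the 14-day signature-age limit is an assumed house policy.

```python
from datetime import date

# Thresholds taken from the article: endpoints are exposed to zero-day exploits
# for up to 52 days before a vendor patch exists, and 20% are still unpatched
# 90 days later. The signature-age limit is an assumed house policy.
ZERO_DAY_WINDOW_DAYS = 52
UNPATCHED_SLA_DAYS = 90
SIGNATURE_MAX_AGE_DAYS = 14
AS_OF = date(2022, 9, 5)  # assessment date for the constructed data below

# Constructed sample data (not real devices): what EDR agents report per host.
AGENT_INVENTORY = {
    "lt-0001": {"os": "Windows 11 22H2", "patched": date(2022, 8, 20), "signatures": date(2022, 9, 1)},
    "lt-0002": {"os": "Windows 10 21H2", "patched": date(2022, 5, 15), "signatures": date(2022, 6, 1)},
    "srv-0003": {"os": "Ubuntu 20.04", "patched": date(2022, 7, 1), "signatures": date(2022, 9, 1)},
}
# Constructed: hosts observed on the network (e.g. from DHCP leases or ARP scans).
NETWORK_HOSTS = {"lt-0001", "lt-0002", "srv-0003", "cam-0004", "printer-0005"}


def visibility_gap(inventory, network_hosts):
    """Hosts seen on the network with no agent record, and their share in percent."""
    unmanaged = sorted(set(network_hosts) - set(inventory))
    return unmanaged, round(100 * len(unmanaged) / len(network_hosts), 1)


def assess_posture(record, today=AS_OF):
    """Posture findings for one managed endpoint as (issue, age_in_days) pairs."""
    findings = []
    patch_age = (today - record["patched"]).days
    sig_age = (today - record["signatures"]).days
    if patch_age > UNPATCHED_SLA_DAYS:
        findings.append(("unpatched_past_sla", patch_age))
    elif patch_age > ZERO_DAY_WINDOW_DAYS:
        # A vendor patch is likely available by now but has not been applied.
        findings.append(("past_zero_day_window", patch_age))
    if sig_age > SIGNATURE_MAX_AGE_DAYS:
        findings.append(("signatures_stale", sig_age))
    return findings


def patch_worklist(inventory, today=AS_OF):
    """Endpoints needing pre-emptive patching, most findings first."""
    report = {name: assess_posture(rec, today) for name, rec in inventory.items()}
    return sorted(((n, f) for n, f in report.items() if f), key=lambda nf: -len(nf[1]))


if __name__ == "__main__":
    unmanaged, pct = visibility_gap(AGENT_INVENTORY, NETWORK_HOSTS)
    print(f"{pct}% of observed hosts have no agent: {unmanaged}")
    for name, findings in patch_worklist(AGENT_INVENTORY):
        print(name, findings)
```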

Derek Brink, vice president and research fellow at Aberdeen Strategy & Research, says that today, between 80% and 90% of malware is not previously known. Threat actors have moved aggressively towards more sophisticated approaches such as polymorphic malware and fileless attacks. "This is why signature-based approaches are no longer enough to reduce the likelihood of a compromise to an acceptable level," he says.


Enter Managed Detection and Response

Brink says adhering to zero trust, conducting signature-based detection, and assessing device posture are highly effective prevention mechanisms. Still, it’s unrealistic to think that any prevention-only strategy can be 100% effective. Organizations also have to invest heavily in post-incident capabilities to respond and recover more effectively from compromises. However, this is easier said than done.

Aberdeen found that it takes an organization between 46 minutes and 46 weeks (median: 59 hours) to detect, investigate, and recover from a security incident. Only 45% of all security alerts are automated, and 39% are resolved by Tier 1 staff. But the sheer scale of alerts that need investigation can stress existing staff, especially when most SOC teams are understaffed.

The inability of an organization to quickly detect, investigate, and respond to security incidents can also result in financial loss. Aberdeen states that the median annual impact of ransomware for an organization of 1,000 employees and 10TB of data to back up and recover is about $490,000 per year, and 10% of ransomware attacks can take $2.5 million per year to recover from. Also, the median cost of a data breach for an organization with $10 billion in annual revenue, 25,000 employees, and $1 billion in annual revenue from intellectual property data is $3.4 million per year ($200 million per year max).

This is where Managed Detection and Response (MDR) comes in. According to Check Point, an MDR service provides security monitoring and management across an organization's entire IT environment. The service comes with proactive threat hunting capabilities, 24/7/365 monitoring, and specialized incident response teams that quickly respond to security incidents, reducing an organization's reliance on internal SOC teams. Brink says leading solutions providers are now offering Managed Detection and Response solutions as a natural complement to Endpoint Detection and Response (EDR).

Most modern EDR and MDR solutions today offer two critical security capabilities that improve an organization's security posture. The first is pre-emptive virtual patching, which automates the patching of vulnerable devices and software to eliminate the possibility of delayed patching or human error. Combining virtual patching with signature-based detection, device discovery, and pre-emptive device posture reduces the likelihood of endpoint infection to just 3.7%.

Another robust EDR/MDR feature is dynamic endpoint detection and response. This comes with post-execution capabilities like stopping processes, blocking or deleting files, and remotely isolating or shutting down affected devices. It also applies dynamic analysis to monitor files and fileless behaviors: how they are formed, accessed, and executed. When combined with virtual patching, signature-based detection, device discovery, and pre-emptive device posture, dynamic EDR reduces the likelihood of endpoint infection to just 0.4% on average. This represents a reduction of 95% compared to EDR solutions based only on traditional signature-based detection, says Brink.

Choosing the right EDR solution for your organization

Modern EDR solutions feature advanced and dynamic capabilities to reduce the likelihood of malware infection (and to outperform competitors). For instance, network detection and response (NDR) solutions provider Vectra offers a unified NDR and EDR experience in a single UI, with turnkey integrations that provide comprehensive security coverage across the enterprise, IoT devices, hybrid cloud, and cloud-native applications. The Vectra Host Lockdown feature lets the Vectra Cognito platform automatically disable hosts that show suspicious activity at the endpoint, and lets analysts manually disable hosts during a security investigation. This gives the Security Operations Center (SOC) more time to investigate and remediate attacks.

Similarly, AT&T Managed Endpoint Security, launched in partnership with SentinelOne, correlates the detection of endpoint threats through a single software agent that consolidates antivirus, endpoint protection, EDR, and IoT security functions. The service tracks every process on and between each endpoint by applying AI and ML that reside on the agent to identify and counteract threats at machine speed.

To choose the endpoint detection and response solution that best suits your organization's needs, you may also refer to a comprehensive review and comparison of 19 leading EDR solutions by the independent ISO-certified security testing lab AV-Comparatives. The research compares EDR services offered by the likes of Acronis, Avast, Bitdefender, Cisco, CrowdStrike, Cybereason, Elastic, ESET, FireEye, G Data, K7, Kaspersky, Malwarebytes, Microsoft, Panda, Sophos, VIPRE and VMware on parameters like real-world protection, malware protection, and performance.

Do you think signature-based endpoint security is still relevant in 2022? Comment below or let us know on LinkedIn, Twitter, or Facebook. We would love to hear from you!