Want to Reduce Your Endpoint Security Risks? Think “Inside the Box”

essidsolutions


Aberdeen outlines why organizations looking to upgrade to, and expand their existing use of, enterprise endpoints based on Windows 10 should think “inside the box” to take advantage of built-in security capabilities to protect firmware, system-level software, and credential stores, as well as ruggedized capabilities for use cases with challenging physical / environmental conditions.

Turning the Page on Windows 7; Dealing with Increasing Attacks on Enterprise Endpoints

Microsoft Windows 7, first released in October 2009, has now reached the formal end of software updates that help to protect enterprise endpoints from security-related threats. As a result, many organizations are looking to upgrade to, and expand their existing use of, systems based on Windows 10.

At the same time, endpoint-related threats and vulnerabilities are relentlessly on the rise. For example:

  • Attackers are more likely to be successful in achieving data breaches on endpoints than on servers.
    Aberdeen’s analysis of empirical data from the Verizon Data Breach Investigation Report series shows that endpoints were more than 2 times more likely to be compromised than servers, trending worse over time (see Figure 1).
  • Attackers are increasingly targeting the growing number of vulnerabilities in endpoint firmware.
    Aberdeen’s analysis of empirical data from the NIST National Vulnerability Database shows that the number of firmware-related vulnerabilities has increased by a factor of 18.6 times over the last 10 years. As a percentage of all vulnerabilities, firmware-related vulnerabilities have increased by a factor of 5 times over this period (see Figure 2). For the first 50 firmware-related vulnerabilities reported in 2020, two-thirds (66%) were categorized as critical or high.

Figure 1: Analysis of Data Breaches by Asset Type Shows That Endpoints are More Likely to Be Compromised, and Trending Worse
Source: Empirical data adapted from Verizon DBIR 2018 (N = 4,020 incidents; 1,530 breaches) and Verizon DBIR 2019 (N = 3,667 incidents; 1,068 breaches); Aberdeen, February 2020

Figure 2: Attackers Are Increasingly Targeting the Growing Number of Vulnerabilities in Endpoint Firmware
Source: Empirical data adapted from NIST National Vulnerability Database 2010-2019 (N = 127,748 public vulnerability disclosures); Aberdeen, February 2020

High-profile examples of attacks on hardware vulnerabilities, such as Meltdown and Spectre in 2018, have brought mainstream attention to a very serious problem with enterprise endpoints: virtually every computer chip deployed over the last 20 years is vulnerable, the likelihood of a successful exploit is high, and the business impact from exposure of personal data or passwords from kernel-memory locations could be significant.

Improving on Existing Protections, With Built-In Endpoint Security Capabilities

In truth, virtually all organizations have already deployed one or more security capabilities to help protect their enterprise endpoints and reduce their security-related risks. For example, Figure 3 shows the findings from Aberdeen’s recent benchmark study on endpoint and mobile security for selected solution categories: anti-virus / anti-malware, device authentication, network access control, and patch management. And yet, as discussed above, these existing protections by themselves are no longer enough to protect against these threats.

Figure 3: Virtually All Organizations Have Deployed One or More Security Capabilities to Help Protect Their Enterprise Endpoints and Reduce Their Security-Related Risks
Source: Aberdeen, February 2020

Fortunately, organizations that are looking to upgrade to or expand the existing use of systems based on Windows 10 now have an additional option, Windows 10 Secured-core PCs, which provides enterprise-class PCs with the following security capabilities natively built-in:

  • Hardware root of trust. Industry standard Trusted Platform Module (TPM) chips provide a hardware-based root of trust, which enables a higher level of assurance than software-only implementations. On-chip security operations, which are executed in a closed hardware environment, include public-key cryptographic functions, integrity measurement functions to protect data from access by malicious code, and attestation functions to provide cryptographic proof that software has not been compromised.
  • Known good state. Secured-core systems boot up into a trusted, “known good” state, protecting against advanced malware attacks at the firmware level.
  • Verified code. The Secured-core OS checks and enforces code integrity, to ensure that all code in the operating system kernel is trustworthy.
  • Protected credentials. Network credentials, data encryption keys, and user identities are isolated and protected from unauthorized access.

In combination with existing endpoint security controls and countermeasures, these additional levels of security (hardware, firmware, operating system, and identities) are designed to protect against the new and emerging attacks on enterprise endpoints.

Built-in Physical / Environmental Protections, As Well

For organizations with use cases that involve challenging physical / environmental conditions (such as shock, vibration, temperature, humidity, dust, moisture, and so on), as well as the ubiquitous cyber security threats, Secured-core PCs are also available in ruggedized versions that are designed to protect against these issues. Common examples include:

  • Law Enforcement, First Responders, Defense
  • Healthcare
  • Manufacturing
  • Field Service

Selected ruggedized Secured-core PCs also offer a variety of customizable configurations that are designed to provide additional layers of security and identity protection, such as: multiple, removable solid-state drives (SSDs); back-facing and front-facing cameras; and fingerprint, smart card, and contactless card readers.

Summary and Key Takeaways

Endpoint-related threats and vulnerabilities are relentlessly on the rise; for example:

  • Microsoft Windows 7 has reached the formal end of software updates that help to protect enterprise endpoints from security-related risks.
  • In general, attackers are more likely to be successful in achieving data breaches on endpoints than on servers.
  • Attackers are increasingly targeting vulnerabilities in endpoint firmware.
  • High-profile examples of attacks on hardware vulnerabilities, such as Meltdown and Spectre in 2018, have brought mainstream attention to a very serious problem.
  • Existing endpoint security protections by themselves are no longer enough to protect against these issues.

Secured-core PCs provide organizations with an additional, attractive option as they look to upgrade or expand their existing use of systems based on Windows 10, in three complementary dimensions:

  • Natively built-in security capabilities that are designed to protect firmware, system-level software, and credential stores against new and emerging cyber security threats.
  • Ruggedized versions that are designed to protect against challenging physical / environmental conditions, in use cases such as those commonly found in law enforcement, defense, healthcare, manufacturing, and field service.
  • Customizable configurations for selected ruggedized versions, which are designed to provide additional layers of security and identity protection.

Aberdeen Strategy & Research, a division of Spiceworks Ziff Davis, with over three decades of experience in independent, credible market research, helps illuminate market realities and inform business strategies. Our fact-based, unbiased, and outcome-centric research approach provides insights on technology, customer management, and business operations, to inspire critical thinking and ignite data-driven business actions.