
How Much Risk Are You Willing to Take?

BrandPost
Sep 30, 2021
5 mins
Security

Credit: iStock

Just as the threat landscape evolves over time, so does security technology. Having been in the cyber security space for more than 15 years, I have witnessed a number of evolutions firsthand. I have seen macro changes such as the rotation of antivirus solutions from the endpoint to the gateway and back again, as well as the bundling of endpoint security products such as antivirus, antispyware, host intrusion prevention, and application control into an endpoint protection platform (EPP). EPP then expanded even further to protect not only the endpoint but also the data residing on it, adding stand-alone data loss prevention, port and device control, full disk encryption and similar capabilities to the platform. Today, new enhancements to protection capabilities complement those focused on detection and response.

Different EPP vendors offer a different mix of technologies. The mix often depends on when the vendor was founded and which customer challenges it was trying to solve at the time. Because vendors often price different combinations of features differently, organizations need to determine which features they need to procure and deploy to reduce their risk to an acceptable level.

Traditional Antivirus: The Ubiquitous Baseline

Today, almost all endpoint devices will at least run a traditional antivirus solution that identifies and blocks known malware. According to Aberdeen Strategy and Research, the median effectiveness of these products is 91.5%. Given the ready availability of traditional antivirus programs within native operating environments and multi-product security suites, the first question organizations should consider is whether an 8.5% likelihood of infection is acceptable.

Endpoint Visibility: Avoiding Blind Spots

That 8.5% risk of infection also reflects the fact that the average enterprise has line of sight into only 2/3 of the devices used in the organization. The remaining 1/3 may have no security configuration or protection at all.

By improving endpoint visibility, organizations are empirically able to reduce that 8.5% to a median of 4.7%. In other words, they cut the likelihood of infection almost in half.

Pre-emptive Control: Reducing the Endpoint Attack Surface

By also enforcing appropriate security configurations, such as which ports and services are available on the device, and shielding known vulnerabilities from exploitation, organizations can reduce that likelihood of infection by more than half again. Aberdeen’s analysis puts the likelihood of compromise when traditional antivirus, improved endpoint visibility and pre-emptive controls are all employed at 3.7%. Although it can be challenging, good cybersecurity hygiene goes a long way toward reducing risk, even before moving to more advanced endpoint security capabilities.

Post-execution: Detecting and Defusing Unknown Malware

To go the extra mile, organizations are increasingly adding dynamic, behavior-based protection, detection and response that addresses unknown malware. By focusing on recurring malicious behaviors rather than specific files, even previously unknown malware can be identified.

In analyzing the effectiveness of these newer technologies across multiple products over time, Aberdeen estimates the median likelihood of a security incident at 0.4%. The analysis assumes, of course, that all of the technologies are properly deployed and enabled.

Key Take-away: What Level of Risk Is Acceptable to You?

To determine the right endpoint security capabilities and select the associated products and vendors, organizations need to decide whether they are comfortable with an 8.5% risk of a security incident. If so, almost any credible endpoint security solution will do. If not, they need to determine which technologies to add in order to reduce that risk, and by how much. Is ~5% risk acceptable? 3.5%? Less than 1%? The answer will guide your endpoint security approach.

Impact: The Second Variable

As a final note, to quantify the business decision, both the likelihood (discussed above) and the impact of an incident need to be taken into account. A recent ransomware survey revealed that an astonishing 67% of organizations have been a ransomware target, and if the high-profile ransomware incidents of 2021 are any indication, the impact can be high, including paying ransom demands, lost productivity while systems are restored, and business impacts from the loss of intellectual property.

Organizations should carefully consider their risk tolerance before sticking with a traditional endpoint security product they got “for free” because it was already licensed. On the flip side, they also shouldn’t rush to select the latest “hot” endpoint security technology that might not include the capabilities to handle the basics of good cyber hygiene, or one that sits in a silo and adds complexity by not integrating well with other security solutions. Another investment consideration is not new technology at all but training and education for employees, since 85% of data breaches involve human interaction, according to the 2021 Verizon Data Breach Investigations Report.

With so many factors to consider, there is no single right answer for everyone, so think it through. By taking into account both the financial impacts of purchasing solutions to mitigate attacks and the financial impacts of an attack itself, while also asking the question, “How much risk am I willing to take?” you will find the best course of action for your organization.
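The two variables above, likelihood and impact, can be put into a small decision model. The following is an added example, not code from the article or from Fortinet: it takes the four Aberdeen median likelihoods quoted above as cumulative tiers, attaches an assumed annual control cost to each (constructed placeholders, not figures from the page), and for an assumed impact per incident computes the expected loss, the total cost of each tier, the cheapest tier within a stated likelihood tolerance, and the break-even impact at which a more capable tier starts paying for itself. The tier names, costs and impact values are illustrative assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Tier:
    """One cumulative level of endpoint security capability."""
    name: str
    likelihood: float    # median annual probability of an incident (article's figures)
    annual_cost: float   # constructed placeholder: licence, deployment and operations per year


# Likelihoods are the Aberdeen medians quoted in the article; the costs are
# constructed placeholders for illustration only, not figures from the page.
TIERS: List[Tier] = [
    Tier("traditional antivirus", 0.085, 20_000.0),
    Tier("+ endpoint visibility", 0.047, 60_000.0),
    Tier("+ pre-emptive controls", 0.037, 90_000.0),
    Tier("+ behavior-based detection and response", 0.004, 180_000.0),
]


def expected_loss(likelihood: float, impact: float) -> float:
    """Annualised expected loss: likelihood of an incident times its cost."""
    return likelihood * impact


def total_cost(tier: Tier, impact: float) -> float:
    """What the organisation pays in a year: the control plus the residual expected loss."""
    return tier.annual_cost + expected_loss(tier.likelihood, impact)


def recommend(tiers: List[Tier], impact: float, max_likelihood: float = 1.0) -> Optional[Tier]:
    """Cheapest tier (control cost + expected loss) among those whose residual
    likelihood is within the stated risk tolerance; None if no tier qualifies."""
    acceptable = [t for t in tiers if t.likelihood <= max_likelihood]
    if not acceptable:
        return None
    return min(acceptable, key=lambda t: total_cost(t, impact))


def breakeven_impact(lower: Tier, higher: Tier) -> float:
    """Incident cost above which the more capable (more expensive) tier becomes
    cheaper overall than the less capable one. Requires higher.likelihood < lower.likelihood."""
    if higher.likelihood >= lower.likelihood:
        raise ValueError("the higher tier must reduce likelihood")
    return (higher.annual_cost - lower.annual_cost) / (lower.likelihood - higher.likelihood)


def report(tiers: List[Tier], impact: float) -> List[str]:
    """Human-readable comparison for one assumed incident impact (one header line plus one per tier)."""
    lines = [f"assumed impact per incident: ${impact:,.0f}"]
    for t in tiers:
        lines.append(
            f"{t.name:<42} likelihood {t.likelihood:5.1%}  "
            f"expected loss ${expected_loss(t.likelihood, impact):>10,.0f}  "
            f"total ${total_cost(t, impact):>10,.0f}"
        )
    return lines


if __name__ == "__main__":
    # Constructed impact values: the cheapest tier changes as the impact grows.
    for impact in (2_000_000.0, 5_000_000.0):
        print("\n".join(report(TIERS, impact)))
        pick = recommend(TIERS, impact)
        print(f"-> lowest total cost: {pick.name}\n")
    print(f"break-even impact, antivirus vs. visibility: "
          f"${breakeven_impact(TIERS[0], TIERS[1]):,.0f}")
```

With these placeholder costs, a $2M incident makes the visibility tier the cheapest overall, while a $5M incident makes the full detection-and-response tier cheapest; passing `max_likelihood` lets a stated tolerance (the ~5%, 3.5% or sub-1% question above) override pure cost. The model is only as good as the impact estimate, which is why the article's second variable matters as much as the first.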

Learn more about Fortinet’s FortiEDR solution and how it has the unique ability to defuse and disarm a threat in real time, even after an endpoint is already infected.