Endpoint monitoring and management
As we move forward into 2021, despite all the changes that the WFA (Work from Anywhere) shift has wrought, most of us consider desktops and laptops the most vulnerable targets.
Illustration: Karthikeyan Ganesh
But I would argue that M365 has increasingly become the true target of choice, and I have focused a great deal of attention on it, treating it much like an endpoint.
Start with the basics
Today’s table stakes include effective patch management for our endpoints, and most of us rely on our RMM for this. DNS filtering for our endpoints is also a must, whether they sit behind a firewall, in a home, or on the move; this has become much easier now that most solutions include mobile agents. I would also argue that encryption of every endpoint, or at least the mobile ones, is now a baseline requirement. Just a year or two ago, I would have finished this list with traditional antivirus protection. But traditional signature-based antivirus just does not cut it in 2021.
Endpoint monitoring, detection, and response
Traditional antivirus has been recast as a more capable set of protections known as EDR (endpoint detection and response). Big names here include Cylance, SentinelOne, and others. These solutions protect against common malware as well as newer variants collectively known as fileless malware, such as script- and registry-based attacks. Rather than matching “fingerprints” (file signatures), they identify aberrant behaviors. As a bonus, their protection does not degrade in the absence of frequent updates, a real plus for your traveling endpoints.
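The contrast the paragraph draws between “fingerprints” and aberrant behavior is easy to see in code. The following is an added illustration, not code from any EDR product named above: it runs a hash-based signature check and a handful of behavioral rules over constructed process-creation events. The events, the “known-bad” hash, the rule names and the placeholder command lines are all assumptions made for the example; the point is that a recompiled sample and a fileless launch leave the signature check blind while the behavioral rules still fire.

```python
"""Signature matching versus behaviour-based detection over constructed process events.

Added illustration, not code from any EDR product: events, hashes and rules are
constructed here to show why a hash lookup misses fileless activity that a
behavioural rule still catches.
"""
import hashlib
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ProcessEvent:
    parent: str        # image name of the parent process
    image: str         # image name of the newly created process
    cmdline: str       # command line of the new process
    file_bytes: bytes  # constructed stand-in for the executable's bytes on disk


# Constructed "signature database": a single known-bad file hash.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"constructed-malware-v1").hexdigest()}

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def signature_verdict(ev: ProcessEvent) -> bool:
    """Classic AV: flag only when the file's hash is already in the database."""
    return hashlib.sha256(ev.file_bytes).hexdigest() in KNOWN_BAD_SHA256


# Behavioural rules look at who launched the process and what it is doing,
# not at the bytes of the file. Rule names are constructed for this example.
BEHAVIOUR_RULES = [
    ("office application spawning a script host",
     lambda ev: ev.parent.lower() in OFFICE_APPS and ev.image.lower() in SCRIPT_HOSTS),
    ("encoded or hidden PowerShell command line",
     lambda ev: ev.image.lower() == "powershell.exe"
     and any(t in ev.cmdline.lower() for t in ("-enc", "-encodedcommand", "-windowstyle hidden"))),
    ("Run-key persistence written via reg.exe",
     lambda ev: ev.image.lower() == "reg.exe" and "currentversion\\run" in ev.cmdline.lower()),
]


def behaviour_verdict(ev: ProcessEvent) -> List[str]:
    """EDR-style: return the name of every behavioural rule the event trips."""
    return [name for name, matches in BEHAVIOUR_RULES if matches(ev)]


def triage(events: List[ProcessEvent]) -> List[Tuple[str, bool, List[str]]]:
    """One (image, signature_hit, behaviour_hits) row per event."""
    return [(ev.image, signature_verdict(ev), behaviour_verdict(ev)) for ev in events]


# Constructed sample telemetry, not from any real incident.
SAMPLE_EVENTS = [
    # 1. known sample: hash matches, nothing odd about how it was launched
    ProcessEvent("explorer.exe", "update.exe", "update.exe", b"constructed-malware-v1"),
    # 2. same sample rebuilt: one byte differs, so the hash no longer matches
    ProcessEvent("explorer.exe", "update.exe", "update.exe", b"constructed-malware-v2"),
    # 3. fileless: a document launches PowerShell with an encoded command
    #    (the base64 here decodes to the harmless string "hello"; powershell.exe
    #    itself is a legitimate binary, so there is no bad file to fingerprint)
    ProcessEvent("winword.exe", "powershell.exe",
                 "powershell.exe -WindowStyle hidden -enc aABlAGwAbABvAA==", b"constructed-powershell"),
    # 4. registry-based persistence set from a shell; no new file is dropped
    ProcessEvent("cmd.exe", "reg.exe",
                 r'reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v upd /d "<constructed path>"',
                 b"constructed-reg"),
    # 5. benign activity for comparison
    ProcessEvent("explorer.exe", "notepad.exe", "notepad.exe notes.txt", b"constructed-notepad"),
]


if __name__ == "__main__":
    for image, sig, beh in triage(SAMPLE_EVENTS):
        print(f"{image:15} signature={str(sig):5} behaviour={beh}")
```

Rows 2 to 4 are the ones that matter: the signature check returns False for all three, while the behavioral rules flag the document-spawned encoded PowerShell and the Run-key write. A real EDR evaluates far richer telemetry (parent chains, memory, network), but the shape of the decision is the same.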
Many MSPs are now pairing EDR with threat-hunting services such as Huntress or Infocyte to look for IOCs (indicators of compromise) that are either already in place or that manage to get past your EDR defenses. Combining these services with a SOC (security operations center) that monitors your endpoints and responds 24x7 brings us to MDR (managed detection and response). MDR can identify compromises in progress and lock down endpoints for instant remediation, limiting lateral movement across networks or over VPN connections.
Meet the new endpoints
I know that considering Microsoft 365 (M365) an endpoint may sound like a stretch. But just like traditional endpoints, M365 is susceptible to compromise, hijack, and data loss, which sounds a lot like an endpoint, right? As I see it, that means we must provide sophisticated protection for those M365 endpoints too: traditional antispam filtering, dedicated protection against phishing and impersonation, and SOC services that monitor logs for IOCs such as “impossible” logins, rule creation, and more. And we cannot forget comprehensive backup.
Mail filtering & antiphishing
Two years ago, I was convinced that mail filtering alone was sufficient to stop both “traditional” spam and just about any phishing attempt. And then I came a few keystrokes away from falling for a particularly well-crafted spear-phishing attempt that employed impersonation and some data that had most likely been culled from a colleague’s social media posting(s). I realized that dedicated anti-phishing was the only answer. We now cover every mailbox with dedicated anti-phishing products. Names such as Avanan, GreatHorn, and others are big here.
M365 SOC services
The next step is to attach active monitoring and alerting, and ultimately MDR, to your M365 endpoints. These SOC services watch for things like logins to the same mailbox from geographically distant locations within a short timeframe, the creation of new global admins, or inbox rules that copy messages to outside email addresses, trigger message deletions, or clear logs. With so much cybercrime now directed at the O365 cloud, having a live set of eyes on your M365 tenants is every bit as critical as it is on your traditional endpoints.
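The IOCs listed here and in the “Meet the new endpoints” section above (“impossible” logins, rule creation, new global admins) can be expressed as simple checks over audit data. The following is an added example, not any SOC vendor’s detection logic: it runs an impossible-travel check over constructed sign-in records and flags constructed inbox-rule and role-assignment records. The record layouts are simplified from Microsoft 365 unified audit log entries, and the tenant domain, user names, locations and the 900 km/h speed threshold are assumptions made for the example.

```python
"""Three of the M365 tenant checks described above, over constructed audit records.

Added example, not a vendor's code. Record shapes are simplified from Microsoft 365
unified audit log entries; the tenant domain, users, locations and thresholds are
constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import List, Tuple

TENANT_DOMAIN = "example.com"  # assumption: the tenant's own mail domain
MAX_PLAUSIBLE_KMH = 900.0      # assumption: faster than an airliner means "impossible travel"


@dataclass
class SignIn:
    user: str
    when: datetime
    city: str
    lat: float
    lon: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two latitude/longitude points."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(signins: List[SignIn], max_kmh: float = MAX_PLAUSIBLE_KMH) -> List[Tuple[str, str, str, float]]:
    """Flag consecutive sign-ins by one user whose implied travel speed no person could achieve."""
    by_user = {}
    for s in sorted(signins, key=lambda s: s.when):
        by_user.setdefault(s.user, []).append(s)
    alerts = []
    for user, events in by_user.items():
        for prev, cur in zip(events, events[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.when - prev.when).total_seconds() / 3600
            # two places at the same instant is infinite speed; same place is zero
            speed = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if speed > max_kmh:
                alerts.append((user, prev.city, cur.city, speed))
    return alerts


def suspicious_inbox_rules(records: List[dict], tenant_domain: str = TENANT_DOMAIN) -> List[Tuple[str, str, List[str]]]:
    """Flag New-InboxRule / Set-InboxRule records that send mail outside the tenant or silently delete it."""
    findings = []
    for rec in records:
        if rec["Operation"] not in ("New-InboxRule", "Set-InboxRule"):
            continue
        params = {p["Name"]: str(p["Value"]) for p in rec["Parameters"]}
        reasons = []
        for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
            target = params.get(key, "")
            if target and not target.lower().endswith("@" + tenant_domain):
                reasons.append(f"{key}={target}")
        if params.get("DeleteMessage", "").lower() == "true":
            reasons.append("DeleteMessage")
        if reasons:
            findings.append((rec["UserId"], params.get("Name", ""), reasons))
    return findings


def new_global_admins(records: List[dict]) -> List[Tuple[str, str]]:
    """Flag role-assignment records that grant Global Administrator (simplified record shape)."""
    return [(rec["UserId"], rec["Target"]) for rec in records
            if rec["Operation"] == "Add member to role." and rec.get("Role") == "Global Administrator"]


# Constructed sign-ins: Alice appears in Chicago and Lagos 45 minutes apart; Bob commutes.
SIGNINS = [
    SignIn("alice@example.com", datetime(2021, 1, 12, 9, 0), "Chicago", 41.88, -87.63),
    SignIn("alice@example.com", datetime(2021, 1, 12, 9, 45), "Lagos", 6.52, 3.38),
    SignIn("bob@example.com", datetime(2021, 1, 12, 8, 0), "Chicago", 41.88, -87.63),
    SignIn("bob@example.com", datetime(2021, 1, 12, 17, 30), "Milwaukee", 43.04, -87.91),
]

# Constructed audit records (simplified): one exfiltration-style rule, two benign rules,
# and one Global Administrator assignment.
AUDIT = [
    {"UserId": "alice@example.com", "Operation": "New-InboxRule",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "collector@external.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"UserId": "bob@example.com", "Operation": "New-InboxRule",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Reading"}]},
    {"UserId": "carol@example.com", "Operation": "New-InboxRule",
     "Parameters": [{"Name": "Name", "Value": "To helpdesk"},
                    {"Name": "ForwardTo", "Value": "helpdesk@example.com"}]},
    {"UserId": "admin@example.com", "Operation": "Add member to role.",
     "Role": "Global Administrator", "Target": "alice@example.com"},
]

if __name__ == "__main__":
    print("impossible travel:", impossible_travel(SIGNINS))
    print("suspicious rules: ", suspicious_inbox_rules(AUDIT))
    print("new global admins:", new_global_admins(AUDIT))
```

Seen together, the three findings tell one story: a mailbox signed into from two continents within the hour, a rule named “.” that forwards and deletes, and the same account then being made a global admin. A SOC service is valuable precisely because it correlates such events across the tenant and acts on them, rather than leaving each one as an isolated log line.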
With so much malign activity now focused on the M365 tenant, comprehensive backup has become critical. That means frequent, automated backup of OneDrive, Outlook, and SharePoint, with truly granular restore. While nothing beats preventing a compromise, the harsh reality is that most of us will eventually face one, and great backup is our safety net. Of course, the destructive power of the end user should never be underestimated either. There are now more players in this market than ever, so you should be spoiled for options.
Tying it together
We have been protecting traditional endpoints for at least two decades now. We have always focused on patching and endpoint protection (antivirus), but that has now evolved into more advanced technologies such as EDR/MDR options. We have added DNS filtering to our endpoints, protected them with encryption, and tied SOC services to them. But the biggest change has been addressing M365 as the new endpoint. From mail filtering to anti-phishing, SOC services to comprehensive backup, M365 has become the new target of choice and thus, our newest challenge.