How Endpoint Modeling Helps Strengthen Network Security in Real-Time


Finding threats in your network depends upon your ability to detect sensitive changes to network activity on all of your network endpoints. RTInsights contributor Bryan Doerr explains why it’s time to consider using endpoint modeling, a non-conventional security approach that offers new levels of real-time, threat-detection capabilities.

Death, taxes and network attacks? Unfortunately, we have reached the point where hacks, data breaches and other security attacks have become inevitable. For proof, you only have to turn your attention to the news, where high-profile examples seem to pop up on a weekly basis (if not more frequently). Attacks have become so common that there is now an inside joke among security professionals: “When it comes to security breaches, there are only two categories: Those who know they’ve been hacked and those who don’t know it—yet.”

With each new story, IT staff, security professionals and C-level executives still seem surprised that adversaries continue to get the upper hand. Many cling to the mindset of “a breach won’t happen here,” thinking that they have the right people, technology and overall approach to thwart attacks on their network. It is true that many organizations have a complete security stack—a combination of methods and tools such as encryption, antivirus, log-based audits and malware removal software. Yet, since none of these provide a “silver bullet” capable of defeating all threats, it is time for a different approach.

To paraphrase a song title from the 1970s band, The Who, “don’t get fooled again” when it comes to thinking attacks will not continue to occur and that they cannot happen to you. Today, endpoint-modeling technology offers a profoundly different—and extremely effective—way to improve network security.

What is Endpoint Modeling?

Finding threats in your network before damage is done depends upon your ability to detect sensitive changes to network activity on all of your network endpoints. Keep in mind that before any theft or malicious actions occur, a compromised endpoint device will begin to behave differently. Endpoint modeling monitors each device in your environment and tracks its behavior.

For example, it models how each device uses the network, how each device connects and to whom each device connects. The model that emerges from these processes is similar to the one your credit card company uses to protect your account. It enables an automated system to “ask” if a specific, current network activity (or transaction in the case of a credit card) is consistent with behavior that is predicted by the model. Whenever a device starts exhibiting abnormal behaviors, endpoint modeling lets you see them so you can take the most effective and efficient action before it is too late.

By providing increased insight into all of your devices, endpoint modeling provides a number of significant benefits that simply are not available using conventional security methods. First, endpoint-modeling technology detects risky or suspicious traffic by sending a real-time alert as soon as a device starts acting abnormally. This technology also delivers a sustainable advantage because adversaries do not have the unobstructed understanding of your network and its devices that would be necessary to hide the evidence of their activities. Endpoint modeling continues to learn what is typical in your environment and builds more intelligence (in the form of model fidelity) over time.

Overcoming Challenges Inherent in Data Encryption

Additionally, endpoint modeling enhances existing security methods, unlike outdated threat-detection methods that depend upon attempting to know something about every single threat.

Consider the example of data encryption. Clearly, encryption is on the rise—to the point where encrypted data today could be as much as 25 to 35 percent of total network traffic. Yet, as companies move toward increasing the use of encryption to protect the privacy of network communications, the effectiveness of many network security tools decreases. The consequences may be a deterrent to the use of encryption.

It may seem counterintuitive but it is true. Many traditional security solutions depend on the ability to “look inside” network conversations to determine if malware is present. Unfortunately, encryption makes this impossible. This general approach to network security is called Deep Packet Inspection (DPI) and it is an important part of many Intrusion Prevention System (IPS) or Intrusion Detection System (IDS) solutions, next-generation firewalls and other payload-analysis tools. Using DPI, security tools scan network packets for recognizable threat information.

Yet, encrypted data is invisible to conventional security tools; encrypted data is able to pass through them without the appropriate level of scrutiny and analysis. Today, some companies are already facing challenges related to DPI-based tools. Many other companies will need to anticipate the day when all network communications become encrypted. When they do, all tools that attempt any form of network-based DPI will be rendered useless.
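The behavioral model described in the “What is Endpoint Modeling?” section (how each device uses the network, which peers and ports it talks to, how much it sends) and the point just made about encryption can be shown together in a small example. The code below is an added illustration, not part of the original article and not Observable Networks’ product; the device names, peers, flow records and the three-sigma volume threshold are all constructed. Note that the model consumes only flow metadata (endpoint, peer, port, byte count), never payload, so it behaves identically whether the traffic is encrypted or not.

```python
"""Toy endpoint model: learn per-device network behaviour from flow
metadata, then flag flows that deviate from it. Added example; the flow
records, device names, peers and thresholds below are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    """One connection summary. Only metadata is used, never payload,
    so the model works the same on encrypted and plaintext traffic."""
    device: str      # the monitored endpoint
    peer: str        # host it talked to
    port: int        # destination port
    bytes_out: int   # bytes the endpoint sent


@dataclass
class DeviceModel:
    """What 'normal' looks like for one endpoint."""
    peers: set = field(default_factory=set)
    ports: set = field(default_factory=set)
    volumes: list = field(default_factory=list)

    def learn(self, flow: Flow) -> None:
        self.peers.add(flow.peer)
        self.ports.add(flow.port)
        self.volumes.append(flow.bytes_out)

    def volume_threshold(self) -> float:
        """Mean plus three standard deviations of observed bytes_out.
        A floor of 1 byte on sigma keeps a constant baseline from
        producing a zero-width band."""
        return mean(self.volumes) + 3 * max(pstdev(self.volumes), 1.0)

    def score(self, flow: Flow) -> list:
        """Return human-readable deviations; an empty list means the
        flow is consistent with the model."""
        findings = []
        if flow.peer not in self.peers:
            findings.append(f"new peer {flow.peer}")
        if flow.port not in self.ports:
            findings.append(f"new port {flow.port}")
        threshold = self.volume_threshold()
        if flow.bytes_out > threshold:
            findings.append(
                f"volume {flow.bytes_out} B exceeds baseline threshold {threshold:.0f} B")
        return findings


@dataclass
class Alert:
    flow: Flow
    findings: list


class EndpointModeler:
    """Holds one DeviceModel per endpoint seen during the learning period."""

    def __init__(self) -> None:
        self.models: dict = defaultdict(DeviceModel)

    def learn(self, flows) -> None:
        for flow in flows:
            self.models[flow.device].learn(flow)

    def evaluate(self, flows) -> list:
        alerts = []
        for flow in flows:
            if flow.device not in self.models:
                # A device with no baseline is itself worth a look (e.g. BYOD/IoT)
                findings = [f"no baseline for device {flow.device}"]
            else:
                findings = self.models[flow.device].score(flow)
            if findings:
                alerts.append(Alert(flow, findings))
        return alerts


# Constructed learning-period flows: a printer that only talks to the print
# server and a laptop that uses mail and a file share.
BASELINE_FLOWS = [
    Flow("printer-01", "print-server", 9100, 2000),
    Flow("printer-01", "print-server", 9100, 2500),
    Flow("printer-01", "print-server", 9100, 3000),
    Flow("printer-01", "print-server", 9100, 2200),
    Flow("printer-01", "print-server", 9100, 2800),
    Flow("laptop-07", "mail.corp", 443, 50_000),
    Flow("laptop-07", "files.corp", 445, 80_000),
    Flow("laptop-07", "mail.corp", 443, 120_000),
    Flow("laptop-07", "files.corp", 445, 60_000),
    Flow("laptop-07", "mail.corp", 443, 90_000),
    Flow("laptop-07", "files.corp", 445, 70_000),
]

# Constructed flows to assess: two ordinary ones, a printer suddenly sending
# 4 MB to an unknown host on 443, a laptop pushing 2 MB to the share, and a
# device with no baseline at all.
NEW_FLOWS = [
    Flow("printer-01", "print-server", 9100, 2500),
    Flow("laptop-07", "mail.corp", 443, 80_000),
    Flow("printer-01", "203.0.113.9", 443, 4_000_000),
    Flow("laptop-07", "files.corp", 445, 2_000_000),
    Flow("camera-12", "198.51.100.4", 1883, 600),
]


def build_baseline() -> EndpointModeler:
    modeler = EndpointModeler()
    modeler.learn(BASELINE_FLOWS)
    return modeler


if __name__ == "__main__":
    for alert in build_baseline().evaluate(NEW_FLOWS):
        f = alert.flow
        print(f"{f.device} -> {f.peer}:{f.port}: " + "; ".join(alert.findings))
```

Run as a script, it reports the printer’s connection to an unfamiliar host on a new port with an out-of-band volume, the laptop’s oversized transfer to an otherwise normal peer, and the camera that was never baselined; the two ordinary flows produce no alert. A production system would add time-of-day and rate features and decay old observations, but the shape is the same: learn per-endpoint normal, then ask whether each new activity is consistent with it.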

Additional IT Security Shifts

There are other trends and IT security shifts that also contribute to the need for endpoint modeling:

1. Device proliferation and Bring Your Own Device (BYOD): Today, the Internet of Things (IoT) and the Industrial Internet of Things (IIoT) trends are leading to a world in which almost every device and piece of technology connects to the network. In addition, the explosive growth in unmanaged devices due to the BYOD trend creates additional blind spots in a company’s overall security posture.

2. Increasingly complex networks: Networks are much more sophisticated these days, offering partner and mobile connectivity while relying on third-party hosting and software-as-a-service (SaaS) services. All of these things contribute to much more porous perimeters and additional risks.

3. Insider threats: Many of today’s breaches come from inside the company by way of attackers gaining inside access, so companies simply must watch everything—including employees and contractors.

4. Too many vectors: In today’s world, it is impossible to know all of your network’s threats and vulnerabilities. There are no bounds to the ways in which a company can be attacked or compromised—including due to device diversity challenges, operating system (OS) and application vulnerabilities, accessibility issues, and partner connectivity problems.

Endpoint modeling can address the challenges posed by all of these trends. It does so by providing visibility into network activity and minute-by-minute endpoint behavior assessments, and by letting security professionals know what is expected from each individual endpoint. This insight gives security professionals the best chance to spot the activities of a potential attack since (in most cases) an adversary’s actions will create recognizable changes to the overall security picture.

Increased Visibility Leads to Increased Security

When it comes to defending your network, do not be lulled into a false sense of security. While traditional security approaches are all important, many new and emerging trends may leave you more vulnerable than you think. All of this means it’s time to consider a new, non-conventional security approach that offers new levels of threat-detection capabilities, smarter and more efficient security actions, and improved operational durability. Endpoint modeling is that solution.



About Bryan Doerr

Bryan Doerr has served as Observable Networks’ CEO since 2013. Bryan has over 25 years of industry experience in corporate research, product design, IT management and executive management. Prior to Observable, Bryan was CTO at Savvis (now CenturyLink) where he led technology research and development, and inspired the company's go-to-market strategy. Before joining Savvis, Bryan held a variety of software and hardware development and management positions at Bridge Information Systems, The Boeing Company, and the Applied Physics Laboratory at Johns Hopkins University. Bryan holds a BS in Electrical Engineering from the University of Missouri, a MS in Electrical Engineering from Johns Hopkins University in Baltimore, and a MS in Information Management from Washington University in St. Louis. Bryan is currently an adjunct professor at the Washington University Sever Institute of Technology and an advisory board member of the St. Louis Information Technology Entrepreneur Network (ITEN). Follow Observable Networks on Twitter @ObservableNet.
