Written by Uwe Sievers
The starting point for major data thefts is often a laptop or PC, because that’s where users can be attacked directly. Any wrong click can have devastating consequences. Manufacturers of endpoint protection software are countering new attack vectors with new technologies like the cloud and artificial intelligence.
For attackers, the PC or laptop is still the main gateway into the company. This is where users sit, tempted by cyber criminals to click on a malicious link or open compromised Office documents. That's why these devices are at the forefront of IT security measures.
According to an IDG study (German), the security of end devices is the biggest IT security task for 38 percent of those surveyed in management or the board of directors. Endpoint protection therefore represents a significant cost factor: Up to one third of the security budget is spent on security. The total volume of this software segment is correspondingly large: The global market totalled just under 14 billion US dollars in 2020 and is expected to grow to over 22 billion by 2026, according to forecasts.
The cost drivers are new attack vectors that software providers can only counter with adapted technologies. Due to the staggering increase in the number of malware variants, which are created individually for specific attack targets at short notice, the traditional signature-based malware detection no longer works (read more). To be able to react faster and more flexibly, manufacturers of endpoint protection products are relying on cloud technologies and artificial intelligence (AI). Using machine learning, the software adapts to new types of threats. Instead of byte sequences, it looks for suspicious behaviour patterns, i.e., conspicuous actions on computers. This could be a user who was just logged in at the company's domestic location but suddenly accesses company data from China or other faraway regions. Or even users accessing data they’ve never used before. To detect these kinds of anomalies, endpoint products work in a networked structure and exchange information with cloud servers. This enables the AI that’s deployed centrally to identify comparable anomalies from different companies occurring at the same time and establish correlations.
In addition, almost all major providers of protection software operate their own security operation centers (SOC) to perform analyses. The software installed on company endpoints also serves as a sensor. The global network of these sensors can detect correlations with individual anomalies and detect attacks early on. This leads to warnings or updates for all customers. As a rule, smaller competitors can’t offer this advantage to large providers.
But AI solutions aren’t always the better choice: The systems need time to learn and require appropriate learning material. Criminals have long since adapted to this and try, for example, to irritate learning algorithms by flooding them with false information. If attackers succeed in penetrating the company, the first thing they often try to do is shut down the AI.
Often overlooked in the planning of protective measures is the fact that PCs aren’t the only end devices. Laptops, tablets, smartphones, and IoT devices are also considered endpoints that need of protection. If they form a weak point in the protection concept, they easily become the starting point from where attackers hijack the network.
