Thinking about Security Culture with EDR and SASE

September 23, 2022

The year 2021-22  saw a sudden surge in remote working. It was also marred by increased intensity, complexity and frequency of security attacks through unsuspecting endpoints. Considering the acceptance of WFH and cloud-based services, data security at all levels has become more critical than ever.

Today, let’s learn a little about protecting and managing the risk at the endpoints of enterprise computing infrastructure. 

Back in the day, endpoint security was simply considered taken care of when one installed an Anti Virus. However, today endpoint security has evolved, starting with defining an EDR (Endpoint Detection and Response) strategy. An EDR strategy would entail detecting and responding directly to human-operated ransomware and file-less malware.

EDR focuses on threats that are capable of breaching the first line of defense - perimeter security. EDR comprises of threat detection, containment, investigation and elimination. It involves efforts by a lot of experts using multiple security diagnostics and breach prevention techniques and tools.

Threat detection is the cornerstone of EDR strategy. Stealthy and morphing malware capable of breaching a perimeter defense must be detected early enough. Clearly, detection of such types of malware needs the detection engine to be super intelligent and self learning.

The next step after detection of a breach is containing the threat. Segmentation helps arrest lateral spread of the malware across the network. EDR can help in network-isolation of an intruding malware and thereby control the damage that it can inflict.

The 3rd step is to investigate the cause of the breach. If a malicious file has been able to penetrate through your perimeter defense, it clearly means that it is vulnerable. It is also possible that your threat detection engine has never been challenged with this kind of malware, and has therefore not been able to understand its signatures.

This investigation and knowledge gathering is best done using sandboxing. Sandboxing in EDR is isolating a file in a controlled simulated environment and testing its properties and behavior. This helps the EDR to learn critical attributes and disallow further breaches from similar attacks.

The final component of EDR is its elimination capability. Further to detection, isolation and testing, the EDR needs to eliminate the threat. Also, further to elimination, it should also provide for remediation. For this to happen, the EDR needs complete visibility into the lifecycle of the malware since the breach.

The next step of EDR is the evolution of a more integrated approach to cybersecurity - Secure Access Service Edge (SASE).

The SASE approach takes security to the next level. The endpoints that were earlier within a corporate network are now located in the extended network connected through shared cloud services. The scope of security policies is therefore shifted further away from the network and is now applied where the end point is located.

Irrespective of the network connectivity or the location of the endpoint, the security policies are applied and enforced consistently. There is no difference in the security protection to remote endpoints and the endpoints within the enterprise LAN.

SASE architecture essentially integrates VPN, SD WAN and cloud native security functions. By virtue of such a combination, security functions can now be delivered from the cloud and be provided as a service.

SD-WAN provides some of the building blocks of desired cloud architecture. Cloud security functions such as secure web gateways, cloud access security brokers, firewalls all defend against the threats lurking in the cyberspace.

Finally the Zero Trust network access establishes and verifies the correct credentials of the end point before allowing it to connect to the applications.

EDR and SASE are holistic security architectures for ensuring cybersecurity. Both cover multiple forms of security protection, centralized management, incident response processes, user awareness, etc. 

All said and done, security products and technology are one thing, and security culture is another. Organizations need a security culture rather than products. Establishing EDR and SASE architectures are enablers for creating such a security culture.

So if you are in the midst of your cloud transformation journey or embarking  on one, our security practice team can help you enable such a security culture.

Let’s build something amazing together