The recent increase in remote workers has shifted considerable attention on endpoint resilience, especially as vulnerable endpoint devices continue to be added to enterprise networks. And these ongoing work-from-home conditions will be around for the foreseeable future, with some organizations expecting this to become a permanent strategy.

In the first half of 2020, the FortiGuard Labs team observed an increase in malicious activity targeting end users, browsers, email systems and home networks. As might be expected, ransomware was high on the list of these attacks. And, according to the most recent Global Threat Landscape Report from FortiGuard Labs, no industry was spared from this ransomware activity, with the most heavily targeted sectors including telcos, MSSPs, schools, governments and technology organizations.

The rise in ransomware, including hybrid attacks and the growing availability of RaaS (ransomware as a service), suggests that things are likely to worsen before they improve. Remote workers and their home networks represent a new and fertile attack surface that cyber criminals are highly motivated to exploit. And as more devices get added to the network, IT teams will continue to struggle with increased complexity and a lack of visibility and control, all of which can weaken their organizations’ endpoint security posture.

For this reason, IT and security teams must prioritize endpoint security to protect their growing remote workforce and related digital transformation efforts from attackers. And, because this is an area overwhelmed IT teams are struggling to address, it is something for which partners are in a prime position to help.

Ransomware and the Endpoint

During the first six months of the year, FortiGuard Labs saw a widening range of malicious activity involving the use of COVID-19-related attacks, including phishing and business email compromise schemes, along with nation-state backed campaigns and ransomware attacks. Ransomware activity targeted at enterprise organizations, in particular, was particularly severe.

Attackers continue to attempt to leverage endpoints, or devices that remote users employ to connect to the network, to try and gain entrance to enterprise resources. Once they have gained access to a device, they use it as a launching pad into the network, where they not only lock organizational data but steal it, as well, posting it to public servers and then threatening a widescale data breach release as further leverage to extort ransom payments from their targets. One example of this is the use of Cobalt Strike, a penetration tool that cyber criminals have exploited and made available on the black market. By leveraging this tool, malicious threat actors can deploy payloads in the form of ransomware or a keylogger within the compromised network, ultimately resulting in data theft.

Ransomware hidden in COVID-19-themed messages, attachments, and documents, specifically, was a widely noted threat during the first six months of 2020. The FortiGuard Labs team tracked three specific samples during that time: NetWalker, Ransomware-GVZ and CoViper. The last of the three, CoViper, was especially malicious, as it was used to rewrite the targeted systems’ master boot record (MBR) before encrypting data. Ransomware combined with an MBR wiper can completely paralyze target computers, making these attacks much more severe.

Because of the pernicious nature of ransomware attacks, especially in light of the rapid transition to a teleworker business strategy, organizations need to make endpoint resilience a top priority during the coming six months and beyond as they work to secure their increasingly distributed organizations.

The Challenge: Endpoint Devices Are Treated Separately from The Network

One of the biggest challenges with endpoint resilience is that it is often isolated from the rest of the network security framework. Because of this, visibility and control over network security only begin at the point at which an endpoint device joins the network. This is not ideal, especially with a remote workforce and highly mobile end users.

Research shows that 63% of organizations are unable to monitor endpoint devices when they leave the enterprise network. An additional 56% of surveyed IT professionals admit that they are unable to verify compliance for endpoint devices. And an alarming 70% state that they have a “below average” ability to minimize losses related to endpoint failure.

This challenge is compounded by the fact that today’s networks span multiple ecosystems, including multi-cloud infrastructures and numerous cloud-based services, including shadow IT. Applications and workflows now often span multiple ecosystems to accomplish their tasks. At the same time, a growing number of endpoints are connecting to resources distributed across the network, making the point at which each device connects to the network–whether to the WAN edge, LAN edge, data center edge or cloud edge–increasingly difficult to ascertain and defend. In addition, many of these devices combine personal and professional profiles and information, heightening the chances of exploitation. With this in mind, enterprises looking to protect data against ransomware threats can no longer keep endpoint devices separate from the rest of the network.

Helping Customers Address Their Endpoint Security Challenges

To address this increasingly complex and expanding challenge, organizations must employ an effective endpoint security strategy. This strategy should tie endpoint devices–including end user, host and IoT–into the broader corporate network security framework.

Partners and MSSPs now have a unique opportunity to help their enterprise customers meet this challenge. Service providers must work to provide an effective and comprehensive endpoint security solution that enables full, 24×7 visibility, compliance and control, as well as the ability to integrate their endpoint devices and security solutions into the broader security framework. This way, organizations can share advanced threat intelligence across the network and develop a more extensive, automated threat response that includes stopping threats at the endpoint device before they can access the network.

Before the widespread shift to remote work, IT teams that came across compromised systems preferred to address the issue by rebuilding, but this is no longer realistic. So, in addition to choosing a solution that helps with visibility, preemptive control, threat detection and threat response, organizations require one that features remote remediation capabilities to reverse the effects of malicious changes.

Two tools, in particular, will be helpful in achieving this task: endpoint detection and response (EDR) and network access control (NAC) solutions.

When planning to leverage these tools, partners have an additional opportunity to help their customers through the integration process to automate responses beyond the endpoint. This will then enable them to segment rogue, vulnerable or suspicious devices from others, or even place compromised endpoints in remediation VLANs.

Final Thoughts

EDR and NAC are two of the best ways to address the daunting challenge of endpoint resilience. In addition to protecting individual devices, they can be seamlessly integrated into the organization’s larger security fabric. For partners and MSSPs, it is important to provide customers with endpoint solutions that are appropriate for their specific networks, and that increasingly includes enabling complete end-to-end security across the entire network. To start, service providers must take care to deploy integrated, comprehensive network and endpoint security solutions designed to protect enterprise organizations from ransomware and similar threats without compromising business objectives or user experience.

Stephan Tallent is Senior Director MSSP & Service Enablement, Fortinet.

This guest blog is part of a Channel Futures sponsorship.