Endpoint security used to only cover laptops and computers, but as more devices connect to the internet, managing everything at once becomes a Herculean task. This predicament does not only cover smartphones and tablets— typical gadgets that are used for work, but also sensors, wearables, and medical devices— which directly affect human life.

As gadgets become smaller and smaller, and users of these connected devices continuously grow in number, it is clear the technology will only grow more sophisticated over time. The question then is how do enterprises maintain their network protected against cyberthreats from an endpoint perspective?

To unlock some answers, Jicara Media organised a panel entitled “Securing Endpoints: Mobile Devices, Wearables, Sensors, and Medical Devices,” as part of the latest IT Security Frontiers online conference.

For Tushar Vagal, Chief Information Officer of Larsen & Toubro Realty, all endpoints must be secured, no matter the methodology, or else risk a data breach.

“For us, the endpoints are in multiple layers. For example, we have chiller plants, (where) we have software/hardware, a BMS room, a data centre, (and) cloud-based mobile apps. This four-tier architecture has multiple endpoints, and we have to secure all of them. Today we use very crude methods, like what we do is the edge device in the data centre is not giving up public IP; it’s only got private IP— so there is no way it can be hacked. Now there are also other endpoints, like the point of users working from home. Those endpoints are also important,” Vagal shared.

As increasingly more employees work remotely, a more systematised approach to securing endpoints must be implemented, noted Rubaiyyaat Aakbar, Head of IT & Cybersecurity at patient intelligence platform DocDoc.

“We go for (a) more risk-based approach. We are to understand which staff has more access to privileged information and who does not, based on their profile data security, because if we apply (a one-size-fits-all approach), there’ll be a problem also. We cannot offer a VPN, or (the) same security for all because (in) some of the areas, the internet may not be that good, and the service or the activity they do may be hampered. So we identify which user needs more protection, and who has more access to privileged data,” he said.

Meanwhile, Daniel Toh, Senior Director of Solution Architecture, Asia-Pacific & Japan at Armis, identified two main gaps among enterprises when it comes to endpoint security: extended attack surface, and unmanaged endpoints that are not owned by the company.

“Just think about the case of any sensors, medical devices, or something as simple as BYOD. If I connect back to my home network, that effectively extends the traditional attack surface. Multiply this by the number of remote employees, (and) by the number of remote warehouses and whatnot. That’s the entire extended attack surface. Today, most of us are assessing our crown jewels right in the enterprise via secure channels, like VPN (and) SASE— we do have visibility on that. But what we don’t have, is that if I come in from a remote location, what about all the other devices looking at my neighbour’s place? Next door? My home devices? That is the biggest question mark,” Toh explained.

Evolving challenges

Although enterprises do what they can to secure their endpoints, the security threats are also evolving on all fronts.

For Aakbar, the hardships are fought more on the software side of things.

“The challenge we face is that we are heavily cloud-based. These are not really real physical devices. A lot of devices are spun off on the fly due to auto scaling resiliency. Another reason is that most of our workforce are hybrid, so they work remotely permanently from various countries. Some have to work from home due to pandemic restrictions in certain countries we operate, (hence) we have to assume that when they’re outside our network, we have no control. What we try to do is profile the user rather than focusing on the physical device,” Akbar said.

“For end users, we have to be more flexible, because sometimes we don’t even know (that) they might be travelling from various areas. So we use profile data to ensure that they are actually our real users. If they are not, we may raise flags instead of blocking them because we don’t want to stop (operations). But for the service, obviously, we can block them. We don’t want any servers having public IP, unless they are our web servers or part of the public-facing asset group. Everything else should have a private IP,” he added.

Since IoT devices require exposure to the internet, enterprises are constantly seeking solutions on how to securely share and access data without compromising their IT infrastructure, Vagal pointed out.

“If I have a building with 5,000 people, it will have at least 300 cameras. These cameras have to be intelligent. (For) example, (if) somebody at 11 o’clock is down on the floor in the parking lot, that means he’s having a medical problem. I need to expose this camera to the internet. I can’t have everything only on-premises now, because I will do ML. How much ML software can I have within the data centre? I need to expose, I need to have that (data) now. How do I do this? I can go with a traditional network, SDA, or a parallel network. Back in the olden days, I used reverse proxies. I always have a reverse proxy server whenever I have to put up a good server to the internet. But that age is gone now. So we are looking for solutions, which can help us do that,” he said.

For connected medical devices, the stakes are even higher, because unwanted intrusion can result in bodily harm, and even death.

“Based on my experience, I think the device comes with very limited firmware or software support. So I think (the) key focus should be to secure the medical device, to design it securely, because many of (these) devices did not actually even consider (the possibility of being hacked). So they just come up with, ‘Okay, disconnect to Wi-Fi’ and let it be done,” Akbar said.

“When we talk about monitoring medical devices, we want to have good enough visibility, meaning if I do not have good medical domain knowledge, I still want to be able to know in layman’s terms, what is the risk, looking at what is considered normal or abnormal for a medical device. From there, I want to rethink my network segmentation strategy,” Toh added.

Taking back control

Although attempting to manage all IoT devices at this point seems like an exercise in futility, there is a way forward in harmonising all data pertaining to them, regardless of brand, make, or function, Toh said.

“Imagine if we could have this huge data model or huge database in a world where we have so much data, that we can build a data model for every type of IoT device, every type of digital asset. Then we apply this model uniformly across the different industry enterprises. The outcome is that we can accelerate the entire process of identifying the device, the associated risk, (and) the non-behavior versus the anomaly. In that case, we might be able to find the so-called best fit solution for all the complex device management problems we spoke about,” he explained.

For Aakbar, enterprises should focus more resources on improving the security around hardware.

“Security is continuously changing. More and more people will have wearable gadgets, and those people connect to the internet. You just can’t protect every wearable device, every IoT (device), which is going to do public access. I think we have to go back to the basics of securing the hardware. We have to go back to the hardware and make the piece harder (to crack) because people have access to the actual hardware,” Aakbar said.

According to him, another important aspect of IoT devices which merits urgent concern is data privacy.

“These devices (are) collecting a lot of data, and the communication between (the) device to (the) server and other things are not always that secure. So anyone who can access that data, even without hacking the device, they’re going to use this for a lot of purposes. These privacy concerns should also be taken at ‘How much should we give access to those devices?,’ and ‘How should we secure them?’ I think that’s a difficult decision on how to balance digital lifestyle with security and privacy,” he added.

“I think there’s a big transition here for us from moving from traditional, like antivirus firewalls, which are mostly like ruler pattern-based. Now we’re trying to understand behaviour. So it is kind of new, everyone’s learning through AI and machine learning. Once we know more about the behavioural signature, we (will be able to) establish some patterns. At some point, we’ll be (better) at maintaining these SASE service providers, and better security, but until then, we will have some pros and cons. It cannot be just one solution for all— you have to make a mixture of SASE, your old security signatures, and traditional on premise security as well,” Aakbar concluded.