Because so many cybersecurity breaches start with users and their devices, anything that improves endpoint management will bolster an agency’s cybersecurity protections.
That’s the idea behind the emerging technology of autonomous endpoint management.
Sam Kinch, director of technical account management at Tanium, likens autonomous endpoint management to self-driving vehicles programmed to deal with whatever they encounter in traveling from Point A to Point B.
“We want to get to that point in the same way with endpoint management, whether it’s patching or compliance, or even threat response,” Kinch said during Federal News Network’s Industry Exchange Cyber 2024.
The goal? “To take that whole enterprise and automate it to the point where I can have fewer people” managing endpoints, Kinch said. That makes more of the cyber team available for “more prioritized business processes, rather than the mundane, day-in and day-out tasks,” he added.
This level of automation can detect when an endpoint goes offline errantly, prompting submission of a trouble ticket — sometimes even before a user is aware of a problem. In a larger sense, Kinch said, a high level of automation can rein in what Tanium’s chief technology officer refers to as the “suburban sprawl” of cybersecurity operations.
That sprawl stems from “a massive shift in the amount of data that’s been absorbed by businesses as part of their daily business practices,” Kinch said. There’s also a wider variety of data, all of which adds complexity. Deployment of hyperconverged workloads in commercial computing clouds adds to the levels of data and complexity too, he said. Still another factor: the large numbers of people permanently teleworking at least some of the time. Kinch pointed to several independent studies that indicate “70% of successful breaches source from the endpoint.”
“What we have are businesses that have really grown up very fast and haven’t brought their IT infrastructures along with them,” he said. “That’s where automation really shines. You bring in automation to reduce the complexity — reducing those mundane tasks.”
Gathering the right data for endpoint cyber management
As machine learning and artificial intelligence increasingly power automation, Kinch said it’s important to understand and control the data feeding the algorithms. He again used the analogy of an autonomous car. Suppose the car reaches a stop sign at which it stopped yesterday and then proceeded to go straight. If on a subsequent day construction blocked the road straight ahead, the car must have relevant data to find a different course.
“The most important thing that makes that AI effective is the real-time nature of data, having data that is not days or weeks old,” Kinch said.
The same thinking applies to automating the patching of endpoint software. Kinch said that many of the thousands of software components on a given device don’t automatically update themselves. AI-driven automation can take over both the patching and the validation of patches, which reduces the chances of breaking something while simultaneously speeding up the patch process.
“If I had real-time data, I would know exactly what endpoints I would have to update,” Kinch said. “I could roll it through a patch update cycle through test rings. Maybe it’s a dozen devices, and then 100 devices, and then the rest of the enterprise.”
It’s an AI use that takes the human out of the equation. “The automation, not the human, is pushing the patches out, checking to see if the patches applied successfully and monitoring the CPU to say if there are any issues going on,” he said. “Did the patch apply successfully?”
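The ring-based rollout Kinch describes, as an added example that is not Tanium's code and not from the article: a current inventory decides which endpoints actually need the patch, the pending set is split into rings of a dozen, then 100, then the rest, and each ring is validated (version actually changed, CPU not pegged) before the next ring is touched. The ring sizes, thresholds, host names and telemetry values are constructed assumptions.

```python
"""Ring-based patch rollout with automated validation.
Added example (hypothetical, not Tanium's code); all inventory and telemetry
values are constructed to illustrate the test-ring idea."""
from dataclasses import dataclass

RING_SIZES = [12, 100]   # a dozen devices, then 100, then the rest of the enterprise
CPU_THRESHOLD = 85.0     # post-patch CPU% above this counts as a problem (assumed)
MAX_FAILURE_RATE = 0.05  # halt the rollout if a ring exceeds this failure share (assumed)


@dataclass
class Endpoint:
    host: str
    installed_version: str
    install_ok: bool         # constructed: would the patch apply cleanly?
    cpu_after_patch: float   # constructed: CPU% reported after installation


def make_fleet(n, current=(), broken=()):
    """Constructed inventory: hosts in `current` already run 1.1, hosts in `broken`
    fail validation; everyone else is at 1.0 and patches cleanly."""
    fleet = []
    for i in range(n):
        host = f"host{i:03d}"
        fleet.append(Endpoint(
            host=host,
            installed_version="1.1" if host in current else "1.0",
            install_ok=host not in broken,
            cpu_after_patch=95.0 if host in broken else 20.0,
        ))
    return fleet


def build_rings(endpoints, target_version):
    """Real-time inventory decides who needs the patch; only those are ringed."""
    pending = [e for e in endpoints if e.installed_version != target_version]
    rings, start = [], 0
    for size in RING_SIZES:
        if start >= len(pending):
            break
        rings.append(pending[start:start + size])
        start += size
    if start < len(pending):
        rings.append(pending[start:])
    return rings


def apply_patch(ep, target_version):
    """Simulated install: on success the inventory version advances."""
    if ep.install_ok:
        ep.installed_version = target_version
    return ep.install_ok


def validate_ring(ring, target_version):
    """Post-install check: the version really changed and CPU is not pegged."""
    failures = [e.host for e in ring
                if e.installed_version != target_version
                or e.cpu_after_patch > CPU_THRESHOLD]
    rate = len(failures) / len(ring) if ring else 0.0
    return rate <= MAX_FAILURE_RATE, failures


def rollout(endpoints, target_version):
    """Patch ring by ring; a failed ring stops the rollout before the next ring."""
    report = {"ring_sizes": [], "patched": [], "halted_at_ring": None, "failures": []}
    for idx, ring in enumerate(build_rings(endpoints, target_version)):
        report["ring_sizes"].append(len(ring))
        for ep in ring:
            apply_patch(ep, target_version)
        ok, failures = validate_ring(ring, target_version)
        report["patched"].extend(e.host for e in ring if e.host not in failures)
        if not ok:
            report["halted_at_ring"] = idx
            report["failures"] = failures
            break
    return report


if __name__ == "__main__":
    fleet = make_fleet(160, current={"host000", "host001"}, broken={"host005", "host006"})
    print(rollout(fleet, "1.1"))
```

The point of the first small ring is that a bad patch costs a dozen devices, not the enterprise: two failures out of twelve trips the rate threshold and the 100-device and remaining rings are never touched, while a single failure inside the 100-device ring stays under the threshold and the rollout continues.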
He described another example of how automation can work in an organization with hundreds of thousands of deployed endpoints. Suppose endpoint monitoring detects a device executing Mimikatz, notorious shareware capable of extracting user passwords and credentials from system memory. Both criminal hackers and security professionals use it.
“I have artificial intelligence and automation looking at it, going, ‘Hey, Mimikatz isn’t normal. It shouldn’t have fired. Let me say with about a 95% chance that is nefarious activity,’” Kinch said.
The system would then halt the Mimikatz process, quarantine the affected device and analyze the string of events.
“Within seconds, you’ve already deduced down that you need to isolate that endpoint,” Kinch said. “And you have no human in the loop. I think that’s what we’re trying to get to.”
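The detect-and-contain loop described in the Mimikatz scenario, as an added example that is not Tanium's code and not from the article: each process-start event is scored against known credential-dumping indicators and a per-host baseline of what normally runs there, a confident hit has its process stopped and the host isolated, and the event chain that led to it is reconstructed for the analyst. The telemetry, the baseline, the score weights and the hash placeholder are all constructed assumptions; the only real identifier is the Mimikatz image name the article itself mentions.

```python
"""Automated detection and containment of credential-dumping tool execution.
Added example (hypothetical, not Tanium's code); events, baseline and score
weights are constructed."""
from dataclasses import dataclass

KNOWN_CREDENTIAL_DUMPERS = {"mimikatz.exe"}               # image name named in the article
KNOWN_BAD_HASHES = {"<sha256-placeholder-from-your-intel-feed>"}  # placeholder, not a real hash
SHELL_PARENTS = {"cmd.exe", "powershell.exe", "wscript.exe"}     # assumed "unusual parent" set
STOP_THRESHOLD = 0.50     # stop the process above this confidence (assumed)
ISOLATE_THRESHOLD = 0.90  # isolate the endpoint above this confidence (assumed)


@dataclass
class ProcEvent:
    ts: int        # seconds, constructed
    host: str
    user: str
    parent: str    # parent image name
    image: str     # image name of the new process
    sha256: str    # constructed placeholder hash


# Constructed baseline: images normally seen starting on each host.
BASELINE = {"ws-0417": {"explorer.exe", "outlook.exe", "teams.exe"}}

# Constructed telemetry: a document spawns a shell, the shell spawns the dumper.
EVENTS = [
    ProcEvent(100, "ws-0417", "jdoe", "explorer.exe", "outlook.exe", "hash-outlook"),
    ProcEvent(160, "ws-0417", "jdoe", "outlook.exe", "winword.exe", "hash-word"),
    ProcEvent(190, "ws-0417", "jdoe", "winword.exe", "cmd.exe", "hash-cmd"),
    ProcEvent(205, "ws-0417", "jdoe", "cmd.exe", "mimikatz.exe", "hash-unknown"),
]


def score(event, baseline):
    """Confidence in [0, 1] that this start is credential theft. Evidence stacks:
    a known tool name or hash, an image never seen on this host, a shell parent."""
    s = 0.0
    if event.image.lower() in KNOWN_CREDENTIAL_DUMPERS or event.sha256 in KNOWN_BAD_HASHES:
        s += 0.70
    if event.image.lower() not in baseline.get(event.host, set()):
        s += 0.15
    if event.parent.lower() in SHELL_PARENTS:
        s += 0.10
    return round(s, 2)


def lineage(event, events):
    """Walk parent links back through earlier events on the same host."""
    chain, current = [event.image], event
    for _ in range(32):  # bound the walk in case telemetry is cyclic or incomplete
        candidates = [e for e in events
                      if e.host == current.host and e.ts < current.ts
                      and e.image.lower() == current.parent.lower()]
        if not candidates:
            break
        current = max(candidates, key=lambda e: e.ts)
        chain.append(current.image)
    return chain


def respond(event, events, confidence):
    """Containment decision: stop the process, isolate if confident, keep the chain."""
    actions = [("stop_process", event.host, event.image)]
    if confidence >= ISOLATE_THRESHOLD:
        actions.append(("isolate_host", event.host))
    return {"host": event.host, "confidence": confidence,
            "actions": actions, "lineage": lineage(event, events)}


def run(events, baseline):
    """Score every event; anything over STOP_THRESHOLD produces a response record."""
    findings = []
    for ev in sorted(events, key=lambda e: e.ts):
        c = score(ev, baseline)
        if c >= STOP_THRESHOLD:
            findings.append(respond(ev, events, c))
    return findings


if __name__ == "__main__":
    for f in run(EVENTS, BASELINE):
        print(f)
```

Two thresholds keep the cheap, reversible action (stopping one process) separate from the disruptive one (isolating a user's machine); the unknown-image and shell-parent signals alone never reach either threshold, so an ordinary new application does not get a device quarantined.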