Earlier in this series, we discussed how the very definition of the network perimeter has changed during the work-from-home (WFH) era. I would make the argument that the concept of the endpoint has changed along with it as well. Most of us were securing every desktop and laptop that connects to our networks in February, but to belabor the obvious, we now have many newly inherited unmanaged endpoints, greatly raising our risk profile. And we must also deal with Office 365 mailboxes that are taking on a “”threat life”” of their own.
Every MSP worthy of the name already provides endpoint protection, often by means of next-generation products. But today the need for a more sophisticated response is even greater. Endpoint protection has actually “”trifurcated,”” if you will, and is now a three-legged stool of traditional anti-malware, threat hunting on the endpoints, and security operations center (SOC) remediation tools and services. And Office 365 mailboxes, one of the top vectors for malware and other attacks, are becoming “”email endpoints.””
Defining the Issue
During the initial mad rush to provide instantaneous WFH capabilities, we did the unthinkable: We provided the remote capabilities first and considered the security implications later. (This is a bit overstated, as Net Sciences had elected to provide that remote access by means of proxied, secure RDS through TruGrid, an inherently secure option.) But our new priority was not only to protect those new endpoints in the homes of our user base, but also to improve the protection of the target machines and mailboxes (more on that later).
As an aside, some managed services providers have a very cloud-centric user base with virtually all applications and data hosted, and perhaps even desktop or workspace as a service or virtual desktop infrastructure (VDI) as the norm. If you have the affordable, stable bandwidth in your market, and the technical expertise to pull this off, pat yourself on the virtual back. However, most of us are still supporting endpoints on premises, either through proxied RDS or across SSL VPN connections (but, of course, never over open RDS or any port-forwarded access).
To armor up against these WFH and email threats, we face three main challenges: securing those new remote machines, better protecting their remote targets (already under our care), and working to improve security of our new “”email endpoints.”” Each of these brings its own challenges, which I will explain as we go forward. First, I want to say that, like many of you, until March, we did not allow remote access to any of our client networks from anything but a managed machine. That fell by the wayside quickly, as it did for many others, due to the circumstances.
Armoring the Targets
For Net Sciences, the extra protection we needed on our target machines was easily provided by simply expanding the services we already had in place with our friends at Solutions Granted. We already had CylancePROTECT plus CylanceOPTICS, but by engaging their Tier 3 services (including Active Ready Response) we were able to do even more at very little cost. This new service, for nickels a month, provides upgraded SOC services for the endpoints, as well as the ability for them to lock down any suspect endpoint to allow traffic only between it and their SOC, to enable them to remediate it. This extra layer of protection of the target endpoints really goes a long way toward better sleep hygiene for all.
Our next step was to find a way to more fully protect all these new unmanaged endpoints that were suddenly connecting in from users’ homes to their networks. We wanted to protect these endpoints with affordable and lightweight tools. While our managed endpoints are typically Intel Core i5, 8G, SSD boxes, that cannot be said of our new endpoints. Many of these home machines just do not have the “”juice”” to manage the overhead of CylanceOPTICS (or even “”dwell time”” limiters such as the Huntress Labs endpoint detection solution).
This led us to RocketCyber, a suite of lightweight and very affordable security tools for our new endpoints. RocketCyber also offers a great security service for Office 365 mailboxes. Obviously, the perimeter and endpoints are critical to protect, but what about the cloud? Office 365 compromises are now among the most common security issues in our industry. That leaves many MSPs with a giant blind spot in their services. So how do we respond to that reality? And is this really something we have to address?
Is O365 An Endpoint?
Now we get into some rather philosophical territory. Does an O365 mailbox count as an endpoint? At first, this may seem an almost absurd question. After all, how can a service be an endpoint? But the reality is that as we all move from equipment and software to cloud-hosted services, it is time for us to reconsider some of the categories and constructs we’ve created over the years to manage our clients, their data, and its security. I make the argument that anything that can be targeted with an attack aimed at depriving a user or business of data or services, especially something that can be used to propagate social media attacks against said people or entities, is an endpoint needing protection.
With that in mind, last year we assembled a bundle of services around Office 365 known as “”Office 365 Complete”” including Mailprotector (mail filtering) and Dropsuite Advanced (OneDrive, Outlook, SharePoint, and Teams backup and email archiving). As anyone supporting O365 knows, there is still the issue of it being the high-profile target on the block. That means we needed more; O365 security settings reviews and log monitoring, for example. With RocketCyber’s Office 365 security monitoring tools and SOC, we have that missing link. And with so many working from home and under new stresses that we could not have conceived of a quarter ago, O365 security services are more critical than ever.
The Final Analysis
Securing our clients’ sites is not our job, it is our duty. Because of the strange times we are in, we decided to execute first and ask questions later, absorbing the cost of these services in the short term. As the pandemic fades, we will educate our clients about why they must remain diligent in protecting their new endpoints. Whether that means fully managed new machines, or dedicated profiles and a suite of security provision on their existing ones, we will be there for them. These times will pass but the need to secure every endpoint will not.
JOSHUA LIBERMAN is president of Net Sciences, founded in 1996. A 25-year ASCII Group member, former rock climber and martial artist, and lifelong photographer, Liberman has visited five continents and speaks many languages. He also writes and speaks in the IT field and raises Siberian Huskies with his wife Heidi, who calls him the Most Interesting Geek in the World.
Image: iStock
