4 Hardware-Based Endpoint Security Strategies for a Distributed Workforce
By Richa Bhatia
Cybercrime has become the inevitable downside of the lockdown economy. As organizations quickly pivoted to large-scale distributed, WFH and remote enablement of the workforce, businesses expanded VPN accessibility and deployed more end-user devices to help employees transition to virtual environments. Companies also relaxed norms and broadened support for employees to use their own devices, expanding the attack surface and risking proprietary data and credentials.
For IT managers, the task of putting in place security guardrails to ward off cyberattacks on endpoints, networks, and the cloud, suddenly became more urgent and far more high-stakes. Keeping the business running, while creating a highly secure, connected remote workforce, has become the new key performance indicator (KPI) in this climate.
But even before the pandemic brought in a new wave of security woes, hardware-level security tended to be an overlooked element of the overall cybersecurity strategy. While organizations continue to spend significant IT resources in software-led security aspects, including securing enterprise networks and web applications, and ad-hoc patching efforts, the same diligence has not been extended to hardware-led security enhancements for endpoints, laptop fleets and company-issued devices. Unsurprisingly, hardware breaches have emerged as the lowest hanging fruit for cyberattackers, and are becoming harder to prevent in the days of widespread virtual, distributed workforces.
A recent Forrester report titled BIOS Security – The Next Frontier for Endpoint Protection [1] found that 63% of organizations experienced one data breach over the past year due to a hardware security vulnerability. More worryingly, almost half – 47% of firms surveyed – faced at least two hardware-level attacks in a span of 12 months. End-users, and their end-point devices, continue to be an easy gateway for cyber criminals into business systems.
Software-based security can be bypassed by an attacker who has gained higher privileges through a vulnerability in the software or hardware. While critical to detecting threats, a predominantly software-based approach to network or end-point security is simply not enough to keep up with modern threats, as hackers attempt to inject malware into the code beneath the operating system. Some of the most common security failures in BIOS firmware also arise when end-users continue using aging, vulnerable or unpatched devices.
A combined software- and hardware-based security approach can help protect vital assets, data, and infrastructure. In this context, securing the starting point – the hardware – and building an integrated approach to security is crucial to sustainable management of firmware and network security.
The Strategic Value of Hardware Security
Typically, organizations close security gaps by adding new tools to their arsenal meant to protect corporate networks. The widespread assumption is that by adding more firewalls, encrypting sensitive data at rest, upping advanced threat protection (ATP) on devices to block zero-day attacks, and prioritizing IAM capabilities, IT teams can better protect networks, sensitive data and devices.
But like we said, that’s not enough. We’re operating in a drastically different environment. Over the course of the last decade, even as hardware and BIOS level breaches have increased, the strain on IT ops to manage diverse end-points and the effort of keeping people trained on the latest security best practices has become a constant challenge.
Speaking to Toolbox, endpoint security software maker Adaptiva’s founder-CEO Deepak Kumar [2] summarized the current situation succinctly, “Endpoints are typically less controlled than, say, the data center. And with everyone working from home, they are literally on the front lines and potentially more exposed due to the enterprises’ lack of control over home networks.”
The bottom line is – hardware security is not easy, but it has become increasingly urgent in today’s business landscape, which is more distributed and connected than ever before. Michela Menting, Digital Security Research Director at technology research firm ABI Research [3], further buttresses the point: “Hardware-based security offers better protection from manipulation and interference than its software-based counterpart, because it’s more difficult to alter or attack the physical device or data entry points.”
By design, hardware and firmware have a better view of the system, and so a greater ability to protect it. So, how can IT managers get a grip on hardware security as a critical component of an integrated approach to cybersecurity?
4 Critical Hardware-Based End-Point Security Must-Haves for Businesses
As the needs of the workplace grow, an integrated approach to hardware, firmware, software, and identity protection enables full-spectrum ‘hardware to software visibility’. This approach acknowledges that PC security needs additional layers of hardware-based security, built in at the silicon level [4], to strengthen the endpoint security strategy.
Especially for small and mid-sized businesses (SMBs), trusted hardware-based security features can help counter pain points specific to rapidly growing businesses, including increased cost pressures, threats of security breaches (yes, 43% of attacks are aimed at small businesses [5]) and IT complexity.
Here are 4 Hardware-Based Endpoint Security Strategies for Optimal Outcomes:
1. Focus on Hardware-Enhanced Endpoint Security Practice
Cybersecurity is not just about remediating vulnerabilities – IT teams need to proactively go one layer deeper – beyond anti-virus software to the fleet of employee laptops, PCs, and devices, which are often the first point of attack, and examine how well they are aligned with the wider remote access management and security strategy.
The business implications of hackers gaining access to company data or embedding malware inside the corporate firewall are pushing organizations towards a hardware-enhanced protection model. For example, hardware-enhanced security features coupled with user-friendly technologies such as remote management tools (remotely reboot laptops and apply patches) can help significantly reduce the attack surface.
What you should do: buy business-grade PC hardware with built-in protection for firmware vulnerabilities, to help mitigate the risks of software-based security at the device level. Conduct due diligence on firmware transparency, to help overcome firmware blind spots and enhance visibility into the device platform. This helps IT to build the trustworthiness of what resides within a given platform.
2. Adopt Robust Remote Management Capabilities
COVID-19 became a new reality check for businesses of all sizes, but SMBs that work with limited infosec resources were dealt the biggest blow. As SMBs worldwide moved to remote work policies, end-user devices deployed in unsecured home environments became more important to business continuity than before. But it also meant that IT and SecOps teams were forced to adopt a security-first posture, with a focus on agility, collaboration and connectivity, almost overnight.
Now more than ever, businesses need to keep their PC fleet compliant – especially when working off the corporate LAN. Stephanie Hallford, Intel vice president of the Client Computing Group and general manager of Business Client Platforms, shares that the Intel vPro® platform helps companies provide more security and manage their PC fleets for present and future complexities. “Built for business, the Intel vPro platform is a comprehensive PC foundation for performance, hardware-enhanced security, manageability and stability. With our new 10th Gen Intel Core vPro processors, we’ve enhanced that solid PC foundation to help tackle not only today’s challenges, but also those of future work environments across the PC lifecycle.”
What you should do: invest in next-gen technologies packed with automated tools that enable remote asset management and compliance best practices. Look for solutions with built-in features that allow intelligent and real-time monitoring, secure updating of out of band devices, and scheduling remote maintenance that can be executed in the background, without disrupting employee experience or productivity. This can help minimize the complexity for IT Ops.
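The two recommendations above, visibility into the device platform (strategy 1) and keeping the PC fleet compliant while it is off the corporate LAN (strategy 2), both start with a per-device record of which hardware-rooted protections are actually in place. The script below is an added example, not code from the article or from Intel, Toolbox or any product named here. It is a read-only inventory for a Windows 10/11 endpoint that collects firmware identity, Secure Boot, TPM and virtualization-based security state using standard Windows cmdlets and WMI classes, then compares the record with a baseline. The baseline thresholds in Test-HardwareSecurityBaseline are a constructed example of what an organization might require, not a standard from the article.

```powershell
# Added example (not from the article or any vendor it names): inventory of
# hardware-rooted security state on one Windows endpoint, the per-device record
# a fleet compliance check would collect and ship to a central console.
# Run in an elevated PowerShell session: Confirm-SecureBootUEFI needs
# administrator rights and throws on legacy (non-UEFI) firmware.

function Get-HardwareSecurityPosture {
    [CmdletBinding()]
    param()

    $bios   = Get-CimInstance -ClassName Win32_BIOS
    $system = Get-CimInstance -ClassName Win32_ComputerSystem

    # Secure Boot: the cmdlet throws on BIOS/CSM machines, so record
    # "NotSupported" rather than failing the whole inventory.
    $secureBoot = 'NotSupported'
    try {
        $secureBoot = if (Confirm-SecureBootUEFI) { 'Enabled' } else { 'Disabled' }
    } catch { }

    # TPM presence and readiness (TrustedPlatformModule module).
    $tpm = $null
    try { $tpm = Get-Tpm } catch { }

    # Virtualization-based security from the DeviceGuard WMI provider.
    # VirtualizationBasedSecurityStatus 2 = running.
    # SecurityServicesRunning codes: 1 = Credential Guard, 2 = HVCI (memory integrity).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        Manufacturer           = $system.Manufacturer
        Model                  = $system.Model
        BiosVersion            = $bios.SMBIOSBIOSVersion
        BiosReleaseDate        = $bios.ReleaseDate
        SecureBoot             = $secureBoot
        TpmPresent             = if ($tpm) { [bool]$tpm.TpmPresent } else { $false }
        TpmReady               = if ($tpm) { [bool]$tpm.TpmReady }   else { $false }
        VbsRunning             = ($dg -and $dg.VirtualizationBasedSecurityStatus -eq 2)
        HvciRunning            = ($dg -and ($dg.SecurityServicesRunning -contains 2))
        CredentialGuardRunning = ($dg -and ($dg.SecurityServicesRunning -contains 1))
    }
}

# Compare one posture record with a baseline. The required settings below are a
# constructed example of an organizational policy, not a standard from the article.
function Test-HardwareSecurityBaseline {
    param([Parameter(Mandatory)] $Posture)

    $findings = @()
    if ($Posture.SecureBoot -ne 'Enabled') { $findings += 'Secure Boot is not enabled' }
    if (-not $Posture.TpmPresent)          { $findings += 'No TPM present' }
    if (-not $Posture.TpmReady)            { $findings += 'TPM is not ready for use' }
    if (-not $Posture.VbsRunning)          { $findings += 'Virtualization-based security is not running' }
    if (-not $Posture.HvciRunning)         { $findings += 'Memory integrity (HVCI) is not running' }

    [pscustomobject]@{
        ComputerName = $Posture.ComputerName
        Compliant    = ($findings.Count -eq 0)
        Findings     = $findings
    }
}

# Usage: collect the record, show it, and report baseline findings.
$posture = Get-HardwareSecurityPosture
$posture | Format-List
Test-HardwareSecurityBaseline -Posture $posture | Format-List
```

The script deliberately reads state and never changes it, so it can run from a remote-management job on machines outside the corporate LAN without affecting the user. The BiosVersion and BiosReleaseDate fields are what an IT team would diff against the OEM's current firmware release to find the aging or unpatched devices the article warns about; the Findings list is what a console would surface per device.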
3. PC Lifecycle Management
Device management is an increasingly complex and labor-intensive task for stretched IT teams – maintaining and updating company-wide endpoints, checking in on security and compliance when PCs are lost or stolen, and helping provide secure access and connectivity to various devices and operating systems. For high-growth SMBs, while all these tasks are an added burden, they are also critical to competitiveness and continuity.
IT ops teams today want a PC platform that can keep pace with modern workplace challenges and performance expectations, is mobile-friendly, manageable, stable, secure and most importantly, helps meet business objectives. Features like improved battery life and connectivity are table stakes – businesses now look for advanced features such as built-in AI to detect stealth attacks, predictive analytics that allow end-users to self-heal the system and enhanced manageability capabilities that can remotely power up systems to deploy security patching or threat remediation.
What you should do: evaluate solutions based on centralized management capabilities, coupled with out-of-the-box features that IT teams can count on, through the lifecycle of the device. These manageability capabilities can also help many SMBs operating without fully staffed IT departments to simplify device lifecycle management.
4. Prioritize Vendors That Provide Hardware-Enhanced Security Features
The BIOS Security study by Forrester finds that nearly two-thirds of organizations are cognizant of threats to the hardware supply chain, yet only 59% have implemented a hardware supply chain security strategy. At the vendor end, hardware security falls to PC makers, chip makers, and BIOS vendors like American Megatrends Inc. (AMI) and Phoenix. Some chipmakers like Intel are investing in remote firmware and end-point security capabilities and technologies, as well as partnering with OEMs to help ensure an integrated hardware security approach for the fleet, at the source.
Intel and the OEMs’ capabilities provide the foundation for meeting what Intel has termed a secured-core PC [6], which can help shield from attacks targeted at OS and firmware layers. Built in conjunction with Intel and other partners, secured-core PCs help bring the zero-trust concept to hardware. In addition, technologies from Intel help businesses benefit from supply chain transparency and traceability of PC components, and help IT to quickly roll out software fixes for critical vulnerabilities to managed PCs. Talking about their partnership with Microsoft, David Weston, director of Enterprise and OS Security at Microsoft, said, “As an opt-in feature in Windows 10, Microsoft has worked with Intel to offer hardware-enforced stack protection that builds on the extensive exploit protection built into Windows 10 to help enforce code integrity as well as helping terminate any malicious code.”
Tom Garrison, vice president of the Client Computing Group and general manager of Security Strategies and Initiatives (SSI) at Intel Corporation, adds, “Security solutions rooted in hardware provide the greatest opportunity to provide more security assurance against current and future threats. Intel hardware, and the added assurance and security innovation it brings, help to harden the layers of the stack that depend on it.”
What you should do: as PC and chip makers ramp up security practices, battle-test hardware, and reduce complexity for end-point remote security, IT leaders should invest more time in understanding and implementing device security best practices and firmware/hardware validation with the help of MSPs/VARs and even directly from vendors.
The PC as the essential business device may have undergone a major evolution – from desktops to laptops and notebooks and increasingly intelligent, mobile devices – but the core concern of IT departments tasked with managing those devices remains the same: leveraging a platform that can reduce device management complexity and maintenance costs, while still supporting end-user mobility and helping significantly improve end-point security. A multidimensional approach to security will aim to integrate complementary hardware- and software-based security interventions, efficiently implement and manage protections for the organization’s computing infrastructure, and help bring a higher degree of confidence to dealing with end-point security vulnerabilities – all crucial capabilities in a world where businesses of all sizes are rapidly embracing the benefits of distributed workforces and virtual workspaces.