
Securing endpoints in the age of remote working

18 October 2021

Telework has become widespread in recent months and this change poses new challenges in terms of cybersecurity. How can organisations protect against threats when the IT environment is more open, employees are working remotely, and there is a greater range of employee devices (workstation, mobile or tablet) in play?

Thousands of employees are now working remotely in Luxembourg. They are reliant on equipment provided by their employers or their own hardware to carry out their daily tasks. This development, necessitated by the pandemic but set to continue, brings new challenges in terms of cybersecurity. In view of the evolving threat, players were quick to ask themselves how they could protect the IT environment (that is, the company’s digital assets), as well as the company’s data, and the servers and endpoints used by each employee.

For workstations, antivirus software is no longer sufficient

How can major players prevent, detect, block, respond to and analyse ransomware attacks from a remote terminal, avoiding rapid propagation of its effects and business paralysis?

“Antivirus software is not enough. Such a protective measure, analysing elements based on known signatures, will block old attacks. However, in many cases, it is necessary to go further and integrate an EDR-type solution,” explains Alban Rocheteau, Head of the CyberSecurity Operational Centre within the Covéa Group, the main mutual insurer in France, which owns the GMF, MMA and MAAF brands. “We can then base the response on behavioural analysis and protect each endpoint more effectively.”

Endpoint detection and response

The main role of an EDR (Endpoint Detection and Response) solution is to monitor all actions taken from an endpoint, be it a workstation or a server. Analysing this data ensures that any anomalies are detected quickly so that suspicious operations can be automatically blocked or suspended until further analysis is complete.

The Covéa group chose to protect its assets through the EDR solution developed by the French company TEHTRIS, achieving a high level of protection thanks to advanced automation. The group has 23,000 employees and a further 6,000 agents throughout the country, who are also equipped with hardware supplied by the group. In total, Covéa has to manage and protect 43,000 endpoints: 33,000 workstations and 10,000 servers. “In a ransomware attack, where the aim is to encrypt all of the company's assets, you have to act quickly. On average, this type of attack manages to paralyse more than 500 workstations per minute that passes,” explains Nicolas Cote, Head of Solutions at TEHTRIS. “If an attack hits several company machines, it can spread to the entire environment in no time. In a matter of minutes, medium and large companies can have their IT systems completely paralysed. To protect ourselves, contain the threat and stop the attack, we can no longer rely on manpower alone. We need automation to supplement human effort.”

Automation is essential

For an idea of the scope of the challenge, between 1 July and 31 August 2021, across the Covéa group, some 64 billion individual events were reported to the Security Information and Event Management (SIEM) system, also operated by TEHTRIS. Of these events, 8 billion concerned security issues. 117 million rules were triggered, of which 60 million were significant. After correlation of these events, the SIEM's analyses led to 38 incidents being reported to the Covéa Security Operation Centre. These incidents fall into several categories, such as malware detected on a workstation, blocked ransomware, too many connection attempts on a server, etc. “In light of the number of events, we realise that automation is essential if we don't want to miss an alert and risk an attack spreading to the entire environment,” says Alban Rocheteau.

Blocking the threat at the endpoint

This automation covers both the detection of events and their reporting to the SIEM, and allows events to be correlated at the analysis stage using artificial intelligence, machine learning and deep learning. “With an advanced degree of automation, it is possible to develop cross-functional analytical snapshots and to strengthen decision-making capacity to better detect, protect and respond. In many cases, the solutions implemented will freeze the threat to give analysts time to undertake advanced investigations,” explains Nicolas Cote.

These tools therefore play an important role in helping organisations mature in their management of IT security. “An EDR is now the means of detection and response, with the advantage of operating at the finest level of granularity, i.e. the workstation, mobile or server. We can therefore block and isolate a threat locally, while preventing it from spreading widely,” continues Nicolas Cote.
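To make the behavioural approach described above concrete, here is a small added example (not code from TEHTRIS, Covéa or the article) of the kind of rule an EDR agent applies locally: it watches per-process file activity on an endpoint and, when one process touches an unusual number of files within a few seconds (the pattern ransomware encryption produces), records a "suspend" verdict for that process so the operation can be frozen pending analyst review. Thresholds, event fields and the sample telemetry are all assumptions constructed for illustration.

```python
"""Toy behavioural endpoint rule: flag a process that writes or renames
many files in a short sliding window (ransomware-like burst)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: float        # seconds since epoch (constructed, not real telemetry)
    host: str
    pid: int
    process: str
    action: str      # "file_write", "file_rename" or "proc_start"
    path: str


BURST_THRESHOLD = 20   # assumed: files touched by one process within WINDOW
WINDOW = 5.0           # assumed: window length in seconds


def detect_bursts(events, threshold=BURST_THRESHOLD, window=WINDOW):
    """Return {(host, pid): verdict} for processes exceeding the burst rule.
    A per-process sliding window of file-event timestamps is kept; once a
    process is flagged its later events are ignored (it is already frozen)."""
    touched = defaultdict(list)
    verdicts = {}
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.host, ev.pid)
        if key in verdicts or ev.action not in ("file_write", "file_rename"):
            continue
        window_ts = touched[key]
        window_ts.append(ev.ts)
        while window_ts and ev.ts - window_ts[0] > window:
            window_ts.pop(0)          # expire events older than the window
        if len(window_ts) >= threshold:
            verdicts[key] = f"suspend:{ev.process}"
    return verdicts


def sample_events():
    """Constructed sample telemetry: a slow backup job writing 5 files over
    40 s, and an unknown process renaming 25 user files in about 1.2 s."""
    evs = [Event(100.0 + i * 10, "ws-0142", 4201, "backup.exe", "file_write",
                 f"/srv/backup/part{i}.bak") for i in range(5)]
    evs += [Event(300.0 + i * 0.05, "ws-0142", 5117, "unknown.exe",
                  "file_rename", f"/home/user/docs/report{i}.docx.locked")
            for i in range(25)]
    return evs


if __name__ == "__main__":
    print(detect_bursts(sample_events()))
```

In a real agent the verdict would trigger the local block-and-isolate actions the article describes and forward the event to the SIEM; the rule here is deliberately minimal so the window logic is easy to follow.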
 
