From the 2021 Retrospective Report published last month by the Identity Theft Resource Center (ITRC), we inferred that almost half of 2021 data breaches were due to failed endpoint protection. The derivation is sound but let's acknowledge that this figure is approximate at best. Still, it is useful for setting cyber stack and Sec-Ops priorities for 2022. More protection at the endpoint is needed.
Why this Failed Endpoint Protection Figure Matters
No one’s budget is large enough to pay for all possible risk mitigations. Decision-makers must choose what might make the most impact at the least cost.
They have already funded cyber stacks of multiple layers for defense in depth. Staffing costs generally far exceed the costs of the tools. All organizations have at least one software-based defense on each endpoint (e.g., traditional AV, endpoint protection platform). Other layers are deployed in front (i.e., perimeter), around (e.g., intrusion detection, entity user behavior analytics, etc.), and after the endpoints (SIEM, XDR, etc.). Alerts from endpoint defenses should also be regarded as involving resources after endpoint defenses because nothing is blocked or terminated until after an analyst investigates. And, let’s not forget the remediation and other post-incident costs.
Perfect preventative endpoint protection would leave much less for the staff of layers “around” and “after” the endpoints to do. Conversely, more endpoint protection failures drive up the costs of “around” and “after”. It also increases risks because while staff chases down numerous relatively low-impact incidents, they are not attending to high-impact incidents. Alerts fatigue also lowers staff effectiveness, which drives up risk.
Decision-makers are always struggling to choose among many potential cyber defense investments. The assertion that 46% of 2021’s data breaches were due to failed endpoint protection simply means that improvements there are easier to choose with the figure than without the figure. Doing so improves overall risk mitigation and lowers IT/Sec-Ops costs.
How we Derived the Figure and Why it might Understate the Cause
The report categorizes “cyber-attack” data breach causes into: “Phishing/Smishing/BEC”, “Ransomware”, “Malware”, “Non-secured Cloud Environment”, “Credential Stuffing”, “Unpatched Software Flaw”, “Zero Day Attack”, “Other - not specified”, and “NA” (not defined). We excluded non-attributed breaches and then combined the individual causes for “Ransomware” (33%), “Malware” (13%), “Unpatched Software Flaw” (0.4%), and “Zero Day Attack” (0.4%) into our derived “Failed Endpoint Protection” figure (46%). These figures pertain ONLY to those data breaches where a root cause was attributed.
Phishing attacks can involve social engineering, malware, or both. We cannot say what percentage of the phishing attacks involved malware. The good folks behind the Verizon Data Breach Investigations Reports have told us over the years that incident/breach submissions are often problematic. Some of the phishing attacks likely involved malware but were not categorized as such. Similarly, many, if not most, organizations lack the forensics capabilities to readily identify incidents/breaches due to “Unpatched Software Flaw” or “Zero Day Attack”. So, the data breaches due to failed endpoint protection is likely understated.
The “Zero-day Attack” figure is not very surprising. They have always made up a low percentage because there are so many other ways to compromise an enterprise. Still, the year over year increase was 300%. Then again, 2021 did see a large increase in reported zero-day vulnerabilities over 2020.
Ransomware and Malware Caused Data Breaches Increased in 2021
The reports numbers show that Ransomware caused data breaches increased over 2020 by 122% in 2021. Similarly, malware caused data breaches did so by 34%.
2021 Data Breaches increased by 84% over 2020
ITRC’s data states there were 1,613 and 878 data breaches due to cyber-attacks in 2021 and 2020, respectively. That equates to an 83.7% increase. Many say this is due to more work from home, which means greater dependence on endpoint protection.
One-third of Breaches are NOT Attributed to a Root Cause
What does this say about all of the above numbers? We could only speculate. However, it does say a lot of potential information is helping everybody make better decisions. You might have noticed that public data breach reports rarely specify what cyber defenses failed and in what way.
A Malware “Detection Gap” puts Everybody at Risk
We believe enterprise defenses suffer from too much dependence on detection technologies that are failing to recognize the nearly infinite varieties of malicious files and behaviors in malware attacks. Worse, too many organizations rely on low-end detection-based defenses. Some are far better than others. But even the best of them fail. And the best are increasingly detecting and reacting to sophisticated malware attacks after one or more endpoints and credentials are compromised, hours to months later. The later this happens the greater the clean-up costs and financial impact.
Add a Non-Detection Layer of Endpoint Protection
Most anti-malware cyber defenses are detection based. There is always a detection gap because there cannot always be pattern-matching detection data for nearly infinite varieties of malicious files and behaviors. AppGuard helps fill the detection gap by not applying detection itself. It's non-detection approach of applying zero trust principles within endpoints blocks malware technique activities rather than any specific malware sample. That means it blocks attacks without having to recognize them.
While AppGuard has been found to be remarkably effective against the headlined malware attacks of the last year or more, it is not perfect. If there’s part of a malware technique that cannot be deterministically discerned from legitimate activities, then AppGuard risks disrupting user productivity or mission critical applications. This is why AppGuard is not positioned as the only software-based defense against malware attacks. Instead, combine AppGuard with whatever detection-based defenses are already deployed. One can catch what the other might miss. And some detectable attacks are blocked by AppGuard before enough attack stages execute to allow for detection, and some of these detections only produce alerts that need to be handled by security analysts. The combination of AppGuard and detection defenses increases malware risk mitigation as well as lowers IT/Sec-Ops costs.