44CON: EDR 'Ill-Equipped' to Deal With Identity Attacks

Browser extensions are the next step in security management and can be a core component.


Endpoint detection and response (EDR) tools did a great job when the endpoint was the target of attacks, but are “ill-equipped” to deal with this decade’s threats.

Speaking at 44CON in London, Luke Jennings, VP of R&D at Push Security, said that in the 2000s, the network was the perimeter. This was replaced with the endpoint in the 2010s, and now in the 2020s “identity is the new perimeter” and this is where attacks are now focused.

Jennings admitted that there is “nothing wrong with EDR” and it is “a great tool,” but said it was designed in response to endpoint attacks. He explained that most infostealers talk directly to apps and services or touch the browser, “but the browser is pretty opaque” and there is not that much visibility into what is going on.

He also said that identity attacks tend to target users’ browsers more than ransomware, which hits file shares and encrypts them, and that there is also SaaS data extortion, as most modern web apps are built in JavaScript that executes in the browser. “Everything is moving to the web space and the tech keeps moving too,” he said.

Identity and Credentials

Pointing at research which highlights that 80 percent of attacks involve identity and compromised credentials, Jennings said identity-based attacks are “not what is next, it is what is happening now.”

Jennings highlighted several types of identity attacks, which he said were “modern variants of phishing and infostealers” and often use credentials or cookies. He also said that single-factor authentication can be overcome with stolen credentials, that multi-factor authentication can be bypassed with a session hacking attack, and that these, along with credential stuffing, “can all lead to account takeover.”

In the future, Jennings predicted more reliance on browser extensions, which he admitted are not flawless but are becoming the “most important component for security and general IT purposes.”

He admitted that the risks can include:

* Users self-installing unapproved extensions

* Extensions being effectively an unmonitored EXE source that is not subject to application control

* Hijacked extensions posing a supply chain risk

However, browser extensions can be rolled out using managed deployments and have auto-updating capabilities, and a browser policy can also be used to lock down extensions. “Using browser extensions to solve security use-cases is a big opportunity that we cannot ignore,” he said.
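As an added illustration (not from the talk or from Push Security), the Python sketch below audits a Chrome-style `ExtensionSettings` browser policy for two of the gaps listed above: no blocking default, which lets users self-install unapproved extensions, and a managed extension with no update source. The extension ID and both sample policies are constructed placeholders.

```python
import re

# Chrome extension IDs are 32 characters drawn from the letters a-p.
EXT_ID = re.compile(r"[a-p]{32}")
MANAGED_MODES = {"force_installed", "normal_installed"}

# Constructed placeholder ID, not a real extension.
PLACEHOLDER_ID = "abcdefghijklmnopabcdefghijklmnop"

# Constructed sample: users may install anything, managed entry lacks update_url.
WEAK = {
    "*": {"installation_mode": "allowed"},
    PLACEHOLDER_ID: {"installation_mode": "force_installed"},
}

# Constructed sample: block by default, deploy one approved extension centrally.
HARDENED = {
    "*": {"installation_mode": "blocked"},
    PLACEHOLDER_ID: {
        "installation_mode": "force_installed",
        "update_url": "https://clients2.google.com/service/update2/crx",
    },
}


def audit_extension_settings(policy):
    """Return a list of findings for an ExtensionSettings policy dict."""
    findings = []
    default_mode = policy.get("*", {}).get("installation_mode")
    # Without a blocking default, unlisted extensions can be self-installed.
    if default_mode not in ("blocked", "removed"):
        findings.append("*: unlisted extensions are not blocked by default")
    for key, cfg in policy.items():
        if key == "*" or key.startswith("update_url:"):
            continue  # wildcard handled above; update_url scopes not audited here
        if not EXT_ID.fullmatch(key):
            findings.append(f"{key}: not a valid extension ID")
            continue
        mode = cfg.get("installation_mode")
        # Managed installs need an update_url to be fetched and auto-updated.
        if mode in MANAGED_MODES and not cfg.get("update_url"):
            findings.append(f"{key}: {mode} without update_url")
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_extension_settings(policy) or "no findings")
```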

