Chrome Soothes Endpoint Security Chaos in the Cloud

Posted by Steve Holly, Product Manager, Chrome & Devices on Oct 24, 2018

Recent tech headlines say it all. Media coverage and industry reports paint if not a bleak picture for endpoint admins and businesses, then at least a sobering one. Take a look at the growing evidence of chaos in the realm of endpoints:

  • Endpoints are a significant source of successful attacks on organizations.
  • Traditional AV is only effective against 43 percent of attacks.
  • Windows updates seem to be causing more and more problems for admins.

According to the Ponemon Institute’s 2018 State of Endpoint Security Risk report, more than two-thirds of enterprise players have been compromised by attacks originating at endpoints in the past 12 months. This increase in successful attacks is taking a toll on endpoint security confidence. According to respondents, an average of 52 percent of all attacks cannot realistically be stopped. The status quo is not working. “The status is not quo,” to quote Dr. Horrible.

10-Second Read...

There’s mounting evidence that traditional endpoints are IT security’s weak link, causing significant problems for businesses, endpoint managers and end users alike. But there’s a solution to this chaos: ChromeOS.

Designed for the cloud computing age, ChromeOS is highly secure and easy to use and manage. As Chrome has evolved over the last ten years, more enterprise workloads have shifted to web apps and the cloud. 

Chrome devices can easily replace traditional endpoints for a majority of use cases to improve an organization’s security and IT staff efficiencies — and provide a better experience for their end users.

It’s time for your endpoints to evolve.

The report also quantifies the costs the attacks inflict on compromised organizations, noting costs have increased as a result of lost IT and end-user productivity.

Information theft has also increased. The average cost per compromised endpoint is $440, the report says, while small-and-medium-sized (SMB) companies face higher costs, $763 per endpoint on average.

Windows Updates Aren't the Answer

Traditionally, one way to ensure your endpoints are protected is to keep them current with the latest Windows updates. That’s been a fact of life for as long as I can remember. Unfortunately, the facts of life have been changing.

The Windows 10 rollout introduced its Windows as a Service feature, which delivers updates twice a year along with the monthly “Patch Tuesday” updates. This change in how Microsoft delivers software updates has created a lot of frustration for admins.

Just this year, Microsoft halted the July and October updates when problems were identified after the initial rollout. July’s update had problems with the .NET framework that broke SQL Server, Skype for Business, Exchange Server and other enterprise applications. October’s update caused blue screens of death — and deleted files from hard drives without warning.

Ars Technica posted an excellent article about the problems inherent in the Windows as a Service development process. Not surprisingly, the issues seem to be rooted in processes that were created when Microsoft was delivering new versions of software every three years or so. Take time to read this article for a much deeper understanding of the situation.

One thing is clear: for whatever reason, it seems as if the Windows team cannot deliver quality software using this new model. Admins are asking Microsoft to slow down because they can’t keep up.

In an open letter to Microsoft management that was published at Computerworld, Susan Bradley, the moderator of the listserv community patchmanagement.org and a well-known Windows admin advocate, said:

“The quality of updates released in the month of July, in particular, has placed customers in a quandary: install updates and face issues with applications, or don't install updates and leave machines subject to attack.”

Patching Takes Too Long

Patch management challenges are actually leading to a less secure environment. According to the Ponemon Institute, the average time to patch is 102 days. In organizations that have a patch management process, 43 percent say they are taking longer to test and roll out patches in order to avoid issues and assess the impact on performance.

A recent survey of members of the patchmanagement.org listserv generated the following results based on a 1-5 scale, with 5 being the best.

  • Satisfied with the quality of Windows Updates in general: 2.20 avg; 1,137 respondents
  • Satisfied with quality of Windows Updating: 2.11 avg; 1,131 respondents

All of this paints a fairly unflattering picture for Windows as endpoints. And if you read any of the supporting evidence, you’ll know I’m just scratching the surface. So how can you fix this?

Simple. Adopt an operating system that’s designed from the ground up to be the endpoint for the new computing paradigm. That’s ChromeOS.

Chrome is More than a Shiny Thing

ChromeOS reaches well beyond the familiar Chrome browser. ChromeOS is built...

  • For the cloud
  • On open source
  • For security
  • For simplicity

I’ll never say ChromeOS is impervious to attacks or 100 percent bug-free, but I will say Chrome is the best endpoint solution for addressing the problems we’ve discussed. Here’s a look at why.

The Ponemon Institute’s 2018 State of Endpoint Security Risk report highlighted two reasons current endpoint security is weak.

  • Zero-day and fileless attacks are more likely to compromise an organization than existing or known attacks.
  • Traditional antivirus and malware protections are ineffective.

ChromeOS, while not completely immune to zero-day and fileless attacks, does present a smaller window of opportunity for these attacks to cause damage, thanks to a process called Verified Boot.

Every ChromeOS device has two boot partitions. Each time ChromeOS boots, the active boot partition is cryptographically checked for abnormalities that would indicate a nefarious program trying to rewrite something in the system. If an exception is found, the boot process reverts to the second boot partition and goes through the checks again. If the second boot partition is also compromised, the device enters recovery mode and won’t boot until an admin reimages the unit, a ten-minute process.

This model ensures your users are always working from an uncompromised system without support intervention, except in rare cases. So even if there was a zero-day or fileless attack that could infect a Chrome device, the infection would persist only until the next reboot.
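The fallback order described above can be modelled in a few lines. This is an added example, not ChromeOS code: it compares SHA-256 digests as a simplified stand-in for the cryptographic check, and the slot names, images and function names are all constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample images for two boot slots (not real OS images).
GOOD_A = b"constructed-os-image-slot-A"
GOOD_B = b"constructed-os-image-slot-B"


def digest(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


def partition_ok(image: bytes, trusted_digest: str) -> bool:
    """True when the partition contents still match the trusted digest."""
    return hmac.compare_digest(digest(image), trusted_digest)


def select_boot(partitions: dict, active: str, trusted: dict):
    """Check the active slot, then the other slot, then give up.

    Returns (outcome, log); outcome is a slot name or "RECOVERY".
    """
    other = next(name for name in partitions if name != active)
    log = []
    for slot in (active, other):
        if partition_ok(partitions[slot], trusted[slot]):
            log.append(f"{slot}: verified, booting")
            return slot, log
        log.append(f"{slot}: verification FAILED")
    log.append("no verified partition: entering recovery mode")
    return "RECOVERY", log


def demo():
    """Run three constructed scenarios and return the outcome of each."""
    trusted = {"A": digest(GOOD_A), "B": digest(GOOD_B)}
    clean = {"A": GOOD_A, "B": GOOD_B}
    a_modified = {"A": GOOD_A + b"\x00changed", "B": GOOD_B}
    both_modified = {"A": GOOD_A + b"\x00changed", "B": b"changed" + GOOD_B}
    return [select_boot(p, "A", trusted)[0]
            for p in (clean, a_modified, both_modified)]


if __name__ == "__main__":
    print(demo())
```

In this model a fallback to the second slot still yields a working device, so the verification-failure log line is the only sign that the active partition was altered.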

Organizations spend a lot of money on antivirus and malware protection. Sadly, it’s a failed investment. According to the Ponemon Institute report, AV products miss an average of 57 percent of all attacks.

Another 55 percent of all security alerts from AV solutions are false positives, that is, reliable software that the protection agent wrongly judges to be bad, blocking the user.

So this is not only a huge security issue, but also a pretty significant administrative burden and usability nightmare.

Enjoying Native, Web-Designed Protection

ChromeOS was specifically developed for the web. Because of that, ChromeOS uses several features to natively protect against viruses and malware.

  • Verified Boot. As we discussed earlier, it is a core design principle that creates a strong foundation for the rest of the built-in defense mechanisms.
  • Sandboxing. Each webpage and application runs in its own restricted environment. If the Chromebook is directed to an infected page, it can’t affect other tabs or apps on the device or anything else on the machine. Even if an attack gets through, it would only affect that one tab.
  • Data Encryption. Each user on a ChromeOS device gets a private, encrypted partition. ChromeOS encrypts the data using tamper-resistant hardware that makes it very difficult for anyone to access without having the user’s password.
  • Recovery Mode. If anything goes really wrong on the device, it just takes a few keystrokes or the push of a button or two to return the device to a factory-fresh state. For G Suite users, wiping the device and resetting it doesn’t cause any issues since all the user’s data is stored in the cloud within Gmail, Calendar, Drive and/or Chat. In less than ten minutes, the user is back up and running on a clean device.
  • Automatic updates. This process ensures the Chrome device is always up to date with the latest security and feature updates. Google rolls out updates roughly every six weeks.

But if Microsoft’s “Windows as a Service” update schedule is causing admins headaches, how can Google’s update schedule of every six weeks be any better?

Enjoy Headache-Free Cloud Computing

A lot has to do with the quality of the updates and the admin process for managing them. ChromeOS is built on ChromiumOS, the open source project. Open source development practices are well-known. The development takes place in the open if you’re so inclined to review the code. The commit process is well documented, and the quality of the code, even in dev and beta channels, is far superior.

Well before they hit production, admins can subscribe devices to the developer and beta channels of ChromeOS to get a feel for upcoming changes. The dev channel gives admins about a 12-week preview of what’s coming. The beta channel is about six weeks ahead of production. As an admin, you can lock down your production branch to a specific version of ChromeOS to make sure it is not upgraded to the next major release until you’re ready.

When you factor in Google’s ChromeOS development process, the quality of code and the controls admins have over updates, it’s safe to say the experience of managing Chrome devices is much less frustrating than managing Windows devices.

ChromeOS is an operating system that was built specifically for today’s cloud computing environment. The days where Chromebooks were seen as cheap toys or just for students have quickly passed. Chrome devices now offer more security and administrative features in one package, simplifying your endpoint management team’s job — while significantly enhancing your organization’s security posture.

Innovative and diverse companies like Netflix, Whirlpool and Veolia are securing their endpoints with Chrome.

With zero-day and fileless attacks on endpoints only increasing, Microsoft’s Windows as a Service fundamentally broken and anti-virus tools unable to effectively protect endpoints, it’s time for a hard look at your endpoint strategy.

Isn’t it time for it to catch up with the rest of today’s technologies?

Suggested Reading

  1. Microsoft’s problem isn’t how often it updates Windows—it’s how it develops it
  2. An open letter to Microsoft management re: Windows updating
  3. Windows 10 patch expert begs Microsoft: 'Please fix uptick in botched updates'
  4. Results of Windows Satisfaction Survey from patchmanagement.org members
  5. Two Windows 10 feature updates a year is too many
  6. Zero-days, fileless attacks are now the most dangerous threats to the enterprise
  7. How Chromebooks became the go-to laptops for security experts

Topics: Google Chrome, Workplace Cloud Collaboration

MEET THE AUTHOR

Steve Holly, Product Manager, Chrome & Devices

Since 2008, Steve has been on the forefront of the transition to cloud-based services. He has helped companies like Whirlpool, Lexmark, Fujifilm America, Celestica, The New York Times, and the Canadian Broadcast Corporation make the transition to Google’s cloud-based services. Steve spent six years in the Navy, where he got his start in computers. During his service, he visited Japan, Thailand, Bali, Australia, Hong Kong, and more.
