October is National Cybersecurity Awareness Month, and we wholeheartedly support this important initiative to focus attention on the critical security challenges facing all of us. This week’s theme focuses on the continued proliferation of IoT with, “The Future of Connected Devices.”

If there’s one major cyber trend we’ve seen unfold around connected devices, it’s that there is a tendency to focus cybersecurity awareness on what we can see – phones, laptops, and IoT devices, while assuming that protecting endpoints will stop the epidemic of damaging cyberattacks.

According to the 2020 Verizon Data Breach Investigation Report (DBIR), more than 70% of breaches are targeting servers – not user endpoints. This makes sense, because most attackers are financially motivated, and they will go where there is valuable data. The math is clear – if you encrypt and ransom someone’s laptop data, you may extort a few hundred dollars. But if you successfully steal the “Crown Jewels” from a company, the value skyrockets into the millions.

While end-users may play a role in corporate attacks, falling for phishing scams or clicking on risky links, but merely protecting their devices in no way assure protection for critical applications and servers. There are simply too many ingress points, and to protect the Crown Jewels, we must shift our thinking and start from the inside.

Many conventional security vendors have claimed that all endpoints are basically the same, and legacy technology such as anti-virus will be effective at protecting servers. This is simply not true – servers require very different security strategies and technologies.

Gartner states this unequivocally in their Market Guide for Cloud Workload Protection Platforms:

“Enterprises using EPP offerings designed solely for protecting end-user devices (e.g., desktops, laptops) for server workload protection are putting enterprise data and applications at risk.”

The report goes on to say:

“Do not use an offering designed to protect end-user endpoints and expect it to provide  adequate protection for server workloads. These are ill-suited for the requirements of dynamic workload protection.”

So, what exactly are the requirements of dynamic workload protection? To start, we need to shift away from the endless cycles of threat chasing. Attackers are resourceful, creative, and constantly shifting strategies to avoid detection by conventional tools. Trying to beat them with signatures, rules, learning, or even AI will always leave gaps, and is usually reactive – only stopping what’s been seen before.

Instead of perpetually “chasing bad” we need to focus on “ensuring good.” This means mapping and understanding exactly what applications are supposed to do, and then monitoring them in runtime to instantly detect any deviations from normal. By protecting dynamic server workloads, you are in essence, protecting your applications from the inside.

Protecting connected devices at their end points is essential. But remember that it is only the first step of many in an effective security strategy. It’s critical for businesses to look beyond the many ingress points and go deep within the systems themselves. We must stop thinking attacks will only come from an external source and shift our focus inward to protect critical application workloads from the inside.