For a long time, Mac security threats weren't a top-of-mind concern for security teams and vendors, who focused primarily on securing Windows, where they had a much larger footprint. Now many employees use Macs to access production infrastructure, giving attackers new avenues to exploit.
The truth is that these Mac endpoints often don't have the same security posture applied to them as Windows desktops. So what do enterprises need to know about endpoint security for Mac?
What is an Endpoint in Security?
An endpoint is a remote computing device that communicates back and forth with the network it is connected to: desktops, laptops and smartphones are the obvious examples, but tablets, servers, workstations and Internet-of-Things (IoT) devices are endpoints too.
An endpoint is least vulnerable when it is protected by an advanced endpoint security solution, one that prevents known and unknown malware and exploits, uses automation to reduce the security team's workload, and secures and enables users without degrading system performance.
What is Endpoint Security for Mac?
On macOS, Endpoint Security is a C API for monitoring system events for potentially malicious activity. A client can be written in any language that supports native calls. Typically, the client registers with Endpoint Security either to authorize pending events before they complete or to receive notifications of events that have already occurred, such as process executions, file system mounts, forks, and signals.
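The registration flow described above, as an added example written for this article rather than code from the post or from Uptycs: a minimal Endpoint Security client in Objective-C (plain C plus Apple blocks) that authorizes exec events and logs fork, signal and mount notifications. It assumes a binary signed with the com.apple.developer.endpoint-security.client entitlement, run as root, built on macOS with `clang -framework EndpointSecurity -lbsm es_monitor.m -o es_monitor`; the file name is hypothetical.

```objective-c
#include <EndpointSecurity/EndpointSecurity.h>
#include <bsm/libbsm.h>        // audit_token_to_pid
#include <dispatch/dispatch.h>
#include <sys/mount.h>
#include <stdio.h>
#include <stdlib.h>

// ES string tokens are not NUL-terminated; print them with an explicit length.
static void log_proc(const char *tag, const es_process_t *p) {
    printf("%s pid=%d ppid=%d platform_binary=%d path=%.*s\n", tag,
           audit_token_to_pid(p->audit_token), p->ppid, p->is_platform_binary,
           (int)p->executable->path.length, p->executable->path.data);
}

static void handle(es_client_t *c, const es_message_t *m) {
    switch (m->event_type) {
    case ES_EVENT_TYPE_AUTH_EXEC:
        // AUTH events hold the exec until answered; a real product would apply policy here.
        es_respond_auth_result(c, m, ES_AUTH_RESULT_ALLOW, false);
        log_proc("AUTH_EXEC", m->event.exec.target);
        break;
    case ES_EVENT_TYPE_NOTIFY_FORK:
        log_proc("FORK", m->event.fork.child);
        break;
    case ES_EVENT_TYPE_NOTIFY_SIGNAL:
        printf("SIGNAL sig=%d from pid=%d to pid=%d\n", m->event.signal.sig,
               audit_token_to_pid(m->process->audit_token),
               audit_token_to_pid(m->event.signal.target->audit_token));
        break;
    case ES_EVENT_TYPE_NOTIFY_MOUNT:
        printf("MOUNT %s on %s\n", m->event.mount.statfs->f_mntfromname,
               m->event.mount.statfs->f_mntonname);
        break;
    default: break;
    }
}

int main(void) {
    es_client_t *client = NULL;
    // Registration fails without the entitlement, root, or user (TCC) approval.
    es_new_client_result_t r = es_new_client(&client,
        ^(es_client_t *c, const es_message_t *m) { handle(c, m); });
    if (r != ES_NEW_CLIENT_RESULT_SUCCESS) {
        fprintf(stderr, "es_new_client failed: result %d\n", r);
        return EXIT_FAILURE;
    }
    es_event_type_t events[] = {ES_EVENT_TYPE_AUTH_EXEC, ES_EVENT_TYPE_NOTIFY_FORK,
                                ES_EVENT_TYPE_NOTIFY_SIGNAL, ES_EVENT_TYPE_NOTIFY_MOUNT};
    if (es_subscribe(client, events, sizeof(events) / sizeof(events[0])) != ES_RETURN_SUCCESS)
        return EXIT_FAILURE;
    dispatch_main();  // never returns; messages arrive on the framework's queue
}
```

Every AUTH message must be answered with es_respond_auth_result before the deadline carried in the message, or the framework will terminate the client; NOTIFY messages need no response.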
What is Endpoint Security for Mac Users Like in 2020?
Like Linux, Mac started as more of a niche operating system, attracting creative professionals with some technical know-how. The Mac operating system was not necessarily designed for everyday use.
However, over the past decade, Mac computers have become more user-friendly and ubiquitous in businesses, a change that started with the bring your own device (BYOD) policies in modern enterprises. This approach added a new layer of endpoints, which needed to be secured.
In addition to BYOD policies, many people just want to use Macs, particularly if they are already immersed in the Apple ecosystem with iPhones and other IoT devices.
There is a Lack of Visibility With Mac Endpoints
Many emerging, cloud native companies run their entire workforce on macOS. In these cases, they’re often aware that they have an incomplete security strategy, and are actively attempting to do something to reduce these IT blind spots. However, lack of comprehensive tooling is a real challenge.
Whereas Windows has comprehensive tooling and Linux has well-established auditing capabilities, Mac systems lack native tooling for endpoint security monitoring.
As a result, many Mac-heavy companies rely more on users to keep systems up to date, or on MDM-type solutions that aren't necessarily focused on security use cases. Teams with the resources and skills may attempt to build homegrown security monitoring tools. Either way, security and IT admin teams often still lack full visibility into their macOS environments.
Endpoint Security Monitoring For Macs: 5 Things You Should Know
1. There is a Knowledge Gap.
Many security professionals grew up in the Windows or Linux space and need to adapt to Macs. Similarly, many endpoint detection and response (EDR) solutions are only starting to address macOS now.
This reactive attitude means that many enterprises are playing catch-up, mainly because of a rise in attacks against Mac endpoints. Research from Malwarebytes found that in 2019 Mac users had more than double the number of threat detections of Windows users.
2. Tighter Controls May Impact User Experience.
In October 2019, Apple released the macOS Catalina update, heralding tighter restrictions around data privacy and security controls. While this is good news from the corporate and security team's perspective, it may pose new problems by degrading the user experience. In some cases it's simply an abundance of prompts and messages asking the user to authorize application behavior in accordance with these new controls. In other cases, for admins of corporate Macs, it means additional work to configure their MDM or other solutions to ensure necessary applications keep working as expected with all of the changes Catalina brings.
One other big change is that 32-bit applications are no longer supported under Catalina. Users relying on legacy applications for certain tasks will be forced to find alternatives.
Finding the right balance between security controls and the user experience isn’t always easy, as locking things down too much may put off users.
3. Communication Between Security Teams and Users is Vital.
One way of striking a balance is for security teams to work closely with pilot groups of power users on Mac systems. Through testing and communication, security teams can set controls to safeguard data and systems without having a detrimental impact on user accessibility or productivity.
4. Mac Security Threats are Not a Myth.
Gone are the days when Macs were bulletproof. Malware is a real problem for Macs, as enterprise users are susceptible to phishing and other threats.
Whether the hacker’s goal is to steal credentials, or to use the Mac as a jumping-off point to move laterally within the environment or gain access to cloud resources, security teams must prepare for this threat. (You can learn more about Mac malware and how to hunt for it using osquery in this blog.)
5. You Can’t Rely Blindly on Mac Users to Take Care of Security.
While assuming Macs are immune to threats is a bad move, a more dangerous misconception is that Mac users are more technical and can be relied upon to be proactive about security issues. Leaving endpoint security for Mac (or any device!) up to the users themselves, without any way to monitor whether updates and configurations are properly enabled, is a risky move that should be avoided.
Your security team must take responsibility to oversee Mac best practices for security monitoring and protection.
Level Up Your macOS Visibility & Monitoring in 2020
For many enterprises, security teams, and vendors, endpoint security for Mac has historically represented a weak spot either due to lack of knowledge about risks or lack of tooling available to provide comprehensive visibility and monitoring. As Macs are now commonplace, security teams are focusing on catching up with savvy attackers who target these potential weak points. To learn more about improving your endpoint security for Mac with osquery and Uptycs, check out these additional resources:
- Video: osquery and 8 macOS Security Best Practices
- On-demand Webinar: macOS Security Best Practices
- osquery Resource Hub - explore curated resources specific to macOS
To read more about Cloud Security and Best Practices, check out our Cloud Security and Fundamentals eBook