At the heart of every organization are its employees, the engine that drives growth, fueled by the data they create and store on their laptops, tablets, and mobile phones, as well as the data they access on data center and cloud servers. It should come as no surprise to CISOs that 60 percent of corporate data is stored on employee endpoints.
And cybercriminals are increasingly targeting the valuable data held on these enterprise endpoints, recognizing the higher return on investment compared to consumer targets. In fact, businesses saw a 235 percent increase in cyberattacks. What’s even more concerning is that 2018 brought more than a six-fold increase in information-stealing Trojan malware such as Emotet and TrickBot and more than a five-fold increase in ransomware such as Troldesh.
The job of every CISO is to secure the organization and minimize risk to business operations in the event of an attack. One successful endpoint attack can interrupt employee productivity and bring the business to a grinding halt. In an era when CISOs can no longer plan for whether a breach will happen but only for when it will, it’s more important than ever for organizations to adopt a proactive posture of endpoint resilience.
Establishing endpoint resilience minimizes the impact of a cyberattack and restores employee endpoints and operational systems to ensure business continuity. CISOs need to move beyond protection-only measures and adopt endpoint resilience through these five essential steps:
When it comes to endpoint resilience, the old adage “plan for the worst, hope for the best” holds true. Preparation ensures rigor is applied to your organization’s incident response methodologies. For example, conducting gap analyses ensures that your enterprise can contain the impact of incidents, bringing cloud and on-premises networks, endpoint systems, and applications back to a healthy state as quickly as possible.
Most importantly, when your organization experiences an attack, a prepared, nimble staff can react quickly and effectively.
Cybercriminals use multiple vectors to deliver a successful attack. The most effective way to counter this multiplicity of attack methods is protection diversification: an interlocking web of signature-matching and signature-less technologies that work together not only to block known and unknown malware at execution, but also to prevent it from being deployed on the endpoint in the first place. If we’ve learned nothing else from the past two decades, we know attackers like to change up their methods.
Endpoint protection that applies multiple techniques to break the attack chain will provide your best defense against the threats of today and tomorrow.
When a successful attack occurs, it happens fast. Automated malware can wreak havoc within seconds of execution, moving laterally from “patient zero” to infect other endpoints within your network segment. Therefore, isolation capabilities are critical for endpoint resilience. While traditional fixed-perimeter security controls such as firewalls and intrusion detection systems can prevent attacks from entering the network, they are rendered useless against an infection’s lateral movement.
Containing an attack at the endpoint stops the bleeding and provides your IR team with the critical breathing room needed to ensure their efforts are applied to the most important areas for effective response.
Organizations frequently rely on reimaging to remediate malware-infected endpoints—an expensive approach that is known to cost over $1,000 per endpoint by some accounts. Other IR teams use malware removal tools to manually remediate endpoints one by one. In the event of a significant attack, such time-consuming remediation approaches don’t deliver an efficient or rapid response.
In fact, 21 percent of security professionals say their main barrier to effective incident response is the amount of time needed to detect and remediate an incident. For optimized endpoint resilience, empower your IR team to respond actively by orchestrating across your IT systems’ management workflows, so that endpoints are remediated at scale and your organization’s MTTR is significantly reduced.
Sophisticated malware dwells long after the initial detection. Dormant code remains hidden on infected devices, patiently biding its time for the right moment to strike. Investigations of persistent threats were often considered a luxury afforded only to the largest enterprises, those with red teams, complex analytics-powered technologies, and highly mature SOC operations. However, inexpensive dark web marketplaces now make it possible for cybercriminals to target any organization.
Therefore, companies small and large must have access to tools that allow them to cost-effectively conduct investigations that restore the network after an attack, and to run proactive investigations that maintain a healthy state rather than waiting for a payload to activate. Adopting the “assume compromise” posture of conducting investigations will greatly improve your endpoint resilience and overall security hygiene.