HP raises the bar on endpoint security


January 19, 2024

In December 2023, HP invited industry analysts to its Security Summit 2023 in New York. The company shared its vision and strategy for HP Wolf Security and how its approach to endpoint protection addresses today’s advanced security threats. HP highlighted several areas of focus, including its approach to threat containment, endpoint isolation for zero trust environments, and stronger alignment across its PC and print security offerings.

The expanded attack surface

The shift to hybrid work has introduced a significant security challenge: the expansion of the attack surface. Hybrid work environments, with personal devices being used across home and public networks, have fragmented the well-defined network perimeter where centralised security controls have worked reasonably well in the past.

In particular, compromised connected endpoint devices such as PCs and printers can lead to broader attacks on the network, such as distributed denial-of-service (DDoS) attacks. The UK Government has recently introduced the Product Security and Telecommunications Infrastructure (PSTI) bill, which aims to bolster internet of things (IoT) device security through measures such as barring default passwords, ensuring regular updates and providing transparency on vulnerabilities. HP is working to ensure its devices are compliant with PSTI.

Endpoint attacks

According to HP’s Q3 2023 Wolf Security Threat Insights Report, 70% of attacks start at the endpoint. Of the threats identified by HP Wolf Security in Q3, 80% were sent by email, and 12% of the email threats detected by HP Wolf Security in Q3 had bypassed one or more email gateway scanners. Email was by far the biggest threat vector, followed by malicious web browser downloads (11%) and others (9%).

HP reports that the top malware file extensions used by attackers are .exe, .doc, .rar, .docx, .pdf, .zip, .xlam, .xls, .html, and .img, with a surge in use of Excel (.xll) files.

How HP Wolf Security combats advanced security threats

HP Wolf Security aims to protect organisations from these threats by isolating risky activity in micro-virtual machines (uVMs), ensuring that malware that may have got past existing next-generation antivirus (NGAV) or endpoint detection and response (EDR) systems cannot infect the host computer or spread onto the corporate network. Such an approach can mitigate attacks from email attachments, web links and USB drives. HP Wolf Security uses introspection to collect rich forensic data to help organisations understand threats facing their networks and harden their infrastructure.

HP is focused on the following areas:

  • Robust certifiable ‘Roots of Trust’. HP Wolf Security uses a hardware-based Root of Trust, which protects against firmware replacement attacks regardless of their deployment method and serves as the foundation upon which HP platform security is built. Quocirca believes that this is a strong step in ensuring that the security of the hardware is maintained throughout its life.
  • Self-healing and resilience at scale. HP offers self-healing prior to boot, in alignment with NIST SP 800-193 guidelines for device cyber resiliency, which is supported on both HP PC and print devices.
  • Threat containment. To stop the propagation of threats, HP’s advanced threat containment strategy is built on CPU-enforced isolation technology.
  • Zero trust and distributed security at scale. User identity is a core principle of zero trust and HP is extending this to understand the security posture of applications. For instance, HP Sure Click Enterprise uses the security in today’s Intel and AMD CPUs to create the uVMs and establish per-task micro-segmentation.
  • Security across the lifecycle. HP is applying security across the device lifecycle, from procurement, preparation, and deployment to day-to-day management and device retirement.

The Wolf Security Portfolio

HP’s approach to endpoint protection involves HP Wolf Security above the OS (HP Wolf Security Controller), in the OS (HP Sure Click and HP Sure Sense), and below the OS (HP Sure Admin, HP Endpoint Security Controller, HP Sure Start, and HP Sure Recover). HP works on the basis that humans make errors, and has different offerings that help endpoints autonomously defend and heal themselves in the event of an attack.

Above the operating system

  • HP Wolf Security Controller. This is a dedicated, cloud-hosted controller for IT administrators to properly manage myriad endpoints.

In the operating system

  • HP Sure Click. This generates disposable uVMs, created on the fly, that put a secure envelope around events that users perform, such as clicking on a link or opening an email attachment. If a session turns out to be infected with malware, the uVM prevents the malware from moving laterally. Lateral movement is key for attackers in seeking out users with administration privileges to other servers, domain controllers, or a cloud console. Containing these threats in a secure envelope or air gap is critical for organisations that deal with highly sensitive data.
  • HP Sure Access Enterprise. This acts as an isolation technology, geared towards users requiring privileged access to higher-value assets. It thwarts attacks such as keylogging, memory tampering, and screen capturing. The offering supports browser-based applications, virtual desktop clients, and a secure shell. A key use case for HP Sure Access Enterprise is in highly sensitive environments such as intelligence agencies and aerospace.
  • HP Sure Sense. This is a machine learning-based NGAV offering that detects rapidly evolving, increasingly invasive and destructive malware, including zero-day attacks.

Below the operating system

  • HP Sure Admin. This offers better management and administration to secure BIOS firmware using public key cryptography, rather than static passwords. Standard password-based access can be weak, forgotten, or mimicked across an entire PC fleet. If an attacker can compromise this password, they can alter security settings such as secure boot, and deploy a rootkit that is virtually undetectable by the operating system. The attacker may also disable direct memory access (DMA) attack protections, gaining access to data held in volatile memory.
  • HP Endpoint Security Controller. This has control of the device regardless of whether it is powered on. The controller is a microcontroller unit (MCU) that provides a secure platform root of trust that is physically separate and cryptographically protected. The HP Endpoint Security Controller is an addition to the industry-standard Trusted Platform Module (TPM).
  • HP Sure Start. This maintains the integrity of endpoints by ensuring the BIOS and firmware settings are in a non-infected or clean state. If they are deemed to be infected, HP Sure Start self-heals them, providing a clean copy to ensure a non-infected boot-up process. To accomplish this, when the device is in start-up mode or powered on, HP Sure Start does not allow the CPU to access unified extensible firmware interface (UEFI) firmware until the copy is cross-checked.
  • HP TamperLock. This offers protection for devices from physical attacks whether the device is on or off. For example, if a user’s computer is lost or stolen and someone tries to tamper with the device, HP TamperLock can lock down the system. The software also prevents systems from booting at the BIOS level until valid BIOS administrator credentials are provided.
  • HP Sure Recover. This is an automated operating system recovery offering built into the hardware and firmware with the ability to install and reinstall the OS image without the software being present on the device itself. During the OS recovery, the process uses strong public key cryptography that verifies both the identity of the image and the provider itself.
  • HP Wolf Connect. This is a solution for organisations with a highly distributed employee base needing a solution that can reliably find, lock, and erase devices in the field if they are lost or stolen. The solution can track and detect devices that are powered down and not tethered to the Ethernet network, whether they use a wired or wireless connection. The HP Wolf Connect solution leverages a cellular radio module, offering partners and organisations the ability to find, lock, and erase their devices.

Quocirca opinion

HP Wolf Security offers a robust portfolio of solutions such as self-healing devices and threat containment via disposable uVMs. HP is taking a very active role in ensuring that Wolf Security can be tailored to customers’ needs, for example, with Sure Sense being disabled if another NGAV is already present. HP has also ensured that the resource payload of Wolf Security is as low as possible. HP’s strong presence in the PC and print market, supported by what is becoming a comprehensive security portfolio spanning hardware, services, and print management software, serves as a solid foundation for building a stronger brand presence in the cybersecurity space.

The company’s extensive partner network, comprising over 200,000 partners across diverse regions, can amplify its reach and potential for accelerated adoption of HP Wolf Security solutions. The integration of all solutions and services under the Amplify Partner Program is poised to further catalyse partners’ up-selling and cross-selling capabilities.

By leveraging its unique strengths, proactively addressing evolving threats, and offering a holistic, unified security approach, HP should be able to expand its mindshare in the cybersecurity space.
