HP Technology at Work

Endpoint Security:

by Shivaun Albright, Distinguished Technologist, HP;
Vali Ali, HP Fellow and Chief Technologist for Security and Privacy, Personal Systems Business, HP;
Boris Balacheff, HP Fellow, Chief Technologist for Security Research and Innovation, HP;
Stephan Schmitt, Head of Product Management, HP Office Printing Solutions;
Simon Shiu, Head of Security, HP Labs;
Gagan Singh, VP and Global Head of Premium Notebook Product Management,
Security, Innovation and Software, Personal Systems Business, HP

One of the greatest challenges to protecting a business against cybercrime is the shape-shifting nature of security threats. Innovation is not the sole domain of the good guys: cyber criminals are constantly finding ingenious new ways to tunnel into consumer, enterprise and institutional IT systems. They are increasingly professional, more aggressively funded, and better-equipped than ever to exploit any weak link in the security chain.

With everything connected and interconnected, security is more important than ever. The rampant rise in cybercrime (over 1700 significant data breaches[1] in 2016 alone) is pushing cybercrime costs to the global economy to about $445 billion[2] every year. The damage to businesses from theft of intellectual property due to hacking alone exceeded $160 billion[3].

In this worsening threat landscape, endpoint devices are on the frontline. From healthcare to manufacturing, from transportation to the home, from agriculture to critical utility infrastructures, endpoint devices are the first line of defence for the data and resources we care about. They are the interface between the physical and digital world, and a prime target for cyber-attacks today and for years to come. And the threat landscape will get worse. We are seeing a rise in firmware attacks: attacks on the software embedded in hardware, which can give an attacker control over an entire system and are undetectable by any security software.

Even more worrisome, we are seeing an accelerating trend in destructive attacks that target low-level firmware to disable hardware devices and render them inoperable on a large scale. In fact, in today's threat landscape, buying hardware devices is already a security decision, as hardware provides the foundations and low-level security that is increasingly critical to any operating system, or software security solution, on and around endpoints.

To address this degrading threat environment, HP has been leading the industry in designing systems and devices with security built-in from the hardware-up, to help protect, detect and remediate attacks, with minimal interruption to users. 

We call this “design for cyber-resilience”: designing hardware-enforced security from the lowest level of firmware of an endpoint device and working up through the software stack and even management solutions. Design for cyber-resilience is meant to ensure that devices are not only built with protections, but that they can reliably detect successful attacks, and recover from them. 

HP has been a leader in endpoint device security for over two decades, pioneering research, driving security standards with industry partners, and raising the bar of personal computer and print security, with many industry firsts. But this is only the beginning. Moving forward, HP is committed to continually striving to deliver the most secure devices, along with the solutions and services to help our customers use them securely, and to leading and driving the entire industry forward.

Call out box: To stay ahead of attackers, we need to always be on the lookout for emerging and future trends in the threat landscape. To this end, we recently announced a new HP Security Advisory Board, a trio of outside experts with unique first-hand expertise in the world of hacking and the latest developments in security technology and strategies.

Security starts with the devices at the edge: HP Personal Systems and Printers

Personal Systems Security

For too long, users have relied solely on third-party software security products to protect their devices. With hackers now able to seamlessly bypass traditional network perimeter security and antivirus programs to attack the PCs themselves, it’s time we consider the security of the hardware we purchase as closely as our software and network security solutions.

Securing Business Devices
At the heart of HP’s security strategy for devices is HP Sure Start, taking cyber-resilience out to the endpoint device level. HP Sure Start introduced the industry’s first self-healing BIOS, built upon an Embedded Security Controller designed to protect, detect, and self-heal from BIOS attacks capable of evading traditional antivirus.

But HP never stops innovating, and we are introducing new device capabilities to help address modern threats to PC infrastructures:

  • HP Sure Start Gen 4 will now come with third-party certification and additional support for encryption and more extensive platform resilience
  • New HP Sure Run capability uniquely provides hardware-enforced monitoring and self-healing of critical security software
  • New HP Sure Recovery capability is the world’s first hardware-enforced network-based capability to fetch and reinstall an Operating System, automatically or at the demand of a user
  • A Manageability Integration Kit to automate security management and deployment across fleets of endpoint devices by integrating directly on top of Microsoft SCCM

Securing Data
HP delivers world-class data protection on its business devices through the entire lifecycle.
  • HP Sure View is the world’s only integrated privacy screen to protect against visual hacking attempts, which have a 90 percent success rate with unprotected screens.
  • HP Sure Click provides hardware-enforced browser security: HP’s hardened, protected browsing prevents phishing and malware attacks from compromising a user’s data and systems by seamlessly opening each browsing tab in a micro virtual machine, isolating these threats from the PC’s core system
  • Secure Erase makes it easy to permanently remove data from hardware devices, thereby protecting users even after a device has reached the end of its life
  • For strong data protection, HP provides FIPS Certified self-encrypting drives enabling hardware-based Full Drive Encryption
  • HP Security/DaaS services (to come) will protect and guard data and system configuration, to allow stringent device protection and identity

Securing Identities

HP provides the technology necessary to deploy next-gen identity and authentication to a mobile workforce.
  • HP WorkWise provides a mobile security solution that locks your PC when you walk away and alerts you if someone tampers with it while you’re away
  • HP Multi-Factor Authentication makes it easy to deploy strong authentication for enterprise users and reduce the problem of weak passwords
  • HP Spare Key provides self-service password recovery, reducing management costs
  • HP Device Access Manager provides just-in-time access to ports and devices needed to work without exposing the device

Call out box: Organizations tend to think about cybersecurity as an operational problem, which is to be addressed by deploying and managing the right software and network tools. In fact, in today's threat landscape, choosing a device is already a security decision, as hardware provides the foundations and low-level security that is increasingly critical to any operating system, software security solution, and robust recovery on and around endpoints.

Printer Security

While many IT departments apply rigorous security standards to PCs, tablets and other personal devices, they often overlook other devices on the network, first among them: the printer. In a recent survey of 300 enterprise IT decision makers, only 41 percent of respondents reported using network security on printers, as compared with 83 percent securing desktops/laptops and 55 percent for mobile devices[4].

HP is strengthening the defence by engineering business printers that are secure by design, with powerful layers of protection for the device, its data, and printed documents.

Securing Devices
Only HP designs business printers that are hardened and self-healing, with embedded features and add-on solutions to protect from threats throughout their lifecycle and help organizations defend their printers and networks.
HP printers have layers of security that provide in-depth defences such as real-time threat detection, automated monitoring, and software validation to stop threats the moment they start:
  • HP Sure Start enables detection of, and self-healing recovery from, malicious BIOS (firmware) attacks
  • Whitelisting ensures only known, good firmware can be loaded and executed on a printer
  • Run-time Intrusion Detection provides in-device memory monitoring for malicious attacks and supplies incident details to selected SIEM tools
  • Connection Inspector monitors outbound network connections, inspects packets and stops suspicious packets
  • FutureSmart firmware protects the customer’s fleet of HP Enterprise printers by updating them with new security features
  • HP JetAdvantage Security Manager automatically brings printers into compliance with a customer-specific security policy and configures device identity certificates on the printer

Securing Data
HP business printers protect data through strong encryption of data in transit and at rest, as well as managed services to help ensure systems are deployed securely.
  • Encryption–HP ensures that data, whether at rest or in transit to and from printers, is encrypted and safe from interception
  • Authentication–printer features and solutions to:
    ‒ Authorize people to access printers
    ‒ Limit access to printer functions by user
    ‒ Authorize users who can configure printer settings
  • HP Access Control provides authentication, authorization and secure pull printing capabilities, with a simple swipe of a proximity card or smart card
  • Secure mobile printing solutions (HP JetAdvantage Connect, HP Access Control)

Securing Printed Documents
HP helps businesses ensure that documents are protected and that only those who should be able to access them do.
  • HP Pull Print solutions–prevent sensitive documents from being left in the printer output tray
  • Counterfeit solutions–avoid tampering and fraud of sensitive documents
  • HP Data Protection solutions–prevent unauthorized printing of sensitive documents and provide forensics reporting of print, scan, copy and fax activity. HP is the first company to offer you the capability to stop a print job that contains ‘dirty words’ like ‘confidential,’ codenames or social security numbers before it is printed.

[1] Gemalto

[2] Center for Strategic and International Studies

[3] Center for Strategic and International Studies

[4] Spiceworks survey of 309 IT decision-makers in North America, EMEA, and APAC, on behalf of HP, November 2016