Partner Perspectives  Connecting marketers to our tech communities.
10/19/2015
01:55 PM
Manish Patel
Manish Patel
Partner Perspectives
100%
0%

Are You Making This Endpoint Security Mistake?

Detecting threats isn't enough. You must also remediate vulnerable endpoints and employ continuous monitoring to reduce exposure.

To be successful in fortifying your endpoints, you must take steps that complete the security picture by not just detecting threats on the endpoint but also by remediating vulnerabilities, identifying weaknesses, finding unprotected hosts, and continuously monitoring for indications of compromise. Let’s take a look at the benefits of complementing traditional endpoint security with vulnerability management.

Importance Of Vulnerability Management

Malware-scanning technology such as endpoint antivirus runs in a memory resident mode to capture malicious activities in real time. These signature-based defenses require constantly updated databases of known malware patterns. However, as security researchers identify, create, test, and distribute malware detection signatures, attackers simply alter the pattern slightly to disguise the attack and avoid detection.

Consequently, antivirus signature databases on endpoints have become bloated with hundreds of updates and thousands of signatures to cover the permutations of an attack. This also impacts performance because the pattern-matching engine must inspect every file and data bit stored on the endpoint.

While new architectures have emerged to detect new threats and rapidly changing malware, organizations can be more effective by also removing the underlying vulnerabilities on endpoints. Findings from Verizon DBIR and research from software vendors, including Microsoft, emphasize this.

For example, removing a single vulnerability can diffuse the success of dozens of attack variants where each variation of an attack may require deployment of dozens of signatures on endpoint antivirus software to prevent compromise. The point here is that even an incremental improvement in remediating vulnerable endpoints through a faster patching cycle can have a huge impact on preventing an attack.

Evolution Of Vulnerability Management

A challenge with traditional endpoint scanning is that it’s periodic. Capturing vulnerabilities on transient systems that frequently connect and disconnect from the network is difficult. In fact, a large healthcare provider that I recently spoke with regularly saw 40% of its employees disconnected from the network during its vulnerability scan window.

Today’s solutions complement remote scanning by offering lightweight programs that install on transient endpoints such as laptops without the overhead of allocating large storage or memory footprints. These lightweight programs scan the host locally even when disconnected and report results when the system reconnects to the network.

Vulnerability management solutions are also evolving to leverage investments in mobile device management systems by extracting mobile device information and context for vulnerability analysis. By gathering mobile OS and application information, these solutions offer a better view of mobile device risk and configuration errors that can introduce malicious activity inside your environment.

The Rise Of Continuous Monitoring

In today’s agile IT environment, what can you do to reduce the attack surface between scans? Scanning more frequently is not feasible across large environments, nor does it fully solve the problem. And how do you address the problem of unknown threats and new vulnerabilities?

The answer to both questions is that it’s not easy. There are plenty of technologies, from sandbox analysis to statistical and behavior learning solutions, that help identify unknown threats, but the commonality across all is that you have to characterize what is the normal behavior of your endpoint and what is indicative of malicious behavior. This requires continuous monitoring of endpoints in your environment, to not only capture legitimate activities but also to monitor for abnormal endpoint behavior that exhibits signs of malicious intent. Continuous monitoring can help track the activities of each host over time and pull out patterns of endpoint behavior indicative of a compromise.

Such technologies, in addition to threat and vulnerability analysis, also aggregate multiple sources of information -- including host-to-host communications -- analyze data from endpoints and management systems, use multiple threat intelligence feeds, and monitor connections to external websites. They correlate this intelligence with risk and reputation data. The result is not just an aggregation of discrete endpoint activities that are abnormal, but also a prioritized view of endpoints that are vulnerable; hosting abnormal or malicious processes; exhibiting signs of compromise such as hosts starting to scan your environment; opening abnormal connections to suspicious domains; installing new programs and executable files;  hiding processes; and more. With this context, administrators can reduce noise and achieve better insight into vulnerabilities that should be quickly remediated.

Final Thoughts

Detecting threats and remediating vulnerable endpoints reduces overhead and exposure to known and changing threats. Continuous monitoring can further help by detecting new malware and unknown threats.

Are you interested in learning about the top reasons why endpoint security fails and about practical approaches to solving the endpoint challenge? Register for the Tenable webcast.

Manish Patel is a senior product marketing manager responsible for managing the marketing activities of Tenable's integration with leading vendors in network and endpoint security, access control, threat intelligence, and cloud applications. He is instrumental in creating ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
Tenable Network Security provides continuous network monitoring to identify vulnerabilities, reduce risk and ensure compliance. Its family of products includes SecurityCenter Continuous View™, which provides the most comprehensive and integrated view of network health, and Nessus®, the global standard in detecting and assessing network data. Tenable identifies all types of risk on the network — including missing patches, malware and intruders, missing configurations and missing monitoring — so customers can make informed decisions about where they are exposed. Its products reach across cloud, virtual, mobile and traditional IT systems and measure attack vectors in each of these domains. Tenable’s continuous network monitoring solution measures organizations’ compliance in real-time. This ensures that gaps in security coverage and lapses in security programs get detected and prioritized immediately. Tenable is relied upon by many of the world’s largest corporations, not-for-profit organizations and public sector agencies, including the entire U.S. Department of Defense.
Featured Writers
Dark Reading Live EVENTS
INsecurity - For the Defenders of Enterprise Security
A Dark Reading Conference
While red team conferences focus primarily on new vulnerabilities and security researchers, INsecurity puts security execution, protection, and operations center stage. The primary speakers will be CISOs and leaders in security defense; the blue team will be the focus.
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.