Partner Perspectives  Connecting marketers to our tech communities.
9/17/2015
10:00 AM
Manish Patel
Manish Patel
Partner Perspectives
100%
0%

Why Is Endpoint Security Failing?

Endpoint security assurance is not just about detecting threats, but about building a more effective endpoint security program.

It should come as no surprise that the next major battle in IT security is focused on endpoints. Mobility and BYOD have made it possible for users to remotely access just about any business resource. The adoption of cloud-delivered services enables workloads to move to a shared environment bypassing on-premises, layered security defenses and directly accessible by the mobile workforce.

In this segmented and diverse environment, organizations are implementing a variety of security solutions focused on preventing the latest threats. What often gets neglected is eliminating the weaknesses that lead to attack in the first place, and continuously monitoring for signs of compromise throughout your environment. What can you do to effectively fight the endpoint battle?

Tip #1: Illuminate Hidden Endpoints

A mobile workforce with a plethora of mobile devices challenges traditional security architectures. Consider that limited connectivity can cause devices to not always be visible, that many devices may not have the resources to run full versions of security software, and since ownership of the device lies with the user, it often falls outside the control of IT.

What can you do?

  • Start by getting a firm understanding of what’s connecting to your network. Use multiple techniques to form a composite view of connected endpoints and applications.
  • Supplementing endpoint agents with active scanning, passive monitoring, and even analyzing events from your network infrastructure such as DNS or DHCP servers and logs from network components can help identify both managed and unmanaged endpoints. This information is pivotal in then helping build scan policies to identify vulnerabilities, non-compliant systems, or unprotected endpoints that are at risk or that are unprotected.

Tip #2: Identify Weaknesses

Traditional signature-based endpoint protection is no longer sufficient in preventing targeted malware. Innovative technologies such as sandboxing and application wrapping may help in some areas by identifying unknown threats. While all of this is focused on analyzing traffic to look for indications of possible threats, as the Verizon DBIR clearly notes time and time again, a prominent way attackers infiltrate organizations is through known vulnerabilities and security weaknesses.

What can you do?

  • Before investing in exotic technologies, become exceptionally good at the basics.
  • First, button up your endpoints and ensure they are hardened and regularly updated. Hardening your endpoints can reduce your exposure by removing weaknesses such as open ports that allow attackers to access critical servers or unencrypted communications from payment-processing terminals.
  • Next, monitor critical changes on systems and track systems that drift out of compliance. Look to vulnerability management products to identify misconfigurations or extraneous applications as well as to continuous monitoring solutions that can track endpoints as they move out of compliance.

Tip #3: Routinely Check For Compromise

Compromised endpoints that connect to your network can propagate malware or become a springboard for advanced attacks. They can infiltrate critical resources by scanning for possible attack paths or weaknesses inside your network to transmit infection, gain root access through privilege escalation, or open pathways to access sensitive data.

What can you do?

  • Identify endpoints and applications that are not authorized or updated or those that are vulnerable. Once vulnerable systems are identified, prioritize remediation of critical vulnerabilities that are exploitable by commercial frameworks such as Metasploit.
  • Other recommendations include looking for signs of infection by identifying malicious processes on endpoints that are associated with malware; using threat intelligence services or looking for outbound communications to malicious sites; and monitoring sensitive data leaving your environment.
  • Finally, look for anomalies and behavior indicative of malware For example, is the endpoint probing other endpoints or networks? Is it behaving like a bot or opening ports to botnet sites? Is it reaching out to critical servers or initiating never-before-seen activities or processes?

Tip #4: Measure Endpoint Security Effectiveness

Security, network infrastructure, and compliance solutions are often deployed and managed by separate parts of the organization. Often, the objectives of each team are independent, yet sharing goals and information from security activities and assessments can surely help all parties reach their unique goals and help the organization elevate its security profile.

What can you do?

  • Start by building consistent security policies and then measuring your endpoint effectiveness against them.
  • Then, identify the gaps where endpoint security policies are failing to meet business objectives. For example, build dashboards and reports that continuously measure how quickly you identify critically vulnerable and compromised endpoints and how quickly you remediate them.
  • Implementing an endpoint security program based on defined frameworks such as critical cyber controls can help create a comprehensive, closed-loop process that can bring consistency to how endpoint security is implemented and measured in your organization.

Final Thoughts

Endpoint security assurance is not just about detecting threats, but about building a more effective endpoint security program -- one that proactively detects known and unknown endpoints, helps identify what is critically vulnerable to attacks, what weaknesses exist in your environment, and how effective you are at identifying threats and remediating them. If you are clearly able to answer the question “How secure are we?” and demonstrate this throughout the organization, you are already on your way to a successful endpoint security program.

Manish Patel is a senior product marketing manager responsible for managing the marketing activities of Tenable's integration with leading vendors in network and endpoint security, access control, threat intelligence, and cloud applications. He is instrumental in creating ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Sincee
100%
0%
Sincee,
User Rank: Strategist
9/21/2015 | 4:11:21 AM
Re: Security starts when you press the POWER switch
thank you for this article informative!
macker490
50%
50%
macker490,
User Rank: Ninja
9/20/2015 | 8:50:47 AM
Security starts when you press the POWER switch
your Operating System Software controls Endpoint Security

what are you using?    is it doing waht is required ?
Is Threat Intelligence Garbage?
Chris McDaniels, Chief Information Security Officer of Mosaic451,  5/23/2018
More Than Half of Users Reuse Passwords
Curtis Franklin Jr., Senior Editor at Dark Reading,  5/24/2018
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
Tenable Network Security provides continuous network monitoring to identify vulnerabilities, reduce risk and ensure compliance. Its family of products includes SecurityCenter Continuous View™, which provides the most comprehensive and integrated view of network health, and Nessus®, the global standard in detecting and assessing network data. Tenable identifies all types of risk on the network — including missing patches, malware and intruders, missing configurations and missing monitoring — so customers can make informed decisions about where they are exposed. Its products reach across cloud, virtual, mobile and traditional IT systems and measure attack vectors in each of these domains. Tenable’s continuous network monitoring solution measures organizations’ compliance in real-time. This ensures that gaps in security coverage and lapses in security programs get detected and prioritized immediately. Tenable is relied upon by many of the world’s largest corporations, not-for-profit organizations and public sector agencies, including the entire U.S. Department of Defense.
Featured Writers
White Papers
Video
Cartoon Contest
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-14185
PUBLISHED: 2018-05-25
An Information Disclosure vulnerability in Fortinet FortiOS 5.6.0 to 5.6.2, 5.4.0 to 5.4.8 and 5.2 all versions allows SSL VPN web portal users to access internal FortiOS configuration information (eg:addresses) via specifically crafted URLs inside the SSL-VPN web portal.
CVE-2018-8862
PUBLISHED: 2018-05-25
In ATI Systems Emergency Mass Notification Systems (HPSS16, HPSS32, MHPSS, and ALERT4000) devices, an improper authentication vulnerability caused by specially crafted malicious radio transmissions may allow an attacker to remotely trigger false alarms.
CVE-2018-8864
PUBLISHED: 2018-05-25
In ATI Systems Emergency Mass Notification Systems (HPSS16, HPSS32, MHPSS, and ALERT4000) devices, a missing encryption of sensitive data vulnerability caused by specially crafted malicious radio transmissions may allow an attacker to remotely trigger false alarms.
CVE-2018-8871
PUBLISHED: 2018-05-25
In Delta Electronics Automation TPEditor version 1.89 or prior, parsing a malformed program file may cause heap-based buffer overflow vulnerability, which may allow remote code execution.
CVE-2017-9641
PUBLISHED: 2018-05-25
PI Coresight 2016 R2 contains a cross-site request forgery vulnerability that may allow access to the PI system. OSIsoft recommends that users upgrade to PI Vision 2017 or greater to mitigate this vulnerability.