A New Approach to Endpoint Security: Think ‘Positive’It's time to move away from traditional blacklisting models that define what should be restricted and implicitly allow everything else.
Traditional approaches of managing security through checklists, rules, and compliance can't keep up with the increasing malware volumes and propagation rates we are seeing today. A case in point is several recent "Threat Reports" detailing the severity of the modern threat landscape where:
With the rapid proliferation of mobile technology, traditional personal computing devices today represent a much smaller share of endpoint devices than in the past.
In the report "Enterprise Endpoint Protection When the Consumer Is King" (subscription required), Gartner indicates that, even though traditional personal computing devices like laptops and desktops represent a smaller share of endpoint devices used, they still represent the most infected and require the most effort to secure. Additionally, due to our continued use of traditional signature-based or blacklisting technologies, these devices remain the primary target for cyberattacks.
A game of cat and mouse
At a high level, the four primary goals of almost all cyberattacks are to target a vulnerability, drop payload, remain undetected, and harvest data. But today, it's not feasible to continue playing "cat and mouse" with cyber criminals when they have invested significant effort in understanding our blacklisting technologies' weaknesses, strengths, and even how they handle different attacks patterns. With this knowledge, cyber criminals are able to wreak havoc by:
- Developing attacks that have limited distribution and are intended for targeted individuals/organizations
- Circulating attacks quickly to guarantee blind spots in blacklisting technologies can be exploited
- Creating noise to divert the security team's attention and increase the possibility of an attack going unnoticed.
As the ineffectiveness of blacklisting creates greater opportunities for attacks, we as security professionals must re-evaluate whether continuing to model our methodologies on the principle of constant "known-bad" protection is working. More important, as our IT infrastructure expands further to accommodate mobile computing platforms, desktop virtualization and cloud, we must work towards implementing security controls that are based on dynamic "known-good" protection.
To do this, we have to turn our attention to the security strategies that reduce our attack surface(s) through deny by default application control mechanisms and vulnerability management.
Consider all of the security controls we deploy to traditional personal computing devices -- anti-virus, intrusion prevention, data loss prevention, etc. These are just a few of the security technologies that contribute -- in varying degrees of effectiveness -- to endpoint protection. However, to maintain acceptable risk levels in the face of increasing threats and evolving technologies, we must change our outlook and approach to an endpoint protection strategy with a risk-based perspective.
There are many technologies that contribute to reducing the attack surface of traditional personal computing devices. Historically, our industry has followed blacklisting security models that define what should be restricted and implicitly allows everything else but this is proving to be ineffective due to declining detection rates.
Look on the bright side
With a risk-based approach, instead of managing threats through specific technology functionalities, we manage the attack surface with the goal of reducing a much larger number of threats without getting into specifics. In 2010, for example, when the Australian Signals Directorate adopted a risk-based approach to mitigate targeted cyber intrusions, it found that no single security control prevents malicious activity, but a combination of specific "positive security" strategies proved to be 85% effective in mitigating intrusions.
A risk-based or positive security methodology will also result in demonstrable business benefits with respect to traditional personal computing devices by:
- Displacing security controls (such as antivirus) that have become ineffective and/or contribute little value to the overall endpoint protection
- Improving overall endpoint performance by eliminating (blacklist) signature databases that consume significant network and system resources
- Reducing the strain on supporting infrastructure(s) for deploying (blacklisting) signature updates across remote locations
- Enhancing operational efficiencies by lessening the work effort required to reactively maintain security technologies.
By changing our endpoint protection strategy to follow positive security models, we align with proven industry practices of least-privilege, or deny-by-default, and we position ourselves as attack-agnostic where we can be more relaxed when it comes to attack-signature deployment. In an environment where threats are a constantly moving target, this approach is a far more effective endpoint protection strategy.
Jason is an Information Security professional with over 10 years of experience. He is currently the Director of Security Forensics & Civil Investigations within the Scotiabank group. Throughout his career at Scotiabank, he has been responsible for digital investigations, ... View Full Bio