Partner Perspectives
10/19/2015 01:55 PM
Manish Patel
Are You Making This Endpoint Security Mistake?

Detecting threats isn't enough. You must also remediate vulnerable endpoints and employ continuous monitoring to reduce exposure.

To be successful in fortifying your endpoints, you must take steps that complete the security picture by not just detecting threats on the endpoint but also by remediating vulnerabilities, identifying weaknesses, finding unprotected hosts, and continuously monitoring for indications of compromise. Let’s take a look at the benefits of complementing traditional endpoint security with vulnerability management.

Importance Of Vulnerability Management

Malware-scanning technology such as endpoint antivirus runs memory-resident to catch malicious activity in real time. These signature-based defenses depend on constantly updated databases of known malware patterns. However, by the time security researchers identify, create, test, and distribute a detection signature, attackers can alter the malware slightly to disguise it and evade detection.

Consequently, antivirus signature databases on endpoints have become bloated with hundreds of updates and thousands of signatures covering the permutations of a single attack. This also hurts performance, because the pattern-matching engine must check every file and byte stored on the endpoint against that growing set.

While new architectures have emerged to detect new threats and rapidly changing malware, organizations can be more effective by also removing the underlying vulnerabilities on endpoints. Findings from Verizon DBIR and research from software vendors, including Microsoft, emphasize this.

For example, removing a single vulnerability can defuse dozens of attack variants, each of which might otherwise require dozens of antivirus signatures to block. The point is that even an incremental improvement in remediating vulnerable endpoints, such as a faster patching cycle, can have a large impact on preventing attacks.

Evolution Of Vulnerability Management

A challenge with traditional network-based vulnerability scanning of endpoints is that it is periodic. Capturing vulnerabilities on transient systems that frequently connect to and disconnect from the network is difficult. In fact, a large healthcare provider that I recently spoke with regularly saw 40% of its employees disconnected from the network during its vulnerability scan window.

Today’s solutions complement remote scanning with lightweight agents that install on transient endpoints such as laptops without a large storage or memory footprint. These agents scan the host locally, even when it is disconnected, and report the results when the system reconnects to the network.
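To make the agent pattern concrete, here is an added Python sketch of a local assessment with store-and-forward reporting. It is not Tenable's agent or any product's code: the package inventories, the vulnerability feed, the advisory identifiers (placeholders, not real CVE numbers), the version strings and the management server are all constructed so that the script runs offline. The point it shows is that the scan itself needs only the local inventory and a cached feed, and that findings wait in a durable queue until the server actually acknowledges them.

```python
"""Agent-style local vulnerability check with store-and-forward reporting.

Added example, not the article's or any vendor's agent code. Inventory, feed,
advisory ids and the server are constructed; a real agent would read the OS
package database, a vendor feed, and authenticate to a real server.
"""
import json
import os
import re
import tempfile

# Constructed inventories as an agent might collect them from the local package
# database (dpkg/rpm/MSI). Versions are hypothetical.
SAMPLE_INVENTORY = {
    "laptop-17": {"openssl": "1.0.1e", "firefox": "41.0", "java": "8u60"},
    "laptop-22": {"openssl": "1.0.2d", "firefox": "41.0", "java": "8u45"},
}
# Constructed feed: package -> (first fixed version, severity, advisory id).
SAMPLE_FEED = {
    "openssl": ("1.0.2d", "critical", "ADV-EXAMPLE-1"),
    "java": ("8u60", "high", "ADV-EXAMPLE-2"),
}


def _version_key(version):
    """Split '1.0.1e' or '8u45' into tokens: digit runs compare numerically,
    letter runs lexically, so '1.0.1e' < '1.0.2d' and '8u45' < '8u60'."""
    return [(0, int(t)) if t.isdigit() else (1, t)
            for t in re.findall(r"\d+|[A-Za-z]+", version)]


def is_vulnerable(installed, fixed_in):
    """Vulnerable when the installed version is older than the first fixed one."""
    return _version_key(installed) < _version_key(fixed_in)


def scan_host(hostname, inventory, feed):
    """Local assessment: needs only the inventory and a cached feed, no network."""
    findings = []
    for pkg, installed in sorted(inventory.items()):
        if pkg in feed and is_vulnerable(installed, feed[pkg][0]):
            fixed_in, severity, advisory = feed[pkg]
            findings.append({"host": hostname, "package": pkg, "installed": installed,
                             "fixed_in": fixed_in, "severity": severity,
                             "advisory": advisory})
    return findings


class ResultQueue:
    """Durable on-disk queue (one JSON object per line). Findings stay queued until
    the server acknowledges them, so a laptop scanned off the network loses nothing."""

    def __init__(self, path):
        self.path = path

    def enqueue(self, findings):
        with open(self.path, "a") as f:
            for item in findings:
                f.write(json.dumps(item) + "\n")

    def pending(self):
        if not os.path.exists(self.path):
            return []
        with open(self.path) as f:
            return [json.loads(line) for line in f if line.strip()]

    def flush(self, send):
        """Deliver what we can; rewrite the file with whatever `send` rejected."""
        remaining, delivered = [], 0
        for item in self.pending():
            if send(item):
                delivered += 1
            else:
                remaining.append(item)
        with open(self.path, "w") as f:
            for item in remaining:
                f.write(json.dumps(item) + "\n")
        return delivered


class FakeServer:
    """Stands in for the management server; `online` simulates (re)connecting."""

    def __init__(self):
        self.online = False
        self.received = []

    def send(self, item):
        if not self.online:
            return False           # e.g. connection refused or timed out
        self.received.append(item)
        return True


def simulate(queue_path=None):
    """Scan both hosts while offline, then reconnect and drain the queue."""
    if queue_path is None:
        fd, queue_path = tempfile.mkstemp(suffix=".jsonl")
        os.close(fd)
    server, queue = FakeServer(), ResultQueue(queue_path)
    try:
        for host, inventory in SAMPLE_INVENTORY.items():
            queue.enqueue(scan_host(host, inventory, SAMPLE_FEED))
        sent_offline = queue.flush(server.send)      # 0: nothing leaves the host
        queued = len(queue.pending())
        server.online = True
        delivered = queue.flush(server.send)
        return {"sent_offline": sent_offline, "queued": queued,
                "delivered": delivered, "left": len(queue.pending()),
                "advisories": sorted(f["advisory"] for f in server.received)}
    finally:
        if os.path.exists(queue_path):
            os.remove(queue_path)


if __name__ == "__main__":
    print(json.dumps(simulate(), indent=2))
```

Two design points worth noting: the queue is rewritten only after each delivery attempt, so a crash mid-flush cannot lose a finding, and the version comparison tokenizes mixed strings rather than comparing them lexically, which is where naive agents misjudge versions such as 1.0.10 against 1.0.9.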

Vulnerability management solutions are also evolving to leverage investments in mobile device management systems by extracting mobile device information and context for vulnerability analysis. By gathering mobile OS and application information, these solutions give a better view of mobile device risk and of configuration errors that can let malicious activity into your environment.

The Rise Of Continuous Monitoring

In today’s agile IT environment, what can you do to reduce the attack surface between scans? Scanning more frequently is not feasible across large environments, nor does it fully solve the problem. And how do you address the problem of unknown threats and new vulnerabilities?

The answer to both questions is that it’s not easy. There are plenty of technologies, from sandbox analysis to statistical and behavior learning solutions, that help identify unknown threats, but the commonality across all is that you have to characterize what is the normal behavior of your endpoint and what is indicative of malicious behavior. This requires continuous monitoring of endpoints in your environment, to not only capture legitimate activities but also to monitor for abnormal endpoint behavior that exhibits signs of malicious intent. Continuous monitoring can help track the activities of each host over time and pull out patterns of endpoint behavior indicative of a compromise.

Such technologies, in addition to threat and vulnerability analysis, also aggregate multiple sources of information, including host-to-host communications, analyze data from endpoints and management systems, use multiple threat intelligence feeds, and monitor connections to external websites. They correlate this intelligence with risk and reputation data. The result is not just an aggregation of discrete abnormal endpoint activities but a prioritized view of endpoints that are vulnerable; that host abnormal or malicious processes; or that exhibit signs of compromise, such as starting to scan your environment, opening abnormal connections to suspicious domains, installing new programs and executables, hiding processes, and more. With this context, administrators can reduce noise and gain better insight into which vulnerabilities should be remediated first.
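The two paragraphs above describe a pipeline: learn what is normal per host, flag deviations (internal scanning, connections to suspicious domains, new executables), then correlate with vulnerability context to produce a prioritized list. The following Python block is an added example of that logic, not code from the article or from any vendor product. The telemetry lines, the threat-intel domain list, the per-host vulnerability counts, the baseline cutoff, the scan threshold and the scoring weights are all constructed assumptions chosen to exercise the logic offline.

```python
"""Continuous monitoring sketch: learn each host's normal behaviour, flag deviations,
then rank hosts by combining those deviations with vulnerability context.

Added example, not code from the article or any product. Telemetry, threat-intel
domains, vulnerability counts, thresholds and weights are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed telemetry, one event per line: "<timestamp> <host> conn <dst>:<port>"
# for an outbound connection (dst is an IP or a DNS name) or "... exec <image path>".
SAMPLE_EVENTS = """\
2015-10-12T09:00:01 ws-04 conn 10.0.5.20:445
2015-10-12T09:01:10 ws-04 conn mail.example.com:443
2015-10-12T09:01:12 ws-04 exec C:\\Windows\\System32\\svchost.exe
2015-10-12T09:02:30 ws-04 exec C:\\Program Files\\Office\\WINWORD.EXE
2015-10-12T09:00:04 ws-09 conn 10.0.5.20:445
2015-10-12T09:03:00 ws-09 conn mail.example.com:443
2015-10-12T09:03:01 ws-09 exec C:\\Windows\\System32\\svchost.exe
2015-10-12T09:00:00 srv-db conn 10.0.5.40:1433
2015-10-12T09:00:02 srv-db exec C:\\Program Files\\MSSQL\\sqlservr.exe
2015-10-19T08:15:00 ws-04 exec C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe
2015-10-19T08:15:02 ws-04 conn cdn-update.example.net:443
2015-10-19T08:15:05 ws-04 conn 10.0.5.1:445
2015-10-19T08:15:06 ws-04 conn 10.0.5.2:445
2015-10-19T08:15:07 ws-04 conn 10.0.5.3:445
2015-10-19T08:15:08 ws-04 conn 10.0.5.4:445
2015-10-19T08:15:09 ws-04 conn 10.0.5.5:445
2015-10-19T08:15:10 ws-04 conn 10.0.5.6:445
2015-10-19T08:16:00 ws-09 conn mail.example.com:443
2015-10-19T08:17:00 ws-09 conn docs.example.org:443
2015-10-19T08:20:00 srv-db conn 10.0.5.40:1433
"""
BASELINE_END = datetime(2015, 10, 15)        # earlier events train the baseline
SCAN_WINDOW, SCAN_THRESHOLD = timedelta(seconds=60), 5   # distinct internal peers
THREAT_DOMAINS = {"cdn-update.example.net"}  # constructed threat-intel list
VULN_CONTEXT = {"ws-04": 3, "ws-09": 1, "srv-db": 0}   # open critical/high findings
WEIGHTS = {"internal_scan": 5, "threat_domain": 4, "new_executable": 3, "new_domain": 1}


def parse_events(text):
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, host, kind, value = line.split(" ", 3)
            events.append((datetime.fromisoformat(ts), host, kind, value))
    return sorted(events)


def _split_dst(value):
    """'10.0.5.20:445' -> ('10.0.5.20', True); 'mail.example.com:443' -> (name, False)."""
    name, _port = value.rsplit(":", 1)
    try:
        return name, ipaddress.ip_address(name).is_private
    except ValueError:
        return name, False


def build_baseline(events):
    """Per host: external names contacted and executables run during the learning period."""
    base = defaultdict(lambda: {"domains": set(), "execs": set()})
    for ts, host, kind, value in events:
        if ts >= BASELINE_END:
            continue
        if kind == "conn":
            name, internal = _split_dst(value)
            if not internal:
                base[host]["domains"].add(name)
        elif kind == "exec":
            base[host]["execs"].add(value.lower())
    return base


def detect(events, baseline):
    """Return {host: [(signal, detail), ...]} for events after the baseline period."""
    findings, internal_conns = defaultdict(list), defaultdict(list)
    for ts, host, kind, value in events:
        if ts < BASELINE_END:
            continue
        known = baseline.get(host, {"domains": set(), "execs": set()})
        if kind == "conn":
            name, internal = _split_dst(value)
            if internal:
                internal_conns[host].append((ts, name))
            elif name in THREAT_DOMAINS:
                findings[host].append(("threat_domain", name))
            elif name not in known["domains"]:
                findings[host].append(("new_domain", name))
        elif kind == "exec" and value.lower() not in known["execs"]:
            findings[host].append(("new_executable", value))
    # Lateral-scan check: many distinct internal peers inside one short window.
    for host, conns in internal_conns.items():
        for i, (start, _) in enumerate(conns):
            peers = {ip for ts, ip in conns[i:] if ts - start <= SCAN_WINDOW}
            if len(peers) >= SCAN_THRESHOLD:
                findings[host].append(("internal_scan", f"{len(peers)} peers in 60s"))
                break
    return findings


def prioritize(findings, vuln_context):
    """Anomaly weight plus open-vulnerability context, highest risk first."""
    ranked = []
    for host, signals in findings.items():
        anomaly = sum(WEIGHTS[sig] for sig, _ in signals)
        ranked.append((anomaly + 2 * vuln_context.get(host, 0), host, [s for s, _ in signals]))
    return sorted(ranked, reverse=True)


def run(text=SAMPLE_EVENTS):
    events = parse_events(text)
    return prioritize(detect(events, build_baseline(events)), VULN_CONTEXT)


if __name__ == "__main__":
    for score, host, signals in run():
        print(f"{score:3d}  {host:7s}  {', '.join(signals)}")
```

On the constructed data, ws-04 surfaces first: a new executable out of a user's Temp directory, a connection to a domain on the intel list, and six internal peers contacted on port 445 within a few seconds, all on a host with three open critical findings. ws-09 appears only for one previously unseen external domain, which is the kind of low-weight signal that context keeps from becoming noise. Vulnerability counts here only rank; they never trigger a detection on their own.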

Final Thoughts

Detecting threats and remediating vulnerable endpoints reduces overhead and exposure to known and changing threats. Continuous monitoring can further help by detecting new malware and unknown threats.

Are you interested in learning about the top reasons why endpoint security fails and about practical approaches to solving the endpoint challenge? Register for the Tenable webcast.

Manish Patel is a senior product marketing manager responsible for managing the marketing activities of Tenable's integration with leading vendors in network and endpoint security, access control, threat intelligence, and cloud applications. He is instrumental in creating ...