Partner Perspectives
10/19/2015 01:55 PM
Manish Patel
Are You Making This Endpoint Security Mistake?

Detecting threats isn't enough. You must also remediate vulnerable endpoints and employ continuous monitoring to reduce exposure.

Fortifying your endpoints takes more than detecting threats on them. To complete the security picture you must also remediate vulnerabilities, identify weaknesses, find unprotected hosts, and continuously monitor for indicators of compromise. Let's take a look at the benefits of complementing traditional endpoint security with vulnerability management.

Importance Of Vulnerability Management

Endpoint antivirus and similar malware-scanning technology runs memory-resident so it can intercept malicious activity in real time. These signature-based defenses depend on constantly updated databases of known malware patterns. But while security researchers identify, create, test, and distribute detection signatures, attackers need only alter the sample slightly (repack it, re-encode it, change a few bytes) so that the signature no longer matches.

Consequently, antivirus signature databases on endpoints have become bloated with hundreds of updates and thousands of signatures covering the permutations of a single attack. This also costs performance, because the pattern-matching engine must compare every file it inspects on the endpoint against that ever-growing set.

New architectures have emerged to detect novel and rapidly changing malware, but organizations are more effective when they also remove the underlying vulnerabilities on endpoints. Findings from the Verizon Data Breach Investigations Report (DBIR) and research from software vendors, including Microsoft, point the same way.

For example, removing a single vulnerability defuses every attack variant that exploits it, whereas each of those dozens of variants may require dozens of signatures in the endpoint antivirus before it is blocked. The point is that even an incremental improvement in remediating vulnerable endpoints through a faster patching cycle can have a large impact on preventing attacks.

Evolution Of Vulnerability Management

A challenge with traditional network-based vulnerability scanning of endpoints is that it is periodic: capturing vulnerabilities on transient systems that frequently connect to and disconnect from the network is difficult. In fact, a large healthcare provider that I recently spoke with regularly saw 40% of its employees disconnected from the network during its vulnerability scan window.

Today's solutions complement remote scanning with lightweight agents that install on transient endpoints such as laptops with a small storage and memory footprint. The agent scans the host locally even while it is disconnected and reports the results when the system reconnects to the network. The host still has to be powered on for the agent to run, but it no longer has to be reachable from the scanner at scan time.

Vulnerability management solutions are also evolving to leverage existing investments in mobile device management (MDM) systems, extracting device information and context from the MDM for vulnerability analysis. With mobile OS and application inventory in hand, these solutions give a better view of mobile device risk, such as outdated OS versions, vulnerable applications and configuration errors that could give malware a foothold inside your environment.

The Rise Of Continuous Monitoring

In today's agile IT environment, how do you reduce exposure between scans? Scanning more often is not feasible across large environments, nor does it fully solve the problem. And how do you address unknown threats and newly disclosed vulnerabilities?

The answer to both questions is that it is not easy. Plenty of technologies, from sandbox analysis to statistical and behavioral learning, help identify unknown threats, but they all share one requirement: you must characterize what normal behavior looks like for each endpoint and what is indicative of malicious behavior. That requires continuous monitoring of the endpoints in your environment, both to capture legitimate activity and to watch for abnormal endpoint behavior that shows signs of malicious intent. Continuous monitoring tracks the activity of each host over time and surfaces patterns of endpoint behavior indicative of a compromise.

These technologies go beyond threat and vulnerability analysis: they aggregate multiple sources of information, including host-to-host communications, data from endpoints and management systems, multiple threat intelligence feeds, and connections to external websites, and correlate that data with risk and reputation information. The result is not just a collection of discrete abnormal endpoint activities but a prioritized view of endpoints that are vulnerable; that host abnormal or malicious processes; that show signs of compromise, such as starting to scan your environment, opening abnormal connections to suspicious domains, installing new programs and executable files, or hiding processes; and so on. With this context, administrators can reduce noise and gain better insight into which vulnerabilities should be remediated first.
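As an added example of the correlation described above (my own illustration, not Tenable's product logic), the following Python builds a per-host baseline of outbound connections and executables from a constructed learning-period log, then runs three detectors over a constructed current window: internal port scanning, new connections to blocklisted external addresses, and executables not seen in the baseline. It then scores each host by combining its indicator count with its open vulnerability findings to produce the prioritized view. The hosts, addresses, paths, blocklist, finding counts, scan threshold and scoring weights are all assumptions.

```python
"""Prioritise endpoints by correlating per-host behavioural baselines with
threat intelligence and vulnerability data. Added example, not Tenable's
code: every host, address, path, blocklist entry and finding count below is
constructed for illustration."""
from collections import defaultdict
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range

# Constructed baseline from a "normal" learning period: outbound
# connections ("host dst port") and executables ("host exec <path>").
BASELINE_LOG = r"""
ws-101 10.0.0.5 445
ws-101 93.184.216.34 443
ws-101 exec C:\Windows\explorer.exe
ws-102 10.0.0.5 445
ws-102 93.184.216.34 443
ws-102 exec C:\Windows\explorer.exe
ws-102 exec C:\Program Files\Office\winword.exe
ws-103 10.0.0.5 445
ws-103 exec C:\Windows\explorer.exe
"""

# Constructed events from the current window, same format with a timestamp.
CURRENT_LOG = r"""
09:00 ws-101 10.0.0.5 445
09:01 ws-101 10.0.1.1 445
09:01 ws-101 10.0.1.2 445
09:01 ws-101 10.0.1.3 445
09:01 ws-101 10.0.1.4 445
09:01 ws-101 10.0.1.5 445
09:01 ws-101 10.0.1.6 445
09:02 ws-102 exec C:\Users\bob\AppData\Local\Temp\update.exe
09:02 ws-102 198.51.100.7 443
09:03 ws-103 10.0.0.5 445
09:03 ws-103 exec C:\Windows\explorer.exe
"""

THREAT_INTEL = {"198.51.100.7"}                   # constructed reputation blocklist
VULNS = {"ws-101": 12, "ws-102": 3, "ws-103": 0}  # open high/critical findings per host
SCAN_THRESHOLD = 5  # distinct internal targets on one port within the window


def parse(log, timestamped):
    """Return (connections, executables): (host, dst, port) and (host, path)."""
    conns, execs = [], []
    for line in log.strip().splitlines():
        parts = line.split(None, 3 if timestamped else 2)  # paths may contain spaces
        if timestamped:
            parts = parts[1:]
        host, second, rest = parts
        if second == "exec":
            execs.append((host, rest))
        else:
            conns.append((host, second, int(rest)))
    return conns, execs


def is_internal(addr):
    return ipaddress.ip_address(addr) in INTERNAL


def detect_scanning(conns, threshold=SCAN_THRESHOLD):
    """A host touching many distinct internal targets on one port is probing."""
    targets = defaultdict(set)
    for host, dst, port in conns:
        if is_internal(dst):
            targets[(host, port)].add(dst)
    return {host: f"scanned {len(t)} internal hosts on tcp/{port}"
            for (host, port), t in targets.items() if len(t) >= threshold}


def detect_suspicious_destinations(conns, baseline_conns, intel):
    """External destination absent from the baseline and on the blocklist."""
    found = {}
    for host, dst, port in conns:
        if (host, dst, port) not in baseline_conns and not is_internal(dst) and dst in intel:
            found[host] = f"new connection to blocklisted {dst}:{port}"
    return found


def detect_new_executables(execs, baseline_execs):
    """Executable not seen for this host during the learning period."""
    return {host: f"new executable {path}" for host, path in execs
            if (host, path) not in baseline_execs}


def prioritise(current_log, baseline_log, vulns, intel):
    """Rank hosts: 10 points per behavioural indicator plus one per open finding."""
    base_conns, base_execs = (set(x) for x in parse(baseline_log, timestamped=False))
    conns, execs = parse(current_log, timestamped=True)
    indicators = defaultdict(list)
    for detector in (detect_scanning(conns),
                     detect_suspicious_destinations(conns, base_conns, intel),
                     detect_new_executables(execs, base_execs)):
        for host, why in detector.items():
            indicators[host].append(why)
    ranked = [(host, 10 * len(indicators[host]) + vulns.get(host, 0), indicators[host])
              for host in sorted(set(vulns) | set(indicators))]
    ranked.sort(key=lambda r: r[1], reverse=True)
    return ranked


if __name__ == "__main__":
    for host, score, why in prioritise(CURRENT_LOG, BASELINE_LOG, VULNS, THREAT_INTEL):
        print(f"{host:8s} score={score:3d}  {'; '.join(why) or 'no indicators'}")
```

The weights are deliberately simple (ten points per indicator plus one per open finding); in practice you would tune them so that, say, a host both scanning the network and carrying unpatched critical findings outranks either signal alone. Baselines also need refreshing, otherwise every legitimate software rollout shows up as a wave of "new executable" indicators.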

Final Thoughts

Detecting threats and remediating vulnerable endpoints together reduce overhead and exposure to known and evolving threats. Continuous monitoring further helps by detecting new malware and unknown threats.

Are you interested in learning about the top reasons why endpoint security fails and about practical approaches to solving the endpoint challenge? Register for the Tenable webcast.

Manish Patel is a senior product marketing manager responsible for managing the marketing activities of Tenable's integration with leading vendors in network and endpoint security, access control, threat intelligence, and cloud applications. He is instrumental in creating ...