Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
10/19/2015
01:55 PM
Manish Patel
Manish Patel
Partner Perspectives
100%
0%

Are You Making This Endpoint Security Mistake?

Detecting threats isn't enough. You must also remediate vulnerable endpoints and employ continuous monitoring to reduce exposure.

To be successful in fortifying your endpoints, you must take steps that complete the security picture by not just detecting threats on the endpoint but also by remediating vulnerabilities, identifying weaknesses, finding unprotected hosts, and continuously monitoring for indications of compromise. Let’s take a look at the benefits of complementing traditional endpoint security with vulnerability management.

Importance Of Vulnerability Management

Malware-scanning technology such as endpoint antivirus runs in a memory resident mode to capture malicious activities in real time. These signature-based defenses require constantly updated databases of known malware patterns. However, as security researchers identify, create, test, and distribute malware detection signatures, attackers simply alter the pattern slightly to disguise the attack and avoid detection.

Consequently, antivirus signature databases on endpoints have become bloated with hundreds of updates and thousands of signatures to cover the permutations of an attack. This also impacts performance because the pattern-matching engine must inspect every file and data bit stored on the endpoint.

While new architectures have emerged to detect new threats and rapidly changing malware, organizations can be more effective by also removing the underlying vulnerabilities on endpoints. Findings from Verizon DBIR and research from software vendors, including Microsoft, emphasize this.

For example, removing a single vulnerability can diffuse the success of dozens of attack variants where each variation of an attack may require deployment of dozens of signatures on endpoint antivirus software to prevent compromise. The point here is that even an incremental improvement in remediating vulnerable endpoints through a faster patching cycle can have a huge impact on preventing an attack.

Evolution Of Vulnerability Management

A challenge with traditional endpoint scanning is that it’s periodic. Capturing vulnerabilities on transient systems that frequently connect and disconnect from the network is difficult. In fact, a large healthcare provider that I recently spoke with regularly saw 40% of its employees disconnected from the network during its vulnerability scan window.

Today’s solutions complement remote scanning by offering lightweight programs that install on transient endpoints such as laptops without the overhead of allocating large storage or memory footprints. These lightweight programs scan the host locally even when disconnected and report results when the system reconnects to the network.

Vulnerability management solutions are also evolving to leverage investments in mobile device management systems by extracting mobile device information and context for vulnerability analysis. By gathering mobile OS and application information, these solutions offer a better view of mobile device risk and configuration errors that can introduce malicious activity inside your environment.

The Rise Of Continuous Monitoring

In today’s agile IT environment, what can you do to reduce the attack surface between scans? Scanning more frequently is not feasible across large environments, nor does it fully solve the problem. And how do you address the problem of unknown threats and new vulnerabilities?

The answer to both questions is that it’s not easy. There are plenty of technologies, from sandbox analysis to statistical and behavior learning solutions, that help identify unknown threats, but the commonality across all is that you have to characterize what is the normal behavior of your endpoint and what is indicative of malicious behavior. This requires continuous monitoring of endpoints in your environment, to not only capture legitimate activities but also to monitor for abnormal endpoint behavior that exhibits signs of malicious intent. Continuous monitoring can help track the activities of each host over time and pull out patterns of endpoint behavior indicative of a compromise.

Such technologies, in addition to threat and vulnerability analysis, also aggregate multiple sources of information -- including host-to-host communications -- analyze data from endpoints and management systems, use multiple threat intelligence feeds, and monitor connections to external websites. They correlate this intelligence with risk and reputation data. The result is not just an aggregation of discrete endpoint activities that are abnormal, but also a prioritized view of endpoints that are vulnerable; hosting abnormal or malicious processes; exhibiting signs of compromise such as hosts starting to scan your environment; opening abnormal connections to suspicious domains; installing new programs and executable files;  hiding processes; and more. With this context, administrators can reduce noise and achieve better insight into vulnerabilities that should be quickly remediated.

Final Thoughts

Detecting threats and remediating vulnerable endpoints reduces overhead and exposure to known and changing threats. Continuous monitoring can further help by detecting new malware and unknown threats.

Are you interested in learning about the top reasons why endpoint security fails and about practical approaches to solving the endpoint challenge? Register for the Tenable webcast.

Manish Patel is a senior product marketing manager responsible for managing the marketing activities of Tenable's integration with leading vendors in network and endpoint security, access control, threat intelligence, and cloud applications. He is instrumental in creating ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Active Directory Needs an Update: Here's Why
Raz Rafaeli, CEO and Co-Founder at Secret Double Octopus,  1/16/2020
New Attack Campaigns Suggest Emotet Threat Is Far From Over
Jai Vijayan, Contributing Writer,  1/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5216
PUBLISHED: 2020-01-23
In Secure Headers (RubyGem secure_headers), a directive injection vulnerability is present in versions before 3.9.0, 5.2.0, and 6.3.0. If user-supplied input was passed into append/override_content_security_policy_directives, a newline could be injected leading to limited header injection. Upon seei...
CVE-2020-5217
PUBLISHED: 2020-01-23
In Secure Headers (RubyGem secure_headers), a directive injection vulnerability is present in versions before 3.8.0, 5.1.0, and 6.2.0. If user-supplied input was passed into append/override_content_security_policy_directives, a semicolon could be injected leading to directive injection. This could b...
CVE-2020-5223
PUBLISHED: 2020-01-23
In PrivateBin versions 1.2.0 before 1.2.2, and 1.3.0 before 1.3.2, a persistent XSS attack is possible. Under certain conditions, a user provided attachment file name can inject HTML leading to a persistent Cross-site scripting (XSS) vulnerability. The vulnerability has been fixed in PrivateBin v1.3...
CVE-2019-20399
PUBLISHED: 2020-01-23
A timing vulnerability in the Scalar::check_overflow function in Parity libsecp256k1-rs before 0.3.1 potentially allows an attacker to leak information via a side-channel attack.
CVE-2020-7915
PUBLISHED: 2020-01-22
An issue was discovered on Eaton 5P 850 devices. The Ubicacion SAI field allows XSS attacks by an administrator.