
Manish Patel

Endpoint Security: Putting The Focus On What Matters

Five tips to help sift through the noise and focus on actions that can dramatically impact your endpoint security program.

One of the greatest challenges organizations face when it comes to endpoint security is identifying what is relevant and which actions will reduce the most risk. Whether you have deployed endpoint antivirus or one of the many advanced threat detection solutions, or you are evaluating an endpoint detection and response (EDR) technology, at the end of the day you have limited resources. You must be decisive in taking action to minimize the chances of a breach and to ensure you are placing bets that will have the biggest payoff when it comes to reducing risk.

In this article, I offer some tips to help you sift through the noise and focus on actions that can dramatically improve your endpoint security program.

Tip #1: Gather Endpoint Context

Start by profiling your endpoints. Vulnerability scanners not only discover known and unknown endpoints, but also help provide context about them such as device type, installed applications, OS, and version information. Your DHCP and DNS servers are useful in identifying what to scan. Traffic-monitoring technologies that non-intrusively listen to network traffic can identify transient devices that might not be connected at the time of scanning. Also, use server logs -- from your Exchange email server or IIS server, for example -- to identify which devices connect to your environment.

Use this data to better understand the role your endpoints play, what types of services they support, and what other systems they communicate with. For example, is an endpoint a client that is accessed by a single user or a server that supports thousands of transactions such as a Web server? Is it a network infrastructure device that enables connectivity between the client and server? Is it running a current operating system or an older version that is vulnerable? Does it support critical applications?

Armed with this information, you can build appropriate scan policies and prioritize critical assets in your environment.

Tip #2: Use Vulnerability Context

Once you have a good understanding of what’s in your environment and have the context from scan results, use this information to prioritize remediation of what’s vulnerable and at risk or compromised already. Identify what vulnerabilities exist on the endpoint operating system and the applications that run on it. Use CVSS scores as a first step to help focus on the most severe vulnerabilities. CVSS scores break down vulnerabilities based on whether they are locally or remotely exploitable as well as the complexity of attack and level of access required.

Tip #3: Use Exploitability Context

At the enterprise level, there might be hundreds of critical endpoint vulnerabilities. So what can you do to make the process more manageable? As noted in the 2015 Verizon Data Breach Investigations Report, “a CVE [common vulnerability and exposure] being added to Metasploit is probably the single most reliable predictor of exploitation in the wild.” Include multiple commercial exploit frameworks such as Canvas, Core Impact, and Exploit Hub to complete the exploitability view of your environment. Exploitable vulnerabilities should be remediated promptly, since attackers leverage these as a quick path to compromise. To further refine your approach, you can include context such as whether the endpoint is Internet facing, which would allow an outside attacker to exploit the vulnerability remotely.

Tip #4: Use Threat Context

Adding threat context to your vulnerability results can help further prioritize what is critical. For example, modern vulnerability scanners can detect running processes on the endpoint. By correlating running processes against multiple threat intelligence feeds, you can identify rapidly changing malware that might not be detected by an antivirus engine. When you observe a malicious process with an exploitable and critical vulnerability on the endpoint, prioritize this particular event at the top of your response.

Here are some other scenarios to prioritize:

  • An endpoint with an exploitable vulnerability that is communicating with a known command and control (C&C) server and sending data
  • An endpoint with an exploitable vulnerability that is scanning other endpoints inside the network
  • An endpoint with an exploitable vulnerability that is sending unencrypted PII data to an outside server
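The ranking that Tips #2 through #4 describe, as an added example that is not part of the original article or any Tenable product: each finding carries its CVSS score, the exploit frameworks that cover it, whether the host is Internet facing, and any observed threat signals, and the score combines them so that a weaponized, exposed or actively abused vulnerability outranks a higher-CVSS one with no such context. The weights, host names and CVE placeholders are assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed sample records carrying the context the article describes.
@dataclass
class Finding:
    host: str
    cve: str
    cvss: float                     # CVSS base score reported by the scanner (Tip #2)
    exploit_frameworks: tuple = ()  # frameworks with a public exploit, e.g. ("metasploit",) (Tip #3)
    internet_facing: bool = False   # reachable by an outside attacker (Tip #3)
    threat_signals: tuple = ()      # observed behaviour from threat correlation (Tip #4)

# Assumed weights for the scenarios listed above; tune them to your environment.
THREAT_WEIGHTS = {
    "malicious_process": 5.0,  # known-bad process running on the host
    "c2_beacon": 6.0,          # talking to a known C&C server
    "internal_scan": 4.0,      # scanning other endpoints inside the network
    "pii_exfil": 6.0,          # sending unencrypted PII outside
}

def priority_score(f: Finding) -> float:
    """Combine CVSS severity with exploitability and threat context into one number."""
    score = f.cvss
    if f.exploit_frameworks:
        # Exploit availability is the strongest predictor of in-the-wild exploitation.
        score += 3.0 + 0.5 * (len(f.exploit_frameworks) - 1)
        if f.internet_facing:
            score += 2.0  # weaponized AND remotely reachable from outside
    score += sum(THREAT_WEIGHTS.get(s, 0.0) for s in f.threat_signals)
    return round(score, 1)

def rank_findings(findings):
    """Return the findings ordered highest priority first."""
    return sorted(findings, key=priority_score, reverse=True)

# Constructed sample: CVE ids are placeholders, not real identifiers.
SAMPLE = [
    Finding("web01", "CVE-PLACEHOLDER-1", 9.8),
    Finding("web02", "CVE-PLACEHOLDER-2", 7.5, ("metasploit",), internet_facing=True),
    Finding("ws17", "CVE-PLACEHOLDER-3", 8.1, ("metasploit", "canvas"), threat_signals=("c2_beacon",)),
    Finding("db03", "CVE-PLACEHOLDER-4", 6.5),
]

if __name__ == "__main__":
    for f in rank_findings(SAMPLE):
        print(f"{priority_score(f):5.1f}  {f.host:6}  {f.cve}  signals={f.threat_signals}")
```

In the sample, the CVSS 9.8 finding with no known exploit lands third, behind the exploitable finding on a host that is beaconing to C&C and the exploitable, Internet-facing one.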

Tip #5: Prioritize Remediation

Once you have correlated threats and vulnerabilities, you have what you need to best prioritize your remediation efforts. Start with immediate needs and use countermeasures that you may already have. For example, if there are connections to a C&C server, prioritize response by blocking those communications with existing defenses such as a firewall or IPS.

Other types of responses include quarantining the host, blocking an application, or denying user permission to resources. It’s important to note that implementing blocking based on malware patterns may provide temporary shielding from the threat, but you may still remain susceptible to permutations of the attack, so removing the vulnerability should be the next step.

Next, turn your attention to patching vulnerable hosts, focusing first on those that offer the biggest bang, that is, the actions that reduce the most risk. Then, tackle the remaining vulnerabilities -- such as those that are most prevalent or those associated with specific asset groups that are critical to your environment. Don’t forget to independently verify your patching process by rescanning those assets and correlating the results with your patch-management system. You may find errors that prevented a patch from being applied, or that your patch-management reporting is outdated.
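The verification step described above, as an added example that is not part of the original article: it correlates what the patch-management system claims is installed with what a rescan still detects, and reports the two failure modes the article names (a patch recorded as installed while the vulnerability persists, and a patch that never applied) plus findings no patch record accounts for. All host names, patch ids and CVE ids are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample: what the patch-management system reports per host.
PATCH_MGMT = {
    "web02": {"KB-PLACEHOLDER-1": "installed", "KB-PLACEHOLDER-2": "installed"},
    "ws17":  {"KB-PLACEHOLDER-1": "installed"},
    "db03":  {"KB-PLACEHOLDER-3": "failed"},
}
# Which CVE(s) each patch is supposed to close (placeholder ids).
PATCH_CLOSES = {
    "KB-PLACEHOLDER-1": {"CVE-PLACEHOLDER-1"},
    "KB-PLACEHOLDER-2": {"CVE-PLACEHOLDER-2"},
    "KB-PLACEHOLDER-3": {"CVE-PLACEHOLDER-3"},
}
# Constructed rescan output: CVEs the scanner still detects after the patch cycle.
RESCAN = {
    "web02": {"CVE-PLACEHOLDER-9"},
    "ws17":  {"CVE-PLACEHOLDER-1"},
    "db03":  {"CVE-PLACEHOLDER-3"},
}

def reconcile(patch_mgmt, patch_closes, rescan):
    """Return {host: [(issue, patch_id, [cves])]} for every mismatch between records and rescan."""
    issues = defaultdict(list)
    for host, patches in patch_mgmt.items():
        still_open = rescan.get(host, set())
        for kb, status in patches.items():
            leftover = patch_closes.get(kb, set()) & still_open
            if not leftover:
                continue  # scanner agrees the patch closed its CVEs
            if status == "installed":
                # Reporting says patched, scanner disagrees: the patch did not take or reporting is stale.
                issues[host].append(("claimed_installed_but_vulnerable", kb, sorted(leftover)))
            else:
                issues[host].append(("patch_not_applied", kb, sorted(leftover)))
    # CVEs the rescan found that no patch record on that host accounts for at all.
    for host, open_cves in rescan.items():
        covered = set().union(*(patch_closes.get(kb, set()) for kb in patch_mgmt.get(host, {})))
        for cve in sorted(open_cves - covered):
            issues[host].append(("no_patch_record", None, [cve]))
    return dict(issues)

if __name__ == "__main__":
    for host, found in reconcile(PATCH_MGMT, PATCH_CLOSES, RESCAN).items():
        for issue, kb, cves in found:
            print(f"{host:6} {issue:34} {kb or '-':18} {', '.join(cves)}")
```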

Final Thoughts

Implementing a prioritized approach to endpoint security can help you focus on actions that can quickly reduce risk in your environment. To learn more about improving your endpoint security program, please join the Tenable Webcast titled “Four Reasons Why Endpoint Security Fails” on Nov 18th.

Manish Patel is a senior product marketing manager responsible for managing the marketing activities of Tenable's integration with leading vendors in network and endpoint security, access control, threat intelligence, and cloud applications. He is instrumental in creating ...
10/29/2015 | 1:49:29 PM
Metasploit- Good DashBoard
Excellent comment regarding watching if the vulnerability ends up on Metasploit.  This is a quick step that can help determine your risk.