Manish Patel

Endpoint Security: Putting The Focus On What Matters

Five tips to help sift through the noise and focus on actions that can dramatically impact your endpoint security program.

One of the greatest challenges organizations face when it comes to endpoint security is identifying what is relevant and which actions will eliminate the most risk. Whether you have deployed endpoint antivirus or one of the many advanced threat detection solutions, or you are evaluating an endpoint detection and response (EDR) technology, at the end of the day your resources are limited. You must be decisive in taking action to minimize the chances of a breach and to ensure you are placing bets that will have the biggest payoff when it comes to reducing risk.

In this article, I offer some tips to help you sift through the noise and focus on actions that can dramatically improve your endpoint security program.

Tip #1: Gather Endpoint Context

Start by profiling your endpoints. Vulnerability scanners not only discover known and unknown endpoints, but also help provide context about them such as device type, installed applications, OS, and version information. Your DHCP and DNS servers are useful in identifying what to scan. Traffic-monitoring technologies that non-intrusively listen to network traffic can identify transient devices that might not be connected at the time of scanning. Also, use server logs -- from your Exchange email server or IIS server, for example -- to identify which devices connect to your environment.

Use this data to better understand the role your endpoints play, what types of services they support, and what other systems they communicate with. For example, is an endpoint a client that is accessed by a single user or a server that supports thousands of transactions such as a Web server? Is it a network infrastructure device that enables connectivity between the client and server? Is it running a current operating system or an older version that is vulnerable? Does it support critical applications?

Armed with this information, you can build appropriate scan policies and prioritize critical assets in your environment.

Tip #2: Use Vulnerability Context

Once you have a good understanding of what’s in your environment and have the context from scan results, use this information to prioritize remediation of what’s vulnerable and at risk or compromised already. Identify what vulnerabilities exist on the endpoint operating system and the applications that run on it. Use CVSS scores as a first step to help focus on the most severe vulnerabilities. CVSS scores break down vulnerabilities based on whether they are locally or remotely exploitable as well as the complexity of attack and level of access required.

Tip #3: Use Exploitability Context

At the enterprise level, there might be hundreds of critical endpoint vulnerabilities. So what can you do to make the process more manageable? As noted in the 2015 Verizon Data Breach Investigations Report, “a CVE [common vulnerability and exposure] being added to Metasploit is probably the single most reliable predictor of exploitation in the wild.” Include multiple commercial exploit frameworks such as Canvas, Core Impact, and Exploit Hub to complete the exploitability view of your environment. Exploitable vulnerabilities should be remediated promptly, since attackers leverage them as a quick path to compromise. To further refine your approach, you can include context such as whether the endpoint is Internet facing, which would allow an outside attacker to exploit the vulnerability remotely.

Tip #4: Use Threat Context

Adding threat context to your vulnerability results can help further prioritize what is critical. For example, modern vulnerability scanners can detect running processes on the endpoint. By correlating running processes against multiple threat intelligence feeds, you can identify rapidly changing malware that might not be detected by an antivirus engine. When you observe a malicious process with an exploitable and critical vulnerability on the endpoint, prioritize this particular event at the top of your response.

Here are some other scenarios to prioritize:

  • An endpoint with an exploitable vulnerability that is communicating with a known command and control (C&C) server and sending data
  • An endpoint with an exploitable vulnerability that is scanning other endpoints inside the network
  • An endpoint with an exploitable vulnerability that is sending unencrypted PII data to an outside server

Tip #5: Prioritize Remediation

Once you have correlated threats and vulnerabilities, you have what you need to best prioritize your remediation efforts. Start with immediate needs and use countermeasures that you may already have. For example, if there are connections to a C&C server, prioritize response by blocking those communications with existing defenses such as a firewall or IPS.

Other types of responses include quarantining the host, blocking an application, or denying user permission to resources. It’s important to note that blocking based on malware patterns may provide temporary shielding from the threat, but you may still remain susceptible to permutations of the attack, so removing the vulnerability should be the next step.

Next, turn your attention to patching vulnerable hosts. Focus first on those that offer the biggest bang, by identifying the actions that reduce the most risk. Then tackle the remaining vulnerabilities -- such as those that are most prevalent or those associated with specific asset groups that are critical to your environment. Don’t forget to independently verify your patching process by rescanning those assets and correlating the results to your patch-management system. You may find errors that prevented a patch from being applied or that your patch-management reporting is outdated.
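As an added example that is not part of the article or of Tenable's own tooling, the Python below turns the five tips into one triage routine: CVSS as the first cut (Tip #2), exploit-framework presence and Internet exposure (Tip #3), malicious-process and C&C observations (Tip #4) and asset criticality (Tip #1) feed a response tier and an immediate countermeasure (Tip #5). The hosts, CVE ids and weights are constructed placeholders, not values from the article.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One (endpoint, vulnerability) pair plus the context the tips collect."""
    host: str
    cve: str                  # placeholder ids below, not real CVEs
    cvss: float               # Tip #2: base severity
    in_exploit_kit: bool      # Tip #3: present in Metasploit / Canvas / Core Impact
    internet_facing: bool     # Tip #3: reachable by an outside attacker
    critical_asset: bool      # Tip #1: supports critical services or applications
    malicious_process: bool   # Tip #4: running process matched a threat-intel feed
    c2_traffic: bool          # Tip #4: observed talking to a known C&C server


def tier(f: Finding) -> str:
    """Response tier; string prefixes sort in the order the article recommends."""
    if f.c2_traffic or f.malicious_process:
        return "1-contain"          # active compromise: block or quarantine first
    if f.in_exploit_kit and f.cvss >= 7.0:
        return "2-patch-promptly"   # critical and exploitable
    if f.cvss >= 7.0:
        return "3-patch-scheduled"  # critical but no public exploit seen yet
    return "4-backlog"


def priority_score(f: Finding) -> float:
    """Numeric score used to order findings inside a tier (weights are assumptions)."""
    score = f.cvss
    score += 3.0 if f.in_exploit_kit else 0.0
    score += 1.5 if f.internet_facing else 0.0
    score += 1.0 if f.critical_asset else 0.0
    score += 5.0 if (f.malicious_process or f.c2_traffic) else 0.0
    return score


def first_action(f: Finding) -> str:
    """Immediate countermeasure using existing defenses, before the patch lands (Tip #5)."""
    if f.c2_traffic:
        return "block C&C destination at firewall/IPS, then patch"
    if f.malicious_process:
        return "quarantine host or block the application, then patch"
    return "patch, then rescan to verify the patch applied"


def prioritize(findings):
    """Highest tier first, then highest score, then host name for a stable order."""
    return sorted(findings, key=lambda f: (tier(f), -priority_score(f), f.host))


# Constructed sample scan output (hosts, ids and flags are made up)
SAMPLE = [
    Finding("web-01", "CVE-0000-0001", 9.8, True, True, True, False, False),
    Finding("hr-pc-17", "CVE-0000-0002", 7.5, True, False, False, True, True),
    Finding("print-srv", "CVE-0000-0003", 5.3, False, False, False, False, False),
    Finding("db-02", "CVE-0000-0004", 8.1, False, False, True, False, False),
]
```

Running `prioritize(SAMPLE)` puts the compromised desktop ahead of the Internet-facing web server even though the server's CVSS is higher, which is the ordering Tip #4 and Tip #5 argue for.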

Final Thoughts

Implementing a prioritized approach to endpoint security can help you focus on actions that can quickly reduce risk in your environment. To learn more about improving your endpoint security program, please join the Tenable Webcast titled “Four Reasons Why Endpoint Security Fails” on Nov 18th.

Manish Patel is a senior product marketing manager responsible for managing the marketing activities of Tenable's integration with leading vendors in network and endpoint security, access control, threat intelligence, and cloud applications. He is instrumental in creating ...
10/29/2015 | 1:49:29 PM
Metasploit - Good Dashboard
Excellent comment regarding watching if the vulnerability ends up on Metasploit. This is a quick step that can help determine your risk.