Partner Perspectives
Manish Patel

Endpoint Security: Putting The Focus On What Matters

Five tips to help sift through the noise and focus on actions that can dramatically impact your endpoint security program.

One of the greatest challenges organizations face when it comes to endpoint security is identifying what is relevant and which actions reduce the most risk. Whether you have deployed endpoint antivirus or one of the many advanced threat detection solutions, or you are evaluating an endpoint detection and response (EDR) technology, at the end of the day you have limited resources. You must be decisive in taking action to minimize the chances of a breach and to ensure you are placing bets that will have the biggest payoff when it comes to reducing risk.

In this article, I offer some tips to help you sift through the noise and focus on actions that can dramatically improve your endpoint security program.

Tip #1: Gather Endpoint Context

Start by profiling your endpoints. Vulnerability scanners not only discover known and unknown endpoints, but also help provide context about them such as device type, installed applications, OS, and version information. Your DHCP and DNS servers are useful in identifying what to scan. Traffic-monitoring technologies that non-intrusively listen to network traffic can identify transient devices that might not be connected at the time of scanning. Also, use server logs -- from your Exchange email server or IIS server, for example -- to identify which devices connect to your environment.

Use this data to better understand the role your endpoints play, what types of services they support, and what other systems they communicate with. For example, is an endpoint a client that is accessed by a single user or a server that supports thousands of transactions such as a Web server? Is it a network infrastructure device that enables connectivity between the client and server? Is it running a current operating system or an older version that is vulnerable? Does it support critical applications?

Armed with this information, you can build appropriate scan policies and prioritize critical assets in your environment.

Tip #2: Use Vulnerability Context

Once you have a good understanding of what’s in your environment and have the context from scan results, use this information to prioritize remediation of what’s vulnerable and at risk or compromised already. Identify what vulnerabilities exist on the endpoint operating system and the applications that run on it. Use CVSS scores as a first step to help focus on the most severe vulnerabilities. CVSS scores break down vulnerabilities based on whether they are locally or remotely exploitable as well as the complexity of attack and level of access required.

Tip #3: Use Exploitability Context

At the enterprise level, there might be hundreds of critical endpoint vulnerabilities. So what can you do to make the process more manageable? As noted in the 2015 Verizon Data Breach Investigations Report, “a CVE [common vulnerability and exposure] being added to Metasploit is probably the single most reliable predictor of exploitation in the wild.” Include multiple commercial exploit frameworks such as Canvas, Core Impact, and Exploit Hub to complete the exploitability view of your environment. Exploitable vulnerabilities should be remediated promptly since attackers leverage them as a quick path to compromise. To further refine your approach, you can include context such as whether the endpoint is Internet facing, which would allow an outside attacker to exploit the vulnerability remotely.

Tip #4: Use Threat Context

Adding threat context to your vulnerability results can help further prioritize what is critical. For example, modern vulnerability scanners can detect running processes on the endpoint. By correlating running processes against multiple threat intelligence feeds, you can identify rapidly changing malware that might not be detected by an antivirus engine. When you observe a malicious process with an exploitable and critical vulnerability on the endpoint, prioritize this particular event at the top of your response.

Here are some other scenarios to prioritize:

  • An endpoint with an exploitable vulnerability that is communicating with a known command and control (C&C) server and sending data
  • An endpoint with an exploitable vulnerability that is scanning other endpoints inside the network
  • An endpoint with an exploitable vulnerability that is sending unencrypted PII data to an outside server

Tip #5: Prioritize Remediation

Once you have correlated threats and vulnerabilities, you have what you need to best prioritize your remediation efforts. Start with immediate needs and use countermeasures that you may already have. For example, if there are connections to a C&C server, prioritize response by blocking those communications with existing defenses such as a firewall or IPS.

Other types of responses include quarantining the host, blocking an application, or denying a user permission to resources. It’s important to note that blocking based on malware patterns may provide temporary shielding from the threat, but you may still remain susceptible to permutations of the attack, so removing the vulnerability should be the next step.

Next, turn your attention to patching vulnerable hosts, focusing first on those that offer the biggest bang: the actions that reduce the most risk. Then, tackle the remaining vulnerabilities -- such as those that are most prevalent or those associated with specific asset groups that are critical to your environment. Don’t forget to independently verify your patching process by rescanning those assets and correlating the results to your patch-management system. You may find errors that prevented a patch from being applied or that your patch-management reporting is outdated.
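The five tips describe one procedure: layer asset, vulnerability, exploitability and threat context, then contain first and patch second. The Python below is an added example of that layering over a constructed inventory; it is not code from the article or from any Tenable product, the tier ordering and the action strings are this example's own assumptions, and the CVE ids are placeholders.

```python
from dataclasses import dataclass, field

@dataclass
class Finding:
    cve: str                 # placeholder ids below; not real advisories
    cvss: float              # CVSS base score (Tip #2)
    exploit_available: bool  # module exists in Metasploit/Canvas/Core Impact/Exploit Hub (Tip #3)

@dataclass
class Endpoint:
    name: str
    internet_facing: bool    # asset context from Tip #1
    findings: list
    threats: set = field(default_factory=set)  # Tip #4 indicators; keys of THREAT_ACTION

THREAT_ACTION = {  # Tip #5: contain first with controls you already have
    "c2": "block C&C traffic on firewall/IPS", "pii_exfil": "block outbound transfer on firewall/IPS",
    "malicious_process": "quarantine host", "scanning": "quarantine host",
}

def worst_cvss(ep):
    return max((f.cvss for f in ep.findings), default=0.0)

def tier(ep):
    """Lower is more urgent. This ordering is the example's own assumption, not a Tenable rule."""
    exploitable = any(f.exploit_available for f in ep.findings)
    if exploitable and ep.threats:   # top of the queue: known-exploitable and showing threat activity
        return 1
    if ep.threats:                    # threat activity alone still signals possible compromise
        return 2
    if exploitable:                   # exploitable, Internet-facing before internal-only
        return 3 if ep.internet_facing else 4
    return 5 if worst_cvss(ep) >= 9.0 else 6   # critical by CVSS but no known exploit, then the rest

def prioritize(endpoints):
    """Rank by tier, ties broken by the most severe CVSS on the endpoint."""
    return sorted(endpoints, key=lambda ep: (tier(ep), -worst_cvss(ep)))

def recommend(ep):
    """Block or quarantine with existing controls first, then remove the vulnerability itself."""
    actions = [THREAT_ACTION[t] for t in sorted(ep.threats)]
    for f in sorted(ep.findings, key=lambda f: (not f.exploit_available, -f.cvss)):
        actions.append(f"patch {f.cve} (CVSS {f.cvss}{', exploit available' if f.exploit_available else ''})")
    return actions

SAMPLE = [  # constructed sample inventory; CVE ids are placeholders, not real advisories
    Endpoint("hr-laptop-07", False, [Finding("CVE-PLACEHOLDER-1", 9.8, False)]),
    Endpoint("web-01", True, [Finding("CVE-PLACEHOLDER-2", 7.5, True)]),
    Endpoint("db-02", False, [Finding("CVE-PLACEHOLDER-3", 8.1, True)], {"c2"}),
]
```

Note that the laptop with the highest CVSS score lands last: without an exploit module or threat activity it is the least urgent of the three, which is the point of adding context beyond CVSS.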

Final Thoughts

Implementing a prioritized approach to endpoint security can help you focus on actions that can quickly reduce risk in your environment. To learn more about improving your endpoint security program, please join the Tenable Webcast titled “Four Reasons Why Endpoint Security Fails” on Nov 18th.

Manish Patel is a senior product marketing manager responsible for managing the marketing activities of Tenable's integration with leading vendors in network and endpoint security, access control, threat intelligence, and cloud applications. He is instrumental in creating ...
User Rank: Apprentice
10/29/2015 | 1:49:29 PM
Metasploit- Good DashBoard
Excellent comment regarding watching if the vulnerability ends up on Metasploit. This is a quick step that can help determine your risk.