Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
9/17/2015
10:00 AM
Manish Patel
Manish Patel
Partner Perspectives
100%
0%

Why Is Endpoint Security Failing?

Endpoint security assurance is not just about detecting threats, but about building a more effective endpoint security program.

It should come as no surprise that the next major battle in IT security is focused on endpoints. Mobility and BYOD have made it possible for users to remotely access just about any business resource. The adoption of cloud-delivered services enables workloads to move to a shared environment bypassing on-premises, layered security defenses and directly accessible by the mobile workforce.

In this segmented and diverse environment, organizations are implementing a variety of security solutions focused on preventing the latest threats. What often gets neglected is eliminating the weaknesses that lead to attack in the first place, and continuously monitoring for signs of compromise throughout your environment. What can you do to effectively fight the endpoint battle?

Tip #1: Illuminate Hidden Endpoints

A mobile workforce with a plethora of mobile devices challenges traditional security architectures. Consider that limited connectivity can cause devices to not always be visible, that many devices may not have the resources to run full versions of security software, and since ownership of the device lies with the user, it often falls outside the control of IT.

What can you do?

  • Start by getting a firm understanding of what’s connecting to your network. Use multiple techniques to form a composite view of connected endpoints and applications.
  • Supplementing endpoint agents with active scanning, passive monitoring, and even analyzing events from your network infrastructure such as DNS or DHCP servers and logs from network components can help identify both managed and unmanaged endpoints. This information is pivotal in then helping build scan policies to identify vulnerabilities, non-compliant systems, or unprotected endpoints that are at risk or that are unprotected.

Tip #2: Identify Weaknesses

Traditional signature-based endpoint protection is no longer sufficient in preventing targeted malware. Innovative technologies such as sandboxing and application wrapping may help in some areas by identifying unknown threats. While all of this is focused on analyzing traffic to look for indications of possible threats, as the Verizon DBIR clearly notes time and time again, a prominent way attackers infiltrate organizations is through known vulnerabilities and security weaknesses.

What can you do?

  • Before investing in exotic technologies, become exceptionally good at the basics.
  • First, button up your endpoints and ensure they are hardened and regularly updated. Hardening your endpoints can reduce your exposure by removing weaknesses such as open ports that allow attackers to access critical servers or unencrypted communications from payment-processing terminals.
  • Next, monitor critical changes on systems and track systems that drift out of compliance. Look to vulnerability management products to identify misconfigurations or extraneous applications as well as to continuous monitoring solutions that can track endpoints as they move out of compliance.

Tip #3: Routinely Check For Compromise

Compromised endpoints that connect to your network can propagate malware or become a springboard for advanced attacks. They can infiltrate critical resources by scanning for possible attack paths or weaknesses inside your network to transmit infection, gain root access through privilege escalation, or open pathways to access sensitive data.

What can you do?

  • Identify endpoints and applications that are not authorized or updated or those that are vulnerable. Once vulnerable systems are identified, prioritize remediation of critical vulnerabilities that are exploitable by commercial frameworks such as Metasploit.
  • Other recommendations include looking for signs of infection by identifying malicious processes on endpoints that are associated with malware; using threat intelligence services or looking for outbound communications to malicious sites; and monitoring sensitive data leaving your environment.
  • Finally, look for anomalies and behavior indicative of malware For example, is the endpoint probing other endpoints or networks? Is it behaving like a bot or opening ports to botnet sites? Is it reaching out to critical servers or initiating never-before-seen activities or processes?

Tip #4: Measure Endpoint Security Effectiveness

Security, network infrastructure, and compliance solutions are often deployed and managed by separate parts of the organization. Often, the objectives of each team are independent, yet sharing goals and information from security activities and assessments can surely help all parties reach their unique goals and help the organization elevate its security profile.

What can you do?

  • Start by building consistent security policies and then measuring your endpoint effectiveness against them.
  • Then, identify the gaps where endpoint security policies are failing to meet business objectives. For example, build dashboards and reports that continuously measure how quickly you identify critically vulnerable and compromised endpoints and how quickly you remediate them.
  • Implementing an endpoint security program based on defined frameworks such as critical cyber controls can help create a comprehensive, closed-loop process that can bring consistency to how endpoint security is implemented and measured in your organization.

Final Thoughts

Endpoint security assurance is not just about detecting threats, but about building a more effective endpoint security program -- one that proactively detects known and unknown endpoints, helps identify what is critically vulnerable to attacks, what weaknesses exist in your environment, and how effective you are at identifying threats and remediating them. If you are clearly able to answer the question “How secure are we?” and demonstrate this throughout the organization, you are already on your way to a successful endpoint security program.

Manish Patel is a senior product marketing manager responsible for managing the marketing activities of Tenable's integration with leading vendors in network and endpoint security, access control, threat intelligence, and cloud applications. He is instrumental in creating ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Sincee
100%
0%
Sincee,
User Rank: Strategist
9/21/2015 | 4:11:21 AM
Re: Security starts when you press the POWER switch
thank you for this article informative!
macker490
50%
50%
macker490,
User Rank: Ninja
9/20/2015 | 8:50:47 AM
Security starts when you press the POWER switch
your Operating System Software controls Endpoint Security

what are you using?    is it doing waht is required ?
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "The security team seem to be taking SiegeWare seriously" 
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-1114
PUBLISHED: 2019-12-05
A Cross-Site Scripting (XSS) vulnerability exists in LDAP Account Manager (LAM) Pro 3.6 in the filter parameter to cmd.php in an export and exporter_id action. and the filteruid parameter to list.php.
CVE-2012-1115
PUBLISHED: 2019-12-05
A Cross-Site Scripting (XSS) vulnerability exists in LDAP Account Manager (LAM) Pro 3.6 in the export, add_value_form, and dn parameters to cmd.php.
CVE-2012-1592
PUBLISHED: 2019-12-05
A local code execution issue exists in Apache Struts2 when processing malformed XSLT files, which could let a malicious user upload and execute arbitrary files.
CVE-2019-16770
PUBLISHED: 2019-12-05
A poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough.
CVE-2019-19609
PUBLISHED: 2019-12-05
The Strapi framework before 3.0.0-beta.17.8 is vulnerable to Remote Code Execution in the Install and Uninstall Plugin components of the Admin panel, because it does not sanitize the plugin name, and attackers can inject arbitrary shell commands to be executed by the execa function.