Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
9/17/2015
10:00 AM
Manish Patel
Manish Patel
Partner Perspectives
100%
0%

Why Is Endpoint Security Failing?

Endpoint security assurance is not just about detecting threats, but about building a more effective endpoint security program.

It should come as no surprise that the next major battle in IT security is focused on endpoints. Mobility and BYOD have made it possible for users to remotely access just about any business resource. The adoption of cloud-delivered services enables workloads to move to a shared environment bypassing on-premises, layered security defenses and directly accessible by the mobile workforce.

In this segmented and diverse environment, organizations are implementing a variety of security solutions focused on preventing the latest threats. What often gets neglected is eliminating the weaknesses that lead to attack in the first place, and continuously monitoring for signs of compromise throughout your environment. What can you do to effectively fight the endpoint battle?

Tip #1: Illuminate Hidden Endpoints

A mobile workforce with a plethora of mobile devices challenges traditional security architectures. Consider that limited connectivity can cause devices to not always be visible, that many devices may not have the resources to run full versions of security software, and since ownership of the device lies with the user, it often falls outside the control of IT.

What can you do?

  • Start by getting a firm understanding of what’s connecting to your network. Use multiple techniques to form a composite view of connected endpoints and applications.
  • Supplementing endpoint agents with active scanning, passive monitoring, and even analyzing events from your network infrastructure such as DNS or DHCP servers and logs from network components can help identify both managed and unmanaged endpoints. This information is pivotal in then helping build scan policies to identify vulnerabilities, non-compliant systems, or unprotected endpoints that are at risk or that are unprotected.

Tip #2: Identify Weaknesses

Traditional signature-based endpoint protection is no longer sufficient in preventing targeted malware. Innovative technologies such as sandboxing and application wrapping may help in some areas by identifying unknown threats. While all of this is focused on analyzing traffic to look for indications of possible threats, as the Verizon DBIR clearly notes time and time again, a prominent way attackers infiltrate organizations is through known vulnerabilities and security weaknesses.

What can you do?

  • Before investing in exotic technologies, become exceptionally good at the basics.
  • First, button up your endpoints and ensure they are hardened and regularly updated. Hardening your endpoints can reduce your exposure by removing weaknesses such as open ports that allow attackers to access critical servers or unencrypted communications from payment-processing terminals.
  • Next, monitor critical changes on systems and track systems that drift out of compliance. Look to vulnerability management products to identify misconfigurations or extraneous applications as well as to continuous monitoring solutions that can track endpoints as they move out of compliance.

Tip #3: Routinely Check For Compromise

Compromised endpoints that connect to your network can propagate malware or become a springboard for advanced attacks. They can infiltrate critical resources by scanning for possible attack paths or weaknesses inside your network to transmit infection, gain root access through privilege escalation, or open pathways to access sensitive data.

What can you do?

  • Identify endpoints and applications that are not authorized or updated or those that are vulnerable. Once vulnerable systems are identified, prioritize remediation of critical vulnerabilities that are exploitable by commercial frameworks such as Metasploit.
  • Other recommendations include looking for signs of infection by identifying malicious processes on endpoints that are associated with malware; using threat intelligence services or looking for outbound communications to malicious sites; and monitoring sensitive data leaving your environment.
  • Finally, look for anomalies and behavior indicative of malware For example, is the endpoint probing other endpoints or networks? Is it behaving like a bot or opening ports to botnet sites? Is it reaching out to critical servers or initiating never-before-seen activities or processes?

Tip #4: Measure Endpoint Security Effectiveness

Security, network infrastructure, and compliance solutions are often deployed and managed by separate parts of the organization. Often, the objectives of each team are independent, yet sharing goals and information from security activities and assessments can surely help all parties reach their unique goals and help the organization elevate its security profile.

What can you do?

  • Start by building consistent security policies and then measuring your endpoint effectiveness against them.
  • Then, identify the gaps where endpoint security policies are failing to meet business objectives. For example, build dashboards and reports that continuously measure how quickly you identify critically vulnerable and compromised endpoints and how quickly you remediate them.
  • Implementing an endpoint security program based on defined frameworks such as critical cyber controls can help create a comprehensive, closed-loop process that can bring consistency to how endpoint security is implemented and measured in your organization.

Final Thoughts

Endpoint security assurance is not just about detecting threats, but about building a more effective endpoint security program -- one that proactively detects known and unknown endpoints, helps identify what is critically vulnerable to attacks, what weaknesses exist in your environment, and how effective you are at identifying threats and remediating them. If you are clearly able to answer the question “How secure are we?” and demonstrate this throughout the organization, you are already on your way to a successful endpoint security program.

Manish Patel is a senior product marketing manager responsible for managing the marketing activities of Tenable's integration with leading vendors in network and endpoint security, access control, threat intelligence, and cloud applications. He is instrumental in creating ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Sincee
100%
0%
Sincee,
User Rank: Strategist
9/21/2015 | 4:11:21 AM
Re: Security starts when you press the POWER switch
thank you for this article informative!
macker490
50%
50%
macker490,
User Rank: Ninja
9/20/2015 | 8:50:47 AM
Security starts when you press the POWER switch
your Operating System Software controls Endpoint Security

what are you using?    is it doing waht is required ?
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Intel Issues Fix for 'Plundervolt' SGX Flaw
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5252
PUBLISHED: 2019-12-14
There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant.
CVE-2019-5235
PUBLISHED: 2019-12-14
Some Huawei smart phones have a null pointer dereference vulnerability. An attacker crafts specific packets and sends to the affected product to exploit this vulnerability. Successful exploitation may cause the affected phone to be abnormal.
CVE-2019-5264
PUBLISHED: 2019-12-13
There is an information disclosure vulnerability in certain Huawei smartphones (Mate 10;Mate 10 Pro;Honor V10;Changxiang 7S;P-smart;Changxiang 8 Plus;Y9 2018;Honor 9 Lite;Honor 9i;Mate 9). The software does not properly handle certain information of applications locked by applock in a rare condition...
CVE-2019-5277
PUBLISHED: 2019-12-13
Huawei CloudUSM-EUA V600R006C10;V600R019C00 have an information leak vulnerability. Due to improper configuration, the attacker may cause information leak by successful exploitation.
CVE-2019-5254
PUBLISHED: 2019-12-13
Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600;NIP6800;S5700;SVN5600;SVN5800;SVN5800-C;SeMG9811;Secospace AntiDDoS8000;Secospace USG6300;Secospace USG6500;Secospace USG6600;USG6000V;eSpace U1981) have an out-of-bounds read vulnerability. An attacker who logs in to the board m...