Gathering More Security Data From Your Endpoints

Even though many of the most troublesome and advanced threats hitting enterprise networks originate from the endpoint, most organizations today aren't investing in the same kind of visibility and control over these devices as they spend on network-based controls. This disparity is leaving organizations with a huge blind spot where they need it most, experts say.

"We've seen this advancement in techniques for network-based detection, but we haven't seen quite that much advancement on the endpoint," says Scott Crawford, research director for Enterprise Management Associates. "And, yet, if you look at what the target is in most of these cases, the strategic target may be the users' privileges to sensitive data, so the tactical objective in a lot of cases is the endpoint. You're going to focus on compromising endpoint functionality to gain visibility into the users' activities and get access to their credentials."

According to Crawford, enterprises are missing this to a large degree, with most organizations maintaining a huge dependence on legacy techniques, such as antivirus. Part of it is the scale and distribution of endpoints -- it is much more difficult to deploy technology that will give centralized views of what's happening across the endpoint infrastructure, compared to network visibility. But if organizations don't try, they're going to miss a lot of the threat detection picture.

[Why do injection attacks still stand on top of the OWASP Top 10 2013? See Myth-Busting SQL- And Other Injection Attacks.]

"If you're not doing a similar job of collecting intel from the endpoint that you're collecting on the network, or you can't identify where or if the endpoint has been compromised, then one of the legs of your stool is a little short," Crawford says.

This is a message that John Prisco, CEO of Triumfant, has been preaching for some time now. He's a firm believer that organizations have to invest in gathering more information than they do from their endpoints so they can better detect the important configuration and behavioral changes that will flag malicious activity.

"You've got to be fighting the battle in the trenches, and the trenches in this case would be the endpoint," he says. "You have to have something on the endpoint that isn't antivirus that's looking at changes [to the endpoint]. It has got to be looking at everything and making decisions based on normal behavior changes."

He believes that even beyond traditional antivirus, many of the advanced endpoint protection measures out today depend on the same fatal flaw.

"It all comes down to the rule set that's being used -- success and failure depends on the rule set or the thing that's making the decision as to whether something is malware or not," Prisco says. "There are a lot of fatal flaws out there, and there's one thing that ties them all together and that's prior knowledge. The most advance adversaries are going to defeat all those products because their rule set is predictive."

Of course, not all endpoint security plays depend on prior knowledge -- Prisco's very arguments about chasing the known bad are the same ones that application control and whitelisting players have been beating the drum about for a long time. Prisco claims that whitelisting isn't feasible for endpoints -- "It's really cumbersome. I don't know anybody who would try to make whitelisting products work on an endpoint" -- but it's a contentious point up for debate.

Neil MacDonald of Gartner recently wrote that such claims about the cumbersome nature of application control are old-fashioned and based on previous iterations of the technology.

"Unfortunately, application control has a historical reputation of not being deployable or manageable for end-user systems," MacDonald says. "The reality is that application control can and will be successfully deployed for end user systems and provides excellent protection from these types of [advanced] attacks."

Crawford sits in the middle, stating that at first blush application control vendors have the capability to offer some proactive level of control in high enforcement mode, but that there are limitations.

"Administering high enforcement mode across a number of endpoints does very likely have its limits because you run the risk of having end users contact the support desk and saying, 'I can't load software I really need, and it's interfering with business processes,'" Crawford says. "It's not the solution for every endpoint for every situation."

And in those cases where infection still slips through the cracks of either white or black lists, that's where the importance of intelligence on the state of the endpoints lies. For their part, whitelisting vendors are teaming with others to offer that kind of intelligence and control. In fact, Bit9 just last week made an announcement of a partnership with Fire Eye and Palo Alto Networks to do so.

On his end, Prisco advocates for agent-based technology to offer the right information. Crawford says that it depends on the use case. For example, the off-host capabilities of network access control technology have come a long way from the early days of NAC, and can offer a degree of visibility into endpoints connecting onto the network.

"You've got to ask, what's the objective here? If you're looking to get a better handle on some sanity over what can access your network and what cannot, then the approach of doing preadmission inspection probably has some merit for maintaining visibility into the state of that endpoint," Crawford says. "But depending on how far you want to go in terms of visibility on that host and the level of control you want to exert on that host, then in those cases you are probably going to need some on-host capabilities."

In the end, threat intelligence plays a role in bridging the gap between network intelligence and endpoint malware detection capabilities -- whatever they are. According to Mike Rothman, analyst for Securosis, bidirectional communication between both is key.

"You want bidirectional communication so malware indicators found by the network device or in the cloud are accessible to endpoint agents," Rothman wrote recently in a piece on network-based malware detection. "Additionally, you want malware identified on devices to be sent to the network for further analysis, profiling, determination, and ultimately distribution of indicators to other protected devices."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.