Gathering More Security Data From Your Endpoints

Endpoint security intelligence and controls have not kept pace with similar visibility and management of the network

Even though many of the most troublesome and advanced threats hitting enterprise networks originate from the endpoint, most organizations today aren't investing in the same kind of visibility and control over these devices that they buy for the network. This disparity leaves organizations with a huge blind spot exactly where visibility matters most, experts say.

"We've seen this advancement in techniques for network-based detection, but we haven't seen quite that much advancement on the endpoint," says Scott Crawford, research director for Enterprise Management Associates. "And, yet, if you look at what the target is in most of these cases, the strategic target may be the users' privileges to sensitive data, so the tactical objective in a lot of cases is the endpoint. You're going to focus on compromising endpoint functionality to gain visibility into the users' activities and get access to their credentials."

According to Crawford, enterprises are largely missing this, with most organizations still depending heavily on legacy techniques such as antivirus. Part of it is the scale and distribution of endpoints -- it is much more difficult to deploy technology that gives a centralized view of what's happening across the endpoint infrastructure than it is to get that view of the network. But if organizations don't try, they're going to miss a lot of the threat detection picture.


"If you're not doing a similar job of collecting intel from the endpoint that you're collecting on the network, or you can't identify where or if the endpoint has been compromised, then one of the legs of your stool is a little short," Crawford says.

This is a message that John Prisco, CEO of Triumfant, has been preaching for some time now. He's a firm believer that organizations have to invest in gathering more information from their endpoints than they do today, so they can better detect the configuration and behavioral changes that flag malicious activity.

"You've got to be fighting the battle in the trenches, and the trenches in this case would be the endpoint," he says. "You have to have something on the endpoint that isn't antivirus that's looking at changes [to the endpoint]. It has got to be looking at everything and making decisions based on normal behavior changes."

He believes that even beyond traditional antivirus, many of the advanced endpoint protection measures out today depend on the same fatal flaw.

"It all comes down to the rule set that's being used -- success and failure depends on the rule set or the thing that's making the decision as to whether something is malware or not," Prisco says. "There are a lot of fatal flaws out there, and there's one thing that ties them all together and that's prior knowledge. The most advanced adversaries are going to defeat all those products because their rule set is predictive."
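The change-based approach Prisco describes, recording what a host normally looks like and flagging deviations rather than matching signatures of known-bad code, can be sketched in a few dozen lines. The following is an added example written for this page; it is not Triumfant's product logic or any vendor's code. Every name, weight and threshold is an assumption, and the baseline and "current" host states are constructed sample data.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class EndpointState:
    """Comparable summary of one host: what is on disk, what persists, what listens."""
    files: dict           # path -> sha256 of contents
    autoruns: dict        # persistence entry name -> command line
    listeners: frozenset  # (protocol, port) pairs with a listening socket


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def snapshot(files: dict, autoruns: dict, listeners) -> EndpointState:
    """Reduce raw collector output (constructed here) to the state an agent keeps."""
    return EndpointState(
        files={path: sha256_hex(content) for path, content in files.items()},
        autoruns=dict(autoruns),
        listeners=frozenset(listeners),
    )


# Illustrative weights: new persistence and new listeners are far rarer in
# normal drift than file churn, so they count for more.
WEIGHTS = {
    "autorun_added": 5, "autorun_modified": 5, "listener_added": 4,
    "file_modified": 3, "file_added": 1, "file_removed": 1,
}


def diff_state(baseline: EndpointState, current: EndpointState) -> list:
    """Return (change_type, subject, detail) tuples for every deviation from baseline."""
    findings = []
    for path, digest in current.files.items():
        if path not in baseline.files:
            findings.append(("file_added", path, digest))
        elif baseline.files[path] != digest:
            findings.append(("file_modified", path, digest))
    for path in sorted(baseline.files.keys() - current.files.keys()):
        findings.append(("file_removed", path, ""))
    for name, cmd in current.autoruns.items():
        if name not in baseline.autoruns:
            findings.append(("autorun_added", name, cmd))
        elif baseline.autoruns[name] != cmd:
            findings.append(("autorun_modified", name, cmd))
    for proto, port in sorted(current.listeners - baseline.listeners):
        findings.append(("listener_added", f"{proto}/{port}", ""))
    return findings


def risk_score(findings) -> int:
    return sum(WEIGHTS.get(kind, 1) for kind, _, _ in findings)


def analyze(baseline: EndpointState, current: EndpointState, threshold: int = 5) -> dict:
    """Flag the host when accumulated, unexplained change reaches the threshold."""
    findings = diff_state(baseline, current)
    score = risk_score(findings)
    return {"findings": findings, "score": score, "alert": score >= threshold}


def rebaseline(baseline: EndpointState, current: EndpointState, approved_subjects: set) -> EndpointState:
    """Fold reviewed, legitimate changes (e.g. a patch window) into the baseline.
    Anything not approved stays flagged on the next comparison."""
    files = {p: d for p, d in baseline.files.items()
             if p in current.files or p not in approved_subjects}
    for path in approved_subjects:
        if path in current.files:
            files[path] = current.files[path]
    autoruns = {n: c for n, c in baseline.autoruns.items()
                if n in current.autoruns or n not in approved_subjects}
    for name in approved_subjects:
        if name in current.autoruns:
            autoruns[name] = current.autoruns[name]
    listeners = baseline.listeners | {
        (proto, port) for proto, port in current.listeners
        if f"{proto}/{port}" in approved_subjects}
    return EndpointState(files, autoruns, listeners)


# Constructed sample data: a golden state taken at build time, then the same host later.
BASELINE = snapshot(
    files={"/usr/bin/sshd": b"sshd build 9.0", "/etc/hosts": b"127.0.0.1 localhost\n"},
    autoruns={"cron": "/usr/sbin/cron"},
    listeners={("tcp", 22)},
)
CURRENT = snapshot(
    files={
        "/usr/bin/sshd": b"sshd build 9.0",
        "/etc/hosts": b"127.0.0.1 localhost\n10.0.0.5 updates.example\n",
        "/tmp/.cache/updater": b"constructed unknown binary",
    },
    autoruns={"cron": "/usr/sbin/cron", "updater": "/tmp/.cache/updater --silent"},
    listeners={("tcp", 22), ("tcp", 4444)},
)

if __name__ == "__main__":
    result = analyze(BASELINE, CURRENT)
    for kind, subject, detail in result["findings"]:
        print(f"{kind:16} {subject} {detail[:16]}")
    print("score", result["score"], "alert", result["alert"])
```

Nothing here needs prior knowledge of a specific piece of malware: the new persistence entry, the new listening port and the edited hosts file each count against the host simply because they are not in its baseline. The `rebaseline` step is what keeps this from drowning in alerts after legitimate change, since only subjects an operator has reviewed are absorbed and everything else stays visible.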

Of course, not all endpoint security plays depend on prior knowledge -- Prisco's very arguments about chasing the known bad are the same ones that application control and whitelisting players have been beating the drum about for a long time. Prisco claims that whitelisting isn't feasible for endpoints -- "It's really cumbersome. I don't know anybody who would try to make whitelisting products work on an endpoint" -- but it's a contentious point up for debate.

Neil MacDonald of Gartner recently wrote that such claims about the cumbersome nature of application control are old-fashioned and based on previous iterations of the technology.

"Unfortunately, application control has a historical reputation of not being deployable or manageable for end-user systems," MacDonald says. "The reality is that application control can and will be successfully deployed for end user systems and provides excellent protection from these types of [advanced] attacks."

Crawford sits in the middle, stating that at first blush application control vendors can offer some proactive level of control in high enforcement mode, but that there are limitations.

"Administering high enforcement mode across a number of endpoints does very likely have its limits because you run the risk of having end users contact the support desk and saying, 'I can't load software I really need, and it's interfering with business processes,'" Crawford says. "It's not the solution for every endpoint for every situation."
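The limit Crawford points to is a rollout problem: switching an allow-list to high enforcement without first measuring what it would block is what generates the support-desk calls. The usual mitigation is an audit mode that records would-be blocks while still allowing execution, so the list can be completed before enforcement. The block below is an added example written for this page, not code from any application control vendor mentioned; the policy class, its fields, the hash placeholders and the execution events are all constructed.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class AllowListPolicy:
    """Allow-list with two modes: 'audit' records what would be blocked but lets
    it run; 'enforce' actually blocks. Hypothetical design, not a vendor's."""
    trusted_hashes: set
    trusted_publishers: set
    mode: str = "audit"
    would_block: Counter = field(default_factory=Counter)  # (path, user) -> count

    def is_trusted(self, exe: dict) -> bool:
        return (exe["sha256"] in self.trusted_hashes
                or exe.get("publisher") in self.trusted_publishers)

    def decide(self, exe: dict) -> str:
        """Return 'allow' or 'block' for one execution request."""
        if self.is_trusted(exe):
            return "allow"
        self.would_block[(exe["path"], exe["user"])] += 1
        return "allow" if self.mode == "audit" else "block"

    def rollout_report(self, min_users: int = 2) -> dict:
        """Summarise audit-mode findings: unlisted binaries, and which of them are
        in broad enough use that enforcing now would interrupt real work."""
        by_path = {}
        for (path, user), runs in self.would_block.items():
            entry = by_path.setdefault(path, {"users": set(), "runs": 0})
            entry["users"].add(user)
            entry["runs"] += runs
        widely_used = sorted(p for p, e in by_path.items() if len(e["users"]) >= min_users)
        return {
            "unlisted": sorted(by_path),
            "widely_used": widely_used,
            "runs_blocked_if_enforced": sum(e["runs"] for e in by_path.values()),
        }


# Constructed execution requests from several users; hashes are placeholders.
EVENTS = [
    {"path": "C:\\Windows\\System32\\notepad.exe", "sha256": "h-notepad",
     "publisher": "Microsoft Windows", "user": "alice"},
    {"path": "C:\\Tools\\reportgen.exe", "sha256": "h-reportgen", "publisher": None, "user": "alice"},
    {"path": "C:\\Tools\\reportgen.exe", "sha256": "h-reportgen", "publisher": None, "user": "bob"},
    {"path": "C:\\Users\\bob\\Downloads\\setup.exe", "sha256": "h-setup", "publisher": None, "user": "bob"},
    {"path": "C:\\Tools\\reportgen.exe", "sha256": "h-reportgen", "publisher": None, "user": "carol"},
]


def run_audit() -> tuple:
    """First pass: nothing is blocked, but the report shows what would have been."""
    policy = AllowListPolicy(trusted_hashes={"h-notepad"},
                             trusted_publishers={"Microsoft Windows"}, mode="audit")
    decisions = [policy.decide(e) for e in EVENTS]
    return decisions, policy.rollout_report()


def run_enforce() -> list:
    """Second pass: the widely used internal tool has been added to the list,
    so enforcement only stops the one-off download."""
    policy = AllowListPolicy(trusted_hashes={"h-notepad", "h-reportgen"},
                             trusted_publishers={"Microsoft Windows"}, mode="enforce")
    return [policy.decide(e) for e in EVENTS]


if __name__ == "__main__":
    decisions, report = run_audit()
    print("audit:", decisions, report)
    print("enforce:", run_enforce())
```

The report's `widely_used` list is the piece an administrator actually needs before flipping the mode: a binary run by several users that is missing from the list is almost certainly a business tool, not an intrusion, and adding it before enforcement is what keeps high enforcement mode viable for that population of endpoints.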

And in those cases where an infection still slips through the cracks of either whitelists or blacklists, that's where intelligence on the state of the endpoints matters. For their part, whitelisting vendors are teaming with others to offer that kind of intelligence and control. In fact, Bit9 just last week announced a partnership with FireEye and Palo Alto Networks to do so.

On his end, Prisco advocates agent-based technology as the way to get the right information. Crawford says that it depends on the use case. For example, the off-host capabilities of network access control technology have come a long way from the early days of NAC, and can offer a degree of visibility into endpoints connecting to the network.

"You've got to ask, what's the objective here? If you're looking to get a better handle on some sanity over what can access your network and what cannot, then the approach of doing preadmission inspection probably has some merit for maintaining visibility into the state of that endpoint," Crawford says. "But depending on how far you want to go in terms of visibility on that host and the level of control you want to exert on that host, then in those cases you are probably going to need some on-host capabilities."

In the end, threat intelligence plays a role in bridging the gap between network intelligence and endpoint malware detection capabilities -- whatever they are. According to Mike Rothman, analyst for Securosis, bidirectional communication between both is key.

"You want bidirectional communication so malware indicators found by the network device or in the cloud are accessible to endpoint agents," Rothman wrote recently in a piece on network-based malware detection. "Additionally, you want malware identified on devices to be sent to the network for further analysis, profiling, determination, and ultimately distribution of indicators to other protected devices."
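The bidirectional flow Rothman describes, indicators moving down from the network or cloud to endpoint agents and new detections moving back up for redistribution, is easiest to reason about as a small protocol between a hub and its agents. The following is an added example written for this page; it is not code from Securosis, Bit9, FireEye, Palo Alto Networks or any product named here. The hub and agent classes, the event shape, the local behavioural rule and every indicator value are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    kind: str   # "sha256" or "domain"
    value: str


class IndicatorHub:
    """Network/cloud side: append-only indicator log that remembers who reported what."""

    def __init__(self):
        self._log = []     # (seq, Indicator, source) in publication order
        self._source = {}  # Indicator -> first source to report it

    def publish(self, ioc: Indicator, source: str) -> bool:
        """Add an indicator; False if already known, so duplicates are not fanned out again."""
        if ioc in self._source:
            return False
        self._source[ioc] = source
        self._log.append((len(self._log) + 1, ioc, source))
        return True

    def feed(self, since_seq: int) -> list:
        """Everything published after the caller's cursor (pull model, so agents can be offline)."""
        return [entry for entry in self._log if entry[0] > since_seq]


class EndpointAgent:
    """Host side: pulls indicators down, pushes its own discoveries up."""

    def __init__(self, name: str, hub: IndicatorHub):
        self.name, self.hub = name, hub
        self.cursor = 0
        self.indicators = {}  # Indicator -> source

    def sync(self) -> int:
        entries = self.hub.feed(self.cursor)
        for seq, ioc, source in entries:
            self.indicators[ioc] = source
            self.cursor = seq
        return len(entries)

    def observe(self, event: dict) -> tuple:
        """event (constructed shape): sha256 of the executable, its path, outbound domain or None.
        Returns (verdict, indicator, source): 'match' on a known indicator, 'new' when the
        local rule fires and the hash is published to the hub, 'clean' otherwise."""
        candidates = [Indicator("sha256", event["sha256"])]
        if event.get("dest_domain"):
            candidates.append(Indicator("domain", event["dest_domain"]))
        for ioc in candidates:
            if ioc in self.indicators:
                return ("match", ioc, self.indicators[ioc])
        # Local rule (constructed, deliberately simple): an executable running out of a
        # temp directory that opens an outbound connection is treated as a detection.
        if event["path"].startswith("/tmp/") and event.get("dest_domain"):
            ioc = candidates[0]
            self.indicators[ioc] = self.name
            self.hub.publish(ioc, self.name)
            return ("new", ioc, self.name)
        return ("clean", None, None)


def run_scenario() -> list:
    """Constructed exchange: sensor -> agents, then agent -> hub -> the other agent."""
    hub = IndicatorHub()
    hub.publish(Indicator("domain", "c2.example"), "network-sensor")  # constructed indicator
    host_a = EndpointAgent("host-a", hub)
    host_b = EndpointAgent("host-b", hub)
    host_a.sync()
    host_b.sync()
    results = []
    results.append(host_a.observe({"sha256": "hash-curl", "path": "/usr/bin/curl",
                                   "dest_domain": "c2.example"}))
    results.append(host_b.observe({"sha256": "hash-updater", "path": "/tmp/.cache/updater",
                                   "dest_domain": "cdn.example"}))
    results.append(host_a.sync())  # host-a pulls host-b's discovery from the hub
    results.append(host_a.observe({"sha256": "hash-updater", "path": "/home/alice/Downloads/updater",
                                   "dest_domain": None}))
    results.append(host_a.observe({"sha256": "hash-ls", "path": "/usr/bin/ls", "dest_domain": None}))
    return results


if __name__ == "__main__":
    for step in run_scenario():
        print(step)
```

Two design points carry most of the value. The hub keeps provenance, so an analyst can tell an indicator that came from the network sensor apart from one a single host's heuristic produced and weight them differently. And agents pull by cursor rather than being pushed to, so a laptop that was off the network simply catches up on the next sync, including the hash that host-b reported while it was away.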

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.
