Dark Reading is part of the Informa Tech Division of Informa PLC

Gathering More Security Data From Your Endpoints

Endpoint security intelligence and controls have not kept pace with similar visibility and management of the network

Even though many of the most troublesome and advanced threats hitting enterprise networks originate from the endpoint, most organizations today aren't investing in the same kind of visibility and control over these devices that they buy for the network. This disparity leaves organizations with a huge blind spot exactly where they need coverage most, experts say.

"We've seen this advancement in techniques for network-based detection, but we haven't seen quite that much advancement on the endpoint," says Scott Crawford, research director for Enterprise Management Associates. "And, yet, if you look at what the target is in most of these cases, the strategic target may be the users' privileges to sensitive data, so the tactical objective in a lot of cases is the endpoint. You're going to focus on compromising endpoint functionality to gain visibility into the users' activities and get access to their credentials."

According to Crawford, most enterprises largely lack this endpoint visibility and remain heavily dependent on legacy techniques, such as antivirus. Part of the reason is the scale and distribution of endpoints -- it is much more difficult to deploy technology that gives a centralized view of what's happening across the endpoint infrastructure than it is to get the equivalent view of the network. But if organizations don't try, they're going to miss a lot of the threat detection picture.


"If you're not doing a similar job of collecting intel from the endpoint that you're collecting on the network, or you can't identify where or if the endpoint has been compromised, then one of the legs of your stool is a little short," Crawford says.

This is a message that John Prisco, CEO of Triumfant, has been preaching for some time now. He's a firm believer that organizations have to invest in gathering far more information from their endpoints than they do today, so they can detect the configuration and behavioral changes that flag malicious activity.

"You've got to be fighting the battle in the trenches, and the trenches in this case would be the endpoint," he says. "You have to have something on the endpoint that isn't antivirus that's looking at changes [to the endpoint]. It has got to be looking at everything and making decisions based on normal behavior changes."

He believes that even beyond traditional antivirus, many of the advanced endpoint protection measures out today depend on the same fatal flaw.

"It all comes down to the rule set that's being used -- success and failure depends on the rule set or the thing that's making the decision as to whether something is malware or not," Prisco says. "There are a lot of fatal flaws out there, and there's one thing that ties them all together and that's prior knowledge. The most advanced adversaries are going to defeat all those products because their rule set is predictive."

Of course, not all endpoint security approaches depend on prior knowledge of the bad -- Prisco's argument against chasing known-bad signatures is the same one that application control and whitelisting vendors have been making for a long time, since a whitelist only needs to know what is permitted to run, not what the attacker will use. Prisco claims that whitelisting isn't feasible for endpoints -- "It's really cumbersome. I don't know anybody who would try to make whitelisting products work on an endpoint" -- but it's a contentious point up for debate.

Neil MacDonald of Gartner recently wrote that such claims about the cumbersome nature of application control are old-fashioned and based on previous iterations of the technology.

"Unfortunately, application control has a historical reputation of not being deployable or manageable for end-user systems," MacDonald says. "The reality is that application control can and will be successfully deployed for end user systems and provides excellent protection from these types of [advanced] attacks."

Crawford sits in the middle, stating that at first blush application control vendors have the capability to offer some proactive level of control in high enforcement mode, but that there are limitations.

"Administering high enforcement mode across a number of endpoints does very likely have its limits because you run the risk of having end users contact the support desk and saying, 'I can't load software I really need, and it's interfering with business processes,'" Crawford says. "It's not the solution for every endpoint for every situation."

And in those cases where an infection still slips through the cracks of either a whitelist or a blacklist, intelligence on the state of the endpoints becomes essential. For their part, whitelisting vendors are teaming with others to offer that kind of intelligence and control. In fact, Bit9 just last week announced a partnership with FireEye and Palo Alto Networks to do so.

On his end, Prisco advocates for agent-based technology to offer the right information. Crawford says that it depends on the use case. For example, the off-host capabilities of network access control technology have come a long way from the early days of NAC, and can offer a degree of visibility into endpoints connecting onto the network.

"You've got to ask, what's the objective here? If you're looking to get a better handle on some sanity over what can access your network and what cannot, then the approach of doing preadmission inspection probably has some merit for maintaining visibility into the state of that endpoint," Crawford says. "But depending on how far you want to go in terms of visibility on that host and the level of control you want to exert on that host, then in those cases you are probably going to need some on-host capabilities."

In the end, threat intelligence plays a role in bridging the gap between network intelligence and endpoint malware detection capabilities -- whatever they are. According to Mike Rothman, analyst for Securosis, bidirectional communication between both is key.

"You want bidirectional communication so malware indicators found by the network device or in the cloud are accessible to endpoint agents," Rothman wrote recently in a piece on network-based malware detection. "Additionally, you want malware identified on devices to be sent to the network for further analysis, profiling, determination, and ultimately distribution of indicators to other protected devices."
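The three ideas above can be shown working together in a small script: Prisco's point that an endpoint agent should diff the host against a known-good baseline rather than rely only on a malware rule set, the application-control decision that passes approved hashes without needing prior knowledge of the attacker, and Rothman's two-way flow in which indicators come down from the network side and unknown or confirmed-bad hashes go back up. This is an added example, not code from the article or from Triumfant, Bit9, or any other vendor named in it. The "endpoint snapshots" are constructed in-memory dicts of hypothetical paths to short byte strings standing in for file contents; on a real host the inventory step would walk the filesystem and autorun locations, and the allowlist would come from the organization's own approved software catalog.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field


def sha256(data: bytes) -> str:
    """Hex SHA-256 of a file's contents; the identity shared by the baseline
    diff and the allow/block lists."""
    return hashlib.sha256(data).hexdigest()


def inventory(snapshot: dict[str, bytes]) -> dict[str, str]:
    """Map every executable path in a snapshot to its content hash."""
    return {path: sha256(content) for path, content in snapshot.items()}


@dataclass
class Delta:
    """What changed on the host relative to the known-good baseline."""
    added: dict[str, str] = field(default_factory=dict)                 # path -> hash
    removed: dict[str, str] = field(default_factory=dict)               # path -> hash
    modified: dict[str, tuple[str, str]] = field(default_factory=dict)  # path -> (old, new)


def diff_inventory(baseline: dict[str, str], current: dict[str, str]) -> Delta:
    """Change detection: needs no knowledge of malware, only of the baseline."""
    delta = Delta()
    for path, digest in current.items():
        if path not in baseline:
            delta.added[path] = digest
        elif baseline[path] != digest:
            delta.modified[path] = (baseline[path], digest)
    for path, digest in baseline.items():
        if path not in current:
            delta.removed[path] = digest
    return delta


def decide(delta: Delta, allowlist: set[str], blocklist: set[str]) -> dict[str, list[str]]:
    """Classify each new or changed binary.

    block   - hash is a known-bad indicator (the prior-knowledge case)
    allow   - hash is on the application-control allowlist
    unknown - neither; the change itself is the alert, and the hash is the
              indicator worth sending upstream for analysis
    """
    verdicts: dict[str, list[str]] = {"allow": [], "block": [], "unknown": []}
    changed = list(delta.added.items()) + [(p, new) for p, (_, new) in delta.modified.items()]
    for path, digest in changed:
        if digest in blocklist:
            verdicts["block"].append(path)
        elif digest in allowlist:
            verdicts["allow"].append(path)
        else:
            verdicts["unknown"].append(path)
    return verdicts


# Constructed sample data (not real binaries): short byte strings stand in
# for executable contents, and the paths are hypothetical.
BASELINE_SNAPSHOT = {
    r"C:\Windows\System32\svchost.exe": b"svchost-build-1",
    r"C:\Program Files\App\app.exe": b"app-build-1",
}
CURRENT_SNAPSHOT = {
    r"C:\Windows\System32\svchost.exe": b"svchost-build-1",           # unchanged
    r"C:\Program Files\App\app.exe": b"app-build-2",                   # approved update
    r"C:\Users\alice\AppData\Roaming\update.exe": b"unknown-dropper",  # new, unlisted
    r"C:\Users\alice\AppData\Local\Temp\mal.exe": b"known-bad",        # new, known indicator
}
# Allowlist = hashes the organization has approved; blocklist = indicators
# pushed down from the network side (the network-to-endpoint direction).
ALLOWLIST = {sha256(b"svchost-build-1"), sha256(b"app-build-1"), sha256(b"app-build-2")}
BLOCKLIST = {sha256(b"known-bad")}


def run_check() -> tuple[Delta, dict[str, list[str]], list[str]]:
    """Baseline diff, allow/block decision, and the indicators to report upstream."""
    baseline = inventory(BASELINE_SNAPSHOT)
    current = inventory(CURRENT_SNAPSHOT)
    delta = diff_inventory(baseline, current)
    verdicts = decide(delta, ALLOWLIST, BLOCKLIST)
    # Endpoint-to-network direction: hashes the network side should analyze
    # and, once confirmed, distribute to the other protected agents.
    indicators = sorted(current[p] for p in verdicts["unknown"] + verdicts["block"])
    return delta, verdicts, indicators


if __name__ == "__main__":
    delta, verdicts, indicators = run_check()
    for kind, paths in verdicts.items():
        for path in paths:
            print(f"{kind:8s} {path}")
    print("indicators to report:", indicators)
```

Running it flags the approved update as allowed, the dropper in the user's roaming profile as unknown (the case a signature-only product misses, and the one the baseline diff catches), and the temp-folder binary as blocked by the network-supplied indicator. Crawford's caveat about high enforcement mode shows up in the "unknown" bucket: an agent in audit mode reports those paths and ships their hashes upstream, while one in high enforcement mode would also refuse to run them, which is exactly what generates the support-desk calls he describes.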

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.
