Gathering More Security Data From Your Endpoints

Endpoint security intelligence and controls have not kept pace with similar visibility and management of the network

Even though many of the most troublesome and advanced threats hitting enterprise networks originate from the endpoint, most organizations today aren't investing in the same kind of visibility and control over these devices that they spend on network-based controls. This disparity leaves organizations with a huge blind spot where they need visibility most, experts say.

"We've seen this advancement in techniques for network-based detection, but we haven't seen quite that much advancement on the endpoint," says Scott Crawford, research director for Enterprise Management Associates. "And, yet, if you look at what the target is in most of these cases, the strategic target may be the users' privileges to sensitive data, so the tactical objective in a lot of cases is the endpoint. You're going to focus on compromising endpoint functionality to gain visibility into the users' activities and get access to their credentials."

According to Crawford, enterprises are missing this to a large degree, with most organizations maintaining a huge dependence on legacy techniques, such as antivirus. Part of it is the scale and distribution of endpoints -- it is much more difficult to deploy technology that will give centralized views of what's happening across the endpoint infrastructure, compared to network visibility. But if organizations don't try, they're going to miss a lot of the threat detection picture.


"If you're not doing a similar job of collecting intel from the endpoint that you're collecting on the network, or you can't identify where or if the endpoint has been compromised, then one of the legs of your stool is a little short," Crawford says.

This is a message that John Prisco, CEO of Triumfant, has been preaching for some time now. He's a firm believer that organizations have to invest in gathering more information from their endpoints than they do today, so they can better detect the configuration and behavioral changes that flag malicious activity.

"You've got to be fighting the battle in the trenches, and the trenches in this case would be the endpoint," he says. "You have to have something on the endpoint that isn't antivirus that's looking at changes [to the endpoint]. It has got to be looking at everything and making decisions based on normal behavior changes."

He believes that even beyond traditional antivirus, many of the advanced endpoint protection measures out today depend on the same fatal flaw.

"It all comes down to the rule set that's being used -- success and failure depend on the rule set or the thing that's making the decision as to whether something is malware or not," Prisco says. "There are a lot of fatal flaws out there, and there's one thing that ties them all together and that's prior knowledge. The most advanced adversaries are going to defeat all those products because their rule set is predictive."

Of course, not all endpoint security plays depend on prior knowledge -- Prisco's very arguments about chasing the known bad are the same ones that application control and whitelisting players have been beating the drum about for a long time. Prisco claims that whitelisting isn't feasible for endpoints -- "It's really cumbersome. I don't know anybody who would try to make whitelisting products work on an endpoint" -- but it's a contentious point up for debate.

Neil MacDonald of Gartner recently wrote that such claims about the cumbersome nature of application control are old-fashioned and based on previous iterations of the technology.

"Unfortunately, application control has a historical reputation of not being deployable or manageable for end-user systems," MacDonald says. "The reality is that application control can and will be successfully deployed for end user systems and provides excellent protection from these types of [advanced] attacks."

Crawford sits in the middle, stating that at first blush application control vendors have the capability to offer some proactive level of control in high enforcement mode, but that there are limitations.

"Administering high enforcement mode across a number of endpoints does very likely have its limits because you run the risk of having end users contact the support desk and saying, 'I can't load software I really need, and it's interfering with business processes,'" Crawford says. "It's not the solution for every endpoint for every situation."

And in those cases where an infection still slips through the cracks of either whitelists or blacklists, that's where the importance of intelligence on the state of the endpoints lies. For their part, whitelisting vendors are teaming with others to offer that kind of intelligence and control. In fact, Bit9 just last week announced a partnership with FireEye and Palo Alto Networks to do so.

On his end, Prisco advocates for agent-based technology to provide the right information. Crawford says that it depends on the use case. For example, the off-host capabilities of network access control technology have come a long way from the early days of NAC, and can offer a degree of visibility into endpoints connecting to the network.

"You've got to ask, what's the objective here? If you're looking to get a better handle on some sanity over what can access your network and what cannot, then the approach of doing preadmission inspection probably has some merit for maintaining visibility into the state of that endpoint," Crawford says. "But depending on how far you want to go in terms of visibility on that host and the level of control you want to exert on that host, then in those cases you are probably going to need some on-host capabilities."

In the end, threat intelligence plays a role in bridging the gap between network intelligence and endpoint malware detection capabilities -- whatever they are. According to Mike Rothman, analyst for Securosis, bidirectional communication between both is key.

"You want bidirectional communication so malware indicators found by the network device or in the cloud are accessible to endpoint agents," Rothman wrote recently in a piece on network-based malware detection. "Additionally, you want malware identified on devices to be sent to the network for further analysis, profiling, determination, and ultimately distribution of indicators to other protected devices."
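As an added illustration, not code from the article or from any vendor it names, the following Python models the two ideas above: an endpoint agent that flags changes against a known-good baseline (Prisco's point) and a hub that queues those observations for analysis and distributes only confirmed indicators back to every agent (Rothman's bidirectional flow). The paths, snapshots and hashes are constructed.

```python
import hashlib

def sha256(data):
    return hashlib.sha256(data).hexdigest()

# Constructed sample snapshots (executable path -> hash of contents); the
# hashes are of made-up byte strings, not real binaries.
BASELINE = {
    r"C:\Windows\System32\svchost.exe": sha256(b"constructed-svchost"),
    r"C:\Program Files\Acme\updater.exe": sha256(b"constructed-updater-v1"),
}
SNAPSHOT = {
    r"C:\Windows\System32\svchost.exe": sha256(b"constructed-svchost"),
    r"C:\Program Files\Acme\updater.exe": sha256(b"constructed-updater-v2"),  # legitimate update
    r"C:\Users\Public\rundl32.exe": sha256(b"constructed-dropper"),          # new, unknown
}

def detect_changes(baseline, current):
    """Files that are new or whose content changed since the baseline was taken."""
    return {p: h for p, h in current.items() if baseline.get(p) != h}

class Hub:
    """Network/cloud side: queues endpoint observations for analysis and
    distributes confirmed indicators to every enrolled agent."""
    def __init__(self):
        self.agents, self.pending, self.confirmed = [], set(), set()
    def submit(self, changes):
        # Endpoint -> network: queue for analysis rather than block on sight,
        # so a benign software update is not blacklisted fleet-wide.
        self.pending |= set(changes.values()) - self.confirmed
    def determine(self, h, malicious):
        # Verdict from a sandbox or analyst (simulated by the caller here).
        self.pending.discard(h)
        if malicious:
            self.publish({h})
    def publish(self, hashes):
        # Network -> endpoints: indicators from analysis or from a network sensor.
        self.confirmed |= hashes
        for agent in self.agents:
            agent.blocked |= hashes

class Agent:
    """Endpoint side: diffs its state against a baseline, reports upward, enforces."""
    def __init__(self, hub, baseline):
        self.hub, self.baseline, self.blocked = hub, baseline, set()
        hub.agents.append(self)
    def scan(self, snapshot):
        changes = detect_changes(self.baseline, snapshot)
        self.hub.submit(changes)
        return changes
```

A second agent enrolled on the same hub receives the dropper's hash as a blocked indicator after the hub's verdict, while the updated (benign) binary is never distributed.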

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.
