Dark Reading is part of the Informa Tech Division of Informa PLC



Sharpening Endpoint Security

Configuration Management

Configuration management helps companies detect and analyze the hardware and software on their networks. Done right, it provides the foundation for change management, policy auditing and enforcement. It also can feed into other areas of IT. For example, based on configuration management, information security teams can make more-informed decisions about vulnerability exposure by knowing what versions of software are installed on which machines. Depending on the level of detail captured, configuration management can even help identify the installation of rogue software and the use of unauthorized USB devices.

Configuration and policy management tools and processes let companies monitor endpoints, detecting changes that put the hosts at risk. In some cases, these tools can be used to revert a user's configuration back to its original state, overriding any changes the user made to local security settings, maintaining a consistent state among all endpoints and reducing vulnerabilities.

Reporting from configuration and policy management tools provides clues as to what happened to an endpoint system during a security incident. However, the accuracy of this data may be questionable, especially if the system is set to report only periodically rather than when a change is detected.

Change management tools also can measure the impact and risk that changes in settings and configurations create, limiting vulnerabilities that the IT organization itself creates. Changes to group policy, endpoint protection settings and anything else that directly affects endpoints are reviewed to ensure that they don't introduce vulnerabilities.
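The drift check described in this section, as an added example rather than code from the article or any configuration management product: an approved baseline for a workstation is compared with the agent's latest report, each difference is classified (rogue software, version mismatch, unauthorized local administrator, changed security setting, unauthorized USB device), settings drift is turned into a revert plan, and a staleness check flags reports that are older than the polling interval, which is the accuracy caveat raised above. Hostnames, product versions, settings and the report layout are all constructed for the example.

```python
"""Configuration drift detection for an endpoint against an approved baseline.

Added example; the baseline, the host report and the field layout are constructed.
"""
from datetime import datetime, timedelta

# Constructed: the approved state every standard workstation should match.
BASELINE = {
    "software": {"Adobe Reader": "11.0.2", "Java": "7u15", "Firefox": "19.0"},
    "local_admins": {"Administrator", "corp\\helpdesk"},
    "settings": {"firewall_enabled": True, "uac_enabled": True, "autorun_disabled": True},
    "usb_devices": set(),
}

# Constructed: what the configuration management agent last reported from one host.
REPORT = {
    "host": "WS-042",
    "reported_at": "2013-03-05T09:00:00",
    "software": {"Adobe Reader": "11.0.2", "Java": "7u15", "Firefox": "19.0", "uTorrent": "3.3"},
    "local_admins": {"Administrator", "corp\\helpdesk", "jsmith"},
    "settings": {"firewall_enabled": False, "uac_enabled": True, "autorun_disabled": True},
    "usb_devices": {"Kingston DataTraveler"},
}


def diff_drift(baseline, report):
    """Return drift findings as (category, item, expected, observed) tuples."""
    findings = []
    # Software not in the baseline is rogue; a known product at another version is a mismatch.
    for name, version in report["software"].items():
        if name not in baseline["software"]:
            findings.append(("rogue_software", name, None, version))
        elif baseline["software"][name] != version:
            findings.append(("version_mismatch", name, baseline["software"][name], version))
    # Anyone in the local Administrators group who is not in the baseline.
    for user in sorted(report["local_admins"] - baseline["local_admins"]):
        findings.append(("unauthorized_admin", user, None, "member"))
    # Security settings the user (or malware) changed locally.
    for key, expected in baseline["settings"].items():
        observed = report["settings"].get(key)
        if observed != expected:
            findings.append(("setting_changed", key, expected, observed))
    # USB storage that is not on the approved list.
    for device in sorted(report["usb_devices"] - baseline["usb_devices"]):
        findings.append(("unauthorized_usb", device, None, "connected"))
    return findings


def revert_plan(findings):
    """Settings drift can be pushed back to the baseline automatically; the rest needs review."""
    return {item: expected for cat, item, expected, _ in findings if cat == "setting_changed"}


def report_is_stale(reported_at, now, max_age_hours):
    """True when the last report is older than the polling interval.

    A host that reports only periodically may have changed since; treat stale
    data as a lower-confidence view during an incident.
    """
    age = datetime.fromisoformat(now) - datetime.fromisoformat(reported_at)
    return age > timedelta(hours=max_age_hours)


if __name__ == "__main__":
    for finding in diff_drift(BASELINE, REPORT):
        print(finding)
    print("revert:", revert_plan(diff_drift(BASELINE, REPORT)))
    print("stale:", report_is_stale(REPORT["reported_at"], "2013-03-06T10:00:00", 24))
```

The categories map onto the decisions the section describes: settings drift is reverted, while rogue software, a new local administrator or an unknown USB device are escalated to a person, since reverting those blindly can destroy evidence.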

Patch Management

Keeping endpoints patched is fundamental to their security, though it doesn't get much attention unless Microsoft issues a security update or a patch is issued for a zero-day vulnerability. Native patch management tools are usually sufficient to install patches, but they tend to be weak in reporting patch levels across a company. Third-party tools improve reporting, offer options for creating custom patches and let companies manage patches across many different types of software and operating systems.

Whether you use native or third-party tools, you must patch endpoints regularly. You can verify the state of your patches using many vulnerability scanners.
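The company-wide patch-level reporting that native tools are weak at, as an added example (not code from the article or from any patch management product): a software inventory such as a configuration management tool would export is compared against the minimum versions required after a patch cycle, versions are compared numerically rather than as strings (so "10.1.4" correctly sorts below "11.0.2"), and the result is a per-host gap list plus a compliance summary. Hostnames, products and version numbers are constructed.

```python
"""Patch-level report across endpoints from a software inventory.

Added example; the required versions and the inventory are constructed.
"""
import re

# Constructed: minimum versions the security team requires after the latest patch cycle.
REQUIRED = {"Adobe Reader": "11.0.2", "Java": "1.7.0.15", "Firefox": "19.0"}

# Constructed: installed versions per host, as exported by an inventory tool.
INVENTORY = {
    "WS-001": {"Adobe Reader": "11.0.2", "Java": "1.7.0.15", "Firefox": "19.0"},
    "WS-002": {"Adobe Reader": "10.1.4", "Java": "1.7.0.15", "Firefox": "18.0.2"},
    "WS-003": {"Adobe Reader": "11.0.2", "Java": "1.6.0.41"},
    "WS-004": {"Adobe Reader": "11.0.2", "Java": "1.7.0.15", "Firefox": "19.0.1"},
}


def version_key(version):
    """Split a dotted version into a tuple of ints so comparisons are numeric.

    Comparing the raw strings gets this wrong: "9.5" > "11.0" as text.
    """
    return tuple(int(part) for part in re.findall(r"\d+", version))


def missing_patches(inventory, required):
    """Return {host: [(product, installed, required), ...]} for out-of-date installs.

    A product that is not installed at all is not a patch gap and is skipped.
    """
    report = {}
    for host, installed in inventory.items():
        gaps = []
        for product, minimum in required.items():
            current = installed.get(product)
            if current is not None and version_key(current) < version_key(minimum):
                gaps.append((product, current, minimum))
        if gaps:
            report[host] = gaps
    return report


def compliance_summary(inventory, required):
    """Percentage of fully patched hosts and how many hosts each product is behind on."""
    gaps = missing_patches(inventory, required)
    per_product = {}
    for host_gaps in gaps.values():
        for product, _, _ in host_gaps:
            per_product[product] = per_product.get(product, 0) + 1
    compliant = len(inventory) - len(gaps)
    return {
        "compliant_pct": round(100 * compliant / len(inventory), 1),
        "per_product": per_product,
    }


if __name__ == "__main__":
    for host, host_gaps in missing_patches(INVENTORY, REQUIRED).items():
        for product, current, minimum in host_gaps:
            print(f"{host}: {product} {current} < required {minimum}")
    print(compliance_summary(INVENTORY, REQUIRED))
```

The same report is what you would reconcile against a vulnerability scanner's output: a host the inventory says is patched but the scanner still flags usually means the inventory is stale or the patch never applied.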

Centralized Logging And Monitoring

IT often is so focused on maintaining server security and uptime that it overlooks the endpoint logs. These logs are a rich source of information that can feed into a security team's operational awareness of what's happening throughout its network. For example, Windows Event Logs show failed and successful logins, USB devices connected and software installed. Endpoint logs also show services that were shut down and processes that crashed, which could indicate that they've been disabled by an attacker or exploited through a Web-based exploit kit.

To make use of these logs, first figure out where you're going to store them. If there's no centralized log server or SIEM (security information and event management) system in place, set up a syslog server on Linux or Windows to begin collecting the logs. Or if you have the resources, a commercial log management and SIEM product can receive the events and provide event correlation, real-time alerting and detailed reports.

After you know where you're going to store them, you must get the logs from the endpoints to the central system. Tools such as InterSect Alliance's Snare and Tibco LogLogic's Lasso can help, and commercial SIEM products often include software agents to install on endpoints. These tools pull the logs from the local host and ship them via syslog, or a proprietary protocol, to a central syslog or SIEM system.

Some of these tools can filter the logs to forward only selected events; others forward everything. Choose carefully because you don't want to find out too late that you could have detected an attack sooner had you been collecting all the logs.

The biggest hurdle with centralized logging is getting started. After that, even baby steps are better than none. Start by slowly implementing daily and weekly log reviews to turn logs into actionable information, such as which users are most prone to malware infections. Then inventory new USB storage devices, and identify changes to local user accounts and group membership. From there, move on to correlated analyses that can help identify small problems and trends that indicate more serious issues.
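The daily and weekly reviews just described, run over sample endpoint events as an added example (not code from the article, from Snare, Lasso or any SIEM): the block parses a small constructed log, then answers the questions the section lists, which users are most prone to malware infections, which USB storage devices are new, which local accounts and group memberships changed, which services died, and finally a simple correlation across event types. The lines use a constructed "timestamp|host|source|event_id|user|detail" layout as a log forwarder might normalize them, not raw Windows Event Log text; the Security event IDs 4625, 4720 and 4732 and System ID 7034 are real Windows IDs, while the Antivirus and DriverFrameworks lines are constructed sources.

```python
"""Turn forwarded endpoint logs into review findings.

Added example; the log lines and their normalized layout are constructed.
"""
from collections import Counter

# Constructed sample: timestamp|host|source|event_id|user|detail
SAMPLE_LOG = """\
2013-03-04T08:02:11|WS-017|Security|4625|bwong|Logon failure
2013-03-04T08:02:15|WS-017|Security|4625|bwong|Logon failure
2013-03-04T09:10:40|WS-031|Antivirus|1|jsmith|Malware detected: Trojan.Generic
2013-03-04T09:15:02|WS-031|DriverFrameworks|1|jsmith|USB storage connected: SanDisk Cruzer
2013-03-04T11:20:09|WS-031|Security|4732|jsmith|Member added to local group Administrators
2013-03-05T10:05:33|WS-031|Antivirus|1|jsmith|Malware detected: Adware.Toolbar
2013-03-05T13:44:19|WS-008|Security|4720|admin|User account created: svc_backup
2013-03-05T14:01:00|WS-008|System|7034|SYSTEM|Service Windows Defender terminated unexpectedly
2013-03-06T07:58:52|WS-022|Antivirus|1|bwong|Malware detected: Exploit.PDF
"""


def parse(log_text):
    """Parse normalized lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        parts = line.split("|", 5)
        if len(parts) != 6:
            continue
        ts, host, source, event_id, user, detail = parts
        events.append({"ts": ts, "host": host, "source": source,
                       "event_id": int(event_id), "user": user, "detail": detail})
    return events


def malware_prone_users(events):
    """Users ranked by number of antivirus detections: who needs training or a rebuilt machine."""
    return Counter(e["user"] for e in events if e["source"] == "Antivirus").most_common()


def new_usb_devices(events, known_devices):
    """(host, device) pairs for USB storage not on the approved list."""
    found = set()
    for e in events:
        if e["source"] == "DriverFrameworks" and "USB storage connected:" in e["detail"]:
            device = e["detail"].split(":", 1)[1].strip()
            if device not in known_devices:
                found.add((e["host"], device))
    return found


def account_changes(events):
    """Local account creations (4720) and group membership additions (4732)."""
    return [(e["ts"], e["host"], e["user"], e["detail"])
            for e in events if e["source"] == "Security" and e["event_id"] in (4720, 4732)]


def service_failures(events):
    """Services that died unexpectedly (7034); a dead security service deserves a look."""
    return [(e["ts"], e["host"], e["detail"])
            for e in events if e["source"] == "System" and e["event_id"] == 7034]


def correlate(events):
    """Hosts with both a malware detection and a local group change.

    Either alone is routine; together they suggest the infection led to escalation.
    """
    infected = {e["host"] for e in events if e["source"] == "Antivirus"}
    group_changed = {e["host"] for e in events
                     if e["source"] == "Security" and e["event_id"] == 4732}
    return sorted(infected & group_changed)


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print("malware-prone users:", malware_prone_users(events))
    print("new USB devices:", new_usb_devices(events, set()))
    print("account changes:", account_changes(events))
    print("service failures:", service_failures(events))
    print("infected hosts with admin group change:", correlate(events))
```

Each function is a single daily or weekly review; the correlation at the end is the first step toward the analyses the section recommends once the basic collection is in place.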

Host-Based Firewalls

Traditional firewalls that focus on port-based security aren't particularly helpful as the security perimeter changes. Today, most attacks come over ports that also carry legitimate traffic and can't be blocked, such as TCP ports 80 and 443. Endpoints are the new perimeter, and they're often exposed to the outside world through Web browsing, instant messaging, email and social networks. Configuring endpoints correctly is an important part of protecting enterprise data at the core.

For example, internal workstations typically don't need to talk to each other, so consider enabling firewalls on the individual hosts. Need to enable ICMP to see if machines are up? Then consider limiting that function to management servers and the workstations of systems administrators and help desk and security teams. When ports are opened for remote support or management tools, they should be locked down to just those authorized systems. Unnecessary host-to-host communications may let attackers move laterally through the network.
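The workstation policy described above, modeled as an added example (not the article's code and not tied to any firewall product): inbound rules for a standard workstation are evaluated top to bottom with a default deny, ICMP and the remote support port are allowed only from management servers and administrator workstations, and an audit function flags any allow rule whose source is broad enough to permit workstation-to-workstation traffic. The subnets, the port choices and the rule layout are constructed for the example.

```python
"""Least-privilege inbound policy for a workstation's host firewall.

Added example; the subnets, hosts and rule set are constructed.
"""
import ipaddress

# Constructed address plan.
MGMT_SERVERS = "10.0.1.0/24"        # patching, configuration management, monitoring
ADMIN_WORKSTATIONS = "10.0.2.0/28"  # sysadmin, help desk and security team machines
WORKSTATIONS = "10.0.100.0/22"      # ordinary user workstations
ANY = "0.0.0.0/0"

# Constructed inbound rules for a standard workstation, first match wins.
# Each rule: (action, source networks, protocol, destination port or None for any port)
RULES = [
    ("allow", [MGMT_SERVERS, ADMIN_WORKSTATIONS], "icmp", None),  # ping only from management
    ("allow", [MGMT_SERVERS, ADMIN_WORKSTATIONS], "tcp", 3389),   # remote support
    ("allow", [MGMT_SERVERS], "tcp", 445),                        # software push from management
    ("deny", [WORKSTATIONS], "any", None),                        # workstations never talk to each other
]
DEFAULT_ACTION = "deny"


def evaluate(src_ip, proto, dport, rules=RULES):
    """Return the action for an inbound packet: first matching rule, else default deny."""
    src = ipaddress.ip_address(src_ip)
    for action, networks, rule_proto, rule_port in rules:
        if not any(src in ipaddress.ip_network(net) for net in networks):
            continue
        if rule_proto != "any" and rule_proto != proto:
            continue
        if rule_port is not None and rule_port != dport:
            continue
        return action
    return DEFAULT_ACTION


def overly_broad_allows(rules, workstation_net=WORKSTATIONS):
    """Allow rules whose source overlaps the workstation subnet (or is any-address).

    These are the holes that let an attacker on one workstation reach another.
    """
    ws = ipaddress.ip_network(workstation_net)
    findings = []
    for rule in rules:
        action, networks, _, _ = rule
        if action != "allow":
            continue
        if any(ipaddress.ip_network(net).overlaps(ws) for net in networks):
            findings.append(rule)
    return findings


if __name__ == "__main__":
    print(evaluate("10.0.1.10", "icmp", None))     # management server ping
    print(evaluate("10.0.101.7", "icmp", None))    # another workstation ping
    print(evaluate("10.0.2.3", "tcp", 3389))       # help desk remote support
    print(evaluate("10.0.101.7", "tcp", 3389))     # workstation-to-workstation RDP
    print(overly_broad_allows(RULES))
```

The explicit deny for the workstation subnet is redundant with the default, but keeping it visible in the rule list makes the intent auditable; the audit function is the check to run before a rule "for remote support" is pushed out with a source of any address.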

[Chart: 12 month outpoint for endpoint tech]

2 of 3