Dark Reading is part of the Informa Tech Division of Informa PLC



Sharpening Endpoint Security

Configuration Management

Configuration management helps companies detect and analyze the hardware and software on their networks. Done right, it provides the foundation for change management, policy auditing and enforcement. It also can feed into other areas of IT. For example, based on configuration management, information security teams can make more-informed decisions about vulnerability exposure by knowing what versions of software are installed on which machines. Depending on the level of detail captured, configuration management can even help identify the installation of rogue software and the use of unauthorized USB devices.

Configuration and policy management tools and processes let companies monitor endpoints, detecting changes that put the hosts at risk. In some cases, these tools can be used to revert a user's configuration back to its original state, overriding any changes the user made to local security settings, maintaining a consistent state among all endpoints and reducing vulnerabilities.

Reporting from configuration and policy management tools provides clues as to what happened to an endpoint system during a security incident. However, the accuracy of this data may be questionable, especially if the system is set to report only periodically rather than when a change is detected.

Change management tools also can measure the impact and risk that changes in settings and configurations create, limiting vulnerabilities that the IT organization itself creates. Changes to group policy, endpoint protection settings and anything else that directly affects endpoints are reviewed to ensure that they don't introduce vulnerabilities.
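The drift check the section describes, written as an added Python example rather than any vendor tool's code: each endpoint's reported settings are compared with a baseline, drift in security-relevant settings is rated high and turned into a revert plan, and hosts whose last snapshot is older than the reporting interval are listed as unverified (the accuracy caveat above). The setting names, hosts and timestamps are constructed for the example.

```python
"""Configuration drift check against a baseline (added illustrative example).

Endpoint snapshots are constructed dictionaries here; a real deployment would
populate them from the configuration management agent's inventory export.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Settings that directly affect endpoint exposure (assumed key names). Drift
# here is rated high and becomes a candidate for automatic revert.
SECURITY_SETTINGS = {"firewall_enabled", "uac_enabled", "autorun_disabled",
                     "usb_storage_allowed", "av_realtime_enabled"}

# Snapshots older than this are treated as unverified: a periodic reporter may
# have missed changes made after its last run.
MAX_SNAPSHOT_AGE = timedelta(hours=24)


@dataclass
class Drift:
    host: str
    key: str
    baseline: object
    current: object
    severity: str


def diff_endpoint(host, baseline, current):
    """Compare one endpoint's reported settings with the baseline."""
    findings = []
    for key in sorted(set(baseline) | set(current)):
        if baseline.get(key) != current.get(key):
            sev = "high" if key in SECURITY_SETTINGS else "low"
            findings.append(Drift(host, key, baseline.get(key), current.get(key), sev))
    return findings


def revert_plan(findings):
    """Return {host: {key: baseline_value}} for high-severity drift only."""
    plan = {}
    for f in findings:
        if f.severity == "high":
            plan.setdefault(f.host, {})[f.key] = f.baseline
    return plan


def fleet_drift(baseline, snapshots, now):
    """snapshots: {host: (reported_at, settings)}.
    Returns (findings, revert plan, hosts whose snapshot is too old to trust)."""
    findings, unverified = [], []
    for host, (reported_at, settings) in snapshots.items():
        if now - reported_at > MAX_SNAPSHOT_AGE:
            unverified.append(host)
            continue
        findings.extend(diff_endpoint(host, baseline, settings))
    return findings, revert_plan(findings), sorted(unverified)


# Constructed sample data
BASELINE = {"firewall_enabled": True, "uac_enabled": True, "autorun_disabled": True,
            "usb_storage_allowed": False, "av_realtime_enabled": True,
            "wallpaper": "corp.png"}
NOW = datetime(2013, 3, 6, 9, 0)
SNAPSHOTS = {
    "ws-101": (NOW - timedelta(hours=2), {**BASELINE, "firewall_enabled": False, "wallpaper": "cat.png"}),
    "ws-102": (NOW - timedelta(hours=1), dict(BASELINE)),
    "ws-103": (NOW - timedelta(hours=3), {**BASELINE, "usb_storage_allowed": True}),
    "ws-104": (NOW - timedelta(days=5), dict(BASELINE)),   # stale report, cannot be trusted
}

if __name__ == "__main__":
    findings, plan, unverified = fleet_drift(BASELINE, SNAPSHOTS, NOW)
    for f in findings:
        print(f"{f.host}: {f.key} {f.baseline!r} -> {f.current!r} [{f.severity}]")
    print("revert plan:", plan)
    print("unverified (stale snapshot):", unverified)
```

Only high-severity drift goes into the revert plan; cosmetic changes such as the wallpaper are reported but left alone, which keeps automatic enforcement limited to the settings that actually change the host's exposure.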

Patch Management

Keeping endpoints patched is fundamental to their security, though it doesn't get much attention unless Microsoft issues a security update or a patch is issued for a zero-day vulnerability. Native patch management tools are usually sufficient to install patches, but they tend to be weak in reporting patch levels across a company. Third-party tools improve reporting, offer options for creating custom patches and let companies manage patches across many different types of software and operating systems.

Whether you use native or third-party tools, you must patch endpoints regularly. You can verify the state of your patches using many vulnerability scanners.
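Because the weak point named above is reporting rather than installation, here is an added Python example (not from the article or any patch management product) that turns a fleet's installed-update inventory into the report a security team needs: missing updates per host, install rate per required update, and hosts whose inventory is too old to count. The update identifiers, hosts and dates are constructed placeholders, not real advisories.

```python
"""Patch-level reporting across a fleet (added illustrative example).

Installed-update data is constructed here; a real report would take it from
the patch management tool's export or a vulnerability scanner's results.
"""
from collections import defaultdict
from datetime import date

# Required updates per platform. The identifiers are placeholders.
REQUIRED = {
    "windows": {"UPD-1001", "UPD-1002", "UPD-1003"},
    "linux": {"UPD-2001", "UPD-2002"},
}
MAX_AGE_DAYS = 7  # inventories older than this are excluded from the rates

# Constructed fleet inventory: host -> (platform, installed updates, last check-in)
FLEET = {
    "ws-101": ("windows", {"UPD-1001", "UPD-1002", "UPD-1003"}, date(2013, 3, 5)),
    "ws-102": ("windows", {"UPD-1001"}, date(2013, 3, 5)),
    "ws-103": ("windows", {"UPD-1001", "UPD-1002"}, date(2013, 2, 1)),
    "srv-01": ("linux", {"UPD-2001", "UPD-2002"}, date(2013, 3, 4)),
    "srv-02": ("linux", {"UPD-2001"}, date(2013, 3, 4)),
}


def missing_updates(platform, installed):
    """Required updates for the platform that the host has not reported."""
    return sorted(REQUIRED[platform] - installed)


def fleet_report(fleet, today):
    """Return (per-host gaps, per-update install rate, stale hosts)."""
    gaps, stale = {}, []
    seen, have = defaultdict(int), defaultdict(int)
    for host, (platform, installed, last_seen) in fleet.items():
        if (today - last_seen).days > MAX_AGE_DAYS:
            stale.append(host)      # old data: report it, but don't count it
            continue
        missing = missing_updates(platform, installed)
        if missing:
            gaps[host] = missing
        for upd in REQUIRED[platform]:
            seen[upd] += 1
            if upd in installed:
                have[upd] += 1
    rates = {u: have[u] / seen[u] for u in seen}
    return gaps, rates, sorted(stale)


if __name__ == "__main__":
    gaps, rates, stale = fleet_report(FLEET, date(2013, 3, 6))
    for host, missing in sorted(gaps.items()):
        print(f"{host}: missing {', '.join(missing)}")
    for upd, rate in sorted(rates.items()):
        print(f"{upd}: {rate:.0%} installed")
    print("stale inventories:", stale)
```

Excluding stale hosts from the percentages avoids the false comfort of a high install rate computed partly from machines nobody has heard from in weeks; those hosts are the first thing to chase.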

Centralized Logging And Monitoring

IT is often so focused on maintaining server security and uptime that it overlooks the endpoint logs. These logs are a rich source of information that can feed into a security team's operational awareness of what's happening throughout its network. For example, Windows Event Logs show failed and successful logins, USB devices connected and software installed. Endpoint logs also show services that were shut down and processes that crashed, which could indicate that they've been disabled by an attacker or exploited through a Web-based exploit kit.

To make use of these logs, first figure out where you're going to store them. If there's no centralized log server or SIEM (security information and event management) system in place, set up a syslog server on Linux or Windows to begin collecting the logs. Or if you have the resources, a commercial log management and SIEM product can receive the events and provide event correlation, real-time alerting and detailed reports.

After you know where you're going to store them, you must get the logs from the endpoints to the central system. Tools such as InterSect Alliance's Snare and Tibco LogLogic's Lasso can help, and commercial SIEM products often include software agents to install on endpoints. These tools pull the logs from the local host and ship them via syslog, or a proprietary protocol, to a central syslog or SIEM system.

Some of these tools can filter the logs to forward only selected events; others forward everything. Choose carefully because you don't want to find out too late that you could have detected an attack sooner had you been collecting all the logs.

The biggest hurdle with centralized logging is getting started. After that, even baby steps are better than none. Start by slowly implementing daily and weekly log reviews to turn logs into actionable information, such as which users are most prone to malware infections. Then inventory new USB storage devices, and identify changes to local user accounts and group membership. From there, move on to correlated analyses that can help identify small problems and trends that indicate more serious issues.
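The daily review steps listed above, as an added Python example that is not part of the article or of any SIEM product: a small parser for forwarded endpoint events, review functions for failed logons, new USB storage, local account and group changes, stopped or crashed protection services and the users with the most malware detections, plus one correlation (an account created and then added to the local Administrators group on the same host within a short window). The log lines are constructed in a simplified "timestamp host eventid key=value" layout, the Windows event IDs (4624, 4625, 4720, 4732, 6416, 7034, 7036) are the real ones, and the AVDETECT record and ExampleAV service name are assumed stand-ins for an endpoint protection product's events.

```python
"""Daily endpoint log review over forwarded events (added illustrative example).

The lines below are constructed. Real forwarders and SIEM agents use their own
formats, so parse() is the part to adapt; the review functions work on the
resulting dictionaries.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2013-03-05T08:01:10 ws-101 4624 User=alice LogonType=2
2013-03-05T08:02:15 ws-102 4625 User=bob LogonType=10 Source=10.0.5.7
2013-03-05T08:02:19 ws-102 4625 User=bob LogonType=10 Source=10.0.5.7
2013-03-05T08:02:23 ws-102 4625 User=bob LogonType=10 Source=10.0.5.7
2013-03-05T08:10:00 ws-103 6416 DeviceDescription=USB_Mass_Storage_Device User=carol
2013-03-05T09:15:42 ws-101 7036 Service=ExampleAV State=stopped
2013-03-05T09:20:03 ws-101 AVDETECT User=alice Threat=Trojan.Sample
2013-03-05T11:05:30 ws-104 4720 TargetUser=svc_tmp Actor=dave
2013-03-05T11:05:45 ws-104 4732 Group=Administrators Member=svc_tmp Actor=dave
2013-03-05T13:40:00 ws-102 AVDETECT User=bob Threat=Adware.Sample
2013-03-05T13:41:00 ws-102 AVDETECT User=bob Threat=PUA.Sample
2013-03-05T15:00:00 ws-105 7034 Service=ExampleAV
"""

WATCHED_SERVICES = {"ExampleAV"}        # assumed name of the endpoint protection service
CORRELATION_WINDOW = timedelta(minutes=15)


def parse(text):
    """Turn 'timestamp host eventid key=value ...' lines into dictionaries."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, eid, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append({"time": datetime.fromisoformat(ts), "host": host, "id": eid, **kv})
    return events


def daily_review(events):
    """The first, simple reviews: counts and inventories, no correlation yet."""
    failed = Counter(e["User"] for e in events if e["id"] == "4625")
    usb = sorted({(e["host"], e["DeviceDescription"]) for e in events if e["id"] == "6416"})
    accounts = [(e["host"], e["id"], e.get("TargetUser") or e.get("Member"), e["Actor"])
                for e in events if e["id"] in ("4720", "4732")]
    services = [(e["host"], e["id"], e["Service"]) for e in events
                if e["id"] in ("7034", "7036") and e["Service"] in WATCHED_SERVICES]
    infections = Counter(e["User"] for e in events if e["id"] == "AVDETECT")
    return {"failed_logons": failed, "new_usb": usb, "account_changes": accounts,
            "service_problems": services, "infections": infections}


def correlate_new_local_admins(events):
    """Pair a local account creation (4720) with a later add of that account to
    Administrators (4732) on the same host within the window."""
    created = defaultdict(list)     # host -> [(time, user, actor)]
    for e in events:
        if e["id"] == "4720":
            created[e["host"]].append((e["time"], e["TargetUser"], e["Actor"]))
    hits = []
    for e in events:
        if e["id"] == "4732" and e["Group"] == "Administrators":
            for t, user, _ in created[e["host"]]:
                if user == e["Member"] and timedelta(0) <= e["time"] - t <= CORRELATION_WINDOW:
                    hits.append((e["host"], user, e["Actor"]))
    return hits


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    review = daily_review(evts)
    print("most failed logons:", review["failed_logons"].most_common(3))
    print("new USB storage:", review["new_usb"])
    print("account/group changes:", review["account_changes"])
    print("protection service problems:", review["service_problems"])
    print("most infection-prone users:", review["infections"].most_common(3))
    print("new local admins:", correlate_new_local_admins(evts))
```

The stopped ExampleAV service on ws-101 and the crash on ws-105 show why forwarding everything matters: both come from the System log, not the Security log, and a filter that only ships logon events would never see them.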

Host-Based Firewalls

Traditional firewalls that focus on port-based security aren't particularly helpful as the security perimeter changes. Today, most attacks come over ports that also carry legitimate traffic and can't be blocked, such as TCP ports 80 and 443. Endpoints are the new perimeter, and they're often exposed to the outside world through Web browsing, instant messaging, email and social networks. Configuring endpoints correctly is an important part of protecting enterprise data at the core.

For example, internal workstations typically don't need to talk to each other, so consider enabling firewalls on the individual hosts. Need to enable ICMP to see if machines are up? Then consider limiting that function to management servers and the workstations of systems administrators and help desk and security teams. When ports are opened for remote support or management tools, they should be locked down to just those authorized systems. Unnecessary host-to-host communications may let attackers move laterally through the network.
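A way to check the intended workstation policy before pushing it out, as an added Python example that is not from the article or from any firewall vendor: inbound rules are modelled as (protocol, port, allowed source network, action) with first match wins and default deny, ICMP and the remote-support port are allowed only from an assumed management subnet, and a lateral_exposure check confirms that a peer workstation can reach nothing. A weaker rule set that opens the remote-support port to the whole workstation subnet is evaluated alongside to show what the check catches. Subnets and ports are constructed.

```python
"""Host firewall rule set check for workstations (added illustrative example).

Rules are modelled here to test a policy's intent; this is not a vendor's rule
syntax. Addresses and subnets are constructed for the example.
"""
from ipaddress import ip_address, ip_network

MGMT_NET = ip_network("10.0.1.0/24")       # assumed management / admin subnet
WORKSTATIONS = ip_network("10.0.5.0/24")   # assumed workstation subnet

# Inbound rules on a workstation: (proto, port or None for any, source net, action).
# First match wins; anything unmatched is denied.
RULES = [
    ("icmp", None, MGMT_NET, "allow"),     # ping only from management systems
    ("tcp", 3389, MGMT_NET, "allow"),      # remote support only from management
    ("tcp", 445, MGMT_NET, "allow"),       # admin shares only from management
]

# A weaker variant that opens remote support to every workstation.
WEAK_RULES = RULES + [("tcp", 3389, WORKSTATIONS, "allow")]

# Ports commonly used for host-to-host management; a peer workstation should
# reach none of them.
LATERAL_PORTS = (135, 139, 445, 3389, 5985)


def evaluate(rules, src, proto, port=None):
    """Return 'allow' or 'deny' for an inbound flow from src."""
    s = ip_address(src)
    for r_proto, r_port, net, action in rules:
        if r_proto == proto and (r_port is None or r_port == port) and s in net:
            return action
    return "deny"


def lateral_exposure(rules, peer_ip, ports=LATERAL_PORTS):
    """Ports a peer workstation could reach under these rules (want: none)."""
    return [p for p in ports if evaluate(rules, peer_ip, "tcp", p) == "allow"]


def check_policy(rules, admin_ip="10.0.1.10", peer_ip="10.0.5.20"):
    """Summarise whether the rule set matches the intended policy."""
    return {
        "admin_can_ping": evaluate(rules, admin_ip, "icmp") == "allow",
        "peer_can_ping": evaluate(rules, peer_ip, "icmp") == "allow",
        "peer_open_ports": lateral_exposure(rules, peer_ip),
    }


if __name__ == "__main__":
    print("intended rules:", check_policy(RULES))
    print("weak rules:    ", check_policy(WEAK_RULES))
```

Run against the weak rule set, the report lists 3389 as reachable from a peer workstation, which is exactly the host-to-host path the section says to close.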

chart: 12 month outpoint for endpoint tech
