One of the greatest challenges organizations face when it comes to endpoint security is identifying what is relevant and what actions can reduce the most amount of risk. Whether you have deployed endpoint antivirus or one of the many advanced threat detection solutions, or you are evaluating an endpoint detection and response (EDR) technology, at the end of the day, you have a limited number of resources. You must be decisive in taking action to minimize the chances of a breach and to ensure you are placing bets that will have the biggest payoff when it comes to reducing risk.
In this article, I offer some tips to help you sift through the noise and focus on actions that can dramatically improve your endpoint security program.
Tip #1: Gather Endpoint Context
Start by profiling your endpoints. Vulnerability scanners not only discover known and unknown endpoints, but also help provide context about them such as device type, installed applications, OS, and version information. Your DHCP and DNS severs are useful in identifying what to scan. Traffic-monitoring technologies that non-intrusively listen to network traffic can identify transient devices that might not be connected at the time of scanning. Also, use server logs -- from your Exchange email server or IIS server, for example -- to identify what devices connect to your environment.
Use this data to better understand the role your endpoints play, what types of services they support, and what other systems they communicate with. For example, is an endpoint a client that is accessed by a single user or a server that supports thousands of transactions such as a Web server? Is it a network infrastructure device that enables connectivity between the client and server? Is it running a current operating system or an older version that is vulnerable? Does it support critical applications?
Armed with this information, you can build appropriate scan policies and prioritize critical assets in your environment.
Tip #2: Use Vulnerability Context
Once you have a good understanding of what’s in your environment and have the context from scan results, use this information to prioritize remediation of what’s vulnerable and at risk or compromised already. Identify what vulnerabilities exist on the endpoint operating system and the applications that run on it. Use CVSS scores as a first step to help focus on the most severe vulnerabilities. CVSS scores break down vulnerabilities based on whether they are locally or remotely exploitable as well as the complexity of attack and level of access required.
Tip #3: Use Exploitability Context
At the enterprise level, there might be hundreds of critical endpoint vulnerabilities. So what can you do to make the process more manageable? As noted in the 2015 Verizon Data Breach Investigations Report, “a CVE [common vulnerability and exposure] being added to Metasploit is probably the single most reliable predictor of exploitation in the wild.” Include multiple commercial exploit frameworks such as Canvas, Core Impact, and Exploit Hub to complete the exploitability view of your environment. Exploitable vulnerabilities should be remediated promptly since attackers leverage these as a quick path to compromise. To further refine your approach, you can include context such as whether the endpoint is Internet facing, allowing an outside attacker to compromise the vulnerability remotely.
Tip #4: Use Threat Context
Adding threat context to your vulnerability results can help further prioritize what is critical. For example, modern vulnerability scanners can detect running processes on the endpoint. By correlating running processes against multiple threat intelligence feeds, you can identify rapidly changing malware that might not be detected by an antivirus engine. When you observe a malicious process with an exploitable and critical vulnerability on the endpoint, prioritize this particular event at the top of your response.
Here are some other scenarios to prioritize:
- A vulnerable endpoint that has an exploitable vulnerability that is communicating to a known command and control (C&C) server and sending data
- A vulnerable endpoint that has an exploitable vulnerability that is scanning other endpoints inside the network
- A vulnerable endpoint that has an exploitable vulnerability that is sending unencrypted PII data to an outside server
Tip #5: Prioritize Remediation
Once you have correlated threats and vulnerabilities, you have what you need to best prioritize your remediation efforts. Start with immediate needs and use countermeasures that you may already have. For example, if there are connections to a C&C server, prioritize response by blocking those communications with existing defenses such as a firewall or IPS.
Other types of responses include quarantining the host, blocking an application, or denying user permission to resources. It’s important to note that implementing blocking based on malware patterns may provide temporary shielding from the threat, but you may still remain susceptible to permutations of the attack so removing the vulnerability should be the next step.
Next, turn your attention to patching vulnerable hosts, focus on those that offer the biggest bang by identifying actions that reduce the most amount of risk first. Then, tackle the remaining vulnerabilities -- such as those that are most prevalent or those associated with specific asset groups that are critical to your environment. Don’t forget to independently verify your patching process by rescanning those assets and correlating the results to your patch-management system. You may find errors that prevented a patch from being applied or that your patch-management reporting is outdated.
Implementing a prioritized approach to endpoint security can help you focus on actions that can quickly reduce risk in your environment. To learn more about improving your endpoint security program, please join the Tenable Webcast titled “Four Reasons Why Endpoint Security Fails” on Nov 18th.