IT Focus Area: Security
June 15, 2017
Maturing Endpoint Security: 5 Key Considerations
Endpoints are everywhere. The word “endpoint” has transitioned from an allusion to desktops, laptops and corporate servers to a ubiquitous term encompassing smartphones, tablets, virtual machines, Internet of Things (IoT) devices and even printers, ATMs and point of sale (PoS) terminals. Endpoint security is the front line in the fight against cyber attacks, because every device that connects to a corporate network represents a potential back door. Hackers like to focus their efforts on endpoints because they are connected to the weakest link in enterprise data protection: humans.
"No matter what technology we put in place, no matter how much money we spend on protections for the organization, we still have people, and people are fallible."
- Theodore Kobus, leader of law firm BakerHostetler’s Privacy and Data Protection team
Verizon’s 2016 Data Breach Investigations Report revealed that users and user devices represent the largest and fastest-growing target group. While there has been a notable acceleration of both the aggressiveness and sophistication of cybercriminals, enterprise security defenses have been slower to evolve. Hackers routinely compromise systems in minutes or less. Organizations, meanwhile, can take weeks or even months to discover that a breach has occurred — and it is typically customers or law enforcement that sound the alarm, not internal security measures.
Additionally, the WannaCry outbreak demonstrated that ransomware continues to increase and grow in complexity, getting stealthier and using automation to attack. Now, more than ever, it is critical to have the right endpoint protections in place, but security teams are struggling to implement effective endpoint security strategies.
Distinguishing the Good from the Bad
In the past, endpoint security focused on signature-based solutions such as anti-virus and host IPS to prevent exploits and malware propagation. The “signatures” are actually hash files of malicious code. Local endpoint protection solutions create a hash of any suspicious files and compare it against published signatures. If there is a match, the system executes a prescribed security action – removing or quarantining the infected file.
While traditional solutions are far from perfect, they do help to protect against threats – just not the new ones. A recent industry report found that 30 percent of malware attacks in the fourth quarter of 2016 were zero-day exploits that could evade anti-virus programs. That means the majority were not zero-days; attacks often originated from virus strains that have been around for months, if not years.
However, there are problems with relying solely on the capabilities of standard protection methods such as anti-virus solutions. According to the 2016 Verizon Data Breach Investigations Report, 99 percent of malware hashes are seen for 58 seconds or less. In fact, most malware is seen only once, which demonstrates how quickly hackers are modifying code in order to avoid detection. This renders controls that rely on signatures ineffective, since they can only protect against known threats, for which signatures already exist. Endpoint signature databases are essentially outdated in the time it takes to download them.
"When I started, we saw 30 pieces [of new malware] a day. Now it's 150,000 a day if not more. By the time tomorrow comes, it's all new again."
- David Perry, independent security consultant who has worked for Symantec, McAfee, F-Secure, and Trend Micro
Many malware attacks are now polymorphic, meaning they are specifically designed to avoid signature-based detection software; while their function is constant, their code automatically changes each time it is delivered. Columbia University researchers have shown there are more possible strains of polymorphic malware than there are atoms in the universe.
Despite modern threats, organizations have been slow to evolve their endpoint security strategies. Many companies have layered in numerous solutions over time; on average, they are monitoring 10 different security agents, and swiveling between at least five different interfaces to investigate and remediate incidents. This increases cost and complexity, and creates a lot of manual processes that strain limited staff and resources.
A 2016 Forrester security survey revealed that 80 percent of organizations are still relying on point products such as anti-virus. Less than 60 percent have implemented more advanced application control, and endpoint visibility and control solutions — tools that don’t rely on prior knowledge of a threat, and therefore offer better protection against unknown malware. Patching practices are also poor; only 63 percent of companies reported engaging in managed software patching. Considering the majority of all endpoint attacks involve a software exploit, that’s a tremendous security gap.
The Bottom Line
The days of simple endpoint protection are over. In order to keep pace with hackers’ methods, organizations need to refocus their endpoint security strategies with an eye towards enhancing current prevention methods, adding the ability to detect and respond to emerging threats, and automating security processes. The IT security skills gap requires organizations to do more with less. Time is critical; it is imperative to find a way to block attacks up front, identify threats that bypass prevention solutions, and integrate and automate for greater efficiency and faster time to containment.
“Now, more than ever, the “new threat, new widget” approach must evolve. It’s not sustainable to continue frantically filling cracks in a foundation that is sinking; we must begin building the proper foundation to begin with.”
- Brian Dye, executive vice president of McAfee and general manager of enterprise security products.
Traditional solutions such as anti-virus will remain part of the security equation for defending against persistent, run-of-the-mill malware, but they’re not enough to protect against attacks at the endpoint.
Introduction to Endpoint Detection & Response (EDR)
The need to bolster traditional endpoint protection methods has fueled the growth of a new breed of security technology designed to help organizations deal with the challenges of evolving threats: endpoint detection and response (EDR). Organizations that are struggling with alert resolution and incident response, as well as looking to improve security operation center (SOC) productivity, have been turning to EDR solutions.
Gartner predicts that “by 2020, 80% of large enterprises, 25% of midsize organizations and 10% of small organizations will have invested in EDR capabilities.”
EDR tools record endpoint activity and events (e.g., user, file, process, registry, memory and network events) and store that information either on the endpoint itself, or in a centralized database. Databases of known indicators of compromise (IOCs) and behavior analytics are then used to search the data for early breach identification in order to facilitate rapid response to malicious activity. EDR technology helps organizations achieve the following:
- Protect endpoints from known and unknown threats (including ransomware)
- Protect data wherever it resides, regardless of the endpoint’s function (a corporate server functions very differently from a smartphone, for instance) or the network it uses
- Centralize endpoint security with a holistic management platform that allows policies to be applied across all endpoints
EDR capabilities are offered both by stand-alone EDR providers and by emerging solutions from endpoint protection platform (EPP) providers. EDR solutions include all of the components of traditional endpoint defenses but also enable SOCs and IR teams to leverage additional capabilities such as ransomware detection, continuous endpoint recording, live endpoint investigation, remediation, and rapid attack blocking. They are generally broken down into the following categories:
Although EDR by definition is not “about” prevention, some EDR solutions can in fact facilitate the thwarting of attacks. These solutions make it more difficult for hackers to exploit vulnerabilities and infiltrate, install, and propagate malware on endpoints. Key prevention methods used by these solutions include application whitelisting/control, container-based virtualization, exploit prevention, algorithmic analysis, cloud sandboxing, as well as a suite of more traditional signature and rule-based methods, such as anti-virus, anti-malware, host IPS and host firewall.
Threat Detection and Response
Solutions in this category focus on detecting and investigating suspicious activities and issues on endpoints. They typically monitor process actions, file access information, network events and endpoint configuration changes, look for indicators of compromise (IOC), and can leverage machine learning as well as threat intelligence feeds from their own research teams and from third parties. In addition to detection, they also have response mechanisms to remediate the endpoint and limit propagation. Built-in incident response capabilities enable them to record successful intrusions to create a permanent record of the attack and use it to improve response procedures.
Endpoint Monitoring and Management
These solutions help organizations centrally enforce security policies, ensure proper controls are in place and reduce human-error misconfigurations. They also help to achieve key activities:
- Provision hardware and virtual systems
- Deploy hardware and software
- Patch operating systems and applications
- Inventory hardware and software assets
- Monitor software and licensing usage
- Manage configurations
- Manage reimaging, re-deployments and decommissioning of assets
With these tools, organizations can set a security baseline, ensure there is no drift from established standards, establish automatic updates, protect against user-induced errors, and block unapproved configuration changes. Some also offer an asset discovery feature, filling the critical need to discover all of the endpoints that are connected to the endpoint.
These tools provide continuous monitoring of endpoint anomalies and user behaviors, and enable the recovery and investigation of material found in endpoints, often related to a breach. They can rapidly acquire data from a variety of devices, provide disk-level forensic analysis for potential evidence, and produce comprehensive reporting. They help to create a timeline of an attack, determine which data was stolen and which endpoints were impacted, and map where malicious artifacts reside for faster remediation. Automated incident response capabilities enable them to kill processes, remove malicious files, and reset registry keys without downtime or the need to wipe and re-image hard drives. They are deployed primarily with the goal of learning from attacks that have evaded all other solutions within the organization, and they also facilitate future prevention.
Finding the Right Fit
There are numerous EDR solutions to choose from, as well as next-generation endpoint security solutions from EPP providers that incorporate EDR capabilities. The evolution of endpoint security technology is blurring the lines between EDR and EPP, and there is a convergence of capabilities that can cause confusion. EDR and next-generation EPP solutions have varying levels of capability maturity, and some use multiple methods to prevent and detect exploits and malware. When evaluating platforms, it is important to understand that there are a variety of tools under the EDR market category that work differently from one another, and they are often leveraged by disparate teams to consume various types of information.
Some tools focus on prevention; in other words, never allowing the malware to reach the endpoints. This often manifests itself through whitelisting or similar technologies. Others focus on detection, and do not have the ability to block the malware from executing, but instead focus on alerting the security team of potential issues. Lastly, some EDR tools focus on remediation, the main goal being to take an affected system off the network and triage the issue. Some solutions integrate well together, while others do not. Many companies leverage a vendor-independent technology partner to help them test and evaluate potential solutions to find the right fit.
Understanding goals is the first step to narrowing the field. Important considerations include business needs, technical requirements and internal capabilities (including the availability of threat hunters/analysts who can analyze the data the solution will provide), as well as the potential impact an EDR product will have on security operations. Professional security assessments can pave the way to successful deployment by evaluating the overall state of your organization’s endpoint security, and objectively detailing current policies, controls and processes.
A comprehensive evaluation is critical to finding the best match for an organization’s needs. Below are some initial questions to consider:
- What do you want to protect? What’s working, and what's not working?
- What are your precise needs for prevention, detection and remediation; are you looking for a solution that alerts before an attack, during an attempt in order to gather intelligence, and/or after an attack for forensic and historical analysis?
- Does the considered solution cover the organization’s disparate environment?
- How are staff going to consume the information?
- Which teams are going to consume it, and how will they get the information they need?
- What threat intelligence does the product provide, and does it require additional feeds to enhance the deployment?
- Are there industry-specific IOCs that the tool enhances?
- How will this fit in with currently installed security tools?
- Does it incorporate machine learning capabilities to replace processes that would otherwise require arduous human analysis?
- Does it provide the ability to remediate?
- Are the solution’s features mature enough?
- Is there appropriate internal staff in place, or will outside resources need to be engaged?
Building Your Strategy
In addition to evaluating EDR and next-generation EPP solutions, there are five key steps to maturing your organization’s endpoint security strategy:
1. Gauge Your Maturity
IT security is an iterative process. Organizations need to evaluate their current capabilities before they can advance their programs. Professional security assessments can help. By developing an understanding of your baseline and goals, you can make progress towards better endpoint security.
The maturity model below provides a measurable ranking, and a structure for objectively examining endpoint security practices. It can be leveraged to gain insight and provide information about the current state, and can also facilitate building a business case for attaining the resources needed to move up the maturity curve.
The following steps should be taken in order to appropriately leverage the maturity model:
- Assess the organization’s current level of maturity
- Define processes for improvement
- Align activities with business needs
- Get buy-in from senior management
- Continue on the path to improvement
Using this model helps to gauge current endpoint security practices, and provide a basic roadmap for organizations that want to further their efforts and make security part of their culture. Companies that are able to transition to Managed and Optimized levels typically have leadership that is interested in making security a core priority.
2. Ensure Comprehensive Protection
Endpoint security isn’t easy, and no single solution can keep up with today’s sophisticated, emerging threats. You need multiple technologies, co-located and working together in an integrated, automated fashion. That way, even if a threat makes it past one stage of defenses, the encounter can be learned from, and the threat can be stopped by a complementary control. By implementing defense layers that communicate with each other, greater efficiency and efficacy is achieved. Additionally, incorporating solutions that offer machine learning capabilities via endpoints and the cloud can enhance the ability to analyze file attributes, behaviors and relationships, and block both known and unknown malware without the need for exhaustive scans and signature updates.
A comprehensive endpoint security strategy includes a defense-in-depth architecture:
3. Centralize Management
It is not possible to manually manage all of the endpoints on your network. Cobbling together disjointed point solutions can lead to a variety of issues, including poor system integration, redundant alerts, and overwhelming administration duties.
While it is important to have a defense-in-depth endpoint security architecture, it is equally important to consolidate agents and processes wherever possible. With a centralized solution for monitoring endpoints, your organization can achieve the following:
- Fewer security incidents
- Easier deployment of complementary features or products
- Reduced technology and management costs
- Faster response to suspicious activity
By adopting a consolidated approach, the number of agents administered by security teams can be reduced, and manual tasks can be automated with streamlined workflows. Instead of spending hours battling disparate interfaces, analysts are empowered to control multiple layers of endpoint security with automated, “set-it-and-forget-it” capabilities. Integrated solutions such as EDR and next-generation EPP help organizations facilitate the handling of the whole process of endpoint security, including attack prevention, detection, and remediation.
4. Streamline Incident Response
Historically, too much IT security spending has focused on the prevention of data breaches, and not enough has gone towards preparing for the inevitable.
- Prevention alone fails: just read the data breach headlines making news on a weekly — if not daily — basis.
- Detection alone fails: consider the fact that the majority of incidents are detected externally by law enforcement such as the FBI, not internally by the victim organizations themselves.
- What’s left when all else fails? Incident response.
How can you gauge your organization’s IR capabilities?
Consider the following questions:
- Do you have an incident response program in place?
- Are employees aware of what constitutes an incident to begin with, and how to report and manage an incident?
- Do the endpoint security tools you’re using today adequately protect against and detect incidents, and contain attacks before harm is done?
- Has your program been updated and tested to support today’s cyber threats and compliance with breach notification requirements?
- Does the executive team know their role and what is expected of them?
- Do you have the staff, tools and relationships in place to accelerate your response to a serious security incident for containment and public management?
- Does your plan include considerations for retaining forensic and public relation firms that directly align to your cybersecurity insurance policy?
Professional services such as security program assessments can help organizations focus on their ability to detect and respond to security incidents, formally document the workflow required to triage and manage the incidents impacting the environment, and improve the processes that support current incident concerns. Compromise assessments help to determine if there has already been an incident or an incident is currently in progress. Additionally, interactive tabletop exercises and breach simulations — in conjunction with forensic and incident response “emergency services” partnerships — can also be of great value.
A comprehensive incident response plan will enable your organization to respond aggressively to an attack, maintain compliance, minimize damage and align defenses to mitigate future intrusions.
5. Bolster Security Awareness
Humans are the weakest link in any security strategy. Even the most advanced security controls can be accidentally or intentionally circumvented by human interaction. Many employees have neither the knowledge, nor the time to track whether or not their endpoints have updated security software installed. Defending against human behavior involves a combination of endpoint security solutions and increased awareness. Solutions such as EDR help to ensure every connected device is protected, and getting software updates. User security awareness at all levels of the organization is equally critical. After all, employees can't practice good security if they aren't educated about best practices, or informed of what the latest threats look like.
Many targeted attacks take the form of emails that leverage social engineering tactics and entice users to click on a malicious link or open an attached file, thereby triggering the hackers’ code and installing a back door for outbound communications to command and control servers. In Wombat Security's 2017 State of the Phish report, 76 percent of respondents reported being the victim of a phishing attack in 2016. The average business end user faces at least one risky email per day, and Verizon’s 2017 Data Breach Investigations report found that 1 in 14 were tricked into following a link or opening an attachment, and a quarter of those users went on to be duped more than once.
You can reduce successful phishing attacks and malware infections by continually educating employees — especially those with access to critical intellectual property — about the threat to their company, their personal information and their livelihood. Continuous security awareness training programs help organizations in all industries inform users about the latest security best practices, deliver targeted training when and where it’s most needed, and effectively change lax behaviors over time.
Mastering Modern Endpoint Security
Endpoint security is more complex than ever, requiring increased capability in our defenses. The volume and types of endpoints have evolved, increasing the number of operating systems, applications, attack surfaces and exploits that IT security teams have to deal with. As cybercriminals continue to come up with new ways to attack, we need new ways to respond. Next-generation endpoint security solutions built for centralization, consolidation, and integration bolster traditional prevention techniques, and offer advanced threat detection, investigation and response capabilities while streamlining operations. Endpoints will always appeal to attackers as doorways to systems and data. By staying on top of your maturity level, implementing comprehensive protection and centralized management with advanced EDR and EPP solutions, and streamlining incident response and security awareness programs, organizations can effectively master modern endpoint security, and meet the next generation of cyber challenges.
View more presentations from Forsythe Technology