The area of security has the most increased focus recently is protecting the endpoint. Once you stop snickering, it makes some sense. For years (or decades, depending on how cynical you want to be) endpoint security was the beneficiary of the compliance driver. Whether the technologies actually protected anything was beside the point. Assessors would show up, and you needed to have AV. Then advanced attackers happened and the industry started innovating, starting with network security, leaving the endpoint largely unprotected.
But that’s no longer a defensible strategy. Endpoints are more likely untethered than not, so these devices are no longer within the corporate perimeter. You could route all traffic through your corporate network, but that defeats the purpose of the cloud and the Internet. We have seen a renaissance of sorts with lots of interesting technologies designed to protect endpoints. We covered many of these developments in our Advanced Endpoint and Server Protection paper.
But the fact remains: many organizations are not even prepared to deal with unsophisticated attackers. You know, that dude in the basement banging on your stuff with Metasploit. Those organizations don’t really need advanced security – their needs are more fundamental. They need to understand what really needs to get done – not the hot topic at industry conferences. They cannot do everything to fully protect endpoints, so they need to start with the essentials.
So this post is all about these Essential Practices of Endpoint Defense. Thanks to our friends at Viewfinity, we will turn this post into a short paper.
Securing Endpoints Is Hard
Why is this still a discussion? Endpoints have been around for decades, and organizations have spent tens of billions of {name your favorite currency} to protect these devices. But every minute more devices are compromised, breaches result, and your Board of Directors wants an explanation of why this keeps happening. Two issues underlie the difficulties of endpoint protection. First, let’s be candid. It’s a software issue – software has defects, which attackers exploit. Second, employees routinely fall for simplistic social engineering attacks, resulting in a software install or clicked link – the beginning of a successful attack.
And you are a target, regardless of the size of your organization. You have something someone else wants to steal, and they will try. Complicating the situation, adversaries continue to automate their reconnaissance and attack efforts. You are not protected by resource constraints – the entire Internet can be scanned for common vulnerabilities daily.
The status quo doesn’t work for our side. We need to take a step back, and look at protecting endpoints with fresh eyes. This provides an opportunity to determine what’s really essential.
Defending Endpoints
As we have alluded, there are two aspects to defending endpoints: hygiene and threat management. They are co-dependent – you cannot just address either on and expect your endpoints to be protected.
- Endpoint Hygiene: The operational aspects of reducing device attack surface are an integral aspect of endpoint security strategy. You need to ensure you have sufficient capabilities to manage patches and enforce security configuration policies. Additionally, you should ensure employees have the least privilege necessary on each device to prevent privilege escalation, and lock down device ports.
- Endpoint Threat Management: Advanced attackers are only as advanced as they need to be: they take the path of least resistance. But the converse is also true. When these adversaries need advanced techniques, they use them. Traditional malware defenses such as antivirus don’t stand much chance against a zero-day attack. An effective threat management process incorporates people, processes, and technology.
Now let’s dig into both aspects of endpoint defense to identify these essential practices.
Endpoint Hygiene
Consistent and effective hygiene practices are elusive, both personally (look at your dentist’s fancy car) and within security. It is not a lack of desire – everyone wants to ensure their devices are difficult to compromise. It has been a challenge of operational excellence. To be clear, effective hygiene practices don’t completely protect endpoints, but they certainly make them much harder targets.
The essential practices we lump into the hygiene bucket include:
- Patch Management
- Configuration Management
- Device Control
- Least Privilege
Patch Management
Patch managers install fixes from software vendors to address vulnerabilities. The most well-known patching process is Microsoft’s monthly Patch Tuesday, when the company issues a variety of software fixes to address defects in its products – many of which could result in system exploitation. Other vendors have adopted similar approaches, with a periodic patch cycle and out-of-cycle patches for more serious issues. Once a patch is issued your organization needs to assess it, figure out which devices need to be patched, and install it within the window specified by policy – typically a few days. A patch management product scans devices, installs patches, and reports on the success or failure of the process. Our Patch Management Quant research provides a detailed view of the patching process, so refer to it for more information.
Configuration Management
Configuration management enables an organization to define an authorized set of configurations for devices. These configurations can control pretty much everything that happens on the device, including: applications installed, device settings, running services, and on-device security controls. Another aspect of configuration management is the ability to assess configurations and identify changes, which is valuable because unauthorized configuration changes may indicate malware execution or an exploitable operational error. Additionally, configuration management can help ease the provisioning burden of setting up and reimaging devices after infection.
Device Control
End users love the flexibility USB ports provide for ‘productivity’. Unfortunately USB doesn’t just enable employees to share music with buddies – it also lets them download your entire customer database onto their phones. It all became much easier once the industry standardized on USB a decade ago. The ability to easily share data has facilitated employee collaboration, while also greatly increasing the risks of data leakage and malware proliferation. Device control technology enables you to enforce policy – both who can use USB ports and how – and capture whatever is copied to and from USB devices. As an active control, monitoring and control over device usage addresses a major risk.
Least Privilege
Employees don’t mean to mess up their devices, for the most part. But allowing them to install software, use new devices like printers, and change endpoint configurations can lead to device exploitation. So eliminating device owners’ ability to manage devices can dramatically reduce attack surface. That said, a lot of endpoint changes are legitimate, so a key aspect of implementing least privilege is ensuring there is a clear process to allow employees to do their jobs. For instance, trusted employees might be able to get a 24-hour grace period for a change, while less sophisticated employees may need to run through an approval process to install new software.
Endpoint Threat Management
We define threat management within the context of dealing with an attack, as a subset of a larger security program – typically the most visible capability. So it’s time to explain the components of threat management.
Assessment
You cannot protect what you don’t know about – that hasn’t changed and is not about to. So the first step is to gain visibility into all devices, data sources, and applications that present risk to your environment. Additionally you need to understand the security posture of anything you have to protect.
You need to know what you have, how vulnerable it is, and how exposed it is. With this information you can prioritize your exposure and design a set of security controls to protect your assets.
- Mission Assessment: As we described in our CISO’s Guide to Advanced Attackers, you need to understand what attackers will try to access in your environment, and why. We call this Mission Assessment, and it involves figuring out what’s important in your environment.
- Discovery: This process finds the endpoints and servers on your network and makes sure everything is accounted for. It includes an ongoing discovery process to shorten the window between something popping up on your network, you discovering it, and figuring out whether it has been compromised.
- Determine Security Posture: Once you know what’s out there you need to figure out how vulnerable it is. That typically requires some kind of vulnerability scan on the devices you discovered. There are many aspects to vulnerability scanning – at the endpoint, server, and application layers. Check out our Vulnerability Management Evolution research to understand how a vulnerability management platform can help prioritize operational security.
It may not be as sexy as a shiny malware sandbox or advanced detection technology, but these assessment tasks are necessary before you can even start thinking about building a set of controls to prevent attacks. Assessment needs to happen on an ongoing basis because your technology environment is dynamic, and the attacks you see are subject to change as well – sometimes daily.
Prevention
Next you try to stop attacks from succeeding. This is where most of the effort in security has been for the past decade, with mixed (okay – lousy) results. A number of new tactics and techniques are modestly increasing effectiveness, but the plain fact is that you cannot prevent every attack. It is now a question of reducing your attack surface as much as practical.
- Traditional Signatures: Signature-based controls are all about maintaining a huge blacklist of known malicious files to prevent from executing.
- Advanced Heuristics: You cannot depend on matching what a file looks like, so you need to pay close attention to what it does, and profile typical patterns of successful attacks. This is the concept behind the advanced heuristics used to detect malware.
- Application Control/Whitelisting: Application control implies a default deny posture on devices. You define a set of authorized executables that can run on a device, and block everything else. With a strong policy in place, application control provides true device lockdown – no executables (either malicious or legitimate) can execute without explicit authorization. Check out our Application Control research for a lot more detail on this approach.
- Isolation: In addition to better profiling malware and searching for indicators of compromise, another prevention technique with growing popularity is isolating executables from the rest of the device by running them in a sandbox. The idea is to spin up a walled garden for a limited set of applications, to shield the rest of the device from anything bad happening within those applications.
Now it’s time for the hard truth. You cannot block all attacks. Adversaries have gotten much better, attack surface has increased dramatically, and you are not going to prevent every attack. Pwnage happens, so what you do next is critical – both to protecting critical information in your environment, and to your success as a security professional.
Detection
There are a number of different options for detection – most based on watching for patterns that indicate a compromised device. The key is to shorten the time between when the device is compromised and when you discover it has been compromised.
In the broader sense, detection needs to include finding attacks you missed during execution because:
- You didn’t know it was malware at the time – which happens frequently, especially given how quickly attackers innovate. Advanced attackers have stockpiles of unknown exploits (0-days) which they use as needed. So your prevention technology could be working as designed, but still not recognize an attack. There is no shame in that.
- The prevention technology missed the attack – This is common because advanced adversaries specialize in evading known preventative controls.
So how can you detect after compromise? Monitor other data sources for indicators that a device has been compromised. Very few organizations have the dubious distinction of being first to see a new ‘advanced’ attack, so you should be able to look for emerging attack indicators, IP and file reputation, etc. as a basis for detecting attacks. This kind of “threat intelligence” enables you to benefit from the misfortune of others, by looking for attacks you haven’t seen yet.
Once you identify a potentially compromised device, you need to verify your suspicion. Verification involves scrutinizing what the endpoint has done recently for indicators of compromise, or other activity that confirms a successful attack.
Investigation
Once you detect an attack you need to verify the compromise and understand what it actually did. This typically involves a formal investigation – including a structured process to gather forensic data from devices, triage to determine the root cause, and a search to determine how widely the attack spread within your environment.
- Data Capture: To really investigate a device you need to capture what’s happening on endpoints and servers at a very granular level. This includes file activity, registry changes, privilege escalation, executed programs, network activity, and a variety of other activity on the device.
- Analytics: Endpoints and servers generate a huge amount of data, so a product needs to perform Big Data style analysis on telemetry data to identify patterns and develop relationships across data sources. Having the data is the first step. Supplementing it with external information to help prioritize focus areas is second. Being able to analyze data to provide useful information to security practitioners and incident responders is the third leg of the device activity monitoring triangle.
Remediation
Once you understand what happened you can put a plan in place to recover. This might involve cleaning the machine, or more likely reimaging it and starting over again. This step can leverage ongoing hygiene activities (such as patch and configuration management), because you can and should use tools you already have to reimage compromised devices.
It also requires tight integration with the Operations team – most organizations separate out threat management functions from endpoint operations functions. This means integrating systems and ensuring that the handoffs between the security and Ops teams are well-structured and efficient.
Bringing It All Together
The key to making both sides of endpoint defense work well is a common data model. You should be able to integrate and analyze data about endpoints, without moving between systems or only looking at only half the story (either threat management or hygiene). For example if you detect a known malware file on an endpoint you know has been patched to protect it from that compromise, you can move on to other more pressing concerns.
On the other side of the coin, if a different device has known malware installed and recently escalated privileges (as recorded by policy), you know that’s a serious problem; you can immediately quarantine the device by shutting down the network connectivity, then locking down what software it can execute by enforcing a whitelisting policy. Without hygiene and threat management consolidating data into a common view you cannot attain that level of integrated defense.
You do not need to use one solution for everything, but you must be able to integrate data to build a consistent end-to- end view. This might involve sending data to a separate aggregation platform like a SIEM or security analytics product, or ensuring that both your hygiene and threat management vendors can export data to your integration point.
Summary
Perfectly defending against endpoint attacks is a pipe dream, so organizations need to shift away from ineffective legacy protection technologies and procedures. Endpoint security has two major components: hygiene and threat management. Neither is sufficient itself – you need to implement and test both to adequately defend endpoints. It is tempting to focus on state-of-the-art defenses to protect against advanced attacks, but without a strong foundation to reduce attack surface and ensure endpoint hygiene, your devices will be compromised.
This is another situation where you need to walk before you can run. Get the essential pieces of the foundation in place, and then layer more advanced prevention and detection technologies onto your foundation. That isn’t what most organizations want to hear, but it’s necessary. If you can’t get the basic functions right you have no chance against an adversary who knows what they are doing.
Comments