Compromise of client systems and devices has become the most common entry vector for enterprise cyber security breaches. In contrast to tightly controlled and intensely monitored datacenter assets, the client endpoint population is loosely managed with only modest oversight and generally scant endpoint visibility. Couple that with thousands of naïve and inexperienced non-IT users, and it represents a hugely tempting attack surface for targeted penetrations of enterprise cyber defenses.
Highly proficient attack organizations readily evade the usual enterprise network and endpoint security barriers, such as firewalls, sandboxes, and antivirus suites. This can be as simple as remixing the attack code to foil signature detection, while standing up fresh command and control infrastructure not yet blacklisted. With most enterprise security budgets invested in blocking of previously seen attacks, and without continuous endpoint monitoring, it is not difficult for skilled attackers to compromise endpoints and operate across the enterprise network completely undetected for extended periods.
Here are eight ways that enterprises may effectively step up the security stance of their endpoint populations. Keep in mind that there are no magic bullets, no Easy buttons—the right toolset can help amplify, but won’t displace, active engagement by skilled security staff.
1. Deploy and employ continuous endpoint monitoring
If you don’t have a continuous endpoint monitoring product, in the emerging endpoint security category Gartner terms Endpoint Detection and Response (EDR), then select, deploy, and employ one. You can’t defend what you can’t see, and EDR tools are specifically designed to provide transparent endpoint visibility for critical situational awareness.
2. Continuously monitor and resolve endpoint compliance
Periodic compliance audits don’t cut it. Continuously monitor and verify that mandated system and data security agents and mandated configuration settings are complied with across your endpoint population. The right EDR tool should support this basic capability. Endpoint compliance is not a sufficient condition for avoiding endpoint compromise, but it is a necessary one. Clean this up!
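The check described above, written out as an added example (not code from the page or from Ziften): each endpoint's reported state is compared against a mandated policy of required security agents and configuration settings, and every gap is emitted as a finding that can be queued for resolution rather than collapsed into a single pass/fail. The policy keys, agent names and host reports are constructed for illustration.

```python
"""Continuous endpoint compliance check (added example, not Ziften code).

Compares each endpoint's reported state against a mandated policy:
required security agents must be present and running, and mandated
configuration settings must hold the required values. Emits findings
rather than a single pass/fail so the gaps can be queued for resolution.
"""
from dataclasses import dataclass

# Hypothetical policy: agent names and settings are constructed for
# illustration and are not drawn from any real product.
POLICY = {
    "required_agents": {"edr-sensor", "av-engine", "disk-encryption"},
    "required_settings": {
        "firewall.enabled": True,
        "screen_lock.timeout_seconds": 600,
        "os.auto_update": True,
    },
}


@dataclass
class Finding:
    host: str
    kind: str      # "missing_agent", "agent_stopped" or "setting_drift"
    detail: str


def check_endpoint(host: str, report: dict, policy: dict = POLICY) -> list:
    """Return every compliance gap for one endpoint report."""
    findings = []
    agents = report.get("agents", {})  # agent name -> status string
    for name in sorted(policy["required_agents"]):
        status = agents.get(name)
        if status is None:
            findings.append(Finding(host, "missing_agent", name))
        elif status != "running":
            findings.append(Finding(host, "agent_stopped", f"{name}={status}"))
    settings = report.get("settings", {})
    for key, required in policy["required_settings"].items():
        actual = settings.get(key)   # None when the setting is absent
        if actual != required:
            findings.append(Finding(host, "setting_drift",
                                    f"{key}: expected {required!r}, got {actual!r}"))
    return findings


def compliance_summary(reports: dict, policy: dict = POLICY) -> dict:
    """Aggregate findings across the population: counts plus per-host gaps."""
    per_host = {h: check_endpoint(h, r, policy) for h, r in reports.items()}
    return {
        "total": len(reports),
        "compliant": sum(1 for f in per_host.values() if not f),
        "noncompliant_hosts": sorted(h for h, f in per_host.items() if f),
        "findings": per_host,
    }


# Constructed sample telemetry for three endpoints.
SAMPLE_REPORTS = {
    "ws-0101": {
        "agents": {"edr-sensor": "running", "av-engine": "running", "disk-encryption": "running"},
        "settings": {"firewall.enabled": True, "screen_lock.timeout_seconds": 600, "os.auto_update": True},
    },
    "ws-0102": {   # sensor stopped, encryption agent missing, firewall off
        "agents": {"edr-sensor": "stopped", "av-engine": "running"},
        "settings": {"firewall.enabled": False, "screen_lock.timeout_seconds": 600, "os.auto_update": True},
    },
    "ws-0103": {   # lock timeout drifted, auto-update setting absent
        "agents": {"edr-sensor": "running", "av-engine": "running", "disk-encryption": "running"},
        "settings": {"firewall.enabled": True, "screen_lock.timeout_seconds": 3600},
    },
}

if __name__ == "__main__":
    summary = compliance_summary(SAMPLE_REPORTS)
    print(f"{summary['compliant']}/{summary['total']} endpoints compliant")
    for host in summary["noncompliant_hosts"]:
        for f in summary["findings"][host]:
            print(f"  {host}: {f.kind}: {f.detail}")
```

Run continuously against fresh sensor reports, the `noncompliant_hosts` list is the work queue; a host that was compliant yesterday and drifts today (an agent stopped, a firewall switched off) shows up the same hour rather than at the next quarterly audit.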
3. Continuously monitor and resolve exposed vulnerabilities
Attackers employ exploit kits that operate against client-side vulnerabilities. Most enterprise endpoint populations are so rife with exposed vulnerabilities that exploit kits have little challenge in compromising victims. Google around to find which CVEs are supported by the more popular exploit kits, then compare those CVEs to the exposed vulnerability audit of your own organization. There are purpose-built tools for this, or the right EDR tool can provide such an audit. See how easily your endpoints can be pwned. Clean this up!
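The comparison this step calls for, as an added example that is not code from the page or from Ziften: the exploit-kit CVE lists are inverted into a CVE-to-kits map, joined against a per-host vulnerability audit, and the result is ranked so that the CVEs weaponized by the most kits and exposed on the most hosts are patched first. Every CVE identifier, kit name and host below is a constructed placeholder, not a real entry.

```python
"""Prioritize exposed vulnerabilities by exploit-kit coverage (added example).

Cross-references an endpoint vulnerability audit against the CVEs that
exploit kits are known to support, so the findings attackers can exploit
with off-the-shelf tooling are fixed first. All CVE identifiers, kit names
and hosts are constructed placeholders.
"""
from collections import defaultdict

# Constructed placeholder: which CVEs each (hypothetical) exploit kit supports.
EXPLOIT_KIT_CVES = {
    "kit-alpha": {"CVE-EXAMPLE-0001", "CVE-EXAMPLE-0002"},
    "kit-beta": {"CVE-EXAMPLE-0002", "CVE-EXAMPLE-0003"},
}

# Constructed placeholder audit: host -> set of CVEs found unpatched on it.
AUDIT = {
    "ws-0101": {"CVE-EXAMPLE-0002", "CVE-EXAMPLE-0009"},
    "ws-0102": {"CVE-EXAMPLE-0001", "CVE-EXAMPLE-0002", "CVE-EXAMPLE-0003"},
    "ws-0103": {"CVE-EXAMPLE-0009"},
    "ws-0104": set(),
}


def kit_coverage(kits):
    """Invert kit -> CVEs into CVE -> set of kits that weaponize it."""
    cover = defaultdict(set)
    for kit, cves in kits.items():
        for cve in cves:
            cover[cve].add(kit)
    return cover


def prioritize(audit, kits=EXPLOIT_KIT_CVES):
    """Rank exposed CVEs by (kit count, exposed host count), both descending.

    Each entry is (cve, kit_count, host_count, sorted_hosts). CVEs no kit
    supports still appear, at the bottom, so nothing drops off the list.
    """
    cover = kit_coverage(kits)
    hosts_by_cve = defaultdict(set)
    for host, cves in audit.items():
        for cve in cves:
            hosts_by_cve[cve].add(host)
    ranked = [(cve, len(cover.get(cve, ())), len(hosts), sorted(hosts))
              for cve, hosts in hosts_by_cve.items()]
    ranked.sort(key=lambda r: (-r[1], -r[2], r[0]))
    return ranked


def exposed_hosts(audit, kits=EXPLOIT_KIT_CVES):
    """Hosts carrying at least one kit-weaponized CVE, i.e. trivially compromisable."""
    weaponized = set(kit_coverage(kits))
    return sorted(h for h, cves in audit.items() if cves & weaponized)


if __name__ == "__main__":
    for cve, kit_count, host_count, hosts in prioritize(AUDIT):
        print(f"{cve}: {kit_count} kit(s), {host_count} host(s): {', '.join(hosts)}")
    print("hosts exposed to exploit kits:", exposed_hosts(AUDIT))
```

Feeding the real kit lists and the real audit into the same two functions gives the "how easily can we be pwned" answer as a number of exposed hosts, and a patch order that tracks what is actually being exploited rather than raw CVSS alone.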
4. Converge network and endpoint security contexts
Network security tools that collect network flow data can be greatly enhanced with the additional context available through continuous endpoint monitoring by EDR tools that can provide process attribution and user context. This converged network and endpoint context can give your Security Operations Center the instant visibility they need to rapidly resolve a network alert. The right EDR tool will have integrations in place with the leading network flow analytics providers to provide this enhanced visibility.
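The join behind that converged context, as an added example that is not code from the page or from any named vendor: a flow sensor records only the 5-tuple, while an endpoint sensor records which process, under which user, owned each local socket and for how long. Joining the two on (endpoint IP, source port, time window) attributes every flow to a process and user, and flows with no matching socket record are flagged rather than silently dropped. The records and the time-slack value are constructed assumptions.

```python
"""Enrich network flow records with endpoint process attribution (added example).

A flow sensor sees only 5-tuples; an EDR sensor sees which process, under
which user, owned each local socket and when. Joining on
(endpoint IP, source port, time window) turns
"10.0.0.12:51234 -> 203.0.113.7:443" into
"powershell.exe run by jdoe on ws-0102 contacted 203.0.113.7:443".
All records below are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    ts: int            # epoch seconds
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    bytes_out: int


@dataclass(frozen=True)
class Socket:
    host: str
    ip: str
    local_port: int
    pid: int
    process: str
    user: str
    opened: int        # epoch seconds
    closed: int        # epoch seconds, closed >= opened


def attribute(flow: Flow, sockets: list, slack: int = 5) -> Optional[Socket]:
    """Find the endpoint socket that owned the flow's source port at flow time.

    Ephemeral ports are reused, so the time window matters: the socket must
    have been open at flow.ts (within `slack` seconds to absorb clock skew
    between sensors). Returns None when no record matches (unmonitored host,
    sensor gap or spoofed source), which is itself a signal worth queuing.
    """
    candidates = [
        s for s in sockets
        if s.ip == flow.src_ip and s.local_port == flow.src_port
        and s.opened - slack <= flow.ts <= s.closed + slack
    ]
    if not candidates:
        return None
    # If a port was reused inside the slack window, take the record whose
    # open time is closest to the flow timestamp.
    return min(candidates, key=lambda s: abs(s.opened - flow.ts))


def enrich(flows, sockets):
    """Return [(flow, attribution-dict)] pairs ready for SOC display."""
    out = []
    for f in flows:
        s = attribute(f, sockets)
        out.append((f, {
            "host": s.host if s else None,
            "process": s.process if s else None,
            "user": s.user if s else None,
            "pid": s.pid if s else None,
            "attributed": s is not None,
        }))
    return out


# Constructed endpoint socket telemetry; note port 51234 reused on ws-0102.
SOCKETS = [
    Socket("ws-0102", "10.0.0.12", 51234, 4120, "powershell.exe", "jdoe", 1000, 1030),
    Socket("ws-0102", "10.0.0.12", 51234, 2201, "outlook.exe", "jdoe", 1200, 1260),
    Socket("ws-0101", "10.0.0.11", 40001, 880, "chrome.exe", "asmith", 1000, 1100),
]
# Constructed flow records from a network sensor.
FLOWS = [
    Flow(1010, "10.0.0.12", 51234, "203.0.113.7", 443, 2048),
    Flow(1230, "10.0.0.12", 51234, "198.51.100.20", 443, 512),
    Flow(1050, "10.0.0.11", 40001, "198.51.100.5", 443, 8192),
    Flow(1050, "10.0.0.99", 50000, "203.0.113.7", 443, 64),   # host with no sensor
]

if __name__ == "__main__":
    for flow, attr in enrich(FLOWS, SOCKETS):
        who = f"{attr['process']} ({attr['user']}) on {attr['host']}" if attr["attributed"] else "UNATTRIBUTED"
        print(f"{flow.src_ip}:{flow.src_port} -> {flow.dst_ip}:{flow.dst_port}  {who}")
```

The two reused-port flows on ws-0102 resolve to different processes because the join is time-bounded; a join on IP and port alone would mis-attribute one of them, which is exactly the kind of false lead the converged view is meant to eliminate.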
5. Move beyond defender mentality, become a hunter
According to Gartner research, it is prudent to assume any sufficiently large enterprise has active compromise somewhere across its endpoint and network landscape. The compromises your traditional security tools detect (i.e. previously seen attacks) may not be the highest risk threats you face; in fact, they may be diversions. Adopt an active hunter mindset to explore for signs of undetected compromise that poses the greatest risk from highly skilled targeted attack organizations. That is where network and endpoint visibility coupled with anomaly-seeking security analytics will be most helpful in putting your security staff on the trail while it is still warm.
6. Understand what is normal, check out what is not
To adopt the hunter mentality requires being able to recognize attacker signs, and that is done by learning what is normal in your enterprise and identifying significant departures from normality for staff attention. Tools that employ statistical divergence measures are very helpful in this role and can rapidly focus analyst attention on the most prominent anomalies.
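One statistical divergence measure applied to endpoint telemetry, as an added example that is not code from the page or from Ziften: each host is summarized as a distribution over which executables it launched, the enterprise baseline is the pooled distribution of the other hosts, and the Jensen-Shannon divergence between the two scores how far each host departs from normal. The process counts and host names are constructed; the choice of Jensen-Shannon (rather than some other measure) is this example's assumption.

```python
"""Rank endpoints by statistical divergence from the enterprise norm (added example).

Each host is summarized as a distribution over the programs it launched
(process starts per executable name). The baseline for a host is the pooled
distribution of every other host. Jensen-Shannon divergence between the two
scores how far the host departs from normal; the top of the list is where
analyst attention goes first. Counts below are constructed.
"""
import math
from collections import Counter


def _normalize(counts):
    total = sum(counts.values())
    return {k: v / total for k, v in counts.items()} if total else {}


def _kl(p, q):
    # Caller guarantees p and q share a support and q has no zeros on it.
    return sum(pv * math.log2(pv / q[k]) for k, pv in p.items() if pv > 0)


def js_divergence(p_counts, q_counts):
    """Jensen-Shannon divergence (base 2, so 0 <= JSD <= 1) between two count maps."""
    p, q = _normalize(p_counts), _normalize(q_counts)
    support = set(p) | set(q)
    p = {k: p.get(k, 0.0) for k in support}
    q = {k: q.get(k, 0.0) for k in support}
    m = {k: 0.5 * (p[k] + q[k]) for k in support}   # mixture never has zeros on support
    return 0.5 * _kl(p, m) + 0.5 * _kl(q, m)


def rank_hosts(host_counts, exclude_self=True):
    """Return [(host, jsd)] sorted by descending divergence from the pooled baseline.

    With exclude_self the baseline for each host is leave-one-out, so a single
    noisy host does not pull the norm toward itself.
    """
    pooled = Counter()
    for c in host_counts.values():
        pooled.update(c)
    ranked = []
    for host, counts in host_counts.items():
        baseline = pooled - Counter(counts) if exclude_self else pooled
        ranked.append((host, js_divergence(counts, baseline)))
    ranked.sort(key=lambda r: (-r[1], r[0]))
    return ranked


# Constructed process-launch counts: four ordinary office hosts and one
# host whose activity looks nothing like its peers.
ORDINARY = {"outlook.exe": 50, "chrome.exe": 40, "excel.exe": 10}
HOST_PROCESS_COUNTS = {
    "ws-0101": dict(ORDINARY),
    "ws-0102": dict(ORDINARY),
    "ws-0103": dict(ORDINARY),
    "ws-0104": dict(ORDINARY),
    "ws-0105": {"outlook.exe": 5, "chrome.exe": 5, "powershell.exe": 30,
                "certutil.exe": 20, "unknown.tmp.exe": 10},
}

if __name__ == "__main__":
    for host, score in rank_hosts(HOST_PROCESS_COUNTS):
        print(f"{host}: JSD={score:.3f}")
```

Because JSD is bounded and symmetric, scores are comparable across hosts and across days, so the same ranking logic works for other per-host distributions (destination ports, parent-child process pairs, logon hours) without retuning thresholds.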
7. Hone the capability for instant drilldown and rapid triage
Even with sophisticated security analytics and anomaly detection, there will still be more issues asking for attention than most organizations have analyst bandwidth to investigate. This is where instant drilldown via converged transparent network and endpoint visibility will allow your overburdened security staff to rapidly triage and minimize time spent on unproductive leads. Simpler issues should be resolvable in seconds, and more challenging issues within minutes. The product of staff skill level and their time efficiency can strongly determine your enterprise’s security effectiveness. Your tools should accelerate and amplify the application of human intelligence, not retard it.
8. Tightly integrate your response platform with threat intelligence feeds
Your EDR tool must be well-integrated with the latest threat intelligence in the form of real-time feeds that keep pace with the fast evolving threat environment. Several of the points above are greatly enhanced when combined with timely threat information, including suspect network contacts, latest vulnerability and exploit findings, most current binary analyses, etc. Even though skilled targeted attackers can evade these checks, for example using zero-day exploits, virgin C&C infrastructure, and remixed malware, you are still raising the bar for them and increasing the cost and difficulty of their attacks. You are also minimizing the time spent chasing down previously encountered threats that otherwise would divert precious analyst effort. Play smart, use the best available intelligence.
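The matching step that integration amounts to, as an added example that is not code from the page or from any OTX or vendor SDK: indicators of the kinds a real-time feed delivers (suspect IPs and domains, known-bad file hashes) are indexed with their source and confidence, endpoint network and process events are scanned against that index, and hits below a confidence threshold are held back so low-quality indicators do not divert analysts. All indicators, hashes and events are constructed placeholders.

```python
"""Match endpoint telemetry against threat-intelligence indicators (added example).

Takes a small indicator set of the kind a real-time feed would deliver
(suspect IPs/domains, known-bad file hashes) and scans endpoint events for
hits. Indicators carry a source and confidence so analysts can weight them.
All indicators, hashes and events below are constructed placeholders.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    kind: str        # "ip", "domain" or "sha256"
    value: str
    source: str
    confidence: int  # 0..100


def build_index(indicators):
    """Index by (kind, value) for O(1) lookup; keep the highest-confidence record per key."""
    idx = {}
    for ind in indicators:
        key = (ind.kind, ind.value.lower())
        if key not in idx or ind.confidence > idx[key].confidence:
            idx[key] = ind
    return idx


def _parent_domains(domain):
    """'mail.bad.example' -> ['mail.bad.example', 'bad.example'] (TLD excluded)."""
    parts = domain.lower().split(".")
    return [".".join(parts[i:]) for i in range(len(parts) - 1)]


def match_event(event, idx):
    """Return the indicators matching one endpoint event (network or process)."""
    hits = []
    if "dst_ip" in event:
        hit = idx.get(("ip", event["dst_ip"]))
        if hit:
            hits.append(hit)
    if "domain" in event:
        for d in _parent_domains(event["domain"]):   # a listed zone covers its subdomains
            hit = idx.get(("domain", d))
            if hit:
                hits.append(hit)
                break
    if "sha256" in event:
        hit = idx.get(("sha256", event["sha256"].lower()))
        if hit:
            hits.append(hit)
    return hits


def scan(events, indicators, min_confidence=50):
    """Return [(event, [indicators])] for events with a hit at or above the threshold."""
    idx = build_index(indicators)
    results = []
    for ev in events:
        hits = [h for h in match_event(ev, idx) if h.confidence >= min_confidence]
        if hits:
            results.append((ev, hits))
    return results


# Constructed sample: a hash of made-up bytes stands in for a known-bad binary.
SAMPLE_HASH = hashlib.sha256(b"constructed-sample-binary").hexdigest()
INDICATORS = [
    Indicator("ip", "203.0.113.7", "feed-a", 90),
    Indicator("domain", "bad.example", "feed-a", 80),
    Indicator("sha256", SAMPLE_HASH, "feed-b", 95),
    Indicator("ip", "198.51.100.20", "feed-c", 30),   # low confidence, filtered by default
]
EVENTS = [
    {"host": "ws-0102", "process": "powershell.exe", "dst_ip": "203.0.113.7", "dst_port": 443},
    {"host": "ws-0101", "process": "chrome.exe", "domain": "mail.bad.example"},
    {"host": "ws-0103", "process": "update.exe", "sha256": SAMPLE_HASH},
    {"host": "ws-0104", "process": "outlook.exe", "dst_ip": "198.51.100.20", "dst_port": 443},
    {"host": "ws-0104", "process": "outlook.exe", "domain": "safe.example"},
]

if __name__ == "__main__":
    for ev, hits in scan(EVENTS, INDICATORS):
        tags = ", ".join(f"{h.kind}={h.value} ({h.source}, {h.confidence})" for h in hits)
        print(f"{ev['host']} {ev['process']}: {tags}")
```

The index is rebuilt whenever the feed updates, so a fresh indicator applies to the next event rather than the next scheduled scan; raising `min_confidence` is the knob that trades missed low-quality hits for analyst time.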
About the Author
Al Hartmann is Chief Scientist at Ziften. Ziften is an Open Threat Exchange (OTX) partner.