Endpoint security may be the best investment you have ever made. According to a Ponemon survey The 2017 State of Endpoint Security Risk the average cost to an organization of attacks that managed to breach endpoint security was $5 million.
In this article, we will look at what you need to know about endpoint security in order to develop a workable strategy to mitigate endpoint-related incidents.
What is an endpoint?In IT, an endpoint is a device e.g. a computer, mobile or wireless device, server, etc. that has a remote connection to a network, and is a potentially vulnerable access point or gateway to a network.
What is endpoint security?Endpoint security involves creating policies that lay down the rules with which devices must comply before they can access network resources. Endpoint security is particularly important today as more and more organizations adopt BYOD, increasing the number of devices presenting a risk to the network.
Traditional anti-virus protection is no longer sufficient to protect endpoints and organizations. The four essentials of an effective endpoint security strategy are:
Discovery (and Inventory) Discovery and vulnerability scanning tools can help you inventory your network assets as well as unprotected endpoints, and assist you in drawing up a security requirements plan Monitoring (and Threat Hunting) A centralized endpoint management tool will enable automated, consistent monitoring of the network and should include active threat hunting software Protection While anti-virus is not sufficient on its own as an endpoint security strategy, implementing an advanced anti-malware application is non-negotiable Response (and Alerting) Your network management tool must include the capability for instant remediation in the event of a breach. You will also need a written incident response policy. Important steps to mitigate cyber security incidents generallyAn endpoint security strategy is just one part of an organization’s bigger cybersecurity picture. Endpoints do not operate in a vacuum; patching your operating system, performing daily backups and educating your users will all contribute to bolstering your endpoint security.
A document developed by the Australian Signals Directorate (ASD) Strategies to Mitigate Cyber Security Incidents Mitigation Details provides an excellent overview of all the steps you need to take to bolster the security of your entire system, including its endpoints. The list is comprehensive and gives a sobering overview of the challenges your IT security employees need to address. The following steps are lifted verbatim from the document and provide a useful checklist for companies to analyze their current protection policies and potential vulnerabilities, including those related to endpoints.
Mitigation strategies to prevent malware delivery and execution Application whitelisting Patch applications Configure Microsoft Office macro settings User application hardening Automated dynamic analysis of email and web content run in a sandbox Email content filtering Web content filtering Deny corporate computers direct Internet connectivity Operating system generic exploit mitigation Server application hardening Operating system hardening Antivirus software using heuristics and reputation ratings Control removable storage media and connected devices Block spoofed emails User education Antivirus software with up-to-date signatures TLS encryption between email servers Mitigation strategies to limit the extent of cyber security incidents Restrict administrative privileges Patch operating systems Multi-factor authentication Disable local administrator accounts Network segmentation Protect authentication credentials Non-persistent virtualized sandboxed environment Software-based application firewall, blocking incoming network traffic Software-based application firewall, blocking outgoing network traffic Outbound web and email data loss prevention Mitigation strategies to detect cyber security incidents and respond Continuous incident detection and response Host-based intrusion detection/prevention system Endpoint detection and response software Hunt to discover incidents Network-based intrusion detection/prevention system Capture network traffic Mitigation strategies to recover data and system availability Daily backups Business continuity and disaster recovery plans System recovery capabilities Mitigation strategy specific to preventing malicious insiders Personnel managementAccording to a Kaspersky Lab article How to mitigate 85% of threats with only four strategies the ASD directorate is “the best publicly available guidelines from a government organization on how to successfully fight APTs.”
In an innovative approach to developing security foci, Kaspersky summarizes the ASD’s strategies (what we have labeled steps) by four logical types. Next to each type below, we suggest an example of an application of this strategy, applicable to endpoint security:
Administrative Training and security awareness: A 2016 survey What are the biggest threats to endpoint security in your organization? of security professionals found that negligent employee behavior when it came to following organizations’ security rules and procedures was the biggest endpoint security threat. Networking Network segmentation can prevent unauthorized traffic from spreading across a breached network and affecting other endpoints. System administration Software patching: A new trend in endpoint security threats is the fileless attack . According to Mcafee, the best protection is keeping your software up-to-date. Specialized security administration Endpoint Detection and Response ( EDR ) software to find vulnerabilities before a breach occurs. 5 strategies to mitigate endpoint incidentsProfessional endpoint security solutions usually provide the software to help you implement the below strategies, but there are also free and open source tools to help you get started. It is recommended you use a free tool initially to map the endpoints on your network in order to get a better understanding of your security requirements. A specialist tool can later do a more detailed scan.
Network analysis You can’t protect an endpoint you don’t know is there, what in the industry is called a dark endpoint, rogue access point or blind spot. You can use an automated network discovery tool to inventory your endpoints, identify who is accessing them and what software they are running. Brush up on modern endpoint security techniques DLP, EDR, NAC, HIPS … do you know what these techniques are all about? Read more below. Research specialized endpoint security solution options There is a plethora of professional endpoint security suites on the market. It can be confusing. Learn what to ask a vendor before you select a solution. Solution Review provides some tips below. Prioritize automated endpoint detection and response (EDR) EDR should be the cornerstone of your strategy as, amongst other things, it proactively hunts for potential threats. Implement an endpoint security policy This should be a written document that describes the software and hardware your company has employed to protect network endpoints. It should also provide security guidelines for employees, e.g. how to secure their BYOD endpoints. Modern security techniquesWhen you choose an endpoint solution, ask your vendor whether their product includes the following layers of protection:
Host-Based Intrusion Prevention System (HIPS) Incorporates intrusion detection and firewall elements to alert users to attempted malicious activity and prevent it being carried out. It protects your network from known and unknown cyber attack by monitoring code for suspicious activity on a host. For example, a HIPS might notice that code is being executed to try and shut down your anti-virus and prevent it from doing so. Data Loss Prevention (DLP) Designed to help network administrators prevent sensitive information from being sent outside a network, e.g. emails or files. Network Access Control (NAC) Enforces policies that define who can have access to a network and what privileges they have, e.g. employees versus guests. For example, NAC can ensure compromised endpoints are shut down in the event of an incident. Endpoint Detection and Response (EDR) A one-stop solution that allows administrators to monitor networks, detect and investigate possible threats, and respond to attack. EDR utilizes complex analytic algorithms to provide constant visibility into the network from a centralized portal. Top EDRs allow integration with 3rd party tools, enabling organizations to customize their endpoint security strategy and align it with their existing security software.Security Awareness
Specialized endpoint security solutionsExpensive but worth it, specialist, reputable endpoint solution vendors include Check Point , Comodo , Symantec , Kaspersky and McAfee . The problem is not the price but deciding which solution to run with. Largely, the above products are very similar; they are just marketed differently.
The Check Point solution provides an example of what basic features you should be looking for to protect your endpoints:
Ability to encrypt entire disks, removable devices and ports Advanced anti-virus and anti-malware software Intelligent behavioral analysis and reporting Remote access VPN for employees on the road An advanced firewall and compliance checking ability to ensure endpoint behavior is in accordance with your organization’s security policies Sandbox isolation and quarantine of threats and compromised hosts An endpoint policy management dashboard that provides maximum visibility into all security areas in the company and allows for immediate remediation in the event of an incidentSolutions Review’s Endpoint Security Buyer’s Guide (paywall) is a guide to choosing an endpoint solution from the most popular vendors. The downloadable PDF includes tips on what you should ask your potential new provider:
Does the product’s core functionality anti-malware, firewall and device control feature the latest techniques, e.g. behavioral detection? Is the solution platform- and OS-agnostic? Does it have a centralized management console that can provide a granular view of your data? How does it react to unexpected threats, e.g. Zero Day? What support does the vendor offer? Free endpoint security toolsBearing in mind that you (hopefully) have security software and policies in place, it might be a good idea to try before you buy and explore your options. This will give you a high-level view of your current endpoint security situation, and help you learn more about your network, the devices connected to it and what the best solution for your requirements might be.
Use Shodan to identify any unprotected internet-connected devices on your network Try PacketFrence , a free Network Access Control (NAC) solution Experiment with a solution that offers a trial evaluation . eSecurity Planet has done all the research. Also, check out SecureAPlus , DeviceLock and Comodo . Two network discovery tools to try out are Open-AudIT and NetSurveyor Nmap is a popular, and powerful, open source network mapper OPSWAT is a free endpoint security scanner that includes networking mapping and anti-malware
