IT Focus Area: security
July 2, 2021
Essentials for Endpoint Security and the Modern Workforce
As more Americans gain COVID-19 vaccination protection, the business world is starting to look more like it did pre-pandemic. In-person events, meetings in the office, and lunches that aren’t outside on the patio are happening more often. While it’s great to emerge from our individual bubbles to come together again, some things aren’t likely to look like they did before.
At the start of 2020, remote work went from possible but not preferred, to essential. This caused a rising tide of endpoints for the IT team to manage and protect. While the quick response was necessary, it did cause many organizations to lose a degree of control over devices accessing their network. It also led to an increase in threats to the organization via endpoints.
Securing remote work for the long haul
Now that it’s safe to return to the office, employers are learning how true it is that you can’t unring a bell. The workforce adapted and embraced their employers’ need for continued productivity during the pandemic—and responded by closing the gap between their work and home lives. Now, much of that same remote work population doesn’t see an incentive to return to a daily grind of commute, commingle, and cubicle cohabitation. Some employers are acknowledging this by adapting a hybrid work model with days in the office combined with days working from home.
And what is true for workers is also true for customers. The pandemic pushed organizations to provide and improve e-commerce. Customers adapted to shopping and interacting online for things that had traditionally always occurred in brick-and-mortar locations. Some shoppers are eager to return to the storefront—but not all. While the complexities of engaging customers and retaining staff are under the direction of other business units, for the IT team it signals the end of thinking about security using the perimeter model.
Securing your new perimeter
The evolution of the modern business model has been underway for some time with the advance of cloud technologies, improved wi-fi, 5G and smart devices. The pandemic accelerated the process, and now the perimeter is everywhere. IT teams need to adapt now to secure their remote perimeter for the long haul. Adopting good IT hygiene practices is a necessary element of modern security.
IT hygiene for the device-based perimeter includes:
- Visibility across the user edge
- Patch and configuration management
- Detection and response across all endpoints
Endpoint visibility on and off the network
IT professionals need to understand what assets they own, what assets (owned or not) touch their network, which assets can be easily managed, and which ones can’t. All of which requires visibility. And visibility—with an ever-changing definition—has been an industry challenge for years. With the move to remote work in 2020, it’s been difficult to comprehend how to get the full scope of visibility needed.
Visibility is identified as a leading endpoint security challenge. But what should network and endpoint visibility look like in 2021? Organizations need to be able to answer these questions:
- What endpoints are connecting to the network, including IoT devices?
- Where are these endpoints located?
- Who owns each endpoint?
- When are the endpoint connections occurring?
- Why are the endpoints connecting?
Level-set the reach of your network visibility with an endpoint audit
An asset audit can help you to realign your awareness of the devices on your network. In our experience, it’s not uncommon for organizations to discover 20-30% more devices than they were currently tracking. From a visibility standpoint, that number is staggering. If you aren’t able to answer the questions above, a discovery and audit process may be your most important next step.
Cloud, colocation, remote access and branch locations significantly impact network access and security. Audits can produce some surprising results. We have worked with clients who thought they had a clear understanding of all network-connected devices, only to discover through an audit that this wasn’t the case.
Consider this example from the field. During a client network visibility engagement, the audit process identified a set of servers that had been left running long after the project was defunct. How did it happen? A datacenter failover occurred shortly after the project was terminated. In the failover, the backup servers were restarted and moved back into production for months without the client knowing. It’s a simple fact—you can’t manage or secure something you don’t know about, and in complex, digital environments things can easily slip through the cracks.
Organizations are staring to find real benefits from tracking endpoints in a configuration management database (CMDB). But this only helps if the information in the CMDB is reliable and up to date. Not all devices can be managed in the same way or with complete control. But this shouldn’t stop you from being able to identify each of them.
Endpoint inventory across the remote perimeter
It’s important to encompass activity across the enterprise when identifying endpoint network access. From the scanning of a badge to automated temperature checks for entry, IoT devices are now part of the modern business landscape and likely to be accessing critical data.
Discovering and managing all assets, including IoT devices and rogue assets not authorized by IT, must be in play. Tracking these endpoints in a configuration management database (CMDB) is essential. You can’t manage or secure something you don’t know about or can’t find.
Whether your CMDB involves one tool or multiple, you must be able to accurately—and within a required timeframe—identify all assets touching your network and accessing your data. Only then can you begin the task of securing them. Visibility must be first and foremost in every CISO’s mind when securing endpoints.
Patching heads the security strategy roster
Another cornerstone to securing the endpoints of a modern perimeter is patching. Patching isn’t very glamourous—it’s unlikely to win anyone a commendation even when done well, and it makes for a pretty boring topic of conversation. But the stakes are high if patching is incomplete. Some of the top data breaches in the past year have been directly linked to incomplete patching.
Patching is security 101. It is a mission-critical component of your security program and should be treated like one. Boring and mundane? Maybe, but do you really want the “excitement” that comes with the exploitation of a missed patch?
Depending on the organization’s size, patch management may be executed with an endpoint management tool alone or alongside a vulnerability scanning solution. Vulnerability scanners help find issues with applications, operating systems for servers and end-users, and often IoT devices. Without a vulnerability scan, you are much more likely to fall victim to a cyberattack.
“By 2022, organizations that use the risk-based vulnerability management method will suffer 80% fewer breaches.” - Gartner
Patch management and the battle for your endpoints
Once discovered, vulnerabilities are made public by vendors and others to alert users to security issues that create attack doorways. Both sides of the battle are getting that information at the same time. How and when this information is leveraged makes all the difference. Attackers can use it as a blueprint to gain access. You can use it as a top-level alert requiring immediate action. The winner in this scenario is the one who responds the fastest.
But when it comes to how and when a vulnerability is released, attackers generally have the advantage. For black-hat hackers, finding and exploiting vulnerabilities is their full-time job. They want to find and exploit these vulnerabilities in as many locations as possible before discovery. The moment the exploited vulnerability is discovered, it becomes a zero-day vulnerability (the day it is first known) and impacted vendors typically rush to issue a patch for the problem or provide indicators of compromise (IoCs) to detect it with a vulnerability scan.
The attacker advantage calls for faster discovery and action
This same vulnerability found by a white-hat hacker often takes weeks or months to be released to the public because the vendor is given time to develop a patch or workaround before announcing the vulnerability. The Zero Day Initiative is helping to combat this with efforts to encourage faster disclosure of vulnerabilities, but regardless of whether the vulnerability is discovered by a black-hat or white-hat hacker, organizations are vulnerable without knowing it.
Organizations that fall behind in patching give the attackers the edge. But by pairing the results of a vulnerability scan with patch management, you can jump the starter’s gun in for a distinct advantage. Consider these numbers from recent research on endpoint vulnerabilities and exploits:
Aligning patch management and vulnerability scans
Most organizations have multiple vendors and multiple solutions to contend with as they work to maintain a healthy patching practice. This includes vendors or applications, hardware and operating systems. When these vendors release a patch, it’s generally identified using their unique severity score system. Some use Fatal, Critical, Minor while others use High, Medium and Low or possibly Level 1, 2 or 3. These disparate rankings mean that admins for these tools spend valuable time prioritizing patches based on risk and SLAs.
Meanwhile, the team responsible for vulnerability scanning is reporting identified issues using the Common Vulnerability Scoring System (CVSS), an industry-standard ranking for vulnerabilities in software and hardware using an assigned risk number, the Common Vulnerabilities and Exposures (CVE) number. This number rises from 1.0 to 10.0 based on criteria that includes the level of access allowed, ease of revocation, and the likelihood of the vulnerability being exploited. The use of this system is a good thing, but the admins for other tools struggle to match CVSS reporting with the alerts provided by their various tools.
The larger the organization, the more complex this can get and the more teams likely to be involved. If, for example, the security team passes the vulnerability scan results on to the endpoint management team, there needs to be an easy way to align this information to the vulnerabilities identified by the endpoint tools using a different rating system.
Endpoint management and control tools that use the CVSS and CVE numbers can help your team quickly align the results of your vulnerability scan with your endpoint solution. They now have a clearer path for translating scan results to patch “content” for deployment and remediation. This uniform ranking methodology helps to break down siloed activities that can impact the effectiveness of your endpoint security program.
When selecting a modern endpoint management and control solution, look for one with this feature built-in or one that interfaces with solutions that map vulnerabilities to specific patch content. This process is extremely valuable because it reduces the time to remediate and gives you a better chance of winning the race against attackers.
Closing the VPN gap
With the workforce shifting to remote work from home, many organizations were forced to update or change their VPN strategy due to bandwidth constraints. This led to the inability to perform network-based vulnerability scanning on remote devices. Closing this gap remains a struggle. Most legacy scanning tools can’t handle remote devices and this hampers efforts to maintain basic hygiene. If you have a legacy scanning tool and remote work is going to remain a regular part of the staff landscape in your organization, it’s probably time to re-think your strategy to handle vulnerabilities on end-user devices.
Detection and response for endpoints
Signature-based anti-virus (AV) solutions use a known attack list built and supplied by the AV vendor that captures attack file signatures into definitions available for customers to push out to their endpoints. In the 1990s, this was really all that was needed.
Fast-forward to today’s attack environment. While signature-based AV is more effective than you might think, it’s not precise, and unlike horseshoes or hand-grenades, close isn’t good enough. Viruses now develop and mutate so quickly that keeping endpoints current with vendor-provided definitions doesn’t move fast enough.
NGAVs add precision to standard AV detection
The evolution of the next-generation anti-virus (NGAV) solution helped to close that gap with non-signature-based solutions. Some NGAV vendors claim a 99%+ effectiveness rate. How are they achieving this? NGAV adds context to the detection process. Files, processes, applications and network connections are all considered when identifying data with malicious intent, behaviors and activities.
Artificial intelligence (AI) and machine learning (ML) play a role in this improved process. NGAV vendors have AI rules that can examine millions of attack vectors and defined patterns. Once detected, the attack process is stopped and quarantined quickly. NGAV vendors generally only update their patterns a few times each year because of their effectiveness against attackers.
Attackers continually evolve their processes and targeted attack vectors. They have created AI-based engines that target NGAVs. A perfectly protected NGAV today is breached tomorrow. Staying ahead of the attackers is essential to ensure there isn’t a door left open.
Endpoint detection and response (EDR) solutions capture what the NGAV missed
What if your patching is current, you are using a powerful NGAV, and attackers still gain access to your endpoints? For attacks that go around your NGAV, an EDR solution can help to reduce your security risk further. While an NGAV analyzes behavior and threats on a single endpoint, an endpoint security platform with EDR can help to tell a fuller story with analysis of the threats across your endpoint landscape, giving you a fuller picture of your endpoint risk.
An EDR records events agnostically, labeling events neither good nor bad. It uses user and entity behavior analysis (UEBA) to help identify if an event is an actual attack. Once identified as an attack, the event can be quickly terminated. You also have access to a process tree of actions to determine the entry point so that you can prevent the attack on all endpoints.
EDRs improve security against breached endpoints
For a compromised endpoint, the nuclear response of reformatting the hard drive and reinstalling a corporate image seems like the best course of action. Unfortunately, this action also wipes out evidence of the attack, making it unlikely that you will be able to determine the point of entry. Without the necessary information to block this attack, it can occur again on this endpoint and others.
Before going this route, be sure to capture the information necessary to respond and defend against this attack. Better yet, invest in an EDR that automates identifying assets and vulnerabilities across your environment—and then fixing them quickly at scale.
Use approved server processes to protect AV and NGAV functions
A breached endpoint isn’t usually an attacker’s endgame. It only serves as the gateway to your network and servers. Servers are the Holy Grail for attackers and once they have access, they can run processes that stop security solutions like AV and NGAV from operating. They use scan processes to determine which AV is active and then implement a process that automatically stops it every time it tries to block activity.
Create a whitelist of approved processes to protect your servers. This security approach remains effective and shouldn’t be overlooked. Whitelisting user endpoints can also be done, but comes with a much heavier workload and usually results in end-user satisfaction issues.
Close the endpoint front door against attacks
There are many potential points of entry for an attacker to use to infiltrate your organization and none should be overlooked. But make your endpoints a priority. Endpoint access is low-hanging fruit for attackers and an unprotected endpoint is the equivalent of leaving your front door wide open. Afterall, other security measures become pointless once an attacker has reached your server.
Close and bolt the endpoint front door by pairing a strong NGAV with an EDR solution. This will improve your IT hygiene and establish a process of continuous discover and management of assets, risks and vulnerabilities across your environment. The alignment of these solutions also helps to unify your teams around a single, actionable source of truth for a cooperative approach to security.