Making Your Endpoints Intelligent
November 24, 2015
As you have probably heard ad nauseam by now, security in the modern computing world is no longer about putting up a wall and preventing threats from entering our environments. Securing our networks and more specifically our endpoints is only possible if we completely disconnect from other computers and eliminate human beings. In other words, the idea of being completely secure is a unicorn.
Today’s security posture accepts that comprise WILL happen. Being able to identify an anomaly, determine it is a threat (or not a threat for that matter) and mitigate it as quickly as possible is necessary. While this sounds like a simple concept, it is often far more difficult than realized.
While visibility is essential, it alone is as good as nothing. This has been proven over the last year with the vast majority of high profile breaches that have occurred. In most cases, the hackers were present in the victim’s systems for as many as 90 days before the breach occurred. Many of them had what they thought were the best tools in place to provide the needed visibility. The truth is they were right; they did have the best tools and they had the right data needed to prove they were hacked. In hindsight, what they were missing was the intelligence to understand the data. Having the correct information, but not the intelligence to do anything with the data is what prevented them from being able to take the necessary actions to prevent the breach.
As a result of these attacks, many tools have emerged on the scene that automates the coloration of this data, producing actionable intelligence. Next generation Firewall, IDS, SIEM and ATP (advanced threat protection) platforms are all powerful when used together to find threats at the perimeter and on the network. While these tools have improved time to resolution for some incidents, many attacks are still successful and getting around our network defenses.
With all of these new tools for intelligently identifying applications and threat activity, why are security events still happening at an unprecedented level?
The reason for this is that the endpoint is the new perimeter. Attackers are no longer coming in through the front door. Most attacks are starting at the endpoint, via the end users. Using social engineering techniques such as phishing, malware makes its way onto the endpoint, giving the attacker a foothold on the network. From there, they use various techniques to pivot and make their way to their target. The communication required for a modern attack traverses east/west communication channels to gain user information and for gathering data to be exfiltrated. Outbound traffic flow is used for stealing the information that has been targeted and by the time our perimeter defenses see the malware, it is already too late.
Host systems to date, have been ignored. The entry point (the endpoint) and the target (the server) are still using the same protection that was implemented 30 years ago. Implementing all of our intelligence at the network at perimeter is not effective enough. By not focusing on the endpoints and servers, attackers are able to thrive in our environments long enough to circumvent even the best intelligent network defenses.
As a result of the above facts, 2016 is poised to be considered the year of the endpoint. This is a commonly held belief as many organizations are either in the process of, or getting ready to re-evaluate their endpoint and sever protection strategies. In addition, many new “next generation” endpoint protection platforms have immerged on the scene. These new platforms use varying techniques to deliver on the promise of reducing the attack surface and better prevention from zero day threats. However, even if they are capable of delivering on their promise, the same truth remains. They will never prevent every threat from succeeding. At the end of the day, endpoint protection alone does not add visibility and intelligence to the most critical resource in our environment, the endpoint.
Like the network and perimeter, the key to success in protecting endpoints and servers is visibility and intelligence. The opportunity to revamp the security for an attacker’s entry point and target should be taken advantage of, and making your endpoints intelligent is the key to having the best weapon against the bad guys.
Next generation tools must include capabilities that go beyond prevention. This is true, even if the prevention tools are using the positive enforcement model. It is critical that endpoints can understand “odd” behavior, alert and take action on it. Endpoint intelligence uses a big data approach to understanding the operating posture of an endpoint, its users and the applications to identify anomalies and inappropriate behavior. Furthermore, it should be able to work with other next generation technologies on the network, such as IDS platforms and SIEM technologies. With intelligent endpoints and servers, visibility is more complete and actionable intelligence is produced. This powerful capability at the entry point and target will empower security responders to identify and mitigate threats quickly and efficiently, before damage is done.