During the past decade, attackers have demonstrated incredible creativity in adjusting to changes in the security industry. Each time security vendors create a new type of “lock” to protect enterprise assets and data, the criminal underground builds a new set of lock picks in the form of malware to help them circumvent the new controls.
A proactive cybersecurity defense is the best strategy for protecting your business against cyber threats. Endpoint Detection and Response (EDR) is a new, proactive approach that focuses on behavior that indicates an attack is underway rather than just indicators of compromise (IoC). In this way, it helps you protect your network against zero-day threats and a wide range of emerging threats. It also reframes the security problem so you’re not just focused on keeping the bad guys out. Instead, you’re also working to quickly detect intrusions, minimize cyber attackers’ abilities and reduce the potential damage they can cause if they do get in.
You must know your hardware to defend it.
Keeping track of your endpoints is essential work that facilitates hardware and software management, license compliance, regulatory compliance and, most critically, security.
The principles of asset discovery are:
- A) Removing security blind spots: It’s difficult to create a complete picture of your enterprise network endpoints all at once, but breaking down the process into stages makes it more manageable. You can start with the systems and processes that already exist in your organization. These inputs are likely to be spreadsheets, or some out-of-date network diagrams, or notes stored in the desktops or brains of your IT staff.
- B) Standardization now will save time later: Standards, like the NIST Specification for Asset Identification, are useful for identifying endpoints using information you already know about them. With a common format you will be able to share asset information between tools and groups that may not “speak the same language,” such as tool sets like IT Service Management (ITSM) and Security Information and Event Management (SIEM), or IT and OT.
- C) You really can’t get out of doing this: Before you can defend your network against an enemy, you need an accurate picture of yourself and your environment. While third-party management of endpoints can be an attractive option, no one knows your business and the value of your data and systems the way you do. One of the first steps an attacker targeting your network will take is building an inventory of potential targets connected to your networks. Attackers do this as part of a process of discovering your weaknesses, because those are the easiest places to attack. To defend your endpoints, you need to know where your weaknesses are, so you can fix them before the enemy uses them to attack you. There’s no way to find all of the weaknesses in your network if you don’t first have an accurate list of your assets.
Impediments to discovery
These things can trip you up:
- Segregated networks: In larger organizations, endpoints are usually located across a global collection of multi-segmented networks, physically secured areas, and behind data diodes that prevent unauthorized access. Appliance and cloud-based options that deploy data collectors on remote and segmented networks can be useful for endpoint discovery in segregated environments.
- Proprietary protocols: Not all networks support traditional IT protocols. Some endpoints, like Industrial Internet of Things (IIoT) devices, will speak proprietary protocols that are not IP-based.
- Fragile as an autumn leaf: Scanning some types of endpoints, such as IIoT devices, can result in disrupted service. Passive discovery and asking around may be the only ways to inventory these devices safely without affecting availability or reliability.
Establish a baseline of your endpoints
- Collect information from existing records: Ask for all of the network maps, Excel sheets of endpoint assets, sticky notes and other odds and ends of information that comprise your system of record.
- Scan your network: After gathering tribal knowledge about what people think is on your network, it’s a good idea to find out what’s actually on your network using an automated discovery tool to scan it. Use a commercial product (e.g. Tripwire® Asset Discovery) or a free networking tool (such as Nmap) to start mapping your network.
- Passive discovery: Use a commercial product, such as Lumeta IPSonar, or a free tool, such as Kismet, to map the endpoints, including wireless access points.
- Reduce your addressable IP space: Make sure your organization is using the fewest number of IPs possible, and make sure those IPs are within the private address space.
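The baseline steps above come together when the records you collected are compared with what a scan actually found. The following Python script is an added example, not part of the field guide: it reconciles a constructed spreadsheet export against constructed host lines in the style of Nmap’s greppable (-oG) output and reports hosts that are live but unrecorded, recorded but not answering, and live outside RFC 1918 private space. The host names, addresses and file layout are assumptions for the example.

```python
import csv
import io
import ipaddress

# Constructed "system of record": the spreadsheet export people hand you.
RECORDS_CSV = """hostname,ip,owner
fileserver01,10.20.1.10,IT
printer-2f,10.20.1.44,Facilities
old-db,10.20.2.7,Finance
"""

# Constructed host lines in the style of Nmap's greppable output (-oG).
SCAN_GREPPABLE = """Host: 10.20.1.10 ()\tStatus: Up
Host: 10.20.1.44 ()\tStatus: Up
Host: 10.20.1.99 ()\tStatus: Up
Host: 203.0.113.5 ()\tStatus: Up
Host: 10.20.2.7 ()\tStatus: Down
"""

# RFC 1918 private ranges, checked explicitly rather than via is_private.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def load_records(text):
    """Index the spreadsheet rows by IP address."""
    return {row["ip"].strip(): row for row in csv.DictReader(io.StringIO(text))}

def parse_scan(text):
    """Collect the addresses of hosts the scan reported as up."""
    live = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "Host:" and line.rstrip().endswith("Status: Up"):
            live.add(parts[1])
    return live

def is_private(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def reconcile(records, live):
    """Return (unknown, missing, public): live hosts absent from the records,
    recorded hosts that did not answer, and live hosts outside RFC 1918 space."""
    known = set(records)
    unknown = sorted(live - known)
    missing = sorted(known - live)
    public = sorted(ip for ip in live if not is_private(ip))
    return unknown, missing, public

if __name__ == "__main__":
    unknown, missing, public = reconcile(load_records(RECORDS_CSV), parse_scan(SCAN_GREPPABLE))
    print("Live but not in records:", unknown)
    print("Recorded but not answering:", missing)
    print("Live outside private space:", public)
```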
You must know your software to defend it.
Keeping track of your software assets is essential for a well-run enterprise and facilitates more effective software management, license compliance and, most critically, security. Nearly every regulatory compliance standard includes software inventory because attackers could exploit unknown or unnecessary applications. In addition, the mere presence of an application on an endpoint could be an indication of an attack.
The principles of software discovery are:
- Attackers will find the weakest parts of your attack surfaces: The bad guys love to find a juicy unpatched software package. Whether it’s a server running an old version of SSH or Apache or a laptop with a five-year-old Internet Explorer, exploits are easy to find and use.
- What you don’t know can hurt you: In terms of licensing and security, not knowing exactly which software is used on each endpoint can be expensive. When it comes time to pay for licenses of premium software, knowing the number of licenses you are paying for versus actual license usage may help you negotiate a lower maintenance renewal cost. Unknown or unnecessary software increases security risks because these installations are easier for attackers to misuse or exploit. If you don’t need a specific software package on an endpoint, turn it off.
- For lack of a backup the kingdom was lost: When a system fails-over during a planned outage, having an identical system to pick up the tasks is critical. Part of a comprehensive software inventory process is identifying backups. This makes recovery more successful and helps minimize repair costs.
Vulnerabilities and exposures are your enemy’s allies.
Attackers benefit from the same innovations that drive digital business: automation, crowdsourcing, low cost cloud computing resources, big data, mobile, and social networks. All of these innovations can also be used to attack you. Worse, an attacker only needs to be successful once through any attack vector; meanwhile, you must remain ever vigilant. Somewhere, in the tangle of interconnected hardware and software packages running on your networks, are vulnerabilities that can be exploited given enough time and effort. Managing those risks continuously and in a timely fashion is crucial to security.
You may also face another challenge if your board of directors does not “get” security and has difficulty understanding the connection between risk reduction and vulnerability management. You will need to communicate your efforts in terms of risk reduction and potential impacts of breaches avoided. The principles of vulnerability management are:
- Highest risks first: You need to work toward continuous vulnerability scans. They will provide you with up-to-date scan results from all the endpoints identified in endpoint and software discovery. These scans will find and prioritize all the vulnerabilities across your network. Once located, you will be tasked with remediating the riskiest vulnerabilities quickly.
- Attackers are looking for the same things you are: They have access to myriad resources, and all they need to do is find a single vulnerability that can be exploited to get in. You must plug holes continuously to reduce your attack surface and limit security risk.
- Fix vulnerabilities that jeopardize the mission: CVSS provides a useful mechanism for prioritizing vulnerabilities in a standard way that is easily understood between different people, departments and organizations. Advanced vulnerability management tools, like Tripwire IP360, include more granular scoring mechanisms that provide predictive “heat map” capabilities. These tools identify areas of highest risk on your network. These are the places where a successful attack is most likely to disrupt business or operations.
SECURITY CONFIGURATION MANAGEMENT
Default configurations are built for maximum availability and rarely for security. Hardening default configurations will mitigate many security issues on endpoints. Further, any prescriptive compliance policy will already have out-of-the-box guidance on these first steps, so this is a logical place to start.
The principles of security configuration management:
- The right settings will evolve over time: There are millions of ways to configure systems. The right mix of security, availability and performance often requires ongoing adjustments, unless you standardize on a legacy platform where that never changes. Don’t laugh — it’s a viable option.
- Security policy, like the endpoints, needs to be reassessed periodically: Even after you have tuned the finest configuration settings over countless meetings, there will come a time when the business or mission changes, software is updated, or new exposures are detected. Then policies will need to be re-tuned and all endpoints checked against them. This is typically done in conjunction with preparation for annual IT audits, but it should be done anytime there is a significant business change.
- Unnecessary services and ports are dangerous: Use applications and services identified during software discovery to start trimming back on things that aren’t required by the business. Unneeded web servers, unauthorized file sharing applications, media players and unused programs are examples of applications that should be found and then turned off.
- Users and their access: User credentials have become a new target in today’s threat landscape. Hackers frequently go after accounts and credentials that are enabled, but not closely monitored or actively used. Since these accounts and credentials are legitimate, hackers can easily evade detection because their activities appear to be part of business as usual.
Attackers use numerous techniques to steal employee credentials so they can gain access to corporate systems and networks. Sophisticated phishing campaigns can trick even the most skeptical users into entering their credentials on fraudulent websites. Advanced malware enables cybercriminals to capture employee credentials as they’re entered on an infected endpoint. What’s more, cybercriminals don’t even need to try to obtain corporate credentials directly from employees. Reuse of corporate credentials on third-party sites is so high that some criminal groups focus on stealing login credentials from social networks and other consumer websites, knowing there’s a good chance they’ll obtain credentials that will give them entry into corporate systems.
Another concern is disgruntled insiders. Accounts that aren’t deactivated after employees leave can be misused by both insiders and external actors. For example, a disgruntled terminated employee with remote access to company systems has the potential to cause a lot of problems.
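The two account risks just described, enabled accounts that nobody uses or watches and accounts that outlive their owner’s employment, can be checked against a directory export. The following Python script is an added example, not part of the field guide; it runs over a constructed account list with an enabled flag, last logon date and an HR employment flag (assumed fields) and reports orphaned and stale accounts.

```python
from datetime import date, timedelta

# Constructed account export (no real users): enabled flag, last interactive
# logon, and whether HR still lists the owner as employed.
ACCOUNTS = [
    {"user": "jdoe", "enabled": True, "last_logon": date(2024, 5, 2), "employed": True},
    {"user": "svc-backup", "enabled": True, "last_logon": date(2023, 8, 1), "employed": True},
    {"user": "contractor-mr", "enabled": True, "last_logon": date(2024, 4, 20), "employed": False},
    {"user": "old-admin", "enabled": False, "last_logon": date(2022, 1, 9), "employed": False},
]
REVIEW_DATE = date(2024, 6, 1)  # constructed "today" so the run is repeatable

def review_accounts(accounts, today, stale_after_days=90):
    """Return (orphaned, stale): enabled accounts whose owner has left the
    organization, and enabled accounts with no logon within stale_after_days.
    Already-disabled accounts are skipped; they are not a live exposure."""
    cutoff = today - timedelta(days=stale_after_days)
    enabled = [a for a in accounts if a["enabled"]]
    orphaned = sorted(a["user"] for a in enabled if not a["employed"])
    stale = sorted(a["user"] for a in enabled if a["last_logon"] < cutoff)
    return orphaned, stale

if __name__ == "__main__":
    orphaned, stale = review_accounts(ACCOUNTS, REVIEW_DATE)
    print("Enabled but owner has left:", orphaned)
    print("Enabled but unused for 90+ days:", stale)
```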
As the volume and sophistication of cyber threats increase, organizations must sift through mountains of data to detect anomalies and identify real threats.
The traditional approach of handling ever-increasing log and event data has been to rely on basic log collection utilities or expensive large-scale SIEM deployments.
THREAT DETECTION & RESPONSE
Advanced threats are designed to outwit traditional signature-based anti-virus (AV) solutions using polymorphic and self-updating, environment-aware malware. This shouldn’t be surprising. Old school detection was developed based on a very different threat landscape, one in which threats evolved much more slowly and were less sophisticated. Not too long ago, the security industry just needed to know something about an attack to write a signature or rule that would protect against it.
EDR is a new approach that evolved from the realization that the industry can’t prevent attackers from getting in. Instead, we should assume they will get in, so focus on real-time detection of behavior that indicates a breach. Then, it’s important to create effective incident responses designed to limit damage. EDR supplements traditional, signature-based technologies with anomaly detection and visibility across all enterprise endpoints, not just servers and workstations. The principles of malware detection and response are:
- Faster than a sniper’s bullet: Modern phishing attacks occur at nearly the speed of light, and the first hit is likely to be an innocent user clicking on a malicious attachment or URL in an email. The malware this action unleashes can cut through security defenses.
- Attackers customize their attacks for your enterprise: These are targeted attacks. The attackers will use non-invasive techniques like social engineering to glean who your employees are and what their emails look like.
SUMMARY: ENDPOINT SECURITY SCORECARD
Knowing how mature your organization’s EDR program is in comparison to the principles outlined in this field guide will quickly give you an idea of where additional refinements may be necessary.
We recommend you measure your organization against the guidance in this field guide to help improve your security risk posture. Complete the following scorecard and tally the results to help you understand what you need to do to improve the efficacy of each control as part of your EDR program.
Source: ENDPOINT SECURITY SURVIVAL GUIDE – A Field Manual for Cybersecurity Professionals