The term “endpoint security” is often used by vendors and security professionals alike, but what is it really all about? While it might seem obvious that endpoint security by definition is all about defending endpoints, as opposed to say networks, there are many levels of nuance and technologies involved in endpoint security.
In a session at the SecTor security conference in Toronto, Kurtis Armour, principal security specialist at Scalar Decisions, provided an overview of the endpoint security landscape from a penetration tester‘s point of view.
Endpoint protection technologies are intended to give organizations the ability to detect and respond to security events within their environments.
How endpoints are compromised
Armour said endpoints are being compromised by a variety of different methods that ultimately aim to gain some kind of foothold in a victim system. Among the most popular forms of endpoint exploits is the use of various dropper technologies, which literally ‘drop’ a malicious payload on an endpoint. Droppers can be delivered via malicious files, links and macros, among other infection vectors.
Endpoints are being compromised for a variety of different reasons: insufficient security controls, lack of user education, lack of patch management and lack of environment hardening.
The endpoint security stack
While attackers have multiple tools for exploiting endpoints, organizations also have multiple tools that can be used to make up a complete endpoint security stack, including:
- Endpoint protection platform (EPP)
- Endpoint detection and response (EDR)
- Application whitelisting
- Privilege management
- Vulnerability and patch management
- OS hardening
- Central alerting and monitoring
Armour said the goal of an Endpoint Protection Platform is all about preventing code execution.
EPP technologies include anti-virus (AV) and anti-malware technologies that aim to block malicious code from running on endpoints. EPP can be used to block known vulnerabilities as well. EPP has expanded in recent years beyond its AV roots and can also include encryption and data loss prevention (DLP) capabilities.
Armour said sometimes the prevention capabilities that an EPP provides aren’t enough, and that’s where data recorders for endpoints come in as part of endpoint detection and response (EDR) platforms.
EDR gives organizations the ability to see what’s happening on an endpoint and enables security professionals to hunt for bad things that might be present in an environment that an EPP might not know about.
Capabilities commonly found in EDR include: a recording system, behavior detection capabilities, data search, suspicious activity detection and response capabilities.
If you’re looking for an EDR solution be sure to try out eSecurity Planet’s EDR selection tool
In Armour’s view, application whitelisting is perhaps the number one approach used by organizations to stop file-based malware from executing in a corporate environment.
Implementing application whitelisting isn’t always an easy task though. Armour said organizations need to first have a strategy in place to determine what asset will be covered. Application whitelisting isn’t effective for dynamic users where things change often, but Armour said it can be beneficial for static servers or point-of-sale (POS) systems that are intended to be limited to certain range of tasks.
Process whitelisting is another endpoint security approach that can be highly effective. Armour noted that Microsoft Windows Device Guard feature can be used to explicitly allow process that are trusted to run, while blocking the execution of unknown, untrusted processes.
Protecting privileged accounts is a core element of endpoint security, as one of the main activities that an attacker does is steal credentials in order to gain wider access to an environment.
Privileged accounts include local administrator accounts as well as domain-level accounts. Armour said that if an attacker can compromise one system in an environment and there are shared passwords across the entire organization for local admins, the attacker will be able to authenticate across the entire organization.
Privilege management technologies enable organizations to limit the ability for password compromise and reuse.
Vulnerability and patch management technologies are two different but highly related capabilities that are often tightly integrated.
Armour said vulnerability management technology is used to identify unknown security vulnerabilities within an organization.
“Knowing that and being able to patch that information makes it so that someone cannot exploit an application or an operating system that is vulnerable to attack,” he said. “Patch management obviously goes hand in hand with vulnerability management. You have to be able to patch the vulnerabilities that you know about.”
Looking for more information on patch management? Check out the eSecurity Planet Guide to the Top 10 Patch Management solutions
Operating Systems such as Windows, Linux and MacOS don’t always have the most secure setting on by default. Armour said there are multiple steps organizations can take to harden desktop operating systems to make it harder for attackers to compromise.
Armour said hardening takes time and is specific to each corporate environment.
An increasingly popular endpoint security approach in recent years has been the use of deception techniques to trick attackers.
With deception technologies, bogus credentials and services are presented to an attacker. When the deception services are attacked, the organization is alerted and can take additional steps to limit risks and protect the rest of their environment.
“Deception is used as an early indicator of threat actors in your environment,” he said.
While having the other elements of an endpoint security stack are important, Armour said that having the ability to ingest alerts from across an enterprise infrastructure is critical.
“If you’re not looking at the entire endpoint environment, you could miss something that is happening,” he said.
He added that visibility into alerts from a central location is key to being able to respond in a timely fashion.
Security information and event management SIEM can also play a role in monitoring, learn more in eSecurityPlanet’s SIEM guide
The endpoint maturity model
Having an endpoint security stack is one thing, but having one that properly limits risk can be another discussion altogether. Armour suggests that a comprehensive endpoint security stack needs to be comprehensively deployed.
“When you’re looking at your endpoint security strategy, you need to cover your entire environment,” he said. “So make sure that you know what assets are in your organization and that you’re doing an assessment, and make sure that they’re covered by your endpoint security strategy.”
Additionally, it’s important for organizations to make full use of the capabilities that are present in the endpoint security technologies that are deployed. Armour also suggests that organization get proper training and implementation support for endpoint security technologies rather than trying to do it on their own.
“Don’t just buy something and implement it yourself, especially if it’s a difficult product to implement, because that is going to be a failed deployment,” he said.
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.