Today’s organizations face huge challenges securing and protecting servers, networks, and digital assets. This goes double for mobile users and their laptops, tablets, and other devices. Also, more organizations are moving IT workloads to the cloud, leveraging hosted and SaaS models. With an expanded definition of endpoints that includes any connected device, physical or virtual, it’s good that cybersecurity solutions are available to help IT security organizations cope. Such solutions offer protection, monitoring, and support to secure business‐critical assets and quickly respond to a breach.
Endpoint security refers generally to a well‐described and understood method to protect an organization’s data and network as accessed with end‐user, connected devices. However, traditional endpoint security solutions can’t keep up with conventional endpoints, let alone all the new “things” coming online in today’s networks.
This guide focuses on how to deploy and manage security for many kinds of endpoints. It also digs into how endpoints and security incidents are detected, identified, monitored, and handled, including effective response and remediation. It even discusses the key role of automation in detecting and responding to threats and managing risk.
An endpoint is any connected device used to access an organization’s data and network. Traditionally, IT pros interpreted this as “anything with a CPU and a keyboard.” That definition is now expanding to include “things” (IoT, IIoT and OT), as new devices — even sensors — further increase the attack surface for businesses and organizations. Platforms considered infrastructure in the past now qualify as endpoints and are subject to exploitable vulnerabilities. Thus, we need to expand our definition of an endpoint to include servers, mobile devices, kiosks, POS, HVAC, medical gear, industrial systems, cameras and, yes, even cars. With more systems — physical or virtual, on‐premises or in the cloud — accessing organizational data and networks, the definition will be stretched even further.
Endpoint Detection and Response (EDR) systems demand at least four types of capability. The first item is the detection part; other items comprise the response part.
Systems must -
In broader terms, EDR can go beyond detecting incidents and responding to them. Advanced EDR systems can help reduce the overall attack surface (to whatever extent intelligence and technology allow), limit the impact of an attack, and use intelligence and observation to predict when and how attacks might occur.
Securing endpoints begins with their discovery. You can’t protect what you don’t know about! And with the proliferation of all kinds of endpoints and applications, it is important to quickly detect any shadow IT or rogue endpoint instance on your network. An EDR system continuously scans the entire extended network across the organization to detect any new endpoint asset (hardware, software, or operating system).
The next step in the endpoint intake process is to take inventory of that device. Which versions of firmware, OS, and software is it running? Security analysts can then classify it automatically based on a known set of attributes and scan it for vulnerabilities. Is it patched and up to date? The endpoint configuration and version information are logged and recorded along with all known vulnerabilities, scored for their severity.
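The discovery-and-intake step described above, as an added example that is not part of the guide: a single sweep is reconciled against the known asset inventory, each previously unseen device gets an automatic classification and a severity-ranked list of known weaknesses, and inventoried devices that did not answer are reported as missing. The inventory, scan results, classification rules and vulnerability entries are all constructed placeholders.

```python
# Added example (not from the guide): reconcile one discovery sweep against
# the known asset inventory, classify any previously unseen endpoint, and
# score its known vulnerabilities. Inventory, scan and vulnerability data
# below are constructed placeholders, not real hosts or CVEs.

# Known assets, keyed by MAC address (constructed).
KNOWN_ASSETS = {
    "aa:bb:cc:00:00:01": {"hostname": "fileserver01", "class": "server"},
    "aa:bb:cc:00:00:02": {"hostname": "wks-alice", "class": "workstation"},
}

# What the scanner observed this cycle (constructed).
SCAN_RESULTS = [
    {"mac": "aa:bb:cc:00:00:01", "ip": "10.0.0.5", "os": "Linux 5.15",
     "open_ports": [22, 445]},
    {"mac": "aa:bb:cc:00:00:02", "ip": "10.0.0.23", "os": "Windows 10",
     "open_ports": [135, 445]},
    {"mac": "aa:bb:cc:00:00:77", "ip": "10.0.0.90", "os": "Embedded RTOS",
     "open_ports": [80, 1883]},
]

# Vulnerability knowledge keyed by (os, port) -> (description, severity 0-10).
# Hypothetical entries standing in for a real vulnerability database.
VULN_DB = {
    ("Embedded RTOS", 80): ("unauthenticated web admin interface (hypothetical)", 9.0),
    ("Windows 10", 135): ("RPC endpoint mapper reachable (hypothetical)", 4.0),
}


def classify(device: dict) -> str:
    """Automatic classification from observed attributes (OS string, ports)."""
    if "Embedded" in device["os"] or 1883 in device["open_ports"]:  # 1883 = MQTT
        return "iot"
    if "Linux" in device["os"] and 22 in device["open_ports"]:
        return "server"
    return "workstation"


def score_vulnerabilities(device: dict) -> list:
    """Look up every open port against VULN_DB; highest severity first."""
    findings = []
    for port in device["open_ports"]:
        hit = VULN_DB.get((device["os"], port))
        if hit:
            findings.append({"port": port, "desc": hit[0], "severity": hit[1]})
    return sorted(findings, key=lambda f: -f["severity"])


def reconcile(known: dict, scan: list) -> dict:
    """Split a sweep into known endpoints, new (possibly rogue) endpoints with a
    full intake record, and inventoried endpoints that did not answer."""
    new, seen = [], []
    for dev in scan:
        if dev["mac"] in known:
            seen.append(dev["mac"])
            continue
        vulns = score_vulnerabilities(dev)
        new.append({
            "mac": dev["mac"], "ip": dev["ip"], "os": dev["os"],
            "class": classify(dev),
            "vulns": vulns,
            "max_severity": max((v["severity"] for v in vulns), default=0.0),
        })
    return {"new": new, "seen": seen, "missing": sorted(set(known) - set(seen))}


if __name__ == "__main__":
    import json
    print(json.dumps(reconcile(KNOWN_ASSETS, SCAN_RESULTS), indent=2))
```

The "missing" list is worth keeping even though the text only talks about new devices: an inventoried asset that stops answering can be a decommissioned box, but it can also be a device that has moved to a segment the scanner does not cover.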
All endpoints are monitored, which means at least two things: One, it means their current configuration — firmware, OS, software, patches, security posture, and so on — is continuously checked. Also, the system is monitored for any changes, policy violations, and unauthorized file changes.
The second aspect of monitoring is to observe what endpoints are doing. Monitoring makes sure that any system or file change and access is detected and analyzed for unauthorized or malicious access or intent. This kind of monitoring can be understood as “keeping an eye out for suspicious, untoward, or malicious behavior.”
All endpoints must also be protected. To some extent, this requirement is addressed by managing device configurations so that updates and patches are kept current, and by making sure that any “drift” from baseline “safe” configuration or any policy violation is immediately flagged and analyzed for unwanted, unauthorized, or malicious incidents.
EDR systems can use small, lightweight programs called agents that run on each endpoint in the form of an application, an app, or even a kernel‐level add‐in on devices that may not support applications or apps directly. An agent provides deep and real‐time monitoring, analysis, and response. In some cases, a remote or agent‐less approach is used for discovery and less intrusive monitoring and response when an agent is not feasible, acceptable, or requires longer deployment cycles.
An EDR system monitors endpoint state changes so it can correlate those changes with system events and application logs. Such changes can include installed software, files on an endpoint, the Registry, user privileges and account information, user behavior, running processes, and open ports or communications activity.
A good EDR system uses multiple methods of detection to identify threats on endpoints:
IOC detection: This method identifies changes in the system state and compares them to known Indicators of Compromise (IOCs). Sometimes it may be necessary to send the state changes or a suspect file to a threat intelligence service for analysis and evaluation.
Anomaly detection: Changes to a system from a known good base configuration can also help to identify threats.
Behavior detection: Identifying bad, odd, or illicit behavior on a system can indicate a threat. Logging such events helps with threat identification and may identify the time when an incident occurred or began.
Policy violations: System changes (for example, scheduled maintenance or upgrades, new software installs, new users, or account changes) outside approved configuration windows may indicate a threat actor at work.
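The four detection methods above, applied in one pass over a batch of state-change events, as an added example that is not from the guide. The indicator set, the baseline service list, the office-app-spawns-shell behavior rule and the Saturday change window are all assumed placeholders; the events are constructed.

```python
# Added example (not from the guide): one detection pass that applies the four
# methods listed above to constructed endpoint state-change events. The
# indicators, baseline and change window are placeholders, not real data.
from datetime import datetime

# IOC set (constructed placeholders, not real indicators).
IOC_SHA256 = {"deadbeef" + "0" * 52 + "cafe"}
IOC_HOSTS = {"c2.example.invalid"}

# Known-good baseline: services expected to run on this host class.
BASELINE_SERVICES = {"sshd", "rsyslogd", "cron"}

# Behavior rule: office applications should not spawn a shell.
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}


def in_change_window(ts: datetime) -> bool:
    """Approved maintenance window (assumed policy): Saturdays 02:00-04:00."""
    return ts.weekday() == 5 and 2 <= ts.hour < 4


def detect(event: dict) -> list:
    """Return (method, detail) findings for a single state-change event."""
    findings = []
    kind = event["type"]
    # 1. IOC detection: match observed artefacts against indicators.
    if event.get("sha256") in IOC_SHA256:
        findings.append(("ioc", f"file hash matches IOC: {event.get('path')}"))
    if event.get("dest_host") in IOC_HOSTS:
        findings.append(("ioc", f"connection to IOC host {event['dest_host']}"))
    # 2. Anomaly detection: deviation from the known-good baseline.
    if kind == "service_start" and event["name"] not in BASELINE_SERVICES:
        findings.append(("anomaly", f"service {event['name']} not in baseline"))
    # 3. Behavior detection: odd parent/child process relationship.
    if kind == "process_spawn" and event["parent"] in OFFICE_APPS and event["name"] in SHELLS:
        findings.append(("behavior", f"{event['parent']} spawned {event['name']}"))
    # 4. Policy violation: administrative change outside the approved window.
    if kind in {"software_install", "user_add"} and not in_change_window(event["ts"]):
        findings.append(("policy", f"{kind} at {event['ts'].isoformat()} outside change window"))
    return findings


def summarize(events: list) -> dict:
    """Count findings per method across a batch of events."""
    counts = {"ioc": 0, "anomaly": 0, "behavior": 0, "policy": 0}
    for ev in events:
        for method, _ in detect(ev):
            counts[method] += 1
    return counts


# Constructed sample events. 2024-06-12 is a Wednesday, 2024-06-15 a Saturday.
SAMPLE_EVENTS = [
    {"type": "file_write", "path": "C:\\Users\\Public\\update.exe",
     "sha256": "deadbeef" + "0" * 52 + "cafe", "ts": datetime(2024, 6, 12, 9, 5)},
    {"type": "net_connect", "dest_host": "c2.example.invalid", "dest_port": 443,
     "ts": datetime(2024, 6, 12, 9, 6)},
    {"type": "service_start", "name": "rmtool", "ts": datetime(2024, 6, 12, 9, 7)},
    {"type": "process_spawn", "parent": "winword.exe", "name": "powershell.exe",
     "ts": datetime(2024, 6, 12, 9, 8)},
    {"type": "software_install", "name": "remote-tool", "ts": datetime(2024, 6, 12, 14, 30)},
    {"type": "software_install", "name": "os-patch", "ts": datetime(2024, 6, 15, 2, 30)},
    {"type": "service_start", "name": "cron", "ts": datetime(2024, 6, 15, 2, 31)},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["type"], detect(ev))
    print(summarize(SAMPLE_EVENTS))
```

Each finding keeps the event timestamp, which is what lets the later analysis pin down when an incident began; the last two sample events show the other half of the job, since a patch inside the window and a baseline service starting produce no finding at all.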
Truly understanding the scope, depth, and breadth of the threat landscape requires understanding and respecting its features and layout. This requires accurate and insightful threat intelligence.
Threat intelligence provides data that you did not already have (such as reputation scoring, attack tools, threat actors, and so on). It provides data (or analysis of that data) that helps you make more and better decisions about defence and helps you figure out what else to look for, or what proactive measures to take.
Threat intelligence is widely available from many commercial and community sources — for example, Cisco, Check Point, Palo Alto Networks, CrowdStrike, and ThreatStream, among many others. Every organization needs to decide which threat intelligence services are most suitable for it, based on criteria such as origin, freshness, speed and scale, relevance, accuracy, confidence, completeness, and consumability.
Advanced EDR systems integrate with multiple independent threat intelligence services and support concurrent feeds for automated threat detection and validation. Because threat intelligence drives EDR (and much of enterprise security defenses), these decisions are vitally important. Intelligence feeds should be an important part of the conversation with any prospective EDR system vendor.
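The concurrent-feed integration described above, as an added example that is not from the guide: indicators from two feeds are deduplicated and each is scored on three of the selection criteria named in the text (origin, freshness, confidence), with a bonus when more than one feed corroborates it. The feeds, indicators, origin weights and the 30-day staleness limit are constructed assumptions.

```python
# Added example (not from the guide): normalize and merge indicators from two
# concurrent threat-intelligence feeds, scoring each indicator on the criteria
# the text names (origin, freshness, confidence) and corroboration across
# feeds. Feeds, indicators and weights are constructed placeholders.
from datetime import datetime, timedelta

NOW = datetime(2024, 6, 15, 12, 0)   # fixed clock so results are reproducible
MAX_AGE_DAYS = 30                     # assumed policy: older indicators are stale

# Relative trust in each origin (assumed values, tuned per organization).
ORIGIN_WEIGHT = {"vendor_feed": 1.0, "community_feed": 0.8}

# Constructed feeds; confidence is 0-100 as reported by the feed itself.
FEEDS = {
    "vendor_feed": [
        {"ioc": "198.51.100.7", "type": "ipv4", "confidence": 90,
         "last_seen": NOW - timedelta(hours=2)},
        {"ioc": "bad.example.invalid", "type": "domain", "confidence": 60,
         "last_seen": NOW - timedelta(days=40)},
    ],
    "community_feed": [
        {"ioc": "198.51.100.7", "type": "ipv4", "confidence": 70,
         "last_seen": NOW - timedelta(hours=30)},
        {"ioc": "203.0.113.9", "type": "ipv4", "confidence": 40,
         "last_seen": NOW - timedelta(hours=1)},
    ],
}


def freshness(last_seen: datetime, now: datetime = NOW) -> float:
    """1.0 when just seen, decaying linearly to 0.0 at MAX_AGE_DAYS."""
    age_days = (now - last_seen).total_seconds() / 86400
    return max(0.0, 1.0 - age_days / MAX_AGE_DAYS)


def merge(feeds: dict = FEEDS, now: datetime = NOW) -> dict:
    """Deduplicate indicators across feeds and compute a 0-1 score for each."""
    merged = {}
    for origin, entries in feeds.items():
        for e in entries:
            f = freshness(e["last_seen"], now)
            score = ORIGIN_WEIGHT[origin] * (e["confidence"] / 100) * f
            rec = merged.setdefault(e["ioc"], {"type": e["type"], "sources": [],
                                               "best": 0.0, "freshest": 0.0})
            rec["sources"].append(origin)
            rec["best"] = max(rec["best"], score)
            rec["freshest"] = max(rec["freshest"], f)
    for rec in merged.values():
        # Corroboration bonus: +0.1 for every additional independent source.
        rec["score"] = min(1.0, rec["best"] + 0.1 * (len(rec["sources"]) - 1))
        rec["stale"] = rec["freshest"] == 0.0
        rec["sources"].sort()
    return merged


def ranked(feeds: dict = FEEDS, now: datetime = NOW) -> list:
    """Indicators worth loading into the EDR, best first, stale ones dropped."""
    m = merge(feeds, now)
    live = [(ioc, rec) for ioc, rec in m.items() if not rec["stale"]]
    return sorted(live, key=lambda kv: -kv[1]["score"])


if __name__ == "__main__":
    for ioc, rec in ranked():
        print(f"{ioc:22} {rec['type']:6} score={rec['score']:.3f} from={rec['sources']}")
```

Dropping stale indicators instead of merely down-weighting them is a deliberate choice here: an address that a feed last saw 40 days ago is more likely to generate false positives against reassigned infrastructure than to catch anything, and those false positives are what erode trust in automated response.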
Real‐time response means an ability to detect and respond to threats as they appear. An ideal response is fast enough to prevent any threat from establishing itself on organizational networks or having an impact on organizational assets.
The best EDR systems work with threat intelligence to stay current with the threat landscape in real‐time, and to apply best‐practice responses when a threat is recognized. For high‐risk threats, this means sending up red flags and taking automatic action where possible and feasible. Red flags are important for a variety of reasons, including establishing the time when a threat occurred, marking endpoints that may be affected, and enabling monitoring of follow‐on changes to build a threat footprint that can be used to drive future intelligence and prevent repeat occurrences.
The best response is one where automated remediation can be applied in timely fashion. This is the goal toward which all EDR systems must strive. When several things have happened — data that describes the threat has been collected, the business and technical impact has been identified, and context data has been gathered — remediation can get underway. Such remediation, which can be automated or manual, may involve the endpoint in repair routines, rollbacks, de‐installation and cleanup of rogue software, and blocking access to IP addresses or resources.
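The response gate described in the two paragraphs above, as an added example that is not from the guide: a red flag with a timestamp and the affected endpoints is always raised, automated remediation runs only once the threat description, the impact assessment and the context data are all present and the risk is high enough, and everything else goes to an analyst. The playbook step names, the risk threshold and the incident records are constructed placeholders.

```python
# Added example (not from the guide): gate automated remediation on the three
# prerequisites the text names (threat description, impact assessment, context)
# and on a risk threshold, while always raising a timestamped red flag that
# records the affected endpoints. Incidents and playbook names are constructed.
from datetime import datetime

AUTO_THRESHOLD = 8.0   # assumed policy: risk at or above this may be auto-remediated
CLOCK = datetime(2024, 6, 12, 9, 10)   # fixed "now" so the example is reproducible

# Hypothetical playbooks; each step names an action the EDR agent would carry out.
PLAYBOOKS = {
    "malware": ["isolate_endpoint", "quarantine_file", "block_ioc_addresses"],
    "rogue_software": ["uninstall_package", "cleanup_artifacts"],
    "config_drift": ["rollback_to_baseline"],
}


def ready_for_remediation(incident: dict) -> list:
    """Names of prerequisite data sets still missing (empty list = ready)."""
    return [k for k in ("threat", "impact", "context") if not incident.get(k)]


def plan_response(incident: dict, now: datetime = CLOCK) -> dict:
    """Decide between collecting more data, automatic remediation, or manual."""
    flag = {
        "raised_at": now.isoformat(),
        "endpoints": sorted(incident.get("context", {}).get("endpoints", [])),
        "first_seen": incident.get("threat", {}).get("first_seen"),
    }
    missing = ready_for_remediation(incident)
    if missing:
        return {"mode": "collect", "missing": missing, "red_flag": flag, "actions": []}
    actions = PLAYBOOKS.get(incident["threat"]["category"], [])
    risk = incident["impact"]["risk"]
    mode = "automatic" if risk >= AUTO_THRESHOLD and actions else "manual"
    return {"mode": mode, "red_flag": flag, "actions": actions}


# Constructed incidents.
INCOMPLETE = {
    "threat": {"category": "malware", "first_seen": "2024-06-12T09:05:00"},
    "context": {"endpoints": ["wks-alice"]},
}
HIGH_RISK = {
    "threat": {"category": "malware", "first_seen": "2024-06-12T09:05:00"},
    "impact": {"risk": 9.2, "business_unit": "finance"},
    "context": {"endpoints": ["wks-bob", "wks-alice"], "ioc_addresses": ["198.51.100.7"]},
}
LOW_RISK = {
    "threat": {"category": "rogue_software", "first_seen": "2024-06-12T14:30:00"},
    "impact": {"risk": 3.5, "business_unit": "marketing"},
    "context": {"endpoints": ["wks-carol"]},
}

if __name__ == "__main__":
    for inc in (INCOMPLETE, HIGH_RISK, LOW_RISK):
        print(plan_response(inc))
```

The red flag is built before the readiness check on purpose: even an incident that is still being enriched already has a first-seen time and a set of endpoints to watch, which is the footprint the text says should drive follow-on monitoring.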
Numerous threat intelligence exchanges facilitate response automation, so enterprises must develop processes that make it possible to implement automated responses whenever possible. Responding to less straightforward threats requires a bit more work.
A security policy states clearly what must be done to protect digital information. A properly crafted policy states in writing what to do, so that how it gets done can be established, and then measured or audited. Security policy also protects people in an organization, recognizing that decisions or actions in situations where information is at risk also involve personal liability for the corporate officers involved.
The areas that a security policy is meant to address are clearly spelled out in the SANS document; this alone makes it worth reading:
All in all, a well‐constructed security policy lays out the blueprint for implementing and practicing security within an organization. Any violation of these policies should be monitored and prioritized for analysis and response because these can be the mechanism that makes early detection of an impending or ongoing breach possible!
Good EDR implementation requires that we quickly identify new endpoints as they appear on an organization’s networks. Such systems generally make an inventory of what’s installed on each endpoint device including some or all of the following: firmware, operating system, applications, and communication software, along with the versions and updates or patches applied to these various components.
Baselining is a key concept in cybersecurity. It refers to establishing a detailed sense of what’s “normal” and “safe” for systems and devices to ensure a secure environment. This notion of what’s “normal” can be essential when monitoring systems, because it provides something against which to compare current state, configuration, and activity, and often allows threats to be detected by inference even when no direct evidence or means of recognition is available or known.
Baselining endpoints establishes a point of reference for subsequent monitoring and management. Like everything else in the security world, baselines must change when what’s “normal” changes. Thus, it’s best to think of a baseline as a snapshot of the ideal or desired state of an endpoint, which must be refreshed whenever changes are made by intent or design (adding or updating the OS or software, applying patches or fixes, adding or changing network services or configuration, and so forth and so on).
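The baseline lifecycle described above, and the configuration monitoring for "drift" covered earlier in the guide, as one added example that is not from the guide: a baseline is a set of hashes over an endpoint's configuration items, it is refreshed when a change is made by intent (here, a patch cycle), and the live state is then compared against it with a severity attached to the items that matter most. The configuration dictionaries and the set of critical keys are constructed; nothing is read from a real host.

```python
# Added example (not from the guide): snapshot an endpoint's configuration as a
# baseline, refresh it after an intended change, and report drift of the live
# state against it with a severity for the keys that matter most. States below
# are constructed dictionaries; no real host is read.
import copy
import hashlib
import json

# Keys whose drift is treated as security-relevant rather than routine (assumed).
CRITICAL_KEYS = {"/etc/ssh/sshd_config", "local_admins", "services"}


def fingerprint(state: dict) -> dict:
    """SHA-256 of each item's canonical JSON, so baselines store no raw content."""
    return {k: hashlib.sha256(json.dumps(v, sort_keys=True).encode()).hexdigest()
            for k, v in state.items()}


class Baseline:
    def __init__(self, state: dict):
        self.version = 1
        self.hashes = fingerprint(state)

    def refresh(self, new_state: dict) -> None:
        """Call after an intended change (patch, OS update, new service)."""
        self.hashes = fingerprint(new_state)
        self.version += 1

    def drift(self, current: dict) -> dict:
        """Keys added, removed or changed relative to the baseline."""
        cur = fingerprint(current)
        return {
            "added": sorted(set(cur) - set(self.hashes)),
            "removed": sorted(set(self.hashes) - set(cur)),
            "changed": sorted(k for k in cur if k in self.hashes and cur[k] != self.hashes[k]),
        }

    def audit(self, current: dict) -> list:
        """Flag each drifted key with a severity an analyst can triage on."""
        d = self.drift(current)
        findings = []
        for kind in ("added", "removed", "changed"):
            for key in d[kind]:
                sev = "critical" if key in CRITICAL_KEYS else "review"
                findings.append({"key": key, "drift": kind, "severity": sev})
        return findings


# Constructed states.
GOLDEN = {
    "os_version": "22.04.3",
    "packages": {"openssh-server": "9.0", "rsyslog": "8.2"},
    "services": ["cron", "rsyslogd", "sshd"],
    "/etc/ssh/sshd_config": "PermitRootLogin no\nPasswordAuthentication no\n",
    "local_admins": ["root"],
}
PATCHED = copy.deepcopy(GOLDEN)             # intended change: patch cycle
PATCHED["os_version"] = "22.04.4"
PATCHED["packages"]["openssh-server"] = "9.3"

SUSPECT = copy.deepcopy(PATCHED)            # unintended change after patching
SUSPECT["/etc/ssh/sshd_config"] = "PermitRootLogin yes\nPasswordAuthentication yes\n"
SUSPECT["local_admins"] = ["root", "svc_backup"]
SUSPECT["/tmp/.cache"] = "unexpected file"

if __name__ == "__main__":
    b = Baseline(GOLDEN)
    print("after patching, before refresh:", b.drift(PATCHED))
    b.refresh(PATCHED)
    print("baseline v%d, drift now:" % b.version, b.drift(PATCHED))
    for f in b.audit(SUSPECT):
        print(f)
```

The order matters: if the baseline were not refreshed after the patch cycle, every later comparison would keep reporting the OS and package changes, and the genuinely interesting sshd_config and local_admins drift would sit in the same pile of noise.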
A list of tasks you should complete before you can choose and deploy an EDR system:
Choosing an EDR Solution
Of the many factors and items that should be in that list, the following are among the most important:
EDR is a never‐ending journey because of the sheer volume of ever‐changing threats with which organizations must contend. Some studies show that anywhere from hundreds of thousands to a million or more new threats manifest each day. This massive volume of threats requires constant vigilance and automation around endpoint state, configuration, and behavior. Reducing security risks requires attention to threat intelligence and correlating that information with careful attention to key files, objects, and configuration settings.
That’s why EDR involves a constant, ongoing round of activity. For threats that have already been detected, responses must be formulated and enacted. Once enacted, this information feeds into the prevention cycle to keep similar threats from recurring. In addition, there’s a constant need to stay alert for signs of new threats, and to make sure detection is working as it should be, starting the whole cycle over again.