Thursday, September 29, 2016

Endpoint Advanced Protection: The Endpoint Protection Lifecycle

As we get back to our Endpoint Advanced Protection series, let’s dig into the lifecycle we alluded to at the end of the intro post. We laid out a pretty straightforward set of activities required to protect endpoint devices. Though to be clear, just because it’s straightforward, doesn’t mean it’s easy to do.

The reality is that at some point you have to decide where endpoint protection starts and where it ends. Additionally, figuring out how it integrates with the other defenses you use in your environment is critical, because we know that today’s attacks require more than a single control; they require an integrated system to protect the devices. The other caveat we’ll add before we jump into the lifecycle is that we are actually trying to address the security problem here, not a compliance problem. We aim to actually protect the devices from advanced attacks. Yes, that is a very aggressive objective, and some would say probably crazy given the rate of change in adversary sophistication. But all the same, we wouldn’t be able to sleep at night accepting mediocrity in our defenses, and we figure you are similar – so we’ll aspire to this lofty goal.

Lifecycle

  1. Gaining Visibility: You cannot protect what you don’t know about — that hasn’t changed and isn’t about to. So the first step is gaining visibility into all the devices that have access to sensitive data within your environment. It’s not enough to just find the devices, you need to assess and understand the risk associated with the devices. And although we’ll focus most of our efforts on more traditional computing devices, smartphones and tablets count because they are increasingly being used to gain access to corporate networks.
  2. Reducing Attack Surface: Once you know what’s out there, you want to make it as difficult as possible for the attacker to compromise those devices. That means practicing good hygiene on the devices, making sure they are properly configured, patched and monitored. And yes, we are aware that many organizations aren’t the best when it comes to operational excellence, but you’ll find protection to be more effective if you get rid of the low hanging fruit making it easy for the attackers.
  3. Preventing Threats: Next you try to stop successful attacks. Despite continued investment and the promise of better results, the reality is still less than stellar. And with new attacks like ransomware making a compromise worse, the stakes are getting higher. Technology continues to advance, but there still isn’t a silver bullet that prevents every attack. It is now a question of reducing your attack surface as much as is practical. If you can stop the simplistic attacks, you can focus on the advanced ones.
  4. Detecting Malicious Activity: You cannot prevent every attack, so you need a way to detect attacks after they penetrate your defenses. There are a number of different options for detection — most based on watching for patterns that indicate a compromised device, but there are many other indicators that can provide clues as to a device being attacked. The key is to shorten the time between when the device is compromised and when you realize it.
  5. Investigating and Responding to Attacks: Once you determine a device has been compromised you need to verify the successful attack, determine your exposure, and take action to contain the damage as quickly as possible. This typically involves a triage effort and quarantining the device, then moving to a formal investigation, including a structured process to gather forensic data from devices, establishing an attack timeline to determine the root cause of the attack, an initial determination of any potential data loss, and a search to determine how widely the attack spread within your environment.
  6. Remediation: After the attack has been investigated you can put a plan in place to recover. This might involve cleaning the machine or re-imaging it and starting over again. This step can leverage ongoing hygiene tools (such as patch and configuration management) because there is no purpose to reinventing the wheel relative to additional tools to do activities already within the organization’s operational capabilities.

Gaining Visibility

You need to know what you have, how vulnerable it is, and how exposed it is. With this information you can prioritize your exposure and design a set of security controls to protect it. You start by understanding what an adversary would be interested in within your environment. To be clear, there is something of interest in every organization. It could be as simple as compromising devices to launch attacks on other sites, or as focused as gaining access to your environment to steal your crown jewels. When trying to understand what an advanced attacker will probably come looking for, there is a fairly short list, including intellectual property, protected customer data, and business operational data (proposals, logistics, etc.).

Once you understand the potential targets you can begin to profile adversaries likely to be interested in them. The universe of likely attacker types hasn’t changed much over the past few years. You’re facing attacks from a number of groups across the sophistication continuum. These start with unsophisticated attackers (which may include a 400 pound hacker in a basement), organized crime, competitors, and/or state-sponsored adversaries. Understanding likely attackers provides insight into their tactics, which enables you to design and implement security controls to address the risks. But before you can design a security control set, you need to understand where the devices are, as well as their vulnerabilities.

Discovery

This process finds the devices accessing critical data and makes sure everything is accounted for. This simple function helps avoid “oh crap” moments, as it’s no good to stumble over a bunch of unknown devices with no idea what they are, what they have access to, or whether they are cesspools of malware.

A number of discovery techniques are available, including actively scanning your entire address space for devices and profiling what you find. This works well enough and is traditionally the main method of initial discovery. You can supplement active discovery with a passive discovery capability, which monitors network traffic and identifies new devices based on network communications. Depending on the sophistication of the passive analysis, devices can be profiled and vulnerabilities can be identified, but the primary goal of passive monitoring is to find new unmanaged devices faster. Passive discovery is also helpful for identifying devices hidden behind firewalls and on protected segments which active discovery cannot reach.
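The passive side of that discovery process is easy to see in code. The following is an added example (not code from the original post or from Securosis): it reconciles device addresses seen in constructed network observations against a constructed managed-asset inventory and reports the unmanaged devices, noting which of them already talked to a host holding sensitive data. The observation line format, the inventory, the hostnames and the sensitive-host list are all assumptions for the example.

```python
"""Passive endpoint discovery reconciled against an asset inventory.

Added example, not from the original post.  Every record below is
constructed; the observation format is an assumption, not any real
sensor's output.
"""
from datetime import datetime

# Constructed managed-asset inventory: MAC address -> asset record.
# Hostnames and owners are hypothetical.
INVENTORY = {
    "aa:bb:cc:00:00:01": {"hostname": "fin-laptop-01", "owner": "finance"},
    "aa:bb:cc:00:00:02": {"hostname": "eng-ws-07", "owner": "engineering"},
    "aa:bb:cc:00:00:03": {"hostname": "hr-laptop-04", "owner": "hr"},
}

# Constructed passive observations as a sensor on a span port might emit
# them: timestamp, source MAC, source IP, destination IP, destination port.
OBSERVATIONS = """\
2016-09-29T08:01:12 aa:bb:cc:00:00:01 10.1.4.21 10.1.0.5 445
2016-09-29T08:02:40 aa:bb:cc:00:00:02 10.1.4.22 10.1.0.9 443
2016-09-29T08:03:05 aa:bb:cc:00:00:99 10.1.4.77 10.1.0.5 445
2016-09-29T08:03:44 aa:bb:cc:00:00:99 10.1.4.77 10.1.0.9 443
2016-09-29T08:05:10 aa:bb:cc:00:00:01 10.1.4.21 10.1.0.9 443
2016-09-29T08:06:30 aa:bb:cc:00:00:42 10.1.4.90 10.1.0.5 445
"""

# Constructed list of hosts holding sensitive data, used to flag which
# unknown devices actually reached something that matters.
SENSITIVE_HOSTS = {"10.1.0.5": "file-server"}


def parse_observation(line):
    """Parse one observation line into a dict; return None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, mac, src_ip, dst_ip, dst_port = parts
    try:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
        port = int(dst_port)
    except ValueError:
        return None
    return {"when": when, "mac": mac.lower(), "src_ip": src_ip,
            "dst_ip": dst_ip, "dst_port": port}


def passive_discovery(observations, inventory, sensitive_hosts):
    """Return {mac: summary} for devices seen on the wire but absent from
    the inventory.  Each summary records first/last sighting, the IPs the
    device used and which sensitive hosts it contacted."""
    unmanaged = {}
    for raw in observations.splitlines():
        obs = parse_observation(raw)
        if obs is None or obs["mac"] in inventory:
            continue  # malformed line, or a device we already manage
        entry = unmanaged.setdefault(obs["mac"], {
            "first_seen": obs["when"], "last_seen": obs["when"],
            "ips": set(), "sensitive_contacts": set()})
        entry["first_seen"] = min(entry["first_seen"], obs["when"])
        entry["last_seen"] = max(entry["last_seen"], obs["when"])
        entry["ips"].add(obs["src_ip"])
        if obs["dst_ip"] in sensitive_hosts:
            entry["sensitive_contacts"].add(sensitive_hosts[obs["dst_ip"]])
    return unmanaged


if __name__ == "__main__":
    found = passive_discovery(OBSERVATIONS, INVENTORY, SENSITIVE_HOSTS)
    for mac, info in sorted(found.items()):
        flag = "TOUCHED SENSITIVE DATA" if info["sensitive_contacts"] else ""
        print(f"{mac} first={info['first_seen']:%H:%M:%S} "
              f"ips={sorted(info['ips'])} {flag}")
```

Running it lists the two MACs that are not in the inventory, both of which reached the file server, which is exactly the "oh crap" moment the post describes; keying on the MAC rather than the IP keeps a DHCP lease change from looking like a new device.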

As if you needed complications, this cloud and mobility thing that everyone keeps talking about does make discovery a bit more challenging. Embracing software as a service (SaaS), as pretty much everyone has, means that you may never get a chance to figure out exactly which devices are accessing critical resources. For these devices that don’t need to go through the corporate network, you’ll need to use other means to ensure they are properly protected. That may involve a trigger upon authentication to a SaaS service, or possibly having the endpoint protection capability leverage the cloud and phone home to relay telemetry about the device to a central management function. We’ll dig into these new (and emerging) use cases when we discuss detection and forensics.

Assessment

Once you know what’s out there you need to figure out how vulnerable it is. That typically requires some kind of vulnerability scan on the devices you discovered. Key features to expect from your assessment function include:

  • Device/Protocol Support: Once you find an endpoint you need to determine its security posture. Compliance demands that we scan all devices with access to private/sensitive/protected data, so any scanner should assess all varieties of devices running in your environment that have access to this critical data.
  • External and Internal Scanning: Don’t assume adversaries are purely external or purely internal — you need to assess devices from both inside and outside your network. Look for a scanner appliance (which might be virtualized) to scan your environment from the inside. You will also want to monitor your IP space from the outside (either with a scanner on the outside of your network or cloud service) to identify new Internet-facing devices, find open ports, etc.
  • Accuracy: False positives waste your time, so verifiable accuracy in scan results is key. Also pay attention to the ability to get prioritized results. Some vulnerabilities are more equal than others, so being able to identify the ones truly presenting risk to the organization is critical.
  • Threat Intelligence: The adversaries move fast and come up with new attacks daily. You’ll want to ensure you factor new indicators into the assessment of security posture.
  • Scale: You likely have many endpoints. Today’s large enterprises can have hundreds of thousands (if not millions) of devices that require assessment. Also make sure the tool has the ability to assess devices that aren’t always on the corporate network, smartphones/tablets, and potentially resources residing in the cloud (like a desktop virtualization service).

The assessment provides perspective on how the specific device is vulnerable, but that doesn’t necessarily equate to risk. You presumably have a bunch of defenses in place on the network in front of your endpoints, so attackers may not be able to reach a vulnerable device. So you’ll need to factor that probability into the prioritization of the vulnerable devices.
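The prioritization step, folding reachability and threat intelligence into raw scan severity, is small enough to show end to end. This is an added example (not code from the original post or from any scanner product): it takes constructed scan findings with CVSS base scores, a constructed device list with a network-exposure factor per segment, and a constructed known-exploited feed, and ranks the findings by the resulting risk. The exposure factors, multipliers, device names and finding identifiers are all assumptions; the finding ids are placeholders, not real CVE numbers.

```python
"""Risk-based prioritisation of vulnerability scan findings.

Added example, not from the original post.  Combines per-finding
severity with a threat-intel (known-exploited) flag and the network
exposure of the host the finding sits on, so a critical finding on a box
no attacker can reach ranks below a lesser one on an Internet-facing
device.  All weights and records below are constructed assumptions.
"""

# Exposure factor per network segment: an assumed estimate of the
# probability that an attacker can reach a device through the defenses
# in front of it (1.0 = directly reachable).
EXPOSURE = {
    "internet_facing": 1.0,
    "user_segment": 0.6,      # reachable from a compromised workstation
    "isolated_segment": 0.2,  # behind an internal firewall, no direct path
}

# Constructed device records (hypothetical hostnames).
DEVICES = {
    "web-01": {"segment": "internet_facing", "sensitive_data": False},
    "fin-laptop-01": {"segment": "user_segment", "sensitive_data": True},
    "scada-hmi-02": {"segment": "isolated_segment", "sensitive_data": True},
}

# Constructed findings: (device, placeholder finding id, CVSS base score).
FINDINGS = [
    ("web-01", "FINDING-A", 7.5),
    ("fin-laptop-01", "FINDING-B", 9.8),
    ("scada-hmi-02", "FINDING-C", 10.0),
    ("fin-laptop-01", "FINDING-D", 5.3),
]

# Constructed threat-intel feed: finding ids seen exploited in the wild.
KNOWN_EXPLOITED = {"FINDING-A", "FINDING-D"}


def risk_score(cvss, segment, sensitive_data, exploited):
    """Scale CVSS by reachability, then bump for active exploitation and
    for hosts that hold sensitive data.  Multipliers are assumptions."""
    score = cvss * EXPOSURE[segment]
    if exploited:
        score *= 1.5
    if sensitive_data:
        score *= 1.25
    return round(score, 2)


def prioritize(findings, devices, known_exploited):
    """Return findings as dicts sorted highest risk first."""
    ranked = []
    for device, fid, cvss in findings:
        dev = devices[device]
        score = risk_score(cvss, dev["segment"], dev["sensitive_data"],
                           fid in known_exploited)
        ranked.append({"device": device, "finding": fid,
                       "cvss": cvss, "risk": score})
    # Tie-break on raw CVSS, then on id, so the order is deterministic.
    ranked.sort(key=lambda r: (-r["risk"], -r["cvss"], r["finding"]))
    return ranked


if __name__ == "__main__":
    for row in prioritize(FINDINGS, DEVICES, KNOWN_EXPLOITED):
        print(f"{row['risk']:6.2f}  cvss={row['cvss']:4.1f}  "
              f"{row['device']:14s} {row['finding']}")
```

With these inputs the CVSS 10.0 finding on the isolated segment drops to the bottom of the list while the 7.5 on the Internet-facing host, which the feed says is being exploited, comes out on top; that reordering is the whole point of factoring reachability into the assessment rather than sorting by severity alone.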

It may not be as sexy as advanced detection or cool forensics technology, but these assessment tasks are necessary before you can even start thinking about building a set of controls to prevent advanced attacks. In the next post, we’ll dig into reducing attack surface and new and updated technologies that can help prevent the endpoint attacks in the first place.

- Mike Rothman
