5 Steps to Mitigate Endpoint Security Incidents
Endpoint security may be the best investment you have ever made. According to a Ponemon survey (The 2017 State of Endpoint Security Risk), an organization’s average cost for attacks that managed to breach endpoint security was $5 million.
In this article, we will look at what you need to know about endpoint security in order to develop a workable strategy to mitigate endpoint-related incidents.
What Is Endpoint Security?
In IT, an endpoint is a device – a computer, mobile or wireless device, server and so on – that has a remote connection to a network and is a potentially vulnerable access point or gateway to a network.
Endpoint security involves creating policies that lay down the rules with which devices must comply before they can access network resources. Endpoint security is particularly important today as more and more organizations adopt BYOD, increasing the number of devices presenting a risk to the network. And traditional antivirus protection is no longer sufficient to protect endpoints and organizations.
The four essentials of an effective endpoint security strategy are:
- Discovery (and Inventory): Discovery and vulnerability scanning tools can help you inventory your network assets and unprotected endpoints, and assist you in drawing up a security requirements plan
- Monitoring (and Threat Hunting): A centralized endpoint management tool will enable automated, consistent monitoring of the network and should include active threat hunting software
- Protection: While antivirus is not sufficient on its own as an endpoint security strategy, implementing an advanced anti-malware application is still absolutely necessary
- Response (and Alerting): Your network management tool must include the capability for instant remediation in the event of a breach. You will also need a written incident response policy
Important Steps to Mitigate Cybersecurity Incidents
An endpoint security strategy is just one part of an organization’s bigger cybersecurity picture. Endpoints do not operate in a vacuum; patching your operating system, performing daily backups and educating your users will all contribute to bolstering your endpoint security.
A document developed by the Australian Signals Directorate (ASD) provides an excellent overview of all the steps you need to take to bolster the security of your entire system, including its endpoints. The list is comprehensive and gives a sobering overview of the challenges your IT security employees need to address.
According to a Kaspersky Lab article, the ASD directorate is “the best publicly available guidelines from a government organization on how to successfully fight APTs.”
In an innovative approach to developing security foci, Kaspersky summarizes the ASD’s strategies (what we have labeled steps) by four logical types. Next to each type below, we suggest an example of an application of this strategy, applicable to endpoint security:
- Administrative: Training and security awareness: A 2016 survey of security professionals found that negligent employee behavior when it came to following organizations’ security rules and procedures was the biggest endpoint security threat
- Networking: Network segmentation can prevent unauthorized traffic from spreading across a breached network and affecting other endpoints
- System administration: Software patching. A new trend in endpoint security threats is the fileless attack. According to McAfee, the best protection is keeping your software up-to-date
- Specialized security administration: Endpoint Detection and Response (EDR) software to find vulnerabilities before a breach occurs
5 Strategies to Mitigate Endpoint Incidents
Professional endpoint security solutions usually provide the software to help you implement the below strategies, but there are also free and open-source tools to help you get started. It is recommended that you initially use a free tool to map the endpoints on your network in order to get a better understanding of your security requirements. A specialist tool can later do a more detailed scan.
- Network analysis: You can’t protect an endpoint you don’t know is there. In the industry, this is called a dark endpoint, rogue access point or blind spot. You can use an automated network discovery tool to inventory your endpoints, identify who is accessing them and what software they are running
- Brush up on modern endpoint security techniques: DLP, EDR, NAC, HIPS … Do you know what these techniques are all about? Read more below
- Research specialized endpoint security solution options: There are many professional endpoint security suites on the market. It can be confusing. Learn what to ask a vendor before you select a solution. Solution Review provides some tips below
- Prioritize automated endpoint detection and response (EDR): EDR should be the cornerstone of your strategy as, among other things, it proactively hunts for potential threats
- Implement an endpoint security policy: This should be a written document that describes the software and hardware your company has employed to protect network endpoints. It should also provide security guidelines for employees, e.g., how to secure their BYOD endpoints
Modern Security Techniques
When you choose an endpoint solution, ask your vendor whether their product includes the following layers of protection:
- Host-Based Intrusion Prevention System (HIPS): Incorporates intrusion detection and firewall elements to alert users to attempted malicious activity and prevent it being carried out. It protects your network from known and unknown cyber-attacks by monitoring code for suspicious activity on a host. For example, a HIPS might notice that code is being executed to try and shut down your anti-virus and prevent it from doing so
- Data Loss Prevention (DLP): Designed to help network administrators prevent sensitive information from being sent outside a network, e.g., emails or files
- Network Access Control (NAC): Enforces policies that define who can have access to a network and what privileges they have. For example, NAC can ensure compromised endpoints are shut down in the event of an incident
- Endpoint Detection and Response (EDR): A one-stop solution that allows administrators to monitor networks, detect and investigate possible threats, and respond to attacks. EDR utilizes complex analytic algorithms to provide constant visibility into the network from a centralized portal. Top EDRs allow integration with third-party tools, enabling organizations to customize their endpoint security strategy and align it with their existing security software
Specialized Endpoint Security Solutions
Specialist, reputable endpoint solution vendors include Check Point, Comodo, Symantec, Kaspersky and McAfee. The problem is not the price but deciding which solution to run with. The above products are largely similar; they are just marketed differently.
The Check Point solution provides an example of what basic features you should be looking for to protect your endpoints:
- Ability to encrypt entire disks, removable devices and ports
- Advanced antivirus and anti-malware software
- Intelligent behavioral analysis and reporting
- Remote access VPN for employees on the road
- An advanced firewall and compliance checking ability to ensure endpoint behavior is in accordance with your organization’s security policies
- Sandbox isolation and quarantine of threats and compromised hosts
- An endpoint policy management dashboard that provides maximum visibility into all security areas in the company and allows for immediate remediation in the event of an incident
Solutions Review’s Endpoint Security Buyer’s Guide (paywall) is a guide to choosing an endpoint solution from the most popular vendors. The downloadable PDF includes tips on what you should ask your potential new provider:
- Does the product’s core functionality – anti-malware, firewall and device control – feature the latest techniques, such as behavioral detection?
- Is the solution platform- and OS-agnostic?
- Does it have a centralized management console that can provide a granular view of your data?
- How does it react to unexpected threats, such as Zero Day?
- What support does the vendor offer?
Free Endpoint Security Tools
Bearing in mind that you (hopefully) have security software and policies in place, it might be a good idea to try before you buy and explore your options. This will give you a high-level view of your current endpoint security situation and help you learn more about your network, the devices connected to it and what the best solution for your requirements might be.
- Use Shodan to identify any unprotected internet-connected devices on your network
- Try PacketFence, a free Network Access Control (NAC) solution
- Experiment with a solution that offers a trial evaluation. eSecurity Planet has done all the research. Also, check out SecureAPlus, DeviceLock and Comodo
- Two network discovery tools to try out are Open-AudIT and NetSurveyor
- Nmap is a popular and powerful open-source network mapper
- OPSWAT is a free endpoint security scanner that includes networking mapping and anti-malware
- Kismet is a penetration testing tool used to test a network for vulnerabilities
Endpoint Security Awareness
Endpoint security is a changing landscape, in the words of Infosec Institute. For this reason, organizations need to keep up to date with the latest security techniques and technologies and ensure they do not neglect other security areas (such as insider threats) which may affect endpoint security.
Regular security training and education is vital. To get your developers started, share How to write insecure code with them. It may just be the catalyst to get your employees talking about security and becoming more aware of endpoint vulnerabilities!
Strategies to Mitigate Cyber Security Incidents – Mitigation Details, Australian Government
Fileless attacks, McAfee
How to write insecure code, OWASP
Read More at InfoSec Institute
All you need to know about Network Discovery Tools