Essentials for Endpoint Security and the Modern Workforce

At the start of 2020, remote work went from possible, to essential. This caused a rising tide of endpoints for the IT team to manage and protect. While the quick response was necessary, it did cause many organizations to lose a degree of control over devices accessing their network. It also led to an increase in threats to the organization via endpoints.

Now that it’s safe to return to the office, employers are learning how true it is that you can’t unring a bell.

The workforce adapted and embraced their employers’ need for continued productivity during the pandemic — and responded by closing the gap between their work and home lives. Now, much of that same remote work population doesn’t see an incentive to return to a daily grind of commute and cubicle cohabitation. Some employers are acknowledging this by adapting a hybrid work model, with days in the office combined with days working from home.

And what is true for workers is also true for customers.

The pandemic pushed organizations to provide and improve e-commerce. Customers adapted to shopping and interacting online for things that had traditionally always occurred in brick-and-mortar locations. Some shoppers are eager to return to the storefront—but not all. While the complexities of engaging customers and retaining staff are under the direction of other business units, for the IT team it signals the end of thinking about security using the perimeter model.

IT professionals need to understand what assets they own, what assets (owned or not) touch their network, which assets can be easily managed, and which ones can’t. All of which requires visibility. And visibility — with an ever-changing definition — has been an industry challenge for years. With the move to remote work in 2020, it’s been difficult to comprehend how to get the full scope of visibility needed.

Visibility is identified as a leading endpoint security challenge. But what should network and endpoint visibility look like today? Organizations need to be able to answer these questions:

• What endpoints are connecting to the network, including IoT devices?

• Where are these endpoints located?

• Who owns each endpoint?

• When are the endpoint connections occurring?

• Why are the endpoints connecting?

An asset audit can help you to realign your awareness of the devices on your network. In our experience, it’s not uncommon for organizations to discover 20 to 30 percent more devices than they were currently tracking. From a visibility standpoint, that number is staggering. If you aren’t able to answer the questions above, a discovery and audit process may be your most important next step.

Cloud, colocation, remote access and branch locations significantly impact network access and security. Audits can produce some surprising results. We have worked with clients who thought they had a clear understanding of all network-connected devices, only to discover through an audit that this wasn’t the case.

Consider this example from the field. During a client network visibility engagement, the audit process identified a set of servers that had been left running long after the project was defunct. How did it happen? A data center failover occurred shortly after the project was terminated. In the failover, the backup servers were restarted and moved back into production for months without the client knowing. It’s a simple fact — you can’t manage or secure something you don’t know about, and in complex, digital environments things can easily slip through the cracks.

Organizations are staring to find real benefits from tracking endpoints in a configuration management database (CMDB). But this only helps if the information in the CMDB is reliable and up to date. Not all devices can be managed in the same way or with complete control. But this shouldn’t stop you from being able to identify each of them.

It’s important to encompass activity across the enterprise when identifying endpoint network access. From the scanning of a badge to automated temperature checks for entry, IoT devices are now part of the modern business landscape and likely to be accessing critical data.

Discovering and managing all assets, including IoT devices and rogue assets not authorized by IT, must be in play. Tracking these endpoints in a configuration management database (CMDB) is essential. You can’t manage or secure something you don’t know about or can’t find.

Whether your CMDB involves one tool or multiple, you must be able to accurately — and within a required timeframe — identify all assets touching your network and accessing your data. Only then can you begin the task of securing them. Visibility must be first and foremost in every CISO’s mind when securing endpoints.

Another cornerstone to securing the endpoints of a modern perimeter is patching. Patching isn’t very glamourous — it’s unlikely to win anyone a commendation even when done well, and it makes for a pretty boring topic of conversation. But the stakes are high if patching is incomplete. Some of the top data breaches in the past year have been directly linked to incomplete patching.

Patching is security 101. It is a mission-critical component of your security program and should be treated like one. Boring and mundane? Maybe, but do you really want the “excitement” that comes with the exploitation of a missed patch?

Depending on the organization’s size, patch management may be executed with an endpoint management tool alone or alongside a vulnerability scanning solution. Vulnerability scanners help find issues with applications, operating systems for servers and end-users, and often IoT devices. Without a vulnerability scan, you are much more likely to fall victim to a cyberattack.

Once discovered, vulnerabilities are made public by vendors and others to alert users to security issues that create attack doorways. Both sides of the battle are getting that information at the same time. How and when this information is leveraged makes all the difference.

Attackers can use it as a blueprint to gain access. You can use it as a top-level alert requiring immediate action. The winner in this scenario is the one who responds the fastest.

But when it comes to how and when a vulnerability is released, attackers generally have the advantage. For black-hat hackers, finding and exploiting vulnerabilities is their full-time job. They want to find and exploit these vulnerabilities in as many locations as possible before discovery.

The moment the exploited vulnerability is discovered, it becomes a zero-day vulnerability (the day it is first known) and impacted vendors typically rush to issue a patch for the problem or provide indicators of compromise (IoCs) to detect it with a vulnerability scan.

Most organizations have multiple vendors and multiple solutions to contend with as they work to maintain a healthy patching practice. This includes vendors or applications, hardware and operating systems. When these vendors release a patch, it’s generally identified using their unique severity score system. Some use Fatal, Critical and Minor, while others use High, Medium and Low or possibly Level 1, 2 or 3. These disparate rankings mean that admins for these tools spend valuable time prioritizing patches based on risk and SLAs.

Meanwhile, the team responsible for vulnerability scanning is reporting identified issues using the Common Vulnerability Scoring System (CVSS), an industry-standard ranking for vulnerabilities in software and hardware using an assigned risk number, the Common Vulnerabilities and Exposures (CVE) number. This number rises from 1.0 to 10.0 based on criteria that includes the level of access allowed, ease of revocation, and the likelihood of the vulnerability being exploited. The use of this system is a good thing, but the admins for other tools struggle to match CVSS reporting with the alerts provided by their various tools.

The larger the organization, the more complex this can get and the more teams likely to be involved. If, for example, the security team passes the vulnerability scan results on to the endpoint management team, there needs to be an easy way to align this information to the vulnerabilities identified by the endpoint tools using a different rating system.

Endpoint management and control tools that use the CVSS and CVE numbers can help your team quickly align the results of your vulnerability scan with your endpoint solution. They now have a clearer path for translating scan results to patch “content” for deployment and remediation. This uniform ranking methodology helps to break down siloed activities that can impact the effectiveness of your endpoint security program. 

When selecting a modern endpoint management and control solution, look for one with this feature built-in or one that interfaces with solutions that map vulnerabilities to specific patch content. This process is extremely valuable because it reduces the time to remediate and gives you a better chance of winning the race against attackers.

With the workforce shifting to remote work from home, many organizations were forced to update or change their VPN strategy due to bandwidth constraints. This led to the inability to perform network-based vulnerability scanning on remote devices. Closing this gap remains a struggle. Most legacy scanning tools can’t handle remote devices, and this hampers efforts to maintain basic hygiene. If you have a legacy scanning tool and remote work is going to remain a regular part of the staff landscape in your organization, it’s probably time to re-think your strategy to handle vulnerabilities on end-user devices.

Signature-based anti-virus (AV) solutions use a known attack list built and supplied by the AV vendor that captures attack file signatures into definitions available for customers to push out to their endpoints. In the 1990s, this was really all that was needed.

Fast-forward to today’s attack environment. While signature-based AV is more effective than you might think, it’s not precise, and unlike horseshoes or hand-grenades, close isn’t good enough. Viruses now develop and mutate so quickly that keeping endpoints current with vendor-provided definitions doesn’t move fast enough.

The evolution of the next-generation anti-virus (NGAV) solutions helped to close that gap with non-signature-based solutions. Some NGAV vendors claim a 99-plus percent effectiveness rate. How are they achieving this? NGAV adds context to the detection process. Files, processes, applications and network connections are all considered when identifying data with malicious intent, behaviors and activities.

Artificial intelligence (AI) and machine learning (ML) play a role in this improved process. NGAV vendors have AI rules that can examine millions of attack vectors and defined patterns. Once detected, the attack process is stopped and quarantined quickly. NGAV vendors generally only update their patterns a few times each year because of their effectiveness against attackers.

Attackers continually evolve their processes and targeted attack vectors. They have created AI-based engines that target NGAVs. A perfectly protected NGAV today is breached tomorrow. Staying ahead of the attackers is essential to ensure there isn’t a door left open.

For a compromised endpoint, the nuclear response of reformatting the hard drive and reinstalling a corporate image seems like the best course of action. Unfortunately, this action also wipes out evidence of the attack, making it unlikely that you will be able to determine the point of entry. Without the necessary information to block this attack, it can occur again on this endpoint and others.

Before going this route, be sure to capture the information necessary to respond and defend against this attack. Better yet, invest in an EDR that automates identifying assets and vulnerabilities across your environment — and then fixing them quickly at scale.

A breached endpoint isn’t usually an attacker’s endgame. It only serves as the gateway to your network and servers. Servers are the Holy Grail for attackers and once they have access, they can run processes that stop security solutions like AV and NGAV from operating. They use scan processes to determine which AV is active and then implement a process that automatically stops it every time it tries to block activity.

Create a whitelist of approved processes to protect your servers. This security approach remains effective and shouldn’t be overlooked. Whitelisting user endpoints can also be done, but comes with a much heavier workload and usually results in end-user satisfaction issues.

There are many potential points of entry for an attacker to use to infiltrate your organization and none should be overlooked. But make your endpoints a priority. Endpoint access is low-hanging fruit for attackers and an unprotected endpoint is the equivalent of leaving your front door wide open. Afterall, other security measures become pointless once an attacker has reached your server.

Close and bolt the endpoint front door by pairing a strong NGAV with an EDR solution. This will improve your IT hygiene and establish a process of continuous discover and management of assets, risks and vulnerabilities across your environment. The alignment of these solutions also helps to unify your teams around a single, actionable source of truth for a cooperative approach to security.