The continuous growth of ransomware, increasing number of exploits and lack of shared intelligence among disparate security products has resulted in a slower, less effective endpoint threat response for organisations that is acceptable. For example recent studies show that about 30 percent of known breaches involve malware being installed on endpoints.
An effective Cyber Security strategy should therefore include Endpoint Security as it is one of the most critical components for network security.
In this article, our experts sum up some of the best practices regarding Endpoint Security.
Endpoint devices: The backdoor to your most valuable data
Increasingly endpoint devices are becoming the main facilitator in the current Cyber threat landscape as often internal networks are not directly reachable from the internet anymore. These internal networks are usually protected by Next-Generation Firewall Protection, while publically available data does not reside on in-house company servers but is being accessed “in the cloud” via Content Delivery Networks (CDN’s).
To gain access to the company's valuable data, hackers increasingly need to have near-physical access. Thus an unsecured endpoint device is like an open backdoor to them, providing access to valuable and sensitive data within current network topologies.
Whilst company devices can be physically attached to the same network as where the asset and data reside, such an unsecured endpoint might also provide access to that data. If your current security measures are insufficient an endpoint will serve just fine for a hacker when trying to access the organisation’s valuable data, whilst the employee remains unaware of any malicious behaviour involving their endpoint.
Best practices for Endpoint Security
The best practices mentioned below give more insights and ideas to those looking for the best endpoint security solutions, fitting their current strategy (and budget).
1. Enforcing least privilege access of users on the end point device(s)
When an endpoint is accessed by the common user with “administrator level credentials”, installing malware can be done without any form of security control. Needless to say you have to make sure a user can perform all tasks needed for the role and function, but you will also have to enforce least privilege access rights. For most users, for example, having the right to install software is not a necessity, although users often perceive it as such! At most it is not a permanent requirement nor does it have to be provided in a non-centralised fashion.
When elevated rights are needed, make sure the user is required to go through Multi Factor Authentication in the process. Have the events of elevated rights logged and look through the reports of the logging promptly and periodically. This helps you to continually monitor and improve existing processes governing administration rights to ensure their accuracy and applicability.
2. Performing continuous (and timely) endpoint scans with a “Next-Generation Endpoint Security solution”
As cyber criminal advance in their knowledge and determination so we have seen malware evolve from being “just a virus” to becoming software-less, dormant & waiting. Such malware is therefore often not detected by the signature based anti-virus tools that exist today.
Having a NextGen EndPoint Security solution that protects from these types of malicious tactics is essential. But even with “the latest and greatest” or “best” Endpoint Security solution installed, the intrinsic configurational parameters of the solution are just as important as the deployment itself.
Make sure common abused file locations like the user profile folder, “temp” folders, the registry, registered files and the Windows folder are actively scanned or monitored. Configure daily memory on-demand scans or continuous monitoring of memory, for rootkits and running processes. Perform a full on-demand scan on any asset with a detection from these scans.
Have the solution scan upon insertion of media in local drives, if USB/peripheral media access is allowed at all for that specific device or user. If available, use a “scan cache”; the solution may maintain a cache of previously scanned files persevere even after rebooting the computer. This option improves performance by keeping track of “clean files” which will not be scanned again.
And not to forget, be sure to have an external intelligence feed available for the solution; many Cyber Security vendors are exchanging software verdicts & so called Indicators of Compromise (“IOCs”), establishing a higher security posture for organisation who deploy multi-vendor solutions.
3. Enforce System hardening
Many operating systems include a system firewall, but in most cases the applied configuration is minimal and results in diminishing the potential of these “free” security solutions. Consider the settings for internet access, access towards other internal networks and even the local subnet per system; if central management is used to update the operating system patches and the Endpoint Security solution. If traffic from an asset towards systems on the same subnet or towards other network segments is defined, all other listening UDP or TCP ports can be closed. After limiting the amount of applications that can be launched and that can communicate, this will greatly reduce the probability of malware being spread within the subnet or other network segments.
4. Enforce application control
Reducing the ability of end users (and hence hackers) to instigate application installation, execution or communication can greatly increase the security posture. As installation is already restricted (see enforcing least privilege access as mentioned above), application execution might be allowed.
Some Next-Generation Endpoint Security solutions provide the “whitelisting” of executable files. The parameters of either allowing or declining the execution can be based on a verdict of the application by either the solution vendor or the business’ IT department.
Basic application security deployments require a “learning period” in which the application activity on many endpoints is monitored. Based on its initial findings, a granular security posture is then implemented.
At the end of this monitoring period (during which you will have fine tuned what applications are allowed), a final setting regarding “unseen applications” should be enforced to block the execution of those files. Even when some applications are allowed to be executed, a current standard of network security should include a Next-Generation Firewall, which is able to block communications between network segments for specific applications. Again, when allowed applications are granted access (on the UDP or TCP ports as required), a last rule to block other communications will additionally safeguard the segment.
Make use of disk encryption where available
When every hard drive on every system at your office has data at rest encryption enabled, your security posture is stronger. A stolen laptop is no longer an existential security threat. The data simply won’t be accessible to the thief without another vector of attack (e.g. stolen credentials). And also enable encryption on all peripheral media like flash/thumb-drives, these are even more prone to accidental loss and thus data leakage.
This is IT at its best: containing a broad, physical threat with a systematic, IT-based solution.
Ideally the decryption restore key(s) are kept in a non-digital format, enclosed in a secure cabinet or safe at a restricted off-site area.
Make use of back-up facilities (for limited folders/files)
Enterprises are at an increasing risk of data loss due to the growing amount of company data stored on endpoints. Think of all the laptops, smartphones, tablets and other devices in use that reside on the edge of your network. Employees create and access company data on tablets, laptops and phones from anywhere at any time. Most of them don’t intentionally expose corporate data to risk; they’re just doing what it takes to get their work done. So it’s up to enterprise IT to make sure data on devices is protected. Once that data has been backed up, your company can more easily take on initiatives around e-discovery, legal hold, disaster recovery and data migration. Endpoint backup is therefore the foundation for a comprehensive data governance strategy.
5. Deploy a SIEM solution
As many Endpoint devices are not limited to the business premise, it is essential to have a centralised logging solution that receives all the Endpoint logging data of a user, operating system and (security) application events. However, unless you are required to hold these logs for compliance reason then simply collecting these logs is meaningless unless you’re processing the logs into meaningful and actionable events.
During normal operations and even with reduced event logging, an endpoint already generates a lot of logging. As most businesses have many endpoint devices, the deployment of a SIEM solution is seen as a best practice; a SIEM solution is not only receiving events from various sources, but it should also be capable of addressing the relevance of events, perform event/data correlation & utilising a ruleset to ultimately discriminate between “just an event” and a “possible incident”.
It would be even better to have a solution in place which is highly precise in determining the probability of an event being an incident or the onset of a security breach. Based on the involved risk and impact of asset compromise, some solutions even provide notification services or execute the most likely actions needed for incident containment or remediation. SIEM solutions are no longer a novelty. They have become a standard security control. All features and functionality specifications, alongside the pricing and pricing model, should be carefully examined to determine if they can offer what you need, as many SIEM solutions differ among the many endpoint security vendors out there.
The above is just a mere selection of effective endpoint security practises. Other important elements to achieve the best endpoint security solution for you business are to add regular data erasure for example, as well as keeping Operating Systems up to date, disabling unused ports, Third-Party patching and conducting Cyber Security Awareness campaigns. Companies should ensure that the endpoint security solutions can meet the security, manageability, and flexibility requirements to avoid limited or unmanageable solutions.
29 August 2019