Endpoints (and their users) are at the frontline of data defence
Workers across the enterprise today use a variety of devices (endpoints) both inside and outside internally-controlled networks. In computing circles, so-called “carbon errors” (mistakes made by human beings) form a major part of day-to-day and strategic headaches.
From an IT security point of view, loss of control of data (such as when a laptop leaves the LAN) is always a potentially more dangerous situation. But workers’ needs, working methods and daily activities are what drive a business and, at the end of the day, make profits for the organization.
IT departments therefore have to accept that endpoint security is a necessity, on a par with firewalling, packet filtering, intrusion detection and the like, as part of an overall security arsenal.
Traditional endpoint security systems work by comparing anomalous activity with databases of known exploits. When there is a match, a flag is raised and, hopefully, measures can be put in place to prevent further damage.
To this facility, some suppliers of endpoint security software and hardware add a level of machine learning (ML), so that established patterns of code and behavior associated with malicious activity can be used to extrapolate possible new attack variations. Such solutions may therefore raise flags proactively where a purely iterative, signature-comparison method would miss them.
It is of course in cyber criminals’ interests to find new exploits that are undocumented and, ideally, approach their target from a new angle, one that will not trigger defenses. Such exploits are either used by their developers personally or, more likely, sold to the highest bidder (often a broker). Sometimes the exploit is released across a wider community to cause PR damage to the hardware or software vendor.
Most data breaches work on a three-stage process:
- Exploit. After a doorway is found into an application (the more widely used the app, the better), code and distribution methods are devised to take advantage of it.
- Payload delivery. Once access is gained to the host computer, a payload is delivered into the system to serve the attacker’s ends, which often means handing control of the machine to the perpetrator.
- Action. This will take the form of one or more of the following, or their variants: data corruption, prevention of access to data, or data collection and export, known as exfiltration.
The key to successful endpoint protection is therefore the combination of attack-database cross-correlation, intelligent pattern detection derived from known techniques (sometimes using ML/artificial intelligence), and the gathering of real-time activity data from across a large network of security systems.
The larger the network of systems available to gather data, of course, the better the probability that new, unknown exploits can be detected. Tech Wire Asia would therefore tend to recommend larger providers (see below), for two reasons:
- The ability of larger security organizations to employ and pay the highest caliber of minds among their technical staff
- The larger organizations can collate the data from many clients for an individual client’s use.
Additionally, good endpoint protection suppliers should produce solutions which:
- Effectively eliminate any further spread of malicious code from a single point
- Provide analysis of the exploit, in order that similar threats can be mitigated across the provider’s network of clients (and thence to the rest of the security community, in turn).
It is also useful to be able to determine what actions were being taken on the endpoint that led up to the exploit taking root (literally). With that knowledge, usually derived from usage logs, a client organization can feed back to all its staff to inform procedure and training and so prevent future issues.
Common “carbon errors” are always being found and, in turn, exploited. To a seasoned IT professional, the risks of joining suspect open Wi-Fi networks, opening attachments, running macros and so forth may seem obvious and eminently avoidable. But for many endpoint users, lack of knowledge, naivety, time constraints and trusting natures (remember those?) can create a situation that can (and does) bring down entire infrastructures.
Total protection against zero-day events cannot be guaranteed, but by choosing carefully, organizations can mitigate intelligently and protect their endpoints and their users, who, after all, are essential parts of the enterprise’s function.
Here are four providers of endpoint protection solutions that you may wish to consider:
Symantec is about as much of a household name as a data security company can be, with its products installed on many of the world’s home computers.
The company is based in California, USA, is a Fortune 500 company and is the most widely used certification authority worldwide.
Its endpoint security systems are part of a range of security options that cover most areas of computing and tech in the enterprise. Its solutions protect PCs, Macs, Linux distros of most common flavors, VMs and even embedded OSes.
The specific tech used in the endpoint security offering comprises a number of strings to the security bow.
There is a degree of machine learning (ML) code built into each lightweight install, and this is extended by an isolated runtime application environment, so suspect files can be inspected to see whether they behave suspiciously on a virtual “install”, for example by releasing a malware payload.
Symantec’s intelligence network is described by the company as “the world’s largest civilian threat […] network” and comprises 175m endpoints in 157 countries.
The company is aware that across a large enterprise, bandwidth chatter is best minimized, so not only is the endpoint client lightweight, but data traffic for upkeep/updates etc. is kept minimal by, for instance, distribution of only the latest threat information. This is said to reduce the size of signature files by up to 70%.
FireEye’s endpoint security offerings are extensions of its overall data security portfolio. They are available as a physical hardware installation or a hosted service, and the company also offers a full, bespoke service to clients who take all aspects of their data security very seriously.
Being a large provider, one of FireEye’s USPs is the extent of its existing network, which straddles the world: 5,800 customers across 67 countries, including more than 40 percent of the Forbes Global 2000.
If a FireEye product detects an attack, it is negated at its source and the rest of the client’s network’s endpoints are updated, regardless of their data connection type.
FireEye’s endpoint protection system’s power stems from the sum of its various parts.
The Triage and Audit Viewers, for instance, are the first line of defense and are capable of inspecting for and analyzing potential threats by looking for key indicators that there is anomalous activity.
Enterprise-wide search, having identified an issue, alerts systems administrators, who can either act manually or let automated systems come into action.
The company’s sizeable user base leads directly to one of its key positives, which is the effective development of a wide-ranging source of data that identifies problems across the world as they occur. This private data, owned by FireEye, is used first by the company’s clients and in turn by the rest of the data security community.
In addition to offering specific endpoint security for Windows, Mac and Linux nodes, ESET also claims to be able to protect the increasing number of Android and iOS devices used in today’s organizations.
Employing built-in remote management and encryption facilities, ESET’s endpoint security offerings make specific mention of protection from botnets, the latest malware, rootkits, worms and exploit distribution methods.
There is also a degree of user protection in place, including two-way firewalling, hardware lockdown that can prevent certain types of user activity, and anti-phishing facilities.
Solutions are tailored for business or domestic use, and there is a host of pricing options depending on the scale and scope of proposed deployments.
Virtual machine deployments can take advantage of ESET’s Shared Local Cache which, when combined with an accompanying security product from the company, gives the same tools and facilities gained in a “real world” environment but with a much-reduced time to scan. The Shared Local Cache compares files’ metadata against that of previously scanned files and skips whitelisted files. New files found to be safe are added to the whitelist, so the cumulative effect benefits the entire virtual environment.
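The Shared Local Cache mechanism described above, as an added illustration in hypothetical code that is not ESET’s: a whitelist keyed on a file fingerprint and shared by several VMs, which skips files already found clean, caches only clean verdicts, and rescans a file that has been rewritten in place. Keying on size plus SHA-256 rather than mutable metadata such as a timestamp is an assumption on my part, made so that a tampered file cannot ride on an old verdict.

```python
import hashlib
import os
import tempfile
from typing import Callable, Tuple

# Hypothetical implementation, not ESET's code. The page says the cache keys on
# file metadata; this version keys on (size, sha256) so a file rewritten in place
# with the same name and size is never skipped on the strength of an old verdict.
def fingerprint(path: str) -> Tuple[int, str]:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return os.path.getsize(path), h.hexdigest()

class SharedScanCache:
    """Whitelist of fingerprints already found clean, shared by every VM."""
    def __init__(self) -> None:
        self.clean = set()
        self.full_scans = 0
        self.skipped = 0

    def scan(self, path: str, scanner: Callable[[bytes], bool]) -> bool:
        """Return True if the file is clean. Only clean verdicts are cached;
        anything the scanner flags is scanned again on every sighting."""
        fp = fingerprint(path)
        if fp in self.clean:
            self.skipped += 1
            return True
        self.full_scans += 1
        with open(path, "rb") as f:
            is_clean = scanner(f.read())
        if is_clean:
            self.clean.add(fp)
        return is_clean

MARKER = b"CONSTRUCTED-MALWARE-MARKER"  # constructed marker for the toy scanner

def toy_scanner(data: bytes) -> bool:
    return MARKER not in data

def write(path: str, data: bytes) -> None:
    with open(path, "wb") as f:
        f.write(data)

def demo() -> Tuple[int, int]:
    """Three VMs share one cache; returns (full scans run, scans skipped)."""
    cache = SharedScanCache()
    with tempfile.TemporaryDirectory() as d:
        good, bad = os.path.join(d, "app.dll"), os.path.join(d, "dropper.exe")
        write(good, b"harmless bytes")
        write(bad, MARKER)
        for _vm in range(3):  # constructed: identical images on three VMs
            cache.scan(good, toy_scanner)
            cache.scan(bad, toy_scanner)
        write(good, b"rewritten bytes")  # edited in place: must be rescanned
        cache.scan(good, toy_scanner)
    return cache.full_scans, cache.skipped
```

Of the seven scan requests in the demo, only two are served from the cache: the first sighting of each file, every sighting of the flagged file, and the rewritten file all trigger a full scan.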
Interested users for the enterprise can request a specific “business trial” and there are web demos to view and enough data sheets to satisfy the most stringent of Compliance Officers.
A survey carried out on behalf of McAfee states that, on average, organizations monitor ten different security provisions and move between five interfaces in order to achieve rounded protection.
The company’s emphasis is therefore on integrating all aspects of security and giving IT departments a single point of reference to administer. Part of this overall structure is endpoint security.
As part of an adapting security framework, McAfee offers an automated system that is active across a range of system architectures, including both fixed and mobile assets.
When threats are countered, it is often incumbent on systems administrators and security specialists to track down and neutralize all ensuing infections, which may not be immediately obvious. This might require the use of a forensics specialist, but McAfee’s offering purports to be able to automate the process.
Ideal threat intelligence strategies combine external sources such as cloud ML and databases with intelligence gathered from the enterprise’s own environment. It is essential that platforms share intelligence across multiple layers of defenses in real time. In practice, this means firewalls need to talk to AV, anti-malware systems need to talk to phishing definitions, in-house systems need updating from centrally-administered clouds, and so forth. By minimizing required manual interventions, McAfee customers save time and security worries.
*Some of the companies featured in this article are commercial partners of Tech Wire Asia