Endpoint Security – CompTIA Security+ SY0-701 – 4.5

The endpoint is one of the best vectors for an attacker. In this video, you’ll learn about posture assessments, health checks, EDR (Endpoint Detection and Response), and more.


The endpoint is the device used by the user. This might be a desktop, a laptop, or any type of mobile device. Applications running on this device can be exploited by an attacker to gain access to the user’s data or other sensitive information. To be able to identify any of this malicious software, we need to not only monitor information that is inbound but also information that may be going outbound.

There are many different platforms to monitor. We have systems on our desk. We have mobile phones that we’re carrying around, tablets that we use throughout the day, and all of these devices may be susceptible to an attack. For that reason, we need more than just one single type of protection. We need to have a layered approach. And defense in depth means that we’re going to have different types of security solutions on all of these different platforms.

The first place to look at security in most organizations is at the edge. The edge is the part of the network where the inside of the network meets the outside or internet side of the network. And usually, we protect the edge through the use of a firewall that will monitor all traffic going from the inside to the outside and vice versa. This is usually managed through a number of security rules that are on the firewall itself, and those rules tend to be very static.

Access control describes the ability to limit a device’s access to a certain type of data. This might be a user who’s on the outside trying to get access to inside data or vice versa. We can usually create access control rules that list a number of different parameters. For example, we can limit access based on the user name or the group that the user may belong to.

We can also create rules based on where this user happens to be or where the data happens to reside. And we can also control which applications may be used to access that data. Access control lists can be modified or even removed at any time. This means the security administrator can modify what type of access is available, depending on the current security posture.

When you have employees that are using so many different devices, there could be different configurations on every single one of these systems. For that reason, we need to constantly perform checks to make sure that each system is up to date with the latest security technologies. We refer to this check as a posture assessment. This is a process that’s usually done on all devices: desktops, laptops, mobile devices, and anything else. We’re looking for any part of the device that may not be up to the latest standards of security.

We need to make sure that antivirus is installed and running. We need to make sure that the applications that are in use have been updated to their latest versions. But if these devices are not up to date with the latest security technologies, then we need to limit their access to our production network. A good time to perform a posture assessment is when a device first connects to the network or logs into the network remotely.

From there, we should check different parameters on that device. For example, is the device a trusted device? Many organizations will put a company certificate on that device, and that identifies the device as being one that’s trusted by the organization. We then can look at security utilities like antivirus. Is antivirus installed, and is it running, and is it updated with the latest set of signatures? Does this device have all of the corporate applications installed, and are all of those applications up to date with the latest versions?

We may also want to look at the storage on this device; if it is a remote device, we want to be sure that it’s providing full disk encryption. This type of check is not specific to one operating system or a specific application. It applies to any device running any operating system that might connect to our network.

We can run these posture assessments in a number of different ways. We might have an agent that we have installed permanently onto these devices. We refer to these as persistent agents. This agent can run at any time, not just during the login process, and it can monitor any file and any application running on that system. Since this is software that’s running on that particular platform, we always have to make sure that it’s updated to the latest versions and that we’re providing the latest signatures.

Another type of agent is called a dissolvable agent. That means there’s no formal installation required to get this software to run, and it’s usually something that executes during a login process or a connection process. Once this agent performs its checks, it terminates itself and removes itself completely from that system.

Another type of security control is an agentless Network Access Control, or NAC. This type of control is integrated with Active Directory and only runs when you log in or log out of the Active Directory database. Since this is integrated with the database, it doesn’t have a local agent, so there’s nothing that can be scheduled. Since there’s no agent installed onto a device, this can only operate when there’s access to that Active Directory database, such as during the login and logoff process.

As a security administrator, you will be the one to determine what happens if a device does not pass the posture assessment. You have a lot of different options when that occurs. You might decide to quarantine the system, put it on its own VLAN, and provide them with instructions on how they can bring this system back into compliance. Once the user makes those changes, they can then perform the posture assessment again. And if everything passes, they can continue with the login process.
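The posture checks and the quarantine decision described above, written out as a small policy evaluator. This is an added example, not code from the video or from any NAC product; the device report fields, required application versions, signature-age limit and VLAN numbers are all constructed sample values.

```python
from datetime import date

REQUIRED_APP_VERSIONS = {"vpn-client": "5.2", "browser": "120"}  # hypothetical corporate baseline
MAX_SIGNATURE_AGE_DAYS, QUARANTINE_VLAN, PRODUCTION_VLAN = 3, 999, 10  # hypothetical values

def _ver(v):
    return tuple(int(p) for p in v.split("."))

def run_posture_checks(report, today):
    """Return (check_name, remediation) for every check the device fails."""
    failures = []
    if not report.get("company_cert_present"):
        failures.append(("trusted-device", "Enroll the device to receive the company certificate"))
    av = report.get("antivirus", {})
    if not av.get("installed"):
        failures.append(("antivirus-installed", "Install the corporate antivirus package"))
    elif not av.get("running"):
        failures.append(("antivirus-running", "Start the antivirus service"))
    elif (today - av["signature_date"]).days > MAX_SIGNATURE_AGE_DAYS:
        failures.append(("antivirus-signatures", "Update antivirus signatures"))
    installed = report.get("apps", {})
    for app, required in REQUIRED_APP_VERSIONS.items():
        if app not in installed:
            failures.append((f"app-{app}-missing", f"Install {app}"))
        elif _ver(installed[app]) < _ver(required):
            failures.append((f"app-{app}-outdated", f"Update {app} to {required} or later"))
    # Full disk encryption is only required of devices that connect remotely
    if report.get("remote") and not report.get("full_disk_encryption"):
        failures.append(("disk-encryption", "Enable full disk encryption"))
    return failures

def admission_decision(report, today):
    """Admit a compliant device; otherwise quarantine it with fix-up instructions."""
    failures = run_posture_checks(report, today)
    if not failures:
        return {"action": "allow", "vlan": PRODUCTION_VLAN, "instructions": []}
    return {"action": "quarantine", "vlan": QUARANTINE_VLAN,
            "instructions": [fix for _, fix in failures]}

# Constructed samples: a compliant office desktop; a remote laptop with stale signatures, an old VPN client and no FDE
SAMPLE_REPORTS = {
    "desktop": {"company_cert_present": True, "remote": False, "apps": {"vpn-client": "5.2", "browser": "120"},
                "antivirus": {"installed": True, "running": True, "signature_date": date(2024, 1, 9)}},
    "laptop": {"company_cert_present": True, "remote": True, "full_disk_encryption": False,
               "apps": {"vpn-client": "5.1", "browser": "121"},
               "antivirus": {"installed": True, "running": True, "signature_date": date(2024, 1, 1)}},
}

def decide_sample(name, today=date(2024, 1, 10)):
    return admission_decision(SAMPLE_REPORTS[name], today)
```

Once the user applies the returned instructions, the device reports again and `admission_decision` is simply re-run, which is the re-assessment step the text describes.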

It’s estimated that there are over a million different virus variants being created every day. This means that our antivirus software has to constantly be updated, and we have to be sure that it’s able to scale with these very large numbers of viruses. Given this large number of virus variants and the different ways that attackers are using to get into our systems, we need a more modern way to monitor these endpoints.

One of those ways is through EDR, which stands for Endpoint Detection and Response. EDR is designed to take the idea of signatures and extend its visibility into things like behavioral analysis or machine learning, be able to monitor processes running on the system, and correlate all of these together to determine if a threat might exist. This usually runs as an agent on the endpoint, very similar to an antivirus or anti-malware agent.

EDR takes this one step further than antivirus or anti-malware by providing root-cause analysis. We are able to determine why that virus got onto that system and then work backward to find a way to remove the virus and then prevent it from infecting any other systems. The response to anything that may be found as suspicious can be completely automated.

So if a virus or malware is suddenly discovered on a system, it can be automatically isolated. That particular malware can be quarantined. And we can have the entire system rolled back to a known-good configuration. All of this happens automatically. There’s no user intervention required. And that system can be back up and running and that user working relatively quickly.

We can also build a more intelligent EDR by creating an Extended Detection and Response. We refer to this as XDR. XDR provides additional intelligence and provides a larger scope of data input to discover any malicious software. This means that we can catch detections that might have previously been missed. And anything that may have come up as a false positive might now be properly categorized. And the long investigation times that would previously exist with different systems are now sped up through automation using XDR.

Whenever there’s a virus infection or an attack on a network, it often involves more than one system. So instead of having a single agent that only knows what’s happening on a single device, XDR can interpret data from many different systems simultaneously. Add another data source relating to the type of network traffic running over the network, and you’re now able to correlate information across multiple systems and very diverse data types. This provides a much more efficient process for identifying, investigating, and removing the malicious code.

The key to XDR is being able to monitor a large amount of data and correlate that data together. One data source that’s used for XDR is user-behavior analytics. This interprets user activity to build a baseline. XDR knows what users would commonly be on this network, what devices these users would connect to, the type of network traffic that would commonly be transferred, and the data repositories that are accessed by these users.

If we look at all of these data points and have an understanding of what normal activity might be, we can easily find when abnormal events occur. This definition of unusual, of course, can change over time. But it usually is referencing a set of rules that are configured in the XDR software. Maybe it’s performing some type of pattern-matching to a known vulnerability, or maybe it’s based on statistical analysis and making a best guess as to what type of traffic there might be on the network. The goal is to simplify the process of finding the malicious code and then stopping it in real time before it becomes a much larger problem.
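The user-behavior baseline and the "unusual event" test from the last two paragraphs, reduced to a runnable toy. This is an added example and not code from the video or from any XDR product; the event fields (user, device, repository, bytes transferred), the history and the z-score threshold are all constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed history of normal activity: (user, device, repository, bytes_transferred)
HISTORY = [
    ("alice", "lt-alice", "hr-share", 1200), ("alice", "lt-alice", "hr-share", 900),
    ("alice", "lt-alice", "hr-share", 1500), ("alice", "lt-alice", "hr-share", 1100),
    ("bob", "ws-bob", "eng-git", 52000), ("bob", "ws-bob", "eng-git", 48000),
    ("bob", "ws-bob", "build-share", 61000), ("bob", "ws-bob", "eng-git", 55000),
]

def build_baseline(events):
    """Per user: devices seen, repositories accessed, and the sizes of past transfers."""
    baseline = defaultdict(lambda: {"devices": set(), "repos": set(), "bytes": []})
    for user, device, repo, nbytes in events:
        baseline[user]["devices"].add(device)
        baseline[user]["repos"].add(repo)
        baseline[user]["bytes"].append(nbytes)
    return baseline

def score_event(baseline, event, z_limit=3.0):
    """Return the reasons an event deviates from its user's baseline ([] if none)."""
    user, device, repo, nbytes = event
    if user not in baseline:
        return ["unknown user"]  # no history at all, so nothing is 'normal' for this user
    b, reasons = baseline[user], []
    if device not in b["devices"]:
        reasons.append(f"new device {device}")
    if repo not in b["repos"]:
        reasons.append(f"new repository {repo}")
    mu, sigma = mean(b["bytes"]), pstdev(b["bytes"])
    # Statistical threshold; if the history is constant (sigma == 0) fall back to a fixed multiple
    threshold = mu + z_limit * sigma if sigma > 0 else 2 * mu
    if nbytes > threshold:
        reasons.append(f"transfer of {nbytes} bytes far above typical {mu:.0f}")
    return reasons

def find_anomalies(events, history=HISTORY):
    """Return (event, reasons) for every event that deviates from the baseline."""
    baseline = build_baseline(history)
    return [(e, r) for e in events if (r := score_event(baseline, e))]

# Constructed new activity: one routine event and two that should stand out
NEW_EVENTS = [
    ("alice", "lt-alice", "hr-share", 1000),
    ("alice", "unknown-host", "eng-git", 800),      # new device and new repository for alice
    ("bob", "ws-bob", "eng-git", 900000),           # transfer far larger than bob's history
]
```

A real XDR baseline would also key on time of day and network peers, but the shape is the same: learn what is normal per user, then score each new event against it rather than against a fixed signature.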