Contributed by Chris Roberts, Chief Security Architect, Acalvio Technologies
Open letter, let’s see. I like the CISO opening, it’s truthful and it’s part of the spark for this. I’ve been vocal about endpoint being the mythical silver bullet for a while. Too many companies still rely upon it as the be-all/end-all for security and they typically can’t implement it all correctly, or monitor it. More and more organizations are selling the utopia of “secure the endpoint and all will be forgiven.” This is a challenge to that thinking AND hopefully somewhat of a mindset change for people. We might as well start with the worst-case scenario and go from there, but I encourage you to read to the end as there IS hope! So, without further ado, here are my initial feelings about endpoint protection in blunt bullet points:
- A hiding to nothing?
- A waste of time and resources?
- Snake oil in a slick marketing campaign?
- All flash and no go?
It’s arguable that the endpoint has already been compromised. Devices are still one of the core points of access into most organizations; therefore, don’t bother with endpoint security, give up, go home and have a good cup of tea. That’s what I really want to say, BUT there must be some hope, some ray of light, otherwise why would we still have a vibrant and active commercial sector doing all they can to stave off what seems to be the inevitable onslaught of attacks launched at the very systems we strive to protect?
So, let’s take a step back and look at what is working, what’s not, and what we can do for the future. After all, there is little we can do to secure the actual user who still, after 25 years of InfoSec, wants to click on anything that comes into vision or is happy to jot down their passwords on post-it notes and leave them all over the office like confetti.
As an attacker, my goal is quite simple: get you or your computer to do something against your/its will, against (hopefully) company policy and against your best interest. To do this I need to facilitate a behavior change or get lucky and hit the systems that are not patched or protected (too often this is the case, but for this exercise we’ll take the utopian view that you have ALL your protection active).
Now, before we go on, let’s take a quick look at what you and your endpoint have to have to be protected in today’s world:
- Antimalware or whatever that’s called these days
- Heuristic detection capabilities
- HIDS (Host Intrusion Detection)
- Network behavior analytics
- UBA (User Behavior Analytics)
- OS patches
- Application patches
- Web browser patches
- Web browser fully protected too, meaning no Flash, popups, redirects, Java, etc. Basically plain, vanilla text, and nothing else!
- Web browser outbound analysis, DNS validation, and ensuring you ARE going to the right cloud
- Application containerization
- Email filtering
- Email anti-malware, anti-anything-useful removal of all attachments enabled
- NOT admin on your local machine
- You, yes, you the squishy bag of flesh – you’d better have done your regular (monthly?) security training and know NOT to click sh*t, open attachments, give out your passwords, or anything else.
So, a nice tidy list, easy to implement AND keep up-to-date daily (hourly would be preferable, but we don’t want to completely saturate the network with updates).
And we didn’t even get to the good stuff – the technology that is starting to make a difference, like the intelligent systems that are now being deployed within enterprises to facilitate the deceptive technologies, the preventative and proactive systems that monitor and watch traffic, logs, systems for behavioral anomalies and/or the logging systems surrounding them.
So, now we have all of this in place: we have the reactive, the proactive, and the preventative systems fired up, ready to protect us – and hopefully an army of staff behind the scenes watching, monitoring, managing, and generally causing a nuisance to the business by demanding security be considered at every corner. They’ll be standing by eagerly watching all the logs ALL the time for that one time the bad guy tries to get lucky.
Hopefully this sounds familiar to you all. Hopefully this situation is how you are operating, how you are protecting your users – you have not only their work systems wrapped up in an InfoSec condom but also all their portable devices, their phones, watches, wearables, home systems, kids’ systems, doorbells, Nests, and anything else that might somehow break into them to get to you. After all, you are the CISO and you have your hands firmly around all of this – right?
Ok, now reality has set in, you’ve grabbed yourself a good glass of something Scottish and peaty, and realized that this task is something more than slamming another product into the stack. It’s more than relying upon the latest vendor presentation and, if you have your wits about you, it’s going to have a positive impact on that maturity model the last penetration test helped put together, so you can finally track changes and risks and report up to the board how you are being successful. You have looked at the statistics and realized that endpoint protection can be a useful tool in the defense-in-depth model as long as it’s implemented with other controls and procedures. Let’s take a look at some of those:
- Users will still click sh*t even with protection in place. Protection does its best to mitigate, therefore, let’s train the users more effectively and combine some user grey matter with whatever brand of machine learning employed by the endpoint.
- Users will be users – some won’t listen and will do their best to avoid the protections we put in place. Therefore, both evaluate what is necessary and required against a good risk model to ensure both the business and users can actually be productive and you can protect all the necessary assets. On top of this add in a set of tasks to ensure exceptions are handled correctly and documented accordingly and when the user doesn’t listen for the third time, you have disciplinary processes in place to deal with them accordingly.
- Not all endpoint users are to be treated equally. Therefore, remove everyone’s ability to administer their own systems and provide the required support structure and policies to deal with the special snowflakes that need and can justify the elevated privileges.
- Endpoint can’t work effectively in a vacuum. Therefore, support it with a well-architected log management system that is also bolstered by more proactive, predictive, and preventative measures. Look beyond the traditional IDS/IPS stack towards the deceptive and other technologies that exist to complement the endpoints and other security systems. Choose wisely and don’t be fooled by the thousands of vendors that claim they can solve all your problems.
- Be aware that the attackers focused on your environment already have the upper hand; they have the time and resources to research not only you and your enterprise but also your people and technologies. The less you put out there about what is protecting you, the less you let your vendors and partners talk about how they’ve protected you in a public forum, the better chance you have of slowing them down. You won’t stop them, but you will buy yourself valuable time. Combine this with internal training focused on data, intelligence gathering, and other social engineering tactics that the users can recognize both in the work environment and at home, and you’ll have added another layer to what is traditionally the weakest link – us, the humans, the employees, the people at the keyboards.
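Two of the bullets above (no local admin for anyone without a justified, documented exception; exceptions tracked and enforced rather than assumed) only hold up if somebody periodically checks them. The script below is an added example, not code from the article or from Acalvio: it audits a Windows machine’s local Administrators group against an exception register and reports, or optionally removes, anything not on it. It assumes Windows PowerShell 5.1 or later with the built-in `Get-LocalGroupMember`/`Remove-LocalGroupMember` cmdlets; the register path `C:\SecOps\local-admin-exceptions.txt` and its one-principal-per-line format are hypothetical conventions chosen for the example.

```powershell
# Added example (not the article's own code): verify "NOT admin on your local
# machine" against a documented exception register. Report-only by default;
# pass -Remediate to actually strip unapproved members.
param(
    # Hypothetical location of the exception register: one "DOMAIN\user" or
    # "DOMAIN\group" per line, '#' lines are comments. Justification and
    # review date live with the register, not on the endpoint.
    [string]$ExceptionFile = 'C:\SecOps\local-admin-exceptions.txt',
    [switch]$Remediate
)

# The built-in local Administrator is always expected; everything else must be
# named in the register (for domain-joined hosts that normally includes
# "DOMAIN\Domain Admins", so put it in the file rather than hard-coding it).
$approved = @("$env:COMPUTERNAME\Administrator")
if (Test-Path $ExceptionFile) {
    $approved += Get-Content $ExceptionFile |
        Where-Object { $_ -and -not $_.Trim().StartsWith('#') } |
        ForEach-Object { $_.Trim() }
}

# Current membership of the local Administrators group. Each object carries
# Name ("HOST\user" or "DOMAIN\user"), ObjectClass (User/Group) and
# PrincipalSource (Local/ActiveDirectory/MicrosoftAccount).
$members    = Get-LocalGroupMember -Group 'Administrators'
$unapproved = $members | Where-Object { $approved -notcontains $_.Name }

foreach ($m in $unapproved) {
    # One key=value line per finding so the log management system the
    # article asks for can ingest it without extra parsing.
    Write-Output ("UNAPPROVED_LOCAL_ADMIN host={0} member={1} class={2} source={3}" -f $env:COMPUTERNAME, $m.Name, $m.ObjectClass, $m.PrincipalSource)
    if ($Remediate) {
        Remove-LocalGroupMember -Group 'Administrators' -Member $m.Name
        Write-Output ("REMOVED_LOCAL_ADMIN host={0} member={1}" -f $env:COMPUTERNAME, $m.Name)
    }
}

if (-not $unapproved) {
    Write-Output ("OK host={0} local admins match the exception register ({1} approved entries)" -f $env:COMPUTERNAME, $approved.Count)
}
```

Run it from a scheduled task or your endpoint management tool in report-only mode first and feed the output to the SIEM; a user who keeps reappearing in the findings is exactly the "doesn’t listen for the third time" case the bullets describe, and the register gives you the documented exception trail to act on. Only switch on `-Remediate` once the register is complete, otherwise the first run will evict the help desk.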
Revisiting those opening statements, let’s add a little more context:
- A hiding to nothing?
- Relying on basic antivirus and some basic web browsing heuristics is not going to protect you. If you are going to look at endpoint, then you need to focus on it, work through what you need for your enterprise, and approach it as carefully as you would a major overhaul of an ERP or other enterprise level system. It’s complex and requires both technical and human resources to be completely effective. Treat it with the necessary respect and you will have built yourself another effective layer of defense – treat it as a quick software purchase and you will find yourself living a lie, believing you are protected when you are not.
- A waste of time and resources?
- No, but as with any product that is going to be integrated into an environment, careful planning and implementation will be key. Simply buying the software or solution and not also getting the professional services and training for your teams or ensuring adequate coverage for the solution is going to end in failure and another product gathering dust on the shelf of useless ideas and wasted money.
- Snake oil in a well wrapped marketing campaign?
- Yes, there are a number of vendors who wrap their solution in artificial intelligence, threat analytics, and other verbiage designed to entice and blind you to the simple fact that they’ve spent more on the marketing than the actual product. Some of these vendors are well known names, so do your due diligence, trust the team you employ to dissect the entire thing, and involve the end users in the selection process. Worst case call me – I’ll help!
- All flash and no go?
- When they’ve spent more developing the GUI than the engine behind the tools, when the CLI has more horsepower than the flashy graphics, and the executive report has more colors to choose from than the latest car brochure, back away slowly and look for a vendor that allows you to talk with the geeks, where they are proud of what they have built, and they are willing to go geek-to-geek with your team at any point. Choose someone who actually is willing to work with you and not simply integrate you into this quarter’s sales numbers.
Hopefully this has been helpful, insightful, and a little provocative. As a researcher and security architect, I’m in a unique position to be able to assess what’s out there, break it, and implement it. In my experience, there ARE good tools out there; the challenge sometimes is looking through the FUD to see the diamonds (sometimes still in the rough).
Good luck and thanks for reading to the end.
The opinions expressed within this article are the personal opinions of the author. The facts and opinions appearing in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.