April 16, 2020 | By Michael Wainshtain, Technical Team Leader
Why Endpoint Security is Extremely Significant for Your Organization
An endpoint is primarily an end-user system or device that is connected to a network. This could be a physical or virtual computer, a Point of Sale (POS) terminal, an ATM or even an advertisement kiosk: anything that has access to the network is considered to be IN the network.
Until the last decade, threat actors predominantly breached perimeter technologies such as firewalls to get into a targeted network. Today, the threat landscape has evolved along with what we consider the perimeter to be. With the emergence of BYOD and Cloud, and the replacement of MPLS with SD-WAN technologies, threat actors have started targeting vulnerable endpoints to gain access to the enterprise network.
Since endpoints are often the last hurdle in most breaches, adversaries are cognizant of these emerging trends. Endpoint attacks have therefore become much more sophisticated, leveraging fileless techniques such as in-memory execution and AV bypasses. According to IDC, 70 percent of all breaches originated at the endpoint.
We at TSOC believe that a strong, stringent endpoint security posture reduces the overall risk of a full network compromise. To protect your corporate endpoints and the network they connect to, we have listed below the key actionable items:
1. Do: Run updated anti-virus software and patch it periodically
Why: Antivirus software is a set of programs/capabilities designed to detect, prevent and remove viruses, worms, trojans, adware and more.
2. Do: Regularly patch the OS and installed software
Why: A patch is a set of changes/updates to a computer program or its supporting data, designed to update, fix or improve the program. It is recommended to always keep software up to date. As a single software vulnerability can allow threat actors to own an entire infrastructure, patch management is extremely crucial.
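The following is an added example, not code from TrustNet or TSOC, of the compliance check behind this item: an inventory of installed versions is compared against a minimum-version baseline and a patching SLA, and anything behind is reported with how far past the SLA it is. The product names, version strings, release dates and the 14-day SLA are constructed assumptions; the point is the version comparison, which must treat a missing trailing build component (for example "4.2" versus "4.2.0") as zero rather than as a different release.

```python
from datetime import date

# Constructed baseline: minimum acceptable version per product and the date
# that version was published (assumption; not real product data).
BASELINE = {
    "acme-browser": ("81.0.4044", date(2020, 4, 7)),
    "acme-reader": ("12.3.7", date(2020, 3, 17)),
    "acme-os": ("10.0.18000.500", date(2020, 3, 24)),
}
PATCH_SLA_DAYS = 14  # assumed policy: patches must be deployed within 14 days


def parse_version(text):
    """Turn '10.0.18000.500' into a tuple of ints for ordered comparison."""
    return tuple(int(part) for part in text.strip().split("."))


def is_current(installed, required):
    """True when installed >= required; shorter tuples are zero-padded so
    '10.0.18000' compares equal to '10.0.18000.0', not lower."""
    a, b = parse_version(installed), parse_version(required)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


def audit_host(inventory, today):
    """inventory maps product -> installed version string.
    Returns a list of (product, status) findings; compliant products are omitted."""
    findings = []
    for product, (min_version, released) in BASELINE.items():
        installed = inventory.get(product)
        if installed is None:
            findings.append((product, "not inventoried"))
            continue
        if is_current(installed, min_version):
            continue
        days_overdue = (today - released).days - PATCH_SLA_DAYS
        if days_overdue > 0:
            findings.append((product, "overdue by %d days" % days_overdue))
        else:
            findings.append((product, "behind baseline, still within SLA window"))
    return findings


# Constructed sample inventory for one host (not real data).
SAMPLE_INVENTORY = {
    "acme-browser": "81.0.4044",   # exactly at baseline: compliant
    "acme-reader": "12.3.5",       # two builds behind
    "acme-os": "10.0.18000",       # missing the .500 build component
}

if __name__ == "__main__":
    for product, status in audit_host(SAMPLE_INVENTORY, date(2020, 4, 16)):
        print(product, "->", status)
```

Run daily against a real inventory feed, the findings list is what a patch-management dashboard or ticketing integration would consume; the zero-padding rule in is_current is the part most home-grown scripts get wrong.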
3. Do: Use an advanced dynamic analysis solution (sandbox) for unknown files
Why: Until recent years, static analysis was sufficient to curb potential threats, but today it is challenging to determine the intent of an unknown file/program without running it in a simulated environment and observing what it does.
4. Do: Log everything
Why: As we have emphasized in our earlier posts about fileless attacks, these attack vectors leave few traces for the IR team, so we need to ensure that logging is enabled across the environment.
5. Do: Have adequate control of your devices (managed corporate devices)
Why: It is crucial to deploy solutions that manage and maintain control over corporate devices, to prevent misuse of assets by employees and to prevent untrusted devices from connecting to the enterprise network.
6. Do: Encrypt hard drives across all corporate assets
Why: Drive encryption is a must. If a laptop is stolen, for instance, threat actors can learn a lot about the network and the corporate environment, especially today, when bypassing a Windows password is feasible and accessing the data on an unencrypted drive is an easy victory for adversaries.
7. Do: Define a comprehensive application control policy
Why: Application control solutions help address files/programs that security vendor tools do not identify as a potential threat (or virus) but which can assist threat actors while they attack your network, for example tools such as certutil, PowerShell and WMIC.
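Items 4 and 7 come together in practice: process-creation logs are the evidence, and an application control policy is the rule set applied to them. The following is an added example, not code from TrustNet or TSOC, that evaluates constructed process-creation records against a simple policy: executables must live under allowed directories, and the three tools the post names (certutil, PowerShell, WMIC) may only be run by administrator accounts, with every administrator use of them audited. The log format, the directory allowlist, the account names and the verdict strings are all assumptions made for the example; real events would come from the endpoint's process auditing (for example the Windows security log or Sysmon) rather than from an embedded string.

```python
import re
from dataclasses import dataclass

# Constructed policy (assumptions, not a vendor's rule set).
ALLOWED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
RESTRICTED_TOOLS = {"certutil.exe", "powershell.exe", "wmic.exe"}  # named in the post
ADMIN_ACCOUNTS = {"corp\\it-admin"}


@dataclass
class ProcessEvent:
    user: str
    image: str          # full path of the executable
    command_line: str


# Simplified one-line-per-event format chosen for the example; real process
# auditing emits structured records with many more fields.
LINE_RE = re.compile(r"^User=(\S+) Image=(.+?) CommandLine=(.*)$")


def parse_events(text):
    """Parse the constructed log format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            events.append(ProcessEvent(*match.groups()))
    return events


def evaluate(event):
    """Return the policy verdict for one process-creation event."""
    image = event.image.lower()
    user = event.user.lower()
    name = image.rsplit("\\", 1)[-1]
    if not image.startswith(ALLOWED_DIRS):
        return "BLOCK: executable outside allowed directories"
    if name in RESTRICTED_TOOLS and user not in ADMIN_ACCOUNTS:
        return "BLOCK: restricted tool run by a standard user"
    if name in RESTRICTED_TOOLS:
        return "ALLOW: restricted tool run by an administrator (audit)"
    return "ALLOW"


def evaluate_log(text):
    """Return (image, verdict) pairs for every event in the log text."""
    return [(event.image, evaluate(event)) for event in parse_events(text)]


# Constructed sample log: four events on one workstation (not real data).
SAMPLE_LOG = r"""
User=CORP\jdoe Image=C:\Program Files\Microsoft Office\WINWORD.EXE CommandLine="WINWORD.EXE" /n
User=CORP\jdoe Image=C:\Users\jdoe\Downloads\invoice.exe CommandLine="invoice.exe"
User=CORP\jdoe Image=C:\Windows\System32\certutil.exe CommandLine=certutil.exe -dump
User=CORP\it-admin Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine=powershell.exe -File C:\scripts\inventory.ps1
"""

if __name__ == "__main__":
    for image, verdict in evaluate_log(SAMPLE_LOG):
        print(verdict, "<-", image)
```

The verdict is deliberately argument-agnostic: the policy decides on who ran the tool and from where, so it does not need to keep up with every way the tool's command line can be obfuscated. The "(audit)" outcome is the link back to item 4: administrator use is permitted but recorded, so the IR team has the trail even when nothing was blocked.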
8. Do: Have the capability to isolate an endpoint
Why: It is recommended that organizations have the capability to isolate an endpoint from the network. As discussed in our earlier posts, it is relatively easy to footprint an entire network and identify workflows that could compromise the entire domain of an organization. Under an active attack, tools that support isolation therefore make it possible to contain and remediate the endpoints (virtual or physical) that are under attack.
9. Do: Deploy an anti-ransomware capability
Why: Ransomware has been one of the top concerns for every CISO. It is therefore recommended to deploy a security solution that can detect potential ransomware in the environment (for example using decoys) and prevent the attack. We would also recommend testing the solution before deployment and not taking the vendor's commitments for granted.
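The decoy approach mentioned above can be illustrated in a few dozen lines. The following is an added example, not code from TrustNet, TSOC or any vendor: decoy files are planted in a directory with names that sort first and last (so a process enumerating the directory touches them early), a SHA-256 baseline is recorded, and a check routine reports any decoy that was overwritten, deleted or renamed, which is exactly the behaviour of an encryption run. The self-test at the end does what the post recommends, exercising the detection before relying on it, by simulating the overwrite-and-rename on the decoys themselves. File names, contents and the temporary directory are constructed for the example.

```python
import hashlib
import os
import tempfile

# Constructed decoy names chosen to sort before and after ordinary user files.
DECOY_NAMES = ("000_do_not_open.docx", "zzz_archive.xlsx")
DECOY_CONTENT = b"decoy document - constructed sample, contains no real data\n"


def _digest(path):
    """SHA-256 of a file, streamed so large decoys do not need to fit in memory."""
    sha = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            sha.update(chunk)
    return sha.hexdigest()


def plant_decoys(directory):
    """Create the decoy files and return the baseline {path: sha256}."""
    baseline = {}
    for name in DECOY_NAMES:
        path = os.path.join(directory, name)
        with open(path, "wb") as fh:
            fh.write(DECOY_CONTENT)
        baseline[path] = _digest(path)
    return baseline


def check_decoys(baseline):
    """Return (path, reason) for every decoy that no longer matches the baseline.
    An empty list means no decoy was touched."""
    alerts = []
    for path, expected in baseline.items():
        if not os.path.exists(path):
            alerts.append((path, "missing or renamed"))
        elif _digest(path) != expected:
            alerts.append((path, "content modified"))
    return alerts


def detect_ransomware_demo():
    """Plant decoys, confirm a clean check, then simulate what an encryption run
    does to them (overwrite one, rename the other) and return both check results."""
    with tempfile.TemporaryDirectory() as workdir:
        baseline = plant_decoys(workdir)
        clean_result = check_decoys(baseline)
        first, second = sorted(baseline)
        with open(first, "wb") as fh:
            fh.write(os.urandom(64))          # simulated encrypted content
        os.rename(second, second + ".locked")  # simulated extension change
        tampered_result = check_decoys(baseline)
    return clean_result, tampered_result


if __name__ == "__main__":
    clean, tampered = detect_ransomware_demo()
    print("before simulation:", clean or "no alerts")
    print("after simulation: ", tampered)
```

In a deployed monitor the check would run on a short interval or on file-system change notifications, and an alert would trigger the isolation capability from item 8; the point of the demo function is that the detection is verified on the real file system before the organization depends on it.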
10. Do: Run security awareness training
Why: As we have always emphasized, the weakest link in any organization is the human. Every organization must therefore run awareness and security training to educate all employees. As 91% of cyber attacks against organizations commonly start with a phishing email, employees need to be aware of what they click.
Stay Safe with TrustNet!