The battle at the endpoint - phones, tablets and mobile computers - is an endless onslaught of malware delivered from websites, bots, and pretty much any other malicious code that can be thrown at these devices. Why are the endpoints always under attack? Simple: when they are off corporate networks there are no firewalls, no IPS, none of the enterprise-grade protection that exists in a corporate environment. You and I know this; unfortunately, so do the bad guys. Understanding this helps us understand why these devices are frequently targeted by malicious individuals and organizations. It is good to think of the endpoints as the new perimeter.
Endpoints pose a unique challenge when attempting to protect our valuable data. These devices are not built to run a firewall or an intrusion detection system, or to serve as full-time security devices. Endpoint solutions are generally agent based, and it's challenging to pack as much functionality as possible into a footprint that requires minimal resources, so that the user can still actually perform business tasks.
The new industry term is “advanced threats” - these threats have two key attributes that make them stand out from traditional nuisance malware.
The attacks are targeted: the individual or company is specifically chosen by the attacker. Because the malware does not reach a multitude of users, it is not picked up by vendors and no signatures are written for it. Malware of this type, which has not been publicly distributed, is often referred to as “zero day”.
The attacks are typically multistage and driven by human interaction. You often hear these infected machines referred to as botnets, controlled by command and control (C2) servers on the outside. The code residing on the individual machine is not malicious in and of itself; however, once directives are given by the C2 servers, the infected machine begins performing tasks as directed by the attacker.
With advanced threats comes the need for advanced defenses. A strong solution has the following characteristics:
- Ability to watch all endpoint activity - we do not know in advance what is bad, so we need to watch all activity all of the time so that both known and unknown activity can be identified. The key is understanding all activity and having an automated way to detect anomalous patterns.
- Create a centralized system of record - activity on the endpoints should be recorded and retained. This gives the practitioner the ability to roll back and answer the questions that are often asked during the forensics phase: How long has it been compromised? When did that activity spread to other systems? The centralized model also reduces the impact on end user systems, which becomes a huge benefit when productivity is critical.
- Ability to customize threat detection - an advanced product should be able to look for attacks and suspicious behavior based on multiple intel sources. It should allow you to tune the system to find exactly what you are looking for. This enables the system to continue to evolve without waiting for signature updates.
- Ability to respond and neutralize attacks - at a minimum, the chosen solution needs to be able to identify and remove the threat. The standout in this area would be the ability to determine the root cause of the attack and to actually disrupt the attacker's behavior, forcing them to change their tactics.
- Apply multiple forms of prevention - IT security is really about risk management. Data center servers and even end user devices are not all equal in risk or usage. The ability to categorize these assets within your management platform helps protect the most critical devices and assign a risk rating to each of them.
- Automate and integrate the solution into your organization's operating policy - a comprehensive security program involves dozens of solutions working together in support of a common outcome.
- Leverage collective defense - threat intelligence is key to quickly identifying and categorizing threats. Security practitioners, vendors, and corporate entities are collaborating and producing vast amounts of threat intel that can be imported and used in various platforms.
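To make the "system of record" and "customizable detection" characteristics concrete, here is an added example (it is not code from the original post, nor from any vendor mentioned in it). It replays a retained log of process-start events from several hosts against an imported hash-indicator feed and against a tunable behavioral rule, then answers the two forensic questions named above: how long each host has been compromised, and in what order the activity spread. The event format, host names, hashes and timestamps are all constructed sample data, and the rule shown (an Office application spawning powershell.exe) is one assumed example of the kind of behavior an operator might tune in.

```python
"""Minimal centralized endpoint record with intel matching and dwell-time reporting.

Added example: not from the original post or from any vendor it names.
All hosts, timestamps, hashes and commands below are constructed sample data.
"""
from datetime import datetime
from typing import Callable, Dict, List, Tuple

# One process-start event as an endpoint agent might report it to a central store:
# (host, UTC timestamp, parent process, child process, hash of the child image).
Event = Tuple[str, str, str, str, str]

ENDPOINT_EVENTS: List[Event] = [  # constructed telemetry, deliberately out of order
    ("ws-07", "2016-10-21T09:30:00Z", "services.exe",   "updater.exe",    "HASH-DROPPER"),
    ("ws-01", "2016-10-21T08:02:11Z", "explorer.exe",   "winword.exe",    "HASH-WORD"),
    ("ws-01", "2016-10-21T08:03:40Z", "winword.exe",    "powershell.exe", "HASH-PS"),
    ("ws-01", "2016-10-21T08:04:05Z", "powershell.exe", "updater.exe",    "HASH-DROPPER"),
    ("ws-07", "2016-10-21T09:15:22Z", "explorer.exe",   "chrome.exe",     "HASH-CHROME"),
    ("ws-03", "2016-10-21T11:45:10Z", "explorer.exe",   "outlook.exe",    "HASH-OUTLOOK"),
    ("ws-03", "2016-10-21T11:47:00Z", "outlook.exe",    "powershell.exe", "HASH-PS"),
    ("ws-03", "2016-10-21T11:48:30Z", "powershell.exe", "updater.exe",    "HASH-DROPPER"),
]

# Hash indicators as an imported threat-intel feed would supply them (constructed).
INTEL_HASHES: Dict[str, str] = {
    "HASH-DROPPER": "constructed indicator: fake 'updater.exe' dropper",
}


def office_spawns_powershell(ev: Event) -> bool:
    """Assumed behavioral rule: an Office application launching PowerShell."""
    _, _, parent, child, _ = ev
    return parent in {"winword.exe", "excel.exe", "outlook.exe"} and child == "powershell.exe"


# Rules are plain predicates, so operators can add or tune them without a signature update.
RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("office application spawned powershell", office_spawns_powershell),
]


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect(events: List[Event], intel: Dict[str, str],
           rules: List[Tuple[str, Callable[[Event], bool]]]) -> List[Dict]:
    """Replay the retained record in time order; return flagged events with their reasons."""
    hits: List[Dict] = []
    for ev in sorted(events, key=lambda e: parse_ts(e[1])):
        host, ts, parent, child, image_hash = ev
        reasons = []
        if image_hash in intel:
            reasons.append("intel: " + intel[image_hash])
        for name, predicate in rules:
            if predicate(ev):
                reasons.append("rule: " + name)
        if reasons:
            hits.append({"host": host, "ts": ts, "parent": parent, "child": child,
                         "hash": image_hash, "reasons": reasons})
    return hits


def first_seen_per_host(hits: List[Dict]) -> Dict[str, str]:
    """Earliest flagged event per host; hits are time-ordered so the first one wins."""
    first: Dict[str, str] = {}
    for h in hits:
        first.setdefault(h["host"], h["ts"])
    return first


def spread_timeline(hits: List[Dict]) -> List[Tuple[str, str]]:
    """Hosts in the order the suspicious activity first appeared on them."""
    return sorted(first_seen_per_host(hits).items(), key=lambda kv: parse_ts(kv[1]))


def dwell_hours(hits: List[Dict], now_ts: str) -> Dict[str, float]:
    """How long each host has been compromised, measured from its first flagged event."""
    now = parse_ts(now_ts)
    return {host: (now - parse_ts(ts)).total_seconds() / 3600.0
            for host, ts in first_seen_per_host(hits).items()}


if __name__ == "__main__":
    flagged = detect(ENDPOINT_EVENTS, INTEL_HASHES, RULES)
    for h in flagged:
        print(h["ts"], h["host"], h["parent"], "->", h["child"], "|", "; ".join(h["reasons"]))
    print("spread order:", [host for host, _ in spread_timeline(flagged)])
    for host, hours in dwell_hours(flagged, "2016-10-21T12:00:00Z").items():
        print(f"{host}: compromised for {hours:.1f} h")
```

Two design points carry over to a real deployment: detection runs over the retained record, not only live, so a newly imported indicator can be replayed against history and reveal how long a host was already affected; and because the record is central, the replay costs the endpoints nothing.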
These characteristics should sound familiar as that is the overall strategy applied to securing and protecting a data center. Moving away from the “detect and stop” mindset will result in more complete and efficient management of your new perimeter, the endpoint.
In October, hackers launched major DDoS attacks, disrupting a host of websites, including Twitter, Netflix, PayPal, Pinterest and the PlayStation Network. The attackers did this by compromising thousands of endpoint IoT devices, such as home routers and surveillance cameras, and transforming them into a botnet. Botnets are collections of millions of infected computers that are used maliciously for attacks. These botnets flooded the DNS hosting provider with traffic, causing some sites to go offline for several hours. This type of endpoint attack will continue to be a common occurrence with the growth of "connected" things.
Traditional endpoint security functions on the assumption that it can detect everything that is bad. Enter Carbon Black - a leader in next-generation endpoint security - which functions on the assumption that it’s impossible to detect everything that is bad, so the safest approach is to assume everything is bad. Carbon Black’s Defense Cloud continuously gathers raw endpoint data from more than 7 million computers protected by Cb Defense, Cb Response and Cb Protection, and analyzes information related to attacks, threats, behaviors, and change, with the singular purpose of identifying malicious activity. Rigorous analytic techniques are applied using a variety of methodologies, including machine learning and behavioral analytics.
Cisco Advanced Malware Protection has been given a makeover, leading to Cisco AMP for Endpoints. It is integrated with Cognitive Threat Analytics (CTA): CTA inspects web logs, traffic and telemetry from the web proxy, and CTA detection events are then pushed to AMP for Endpoints for further investigation, giving you an added level of visibility.
Two key features of Cisco’s AMP for Endpoints:
- With the added visibility from the CTA integration, you can find additional types of malware, such as polymorphic malware, file-less or memory-only malware, PowerShell script attacks, and infections that live only in a web browser.
- You get visibility into devices where you can’t install an AMP for Endpoints connector. AMP for Endpoints can be deployed on Windows, Macs, Linux, and mobile devices, and gives you deep visibility into activities on those devices. But since CTA analyzes web traffic across all devices on the network, the security team can get an expanded view into other devices, such as connected TVs or printers, and BYOD devices where a user might not want a connector on their personal device.
As a result of this integration with CTA, Cisco engineers have reported that AMP for Endpoints is seeing about 30% more infections on average.
Next week brings an end to our Security Series with Part 5: Enabling Secure IT Operations for your Organization.
- Malware Blog Series Introduction
- Part 1 of 5- Detecting and Blocking Malware at the Gateway Before Users are Affected
- Part 2 of 5- Educating the User and Social Engineering
- Part 3 of 5- Hunting Hidden Malware in your Datacenter
- Part 5 of 5- Enabling Secure IT Operations for your Organization