Author: Karl Lankford – Director, Solutions Engineering, BeyondTrust
Threats to endpoints can come in the form of external attacks as well as insider threats, which may be either malicious or unintentional in nature. A compromised endpoint can give an attacker a foothold within an environment, enabling them to launch further attacks on systems to access data and compromise additional endpoints via lateral movement.
And with 70% of successful breaches starting at the endpoint, it's imperative that security teams take a comprehensive, preventative approach to protecting all of the endpoints in the organization.
Typically, antivirus (AV) software is the first endpoint security tool deployed: it defends against common, known threats and is a generally well-accepted and pervasive toolset. However, AV is clearly not bulletproof, with upwards of 60% of attacks missed by antivirus due to unknown threats or evasive techniques that exploit ‘trusted’ applications. Therefore, based on regulatory compliance and well-defined security best practices, antivirus should be considered just one component of a more complete endpoint security strategy.
With perimeter security now stronger than ever, end-user devices are heavily targeted by threat actors. Most users have unrestricted access through web browsers and can be manipulated through email, making it easy for a hacker to “lure them in” using social engineering techniques. If the user has local admin rights when they open an infected attachment or link, the “payload” can execute with their privileges, giving the hacker control of the machine by silently installing backdoors and reconfiguring (or disabling) other security controls.
By removing admin rights, the user can no longer download or execute malicious software that triggers ransomware or malware attacks. This dramatically reduces the attack surface and severely limits what threat actors who bypass AV can do — the vast majority of exploits and payloads will fail. With no infection present, they do not have the ability to move laterally to compromise sensitive data. For example, removing admin rights would have mitigated 77% of Microsoft vulnerabilities.
With least privilege management, users can perform admin tasks without using root or administrator credentials — giving the privileges themselves to the application, and not the user. This ‘Passwordless’ administration approach allows organizations to implement true least privilege, giving users just enough rights to do their jobs.
Not all endpoint attacks need to leverage privileges to compromise a machine, and this is where application control steps in. Application control stops users, threat actors, and other applications from executing inappropriate commands or applications on an endpoint.
Traditionally, Application Control is seen as difficult and was reserved only for the most static of environments. However, by layering Application Control on top of Privilege Management, critical functionality in the operating system is trusted by default (users without privilege cannot introduce new code to directories like Program Files, Windows, System32, or Drivers). This makes it a pragmatic approach because it only needs to be applied to specific directories and files, where threat actors typically ‘drop’ and execute their payloads.
Using an Endpoint Privilege Management solution as the second and third layers of endpoint security provides not only a model for least privilege, but also for robust application control. The combined result is a drastic reduction in the endpoint risk surface. Additionally, application control is a requirement of a number of compliance mandates and frameworks.
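The layering described above can be expressed as a small policy evaluator. The following is an added example and is not BeyondTrust's or any product's code; the directory list, the elevation rule, the allowlist entry and the function names are all constructed for illustration. It shows a non-admin user's launch requests being decided in two steps: code in directories a standard user cannot write to is trusted by default, code in user-writable locations is denied unless an explicit rule allows it, and elevation is granted to a matching application rather than to the user. It also normalizes the path first, so a `..` segment cannot make a user-writable file look like it lives under a protected directory.

```python
"""Layered endpoint policy: least privilege first, application control on top.

Added example, not BeyondTrust's or any product's code. Every directory,
rule entry and function name below is constructed for illustration.
"""
import ntpath
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Locations an unprivileged user cannot modify; code found here is trusted
# by default (constructed list; C:\Windows covers System32 and Drivers).
PROTECTED_DIRS = [
    PureWindowsPath(r"C:\Program Files"),
    PureWindowsPath(r"C:\Program Files (x86)"),
    PureWindowsPath(r"C:\Windows"),
]

# Applications allowed to run elevated. Privilege attaches to the application,
# not to the user, so no admin credential is handed out (hypothetical entry).
ELEVATION_RULES = {
    PureWindowsPath(r"C:\Program Files\ExampleVendor\Installer.exe"),
}

# Explicit exceptions for legitimate code living in user-writable paths
# (hypothetical entry).
USER_PATH_ALLOWLIST = {
    PureWindowsPath(r"C:\Users\alice\AppData\Local\ExampleApp\ExampleApp.exe"),
}


@dataclass
class LaunchRequest:
    path: str
    wants_elevation: bool = False


@dataclass
class Decision:
    allow: bool
    elevated: bool
    reason: str


def normalize(path: str) -> PureWindowsPath:
    # Collapse '..' and '.' segments so a path cannot masquerade as trusted,
    # e.g. C:\Windows\..\Users\x\evil.exe is really under C:\Users.
    return PureWindowsPath(ntpath.normpath(path))


def in_protected_dir(p: PureWindowsPath) -> bool:
    # PureWindowsPath comparisons are case-insensitive, matching NTFS semantics.
    return any(root in p.parents for root in PROTECTED_DIRS)


def evaluate(req: LaunchRequest) -> Decision:
    p = normalize(req.path)

    # Application control check: only run code from locations a standard
    # user cannot have tampered with, or code covered by an explicit rule.
    if not in_protected_dir(p) and p not in USER_PATH_ALLOWLIST:
        return Decision(False, False,
                        f"{p} is in a user-writable location and no rule allows it")

    # Privilege check: elevation is decided per application, never per user.
    if req.wants_elevation:
        if p in ELEVATION_RULES:
            return Decision(True, True, f"{p} matched an elevation rule")
        return Decision(False, False,
                        f"{p} requested elevation but no rule grants it")

    return Decision(True, False, f"{p} runs with standard user rights")


if __name__ == "__main__":
    # Constructed launch attempts from a standard (non-admin) user session.
    for req in [
        LaunchRequest(r"C:\Windows\System32\notepad.exe"),
        LaunchRequest(r"C:\Users\alice\Downloads\invoice.exe"),
        LaunchRequest(r"C:\Windows\..\Users\alice\Downloads\invoice.exe"),
        LaunchRequest(r"C:\Program Files\ExampleVendor\Installer.exe", True),
        LaunchRequest(r"C:\Windows\System32\cmd.exe", True),
    ]:
        d = evaluate(req)
        print(f"{'ALLOW' if d.allow else 'DENY '} elevated={d.elevated}: {d.reason}")
```

The allowlist only needs entries for the few locations the policy does not trust by default, which is the pragmatic property the text describes: the bulk of the operating system needs no rules at all because a standard user cannot introduce code there.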
Since not every risk will be mitigated by antivirus, removing administrative rights, or application control, it is also important to have endpoint detection and response.
Endpoint Detection and Response (EDR) solutions are designed to help organizations identify and react to threats that have bypassed their other defenses. EDR runs locally on user workstations or servers to monitor processes, scheduled tasks, applications, logged-in users and, more importantly, to determine if malicious or unauthorized activity is present on the system. This complements EPM by recognizing and alerting on possible attacker activity on a system outside of EPM’s scope as a privilege management tool. EDR alerting can include network-related activity, known malicious applications, attempts to use built-in programs maliciously, and other activity. And, if EDR does detect an event, confidence that it is a genuine attack is much higher because privileges and potentially malicious applications have already had their execution mitigated by EPM. The number of false positives will decrease, reducing the time needed to review event data and anomalies.
It is important to remember that an EDR solution alone does not give your organization complete monitoring capabilities. Well-trained security professionals and sound processes are needed to maximize your EDR investment and truly improve your security. Without the right team and time commitment, EDR products can amass data and alerts, which can in turn increase your resource costs.
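To make the EDR signal described above concrete, here is an added example of the kind of correlation an endpoint agent performs. It is not BeyondTrust's or any EDR product's detection logic; the telemetry lines, field names and rule names are constructed for illustration. It reads process-start, network-connect and scheduled-task events, correlates them per process, and records a launch that privilege management already blocked as a mitigated attempt rather than an alert, which is where the lower false-positive volume the text mentions comes from.

```python
"""Minimal EDR-style correlation over endpoint telemetry.

Added example, not BeyondTrust's or any EDR product's detection logic. The
telemetry lines, rule names and field names are constructed for illustration.
"""
import json
import ntpath
from pathlib import PureWindowsPath

# Directories a standard user cannot write to (constructed list).
PROTECTED_DIRS = [
    PureWindowsPath(r"C:\Program Files"),
    PureWindowsPath(r"C:\Program Files (x86)"),
    PureWindowsPath(r"C:\Windows"),
]


def from_user_writable(path: str) -> bool:
    """True when the image sits outside every protected directory."""
    p = PureWindowsPath(ntpath.normpath(path))
    return not any(root in p.parents for root in PROTECTED_DIRS)


# Constructed telemetry: one JSON object per line (hypothetical field names;
# destinations use RFC 5737 documentation addresses).
SAMPLE_TELEMETRY = r"""
{"ts": "2024-01-01T09:00:01", "type": "process_start", "pid": 4100, "user": "alice", "image": "C:\\Program Files\\ExampleBrowser\\browser.exe", "epm": "allowed"}
{"ts": "2024-01-01T09:00:05", "type": "process_start", "pid": 4120, "user": "alice", "image": "C:\\Users\\alice\\Downloads\\invoice.exe", "epm": "allowed"}
{"ts": "2024-01-01T09:00:06", "type": "network_connect", "pid": 4120, "dst": "203.0.113.10:443"}
{"ts": "2024-01-01T09:00:07", "type": "scheduled_task_create", "pid": 4120, "task": "Updater", "action": "C:\\Users\\alice\\AppData\\Roaming\\upd.exe"}
{"ts": "2024-01-01T09:01:00", "type": "process_start", "pid": 4130, "user": "bob", "image": "C:\\Users\\bob\\Downloads\\setup.exe", "epm": "blocked"}
{"ts": "2024-01-01T09:02:00", "type": "network_connect", "pid": 4100, "dst": "198.51.100.5:443"}
"""


def detect(telemetry: str) -> list:
    """Return alerts (dicts) in the order the triggering events were seen."""
    events = [json.loads(line) for line in telemetry.strip().splitlines()]
    procs = {}      # pid -> details of processes that actually started
    alerts = []
    for ev in events:
        kind = ev["type"]
        if kind == "process_start":
            if ev.get("epm") == "blocked":
                # Privilege management stopped it: mitigated attempt, not an alert.
                alerts.append({"severity": "info", "pid": ev["pid"],
                               "rule": "launch_blocked_by_epm", "image": ev["image"]})
                continue
            untrusted = from_user_writable(ev["image"])
            procs[ev["pid"]] = {"image": ev["image"], "user": ev["user"],
                                "untrusted": untrusted}
            if untrusted:
                alerts.append({"severity": "medium", "pid": ev["pid"],
                               "rule": "exec_from_user_writable_path",
                               "image": ev["image"]})
        elif kind == "network_connect":
            proc = procs.get(ev["pid"])
            # Trusted code talking to the network is normal; code from a
            # user-writable path doing so is escalated.
            if proc and proc["untrusted"]:
                alerts.append({"severity": "high", "pid": ev["pid"],
                               "rule": "user_writable_process_network_connect",
                               "image": proc["image"], "dst": ev["dst"]})
        elif kind == "scheduled_task_create":
            # Persistence pointing at a user-writable path is always reviewed.
            if from_user_writable(ev["action"]):
                alerts.append({"severity": "high", "pid": ev["pid"],
                               "rule": "scheduled_task_to_user_writable_path",
                               "task": ev["task"], "action": ev["action"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_TELEMETRY):
        print(f"[{alert['severity']:6}] pid={alert['pid']} {alert['rule']}")
```

The browser process from `Program Files` generates no alert even though it connects to the network, while the same behaviour from a file in `Downloads` does; that asymmetry is the point of combining EPM context with EDR telemetry, and the `info` record for the blocked launch preserves the attempt for the analyst without adding to the alert queue.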
Endpoint security strategies are not one-size-fits-all. After your organization has implemented Steps 1-4, it’s imperative to review specific use cases and evaluate other endpoint solutions based on needs. Some types of endpoint security tools to consider include log monitoring and security information and event management (SIEM) solutions, Endpoint Protection Platforms (EPP), Web and Email Filtering applications, Data Loss Prevention, Encryption (endpoint and data security), Endpoint Hardening, Patch Management, Secure Configuration, Remote Access, and Web Proxy, to name just a few.
Endpoint security solutions have evolved considerably over the last several decades — from simple, signature-based antivirus software to solutions like EPM and EDR. That being said, what most organizations fail to realize is that endpoint security is not just one solution — it is an ecosystem that should have prevention as a foundational element rather than relying only on reactive remediation.