Why endpoint protection is very important, not only in times of pandemic
End devices (endpoints) are basically all machines connected via the Internet to your network, the technical heart of your business. The term covers all desktops, laptops, smartphones, POS systems, printers, scanners and tablets: everything employees use to communicate with each other. These devices are the lifeblood of your business, and protecting them is critical to your organization’s success.
With the shift towards mobility, centralized security systems that assume a single point of exit from the network turn out to be ineffective. As the organization grows, the number of endpoints and the cost of protection increase. The costs of unsecured networks are also rising – data loss, statutory penalties and loss of reputation are the tragic consequences that we can read about on industry websites every day.
Already in 2019, the research company IDC published disturbing statistics (off topic: most statistics on cybersecurity are disturbing) – in 70% of successful attacks, the problem was an insufficiently protected end device. Ransomware encrypts data and blackmails owners, spyware collects passwords silently. But it’s not just downloaded programs – in 2019 fileless malware was responsible for over 50% of attacks on endpoints. In addition, social engineering tricks such as phishing and whaling constantly test employees, trying to extract information. In 2020, with the global pandemic forcing many employees to work remotely, organizations must protect more endpoints than ever before. Attackers know that people who often work outside of the controlled environment provided by office computers and networks are today the weakest link in security. People who work outside the corporate network are more prone to misjudgment, which creates opportunities for attack. Do you also have the impression that your business laptop is “for sure safe”?
So how to ensure the security of end devices?
The times when antivirus did the trick are long gone, and previous generations of antivirus solutions that scanned every single file do not keep up with the capabilities and disk volumes of current devices. Therefore, AV is only one of the tools in a solution called EDR – Endpoint Detection and Response. As the name suggests, the evolution of attackers’ tactics and techniques against endpoints meant that threats had to be approached more broadly, split into detection and response.
EDR solutions work from a centralized management console with agents on each device. Every endpoint security solution should provide protection against malware (the more advanced the solution, the more methods of analysis), protection against fileless malware such as code executed from the browser, access protection for files and folders, and data encryption. Not to mention access to a global, constantly updated database of signatures and algorithms. Various manufacturers offer additional functionality, but those listed above are the core of EDR systems.
Below, we describe a few key functionalities for EDR – broken down into security mechanisms and administrative functions – after all, it is one thing to detect threats, and another to provide this information to analysts in an accessible way and enable them to act.
The most common security mechanisms used in EDR
Scanning “invisible” to the user – volumes have already been written about the mythical conflict between business and security. Scanning consumes computing resources and it is not a very good idea to perform it while you are working. EDR should detect when your computer is idle and then perform a scan. It is not entirely a security mechanism, but the method and quality of scanning is one of the key parameters when choosing EDR and it cannot be ignored.
Access to a database of threats updated by the vendor – usually attacks take place with the use of already known exploits and vulnerabilities. Periodic updates allow you to automatically increase the level of security. Some manufacturers use an internal division into “thematic” databases of threats, e.g.:
- Generic buffer overflow protection (GBOP) – GBOP provides content-based protection for specific application programming interfaces (APIs). Buffer overflow attacks exploit developer errors and occur when the bounds of the memory allocated for a variable are not properly checked.
- Data Execution Prevention – Designed to prevent damage from viruses and other security threats through programs that monitor system memory usage.
- Kill-bit – secures web browsers and other applications that use ActiveX controls. Kill-bit determines the Object Class Identifier (CLSID) of the ActiveX control and compares it with the list of controls identified as vulnerable. Protection is also content based – string analysis.
Despite the constant evolution of malware, a good signature set is still essential.
Application control and monitoring – the best EDRs have the ability to analyze the behavior of the application and “make a decision” about its possible sandboxing or blocking.
Controlled actions include, but are not limited to: accessing files or system memory, creating or copying files, changing registry keys, etc. An example of this technology is McAfee’s Dynamic Application Containment. This may be termed pre-sandboxing.
Protection against zero-day attacks – usually using heuristic methods supported by Machine Learning and detecting the correlation of code, behavior or file properties. In this type of analysis, there is no clear division into “definitely bad” and “definitely good”, the level of risk is determined on a scale between these values.
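As an added illustration of the two previous points (application control that decides between allowing, containing and blocking, and zero-day analysis that grades risk on a scale rather than as “good” or “bad”), the following is example code written for this article, not code from any EDR product; the signal names, weights and thresholds are constructed assumptions.

```python
import math
from collections import Counter

# Constructed sample file bodies, not real executables.
PACKED_BYTES = bytes(range(256)) * 4                       # uniform bytes, like a packed binary
PLAIN_BYTES = b"MZ" + b"\x00" * 500 + b"hello world" * 20  # low entropy, ordinary binary

# Assumed weights for signals an agent might report (constructed, not a vendor's).
WEIGHTS = {
    "unsigned": 0.15,
    "high_entropy": 0.20,            # packed or encrypted payload
    "write_startup_key": 0.30,       # persistence via a registry Run key
    "spawned_by_office": 0.25,       # process launched from a document
    "reads_browser_credentials": 0.35,
    "mass_file_rename": 0.40,        # ransomware-like file activity
}

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; close to 8.0 for packed or encrypted content."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def risk_score(file_bytes: bytes, signed: bool, behaviours: set) -> float:
    """Combine static properties and observed behaviour into one 0..1 risk level.
    Signals combine as 1 - prod(1 - w): several weak indicators add up, but the
    score never exceeds 1.0, so there is no hard good/bad cut, only a scale."""
    signals = set(behaviours)
    if not signed:
        signals.add("unsigned")
    if shannon_entropy(file_bytes) > 7.0:
        signals.add("high_entropy")
    survive = 1.0
    for s in signals:
        survive *= 1.0 - WEIGHTS.get(s, 0.0)
    return round(1.0 - survive, 3)

def verdict(score: float) -> str:
    """Map the graded risk onto the agent's three possible actions."""
    if score < 0.30:
        return "allow"
    if score < 0.70:
        return "contain"   # run, but with restricted file, registry and network access
    return "block"

if __name__ == "__main__":
    print(verdict(risk_score(PLAIN_BYTES, True, set())))                         # allow
    print(verdict(risk_score(PACKED_BYTES, False, {"write_startup_key"})))       # contain
```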
Elements of Web Security and Firewall functionality – they can be integrated into EDR solutions and are certainly useful. Control of ports and protocols or analysis of the reputation of the visited website improve the security of end devices.
Information about the threats detected on end devices starts the incident response process – we remind you that 70% of attacks start with end devices – so it is extremely important that this information reaches analysts efficiently and that the solution is easy to configure.
Several aspects that certainly make the life of the security department easier
Central management console – an absolute must-have; given the number of end devices, only centralized management makes the solution practical to use.
Configurable scanning – the administrator should have various scanning capabilities to be fully informed and at the same time not to disrupt business processes. For example, in one of the solutions we find the following modes:
- Full Scan.
- Fast scanning.
- Custom Scan.
Comprehensive records and reporting – mainly reduced to three areas:
- Activity logs: illustrate all events related to a change in system state.
- Threats: provide visibility into the host name and file location, the detection function, the file hash, the file date and time, whether it was detected via DAT signature files, and how long the file had been on the system before it was detected.
- Debug logs: cover troubleshooting in the broad sense.
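To show what an analyst can get out of the threat records listed above, here is an added example (written for this article, not an export from any product): it parses a constructed threat log with the fields named in the list, computes how long each file sat on disk before detection, and flags long-dwelling files that were caught by behaviour rather than by a DAT signature, i.e. cases where no signature exists yet. The column names, host names, paths and hash placeholders are all constructed.

```python
import csv
import io
from datetime import datetime

# Constructed sample export with the threat-record fields from the list above;
# hashes are placeholders, not real indicators.
THREAT_LOG = """host,location,function,sha256,file_time,detected_time,via_dat
WS-0142,C:\\Users\\jdoe\\Downloads\\invoice.exe,Behavioral,HASH-PLACEHOLDER-1,2020-03-02T09:14:00,2020-03-02T09:14:40,no
WS-0142,C:\\Temp\\update.js,OnAccessScan,HASH-PLACEHOLDER-2,2020-03-01T17:02:00,2020-03-02T08:30:00,yes
SRV-DB01,D:\\Share\\tools\\helper.dll,Behavioral,HASH-PLACEHOLDER-3,2020-02-20T11:00:00,2020-03-02T02:00:00,no
"""

def parse_records(text: str) -> list:
    """Parse the export and add dwell time (seconds between the file appearing
    on disk and its detection) to each record."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        file_time = datetime.fromisoformat(row["file_time"])
        detected = datetime.fromisoformat(row["detected_time"])
        row["dwell_seconds"] = int((detected - file_time).total_seconds())
        row["via_dat"] = row["via_dat"] == "yes"
        records.append(row)
    return records

def dwell_by_host(records: list) -> dict:
    """Longest time a threat sat undetected on each host."""
    worst = {}
    for r in records:
        worst[r["host"]] = max(worst.get(r["host"], 0), r["dwell_seconds"])
    return worst

def signature_gap_candidates(records: list, min_hours: int = 24) -> list:
    """Hashes detected by something other than a DAT signature after dwelling
    at least min_hours: each is a sample to review and submit to the vendor."""
    return [r["sha256"] for r in records
            if not r["via_dat"] and r["dwell_seconds"] >= min_hours * 3600]

if __name__ == "__main__":
    recs = parse_records(THREAT_LOG)
    print(dwell_by_host(recs))              # {'WS-0142': 55680, 'SRV-DB01': 918000}
    print(signature_gap_candidates(recs))   # ['HASH-PLACEHOLDER-3']
```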
The right way of configuring policies – what the “right” way of configuring is remains a very subjective issue. It is worth considering:
- Granularity: how many policy levels can you define in a high risk-low risk context.
- The number of parameters: in practice, a policy is a container for rules, so how precisely can you define them?
- Division by devices: workstations and servers often get separate rule sets; it is worth considering whether such a division will facilitate your work and whether it is needed at all.
- Division by user groups: depending on the department or the level of risk they present.
- Possibilities of adding exceptions.
- Automation rules.
Additional security mechanisms – such as preventing uninstallation of the agent, separate administrator passwords, or granular access rights for individual administrators.
End devices are and will be the weakest links in any company’s network – because they are an access point to sensitive systems and are often managed by unaware users. Due to the steady increase in their number in growing companies, cybersecurity programs are becoming more and more complex. While mobility and ease of communication facilitate effective operations, they can also pose a challenge to security. To counter attacks on endpoints, we need to create network-independent security policies – after all, the endpoint is the new edge of the network. Due to the variety of attacks, only an EDR solution can be considered an adequate protective measure.