Author: Nicole Brinson
Are You Making This Endpoint Security Mistake?
From our partners at Tenable
Detecting threats isn't enough. You must also remediate vulnerable endpoints and employ continuous monitoring to reduce exposure.
Importance Of Vulnerability Management
Malware-scanning technology such as endpoint antivirus runs in a memory resident mode to capture malicious activities in real time. These signature-based defenses require constantly updated databases of known malware patterns. However, as security researchers identify, create, test, and distribute malware detection signatures, attackers simply alter the pattern slightly to disguise the attack and avoid detection.
Consequently, antivirus signature databases on endpoints have become bloated with hundreds of updates and thousands of signatures to cover the permutations of an attack. This also impacts performance because the pattern-matching engine must inspect every file and data bit stored on the endpoint.
While new architectures have emerged to detect new threats and rapidly changing malware, organizations can be more effective by also removing the underlying vulnerabilities on endpoints. Findings from Verizon DBIR and research from software vendors, including Microsoft, emphasize this.
For example, removing a single vulnerability can diffuse the success of dozens of attack variants where each variation of an attack may require deployment of dozens of signatures on endpoint antivirus software to prevent compromise. The point here is that even an incremental improvement in remediating vulnerable endpoints through a faster patching cycle can have a huge impact on preventing an attack.
Evolution Of Vulnerability Management
A challenge with traditional endpoint scanning is that it’s periodic. Capturing vulnerabilities on transient systems that frequently connect and disconnect from the network is difficult. In fact, a large healthcare provider that I recently spoke with regularly saw 40% of its employees disconnected from the network during its vulnerability scan window.
Today’s solutions complement remote scanning by offering lightweight programs that install on transient endpoints such as laptops without the overhead of allocating large storage or memory footprints. These lightweight programs scan the host locally even when disconnected and report results when the system reconnects to the network.
Vulnerability management solutions are also evolving to leverage investments in mobile device management systems by extracting mobile device information and context for vulnerability analysis. By gathering mobile OS and application information, these solutions offer a better view of mobile device risk and configuration errors that can introduce malicious activity inside your environment.
The Rise Of Continuous Monitoring
In today’s agile IT environment, what can you do to reduce the attack surface between scans? Scanning more frequently is not feasible across large environments, nor does it fully solve the problem. And how do you address the problem of unknown threats and new vulnerabilities?
The answer to both questions is that it’s not easy. There are plenty of technologies, from sandbox analysis to statistical and behavior learning solutions, that help identify unknown threats, but the commonality across all is that you have to characterize what is the normal behavior of your endpoint and what is indicative of malicious behavior. This requires continuous monitoring of endpoints in your environment, to not only capture legitimate activities but also to monitor for abnormal endpoint behavior that exhibits signs of malicious intent. Continuous monitoring can help track the activities of each host over time and pull out patterns of endpoint behavior indicative of a compromise.
Such technologies, in addition to threat and vulnerability analysis, also aggregate multiple sources of information -- including host-to-host communications -- analyze data from endpoints and management systems, use multiple threat intelligence feeds, and monitor connections to external websites. They correlate this intelligence with risk and reputation data. The result is not just an aggregation of discrete endpoint activities that are abnormal, but also a prioritized view of endpoints that are vulnerable; hosting abnormal or malicious processes; exhibiting signs of compromise such as hosts starting to scan your environment; opening abnormal connections to suspicious domains; installing new programs and executable files; hiding processes; and more. With this context, administrators can reduce noise and achieve better insight into vulnerabilities that should be quickly remediated.
Detecting threats and remediating vulnerable endpoints reduces overhead and exposure to known and changing threats. Continuous monitoring can further help by detecting new malware and unknown threats.
To find out more about Tenable Networks, fill out the form below and one of our experts will be in touch shortly.