All’s well if the endpoint’s well: why security has to start with endpoint devices

The problem with today’s endpoints is that they are so varied:  a mix of desktop PCs, laptops and netbooks, frequently with different versions of OS and applications being used across organisations’ estates. This variety of endpoints also means that security may not be as robust as it could be.

This was highlighted in Check Point’s 2015 Security Report:  it found that 25% of enterprise endpoints do not have updated antivirus signatures; 25% don’t have the latest software updates and fixes for vulnerabilities; and 20% do not run a local firewall on their PC.

This can leave endpoints vulnerable to sophisticated malware, infected external storage devices, or malicious web content.

It’s no surprise, then, that hackers are now increasingly targeting endpoints, looking to exploit their relative lack of protection with advanced new attacks.  These can include evasive variants of Cryptowall and Cryptolocker ransomware, or other stealthy agents intended to compromise the PC or laptop, and then infect the enterprise network.

> See also: Why internal endpoints are a quick win in the fight against data theft

In the case of laptops, there’s a real risk that an infection could be injected directly into the heart of an organisation’s IT, which in turn demands a multi-layered security approach.

First, protecting the endpoint device needs to move beyond traditional signature-based antivirus that can only detect known threats. Second, organisations need better capabilities to identify and respond to emerging attacks across their network and endpoint estates, to quickly identify the source and scope of attacks, and find the best way to resolve them. Let’s look at each of these stages of security in turn.

The moment of attack

As touched on earlier, endpoints are vulnerable in large part because they often only have basic levels of malware protection.  However, it’s also easy for a hacker to use readily-available toolkits to make small changes to existing malware, and these changes make the infection invisible to conventional, signature-based antivirus solutions. There’s also the risk of hackers employing highly advanced, purpose-made malware to attack an organisation.

A security technique increasingly used to counter these threats is threat emulation, or sandboxing, in which suspicious files are intercepted as they arrive, and the files’ contents inspected in a virtualized, quarantined area (the sandbox) for unusual behaviour.

If a file behaves suspiciously, it is blocked.  Sandboxing dramatically increases malware detection and boosts security – but it can also consume significant processing power when running on a conventional laptop PC, which impacts on the user experience.

Smarter sandboxing

What’s needed is a way to securely inspect and block any malicious files and data arriving at an endpoint, without inhibiting the user experience. By assuming that any email attachment or download received could be infected – and removing any potential threats from it before passing it to the user – we can eliminate many common vectors of infection.

This is called threat extraction: documents are reconstructed using only safe elements, and any suspicious content (such as macros, embedded objects and files, and external links) is removed. The clean document is available to the user in a couple of seconds, so the process doesn’t hinder their work.

The original document is then sent to a sandbox environment running in a public or private cloud, where it can be examined in detail for threats, and blocked if malware is found. 

If the document is infection-free, it can be safely retrieved by the user. This approach minimises the processing overhead on the endpoint, and enables users to work seamlessly while protecting against threats from attachments in email messages, web downloads, content copied from removable storage devices, and so on.

Attack aftermath

As enterprises have so many potentially vulnerable points that can be targeted, even if an attack has been identified and stopped at an early stage, it’s still critical that IT teams understand what the attack was, how it happened, and what damage was done, to enable the fastest possible remediation.

However, the complex ecosystem of endpoint devices within a company can make analysis of security events difficult. It can often be tricky to even pinpoint where an incident started, let alone build a complete map of the attack’s lifecycle, including any damage done.

To help analyse such incidents, the endpoint security solution must first be able to continuously capture attack forensics data, giving visibility back in time into the origin of the attack.

> See also: Is there life after antivirus? Looking to the future of endpoint protection

With the growing number of security events every organisation is facing, today’s manual methods of reviewing logs to determine entry points, methods and damage scope, are simply too time consuming to pursue for every event.

To help teams understand the complete attack lifecycle, automated incident analysis leverages the forensics data to generate detailed reports, accelerating the process of remediating any affected systems.

By combining advanced threat prevention that defends against new, targeted malware on the endpoint, and automating collection and analysis of complete forensics data to give deep insights into attacks, organisations can protect both users’ systems and their core networks without inhibiting the business.

To paraphrase the title of the Shakespeare play: when it comes to security, all’s well if the endpoints are well.

Sourced from Aatish Pattni, Head of Threat Prevention Northern Europe, Check Point

Avatar photo

Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...

Related Topics