10 Endpoint Security Technologies And Tips Proven To Deny Hackers
4:00 PM EST Wed. Aug. 28, 2013
Businesses are increasingly looking at technologies to better detect targeted attacks and defend against phishing campaigns designed to trick end users into clicking on malicious files. Endpoint security technologies are now using a variety of new measures, from sandboxing to isolate and inspect the behavior of files to crowdsourcing capabilities that provide businesses faster protection against custom malware. Security experts agree that advanced persistent threats (APTs) are fueling the demand for stronger security detection measures.
The following endpoint protection technologies were identified in two separate studies commissioned by Waltham, Mass.-based white-listing security firm Bit9 and Boston-based vulnerability management vendor Rapid7. Here's a look at the studies' most significant findings as well as advice from security experts.
If you can't defeat attacks at the network, you can contain them either on the user's system or within their application, according to some experts. Invincea created a virtual sandbox to encapsulate the browser and other highly targeted applications. The company, which came out of the Defense Advanced Research Projects Agency (DARPA) research, scored a big win by landing an OEM agreement with Dell in June.
Cupertino, Calif.-based Bromium, founded by engineers from Citrix Systems, is developing a similar capability by deploying hardware-isolation protections around each Windows task. It's still early for the two companies, but they are gaining interest from industry analysts and business executives looking for alternative protection technologies at the endpoint.
Microsoft's Enhanced Mitigation Experience Toolkit is entering its fourth iteration, but it has seen sluggish adoption. If the tool is enabled, it makes it more difficult for an attacker to target memory corruption vulnerabilities, a common attack technique. The tool also helps administrators closely validate digital certificates to safeguard against man-in-the-middle attacks. EMET helps support the roll out of Microsoft's security mitigation technologies.
Microsoft said the toolkit drastically reduced the effectiveness of application exploits on Windows systems. In tests conducted by Microsoft, EMET running on Windows XP SP3 systems reduced the effectiveness of the exploits by 88 percent. The same test conducted on a Windows 7 system reduced the effectiveness of the exploits by 94 percent, Microsoft said.
Rapid7 found that 54 percent of surveyed customers either do not use code execution prevention on their users' systems or don't know whether or not they do. Microsoft supports both data execution prevention (DEP) and address space layout randomization (ASLR) in all supported versions of Windows. Depending on the Windows version, system administrators need to take measures to enable the controls. Both attack mitigation technologies help prevent attackers from executing code or make it more difficult for them to break out into the underlying operating system to cause damage.
One of the big surprises that came out of the Bit9 survey was that 13 percent of those surveyed did not know whether they had any security incidents, Bit9 Chief Security Officer Nick Levay said.
Businesses are considering strong technologies that can provide real-time endpoint or server monitoring to keep track of security incidents, according to the survey. Tracking metrics, such as how many times a help desk team needs to investigate a potential problem or how many times a laptop needs to be reimaged, can help prove the return on investment of security, Levay said.
"It's very easy to miss a trend within an organization that should be hitting you in the face because you are simply not gathering metrics," Levay said.
Account credentials are a hot commodity on underground hacker forums, and organizations are considering technologies that help ensure environments are protected with strong passwords. According to Rapid7, users should be prompted to change their passwords on a quarterly basis. Identity and access management projects can be extremely complex, channel experts told CRN, but a new breed of point technologies is gaining interest. Multifactor authentication, automated user provisioning systems and reporting technologies can help businesses manage the myriad authentication and access issues that IT administrators face on a daily basis.
Organizations are considering bolstering end-user awareness and training programs, according to the Bit9 survey. Bit9's Levay said scheduling training sessions that are narrower in scope are typically more successful than broad security discussions with end users. Training sessions can revolve around a single topic, such as how to create strong passwords or phishing scam identification.
"If you do manage to execute it properly, the effects are really good," Levay said. "You have to be strategic and have a long-term plan for how to approach training."
Support from upper-level executives helps keep a program running and instills a security-aware culture over time, Levay said. It also helps to have "champions," or respected people, within the various business units who can push the value of an awareness program over the line, he said.
The Rapid7 study found that 90 percent of organizations have the capability to scrub email of malicious file attachments, spam and phishing messages. But cybercriminals are still finding success using email as the primary attack vector, according to the recent Verizon Data Breach Investigations Report. The latest filtering technologies mix traditional blacklisting approaches with stronger analysis capabilities and crowdsourcing to identify new threats and provide protection. Newer technologies have also cut down on false positives, which have notoriously frustrated end users in the past.
Businesses are also considering the deployment of file inspection technologies as part of enhanced detection, according to the Bit9 survey. Emerging capabilities from Palo Alto Networks and FireEye inspect documents and executable files in a virtual or sandbox environment. Levay said the file is run in the safe environment to scrutinize its behavior and determine if it is malicious. The systems determine if it drops registry keys or other suspicious files, he said.
"These are next-generation solutions where you are looking for threats that don't have a signature," Levay said. "Traditional antivirus is relatively useless unless the attack matches some sort of signature. Attacks that are brand new, used for the first time or customized for their target, are not going to be detected by antivirus."
Rapid7 found that 17 percent of respondents have not, or are not sure if they have, updated endpoint systems with the latest operating system patches. A variety of automated patch and configuration management tools are available to help system administrators test operating system patches and deploy them to end-user machines.
System configuration issues also open up the attack surface to cybercriminals, giving them easy access to pivot to more sophisticated systems. Data breach studies found that attackers consistently target poorly configured systems, including remote access technologies and systems using weak or default passwords. Configuration management tools can also help identify high-risk areas and system components that are turned on but rarely, if ever, used by employees, say security experts.
Technologies that improve detection of malware and suspicious activity at the endpoint are gaining interest, according to Bit9's survey, which identified business IT security priorities for 2014. Levay told CRN that organizations are seeking technologies that can scan endpoints for indicators of compromise, such as the behavior of new files on a system or new software installed by the user. In-place enhanced detection looks at files running on the endpoint. Up until now, activity occurring on the endpoint has been very noisy, Levay said.