Shavlik

  Summer 2009 - Issue 47


The Academy

"The Academy" is a Web site supporting the security community with video-based instruction on how to install, configure and troubleshoot some of today's most popular security technologies. Visit the site at: www.theacademy.ca

Partners

Shavlik Technologies Joins the Archer Exchange as an Integration Provider.



Feature Story


Three Ways to Reshape Endpoint Security

Malicious targeting exposes serious gaps in corporate security defenses

by Chris Schwartzbauer, Senior Vice President, Shavlik Technologies

During the past 15 years, organizations have built up defensive barriers for the servers and databases that house their most sensitive data. But today's threats aren't restricted to the data center. They have moved downstream, to endpoints outside the protective cocoon of the data center, providing hackers an on-ramp to the network.

In a centrally managed network the endpoints are the physical servers, desktops and laptops. They make up the vast majority of machines on the network, and any of them can host virtual images, online or offline, which multiplies the attacker's opportunities. Add the proliferation of USB drives, external hard drives and similar media, and it becomes obvious that protecting the data center no longer protects the data. The malicious targeting of endpoints is exposing serious gaps in corporate security defenses.

Why antivirus software isn't enough

Many security teams still believe that properly configured routers, firewalls and antivirus software are the keys to good endpoint protection. These do present a hardened Internet-facing exterior, yet threats bypass such perimeter protection with increasing regularity. One reason is an over-reliance on antivirus software that depends on signatures of threats that are already known.

According to the Verizon Business 2009 Data Breach Investigations Report, threats are increasing in number and complexity. In 2008 more than 285 million records were compromised, and 74% of the breaches examined came from external sources, including malware such as viruses, worms, back doors, keyloggers, trojans, spyware and rootkits. The figures reported for 2009 can be expected to be higher, and antivirus signature databases have already bloated to nearly one million entries. Malware authors understand how signature matching works and use polymorphic code to rewrite the malicious payload so that it no longer matches the original sample, rendering existing signatures ineffective. Every such variant needs a signature of its own, so the number of signatures to track is growing out of hand.

Once a threat is in-house, an attacker has little difficulty locating and infecting unpatched or misconfigured machines. Historically, patching these endpoints has been too time-consuming for IT teams, particularly given their focus on the critical servers, and they lack the visibility into these machines to know when one has drifted away from corporate-defined configuration policies. Yet the primary reason endpoints have emerged as a significant hole in corporate defenses is the traditional separation of duties in security practice.

Once the security team establishes perimeter-based protections, the ongoing maintenance (system updates, signature updates and mitigation of problems found at the endpoint) becomes the IT operations team's responsibility. Security may use one set of technologies to find gaps while IT operations uses another to close them. This separation of duties may be required for audit purposes, but the lack of integration and automation between the two sets of tasks wastes hours of IT staff time and leaves the gaps in system security open for longer.

Defense in depth: three ways to keep your organization safe

The old adage of defense in depth must not be limited to the data center. Organizations must supplement their Internet-facing protection with a proactive approach that provides defense in depth for every machine. This requires three critical responses.

1. Properly configure and monitor the configuration of your endpoints.

Misconfigured endpoints are one of the main causes of system downtime and of exposure to threats and misuse. Studies have put up to two-thirds of vulnerabilities down to system configuration errors. And it only takes a relatively small percentage of misconfigured endpoints, usually those with nonstandard settings that give the user too much control, to generate a large number of virus and spyware incidents.

Ensuring endpoints are properly configured seals cracks in your defensive armor. For example, setting the account lockout threshold to a sensible value stops password-guessing programs from working; verifying that there are no open shares on an endpoint denies an attacker an easy foothold on the machine; and recording that staff have run every policy check on a machine gives you evidence that the enforcement actually happened.
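The configuration checks described above, as an added example (my code, not Shavlik's product and not from the original article): it parses the [System Access] section of a `secedit /export /cfg` export and a `net share` listing, both constructed samples embedded in the script, and reports the lockout threshold, the minimum password length and any non-default shares against a small policy. The policy values (lockout threshold between 3 and 10, minimum password length 8) are assumptions for this example. The share check only lists non-default shares, because `net share` output does not carry the ACL you would need to prove a share is really open; that is the follow-up check an operator has to make.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of a `secedit /export /cfg <file>` export. The tool writes
# an INI file; lockout and password policy live in [System Access].
# LockoutBadCount = 0 means "never lock the account", which is the weak setting.
SECEDIT_EXPORT = """
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
LockoutBadCount = 0
ResetLockoutCount = 30
LockoutDuration = 30
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed sample of `net share` output from the same host (raw string,
# the paths contain backslashes). Columns follow the header's layout.
NET_SHARE_OUTPUT = r"""
Share name   Resource                        Remark

-------------------------------------------------------------------------------
C$           C:\                             Default share
IPC$                                         Remote IPC
ADMIN$       C:\Windows                      Remote Admin
Public       C:\Users\Public
Finance      D:\Finance                      Q2 spreadsheets
The command completed successfully.
"""

# Shares Windows creates itself; anything else is a candidate "open share".
DEFAULT_SHARES = {"C$", "ADMIN$", "IPC$"}


@dataclass
class Finding:
    check: str
    detail: str


def parse_secedit(text: str) -> dict[str, dict[str, str]]:
    """Parse the INI-style secedit export into {section: {key: value}}."""
    sections: dict[str, dict[str, str]] = {}
    current: dict[str, str] | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections


def parse_net_share(text: str) -> dict[str, str]:
    """Map share name -> resource path using the header's Resource column.

    Whitespace splitting would mis-parse IPC$ (empty resource, remark with a
    space), so the name is sliced off at the column offset and the resource is
    whatever precedes the first run of two or more spaces after it.
    """
    lines = text.splitlines()
    header = next(l for l in lines if l.startswith("Share name"))
    res_col = header.index("Resource")
    shares: dict[str, str] = {}
    in_table = False
    for line in lines:
        if line.startswith("-----"):
            in_table = True
            continue
        if not in_table or not line.strip() or line.startswith("The command"):
            continue
        name = line[:res_col].strip()
        shares[name] = re.split(r"\s{2,}", line[res_col:], maxsplit=1)[0].strip()
    return shares


def audit(secedit_text: str, net_share_text: str,
          lockout_range: tuple[int, int] = (3, 10),
          min_password_length: int = 8) -> list[Finding]:
    """Compare one endpoint's exported settings and shares against policy."""
    findings: list[Finding] = []
    access = parse_secedit(secedit_text).get("System Access", {})

    lo, hi = lockout_range
    threshold = int(access.get("LockoutBadCount", "0"))
    if threshold == 0:
        findings.append(Finding("LockoutBadCount",
                                "0: accounts never lock, password guessing runs unthrottled"))
    elif not lo <= threshold <= hi:
        findings.append(Finding("LockoutBadCount",
                                f"{threshold} is outside the {lo}-{hi} policy range"))

    pw_len = int(access.get("MinimumPasswordLength", "0"))
    if pw_len < min_password_length:
        findings.append(Finding("MinimumPasswordLength",
                                f"{pw_len} is below the required {min_password_length}"))

    for name, resource in parse_net_share(net_share_text).items():
        if name not in DEFAULT_SHARES:
            findings.append(Finding("Share",
                                    f"{name} -> {resource}: non-default share, verify its ACL"))
    return findings


if __name__ == "__main__":
    for f in audit(SECEDIT_EXPORT, NET_SHARE_OUTPUT):
        print(f"[{f.check}] {f.detail}")
```

On a real host the two inputs are the file written by `secedit /export /cfg` and the captured `net share` output; the sample above reports the zero lockout threshold, the zero minimum length and the Public and Finance shares, and reports only the two shares once the lockout and length values are brought inside policy.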

2. Properly patch and monitor the patch status of your endpoints.

Similarly, keeping your endpoints up to date with the latest security patches is critical, and IT must apply those patches in a timely manner. Consider the Conficker worm, also known as Downadup. By January 2009 it was estimated to have infected more than 9 million machines, even though the patch that closed the vulnerability it exploits (MS08-067) had been available since October 2008.
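An added example of the patch-status check this point calls for (my code, not Shavlik's product and not from the original article). It keeps a hand-maintained bulletin-to-KB map (MS08-067 shipped as KB958644; the other two entries are later SMB bulletins from the same period), parses the `wmic qfe get HotFixID` listing collected from each host, and refuses to call an endpoint patched when its inventory is older than the reporting window, which is where the offline laptops and virtual images mentioned earlier hide. Host names, dates and hotfix listings are constructed samples.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Bulletin -> KB article that closes it. MS08-067 is the hole Conficker used.
REQUIRED_PATCHES = {
    "MS08-067": "KB958644",
    "MS08-068": "KB957097",
    "MS09-001": "KB958687",
}


@dataclass
class Host:
    name: str
    inventoried: date   # when the hotfix list below was last collected
    qfe_output: str     # text of `wmic qfe get HotFixID` on that host


# Constructed inventory. The laptop's last report says "fully patched", but
# that report is a month old: it must not be counted as patched today.
HOSTS = [
    Host("FIN-DESK-03", date(2009, 1, 19),
         "HotFixID  \nKB957097  \nKB958644  \nKB958687  \n"),
    Host("HR-DESK-12", date(2009, 1, 19),
         "HotFixID  \nKB957097  \n"),
    Host("SALES-LAPTOP-07", date(2008, 12, 20),
         "HotFixID  \nKB957097  \nKB958644  \nKB958687  \n"),
]


@dataclass
class Status:
    host: str
    state: str          # "patched" | "missing" | "stale"
    missing: list[str]  # bulletins not found in the last inventory
    age_days: int       # age of that inventory


def parse_qfe(text: str) -> set[str]:
    """Collect KB identifiers from `wmic qfe get HotFixID` output."""
    ids: set[str] = set()
    for line in text.splitlines()[1:]:  # first line is the HotFixID header
        token = line.strip().upper()
        if token.startswith("KB"):
            ids.add(token)
    return ids


def missing_bulletins(host: Host, required: dict[str, str] = REQUIRED_PATCHES) -> list[str]:
    installed = parse_qfe(host.qfe_output)
    return [bulletin for bulletin, kb in required.items() if kb not in installed]


def patch_report(hosts: list[Host], as_of: date, max_age_days: int = 7,
                 required: dict[str, str] = REQUIRED_PATCHES) -> list[Status]:
    """Classify every host; a stale inventory outranks whatever it claims."""
    report = []
    for h in hosts:
        age = (as_of - h.inventoried).days
        missing = missing_bulletins(h, required)
        if age > max_age_days:
            state = "stale"
        elif missing:
            state = "missing"
        else:
            state = "patched"
        report.append(Status(h.name, state, missing, age))
    return report


def exposed_to(bulletin: str, report: list[Status]) -> list[str]:
    """Hosts to treat as exposed: confirmed missing the fix, or unprovable."""
    return [s.host for s in report if s.state == "stale" or bulletin in s.missing]


if __name__ == "__main__":
    report = patch_report(HOSTS, as_of=date(2009, 1, 20))
    for s in report:
        print(f"{s.host:16} {s.state:8} age={s.age_days:3}d missing={s.missing}")
    print("exposed to MS08-067:", exposed_to("MS08-067", report))
```

The `exposed_to` list is the one to act on: it deliberately includes the stale laptop alongside the desktop that is known to lack KB958644, because an endpoint you cannot prove is patched has to be treated as unpatched.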

3. Use up-to-date, real-time protection software, not just reactive antivirus software.

Companies must update their antivirus and threat management to include state-of-the-art heuristics and behavior detection alongside signature matching, then supplement it with real-time protection software that actively monitors a machine. Rather than serving as the primary method for deterring threats, antivirus becomes your last layer of defense. It sits behind the real-time protection software, which stands as a constant sentry against sabotage by watching for changes to specific security configuration settings and values. If it detects a change it can respond immediately and, according to your policy, either ask the user what to do or simply change the setting back to its original value.
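The sentry behaviour just described, as an added example (my code, not Shavlik's product and not from the original article): a baseline of registry values with a per-setting action, a constructed stream of observed writes, and a handler that reverts, prompts or logs according to policy. It goes one step beyond the text by escalating when a guarded setting is reverted repeatedly within a short window, since a revert loop is what a tampering process looks like from the sentry's side. The three registry paths are real Windows locations; the actions assigned to them, the process names, timings and the HKCU key in the event stream are assumptions for the example.

```python
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    expected: str
    action: str          # "revert" | "prompt" | "log"


@dataclass(frozen=True)
class ChangeEvent:
    ts: float            # seconds since monitoring started
    key: str             # registry value that was written
    new_value: str
    actor: str           # process that wrote it


@dataclass(frozen=True)
class Action:
    kind: str            # "revert" | "prompt" | "log" | "alert"
    key: str
    detail: str


UAC = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"
FW = (r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
      r"\FirewallPolicy\StandardProfile\EnableFirewall")
LM = r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel"

# Baseline: guarded settings and the response when one moves off policy.
BASELINE = {
    UAC: Rule("1", "revert"),   # UAC off: silently put it back
    FW: Rule("1", "revert"),    # firewall off: silently put it back
    LM: Rule("5", "prompt"),    # weaker LM auth: legitimate legacy need, ask
}


class Sentry:
    """Tracks current values, enforces each rule, and flags revert loops."""

    def __init__(self, baseline: dict[str, Rule], tamper_limit: int = 3,
                 window_s: float = 60.0) -> None:
        self.baseline = baseline
        self.current = {k: r.expected for k, r in baseline.items()}
        self.revert_times: dict[str, deque[float]] = defaultdict(deque)
        self.tamper_limit = tamper_limit
        self.window_s = window_s

    def handle(self, ev: ChangeEvent) -> list[Action]:
        rule = self.baseline.get(ev.key)
        if rule is None:
            return []                          # not a guarded setting
        self.current[ev.key] = ev.new_value    # record what was observed
        if ev.new_value == rule.expected:
            return []                          # moved back onto policy
        detail = f"{ev.actor} set {ev.new_value!r}, policy {rule.expected!r}"
        if rule.action in ("prompt", "log"):
            return [Action(rule.action, ev.key, detail)]
        # revert: restore the expected value and count recurrences in-window
        self.current[ev.key] = rule.expected
        times = self.revert_times[ev.key]
        times.append(ev.ts)
        while times and ev.ts - times[0] > self.window_s:
            times.popleft()
        actions = [Action("revert", ev.key, detail)]
        if len(times) >= self.tamper_limit:
            actions.append(Action("alert", ev.key,
                f"{len(times)} reverts in {self.window_s:.0f}s, last actor {ev.actor}"))
        return actions


def run(sentry: Sentry, events: list[ChangeEvent]) -> list[Action]:
    out: list[Action] = []
    for ev in sorted(events, key=lambda e: e.ts):
        out.extend(sentry.handle(ev))
    return out


# Constructed event stream: an installer disabling UAC, a legacy setup
# lowering LM authentication, then a process switching the firewall off
# three times in five seconds (it wins the race each time until we alert).
EVENTS = [
    ChangeEvent(0.0, UAC, "0", "setup.exe"),
    ChangeEvent(5.0, LM, "1", "legacyapp-setup.exe"),
    ChangeEvent(10.0, FW, "0", "updater.exe"),
    ChangeEvent(12.0, FW, "0", "updater.exe"),
    ChangeEvent(15.0, FW, "0", "updater.exe"),
    ChangeEvent(20.0, r"HKCU\Software\ExampleApp\Theme", "dark", "explorer.exe"),
]

if __name__ == "__main__":
    sentry = Sentry(BASELINE)
    for action in run(sentry, EVENTS):
        print(f"{action.kind:6} {action.key.rsplit(chr(92), 1)[-1]}: {action.detail}")
```

A setting under a "prompt" rule stays at the observed value until the user answers, so `current` reflects the machine rather than the policy for that key; the tamper alert fires on the third revert of the firewall value because all three fall inside the 60-second window, whereas reverts spread wider than the window do not accumulate.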

So what is preventing organizations from properly protecting their endpoints? Many things: the sheer volume of systems, the number of patches issued each year, and the diversity of operating systems and application software. Offline systems, including laptops and virtual images, are very difficult to monitor and maintain. The separation of duties leaves individual tasks managed by different departments or managers. Addressing these issues requires a dedicated effort to take stock of the tasks and develop processes specifically designed to address them. After such an effort, IT can achieve efficiencies through automation, and establish and maintain control by ensuring visibility into every system on the network.

Clearly, the business of managing and securing endpoints is in serious need of an overhaul. The singular approach of relying on a cookie-cutter, one-size-fits-all antimalware program to keep endpoints safe isn't good enough anymore. Nor can companies afford the current processes that require too much time, money and IT staff to chase after incidents or check on the status of the network's many systems. Organizations require in-depth, comprehensive protection, while IT needs more and better automation to be efficient, and the visibility and control necessary to be effective. In the final analysis, unless organizations can prove their endpoints are secure, they won't be.


Driving the strategy for all of Shavlik Technologies' customer facing operations, Chris Schwartzbauer heads up global marketing, sales, business development and customer support activities. He is an expert in automation trends and the streamlining of IT security operations, and is in ongoing consultation with Shavlik's largest customers, including several within the finance, government and technology sectors.

For Shavlik, Schwartzbauer oversees the organization's product positioning and launch strategies, business development and customer operations. In 18 years within the technology and security sector, he has overseen the launch and development of pioneering technologies within the security sector, working with companies such as Secure Computing, SafeNet Incorporated, Object FX and Dianon Systems. A former US Army captain, Schwartzbauer has a B.S. in engineering from The United States Military Academy.
