We all know that not only intellectual property, sensitive business information, customer data bases etc reside on the end points; it also includes user’s private information along with deepest darkest (and most valuable) secrets.
Moreover we are in the era of IT Consumerization where a perimeter has become perimeter less and organizations are opening themselves up to interaction with external services on the Internet and access from mobile devices including laptops and smartphones.
There is very high probability that one clueless user may lose them or may bring back bad stuff from hotels, coffee shops and airports where compromised endpoint device gives the bad guys running the underground economy , an entry inside the organization and enables them to compromise other systems and spread this love.
On top of this majority of current Threats are pretty sophisticated & don’t forget the deadly part…They are targeting these thousands of endpoints i.e. “individual gateways” silently. Threats are now designed such that they can infect, expand, and function and remain undetected by security components.
This evolving threat environment has caused a corresponding shift where we must deal effectively with this Chakra-Vyuha threats that utilize these behaviors of elusion, secrecy, and aggression targeting infrastructure, information and user identities.
So how to demystify this Chakra-Vyuha?
(Those all who are wondering what the meaning of Chakravyuha is – it has been taken from great epic tale of Mahabharata… It is made up of Chakra meaning circle or ring and Vyuha meaning formation. Chakravyuh is a formation consisting of 7 concentric circles of warriors rotating in unison…)
So let’s understand the 7 Keys to exit successfully from this Chakravyuha. In this discussion we will take a closer look how endpoint security compliance approach is evolving on Protection Technologies, management, Policies and Processes to fight these tough Categories of threat which sometimes are known and sometimes situation is scarier with the unknown bad world.
Key 1 : PROTECT ( Evolution of Protection Technologies)
Proactive Protection from known and unknown Threats: In Today’s time, a protection technology needs to fight against the reduced exploit time of known and unknown vulnerabilities. Hackers start exploiting the vulnerabilities as soon as they are discovered. Even if a patch is available for that vulnerability, organizations rarely can apply a system patch immediately it takes some time to test the patch and deploy it on all systems. This is a big window of opportunity for hackers to target these vulnerable systems.
or you get a virus sample and create a static signature just to address malware sample…But after some time…another variant will come and you are gone….so this way now we can’t play and win this game…so how do we win?
Heuristic Detection & Network Vulnerability shielding Technology needs to gear up & should incorporate the heuristic/generic detection logic using emulated behavior or binary characteristics to mitigate multiple variant of threats to have a proactive approach for threat mitigation whereby inspecting network traffic based on the latest vulnerability signature. This scenario is something like if central locking is not operational in your car; you are putting one guard to prevent tis theft before that actual issue of central locking gets fixed.
Behavioral monitoring – On top of this, behavior monitoring capabilities can identify new threats and tracks behavior of unknown processes and known good processes which may have gone bad.
E.g if there is a process that we don’t have a signature for but dropping a file that antimalware is detecting, it may conclude that it is a new malware dropper that you should want to get a sample of.
Another example can be Kernel tampering – any process that’s hooking the kernel or making other modifications to it. Technology should be able to detect this behaviour to have a closure look.
Emulation – Also, it is a good approach to Translates code that accesses real resources (unsafe) into code that accesses virtualized resources (safe). Translation helps to deal with malware volume – many are the same threat, just obfuscated differently. With polymorphic malware, what the code does may be the only common aspect of two samples so the emulation of the code helps to detect as well as prevent the malware from impacting the system
Signature from the Cloud – After suspicious detection using above approaches next logical step may be Query the file reputation data & behavior classifiers on “interesting” files. If it is a recently identified malware, a new signature is delivered dynamically to the requesting client in real time without waiting for the regular signature update process. It also minimizes the false positives on that threat detection.
Choose relevant protection component as per Risk Assessment: With so much proliferation of types of devices and multiple platforms, instead of just following a stereotype approach of asking protection technology support, You should do risk assessment against CIA value of the asset to consider relevant protection technologies like for HIDS/HIPS, Access Control, Host Firewall etc for different platforms and devices including the DC servers and Mobile devices. Risk mitigation strategy should get related to risk & threats profiling like malware, intrusion, denial of service, buffer over flow attacks, un-authorized access, admin privilege abuse, Data & Identity theft etc
Maintain the Basic of defense in depth: On Top of antimalware engine, Host Firewall can block or filter inbound connections to listening services that may have exploitable vulnerabilities or are susceptible to brute force attack. It is particular effective in blocking targeted attacks, and worms which try to propagate automatically. Further to this, proactive technologies explained above can be combined with browser-based protection mechanism where it tries to match a particular host or URL request to a known bad list, If it gets through that (e.g. a site hosting malicious threats is not yet classified), it further inspects the files for known malicious content as it is read and written from the file system.
Get Current…Stay Current:To some of you it may look very strange to put this strategy of “Get Current –Stay Current” under protection technologies. But it will be worthwhile to note that not only evolution on security technologies is happening but on top of that most positive change is that infrastructure solutions providers are realizing the need of providing integrated approach of security as compared to bolted down that security layer later on reducing the threat surface area itself. In my view keeping the infrastructure components as current as possible it can play a vital role in enhancing security framework and hence it should be an important part of best practices.
Key 2 : MANAGE ( Better Management leads to More Security)
Integration of Security and Management: Desktop management and security have traditionally existed as two separate disciplines, yet both play central roles in keeping users safe and productive.
Whereas Desktop Management ensures proper system configuration, deploys patches against vulnerabilities, and delivers necessary security updates. On the other hand Desktop Security provides critical threat detection, incident response, and remediation of system infection.
Most desktop vulnerabilities are a result of poor system configuration, and sometimes security personnel do not have ready access to inventory, patch level, and other desktop-specific configuration data. Combining the threat detection capabilities of a desktop security solution with Desktop management tool for remediating desktop security vulnerabilities organizations can get a unique, consolidated viewpoint into the health and protection status of their user systems
And also….In the case of a security event, IT administrators can do the Inventory of malicious applications , identify at-risk machines and take action to patch those vulnerable applications and systems and hence block outbreaks, and initiate clean-up efforts using a single infrastructure.
These efficiencies not only lower hardware, maintenance, and training costs, buy they also allow IT administrators to do their jobs more quickly and effectively— e.g it can reduce the helpdesk calls drastically…
Lock Down: On the proactive side, leverage on technologies where we can define a white list of files or folders or digitally signed content that we will accept to run – and block everything else. So even if we haven’t identified something as malware, it won’t run. Alternatively similar blacklisting approach can be incorporated. Also Organization should do risk assessment around peripheral ports of systems like USB, Bluetooth, firewire etc to control their use.
Key 3 : VERIFY (Secure Access to Corporate Resources Based on Asset Classification, users Identities and & threat Profiling of devices)
Compliance Validation: a framework should be incorporated where organization should be able to differentiate between corporate owned devices (e.g domain joined) & unmanaged machines ( Guest , Home , Kiosk PC etc) and also secure state of machines & users credentials can be validated against organization security policies at different entry points of network including LAN, gateway and depending upon this assessment result , restricted or full access to appropriate resources should be granted.
Please have a note that here most of the time secure state of the machine means that security components installed on the devices are running as intended i.e. are enabled and updated with and/or relationship with the patch status , application presence , registry settings etc. Some solutions may also include the malware and vulnerability scanners against the database mostly deployed inline.
Host based enforcement can ensure that compliance is being validated even when endpoints are not getting connected to corporate network entry points against last known good compliance policies. E.g ensures antimalware solution is always active while user is getting connected to the internet using personal DSL connection at home.
Automatic remediation also plays a major role here in reducing the administrative overheads.
Policies can be created in secure access solution for published portal Server, which will prevent uploading and downloading of documents when a machine is not trusted and/or does not comply with corporate security policies.
the keyword scanning, file detection, and other mechanisms built into the platform help IT prevent content such as copyrighted documents (e.g., song and video files), objectionable materials (such as profanity or discrimination), or others from being stored or corporate systems—taking up not only valuable space and resources, but exposing your company to legal liability.
Audit and Vulnerability Assessment: On auditing, basic example can be to know on how many endpoint antimalware solutions is deployed and running. Again here you may find to accomplish this in easier way if leveraging on integration of desktop management solution to run an inventory query for the same on all the endpoints across the network.
Depending upon the risk assessment organization may choose to include the coverage of client machines also while they normally run the vulnerability assessment on DC servers and network components.
Configuration Management: Leverage on the Infrastructure solution provider guidance , security baseline and Best Practices to reduce the time required to harden your environment,
and to comply with specific regulations or company policies. Sometimes these baseline and packs can be imported into Desktop Management tool easily and gold images can be created for clients & Server OS, applications & databases, browser etc and assessment can be run at a regular interval where deviations can be identified against those gold images…
Key 4 : INFORMATION & IDENTITY PROTECTION (Ensure information is protected from malware infection, intentional and unintentional data leakage, asset loss and digital intrusion)
Other key areas where organization should focus to prevent data loss or leakage on the client endpoint apart from preventing it from malware are – user authentication, encryption, persistent access control and physical security.
User Authentication: Requiring user authentication and maintaining an access control policy is your first line of defence. Assess your authentication requirements : is a password sufficient ? Do you need multiple factors , such as smart card and pin , or finger print and password ?
e.g smart card based authentication will be needed to approve an expense above specific amount threshold level.
Organizations should consider Identity management solution for credential and certificate management like user provisioning -deprovisioning , entitlements etc. criteria based group entitlement management like based upon manager , department , role – like permanent or FTE , can increase the efficiencies and accuracy of IT team to manage the identities and also helps to reduce helpdesk calls on password reset requests etc.
Most Customers find password sufficient but in that case while considering passwords , their complexity , length and frequency interval for changing the same should be considered.
Encryption: Data loss can occur from smaller mistakes like forgetting the laptop at the airport or in a taxi, leaving a USB drive full of confidential data in a restaurant or at a client site and not only from a cyber-attack on your desktops.
Also some solutions can be integrated with Hardware Trusted Platform Module that ensures that the data will not be readable on any other device but the corporate device even if the PIN is discovered. The hardware integration also ensures that changes to the boot process are stopped and that the data is also not readable if the OS has been tampered.
Same strategy can be implemented to protect removable drives, so users can continue using USB drives, but only if they type in a password to protect the drive. This allows sharing with authorized users and provides the productivity advantages of those USB devices, but reduces the risks of access by unauthorized users.
Persistent Access Control: Organizations should consider persistent document-level encryption & Right Management that goes wherever the document (or e-mail) does, no matter who accesses it or what device is used. Even if files are taken off-line, e-mailed to someone else, copied onto a USB drive/PDA, or accessed remotely, the use rights will endure and protect the information. And by federating these right management policies with outside organizations this secure collaboration can be extended to business partners and vendors.
Also, phrases that indicate confidentiality, and automatically apply access control templates to those documents using File classification techniques.
Key 5 : RESPONSE (Build and follow a plan)
Submission of Malware Samples: The goal should be that when new malware is released and is starting to spread, we can reduce the vulnerability window by not having to wait for computers to get the next signature update to be protected.
As the telemetry is sent on a file detected suspicious and for which a signature does not exist in its current signature set, if signature on the cloud is available, it is downloaded to the client in real-time, loaded and the appropriate action taken.
This kind of service can improve the quality of detection and remediation and collect samples for analysis and to create new signatures
Integration with Security Information & Event Management: it will be helpful to identify and respond to the threats with a proper incident management plan where different events can be correlated for Incident conclusion.
Repair: Doing the repair of the effect of malware is also critical where if a threat is detected it should look in a number of other places for other signs of a threat rather than just dealing with one detection at a time.
Solution sometimes may not be able to deal with a specific root kit; in that case it should be able to tell you that you need to run the stand-alone system sweeper.
Reboot tracking kind of capabilities Provides awareness that the system is in the process of rebooting which lets us take aggressive remediation actions that would be too risky otherwise (e.g. swapping out the registry hive and configuring a temporary one to load a kernel-mode, boot time removal driver). If this were done while the user is using the system, changes could be lost and potentially destabilize the system.
Key 6 : PERFORMANCE ( Another side of the coin – Users productivity is also critical)
Some of you may feel what performance factor is doing in endpoint security compliance?
While we are discussing on defense in depth approach where multiple security components are getting installed on the endpoints, vulnerability shielding network inspection system is being incorporated in protection technology where it is scanning each and every packet flowing through the NIC card. But on the other hand we should always remember that security should act as a business enabler where user productivity should not get affected due to these security burdens.
Disabling signatures if relevant patch is present on the System: So if once the system is patched and technology is intelligent enough to understand this and depending upon this assessment can also make the vulnerability shielding signature disabled automatically, It will a perfect scenario of achieving right balance between protection and performance as signatures are enabled only for the unpatched vulnerabilities.
Also, as we discussed, malware are increasing in numbers exponentially, there are more number of variants and hence to encounter this situation numbers of signatures are increasing. These signatures along with the threats information need to be loaded in memory and hence due to this system performance gets degraded. If the additional info on threats etc can be stored offline it can increase the system performance drastically.
Maintain a “context” which is used to determine depth of scanning: If Real Time Protection has been on the whole time, do we really need to rescan user-mode auto-start extensibility points (ASEPs) during quick scan? Similarly if we can determine evidence of kernel tampering, we may want scan should be much more aggressive. So adjust the scan depending upon the diagnose to balance out between security and performance.
Configurable parameters: CPU throttling while System is getting scanned , System Scan frequency & schedule , Update frequency and update , exclusions , network scanning , push / pull frequency , heart beat etc are various configurable parameters which can be considered to optimize the system performance.
Key 7 : AWARENESS (People make mistakes because they don’t know what they are doing is wrong)
Yes, in my view without help of users endpoint security compliance can never be achieved though we did discuss on the technologies like compliance validation where most of the control lies with the organization and control can be implemented centrally as per the security policies and internal regulation.
Also now days, we all are observing how getting connecting on social networking sites have multiplied specially in India. But since most of us access social network sites from the comfort and privacy of home or office, can be a part of false sense of anonymity. Additionally, the lack of physical contact on social network site can lower user’s natural defenses, leading individuals into disclosing information we would never think of revealing to a person we just met on road or at a dinner party.
On the other hand, there is a high probability that social network security and privacy lapses exist because of astronomical amounts of information the sites process each and every day that end up making it that much easier to exploit a single flaw in the system. Features that invite user participation — messages, invitations, photos, open platform applications, etc. — are often the avenues used to gain access to private information.
Don’t forget, there is the entire range of innocent family members on such networking sites including our grandmother to son. We need to educate them where not to click, not to accept some of the application notifications asking for the profile penetration.
For the overall success we need to bring these end users being sitting in organizations or in our home , vacant training classes and share with them the current threat landscape, organization IT security policies , Do’s & Don’t while they are on social networking web sites , Alert and notification steps , computer & cyber-crime implications and Incident Management Plan. More importantly, describe what they can do to advance this effort… Of Demystify this Chakra-Vyuha!!
So I believe keeping these 7 keys handy with us, we can avoid the unfortunate situation which happened with the great warrior Abhimanyu in the Mahabharata where he was aware how to go inside the Chakra – Vyuha but did not know how to break and come out from that.
Hoping you enjoy reading this…..Do provide your feedback using the ‘Like’ Button or share your comments!!