
Endpoint Security

While most organizations have long employed perimeter firewalls, Intrusion Detection Systems (IDS), and numerous other network-centric preventive and detective countermeasures, defense-in-depth mandates that additional protective layers be employed. When the firewall, IDS, Web Content Filter, and others are bypassed, an endpoint can be compromised.

Because endpoints are the targets of attacks, preventive and detective capabilities on the endpoints themselves provide a layer beyond network-centric security devices. Modern endpoint security suites often encompass myriad products beyond simple antivirus software. These suites can increase the depth of security countermeasures well beyond the gateway or network perimeter.

Though defense-in-depth is a laudable goal on its own, endpoint security suites provide significant advantages to the modern organization beyond simply greater depth of security. These tools can aid the security posture of devices even when they venture beyond the organization’s perimeter, whether that is because the device has physically moved or because the user has connected the internal device to a Wi-Fi or cellular network. An additional benefit offered by endpoint security products is their ability to provide preventive and detective control even when communications are encrypted all the way to the endpoint in question. Typical challenges with endpoint security stem from volume: a vast number of products and systems must be managed, and significant data must be analyzed and potentially retained.

Many endpoint products can be considered part of an overall endpoint security suite. The most important are antivirus, application whitelisting, removable media controls, disk encryption, Host Intrusion Prevention Systems, and desktop firewalls.

Note: For details on Host Intrusion Detection Systems (HIDS) and Host Intrusion Prevention Systems (HIPS), please see the “HIDS and HIPS” section below. For details regarding desktop firewalls, please review the “Firewalls” section above.

Antimalware/Antivirus

The most commonly deployed endpoint security product is antimalware software, still very commonly referred to as antivirus. Many of the full endpoint security suites evolved over time from an initial offering of merely signature-based antivirus. Antivirus products are often derided for their continued inability to stop the spread of malware. However, most arguments against antivirus seem to bemoan the fact that these products alone are not sufficient to stop malware. Unfortunately, there is no silver bullet or magic elixir to stop malware, and until there is, antivirus or antimalware products will continue to be necessary, though not sufficient. Antivirus is one layer (of many) of endpoint security defense-in-depth.

Although antivirus vendors often employ heuristic or statistical methods for malware detection, the predominant means of detecting malware is still signature based. Signature-based approaches require that a malware specimen is available to the antivirus vendor for the creation of a signature. This is an example of application blacklisting, sometimes now referred to as blocklisting (see “Application Whitelisting/Application Control” section below). For rapidly changing malware or malware that has not been previously encountered, signature-based detection is much less successful.

Application Whitelisting/Application Control

Application Whitelisting, also known as application control, is a more recent addition to endpoint security suites. The primary focus of application whitelisting is to determine in advance which binaries are considered safe to execute on a given system. Once this baseline has been established, any binary attempting to run that is not on the list of known good binaries is prevented from executing. A weakness of this approach is that a “known good” binary may itself be exploited by an attacker and used maliciously.

Whitelisting techniques include allowing binaries to run that:

  • Are signed via a trusted code signing digital certificate
  • Match a known good cryptographic hash
  • Have a trusted full path and name

The last approach is the weakest: an attacker can replace a trusted binary with a malicious version.
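The following is an added illustration (not code from the original text or any vendor product) of why the path-and-name rule is weaker than the hash rule: a constructed file is baselined by both rules, its contents are then changed in place, and each rule is re-evaluated. The file name, contents and helper functions are assumptions made for the example.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """Return the hex SHA-256 digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def allowed_by_path(path, trusted_paths):
    """Path-and-name rule: trusts whatever currently sits at a known location."""
    return os.path.realpath(path) in trusted_paths


def allowed_by_hash(path, trusted_hashes):
    """Hash rule: trusts only the exact bytes that were baselined."""
    return sha256_of(path) in trusted_hashes


def evaluate(path, trusted_paths, trusted_hashes):
    """Return each rule's verdict for the binary at `path`."""
    return {
        "path_rule": allowed_by_path(path, trusted_paths),
        "hash_rule": allowed_by_hash(path, trusted_hashes),
    }


def demo():
    """Baseline a constructed binary, then overwrite it at the same path
    (standing in for the replacement scenario in the text) and re-check."""
    with tempfile.TemporaryDirectory() as d:
        binary = os.path.join(d, "tool.bin")          # hypothetical file name
        with open(binary, "wb") as f:
            f.write(b"ORIGINAL TRUSTED CONTENT")       # constructed sample bytes
        trusted_paths = {os.path.realpath(binary)}
        trusted_hashes = {sha256_of(binary)}
        before = evaluate(binary, trusted_paths, trusted_hashes)
        with open(binary, "wb") as f:
            f.write(b"DIFFERENT CONTENT, SAME PATH")   # constructed sample bytes
        after = evaluate(binary, trusted_paths, trusted_hashes)
    return before, after


if __name__ == "__main__":
    print(demo())
```

The path rule still allows the file after its contents change, while the hash rule no longer matches it.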

Application whitelisting is superior to application blacklisting (where known bad binaries are banned).