By Malcolm Orekoya, Senior Technical Consultant, Netutils
Views expressed in this post are original thoughts posted by Malcolm Orekoya, Senior Technical Consultant, Netutils. These views are his own and in no way do they represent the views of the company.
The idea that no single solution can, on its own, protect enterprise endpoints from the huge number of threats out there is a reasonable one, and so most security professionals accept defence in depth as the best means of protecting endpoints. The key, however, is to know what to focus on and to make sure your strategy covers all angles. Below are a few areas of focus that you might find useful.
- Understanding the endpoint
Two aspects of endpoint protection sometimes get overlooked: the first is the multiple device types and roles that exist within the enterprise network, and the second is the multiple operating systems (OS) in use.
The first refers to the fact that most people misunderstand the term "endpoints" and assume it refers only to the laptops and computers used by their end users. Others also include the increasing numbers of smartphones, tablets and servers on the network. However, I believe the true definition of an endpoint should be any device that can connect to a network, can be assigned an IP address and may, in some circumstances, gain access to the internet. Therefore devices such as printers, faxes, phones and electronic point of sale (EPOS) devices are all endpoints, and their level of protection and access on the network must also be controlled.
The second concerns managing and protecting the other operating systems that commonly exist on enterprise networks alongside the most widely used Microsoft operating systems. Organisations increasingly have to provision access for a variety of other operating systems on the network, such as Apple OS X and Linux distributions like SUSE and Ubuntu. Security administrators must make sure they can recognise these operating systems on the network and apply the same level of protection and control as they would to their standard operating systems.
- Basic defence in depth
There are a few standard layered protections that almost all endpoints should have today. These include basic things such as automatic screen locking, password protection and an enabled firewall. Beyond that, every endpoint, irrespective of the operating system installed, should run Anti-Virus (AV) and Anti-Spam (AS) software and, ideally, a dedicated malware protection solution. It is already well documented that AV alone will not protect endpoints against threats, and with the increase in Advanced Persistent Threats (APT) there is even more of a requirement for AS and malware solutions to work alongside AV. All of the above should be the minimum security baseline for every enterprise endpoint.
- Data exfiltration protection
Most hackers are after your data, and to get it out of your enterprise they are increasingly targeting enterprise endpoints as a way into the network rather than attacking the enterprise network directly. This means administrators have to start paying attention to how data can be extracted from their endpoints and how devices interact with that data. One way of controlling this is intelligent whitelisting of known applications and operations on endpoints, especially those that make any outbound communications, together with control over which executables are allowed to run on an endpoint.
In addition, privileged account usage and management is key, as administrator and root-level credentials are the Holy Grail for hackers. Network and endpoint administrators therefore need to be aware of how these privileged credentials are used and stored, both on their endpoints and across the enterprise network as a whole.
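As an added illustration of the whitelisting and privileged-account points above (example code written for this page, not the author's or Netutils' own), the following Python triages constructed endpoint telemetry: executables are matched by hash rather than by file name, connections to addresses outside the internal ranges are flagged when made by a non-allowlisted binary or by an allowlisted application that has no business talking externally, and external connections made under a privileged account are flagged as well. Hosts, paths, hashes and addresses are all constructed sample values.

```python
import ipaddress
# Constructed sample telemetry (not from the original post): one record per process
# start, with the account it ran as, the binary's hash and any connection it opened.
SAMPLE_EVENTS = [
    {"host": "pc-014", "user": "jsmith", "exe": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "sha256": "aaa111", "dst": "203.0.113.10:443", "privileged": False},
    # Same file name as the browser, different hash: a path-based check would wave it through.
    {"host": "pc-014", "user": "jsmith", "exe": r"C:\Users\jsmith\Downloads\firefox.exe",
     "sha256": "bbb222", "dst": "203.0.113.77:8443", "privileged": False},
    {"host": "till-03", "user": "epos", "exe": r"C:\EPOS\pos.exe",
     "sha256": "ccc333", "dst": "10.0.5.20:9100", "privileged": False},
    {"host": "till-03", "user": "epos", "exe": r"C:\EPOS\pos.exe",
     "sha256": "ccc333", "dst": "203.0.113.99:443", "privileged": False},
    {"host": "pc-022", "user": "Administrator", "exe": r"C:\Temp\tool.exe",
     "sha256": "eee555", "dst": "203.0.113.55:443", "privileged": True},
]
# Allowlist keyed by hash (hypothetical values), recording whether the application is
# expected to talk to anything outside the internal ranges.
ALLOWLIST = {
    "aaa111": {"name": "firefox", "external_ok": True},
    "ccc333": {"name": "pos", "external_ok": False},  # EPOS app only talks to the back office
}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

def is_external(dst):
    """True if a 'host:port' destination lies outside the internal ranges."""
    if not dst:
        return False
    ip = ipaddress.ip_address(dst.rsplit(":", 1)[0])
    return not any(ip in net for net in INTERNAL_NETS)

def classify_event(ev, allowlist=ALLOWLIST):
    """Return the findings for one record; an empty list means nothing to flag."""
    findings = []
    entry = allowlist.get(ev["sha256"])
    external = is_external(ev["dst"])
    if entry is None:
        findings.append("unknown-executable")
        if external:
            findings.append("unknown-executable-external")
    elif external and not entry["external_ok"]:
        findings.append("allowlisted-app-unexpected-external")
    if ev["privileged"] and external:
        findings.append("privileged-account-external")
    return findings

def triage(events, allowlist=ALLOWLIST):
    """Findings per (host, exe) for every record that needs a look."""
    return {(e["host"], e["exe"]): f for e in events if (f := classify_event(e, allowlist))}
```

Feeding real process and connection telemetry into `triage` in place of the constructed list gives a first-pass list of endpoints where an unknown binary, or a privileged account, is sending data off the network.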
- Data in transit protection
Sharing data across the untrusted internet is a normal part of business operations today, given the global nature of the workforce and the flexibility of remote working. As a result, organisations need to pay particular attention to the type of confidential data that can leave the organisation, whether stored on the endpoints themselves or sent via sharing mechanisms. Encrypting confidential data as it leaves your organisation, together with the ability to validate receipt and provide an audit trail of how that data has been used, is becoming increasingly important. Platforms are now available on the market that extend the protection of standard file encryption with features such as two-factor authentication, one-time passcodes, secure vaults and sandboxed environments. Depending on the classification of the data within an organisation, i.e. its confidentiality rating, different methods of protection should be considered.
- Keep an eye on the news
Understandably, it is impossible for any security professional to keep abreast of all the latest threats, software vulnerabilities and trends without following a wide variety of vendors, news forums, blogs, social media and so on. Although these can themselves be overwhelming given the huge amount of content they publish, I think they are of paramount importance as a source of current and relevant information. Sites such as Dark Reading (www.darkreading.com) and the BBC News Technology website (www.bbc.co.uk/news/technology) can be a valuable source of breaking technology news, as can social media posts on sites such as Twitter and LinkedIn, provided one is following relevant organisations and individuals. As always, individual preference will determine which sites you choose to follow, but the point is to use these resources in one way or another.