Endpoint protection may seem totally unrelated to ancient history, but we can learn a lot from our past. The most important building in ancient Greece was the temple, with its most recognizable and famous feature, massive columns. The most famous Greek temple is the Parthenon on the Acropolis in Athens. Over its long life, the Parthenon has served as a fortress, church and treasury, and it has survived through the ages thanks to its mighty pillars. Such stone pillars have kept the Parthenon and many other massive structures of the ancient world from crumbling over time.

I draw on this history lesson to compare these everlasting ancient structures with the digital infrastructures and endpoint protections we build today. If we built our enterprise IT infrastructure as a Parthenon, we would have solid rock foundations protecting our most valuable possessions. Instead of precious statues and gold, we need to protect our intellectual property and sensitive customer data. We have invested a great deal of effort in ensuring that our digital infrastructure's foundation can support the entire enterprise; we must also ensure that the enterprise is held up by strong pillars of protection that will stand the test of time as well as the ancient Greek columns have.

Five Pillars of Endpoint Protection

There are five security pillars of endpoint protection to consider. Each pillar can stand alone, but in concert they form a powerful structure for securing any enterprise. While not an exhaustive list of the protections that can be placed on the endpoint, these pillars represent the critical points at which advanced malware and advanced persistent threats (APTs) can be stopped.

1. Safeguarding Corporate Credentials

The first pillar of protection is safeguarding corporate credentials. Corporate credentials are the keys to the kingdom. The Verizon 2013 Data Breach Investigations Report (DBIR) found that 76 percent of the network intrusions it analyzed exploited weak or stolen credentials. Credentials are stolen by malware, by phishing and through breaches of third parties. It is important to invest in a protection system that blocks keylogging malware. The system should also ensure that users do not submit corporate credentials to nonapproved websites, which is exactly how phishing pages harvest them.
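The check described in the last sentence can be implemented on the endpoint without the agent ever holding the password in the clear. The following is an added example written for this article, not code from any product the article describes; the allowlist, the salt, the sample password and the submission events are all constructed for illustration. The agent keeps only a keyed hash of the corporate password, hashes each submitted password field, and blocks the submission when the hash matches and the destination host is not on the allowlist. Host matching is exact, so the usual lookalike tricks (a suffix domain, a prefixed domain, a host hidden behind userinfo) do not pass.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Hypothetical allowlist: the only hosts where the corporate password may be typed.
APPROVED_LOGIN_HOSTS = {"sso.example.com", "mail.example.com"}


def fingerprint(password: str, salt: bytes) -> bytes:
    """Keyed hash of a password. The endpoint agent stores only this value,
    never the corporate password itself."""
    return hmac.new(salt, password.encode("utf-8"), hashlib.sha256).digest()


def host_is_approved(url: str, approved=APPROVED_LOGIN_HOSTS) -> bool:
    """True only for HTTPS URLs whose host exactly matches an approved host.

    urlsplit().hostname strips userinfo and port and lower-cases the name, so
    'https://sso.example.com@evil.net/' resolves to evil.net. The exact-set
    match rejects suffix and prefix lookalikes such as
    'sso.example.com.evil.net' and 'evil-sso.example.com'.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")  # drop a trailing dot (FQDN form)
    return parts.scheme == "https" and host in approved


def evaluate(event: dict, corp_fp: bytes, salt: bytes,
             approved=APPROVED_LOGIN_HOSTS) -> str:
    """Classify one form submission: 'ignore', 'allow' or 'block'."""
    submitted = event.get("password")
    if not submitted:
        return "ignore"  # no password field in this form
    if not hmac.compare_digest(fingerprint(submitted, salt), corp_fp):
        return "ignore"  # some other password; not the corporate credential
    if host_is_approved(event["url"], approved):
        return "allow"
    return "block"  # corporate password leaving for a non-approved host


# Constructed sample data for the example (not real credentials or telemetry).
SALT = b"per-device-random-salt"
CORP_FP = fingerprint("Tr0ub4dor&3", SALT)

SAMPLE_EVENTS = [
    {"url": "https://sso.example.com/login", "password": "Tr0ub4dor&3"},           # approved host
    {"url": "https://sso.example.com.evil.net/login", "password": "Tr0ub4dor&3"},  # suffix lookalike
    {"url": "https://sso.example.com@evil.net/login", "password": "Tr0ub4dor&3"},  # userinfo trick
    {"url": "http://sso.example.com/login", "password": "Tr0ub4dor&3"},            # plaintext HTTP
    {"url": "https://shop.example.org/login", "password": "hunter2"},               # personal password
    {"url": "https://sso.example.com/search", "q": "quarterly report"},             # no password field
]


def run(events=SAMPLE_EVENTS):
    return [evaluate(e, CORP_FP, SALT) for e in events]


if __name__ == "__main__":
    for e, verdict in zip(SAMPLE_EVENTS, run()):
        print(f"{verdict:6}  {e['url']}")
```

A real agent would hook the browser's form submission rather than receive a dictionary, and the salt must be generated per device so that the stored fingerprint cannot be used to test passwords offline across the fleet.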

2. Exploit Chain Disruption

The second pillar in defending against attacks is exploit chain disruption. Attackers target commonly used applications and their vulnerabilities to gain access to the enterprise. Zero-day attacks occur during the vulnerability window between the first exploitation of a vulnerability and the point at which the software vendor publishes a patch for it; signature-based defenses have nothing to match during that window. Fortunately, exploits have only a limited number of ways to turn a vulnerability into running malware: they typically must gain code execution inside the vulnerable application and then get a payload written to disk or launched as a new process. Enterprises should look for systems that understand how exploits work and preempt the processes exploits use to install malware. To stop zero-day attacks, the system must be able to operate without prior knowledge of the exploit, the malware or the vulnerability.
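One way to preempt that last step without knowing the vulnerability is to judge process creation by who the parent is and what the child is. The following is an added example for this article, not code from any product the article describes; the rule tables and the process-creation events are constructed and deliberately small. A document viewer or browser has no business spawning a shell or script host, and no business launching an executable from a user-writable directory, so those two behaviors are blocked regardless of which bug got the attacker there.

```python
import ntpath

# Hypothetical rule tables, constructed for this example. A real product would
# ship far larger lists and weight them by the parent's reputation.
EXPLOIT_PRONE_PARENTS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "acrord32.exe", "chrome.exe", "firefox.exe", "iexplore.exe",
}
SCRIPT_HOSTS_AND_SHELLS = {
    "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
}
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\windows\\temp\\")


def _image_name(path: str) -> str:
    # ntpath handles Windows separators on any platform.
    return ntpath.basename(path).lower()


def evaluate_spawn(parent_image: str, child_image: str) -> tuple:
    """Return (verdict, reason) for one process-creation event."""
    parent = _image_name(parent_image)
    child = _image_name(child_image)
    if parent not in EXPLOIT_PRONE_PARENTS:
        return ("allow", "parent is not a document or browser application")
    if child in SCRIPT_HOSTS_AND_SHELLS:
        return ("block", f"{parent} spawned script host or shell {child}")
    if child_image.lower().startswith(USER_WRITABLE_PREFIXES):
        return ("block", f"{parent} launched {child} from a user-writable path")
    return ("allow", f"{parent} spawned {child} from a trusted location")


# Constructed sample events: (parent image path, child image path).
SAMPLE_EVENTS = [
    ("C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "C:\\Windows\\System32\\cmd.exe"),
    ("C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe"),
    ("C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
     "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"),
    ("C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "C:\\Windows\\splwow64.exe"),          # print spooler helper: legitimate child
    ("C:\\Windows\\explorer.exe",
     "C:\\Windows\\System32\\cmd.exe"),     # user opening a shell: not an exploit parent
]


def scan(events=SAMPLE_EVENTS):
    """Verdict for each event, in order."""
    return [evaluate_spawn(p, c)[0] for p, c in events]


if __name__ == "__main__":
    for (p, c), (verdict, reason) in zip(SAMPLE_EVENTS, (evaluate_spawn(p, c) for p, c in SAMPLE_EVENTS)):
        print(f"{verdict:5}  {reason}")
```

The rule is coarse on purpose: it trades a small number of legitimate exceptions (macros that really do call PowerShell, for instance) for coverage of every exploit that ends in the same few steps, and the exceptions are easier to enumerate than the exploits.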

3. Legacy Threat Protection

The third pillar is legacy threat protection. There is no doubt that the evolving threat landscape can be both dangerous and disruptive. While some legacy viruses may no longer be able to compromise your organization, they still generate a lot of noise, forcing IT security professionals to scramble to separate true threats from false alarms. A system that examines suspicious files and compares them against blacklists and several antivirus engines can reduce that noise and keep IT focused on higher-priority challenges.

4. Lockdown for Java

The ubiquitous nature of Java requires a fourth pillar of defense. Java applications that look legitimate can be written to compromise endpoint systems; these rogue applications take advantage of users' trust and bypass many other security controls. Vulnerable Java runtimes are heavily used in most enterprises, which leaves IT security teams with a high-risk business application environment. Find a system that blocks risky actions by untrusted applications. The protection system should understand the trust level of the Java code running inside the Java Virtual Machine and what that code is attempting to do on the host system. Risky behaviors such as writing to the file system or editing the registry should be blocked, while common Java actions such as rendering a display or performing local calculations are allowed. By blocking only risky behavior, the system spares users from lost productivity.

5. Malicious Communications

The fifth pillar of endpoint protection is blocking malicious communications. Many, if not all, advanced threats open communication channels to command and control (C2) servers and to drop locations for stolen data. This is the most important step for malware to monetize the attack and deliver value to the attacker. Just as exploits have limited paths for delivering malware, software has limited options for establishing outbound channels. Protection systems should understand more than the destination or the data content; they need to understand how these channels are opened. Malware often hides its activity to bypass traditional security controls. A common technique is process hollowing: the malware creates an application process that is allowed to communicate outbound, but creates it suspended, then unmaps the application's own code and writes malicious code into the process before resuming it. Users are unaware of these zombie processes, and they are unaware that such a process may be the source of the endpoint infection. Blocking malicious outbound communication contains the damage even after an endpoint has been infected, because the attacker can neither control the compromised system nor retrieve stolen data.
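The sequence just described is visible to an endpoint sensor as a handful of API calls, and "understanding how the channel is opened" reduces to remembering that sequence per process. The following is an added example for this article, not code from any product the article describes; the trace format and the sample trace are constructed to resemble what a sensor might record, and the numeric values are illustrative. A process created suspended, written to before it ever runs, and then resumed is flagged as hollowed, and any outbound connection it makes afterwards is blocked; a process created suspended and resumed untouched is left alone.

```python
CREATE_SUSPENDED = 0x00000004  # Windows CreateProcess creation flag

# APIs that replace or redirect a suspended process's code before it runs.
TAMPER_APIS = {"NtUnmapViewOfSection", "WriteProcessMemory", "SetThreadContext"}


def analyze(trace):
    """Walk an API trace and return alerts as (kind, pid, detail) tuples.

    State is kept per created process: whether it is still suspended and
    whether anyone wrote into it before it ran. Resuming a process whose
    image was tampered with while suspended is the hollowing signature; any
    outbound connection that process makes afterwards is then blocked.
    """
    state = {}   # child pid -> {"image", "suspended", "tampered", "hollowed"}
    alerts = []
    for ev in trace:
        api = ev["api"]
        if api == "CreateProcess":
            state[ev["child_pid"]] = {
                "image": ev["image"],
                "suspended": bool(ev["flags"] & CREATE_SUSPENDED),
                "tampered": False,
                "hollowed": False,
            }
        elif api in TAMPER_APIS:
            s = state.get(ev["target_pid"])
            if s and s["suspended"]:
                s["tampered"] = True   # code changed before the first instruction ran
        elif api == "ResumeThread":
            s = state.get(ev["target_pid"])
            if s and s["suspended"]:
                s["suspended"] = False
                if s["tampered"]:
                    s["hollowed"] = True
                    alerts.append(("hollowed_process", ev["target_pid"], s["image"]))
        elif api == "connect":
            s = state.get(ev["pid"])
            if s and s["hollowed"]:
                alerts.append(("blocked_outbound", ev["pid"], ev["dst"]))
    return alerts


# Constructed sample trace (not real telemetry). pid 1200 is the malware.
SAMPLE_TRACE = [
    {"api": "CreateProcess", "pid": 1200, "child_pid": 1300,
     "image": "C:\\Windows\\System32\\svchost.exe", "flags": CREATE_SUSPENDED},
    {"api": "NtUnmapViewOfSection", "pid": 1200, "target_pid": 1300},
    {"api": "WriteProcessMemory", "pid": 1200, "target_pid": 1300},
    {"api": "SetThreadContext", "pid": 1200, "target_pid": 1300},
    {"api": "ResumeThread", "pid": 1200, "target_pid": 1300},
    {"api": "connect", "pid": 1300, "dst": "203.0.113.7:443"},
    # Benign: created suspended (as some launchers do) and resumed untouched.
    {"api": "CreateProcess", "pid": 1200, "child_pid": 1400,
     "image": "C:\\Windows\\System32\\notepad.exe", "flags": CREATE_SUSPENDED},
    {"api": "ResumeThread", "pid": 1200, "target_pid": 1400},
    {"api": "connect", "pid": 1400, "dst": "203.0.113.8:443"},
]


if __name__ == "__main__":
    for alert in analyze(SAMPLE_TRACE):
        print(alert)
```

Debuggers and some application launchers also create suspended processes and write to them before resuming, so a production detector weighs this sequence against the creating process's signer and reputation rather than blocking on the sequence alone. Injection into a process that is already running is a separate technique and is deliberately outside this check.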

All five pillars protect separate vulnerability points along the attack chain, each of which can be used to disrupt and preempt advanced and persistent attacks. This defense-in-depth approach gives IT and security administrators multiple opportunities to prevent and defend against adversaries who need to succeed only once to damage the business.
