Endpoint protection may seem totally unrelated to ancient history, but we can learn a lot from our past. The most important building in ancient Greece was the temple, with its most recognizable and famous feature, massive columns. The most famous Greek temple is the Parthenon on the Acropolis in Athens. Over its long life, the Parthenon has served as a fortress, church and treasury and has survived through the ages thanks to its mighty pillars. Such stone pillars have kept the Parthenon and many other massive structures of the ancient world from crumbling over time.

I draw on this history lesson to make a comparison between these everlasting ancient structures and the digital infrastructure and endpoint protections we build today. If we were to build our enterprise IT infrastructure as a Parthenon, then we would have solid rock foundations protecting our most valuable possessions. Instead of precious statues and gold, we need to protect our intellectual property and sensitive customer data. While we have invested a great deal of effort in ensuring that our digital infrastructure's foundation can support the entirety of our enterprise, we must also ensure that our enterprise is supported by strong pillars of protection that will stand the test of time as well as the ancient Greek columns have.

Five Pillars of Endpoint Protection

There are five security pillars of endpoint protection to consider. Each pillar may stand alone, but in concert they become a powerful structure to secure any enterprise. While not an exhaustive list of the protections that can be placed on the endpoint, these pillars represent the critical protection points that are used to stop advanced malware and advanced persistent threats (APTs).

1. Safeguarding Corporate Credentials

The first pillar of protection is safeguarding corporate credentials. Corporate credentials are the keys to the kingdom. The Verizon DBIR 2013 cited that 76 percent of the network breaches investigated were a direct result of lost or stolen credentials. Credentials can be stolen by malware, phishing and third-party breaches. It is important to invest in a protection system that prevents keylogging malware. The system should also ensure that users do not submit their credentials to non-approved websites.

2. Exploit Chain Disruption

The second pillar in defending against attacks is exploit chain disruption. Attackers want to take advantage of commonly used applications and their vulnerabilities to gain access to the enterprise. Zero-day attacks occur during the vulnerability window that exists between the time when a vulnerability is first exploited and when software developers write and publish a countermeasure to that threat. Fortunately, there are a limited number of opportunities for exploits to deliver malware. Enterprises should look for systems that understand how exploits work and preempt the processes used by exploits to install malware. To stop zero-day attacks, the system should be able to operate without the prior knowledge of the exploit, malware or vulnerability.

3. Legacy Threat Protection

The third pillar is legacy threat protection. There is no doubt that the evolving threat landscape can be both very dangerous and disruptive. While some legacy viruses may not compromise your organization, they can produce a great deal of noise, causing IT security professionals to scramble to separate true threats from false alarms. A system that investigates suspicious files and compares them against blacklists and several antivirus engines can reduce that noise and keep IT focused on higher-priority challenges.

4. Lockdown for Java

The ubiquitous nature of Java requires a fourth pillar of defense. Java applications that appear legitimate can be written to compromise endpoint systems. These rogue applications take advantage of users' trust and bypass many other security controls. Vulnerable Java applications are widely used in most enterprises, which presents IT security teams with a high-risk business application environment. Find a system that will block risky actions from untrusted applications. The protection system should understand the trust level of the Java code running inside the Java Virtual Machine and what that code is attempting to do on the host system. Risky behaviors such as writing to the file system or editing the registry should be blocked, while more common Java actions such as rendering a display or performing local calculations are allowed. By blocking only risky behavior, users do not suffer lost productivity.

5. Malicious Communications

The fifth pillar of endpoint protection is blocking malicious communications. Many, if not all, advanced threats open communication channels to command-and-control servers and to locations where stolen data is uploaded. This is the most important step for malware to monetize the attack and deliver value to the attacker. Just as there are limited paths for exploits to deliver malware, there are limited ways for software to establish outbound communication channels. Protection systems should understand more than just the destination or the data content; they need to understand how these channels are opened. Malware often hides its activity to bypass traditional security controls. It launches an application process that is allowed to communicate outbound, then suspends that process just long enough to hollow it out and replace its contents with malicious code. Users are not aware of these zombie processes, nor that they may be the source of the endpoint infection. Blocking malicious outbound communication prevents the attack from completing even after an endpoint system has been infected.
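As an added example, not part of the original post, here is a small Python detection rule over a constructed telemetry stream (event names, process IDs and addresses are all assumed) that flags the sequence described above: a process created suspended, written into by its creator, resumed, and then opening an outbound connection.

```python
"""Flag outbound connections from processes that were created suspended,
written into, and resumed by another process (the hollowing sequence
described in the text). The event format below is constructed for this
example and does not correspond to any particular product's telemetry."""
from collections import defaultdict

# Constructed sample telemetry: (seq, event, actor_pid, target_pid, detail)
EVENTS = [
    (1, "proc_create", 400, 500, "svchost.exe flags=CREATE_SUSPENDED"),
    (2, "mem_write", 400, 500, "0x00400000"),
    (3, "thread_resume", 400, 500, ""),
    (4, "net_connect", 500, 500, "203.0.113.5:443"),
    (5, "proc_create", 300, 600, "browser.exe flags=0"),
    (6, "net_connect", 600, 600, "198.51.100.7:443"),
    (7, "proc_create", 300, 700, "updater.exe flags=CREATE_SUSPENDED"),
    (8, "thread_resume", 300, 700, ""),   # suspended start, but no memory write
    (9, "net_connect", 700, 700, "198.51.100.9:443"),
]


def find_hollowed_beacons(events):
    """Return (pid, destination, creator_pid) for every outbound connection
    made by a process that was created suspended, had its memory written by
    its creator, and was then resumed, in that order, before connecting."""
    # Per-pid progress through the sequence:
    # 0 = nothing seen, 1 = created suspended, 2 = memory written, 3 = resumed
    stage = defaultdict(int)
    creator = {}
    hits = []
    for _seq, kind, actor, target, detail in sorted(events):
        if kind == "proc_create" and "CREATE_SUSPENDED" in detail:
            stage[target], creator[target] = 1, actor
        elif kind == "mem_write" and stage[target] == 1 and actor == creator[target]:
            stage[target] = 2
        elif kind == "thread_resume" and stage[target] == 2 and actor == creator[target]:
            stage[target] = 3
        elif kind == "net_connect" and stage[actor] == 3:
            # The connecting process is the hollowed one; report who built it
            hits.append((actor, detail, creator[actor]))
    return hits


if __name__ == "__main__":
    for pid, dest, parent in find_hollowed_beacons(EVENTS):
        print(f"possible hollowed process {pid} (created by {parent}) -> {dest}")
```

Legitimate software such as debuggers and some installers produce the same create-suspended and write sequence, so treat a hit as a lead for comparing the in-memory image with the on-disk file rather than as a verdict.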

All five pillars protect separate vulnerability points along the attack chain that can be used to disrupt and preempt advanced and persistent attacks, providing protection for the endpoint. This defense-in-depth approach provides IT and security administrators with multiple opportunities to prevent and defend against malicious adversaries that only need to be successful once in order to damage the business.
