Threats to man-made systems have been around almost as long as technology itself. In the late 1950s, for example, malicious actors compromised telephone networks to make free long-distance calls in a process called phone phreaking. The breaches were so easy that they could be done with an electronic blue box and a plastic toy whistle. It took almost 20 years for telecom vendors to build a robust monitoring and interrogation system to track these actors.
Today, system threats come in the form of network and computer security risks. These threats are significantly more sophisticated and harder to track: they are often entirely faceless, and they can even shape-shift as they penetrate deeper into an organization’s network, costing organizations billions of dollars per year.
Addressing Issues With Real-Time Endpoint Inspection
To address these breaches, security vendors have developed various tools that specialize in certain domains. Sometimes these tools are too narrowly focused, which makes it harder to identify security threats. The problem of increasingly sophisticated attacks, combined with overly narrow tools, is compounded by a third: the lack of qualified security analysts on the market. In fact, security positions are expected to grow to 1.5 million by 2020, and many of these openings will remain unfilled.
Real-time endpoint inspection can be used to identify these threats before they become full-blown security issues, but this requires the proper tools and technologies.
There are four key features that security tools need to successfully hunt security breaches, tear down the fences created by narrowly scoped tools and look for anomalies and patterns without requiring specialized skills. These characteristics include asking intuitive questions, collecting quality data, sharing interrogation results and fixing the basic issues.
Ask Intuitive Questions
Security tools should provide the ability to ask intuitive questions about endpoints. They must support basic actions that retrieve information which is otherwise hidden or out of reach. Security analysts need an easier way to find endpoints satisfying specific conditions, locate an application and its details, or even seek out active connections to endpoint IP addresses.
System administrators would benefit from the capability to perform policy and system checks and view system configurations. Additionally, operators who are trying to close down their help desk tickets would like easier access to basic information such as disk size, application version and endpoint names.
Security tools should provide an interface that makes it easier to create these questions, share them with the community or have the option to keep them private to declutter the workspace. They should also provide a library of intuitive questions that can speed up endpoint interrogation.
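As an added illustration (example code, not BigFix's own query language or any product's API) of what a library of reusable, shareable endpoint questions looks like, the snippet below defines questions over a constructed inventory: endpoints below a free-disk threshold, endpoints running an outdated application version, and endpoints with an active connection to a given IP address. The inventory, host names, versions and addresses are all constructed sample data.

```python
from typing import Callable, Dict, List

# Constructed sample inventory (hypothetical endpoints, not real hosts) with the
# fields the questions above mention: name, disk size, app versions, connections.
INVENTORY: List[Dict] = [
    {"name": "ws-finance-01", "disk_free_gb": 4.2,
     "apps": {"Acrobat Reader": "21.001.20135", "Chrome": "120.0.6099"},
     "connections": ["10.0.5.12:445", "203.0.113.7:443"]},
    {"name": "ws-hr-07", "disk_free_gb": 120.0,
     "apps": {"Chrome": "118.0.5993"},
     "connections": ["10.0.5.12:445"]},
    {"name": "srv-build-02", "disk_free_gb": 35.5,
     "apps": {"OpenSSL": "3.0.2"},
     "connections": ["203.0.113.7:443", "198.51.100.4:22"]},
]
Question = Callable[[Dict], bool]  # a reusable, nameable question about one endpoint

def version_tuple(v: str) -> tuple:
    """Turn '120.0.6099' into (120, 0, 6099) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))

def low_disk(threshold_gb: float) -> Question:
    """Endpoints with less free disk than the threshold (a help-desk style check)."""
    return lambda e: e["disk_free_gb"] < threshold_gb

def app_older_than(app: str, minimum: str) -> Question:
    """Endpoints where `app` is installed but below the required version."""
    def q(e: Dict) -> bool:
        v = e["apps"].get(app)
        return v is not None and version_tuple(v) < version_tuple(minimum)
    return q

def connected_to(ip: str) -> Question:
    """Endpoints holding an active connection to the given IP, on any port."""
    return lambda e: any(c.rsplit(":", 1)[0] == ip for c in e["connections"])

def all_of(*qs: Question) -> Question:
    """Combine saved questions into a compound condition."""
    return lambda e: all(q(e) for q in qs)

# A small shared library of saved questions, as the text suggests.
QUESTION_LIBRARY: Dict[str, Question] = {
    "low-disk": low_disk(10.0),
    "outdated-chrome": app_older_than("Chrome", "119.0.0"),
    "talking-to-203.0.113.7": connected_to("203.0.113.7"),
}

def ask(question: Question, inventory: List[Dict] = INVENTORY) -> List[str]:
    """Return the sorted names of endpoints for which the question is true."""
    return sorted(e["name"] for e in inventory if question(e))
```

Each library entry is a plain function, so questions can be versioned, shared or kept private exactly like any other code artifact, and compound checks are built from existing ones rather than rewritten.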
Get Quality Data
Recently, there has been a lot of buzz around natural language-based search and interrogation techniques. While that makes for a nice headline and a good marketing campaign, a prospective client should pause to understand the purpose behind endpoint interrogation before taking that kind of claim at face value.
The fundamental goal behind real-time endpoint inspection is to get access to accurate information as quickly as possible. Organizations are looking for a trawl that can catch high-quality data so that they can fix the issue quickly and secure the premises. Security tools should have built-in expertise so they can look beyond the fences of the surrounding tools — reducing the need for specialized skills to access relevant endpoint data.
To get this kind of high-quality, real-time data, security tools should interrogate directly against the data definitions of the surrounding tools. A catchy marketing headline touting natural language capabilities cannot mask the need for genuinely high-quality data. When it comes to endpoint security, every moment spent refining the interrogation and poring through layers of results leaves systems vulnerable and exposed. The ability to respond quickly and accurately is critical.
Share Interrogation Results
Traditionally, the focus of security tools has been improving access to endpoint data at the expense of readability or the ability to share within the community. Cutting, copying and pasting endpoint data into an email or spreadsheet was the de facto management process for years. Meanwhile, productivity and presentation tools advanced so far that it became too expensive for many security solutions to match them with better built-in reporting and sharing capabilities.
The endpoint interrogation capability of security tools should return results that can be easily shared with the community via email or other collaboration methods. These results should be usable both as an action document for operations teams and as a finished report that presents the current security posture to stakeholders.
Fix the Basic Symptoms and Advanced Issues
Some security tools do a decent job of providing interrogation results but require users to do a tremendous amount of manual work to fix both basic symptoms and advanced issues. Seamless integration with the remediation capability of incident response tools is an expectation that should be fulfilled. Systems should provide the ability to view endpoint details and deploy custom, targeted actions to fix the issue in question or even add the result set in a to-do list for future actions.
IBM BigFix has been providing vast amounts of endpoint intelligence data over the past two decades. BigFix finds, fixes and secures endpoints — fast. To learn more about endpoint interrogation from BigFix, watch our on-demand webinar “Interrogate Endpoints With Intuitive Questions. Get Intelligent Answers.”
Senior Product Manager, IBM