When it comes to endpoint security, it’s been said that the best way to keep an infected device from causing damage to the broader network is to keep it turned off once it’s compromised. While this method of quarantining an endpoint may be a quick fix, for obvious reasons it’s not very practical in the long run.
A better approach would be to keep endpoints from being infected in the first place. But in today’s world of sophisticated malware attacks, a prevention strategy isn’t enough on its own. You also need the ability to detect attacks as they happen and take remediation actions on noncompliant endpoints.
To keep your endpoints safe and your data secure, you need a robust endpoint security platform — one that allows you to monitor and secure endpoints before, during and after an attack.
Solid, holistic endpoint security strategies address the prevention, detection and remediation phases. And, once in place, these solutions should enable you to answer four critical questions about your endpoints.
The Four Questions of Security
1. Are my endpoints vulnerable?
An endpoint with one or more vulnerabilities, such as a missing security patch or a misconfiguration, can be exploited by a threat agent. Building a new endpoint securely from the ground up ensures it is not vulnerable by design, but that resilience has to be carefully maintained as patches and configuration changes accumulate over time.
2. Are my endpoints compliant?
Endpoints on which all configuration settings and software levels follow your corporate standards — and which are in a state of continuous compliance — are much less likely to be attacked.
3. Are my endpoints protected?
When an endpoint becomes infected, it’s important that you’re able to discover the problem quickly and immediately respond to attacks. That way you ensure your data stays protected, and you’ll be in a much better position to survive a cyberattack. Appropriate measures like disk encryption or data loss protection (DLP) software can further protect an endpoint.
4. Are my endpoints compromised?
Any endpoint that has been compromised requires sophisticated techniques to understand what is wrong with the device, how it was infected and what can be done to remediate any damage that may have occurred.
In order to fully answer these four critical questions, it’s essential that your organization bridge the traditional gap between IT operations and security. That means both teams need to have real-time situational awareness of every endpoint on the network — regardless of device type or location — and the ability to quickly detect and respond to threats.
Managing Your Endpoint Security
A strong solution delivers a unified endpoint security and management platform that significantly improves security posture while reducing operational costs. It provides:
- Real-time endpoint status, including operating system or application exposures that can be addressed by patches;
- Discovery of all licensed and unlicensed software with in-depth granularity to mitigate the risk of malicious software;
- Continuous configuration compliance with security and regulatory policies (e.g., DISA, CIS and PCI DSS) on every endpoint to eliminate configuration drift;
- Near real-time protection from malware and other malicious threats through file and Web reputation, personal firewalls, antivirus tools, behavior monitoring and more.
Platforms such as IBM BigFix also give you visibility into endpoints that are already compromised and those that are at risk. Relevance language, native to the platform, exposes a large set of endpoint data, such as files, services, processes, device drivers, operating system configuration and network configuration. This data can then be fed into out-of-the-box automation known as fixlets to remediate vulnerabilities.
CTO for Endpoint Security, IBM