As employees increasingly work remotely, it is more important than ever to maintain visibility and threat detection in a remote working world. We have seen a significant increase in state-sponsored attacks and malicious phishing campaigns, and this trend is expected to continue. This period of remote work is a good time for enterprises to make sure endpoint security techniques are in place and up to date.

In this environment, endpoint security is critical. Security teams face several challenges:

  • A rapid surge in the size and complexity of the attack surface: With a predominantly remote workforce, organizations now have large numbers of devices outside the corporate network that attackers are targeting to infiltrate the organization, steal data and conduct other nefarious activities.
  • Home networks: The remote workforce is using a larger number of remote endpoints to access sensitive data and systems. Threat actors can take advantage of home networks that lack the defense-in-depth security controls of corporate networks.
  • BYOD risk: Bring-your-own devices typically do not have the same security controls as corporate-owned devices, and security teams must protect these devices from malware and viruses.
  • Remote security teams: Security teams are also remote while still needing 24/7 visibility and monitoring for users and endpoints. This raises new challenges, such as figuring out new ways to collaborate on issues even though they are no longer sitting next to each other in the security operations center (SOC).

The most commonly asked question by security teams is this: How can we monitor and secure endpoint devices? Of course, the security basics must be covered. These include scanning and managing vulnerabilities, applying patches and more.

Endpoint Security Tools

The term endpoint security refers to tools, services or controls that protect endpoints from cyberattacks. These may include antivirus software, firewall services, email and web filtering and more.

Security teams can use existing devices while also arming themselves with additional tools to fortify their endpoint devices with visibility, monitoring, threat detection and remediation. These tools include security information and event management (SIEM), security orchestration, automation, and response (SOAR), endpoint detection and response (EDR), the MITRE adversarial tactics, techniques, and common knowledge (ATT&CK) framework and artificial intelligence (AI).

Security Information and Event Management 

A SIEM platform collects, aggregates and normalizes data from a large number of log sources that include network servers, web servers, endpoints, containers, applications, network devices (routers, firewalls, etc.), security software (authentication servers, intrusion detection and prevention systems and vulnerability management software) and more. A SIEM platform gives security teams visibility and control over their environment by providing actionable insights that allow security analysts to quickly detect, investigate and remediate threats.

Security Orchestration, Automation and Response 

A SOAR system allows endpoint security teams to respond to threats with speed and effectiveness. Usually, a SOAR system integrates with a SIEM platform for end-to-end visibility into threat detection, investigation and response processes during remote working.

Endpoint Detection and Response

An EDR solution is designed to protect endpoints from attack by continually collecting, monitoring and analyzing data from endpoint devices to identify suspicious activities and cyberthreats. An EDR system integrates with SIEM and SOAR platforms for end-to-end visibility, detection and remediation of threats. This should be in place under normal working conditions, but can be especially helpful during remote working.

Artificial Intelligence

Security teams can leverage AI to enrich data within their networks and from endpoint devices to provide more visibility into their organization’s network traffic. With this increased visibility, AI significantly reduces the amount of time it takes analysts to identify, analyze and remediate threat attacks in any given situation. AI solutions help security teams increase productivity, improve efficiency and save time even during remote working by allowing them to detect, investigate and remediate threats more quickly, accurately and consistently.

MITRE ATT&CK

MITRE ATT&CK is a comprehensive, globally accessible knowledge base of attackers’ tactics and techniques based on real-world observations of cyberattacks. Since it is based on adversarial behavior instead of signatures or static indicators of compromise (IoC), this framework enables security teams to better understand what adversaries are likely to do in their environment, including on endpoint devices. It is a living framework that is updated every quarter. The MITRE ATT&CK framework is incorporated into other security tools, including SIEM and SOAR systems. It helps SOC analysts reduce attacker dwell time, which in turn lowers the cost of security breaches if and when they occur. See the MITRE ATT&CK framework for enterprises here.

With the MITRE ATT&CK framework, security teams can see which tactics and techniques have already been used by attackers, whether under remote working conditions or normal operation. This helps them anticipate the next steps that the attackers could take. Security teams can be more proactive by understanding how the attackers operate — what steps they have taken so far and what steps they are likely to take to attain their objectives.

A Real-World Endpoint Security Scenario 

In the following scenario, using a SIEM platform, we identified a source that attempted to attack a larger number of hosts on the network than are known to exist. An authentication failure followed by a successful login was detected, indicating urgency to investigate further. Once the attackers logged in, a command was executed from a compromised host. During this attack, AI flagged it as a high-value attack.

By leveraging the MITRE ATT&CK framework, we correlated the threat actor’s actions to the following MITRE ATT&CK tactics, techniques and descriptions:

| Action Taken By Threat Actor | MITRE Tactic | MITRE Technique | MITRE Description |
|---|---|---|---|
| Compromised Credentials | Initial Access | Valid Accounts | Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. |
| Compromised Account | Credential Access | Credentials from Web Browsers | Adversaries may acquire credentials from web browsers by reading files specific to the target browser. |
| Gain Higher Level Permissions | Privilege Escalation | Valid Accounts | Once attackers gain access to the network, they try to gain access to privileged/administrator accounts to be able to access higher value systems and databases. |
| Malicious Malware | Execution | User Execution | An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. |

This tells us that the attackers have already used four tactics. Based on their attack behavior, we can expect them to move on to Lateral Movement, Collection, Command and Control, Exfiltration and Impact. After investigating this incident, a SOC analyst can block the workstation to stop data exfiltration. These incidents are remediated using a SOAR platform.
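As an added illustration of the correlation the scenario describes (example code written for this page, not the article's own or any vendor's product), the script below runs three SIEM-style rules over constructed log lines: one source contacting more distinct hosts than the asset inventory knows, an authentication failure followed by a success for the same source and account, and a command executed on the host that was just logged into. Each correlated finding is tagged with the ATT&CK tactic and technique names from the table above, and the remaining tactics in matrix order are listed as the steps an analyst should expect next. The key=value log format, the sample events, the host inventory and the rule thresholds are all assumptions made for the example.

```python
"""Toy SIEM-style correlation for the remote-endpoint scenario.

Added example, not code from the original article. The key=value log
format, the asset inventory and the sample events are constructed; the
three rules follow the scenario in the text. T-numbers in parentheses are
the public ATT&CK ids for the techniques named in the article's table.
"""
from collections import defaultdict

# Constructed sample events: one event per line, space-separated key=value pairs.
SAMPLE_LOGS = """\
ts=1 type=conn src=10.0.8.23 dst=10.0.1.1
ts=2 type=conn src=10.0.8.23 dst=10.0.1.2
ts=3 type=conn src=10.0.8.23 dst=10.0.1.3
ts=4 type=conn src=10.0.8.23 dst=10.0.1.4
ts=5 type=auth src=10.0.8.23 dst=10.0.1.2 user=jdoe result=failure
ts=6 type=auth src=10.0.8.23 dst=10.0.1.2 user=jdoe result=success
ts=7 type=exec host=10.0.1.2 user=jdoe cmd=powershell
ts=8 type=auth src=10.0.9.5 dst=10.0.1.1 user=asmith result=success
"""

# Constructed asset inventory: the SIEM only knows three hosts on this subnet.
KNOWN_HOSTS = {"10.0.1.1", "10.0.1.2", "10.0.1.3"}

# Enterprise ATT&CK tactics in matrix order, used to project the attacker's next steps.
TACTIC_ORDER = [
    "Reconnaissance", "Resource Development", "Initial Access", "Execution",
    "Persistence", "Privilege Escalation", "Defense Evasion", "Credential Access",
    "Discovery", "Lateral Movement", "Collection", "Command and Control",
    "Exfiltration", "Impact",
]


def parse_line(line):
    """Normalize one key=value log line into a dict (the SIEM 'normalize' step)."""
    fields = {}
    for token in line.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def correlate(log_text, known_hosts):
    """Run the three correlation rules over time-ordered events; return findings."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: int(e["ts"]))
    findings = []

    # Rule 1: a single source contacting more distinct hosts than the inventory holds.
    targets = defaultdict(set)
    for e in events:
        if e.get("type") == "conn":
            targets[e["src"]].add(e["dst"])
    for src, dsts in targets.items():
        if len(dsts) > len(known_hosts):
            findings.append({"rule": "host_sweep", "src": src,
                             "targets": len(dsts), "known": len(known_hosts)})

    # Rules 2 and 3 share one pass so an exec is only flagged *after* the success.
    failed = set()        # (src, user) pairs with a prior authentication failure
    compromised = set()   # (host, user) pairs to watch for follow-on activity
    for e in events:
        kind = e.get("type")
        if kind == "auth":
            key = (e["src"], e["user"])
            if e["result"] == "failure":
                failed.add(key)
            elif e["result"] == "success" and key in failed:
                # Rule 2: failure then success for the same source and account.
                compromised.add((e["dst"], e["user"]))
                findings.append({"rule": "fail_then_success", "src": e["src"],
                                 "host": e["dst"], "user": e["user"],
                                 "tactic": "Initial Access",
                                 "technique": "Valid Accounts (T1078)"})
        elif kind == "exec" and (e["host"], e["user"]) in compromised:
            # Rule 3: a command run on the host by the account that just tripped rule 2.
            findings.append({"rule": "post_login_exec", "host": e["host"],
                             "user": e["user"], "cmd": e["cmd"],
                             "tactic": "Execution",
                             "technique": "User Execution (T1204)"})
    return findings


def expected_next_tactics(findings):
    """Tactics that follow the furthest one observed, in ATT&CK matrix order."""
    seen = [TACTIC_ORDER.index(f["tactic"]) for f in findings if "tactic" in f]
    if not seen:
        return []
    return TACTIC_ORDER[max(seen) + 1:]


if __name__ == "__main__":
    results = correlate(SAMPLE_LOGS, KNOWN_HOSTS)
    for finding in results:
        print(finding)
    print("expect next:", expected_next_tactics(results))
```

The single successful login by `asmith` without a preceding failure produces no finding, which is the point of correlating events rather than alerting on each one: the sweep, the failure-then-success and the follow-on command from the same source and account are what make the sequence worth an analyst's time.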

Going Into Detail on Remote Working

As we adapt to remote working, security tools such as SIEM, SOAR, AI and MITRE ATT&CK complement any security strategy. By providing enterprises with threat intelligence and insight into attack behavior, these tools enable security teams to detect, investigate and respond to intrusions more effectively and efficiently.

Interested in learning more? Register for the webinar Endpoint Security for Your Remote Workforce Using AI & MITRE, at 12 pm (EST), Thursday, August 13, 2020, to learn more about protecting endpoints for a geographically dispersed workforce.
