Written by Ziften CEO Chuck Leaver
The Christmas season is a time of opportunity for cyber criminals, crime syndicates and state-sponsored cyber teams to attack your company. Reduced IT staffing over the holidays improves the odds of an endpoint compromise going undiscovered, of quiet lateral movement, and of undetected data exfiltration. Experienced attack teams are more than likely assigning their best people to a well-coordinated holiday operation. Penetration of your business would likely start with an endpoint compromise through the usual targeted methods: spear phishing, social engineering, watering hole attacks, and so on.
With countless enterprise client endpoints to choose from, initial infiltration is hardly a challenge for seasoned adversaries. Standard endpoint security suites exist to protect against previously seen, known malware and are largely ineffective against the one-off, custom-crafted exploits used in targeted attacks. The attack group will have studied your business and assembled your standard cyber defense products in its lab to screen planned exploits for evasion before deployment. This pre-testing may include sandbox evasion techniques if your defenses include sandbox detonation at the enterprise perimeter, although that is not always necessary, for instance against off-VPN laptops visiting compromised industry watering holes.
The ways in which enterprise endpoints can be compromised are too many to list. In many cases the compromise involves only stolen credentials, with no malware required or present, as confirmed by industry studies of malicious command and control traffic observed from otherwise clean endpoints. Or the user, and it only takes one among thousands, may be a malicious insider or a disgruntled employee. In any large enterprise, some incidence of compromise is inevitable and ongoing, and the holiday period is ripe for it.
Given relentless attack activity and unavoidable endpoint compromise, how can enterprises best respond? Endpoint detection and response (EDR) with continuous monitoring and security analytics is a powerful strategy for identifying and responding to anomalous endpoint activity, and for doing so at scale across many enterprise endpoints. It also augments and complements enterprise network security by supplying endpoint context around suspicious network activity. EDR offers visibility at the endpoint level, much as network security provides visibility at the network level. Together they give the complete picture needed to recognize and react to unusual and potentially significant security incidents across the business.
Some examples of endpoint visibility with potential forensic value are:
- Tracking of user login activity, especially remote logins that may be attacker-directed
- Tracking of user presence and foreground activity, including typical work patterns, active periods, etc.
- Monitoring of running processes, their resource usage patterns, network connections, process hierarchy, and so on
- Collection of executable image metadata, including cryptographic hashes, version information, file paths, date/times of first appearance, etc.
- Collection of endpoint log/audit events, preferably with logging and auditing configured to maximize forensic value while minimizing noise and overhead.
- Security analytics to score and rank endpoint activity and surface significant deviations from normal operating patterns to the enterprise SIEM for SOC attention.
- Support for agile traversal and drilldown of endpoint forensic data for rapid analyst vetting of endpoint security anomalies.
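As an added illustration (not Ziften's code or any product's analytics), the following Python sketch combines the login-tracking and anomaly-scoring items above: it builds a per-user baseline of logon hours and source hosts from constructed sample records, then scores later logons so that outliers such as a first-ever remote logon at 3 a.m. from an unseen address can be forwarded to the SIEM. The record format, weights, cutoff and threshold are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample logon records (not real telemetry): timestamp, user, local/remote, source.
SAMPLE_LOGONS = """\
2023-12-11T09:02:10 alice local WS-ALICE
2023-12-12T08:55:43 alice local WS-ALICE
2023-12-13T09:10:01 alice local WS-ALICE
2023-12-22T09:05:00 alice local WS-ALICE
2023-12-24T03:17:45 alice remote 10.9.8.7
"""

def parse_logons(text):
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[2] in ("local", "remote"):  # skip malformed lines
            ts, user, kind, src = parts
            events.append({"ts": datetime.fromisoformat(ts), "user": user, "kind": kind, "src": src})
    return events

def build_baseline(events):
    """Per-user work pattern: hours of day seen, sources seen, count of remote logons."""
    base = defaultdict(lambda: {"hours": set(), "sources": set(), "remote": 0})
    for e in events:
        b = base[e["user"]]
        b["hours"].add(e["ts"].hour)
        b["sources"].add(e["src"])
        b["remote"] += 1 if e["kind"] == "remote" else 0
    return base

def score_event(e, base):
    """Additive anomaly score: each attribute outside the user's baseline adds weight (assumed weights)."""
    b = base.get(e["user"])
    if b is None:
        return 3  # user never seen on this endpoint during the baseline period
    score = 0
    if e["kind"] == "remote":
        score += 2 if b["remote"] == 0 else 1  # a first-ever remote logon weighs more
    if e["src"] not in b["sources"]:
        score += 2
    if e["ts"].hour not in b["hours"]:
        score += 1
    return score

def flag_anomalies(text, cutoff_iso, threshold=3):
    """Baseline from events before the cutoff; return (ts, user, score) for later events at/above threshold."""
    events, cutoff = parse_logons(text), datetime.fromisoformat(cutoff_iso)
    base = build_baseline([e for e in events if e["ts"] < cutoff])
    scored = [(e["ts"].isoformat(), e["user"], score_event(e, base)) for e in events if e["ts"] >= cutoff]
    return [row for row in scored if row[2] >= threshold]  # rows to forward to the SIEM for SOC review
```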
Do not get a lump of coal in your stocking by being caught unawares this Christmas. Arm your enterprise to contend with the threats arrayed against you.