
Top Tactics For Endpoint Security

Date posted: 02-Nov-2014
Webinar - Rothke - Top Tactics for Endpoint Security.
1. Top Tactics for Endpoint Security

  • Ben Rothke, CISSP, CISM
  • Identity and Access Management Security School
  • searchsecurity.com/iamschool

2. Times have changed

  • Just 15 years ago, when you called and spoke to someone in area code 212, you could reasonably assume that the person was indeed in New York City.
  • Today, when you call area code 212, the person might be in Manhattan; but can also be in Los Angeles, Moscow, Rio or anyplace in the world.
  • Endpoints are clearly changing, both in the physical world -- and as we will see -- in the digital world.

3. Digital endpoint security

  • Within information security, the perimeter of old was simply a router or firewall
  • Today, the endpoint is the perimeter
    • In most organizations, with a laptop and DHCP, everyone gets in. At this point, there is no validation.
  • The old perimeter is dead
  • Network perimeter weakness
    • Remote access with 80% of enterprises using VPNs
    • Web-based extranet and partner connectivity
  • Your perimeter firewall simply is not enough
  • Some firewalls are so open that all they do is simply slow down traffic.
  • In fact, in some organizations, it's hard to tell the difference between a firewall and a router.

4. Glass houses had no rogues

  • In the mainframe era of glass houses and dumb terminals, there were simply no rogue devices
  • Networks were private, leased and closed
    • Everything around the IBM mainframes was proprietary and closed.
  • Today, networks are made to be open
  • Today, rogue devices are a bane
  • And endpoint security is becoming a crucial aspect of an information security endeavor

5. Security risks of rogue devices

  • The inability to control network admission exposes significant risk to an organization
    • Can be accidental or malicious in nature
    • Often leads to network downtime or exposure of sensitive information
  • Therefore, only allow authorized devices onto the network
  • With endpoint security, non-compliant endpoints attempt connection, but are first quarantined
  • After inspection and remediation, only then are they admitted
  • Your endpoints are now secure

6. Definition

  • While there is no single universal definition for endpoint security, the general definition of endpoint security is:
    • the use of a network access control system used to restrict network access only to systems that demonstrate adherence to a pre-defined corporate security policy

7. Why do we need endpoint security?

  • Viruses and worms continue to disrupt business
  • Zero-day attacks make reactive solutions less effective
  • Point technologies preserve host rather than network availability and enterprise resiliency
  • Non-compliant servers and desktops are difficult to detect and contain
  • Locating and isolating infected systems takes significant time and is extremely resource intensive
  • Users are often authenticated, but devices are not
  • Non-compliant/unmanaged devices pose an unacceptable risk
    • Often source of infection
    • Rogue assets untracked, invisible
  • Device compliance as important as user authentication

8. Where are the endpoint threats? (15 of innumerable threats)

  • Remote users
  • Mobile users
  • Regional, remote and branch offices
  • Non-compliant laptops
  • Wireless
  • Guests
  • Contractors
  • Interconnected networks
  • Distributed data
  • Business extranets
  • Remote access
  • Web services
  • Wireless
  • Mobile smart devices
  • VoIP phones
  • and many more

9. What are the endpoint threats?

  • Rogue wireless access
  • Keystroke loggers
  • Contractor with latest worm or virus on their laptop
  • Kiosks
  • Backdoor listening for inbound connections
  • Spyware download via P2P
  • IM
  • and more

10. Origination points

  • Accessed by employees, consultants, customers, trading partners
  • From home office, hotel, branch office, client site, airport, conference, restaurant, home, trains, planes, automobiles
  • Using laptops running Windows, Linux, Mac OS/X; PDA running PocketPC, Symbian or PalmOS; mobile phone, public kiosk
  • By dial-up modem, hotel Ethernet, Wi-Fi, mobile carrier, cable modem, DSL
  • To connect with email, Web-based intranet, terminal services, CRM, ERP, partner data
  • Contrast this with the old dumb terminals. One location, one hard connection.

11. Endpoint security benefits

  • Manage zero-day threats
  • Reduce incident response cost
  • Eliminate system downtime
  • Reduce hot fixes and patching
  • Lower recovery cost
  • Comply with regulatory requirements
  • Single solution, multiple security functions, low performance impact
  • Increased security of corporate resources
  • Ensures endpoints (laptops, PC, PDA, servers, etc.) conform to security policy
  • Proactively protects against worms, viruses, spyware and malware
  • Reduced risk of outbreak due to infected endpoints
  • Safe access to networks through VPN access
  • Controlled remediation and patching of unhealthy endpoints

12. Evolution of endpoint security

  • Today
    • Static network access
    • Every device is permitted
    • Infected or unhealthy devices are frequently the root of an outbreak
  • Tomorrow
    • Dynamic network access based on policies
    • Screen devices before granting access
    • Infected or unhealthy devices treated separately

13. How do you start thinking about endpoint security?

  • Know what you want to inspect
  • Ensure you have policies in place
  • Risk assessment
    • Define in detail what are your risks
    • Not all risks are created equal
    • Not all endpoints are created equal

14. Questions you need to ask

  • How do we enforce compliance with our security policies in order to provide a safe and secure network environment for everyone?
  • How do we identify unmanaged desktops to deliver our security message?
  • How do we ensure all types of users have adequate awareness and training of security issues?

15. Next steps

  • Assessment of endpoint security requirements and needs
  • Decision making based on policy compliance
  • Admission enforcement at the network infrastructure level
  • Quarantining/remediation of unhealthy devices

16. Determine the context of the endpoint device

  • Function
  • Location
  • Criticality
  • Compliance state

17. What are your minimums?

  • Define and evaluate what is necessary
  • What is to be allowed?
  • Obligatory compliance of all desktops to minimum corporate security policy
    • Define minimum desktop requirements
    • Current OS patches
    • Latest Web browser
    • Latest AV signatures and definitions
    • Up-to-date personal firewall
    • Latest spyware signatures and definitions
    • Other security configurations

18. Strategic endpoint security

  • Effective endpoint security requires a strategic approach that understands the need to optimize connectivity while also ensuring protection for all critical resources
  • This is not a trivial task
  • Endpoint security is not plug and play

19. Converged devices

  • Devices such as notebooks, tablet PCs, PDAs, smartphones and other types of mobile devices also need to be secured
  • They have increasing storage and performance capabilities
  • They travel outside the bounds of physical and logical perimeters and they aren't connected to the network at all times
  • These devices enter and leave your network many times over the course of the year
    • That leaves myriad opportunities to return with malware

20. Converged devices

  • The Bad
    • These devices present a significant potential for financial loss, legal liability and brand damage since they are unprotected
  • The Ugly
    • Many organizations have no idea if these devices are connected to their network or how many are connected
  • The Good
    • Endpoint security can offer protection against the threats that converged devices bring

21. Non-corporate owned devices

  • Consultants, contractors, hackers, employees and more will attempt to connect their own devices to the corporate network
  • Be it a corporate-owned device or privately-owned endpoint, they all must be controlled before being given access to the network

22. Legal issues

  • There may be regulatory and legal issues that have a local impact
  • Your organization must be aware of them and fully comply with them
  • If the logs are going to be used as evidence, they must be appropriately secured
  • Get legal counsel involved

23. Basic endpoint security recommendations

  • An unsecured endpoint must not be allowed to connect to the network if doing so inappropriately increases the risk to the organization
  • Management must identify the state of the endpoints before they are allowed access to internal networks
  • CISO must be able to provide a level of assurance to management that information will be protected when it reaches the endpoint
  • Remediation plans must be created for remote endpoints

24. Endpoint security is not a silver bullet

  • While endpoint security is a hot topic with myriad hardware and software solutions, the reality is that:
  • There are no standards
  • Many current solutions are proprietary
  • It is still somewhat of an immature solution
  • There are not a lot of experts in the field
  • Solutions are costly and complex to implement

25. The Big 3 Endpoint Security Solutions

  • Cisco Network Admission Control (NAC)
  • Microsoft Network Access Protection (NAP)
  • TCG Trusted Network Connect (TNC)

26. Other vendors in the space

  • Check Point
  • Endforce
  • StillSecure
  • Symantec
  • Juniper
  • Configuresoft
  • Lockdown Networks
  • eEye
  • Qualys
  • Funk
  • 3Com
  • Altiris
  • ISS
  • Citrix
  • ConSentry
  • Vernier
  • Senforce
  • McAfee
  • Forescout
  • InfoExpress
  • Intel
  • and many more.

27. Commonalities

  • All of the solutions are basically attempting to perform the same task
  • They all use routers, switches, wireless access points, software and security appliances to enforce endpoint security
  • Requires security credentials from endpoint devices
  • Relays them to a policy server
  • Policy servers evaluate credentials and make admission control policy decision (permit, deny, quarantine or restrict)
  • Network access device enforces admission control policy decision

28. Commonality Policy Server

  • The policy server is generally a RADIUS, Kerberos or 802.1x system and is the central point for establishing network access policies and is the primary mechanism for the endpoint security workflow
  • The policy server decides whether to allow an endpoint onto the network based on input from the baseline of the device
  • The server interfaces with other security configuration management functions that hold information such as OS updates, AV, patches, etc.

29. Cisco NAC

  • API-level enforcement & quarantine technology being built into Cisco network infrastructure
  • Viable product in production
  • Multiple vendors in program
  • NAC focuses on network infrastructure, policy definition and management
  • Built on a foundation of installed Cisco devices

30. Cisco NAC

  • NAC works via trusted modules that are installed on Windows and Linux desktops (Cisco Trusted Agent - CTA) and implemented in Cisco routers and switches
  • The CTA gathers device information and passes it via 802.1x to the Cisco Secure Access Control Server (ACS)
  • The ACS communicates with the policy server to determine compliance and enforce network access via the Cisco switching infrastructure

31. Cisco NAC

  • NAC requires a Cisco infrastructure running a current version of IOS
    • 12.3(8)T or later
  • For enterprises running legacy Cisco devices, this will require an expensive hardware upgrade
  • For enterprises running older versions of IOS, this will require plans to upgrade

32. Cisco NAC

  • Benefits
    • Shipping now
    • Somewhat mature
    • Many deployments
    • Supports Linux clients
  • Disadvantages
    • Proprietary solution
      • Full solution works only with Cisco 802.1x equipment and authentication server
    • Cisco switch-based
    • Significant IOS upgrade may be required
    • Requires software agent

33. Microsoft NAP

  • Health assessment of host device
  • API-level enforcement & quarantine technology via the Windows OS
  • Available in Vista
  • Multiple vendors in program and announcing support
  • Built on a Windows foundation and uses the Windows Quarantine Agent (QA)

34. Microsoft NAP

  • QA gathers device information and passes it to the Microsoft Network Policy Server (NPS)
  • The NPS works with other devices (DHCP, IPsec, VPN, 802.1x and more) for policy compliance
  • Only supported in Vista and Windows XP SP2

35. Microsoft NAP

  • Benefits
    • Single policy solution for Windows devices
    • Supported by many vendors
  • Disadvantages
    • Still in beta development
    • Only Vista and XP support
    • No Linux support
    • No large scale deployments to date

36. Trusted Computing Group

  • Creating TNC (Trusted Network Connect) Standard
  • Multiple API-level interfaces
  • Broad approach to endpoint security
  • Still in early stage of development
  • Built on the assumption that every device has a specialized piece of hardware to verify that the endpoint has not been compromised
  • Uses that hardware to monitor and enforce endpoint policies

37. Trusted Network Connect

  • Trusted Network Connect is a set of open standards
    • Mission is to develop and promote an open, vendor-neutral, industry standard specification for trusted computing building blocks and software interfaces across multiple platforms
  • Not all of the standards have been fully defined
  • Little product support to date
  • Key components of TNC are a RADIUS server and 802.1x authentication servers, in addition to a trusted hardware chip (TPM) and software on the endpoint device

38. Trusted Network Connect

  • The TPM (Trusted Platform Module) is used to authenticate the endpoint device
  • Once authenticated, the TPM passes control to a software agent, which checks the device for compliance

39. Trusted Network Connect

  • Benefits
    • Provides security at the hardware level
    • Broad architecture
    • Wide support from laptop and other hardware vendors
  • Disadvantages
    • Requires specialized TPM hardware
    • Standards are incomplete
    • Few major rollouts

40. Client-based solutions

  • Advantages
    • Local access to suspect resources
    • Can perform a much deeper scan of the device
    • Piggyback on local processing power
    • Generally the best solution for managed PCs on a LAN or wireless LAN, or an IPsec VPN or dial-in remote access server
  • Disadvantages
    • Another piece of software to install and manage
    • Inherent trust problem with the suspect device validating itself
    • Can possibly be deleted or disabled by an end user or administrator

41. Client-free solutions

  • Advantages
    • Policy and trust mechanisms in the network vs on the client
    • Piggybacks on Windows management mechanisms for remote access to local resource information
    • Doesn't require more client software to install and manage
  • Disadvantages
    • Requires some form of managed desktops
    • Assumes new networking intelligence installed in the infrastructure

42. Universal product requirements

  • Ability to define a granular set of security policies
    • Your organization may have many different policy requirements. The product must support any number and variety of policies.
  • Ability to detect every device connecting to the network
    • Ensure that it can detect any device, irrelevant of its hardware manufacturer or software creator.

43. Universal product requirements

  • Assess the device's level of compliance
    • Scan must take place before network access
    • Must support post admission checks (Web browser, client software, etc.)
  • Enforce policy
    • Complete quarantining of device
  • Remediate non-compliant devices
    • Ability to push signatures, patches, etc., so system can be brought up to date
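The admission workflow of slides 17, 27 and 43 (endpoint reports its health, a policy server compares it with the minimum requirements, and returns permit, restrict, quarantine or deny plus a remediation list), written out as an added example that is not from the webinar or any of the products it names. The `Posture` and `Policy` classes, the thresholds and the sample endpoints are all assumptions constructed for this illustration.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Posture:
    device_id: str
    os_patch_date: date        # date of the last installed OS patch set
    av_sig_date: date          # AV/spyware signature date
    firewall_enabled: bool     # personal firewall state
    browser_version: tuple     # (major, minor)

@dataclass
class Policy:
    """Assumed thresholds for the minimums in slide 17; not values from the deck."""
    max_patch_age_days: int = 30
    max_sig_age_days: int = 7
    min_browser: tuple = (7, 0)

def decide(report, policy: Policy, today: date):
    """Policy-server step of slide 27: returns (decision, remediation items),
    decision being permit, restrict, quarantine or deny.
    Caveat (slide 40): an agent-reported Posture is self-asserted, so a
    'permit' is a policy decision, not proof the host is clean."""
    if report is None:
        # No posture data: an unmanaged/rogue device is not admitted (slide 5).
        return "deny", ["install the endpoint agent or run a client-free scan"]
    remediation = []
    if (today - report.os_patch_date).days > policy.max_patch_age_days:
        remediation.append("apply current OS patches")
    if (today - report.av_sig_date).days > policy.max_sig_age_days:
        remediation.append("update AV and spyware signatures")
    if not report.firewall_enabled:
        remediation.append("enable personal firewall")
    browser_old = report.browser_version < policy.min_browser
    if not remediation and not browser_old:
        return "permit", []
    if not remediation:
        # Browser version is a post-admission check (slide 43): grant
        # limited access while the upgrade is pushed.
        return "restrict", ["upgrade web browser"]
    # Pre-admission checks failed: quarantine, remediate, then re-check.
    if browser_old:
        remediation.append("upgrade web browser")
    return "quarantine", remediation

TODAY = date(2014, 11, 2)   # constructed sample data for a quick run
POLICY = Policy()
HEALTHY = Posture("lap-01", date(2014, 10, 20), date(2014, 11, 1), True, (8, 0))
OLD_BROWSER = Posture("lap-02", date(2014, 10, 20), date(2014, 11, 1), True, (6, 5))
UNHEALTHY = Posture("lap-03", date(2014, 6, 1), date(2014, 10, 1), False, (6, 0))
```

In a real deployment the enforcement point (switch, VPN concentrator, DHCP server) acts on the returned decision, and a quarantined device is re-evaluated after the remediation items have been pushed.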

44. Conclusions

  • Endpoint security is a powerful technology whose time has come
  • Don't underestimate the time and complexity it will take to deploy
  • Make sure you define your specific needs and requirements and map those to your environment
  • You will have to live with and support your decision, so make sure you make the right choice


  • Also in this lesson
  • Podcast: Endpoint enforcement: Smart policies to control the endpoint explosion
  • Article: Keeping pace with emerging endpoint security technologies
  • searchsecurity.com/iamschool

Identity and Access Management Security School
