Endpoint Protection Field Notes
October 6, 2023The primary focus at this level should be on beginning to invest in people and process. Begin a conversation with the business about the type of threats that are reasonable to expect and the corporate resources that are most critical to business goals. Establish an end goal and a timetable, and budget to get to the desired level. Initial focus should be on getting an inventory of assets and resources.
Typical projects include:
- Inventory endpoints – Ensure that there is an accurate inventory of all devices that connect to the network; this includes security controls in place, and patch and configuration levels.
- Inventory, upgrade and audit existing EPP (End-Point Protection Policy) SEG (Secure Email Gateway) and SWG (Secure Web Gateway) tools – Many organizations at this maturity level have outdated versions of security products. Begin the process of bringing these tools up to the latest version level that is more than six months old and ask the vendor for assistance in auditing the configuration.
- Establish a common gold image for endpoints and begin to reduce configuration drift – Use the Windows Microsoft Security Compliance on gold images to assess the configuration level.
- Complementary EPP (End-Point Protection Policy) – Considering that the state of patch configuration and vulnerability management is likely low at this maturity level, it may be prudent to invest in complementary EPP (End-Point Protection Policy) solutions to ensure better protection despite poor process. Most new EPP (End-Point Protection Policy) solutions are compatible with older AV and cloud-delivered, making them easy to deploy.
- Active outsource – If increasing staff levels and staff skills is unlikely in the near term, consider outsourcing to MSSPs for security operations and system management.
- Migrate to platform vendors – When selecting new vendors, give more weight to solution providers that have multiple solutions with integrated management.
- Cloud-first deployment strategy – Favor cloud-deployed solutions to reduce management burden and provide faster deployments.
At this stage, the organization should be defining requirements, taking inventory, and developing a gap analysis and a plan to close gaps. Focus on getting application- and authentication-level inventory. The focus should expand to improve application-level network security and backup and restore:
- Application inventory and consolidation – Begin to inventory all executable programs, determine providence and business value, and consolidate applications and version. Begin to establish a new application approval process.
- Improve patch management – In this stage, the biggest process benefit is improving patch management processes. However, it is important to not get too stressed out at this stage by the universe of vulnerabilities. The vast majority of opportunistic attacks go after the most common software. So patching the “notorious five” (Windows, Office, browsers, Adobe and Java) is the first priority.
- Phishing protection – Invest in advanced phishing protection. Most anti-spam solutions do not provide antiphishing with their anti-spam protection. Upgrade to cloud-delivered SWG (Secure Web Gateway)s to reduce management burden.
- Add cloud SWG (Secure Web Gateway) – On-premises SWG (Secure Web Gateway)s should be replaced or augmented with cloud-delivered SWG (Secure Web Gateway) protection to expand protection to roaming workers and small offices.
- Windows 10 (Credential Guard) and Exploit Prevention – Update Windows OS to Windows 10 with Credential Guard and Exploit Prevention (see “Windows 10 Enhances Security”).
- Backup/restore – Ransomware is the biggest threat to most organizations and destructive attacks are on the rise, so a solid endpoint backup strategy is critical (see “Five Key Actions for Midsize Enterprises to Improve Storage and Backup”).
Organizations should have most of the requisite tools, but should be improving process and establishing a formal security operations center for incident response. Reporting and tracking of performance is beginning to be addressed at this level. Focus expands from malware prevention to detection and response to catch more opportunistic attacks. Root cause analysis and proactive hardening of endpoints begins:
- Security operations center – Begin to establish and staff or outsource a security operations center. At this stage, integration with a network operations center is likely desirable. Establish roles and responsibilities and begin to work on incident response handling guidelines (see “Setting up a Security Operations Center [SOC]”).
- Endpoint detection and remediation – implement an endpoint EDR (End-Point Detection & Response) solution as a primary tool for incident response.
- Sandbox (automatic and on demand) – Consider implementing a network-level sandboxing service to filter inbound binaries before they get to the endpoint.
- Security awareness training – Begin security awareness training programs, particularly around account takeover attacks, web and email security best practices, and how to report suspicious incidents to the SOC.
- Improve vulnerability and patch management – Expand vulnerability and patch management programs to non-Windows devices and expand to include the universe of applications. Configuration management should also begin to establish baseline configurations for non- Windows endpoints (see “A Guidance Framework for Developing and Implementing Vulnerability Management”).
- Privilege access management – Begin to remove admin rights from users. If necessary, implement privileged access management for end users (see “Best Practices for Privileged Access Management”).
- Privileged credential life cycle management – develop an inventory and establish a process for privileged credential life cycle management, and monitor usage.
- Multifactor authentication – Implement multifactor authentication for privileged accounts and critical business systems (see “Market Guide for User Authentication”).
- BYOD program – Start to review usage of employee-owned laptops and critical business systems. Leverage multifactor authentication to protect corporate applications. Consider supporting employees with corporate-issued endpoint protection solutions, and use network access control to enforce usage (see “How to Successfully Navigate the Hurdles of Global- Scale BYOD Implementations”).
- Cloud workload protection – Build a center of excellence around server workloads apart from end-user-focused endpoints (see “Endpoint and Server Security: Common Goals, Divergent Solutions”). Protect cloud and on-premises server workloads with products and strategies designed specifically for these workloads (see “How to Develop Infrastructure-as-a-Service Security Skills”).
- Enterprise mobility management – Implement an EPP (End-point Mobile Manager) solution to manage mobile devices and build standard policy templates enforced by EPP (End-point Mobile Manager).
Focus expands to all network-connected devices with the adoption of techniques to reduce the attack surface for the Internet of Things (IoT) and out-of-support OSs. Detection activity moves up to the device and user behavioral level. Ramp up use of default deny controls, such as applications whitelisting, network segmentation and web isolation, to reduce the attack surface. Adopt a continuous penetration testing mentality. Consider advanced tools such as deception and mobile threat defense:
- IoT/OT protection program – Begin to develop strategies and mitigations to protect nonstandard-type devices on the network. All network-attached devices should be in inventory.
- Red team blue team exercises – Move from one-time penetration testing to active detection and response exercises. The primary goal at this stage should be to test detection and response versus finding specific points of vulnerability to close (see “Using Penetration Testing and Red Teams to Assess and Improve Security”).
- Threat hunting – Begin threat hunting exercises to detect potential unknown threats (see “How to Hunt for Security Threats”).
- Application control – Deploy application control for all unpatchable systems and internet- facing servers. Consider application control for critical business users or devices (i.e., POS; see “How to Successfully Deploy Application Control”).
- Script control – Restrict and monitor script usage. PowerShell has a number of features to make it easier to monitor and control, such as transcript and constrained language model. Group policy should also be tuned for macros execution control.
- Isolation – Consider implementing network isolation solutions for web surfing and email document disarm for critical users or devices.
- Microsegmentation – Use network-level microsegmentation to isolate unpatchable servers and critical business servers. Protect them with a virtual patching tool, which makes the systems appear to be patched when probed from the outside.
- Deception – Consider implementing deception tools to detect active attackers
- Mobile threat defense – Implement mobile threat defense on mobile endpoints used by privileged users and high-value-target employees.
Expanding activity will be to inspect the supply chain for downstream attacks and those lower into the computing stack, such as firmware attacks:
- Supply chain – Focus on equipment manufacture and application supply chain. Consider geopolitical component risk.
- Firmware – Begin to inventory, monitor and patch firmware and microcontrollers.
- Continuous threat hunting – Skilled and experience SOC analysts use event data from endpoints, network devices and application logs to identify suspicious or malicious activity that has bypassed automated controls. Once discovered, the new IoAs/IoCs are added to the prevention layer, forming a closed-loop prevention, detection and response practice.
- Orchestration and automation – Begin to automate repetitive security tasks.