4.5 Endpoint Security Flashcards

(8 cards)

1
Q

The endpoint

A
  • The user’s access
    –Applications and data
  • Stop the attackers
    –Inbound attacks
    –Outbound attacks
  • Many different platforms
    –Mobile, desktop
  • Protection is multi-faceted
    –Defense in depth
2
Q

Edge vs. access control

A
  • Control at the edge
    –Your Internet link
    –Managed primarily through firewall rules
    –Firewall rules rarely change
  • Access control
    –Control from wherever you are
    –Inside or outside
    –Access can be based on many rules
    –By user, group, location, application, etc.
    –Access can be easily revoked or changed
    –Change your security posture at any time
3
Q

Posture assessment

A
  • You can’t trust everyone’s computer
    –BYOD (Bring Your Own Device)
    –Malware infections / missing anti-malware
    –Unauthorized applications
  • Before connecting to the network, perform a health check
    –Is it a trusted device?
    –Is it running anti-virus? Which one? Is it updated?
    –Are the corporate applications installed?
    –Is it a mobile device? Is the disk encrypted?
    –The type of device doesn’t matter - Windows, Mac, Linux, iOS, Android
4
Q

Health checks/posture assessment

A
  • Persistent agents
    –Permanently installed onto a system
    –Periodic updates may be required
  • Dissolvable agents
    –No installation is required
    –Runs during the posture assessment
    –Terminates when no longer required
  • Agentless NAC
    –Integrated with Active Directory
    –Checks are made during login and logoff
    –Can’t be scheduled
5
Q

Failing your assessment

A
  • What happens when a posture assessment fails?
    –Too dangerous to allow access
  • Quarantine network, notify administrators
    –Just enough network access to fix the issue
  • Once resolved, try again
    –May require additional fixes
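The three cards above (posture assessment, the health checks, and what happens when a device fails) describe one procedure. The following is an added example, not code from the flashcards or from any NAC product, showing that procedure end to end: a device health report is checked against a policy, every failure is collected so the user knows what to fix, a failing device gets a quarantine access list with just enough reach to remediate, and the device is re-assessed after the fixes. The report fields, policy values and the remediation host names are assumptions chosen for illustration.

```python
"""Posture assessment: evaluate an endpoint health report against policy.

Added example; not code from the original flashcards or from any NAC
product. Report fields, policy values and remediation hosts are assumptions.
"""
from dataclasses import dataclass, field, replace
from datetime import date, timedelta
from typing import Optional

# Hypothetical corporate policy (assumption).
POLICY = {
    "approved_antivirus": {"Defender", "CrowdStrike"},
    "max_signature_age_days": 7,
    "required_apps": {"vpn-client", "mdm-agent"},
    "forbidden_apps": {"torrent-client"},
}

@dataclass
class PostureReport:
    device_id: str
    platform: str                        # windows, macos, linux, ios, android
    trusted: bool                        # enrolled in MDM / joined to the directory
    antivirus: Optional[str]
    av_signature_date: Optional[date]
    disk_encrypted: bool
    installed_apps: set = field(default_factory=set)

@dataclass
class Decision:
    outcome: str                         # "allow" or "quarantine"
    failures: list

def assess(report: PostureReport, today: date = date(2024, 1, 15), policy=POLICY) -> Decision:
    """Run every health check and collect all failures, so the user sees the
    full remediation list instead of discovering one problem per retry.
    The platform is irrelevant: the same checks apply to every device type."""
    failures = []
    if not report.trusted:
        failures.append("device is not enrolled/trusted")
    if report.antivirus is None:
        failures.append("no anti-malware installed")
    elif report.antivirus not in policy["approved_antivirus"]:
        failures.append(f"unapproved anti-malware: {report.antivirus}")
    elif (report.av_signature_date is None
          or today - report.av_signature_date > timedelta(days=policy["max_signature_age_days"])):
        failures.append("anti-malware signatures out of date")
    missing = policy["required_apps"] - report.installed_apps
    if missing:
        failures.append("missing corporate apps: " + ", ".join(sorted(missing)))
    unauthorized = policy["forbidden_apps"] & report.installed_apps
    if unauthorized:
        failures.append("unauthorized apps: " + ", ".join(sorted(unauthorized)))
    if not report.disk_encrypted:
        failures.append("disk is not encrypted")
    return Decision("allow" if not failures else "quarantine", failures)

def access_rules(decision: Decision) -> list:
    """Quarantine: just enough network access to fix the issue (hypothetical hosts)."""
    if decision.outcome == "allow":
        return ["permit ip any any"]
    return [
        "permit tcp any host remediation.corp.example eq 443",   # patch / AV update server
        "permit udp any host dns.corp.example eq 53",
        "deny ip any any",
    ]

# Constructed sample reports.
HEALTHY = PostureReport("lap-001", "windows", True, "Defender", date(2024, 1, 14), True,
                        {"vpn-client", "mdm-agent", "slack"})
BYOD_PHONE = PostureReport("byod-77", "android", False, None, None, False, {"torrent-client"})

def remediate_and_retry(report: PostureReport) -> Decision:
    """Simulate the user fixing everything the quarantine notice listed, then re-assess."""
    fixed = replace(report, trusted=True, antivirus="Defender", av_signature_date=date(2024, 1, 15),
                    disk_encrypted=True,
                    installed_apps=(report.installed_apps | POLICY["required_apps"]) - POLICY["forbidden_apps"])
    return assess(fixed)

if __name__ == "__main__":
    for r in (HEALTHY, BYOD_PHONE):
        d = assess(r)
        print(r.device_id, d.outcome, d.failures, access_rules(d))
    print("after remediation:", remediate_and_retry(BYOD_PHONE).outcome)
```

The check collects every failure rather than stopping at the first one; otherwise a BYOD phone with five problems would need five quarantine cycles. The quarantine rules end in an explicit deny so the remediation hosts are the only reachable destinations.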
6
Q

Endpoint detection and response (EDR)

A
  • A different method of threat protection
    –Scale to meet the increasing number of threats
  • Detect a threat
    –Signatures aren’t the only detection tool
    –Behavioral analysis, machine learning, process monitoring
    –Lightweight agent on the endpoint
  • Investigate the threat
    –Root cause analysis
  • Respond to the threat
    –Isolate the system, quarantine the threat, rollback to a previous config
    –API driven, no user or technician intervention required
7
Q

Extended Detection and Response (XDR)

A
  • An evolution of EDR
    –Improve missed detections, false positives, and long investigation times
    –Attacks involve more than just the endpoint
  • Add network-based detection
    –Investigate and respond to network anomalies
  • Correlate endpoint, network, and cloud data
    –Improve detection rates
    –Simplify security event investigations
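The EDR and XDR cards describe one pipeline: detect without relying on a signature, reconstruct the root cause, correlate with data from a second sensor, and respond through an API. The following is an added example, not code from the flashcards or from any EDR/XDR product, that runs that pipeline over constructed telemetry. The event fields, the "Office application spawns a shell" rule, the exfiltration threshold and the response actions are all assumptions chosen for illustration.

```python
"""EDR/XDR-style pipeline over constructed telemetry: behavioral detection
(no signatures), root-cause chain, correlation with a network sensor,
and an API-driven response decision.

Added example; not code from the flashcards or from any EDR/XDR product.
Event fields, rule thresholds and response actions are assumptions.
"""

# Constructed endpoint process telemetry from a lightweight agent.
PROCESS_EVENTS = [
    {"host": "ws-12", "pid": 100, "ppid": 1,   "image": "explorer.exe",   "cmd": "explorer.exe",                  "ts": 1000},
    {"host": "ws-12", "pid": 200, "ppid": 100, "image": "outlook.exe",    "cmd": "outlook.exe",                   "ts": 1010},
    {"host": "ws-12", "pid": 300, "ppid": 200, "image": "winword.exe",    "cmd": "winword.exe invoice.docm",      "ts": 1020},
    {"host": "ws-12", "pid": 400, "ppid": 300, "image": "powershell.exe", "cmd": "powershell -w hidden -enc ...", "ts": 1025},
    {"host": "ws-12", "pid": 500, "ppid": 100, "image": "powershell.exe", "cmd": "powershell Get-Process",        "ts": 1030},
]
# Constructed network sensor records (the second data source XDR correlates).
NETWORK_EVENTS = [
    {"host": "ws-12", "pid": 400, "dst": "203.0.113.9", "dport": 443, "bytes_out": 50_000_000, "ts": 1027},
    {"host": "ws-12", "pid": 500, "dst": "10.0.0.5",    "dport": 443, "bytes_out": 2_000,      "ts": 1031},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
EXFIL_BYTES = 10_000_000         # assumed threshold for a "large outbound transfer"

def is_internal(ip: str) -> bool:
    return ip.startswith("10.") or ip.startswith("192.168.")

def detect(events):
    """Behavioral rule: an Office application spawning a shell interpreter.
    Matches on process lineage, not on a file hash or signature."""
    by_pid = {e["pid"]: e for e in events}
    return [e for e in events
            if e["image"] in SHELLS and by_pid.get(e["ppid"], {}).get("image") in OFFICE_APPS]

def root_cause_chain(events, pid):
    """Walk the parent chain back to the origin process for the investigation."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))

def correlate(hit, net_events, window=10):
    """XDR step: pull network records for the same host and process within
    a time window around the endpoint detection."""
    return [n for n in net_events
            if n["host"] == hit["host"] and n["pid"] == hit["pid"] and abs(n["ts"] - hit["ts"]) <= window]

def respond(hit, chain, net_records):
    """Decide the response; in a real product each action is an API call
    made without a technician in the loop."""
    severity = "medium"
    actions = [f"kill pid {hit['pid']} on {hit['host']}"]
    exfil = [n for n in net_records if not is_internal(n["dst"]) and n["bytes_out"] >= EXFIL_BYTES]
    if exfil:                      # network evidence raises severity and the response
        severity = "high"
        actions.append(f"isolate host {hit['host']} from the network")
        actions.extend(f"block egress to {n['dst']}" for n in exfil)
    return {"severity": severity, "chain": chain, "actions": actions}

def run(process_events=PROCESS_EVENTS, net_events=NETWORK_EVENTS):
    results = []
    for hit in detect(process_events):
        chain = root_cause_chain(process_events, hit["pid"])
        results.append(respond(hit, chain, correlate(hit, net_events)))
    return results

if __name__ == "__main__":
    for r in run():
        print(r["severity"], " -> ".join(r["chain"]), r["actions"])
```

The benign PowerShell started from Explorer is never flagged, because the rule keys on the parent process rather than on the interpreter itself. Adding the network sensor is what turns a medium-severity process kill into a host isolation: the endpoint alone cannot see the 50 MB leaving for an external address.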
8
Q

User behavior analytics

A
  • XDR commonly includes user behavior analytics
    –Extend the scope of anomaly detection
  • Watch users, hosts, network traffic, data repositories, etc.
    –Create a baseline of normal activity
    –Requires data analysis over an extended period
  • Watch for anything unusual
    –Use a set of rules, pattern matching, statistical analysis
  • Real-time detection of unusual activity
    –Catch the threat early
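The card above names three detection techniques (rules, pattern matching, statistical analysis) and the need for a baseline built over an extended period. The following is an added example, not code from the flashcards or from any UBA product, that builds a per-user baseline from constructed log lines and then scores new events with all three techniques, refusing to score a user who has too little history. The log format, field meanings, business-hours rule and z-score threshold are assumptions.

```python
"""User behavior analytics over constructed login/download logs: build a
per-user baseline from an observation window, then score new events with
a rule, a pattern match and a statistical outlier test.

Added example; not code from the flashcards or from any UBA product.
Log format, field meanings and thresholds are assumptions.
"""
import math
from collections import defaultdict

# Constructed baseline: ten working days of one user's normal activity.
# Assumed format: "<ISO timestamp> <user> <source country> <KB downloaded>"
BASELINE_LOG = """
2024-01-01T08:05 alice US 1000
2024-01-02T09:12 alice US 1500
2024-01-03T10:40 alice US 1200
2024-01-04T09:01 alice US 900
2024-01-05T09:33 alice US 1100
2024-01-08T08:50 alice US 1300
2024-01-09T10:15 alice US 1000
2024-01-10T09:20 alice US 1400
2024-01-11T09:07 alice US 1200
2024-01-12T09:45 alice US 1100
2024-01-12T11:00 bob US 800
""".strip().splitlines()

# Constructed new events to score.
NEW_EVENTS = [
    "2024-01-15T09:30 alice US 1200",      # normal
    "2024-01-16T03:02 alice RU 500000",    # off-hours, new country, huge download
    "2024-01-16T11:05 bob US 900",         # too little history to judge
]

MIN_OBSERVATIONS = 5          # assumed: below this the baseline is not trustworthy
Z_THRESHOLD = 3.0             # assumed statistical cut-off
LOGIN_HOURS = range(6, 20)    # assumed business-hours rule

def parse(line):
    ts, user, country, kb = line.split()
    return {"user": user, "hour": int(ts[11:13]), "country": country, "kb": int(kb)}

def mean_std(values):
    m = sum(values) / len(values)
    var = sum((v - m) ** 2 for v in values) / len(values)
    return m, math.sqrt(var)

def build_baseline(lines):
    """Per-user statistics over the whole observation window."""
    per_user = defaultdict(list)
    for e in map(parse, lines):
        per_user[e["user"]].append(e)
    return {
        user: {
            "n": len(events),
            "hour": mean_std([e["hour"] for e in events]),
            "kb": mean_std([e["kb"] for e in events]),
            "countries": {e["country"] for e in events},
        }
        for user, events in per_user.items()
    }

def zscore(value, stats):
    m, s = stats
    return abs(value - m) / max(s, 1e-9)     # guard against a zero-variance baseline

def score(line, baseline):
    """Return (status, reasons); status is 'normal', 'anomalous' or 'unscored'."""
    e = parse(line)
    b = baseline.get(e["user"])
    if b is None or b["n"] < MIN_OBSERVATIONS:
        return "unscored", ["insufficient baseline"]
    reasons = []
    if e["hour"] not in LOGIN_HOURS:                      # rule
        reasons.append("login outside business hours")
    if e["country"] not in b["countries"]:                # pattern match against history
        reasons.append(f"new source country {e['country']}")
    if zscore(e["hour"], b["hour"]) > Z_THRESHOLD:        # statistical analysis
        reasons.append("login hour is a statistical outlier")
    if zscore(e["kb"], b["kb"]) > Z_THRESHOLD:
        reasons.append("download volume is a statistical outlier")
    return ("anomalous" if reasons else "normal"), reasons

def detect(lines, baseline):
    """Return [(line, reasons)] for the events that need attention."""
    alerts = []
    for line in lines:
        status, reasons = score(line, baseline)
        if status == "anomalous":
            alerts.append((line, reasons))
    return alerts

if __name__ == "__main__":
    base = build_baseline(BASELINE_LOG)
    for line, why in detect(NEW_EVENTS, base):
        print(line, "->", why)
```

The unscored status is the point of the extended observation period: with one prior event for bob there is no variance to measure against, and scoring him would produce either no alerts or nothing but alerts. In production the baseline would be recomputed on a schedule so that scoring can run in real time against the most recent normal.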