End Point Protection by Leticia Smith
March 2016 - The ongoing success of the private sector relies in large measure on its ability to commercialize innovative research and intellectual property, business transactions, and financial data. Failing to secure this vital digital information, and the systems that hold it, inevitably leads to lost market share, fewer customers and corporate breakdown for the companies involved. On a national scale, the theft of trade secrets, intellectual property and confidential corporate information can result in lost jobs and diminished economic prosperity.
An enterprise's policy interface — like its policies — should be chosen fundamentally to address the needs of the business. Excessively complex and technical policy interfaces and reporting will force IT to interpret and implement business policy, increasing both workload and the potential for errors and miscommunication. A policy interface should be intuitive and usable by nontechnical business personnel — for example, HR and legal staff. A good way to test the usability of an interface is to give such personnel an opportunity to test it.
According to Trend Micro, around 41% of data breaches in the US have been caused by device loss. Remote device wipe, disk encryption, the use of virtual infrastructure, and enforcement of stricter policies can help mitigate such cases.
End-Point Protection (EPP) services should provide a standards-based interface in order to work seamlessly with other enterprise asset management systems.
Sandboxing provides the protection needed for deep inspection of unknown binaries. Unknown code can be pre-loaded and examined before it is loaded into memory, but recognizing that the code is not on the whitelist, setting up the sandbox, and stepping through the code while analyzing it for malicious functionality is highly resource intensive and can cause end-user dissatisfaction with End-Point Protection products. Custom sandboxing tied to specific situations (network segment, code signatures, and device type) will reduce resource overhead, and the best EPP solutions will provide support for rulesets using regular expressions.
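The situational ruleset described above can be sketched as an ordered list of regular-expression rules over network segment, code signer and device type, checked only after the whitelist lookup fails. This is an added example, not code from any EPP product; the segment labels, signer strings, device types, rule names and placeholder hash are all constructed assumptions.

```python
import re
from dataclasses import dataclass

# Everything below (segments, signers, device types, hashes) is constructed.
@dataclass(frozen=True)
class Launch:
    sha256: str        # hash of the binary about to run
    segment: str       # network segment label of the endpoint
    signer: str        # code-signing subject, "" if unsigned
    device_type: str   # e.g. "laptop", "server", "kiosk"

@dataclass(frozen=True)
class Rule:
    name: str
    segment: str       # each pattern must match the whole field
    signer: str
    device_type: str
    action: str        # "allow", "sandbox" or "block"

    def matches(self, launch):
        pairs = ((self.segment, launch.segment),
                 (self.signer, launch.signer),
                 (self.device_type, launch.device_type))
        return all(re.fullmatch(p, v, re.IGNORECASE) for p, v in pairs)

WHITELIST = {"a" * 64}  # placeholder hash standing in for an approved binary

RULES = [  # evaluated top to bottom, first match wins
    # Unsigned code on fixed-function devices is refused outright: no sandbox cost.
    Rule("unsigned-on-kiosk", r".*", r"", r"kiosk|pos", "block"),
    # Builds signed by the in-house key on dev segments skip the sandbox.
    Rule("internal-signer-dev", r"dev-.*", r"CN=Example Corp Build.*", r".*", "allow"),
    # Anything unknown on a finance segment is inspected, whoever signed it.
    Rule("finance-any-unknown", r"fin-\d+", r".*", r".*", "sandbox"),
]

def decide(launch, rules=RULES, whitelist=WHITELIST, default="sandbox"):
    """Return (action, reason) for a binary that is about to execute."""
    if launch.sha256.lower() in whitelist:
        return "allow", "whitelist"      # known code never pays the sandbox cost
    for rule in rules:
        if rule.matches(launch):
            return rule.action, rule.name
    return default, "default"            # unknown and unmatched: fail closed
```

Returning the rule name alongside the action gives the reporting side a reason for every sandbox decision, which helps when tuning rules that cause end-user delays.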
Common EPP tasks might include:
- Review home page dashboard, paying particular attention to the placement of indicators that illustrate negative changes in the security posture of endpoints. Look for direct links to more information, recommendations and action steps to resolve events.
- Tour the report center, create a custom report, and schedule it for delivery to an email box or Web server/portal.
- Show alert configuration capability, and integrate an alert with an external subscriber identity module (SIM).
- Show real-time data that lists clients on a network that do not have an EPP agent installed.
- Create or edit the policy elements that can be delegated (or restricted) to end users.
- Create or edit the policy configuration for client update distribution and step-through policy creation.
- Create or edit the policy to automatically push the EPP client to an endpoint that does not have it installed.
- Configure scheduled scans for endpoints. Focus on the ability to limit CPU utilization, and delegate the ability for end users to delay scan execution.
- Create or edit the port (e.g., USB, CDs, infrared) control configuration. Pay particular attention to the granularity of the restrictions and the linkage to file types and encryption, if any.
- Create or edit VPN policy (e.g., deny split tunneling) for a specific Active Directory group.
- Create or edit location-based policy, and pay attention to the level of automation in selecting when a policy should be invoked.
- Create or edit a Wi-Fi-specific policy.
- Create or edit a whitelisting and/or lockdown configuration for a certain group of PCs. Add a new executable program to the whitelist. Autogenerate a whitelist from the installed applications on a PC. Authorize a software distribution method and directory as a whitelisted source of applications.
- Show a single-page summary of client configuration information, and print it for review.
- Review HIPS policy configuration and step through the false-positive-handling process, including deactivating a specific HIPS rule for a specific application.
- Edit role-based administration and hierarchical administration to add a new role.
A major challenge for these endpoints is modern malware that targets the devices themselves. Such attacks take the form of malware with firmware or BIOS manipulation capabilities.
In 2015, the Intel Security Advanced Threat Research team reported on hard disk drive (HDD) and solid state drive (SSD) firmware reprogramming modules. The modules do two things. One module reprograms the HDD/SSD firmware with code that is custom built for the HDD/SSD brand and model. The second module provides an API into a hidden area of the HDD or SSD. Through the API, the reprogrammed firmware can store and load custom payload code that can perform a variety of functions while remaining invisible to the operating system.
These hardware components are devices built with network interfaces, on-board storage, and semiconductor-based controllers and microprocessors that run “beneath” the operating system. These embedded devices can be used as small but effective malicious back doors into computer systems, and they are capable of loading updates and running custom code. They range from devices as innocuous as a network printer/copier or electronic locks to complex manufacturing and scientific equipment.
HDDs/SSDs whose firmware has been reprogrammed can reload associated malware each time infected systems boot, and the threat remains persistent even if the drives are reformatted or the operating system is reinstalled. In some cases, the threat can even persist when the firmware of the device is flashed (reprogrammed at the hardware level).
This combination of persistence, stealth and configurability is an amazing achievement, but it illustrates how our traditional enterprise defenses can be circumvented when faced with a new threat. Defense in depth has never been more important!