The 4 Pillars of Endpoint Security
By focusing on these fundamental aspects of network security, you can keep the bad guys out and the good data in.
Enterprise networks and their assets are under constant attack from intruders. To compound the problem, the enterprise network perimeter is completely permeable. When working on a secure IT infrastructure, the main objective of most enterprises is to maintain seamless business continuity. However, because attackers can compromise a user's computer, mobile device, the server or an application, there's frequently downtime in enterprise environments.
A distributed denial-of-service (DDoS) attack is one way to starve a network of bandwidth, but many other conditions can also cause excessive network load. For example, peer-to-peer file sharing, heavy use of streaming video, and peak usage of an internal or external server (for example, the retail industry's Black Friday) can all make the network run sluggishly for both internal users and external customers.
Streaming video is another great example of a bandwidth-hungry application, and there are many types of enterprises that are becoming highly dependent on it for core business operations. Geographically distributed companies use it for interoffice communications, brand management companies use it for media campaigns, and the military uses it for command and control.
These conditions have resulted in a precarious situation. DDoS is an easy attack to launch; streaming video is highly sensitive to bandwidth availability; networks are already heavily loaded even in optimal cases; and businesses are becoming more dependent on these technologies.
IT managers must be prepared. They need to change their long-term thinking and planning about resource usage, protecting devices on the network and protecting critical network bandwidth. This endpoint security model can help align this thinking to modern realities.
Four Pillars of Endpoint Security
The basic premise of the Four Pillars is to allow the network to keep performing, even while under attack. The first step is to identify the endpoints. In this model, an endpoint is any device where the work is actually done: desktops, servers and mobile devices.
With these endpoints in mind, it's essential to have a strategy for protecting them. This strategy -- the Four Pillars of Endpoint Security -- has the following goals:
- Protect the endpoint against attack
- Make the endpoint auto-healing
- Guard network bandwidth
- Make the network auto-healing
With that in mind, here are the Four Pillars of effective endpoint security:
- Endpoint hardening
- Endpoint resiliency
- Network prioritization
- Network resiliency
For each pillar, there are several additional goals to consider. First, it's advisable to automate the process as much as possible. After all, there are only so many hours in the day, and IT managers already have full schedules.
Second, you should centrally monitor your network so you know what's happening in real time. While one purpose of the two resiliency pillars is to reduce this monitoring burden as much as possible, sometimes you have to implement manual defenses and counter-measures. Also, equipment sometimes fails -- even under normal conditions.
Third, establish a feedback loop. As attacks become increasingly sophisticated, we must acknowledge that our defenses won't keep up unless we continuously make the right investments to shore them up.
This is why constant monitoring and feedback are essential. The better we understand -- and can demonstrate -- the actual threats and attacks occurring at our perimeter and within the network, the better we can justify the attention and expense paid to protecting those business assets.
The goal of the first pillar, endpoint hardening, is to ensure that network assets are using the latest technologies to defend against threats. Typical threats include unsafe e-mail attachments, worm-like viruses that propagate over the network and anything that's a threat to your Web browsers.
One example of an attack counter-measure is antivirus/anti-malware software. Another example is isolating, or sandboxing, computer application processes from potential malware by way of mandatory integrity levels enforced by the OS. This type of protection is applied to Internet Explorer versions 7 and 8 on Windows Vista and Windows 7.
One improvement that would help is the ability to centrally deploy and manage isolation settings for the entire host. In order to be useful, this needs to be done in such a way that third-party applications work seamlessly (and are protected).
So how does monitoring apply to this pillar? You should monitor network assets for intrusions in the field in a scalable way. You should also watch for unexpected behavior patterns.
The goal of endpoint resiliency is to ensure that health information on devices and applications is continuously gathered and monitored. That way, failed devices or applications can be automatically repaired, thus allowing operations to continue.
The following technologies are examples that can make endpoints more resilient: Network Access Protection, configuration "baselining" and management tools such as Microsoft System Center. One improvement in this area would be to marry these technologies to produce auto-healing behavior based on standardized, easy-to-extend baselines.
How does monitoring apply to this pillar? Consider trends in any of the following areas: which particular machines are out of compliance; in what way are they non-compliant; and when is this non-compliant state occurring? All of these trends can lead to conclusions about potential threats, whether an internal threat, an external threat, a configuration error, user error and so on. Also, when you identify threats in this manner, you can continuously make endpoints more robust in the face of increasingly sophisticated and distributed attacks.
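As an added illustration (this is not code from the article, nor from Network Access Protection or System Center), the following Python script evaluates constructed endpoint health reports against a constructed configuration baseline and answers the three trend questions above: which hosts are out of compliance, in what way, and at what time of day. It then maps each host's latest findings to an automatic remediation, which is the auto-healing behavior the previous paragraph asks for. The baseline settings, host names, report fields and remediation actions are all assumptions made for the example.

```python
"""Baseline compliance drift and auto-heal planning over constructed endpoint
health reports (added example; baseline, hosts, reports and remediation
actions are invented for illustration and are not from the article)."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed baseline: the desired state for every managed endpoint.
BASELINE = {
    "antivirus_signatures_max_age_days": 2,
    "firewall_enabled": True,
    "os_patch_level": "2010-03",   # YYYY-MM strings sort chronologically
    "disk_encryption": True,
}

# Constructed health reports, one per host per check run.
REPORTS = [
    {"host": "ws-101", "time": "2010-03-08T08:00:00", "antivirus_signature_age_days": 1,
     "firewall_enabled": True, "os_patch_level": "2010-03", "disk_encryption": True},
    {"host": "ws-102", "time": "2010-03-08T08:05:00", "antivirus_signature_age_days": 9,
     "firewall_enabled": False, "os_patch_level": "2010-02", "disk_encryption": True},
    {"host": "ws-103", "time": "2010-03-08T22:10:00", "antivirus_signature_age_days": 0,
     "firewall_enabled": False, "os_patch_level": "2010-03", "disk_encryption": False},
    {"host": "ws-102", "time": "2010-03-09T08:05:00", "antivirus_signature_age_days": 10,
     "firewall_enabled": False, "os_patch_level": "2010-02", "disk_encryption": True},
]

# Remediation that a management agent could apply automatically per kind of drift.
AUTO_HEAL = {
    "antivirus_signatures_stale": "trigger signature update",
    "firewall_disabled": "re-enable host firewall via management agent",
    "os_patch_level_behind": "schedule patch deployment at next maintenance window",
    "disk_encryption_off": "quarantine to remediation VLAN; enable encryption",
}


def evaluate(report, baseline=BASELINE):
    """Return the list of drift findings for one health report."""
    findings = []
    if report["antivirus_signature_age_days"] > baseline["antivirus_signatures_max_age_days"]:
        findings.append("antivirus_signatures_stale")
    if report["firewall_enabled"] != baseline["firewall_enabled"]:
        findings.append("firewall_disabled")
    if report["os_patch_level"] < baseline["os_patch_level"]:
        findings.append("os_patch_level_behind")
    if report["disk_encryption"] != baseline["disk_encryption"]:
        findings.append("disk_encryption_off")
    return findings


def summarize(reports):
    """Answer: which hosts are non-compliant, in what way, and when (hour of day)."""
    by_host = defaultdict(set)   # host -> set of findings seen in any report
    by_finding = Counter()       # finding -> number of reports showing it
    by_hour = Counter()          # hour of day -> number of non-compliant reports
    for r in reports:
        findings = evaluate(r)
        if not findings:
            continue
        by_host[r["host"]].update(findings)
        by_finding.update(findings)
        by_hour[datetime.fromisoformat(r["time"]).hour] += 1
    return by_host, by_finding, by_hour


def heal_plan(reports):
    """Map each host's most recent findings to its automatic remediation steps."""
    latest = {}
    for r in sorted(reports, key=lambda r: r["time"]):
        latest[r["host"]] = r   # later reports overwrite earlier ones
    plan = {}
    for host, r in latest.items():
        actions = [AUTO_HEAL[f] for f in evaluate(r)]
        if actions:
            plan[host] = actions
    return plan


if __name__ == "__main__":
    hosts, findings, hours = summarize(REPORTS)
    for host, drift in sorted(hosts.items()):
        print(host, sorted(drift))
    print("most common drift:", findings.most_common(2))
    print("non-compliant reports by hour of day:", dict(hours))
    for host, actions in heal_plan(REPORTS).items():
        print(host, "->", actions)
```

A host whose drift is only a stale signature file gets a cheap automatic fix, while missing disk encryption gets quarantine first; the point of keeping the trend counters is that a finding recurring on the same host, or clustered at one time of day, is the signal the article says should feed back into threat conclusions.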
The goal of network prioritization is to ensure that your infrastructure can always meet application bandwidth needs. This consideration applies not only at well-known peak demand times, but also when there are unexpected surges on network loads and distributed external and internal attacks.
Technologies that can manage application bandwidth include DiffServ and QoS. However, this pillar currently represents the biggest technology gap between what's needed and what's commercially available. In the future, it would help to have solutions to integrate user identity, application identity and business priorities. Then network routers could automatically partition bandwidth based on that information.
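The integration the paragraph wishes for can at least be sketched at the host: the sending application decides, from who the user is and what the application is, which DiffServ class its traffic belongs to, and marks the socket so that DSCP-aware routers on the path can prioritize or shed it. The following Python is an added example, not code from the article; the role table and the policy entries are constructed, and the DSCP numbers are the standard values from RFC 2474, RFC 2597 and RFC 3246. Marking only has an effect where the network honors DSCP.

```python
"""Map (user role, application) to a DiffServ class and mark a socket with it
(added example; ROLE_PRIORITY and POLICY are constructed, not from the article)."""
import socket

# Standard DSCP values. The IP TOS byte carries the 6-bit DSCP in its upper
# bits, with the two low ECN bits left clear.
DSCP = {"EF": 46, "AF41": 34, "AF31": 26, "AF21": 18, "CS1": 8, "BE": 0}

# Constructed: which business priority each user role carries.
ROLE_PRIORITY = {"command-center": "critical", "media": "critical", "staff": "standard"}

# Constructed policy, checked in order; "*" matches any value.
POLICY = [
    ("*", "voice", "EF"),            # voice is always expedited
    ("critical", "video", "AF41"),   # command-and-control / campaign video
    ("standard", "video", "AF31"),   # ordinary interoffice video
    ("*", "p2p", "CS1"),             # scavenger class: first to be dropped under load
    ("*", "*", "BE"),                # everything else: best effort
]


def choose_class(role, app):
    """Pick the DiffServ class for a user role and application identity."""
    priority = ROLE_PRIORITY.get(role, "standard")   # unknown roles get standard priority
    for pol_priority, pol_app, cls in POLICY:
        if pol_priority in ("*", priority) and pol_app in ("*", app):
            return cls
    return "BE"


def tos_byte(cls):
    """Value to place in the IP TOS field for a DiffServ class (DSCP << 2)."""
    return DSCP[cls] << 2


def mark_socket(sock, cls):
    """Apply the class to an IPv4 socket; returns the TOS value the OS reports back."""
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_TOS, tos_byte(cls))
    return sock.getsockopt(socket.IPPROTO_IP, socket.IP_TOS)


if __name__ == "__main__":
    for role, app in [("command-center", "video"), ("staff", "video"),
                      ("staff", "voice"), ("guest", "p2p"), ("staff", "web")]:
        cls = choose_class(role, app)
        print(f"{role:15} {app:6} -> {cls:5} TOS=0x{tos_byte(cls):02x}")
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        print("socket marked, TOS =", mark_socket(s, choose_class("staff", "voice")))
        s.close()
    except OSError as exc:   # no socket access in this environment
        print("could not create socket:", exc)
```

The host-side mark is only half of the picture: the router policy that maps each class to a queue, and the trust boundary at which untrusted hosts' markings are rewritten, still have to be configured on the network, which is exactly the gap between what is needed and what is commercially available that the paragraph describes.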
How does monitoring apply to this pillar? Network routers should be doing the flow logging for trend analysis. How are today's flows different from yesterday's? Is there an increased load? What new addresses are involved? Are they overseas? Effective and comprehensive monitoring can help provide answers to these questions.
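The day-over-day questions in this paragraph can be answered directly from exported flow records. The Python below is an added example, not the article's code: it parses a constructed flow log (the record layout, date source destination port bytes, is an assumption standing in for an exported NetFlow-style record), then reports the load ratio between two days, the source addresses that are new today, which of those are outside a constructed internal prefix, and the top talkers. The "overseas" question needs an address-to-country database, which this example does not include.

```python
"""Day-over-day comparison of router flow records (added example; the flow
lines and the internal prefix are constructed, not real logs or networks)."""
from collections import Counter, defaultdict
import ipaddress

# Constructed flow export. Fields: day src dst dst_port bytes
FLOW_LOG = """\
2010-03-08 10.1.4.22 10.1.0.5 443 120000
2010-03-08 10.1.4.23 10.1.0.5 443 98000
2010-03-08 198.51.100.7 10.1.0.5 443 45000
2010-03-08 10.1.4.22 10.1.0.9 25 3000
2010-03-09 10.1.4.22 10.1.0.5 443 130000
2010-03-09 10.1.4.23 10.1.0.5 443 101000
2010-03-09 198.51.100.7 10.1.0.5 443 47000
2010-03-09 203.0.113.10 10.1.0.5 443 910000
2010-03-09 203.0.113.11 10.1.0.5 443 880000
2010-03-09 203.0.113.12 10.1.0.5 443 870000
"""

# Constructed: the enterprise's own address space.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def is_external(addr):
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse the whitespace-separated flow export into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, src, dst, port, nbytes = line.split()
        flows.append({"day": day, "src": src, "dst": dst,
                      "port": int(port), "bytes": int(nbytes)})
    return flows


def daily_stats(flows):
    """Per day: total bytes, the set of sources, and bytes per source/destination."""
    stats = defaultdict(lambda: {"bytes": 0, "sources": set(),
                                 "by_src": Counter(), "by_dst": Counter()})
    for f in flows:
        s = stats[f["day"]]
        s["bytes"] += f["bytes"]
        s["sources"].add(f["src"])
        s["by_src"][f["src"]] += f["bytes"]
        s["by_dst"][f["dst"]] += f["bytes"]
    return stats


def compare_days(stats, yesterday, today, load_alert_ratio=1.5):
    """Answer: is load up, which addresses are new, are they external, who is loudest."""
    y, t = stats[yesterday], stats[today]
    new_sources = sorted(t["sources"] - y["sources"], key=ipaddress.ip_address)
    ratio = t["bytes"] / y["bytes"] if y["bytes"] else float("inf")
    new_bytes = sum(t["by_src"][a] for a in new_sources)
    return {
        "load_ratio": round(ratio, 2),
        "load_alert": ratio >= load_alert_ratio,
        "new_sources": new_sources,
        "external_new_sources": [a for a in new_sources if is_external(a)],
        "new_source_share": round(new_bytes / t["bytes"], 2) if t["bytes"] else 0.0,
        "top_talkers": t["by_src"].most_common(3),
        "most_targeted": t["by_dst"].most_common(1)[0] if t["by_dst"] else None,
    }


if __name__ == "__main__":
    stats = daily_stats(parse_flows(FLOW_LOG))
    for key, value in compare_days(stats, "2010-03-08", "2010-03-09").items():
        print(f"{key:22} {value}")
```

In the constructed data, three previously unseen external sources account for roughly nine tenths of today's bytes to one server, which is the shape that separates an attack or an unplanned surge from a normal day: the load ratio alone says only that traffic grew, while the new-source share says where the growth came from.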
The goal of network resiliency is to allow for seamless asset failover. Techniques in this area ideally allow the network to be reconfigured in real time as performance degrades. This pillar is similar to endpoint resiliency in that the goal is to facilitate network self-healing in order to minimize the management burden.
However, this pillar also draws attention to the fact that failover and redundancy must be considered on a large scale, as well as a small scale. For example, you can use clustering technology to provide failover of a single node within a datacenter, but how do we fail over an entire datacenter or region? Admittedly, the challenge with disaster recovery planning is broader still, as we must also consider office space, basic services and, most importantly, staffing.
In addition to clustering, other relevant technologies under this pillar include replication and virtualization. How does monitoring apply to this pillar? Failover technologies in general rely on monitoring. Plus, you can use load data for resource and acquisition planning as business needs evolve.
Fulfill Each Pillar
For each of these Four Pillars of Endpoint Security, there are likely to be commercially available security, network and business-continuity technologies that are either underutilized or not yet deployed by most organizations. Thus, IT managers have the following opportunities:
- Use the Four Pillars, or some other framework, to identify threats and gaps in your network defenses
- Make additional investments in automation and monitoring
- Engage more closely with business decision makers on the costs and benefits of these efforts
Some enterprises may already be on the cutting edge of what's readily available in one or more of the pillar areas. What's critical is to restructure your thinking to accommodate each of these Four Pillars, as each is essential.
Dan Griffin is a software security consultant based in Seattle.