BreachExchange mailing list archives

A New Approach to Endpoint Security: Think ‘Positive’


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 9 May 2014 13:35:51 -0600

http://www.darkreading.com/endpoint/a-new-approach-to-endpoint-security-think-positive/a/d-id/1251085

Traditional approaches of managing security through checklists, rules, and
compliance can't keep up with the increasing malware volumes and
propagation rates we are seeing today. Cases in point are several recent
"Threat Reports" detailing the severity of the modern threat landscape, in
which:

- A total of approximately 1.81 million website redirect events were used
in 2013 to infect endpoints. (Websense Threat Report 2014, registration
required)
- Known malware -- including ransomware and rootkits -- grew about 15%,
totaling approximately 196 million unique samples (McAfee Threat Report
Fourth Quarter 2013)
- Application vulnerabilities are about 175% higher than operating system
(OS) and browser vulnerabilities combined (Microsoft Security Intelligence
Report Volume 15).

With the rapid proliferation of mobile technology, traditional personal
computing devices today represent a much smaller share of endpoint devices
than in the past.

In the report "Enterprise Endpoint Protection When the Consumer Is King"
(subscription required), Gartner indicates that, even though traditional
personal computing devices like laptops and desktops represent a smaller
share of endpoint devices used, they still represent the most infected and
require the most effort to secure. Additionally, due to our continued use
of traditional signature-based or blacklisting technologies, these devices
remain the primary target for cyberattacks.

A game of cat and mouse
At a high level, the four primary goals of almost all cyberattacks are to
target a vulnerability, drop payload, remain undetected, and harvest data.
But today, it's not feasible to continue playing "cat and mouse" with cyber
criminals when they have invested significant effort in understanding our
blacklisting technologies' weaknesses, strengths, and even how they handle
different attack patterns. With this knowledge, cyber criminals are able
to wreak havoc by:

- Developing attacks that have limited distribution and are intended for
targeted individuals/organizations
- Circulating attacks quickly to guarantee blind spots in blacklisting
technologies can be exploited
- Creating noise to divert the security team's attention and increase the
possibility of an attack going unnoticed.

As the ineffectiveness of blacklisting creates greater opportunities for
attacks, we as security professionals must re-evaluate whether continuing
to model our methodologies on the principle of constant "known-bad"
protection is working. More important, as our IT infrastructure expands
further to accommodate mobile computing platforms, desktop virtualization
and cloud, we must work towards implementing security controls that are
based on dynamic "known-good" protection.

To do this, we have to turn our attention to the security strategies that
reduce our attack surface(s) through deny-by-default application control
mechanisms and vulnerability management.

Consider all of the security controls we deploy to traditional personal
computing devices -- anti-virus, intrusion prevention, data loss
prevention, etc. These are just a few of the security technologies that
contribute -- in varying degrees of effectiveness -- to endpoint
protection. However, to maintain acceptable risk levels in the face of
increasing threats and evolving technologies, we must change our outlook
and approach to an endpoint protection strategy with a risk-based
perspective.

There are many technologies that contribute to reducing the attack surface
of traditional personal computing devices. Historically, our industry has
followed blacklisting security models that define what should be restricted
and implicitly allow everything else, but this is proving ineffective as
detection rates continue to decline.
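The contrast the article draws between the two models (deny-by-default application control in the earlier paragraph, and the blacklisting model that "implicitly allows everything else" here) is easiest to see side by side in code. The following is an added example written for this page; it is not code from the article, DarkReading, or Risk Based Security. It hashes a constructed set of "program images" (short byte strings standing in for real binaries) and runs each execution attempt through a known-bad policy and a known-good policy. The file names, contents, and the "golden image" are all constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample data (not real binaries): file name -> file content.
# A real control would hash program images read from disk.
GOLDEN_IMAGE: Dict[str, bytes] = {
    "notepad.exe": b"MZ notepad build 1.0",
    "winword.exe": b"MZ winword build 15",
}
MALWARE_SIGNATURES: Dict[str, bytes] = {
    "dropper_v1.exe": b"MZ dropper v1",
}
# What later tries to execute on the endpoint (also constructed).
EXECUTION_ATTEMPTS: Dict[str, bytes] = {
    "notepad.exe": b"MZ notepad build 1.0",           # approved binary, unchanged
    "dropper_v1.exe": b"MZ dropper v1",               # the sample the signature covers
    "dropper_v1_repacked.exe": b"MZ dropper v1\x00",  # same payload, one byte appended
    "newtool.exe": b"MZ never seen before",           # unknown: on neither list
}


def sha256(data: bytes) -> str:
    """Hex SHA-256 of a file image; the identity used by both policies."""
    return hashlib.sha256(data).hexdigest()


def build_allowlist(image: Dict[str, bytes]) -> Set[str]:
    """Known-good set: every binary in the approved build image."""
    return {sha256(content) for content in image.values()}


def build_blocklist(samples: Dict[str, bytes]) -> Set[str]:
    """Known-bad set: the signature database of malware seen so far."""
    return {sha256(content) for content in samples.values()}


def blocklist_decision(digest: str, blocklist: Set[str]) -> str:
    """Traditional model: restrict what is known bad, implicitly allow the rest."""
    return "deny" if digest in blocklist else "allow"


def allowlist_decision(digest: str, allowlist: Set[str]) -> str:
    """Positive model: permit what is known good, deny everything else by default."""
    return "allow" if digest in allowlist else "deny"


@dataclass
class Verdict:
    name: str
    blocklist: str   # what a signature-based control would do
    allowlist: str   # what a deny-by-default control would do


def evaluate(attempts: Dict[str, bytes], image: Dict[str, bytes],
             signatures: Dict[str, bytes]) -> List[Verdict]:
    """Run every execution attempt through both policies side by side."""
    allowlist = build_allowlist(image)
    blocklist = build_blocklist(signatures)
    verdicts = []
    for name, content in attempts.items():
        digest = sha256(content)
        verdicts.append(Verdict(name,
                                blocklist_decision(digest, blocklist),
                                allowlist_decision(digest, allowlist)))
    return verdicts


def blocklist_misses(verdicts: List[Verdict]) -> List[str]:
    """Attempts the signature model let through that deny-by-default stopped.
    These are the blind spots the article describes: variants and never-seen
    binaries for which no signature exists yet. Under a positive model they
    are denied and can be queued for review instead of running."""
    return [v.name for v in verdicts
            if v.blocklist == "allow" and v.allowlist == "deny"]


if __name__ == "__main__":
    results = evaluate(EXECUTION_ATTEMPTS, GOLDEN_IMAGE, MALWARE_SIGNATURES)
    for v in results:
        print(f"{v.name:25} blocklist={v.blocklist:5} allowlist={v.allowlist}")
    print("missed by blocklist:", blocklist_misses(results))
```

The repacked dropper and the unknown tool are the interesting rows: the blocklist has no signature for either and lets both run, while the allowlist denies both without needing to know anything about them. That is the "attack-agnostic" property the article argues for; the operational cost it implies is keeping the golden image current, since any legitimate update also changes the hash and is denied until it is approved.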

Look on the bright side
With a risk-based approach, instead of managing threats through specific
technology functionalities, we manage the attack surface with the goal of
reducing a much larger number of threats without getting into specifics. In
2010, for example, when the Australian Signals Directorate adopted a
risk-based approach to mitigate targeted cyber intrusions, it found that no
single security control prevents malicious activity, but a combination of
specific "positive security" strategies proved to be 85% effective in
mitigating intrusions.

A risk-based or positive security methodology will also result in
demonstrable business benefits with respect to traditional personal
computing devices by:

- Displacing security controls (such as antivirus) that have become
ineffective and/or contribute little value to the overall endpoint
protection
- Improving overall endpoint performance by eliminating (blacklist)
signature databases that consume significant network and system resources
- Reducing the strain on supporting infrastructure(s) for deploying
(blacklisting) signature updates across remote locations
- Enhancing operational efficiencies by lessening the work effort required
to reactively maintain security technologies.

By changing our endpoint protection strategy to follow positive security
models, we align with proven industry practices of least-privilege, or
deny-by-default, and we position ourselves as attack-agnostic where we can
be more relaxed when it comes to attack-signature deployment. In an
environment where threats are a constantly moving target, this approach is
a far more effective endpoint protection strategy.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
