Endpoint Security
Securing “endpoints” is becoming increasingly complex. This is due not only to the growth in malware but also to the fact that threats are becoming more and more “clever.”
The number of new threats detected has grown exponentially in recent years, to currently 65,000 per day. It is almost impossible to write the correct virus definition for all of these new threats in a timely manner. Lately we have increasingly seen the consequences of this in the form of a growing number of virus outbreaks and false positives.
The type of viruses is changing as well. More and more polymorphic viruses are appearing on the scene: viruses that create new variations of themselves after having been activated. Because no virus definitions have yet been written for these new versions, they often have free rein to continue infecting the system and the network.
And the objective of the virus writers has changed. These are no longer the stereotypical bored teenagers who develop a virus purely for “fun.” Nowadays the motivation is financial gain, through extortion and espionage. The result of this shift is that viruses are increasingly being used in a targeted manner, with the virus creator being intent on remaining undetected as long as possible.
The large quantity of viruses, their automatic development and their targeted use render the classic anti-virus model inadequate. One entity somewhere in the world first has to encounter a virus before work can begin on protecting the rest of the world. Despite anti-virus software, the chance of infection has reached an unacceptably high level as a result of all of these developments. That is why security specialists have been pleading for a much more proactive security approach for several years now.
Here are the most obvious and proactive technologies that can be applied to an endpoint:
- Patch management or virtual patching. Malware often exploits vulnerabilities in software in order to embed itself into a system without the user’s knowledge. Even without knowledge of the specific malware variation, its installation can thus be prevented by resolving the vulnerabilities that are exploited. This requires adequate patch management, and Microsoft is not the only vendor that matters in this respect. In practice, however, it often proves impossible to roll out all critical patches immediately, even if only because there has not yet been time for thorough testing. In this case, the “virtual patching” functionality provides a solution: a virtual security shield is placed around the system that prevents exploitation of all the known security gaps in the software. This stops the malware while granting sufficient time to comprehensively test and launch the necessary patches.
- Regulation of USB sticks. Experience has shown that most virus outbreaks at companies originate from an infection stemming from a USB stick. The stick will have been used in another, non-secure and infected system and then introduced into the organization, with all the associated consequences. A great danger is eliminated by limiting use of USB sticks to only those that are trustworthy, e.g. because the stick itself contains an antivirus engine.
- Web filtering. The Internet is the virus distribution medium. It is also pre-eminently suited for misleading people and quickly spreading new variations of viruses in an automated manner. The methods of the malware writers are so sophisticated that even the best-trained ICT professionals can fall into the trap. Uncontrolled use of the Internet is therefore truly no longer possible. If a policy could be stipulated that allows only certain types of websites, then enforcing it would yield the best results, but this is often not feasible. Instead, a very good method of web filtering is the use of reputation databases. These databases list websites that have been used in the past to spread malware. Such websites get a bad reputation and can be blocked on that basis. This reasoning is quite logical and can be implemented with relatively little effort.
- Security outside of the network as well. Mobile devices, especially laptops, regularly find themselves in situations where the company’s Internet gateway is not securing them, for example at home. The selected proactive security measures should be in effect at such locations as well, and in order to check this, the systems should be continuously monitored, even if they are physically outside of the network. This provides a good setup of the security management environment for endpoint security.
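The reputation-based web filtering described in the list above, as an added example that is not code from the original page: the reputation database with its domains and categories is a constructed sample (not real indicators), and the parent-domain walk that lets a subdomain inherit the reputation of a listed domain is an assumption about how such a filter matches hosts.

```python
from urllib.parse import urlsplit

# Constructed sample reputation database (not real indicators): domain -> category.
# A real deployment would load this from a vendor reputation feed.
REPUTATION_DB = {
    "malware-drop.example": "malware",
    "phish-login.example": "phishing",
    "cdn.ads.example": "adware",
}

# Categories the endpoint policy blocks; anything unlisted is allowed (blacklisting).
BLOCKED_CATEGORIES = {"malware", "phishing"}


def host_from_url(url: str) -> str:
    """Extract a normalised hostname: lower-case, no port, no trailing dot."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").rstrip(".").lower()


def lookup_reputation(host: str):
    """Return (listed_domain, category) for the host or any parent domain, else None.

    Walking up the parent domains (assumption) means that a subdomain of a
    listed domain, e.g. update.malware-drop.example, inherits its bad reputation.
    The bare top-level label is never checked on its own.
    """
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in REPUTATION_DB:
            return candidate, REPUTATION_DB[candidate]
    return None


def decide(url: str) -> dict:
    """Return the filtering decision (allow/block) and the reason for a URL."""
    host = host_from_url(url)
    hit = lookup_reputation(host)
    if hit is None:
        return {"host": host, "action": "allow", "reason": "no reputation record"}
    domain, category = hit
    action = "block" if category in BLOCKED_CATEGORIES else "allow"
    return {"host": host, "action": action, "reason": f"{domain} listed as {category}"}


if __name__ == "__main__":
    for u in ["https://www.example.org/",
              "http://update.MALWARE-DROP.example:8080/x.exe",
              "cdn.ads.example/banner.js"]:
        print(decide(u))
```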
Security specialists also agree that the classic antivirus model, called “blacklisting” (you define what is undesired, the rest is permitted), is as good as bankrupt and will have to be replaced in the coming years by “whitelisting” (you define what is desired, the rest is NOT permitted). This way viruses, both known and unknown, have no chance to infect the system.