Wednesday, April 26, 2017

You Paid for Endpoint Protection, But Is It Actually ON and Protecting You?

A report from Threat Stack came out recently that showed that a huge chunk of cloud-related security problems are caused by not doing the basics, such as ensuring your servers are patched on a regular basis.


From experience, I can tell you that this applies to non-cloud environments as well.
Along the same lines, I'd like to share a few thoughts on the importance of monitoring the endpoint protection tools and services running on your endpoints to make sure they are actually on. Seems like a no-brainer, doesn't it?

Yet I have worked for many organizations that run Windows desktops, and rarely have I seen them use the notification and monitoring tools (that they are already paying for) to ensure that endpoints are continuously running the services that protect them. I do my best to fix that wherever possible, or at least bring the risks to the attention of higher-level decision makers.
malware defenses: how to ensure they are on and running
Is your defender even on the field?
Whether your endpoint protection is HIPS, HIDS, antivirus, or any other related service, if it's running on the endpoint, it must STAY running in order to be effective. Pretty basic stuff.
Yet time and time again, I see systems with basic protections turned off, and the end user and the organization they work for are unaware of this. And that's when very bad things can happen.
For example, users might be downloading risky files from the Internet, thinking that antivirus (A/V) scans are taking place, protecting them, and determining which files are OK and which are malicious, when in fact the files are not being scanned at all.
Keep in mind that most end users are not sophisticated enough to check which services are running on a Windows system, and even if they know how, why would they think to go look if nothing seems amiss? No pop-up warning = no problems, right? Wrong...
Granted, many endpoint protection software schemes are designed to prevent being turned off, either by the end user or by a malicious actor or malware. But what if that fails for whatever reason?
Ironically, you're probably paying for tools that have this monitoring capability built right in, but it's likely you're failing to take advantage of these features.
Instead of providing a list of ways to programmatically ensure that endpoint protection services are always on and running, I will ask you to analyze what services SHOULD be running, and what protections AND notifications you have in place to guarantee that they stay running.
Here are some ideas, tools, or approaches you can use to make sure endpoint protection mechanisms are actually on, all the time:
  • Group Policy
  • SCCM and other enterprise monitoring systems
  • SIEM
  • Startup Scripts
  • Login Scripts
  • PowerShell
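To make the "startup script / PowerShell" idea from the list above concrete, here is an added example of a health check that you could run from a startup script or scheduled task. This is illustrative code written for this page, not a script from the original post. It assumes Microsoft Defender Antivirus is the product in use (service name WinDefend, with the Defender PowerShell module providing Get-MpComputerStatus), that the account running it may query and start services and write to the Application event log, and that the second service name, the event source name and event IDs are placeholders you would replace with your own values. The results land in the Windows event log so that SCCM or a SIEM can pick them up, rather than in a pop-up the user can ignore.

```powershell
# Added example (not part of the original post): endpoint protection health check.
# Assumptions: Defender Antivirus is installed (service WinDefend, Get-MpComputerStatus
# available); the script runs with rights to query/start services and write to the
# Application event log. Event source name and event IDs below are constructed values.

# Services that must be running. WinDefend is Microsoft Defender Antivirus; the second
# entry is a placeholder for your EDR/HIPS service name.
$RequiredServices = @(
    'WinDefend',
    'YOUR-EDR-SERVICE-NAME-HERE'   # placeholder, replace with your product's service name
)

$EventSource = 'EndpointProtectionCheck'   # constructed event source name
$EventLog    = 'Application'

# Register the event source once (needs local admin). Ignore failures if it exists.
try {
    if (-not [System.Diagnostics.EventLog]::SourceExists($EventSource)) {
        New-EventLog -LogName $EventLog -Source $EventSource -ErrorAction SilentlyContinue
    }
} catch { }

$Problems = @()

foreach ($Name in $RequiredServices) {
    $Svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $Svc) {
        $Problems += "Service '$Name' is not installed."
        continue
    }
    if ($Svc.Status -ne 'Running') {
        # Try to remediate, and record the outcome either way so the SIEM sees it.
        try {
            Start-Service -Name $Name -ErrorAction Stop
            $Problems += "Service '$Name' was $($Svc.Status); it has been restarted."
        } catch {
            $Problems += "Service '$Name' was $($Svc.Status) and could not be started: $($_.Exception.Message)"
        }
    }
}

# A running service is necessary but not sufficient: the engine must actually be
# scanning, and signatures must not be stale.
$Mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($null -eq $Mp) {
    $Problems += 'Could not query Defender status (Get-MpComputerStatus failed).'
} else {
    if (-not $Mp.RealTimeProtectionEnabled) { $Problems += 'Defender real-time protection is OFF.' }
    if (-not $Mp.AntivirusEnabled)          { $Problems += 'Defender antivirus engine is disabled.' }
    if ($Mp.AntivirusSignatureAge -gt 3)    { $Problems += "Defender signatures are $($Mp.AntivirusSignatureAge) days old." }
}

# Event IDs 1000/1001 are constructed values; forward 1001 to your SIEM as an alert.
if ($Problems.Count -eq 0) {
    Write-EventLog -LogName $EventLog -Source $EventSource -EntryType Information -EventId 1000 `
        -Message "Endpoint protection check passed on $($env:COMPUTERNAME)."
} else {
    Write-EventLog -LogName $EventLog -Source $EventSource -EntryType Warning -EventId 1001 `
        -Message ("Endpoint protection check FAILED on $($env:COMPUTERNAME):`n" + ($Problems -join "`n"))
}
```

Run it from a scheduled task under SYSTEM at startup and every hour or so, then build a SIEM or SCCM alert on the Warning event. The point of logging the "passed" event as well is that a machine that stops reporting at all is itself a signal worth investigating.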
I recommend getting with your I.T. cohorts and brainstorming ways to ensure your endpoints are ALWAYS being protected, which will also ensure you're fully leveraging your investment in cybersecurity defenses.
Happy hunting!
-Ryan

