In the past 15 years, organisations have built up defensive barriers for the servers and databases that house their most sensitive data. But today's threats aren't restricted to the datacentre - they have moved downstream, to endpoints outside the protective cocoon, providing hackers an on-ramp to the network, writes Chris Schwartzbauer, senior vice-president at Shavlik Technologies.
The physical machines that are the endpoints in a centrally-managed network include servers, desktops and laptops. Representing the vast majority of machines in a network, all can potentially host virtual images both online and offline, presenting even more opportunity for the hacker. Add to this the proliferation of USB drives, external hard drives and the like, and it becomes obvious that protecting the datacentre no longer protects the data.
In my opinion, the malicious targeting of endpoints is exposing serious gaps in corporate security defences. Many security teams continue to believe that properly configured routers, firewalls, and antivirus software are the keys to good endpoint protection, but threats are now able to bypass perimeter protection. One of the reasons for this lies in an over-reliance on outdated antivirus software.
Once a threat is in-house, a hacker has little difficulty locating and infecting unpatched or misconfigured machines. Historically, patching these endpoints has been too time-consuming for IT teams, particularly given their focus on the critical servers. And they lack the visibility into these machines to know when they have drifted away from corporate-defined configuration policies. Yet the primary reason for endpoints to emerge as a significant hole in corporate defences stems from the traditional separation of duties in security practice.
Once the security team establishes perimeter-based protections, the ongoing maintenance - system updates, signature updates, and mitigation of problems found at the endpoint - is then the responsibility of the IT operations team. This separation of duties might be required for audit purposes, but the lack of integration and automation between these tasks wastes hours of IT staff time while opening gaps in system security.
What do you do? My advice is to ensure protection isn't limited to the datacentre. Supplement Internet-facing protection with a proactive approach that provides defence in depth for every machine. This requires three critical responses:
1. Properly configure and monitor the configuration of your endpoints
2. Correctly patch and monitor the patch status of your endpoints
3. Utilise up-to-date real-time protection software, not just reactive anti-virus
Addressing these issues requires a dedicated effort to take stock of the tasks and develop processes specifically designed to address them. After such an effort, IT can achieve efficiencies through automation. Control will be established and maintained by ensuring visibility into all systems on the network.
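As an added illustration of the first two responses above (example code written for this page, not Shavlik's or the author's), the check below compares each endpoint's reported state with a corporate baseline and records configuration drift, missing patches and stale protection definitions; the baseline keys, patch identifiers and inventory records are all constructed placeholders.

```python
from dataclasses import dataclass, field

# Hypothetical corporate baseline: required settings and required patch IDs
# (placeholder identifiers, not real updates).
BASELINE_CONFIG = {"firewall_enabled": True, "autorun_disabled": True,
                   "realtime_protection": True, "usb_storage_policy": "read-only"}
REQUIRED_PATCHES = {"PATCH-EXAMPLE-001", "PATCH-EXAMPLE-002", "PATCH-EXAMPLE-003"}
MAX_DEFINITION_AGE_DAYS = 7   # protection definitions older than this are stale

@dataclass
class Endpoint:
    name: str
    config: dict                # settings as reported by the machine
    installed_patches: set
    definitions_age_days: int   # age of its protection signature set

@dataclass
class Finding:
    endpoint: str
    drifted: dict = field(default_factory=dict)      # key -> (expected, actual)
    missing_patches: set = field(default_factory=set)
    stale_definitions: bool = False

    def compliant(self) -> bool:
        return not (self.drifted or self.missing_patches or self.stale_definitions)

def assess(ep: Endpoint) -> Finding:
    """Compare one endpoint with the baseline; an unreported setting counts as drift."""
    f = Finding(endpoint=ep.name)
    for key, expected in BASELINE_CONFIG.items():
        actual = ep.config.get(key)
        if actual != expected:
            f.drifted[key] = (expected, actual)
    f.missing_patches = REQUIRED_PATCHES - ep.installed_patches
    f.stale_definitions = ep.definitions_age_days > MAX_DEFINITION_AGE_DAYS
    return f

def fleet_report(endpoints) -> dict:
    """Roll findings up so the whole fleet's status is visible in one place."""
    findings = {ep.name: assess(ep) for ep in endpoints}
    return {"total": len(findings),
            "non_compliant": sorted(n for n, f in findings.items() if not f.compliant()),
            "findings": findings}

# Constructed sample inventory (not real systems): a compliant server and a
# laptop that has drifted, is unpatched and has stale definitions.
SAMPLE = [
    Endpoint("srv-01", dict(BASELINE_CONFIG), set(REQUIRED_PATCHES), 1),
    Endpoint("lap-07", {"firewall_enabled": True, "autorun_disabled": False,
                        "realtime_protection": True}, {"PATCH-EXAMPLE-001"}, 12),
]
```

Run `fleet_report(SAMPLE)` to list the non-compliant machines and the exact gap on each; scheduling that over a real inventory is the automation step the text calls for.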
Clearly, the business of managing and securing endpoints is in serious need of an overhaul.
The singular approach of using a cookie-cutter, one-size-fits-all anti-malware program to keep endpoints safe isn't good enough anymore. Nor can companies afford the current processes that require too much time, money and IT staff to chase after incidents or check on the status of the volumes of systems on the network. Deep and comprehensive protection is required, while more and better automation will be needed to be efficient and to provide the visibility and control necessary to be effective. In the final analysis, organisations won't be secure unless they can prove their endpoints are secure.
This was first published in June 2009