Uptycs Blog

Welcome! The Uptycs blog is for security professionals and osquery enthusiasts interested in exploring new ideas in cloud security. We hope you’ll enjoy our blog enough to subscribe and share.

Essential Knowledge On Endpoint Security For Linux

Essential Knowledge On Endpoint Security For Linux

Linux endpoint security is a more prevalent topic now than it was a decade ago. With the rapid growth of the SaaS industry, many significant applications in cloud environments now rely on Linux.

Today, this operating system plays a crucial role in global business and infrastructure and is often intrinsically connected to data privacy, data security, and intellectual property. Therefore, enterprises must take Linux endpoint security seriously.

In this article, we’ll explore endpoint security for Linux, digging into the areas your security team should be focused on in 2020.

Understanding Endpoint Security On Linux Servers

Twenty years ago, Linux users didn’t really worry about their systems being vulnerable to attack or malware. (learn about conducting a vuln assessment for linux) Today, security teams are seeing advances in attacker behavior. The rapid changes in adoption and the fact that Linux is used so heavily within the cloud make it a more desirable target for malefactors. (Tweet this!)

Generally speaking, Linux endpoint security comes down to some standard best practices, such as:

  • Only running the essential services and software on any machine.
  • Avoid having open ports if they don’t serve a functional purpose on the system.
  • Correctly configuring your operating system and ensuring it is regularly updated (i.e. by applying security patches)
  • Enabling and monitoring audit logs for potential malicious activity

When it comes to establishing Linux endpoint security protocols, your team can take cues from the Center for Internet Security (CIS). CIS is operating system agnostic, so it publishes best-practice standards for basically every operating system and a plethora of popular applications, offering security teams expert advice on how best to configure their operating systems and tools.

To get a better understanding of how Linux endpoint security is changing, consider containers. A Linux container is a set of processes that are isolated from the rest of the system. DevOps teams can spin up and deploy containers without security teams even being aware of their existence. If using Docker, this makes containers even more portable and easier to deploy.

If your DevOps team starts running a set of containers to host a new application, it should be standard practice to notify your security team. They can then assess this environment and help secure the containers and/or application. Better yet, automation can be built into this process to better support these security practices. Unfortunately, it is all too common for Linux containers to be a blind spot for an organization’s security team while the reality is containers are another endpoint in the broader environment that could be compromised.

For the most part, Linux endpoint security is about understanding the core controls that are necessary at a fundamental level, and being able to audit those controls on a server (or container). Doing that allows you to assess your current status, and helps you identify any deviations from the desired path.

How Security Professionals Manage Endpoint Security For Linux Threat Prevention

The Linux ecosystem is a bit unique in that not only are there a number of built-in security tools in the operating system, but there is also a robust open source community that provides additional options. This leads to a decision for many security teams. On one hand, they could build out their security controls and monitoring using built-in and/or open source tools, such as these:

  • Firejail
  • Wireshark
  • Snort
  • Nikto
  • osquery

Alternatively, security teams could look to a 3rd party commercial solution. Naturally, there are advantages and disadvantages to each route, and there are a number of different factors that must be considered. (Take a look at this OSSEC vs osquery comparison) These can include the time, effort, people and skills required with each approach, and of course, cost. It’s also not a one or the other, black and white decision. A blend of built-in, open source and commercial tools can co-exist just as well.

With that in mind, let’s take a closer look at two ways in which you can implement endpoint security for Linux threat prevention.

1. Built-in and/or open source (i.e. DIY)

There are numerous security tools that are available within the operating system and/or from the open source community. A good example of this can be found when looking at the process of monitoring audit logs. Audit logs are used generally when monitoring for certain “events” that occur on a Linux system. Examples of these events include:

  • File access
  • User authentication
  • Process execution
  • Network socket activity

Whenever an audit event happens, your security team must be able to collect and store the data for analysis. That data may then be correlated with your threat intelligence feeds and/or other data collected from various sources. Ultimately, a decision is made about whether or not that event is something that needs to be investigated further and/or action taken upon. (Read more here: Conducting a Vuln Assessment for Linux Servers)

For building out a data pipeline for monitoring audit logs there are a number of tools available. Just to name a few, you might use auditd, syslog-ng, rsyslog, Auditbeat and/or Logstash. Regardless of the tool(s) selected there is significant effort that goes into this DIY project. As mentioned above, there are a number of factors to consider. And really, a number of phases of work as well. From design, build, implementation, maintenance, monitor and actual usage there is simply a lot of work to be done. If you’ve considered the factors and phases of work that go into this decision, this may very well be the route your team chooses.

This do-it-yourself approach is possible with native tooling and open-source solutions. However, you will need people who possess the technical knowledge and skill set to deploy this solution for Linux endpoint security.

2. Third-party Vendor Solution

Essentially, third-party vendors offer a similar solution in the form of a commercial tool. The major benefit of using vendors is that much of the heavy lifting is handled for you, freeing your time and resources to focus on other, likely more valuable, tasks. The other major benefit of a vendor solution is very often there are multiple use cases that can be covered with a single solution. In the example above, we discussed the process of monitoring audit logs. But if you also wanted to audit what ports were open on a Linux server or the current state of patches, you would need a different set of tools. And that adds to the amount of work to be done in a DIY setup as well as the overall complexity. Given that each of these use cases involve various pieces of Linux endpoint telemetry, it’s more likely that a vendor solution will be able to meet these various needs.

Your internal security team will still have responsibility for monitoring events or conducting investigations into suspicious incidents. The vendor provides a technical solution to retrieve critical data and ensure your team is notified of issues. And the vendor is typically responsible for all maintenance related to the solution as well in addition to providing new features and functionality to continually improve the solution. In security, there is always something new to be concerned with and having a trusted vendor helping you stay on top of things can be particularly valuable.

Ideally, your security team should not be responsible for the entire data pipeline in your organization. If you opt for a vendor instead of the DIY route, your organization will have much better support with regard to data analysis, data management, and threat prevention.

Get the tailor-made solution you need with Uptycs.

Today, all security teams must ensure they have a solid strategy for Linux endpoint security as it has a critical role in data systems and global business. Getting the fundamentals right provides an excellent foundation, but it doesn't end there. Your security team will need to remain proactive with endpoint security, especially for Linux threat prevention.

Uptycs is a scalable solution using osquery-powered security analytics which offers support for your entire data pipeline; from collection and analysis to detection. Furthermore, Uptycs is a flexible platform, so we can customize the Linux endpoint security system to your organization’s environment, effectively offering a tailor-made solution. If you’d like to learn more about how Uptycs works, get in touch.