Uptycs Blog

Welcome! The Uptycs blog is for security professionals and osquery enthusiasts interested in exploring new ideas in cloud security. We hope you’ll enjoy our blog enough to subscribe and share.

Endpoint Visibility: 5 Best Practices To Optimize Your Security

Endpoint Visibility: 5 Best Practices To Optimize Your Security

Endpoint visibility is crucial because most attacks begin on endpoints used by people—not the firewall or your servers. Typically, attackers gain control over these entry points to the network through techniques like phishing; from there, they can move laterally to access your servers. This type of activity currently accounts for over 80% of reported incidents, according to CSO.

Therefore, it’s crucial to have visibility over all endpoints so you can identify issues before they escalate.

In this article, we’ll discuss two misconceptions about endpoint visibility, and explain five best practices that lay the foundation for an effective endpoint security strategy.

What is endpoint visibility?

Endpoint visibility requires access to telemetry from all endpoints to enable the observation of the current state of an endpoint, and also the behavior or activity that occurs on that endpoint. With a centralized endpoint management platform, your company will be better informed about potential security issues as they arise.

Endpoint visibility is more important now than it’s ever been because of the growing threat of a breach in this data-driven age. (Tweet this!) If an enterprise doesn’t take action to protect these vulnerable points, there may be blind spots, which means attackers have a better chance of carrying out their plan successfully.

There are, however, some misconceptions about endpoint visibility that, if left unchecked, can leave a business exposed.

Myth #1: User endpoint visibility is less important than server monitoring and visibility.

When it comes to protection, user endpoints (i.e. your employees’ laptops and desktops) often take a backseat to servers, which are considered the home of an organization’s "crown jewels," including applications and data stores. Thus, businesses are satisfied with applying only a minimal security strategy to user endpoints, typically consisting only of anti-virus software.

According to TechRepublic, a recent survey by Morphisec and Ponemon found that traditional antivirus products missed an average of 60% of endpoint attacks. Anti-virus combined with an endpoint visibility program could then help make user endpoints the best place to stop an attack, before it causes any additional damage.

Myth #2: Built-in security tools are always the best option.

As an example, Linux provides out-of-box tools to audit and monitor system behavior. Many organizations rely solely on these built-in features and tools, believing they alone are all that is needed. And while these are very powerful and capable tools, there typically comes a tradeoff between the time and resources for administrators to configure and maintain these tools vs. the other operational work those folks could be doing. Not to mention, in a cross platform environment with multiple OS types, having tools that work consistently across the board will typically result in a better overall experience.

5 Best Practices To Achieve Optimal Endpoint Visibility

Here are five security tasks that can improve endpoint visibility:

1. Monitor and observe process executions.

Your team needs to know the details of all activities on your endpoints, including what processes get executed, where they were executed from, what files were accessed, and what sockets were opened. Process executions and the associated detail (i.e. full command line that was executed, process ancestry, process hash, etc…) are critical for identifying unauthorized and/or potentially malicious activity.

Monitoring this activity gives you a holistic view of the security environment, which is fundamental to effective endpoint detection and response. And having clear visibility in this area allows your security team to take advantage of threat intelligence, to help identify known threats and respond in a timely fashion.

2. Assess the software packages installed on your endpoints.

Good asset inventory is crucial. It's important to know what programs are installed on endpoints, and whenever the software is updated. If you remain alert to software changes, you will be much better positioned to detect any vulnerabilities in the environment.

3. Use file integrity monitoring.

Don’t simply set and forget all your files. You should keep a close eye on the critical system and/or application files on an endpoint to make sure nothing is compromised or modified by someone without proper privileges. For example, a SaaS application provider may use file integrity monitoring to monitor their core application files and related configurations for any unusual deviations. Then in the case someone who shouldn't have permission gains access or edits a critical file path, the security team will be alerted and can respond right away. Ultimately, this would not only provide a better security posture, but also help limit downtime for their customers.

4. Conduct thorough configuration management.

You need the ability to detect configuration changes within your environment. Audit your endpoints to see if there is any drift from your established best practice settings. Not only could this impact your company’s alignment with compliance and regulatory standards, but it could impact your security posture as well. For example, someone may modify SSH server configurations or change local firewall policies, which could open up your attack surface. By having a firm handle of configuration management and auditing, this situation could be avoided.

5. Scrutinize user authentications.

User authentications on the endpoint are a critical component of identifying attackers or unauthorized users. Keep a close watch here to discern genuine users from attackers. Knowing if a user typically authenticates to a particular server as a baseline, for example, would help later on in a potential investigation into authentication attempts to that same server. Tracking authentications is also a required component of various compliance and regulatory standards so it’s a good idea to just have this in place at the foundation.

Looking to enhance your endpoint visibility?

Learn more about how osquery—a lightweight universal agent—provides robust endpoint telemetry for fleet visibility, intrusion detection, vulnerability monitoring and more by watching these power-user sessions from the recent osquery@scale conference.

 

Photo by Amanda Dalbjörn on Unsplash