One of the most popular talks at our summer Oasis 2016 event was delivered by Adam Bridge, Head of Forensics and looked at how organisations can reduce the time to remediation upon discovering a compromise.
Context has been working with various organisations that have suffered breaches of their network for many years and has seen an array of different methods of attack carried out. One of the biggest flaws we continue to see organisations have is, despite having a variety of excellent security measures in place, they fail to secure the endpoint and by doing so they leave themselves vulnerable to attacks.
Securing the endpoint is critical: not only can it control the access processes have to the corporate network, it also helps to significantly reduce the time to remediation should an organisation suffer a breach.
The endpoint is what the attackers are aiming to compromise, the attackers have to get on an endpoint so that they can start executing their code and moving laterally, this is the purpose of the attack and where the true execution will eventually happen. Endpoints can include any device that has access to the network, for example, laptops, PCs, servers and smart phones.
Overview
- Endpoint protection is critical for any organisation.
- Recent stats highlight that those with endpoint protection see a significantly reduced time to detect a compromise than those who don’t have endpoint security.
- We’re still seeing breaches taking place because of simple mistakes such as clicking on malicious emails, drive-by downloads and malvertising.
Why are breaches still occurring?
We continue to see successful breaches taking place due to simple mistakes. These include, phishing emails – still one of the key ways an attacker accesses an organisation’s networks, or malvertising – the use of online advertising to spread malware; and even ‘drive-by’ downloads - this usually refers to someone being engineered to click onto a website where the browser, app or operating system has been exploited to deliver a malicious download to their endpoint.
All of these could be avoided or the risk reduced with some simple checks and updates. For example, a typical endpoint security solution will include application whitelisting: a way of limiting the folders from which an executable can be launched. We would probably allow the Windows, but wouldn’t allow a user’s temp folder – a place from where many malicious executables are launched.
The stats
Recent reports suggest that the majority of organisations are notified of a recent breach by an external party [1], such as an official body, their bank or even an independent researcher. On average, when a company has been notified by an external party, it has been over 320 days from the date of compromise to the date of notification. If the breach was noticed internally, that number was reduced significantly to an average of 56 days, which is still a notable amount of time.
The reports also show the speed it takes to compromise a network is getting quicker [2]; more than 80% of compromises happen in minutes. There has been improvement in the time it takes to discover that compromise and this improvement is continuing. But, currently the attackers are still outdoing this improvement: the attackers are getting quicker at attacking than the discoverers are at discovering.
Securing the endpoint
It’s often seen that organisations have numerous security measures in place that all work well, but these various devices need to work together for the best security posture. By having endpoint protection, you can control the access certain devices have to resources on your corporate network and, most crucially, analyse any changes that have occurred on the endpoints throughout; importantly, any newly executed applications will typically be highlighted. Having a log of recent activity provides invaluable information for a team looking at remediating the compromise and ultimately can significantly reduce the attack surface available to attackers.
Conclusions
In summary, endpoint protection has an obvious and important place in any organisation, without it an organisation is lacking something critical. As well as complementing other technology such as IDS or IPS, AV and full packet capture, (it doesn’t replace them) it also cuts down time to identify a compromised host and therefore, cuts down remediation time which, in most situations, is crucial.
More information
You can view the video of the presentation here and read the slides for the presentation here. If you would like to know more about end point protection, please do not hesitate to contact us, info@contextis.co.uk or 0207 537 7515.
You can find out more about our Oasis events here, if you would like any more information, please email oasis@contextis.co.uk.