Why should your endpoints be an important part of your network security strategy? Because even though they are out in the wild, endpoints are part of your network! We really should stop viewing endpoint devices as being separate from the rest of the network. The truth is, once an endpoint device connects to your network, it is part of your LAN/WAN and is a security concern. This means that each device with a remote connection creates a potential entry point for security threats.
One of the obstacles that security teams face with locking down endpoints, like those pesky BYOD devices, is that they mostly rely on solutions that require something to be installed on their device. Making sure that the monitor is updated, running properly, and hasn’t been compromised can be difficult to manage. Not to say that there aren’t applications out there that can help overcome this obstacle, but the obstacle is real nonetheless. Still, monitoring via an endpoint client doesn’t address the issue of monitoring the traffic for specious activates.
Visibility is the key, but how?
Today’s networks are getting far more complex and the lines between the traditional network and the cloud network are blurry. In most cases, with technology like BYOD, wireless connections, VPNs, and cloud-based services, there’s not a lone point of entry and exit anymore. Because of that, we just can’t lock things on the firewall and walk away. You need to be able to see and monitor those devices traffic for suspicious activity.
So how can admins obtain this visibility and in a way that is easily managed? This is where traffic metadata comes into play. Many of today’s vendors support flow technology that records conversation data. Examples of this are NetFlow, IPFIX, AppFlow, etc. With this flow data, we have a record of each and every conversation. We know who was talking to whom, when they were saying it, and what they were saying. Best of all, this data comes from your routers, firewalls, access points, switches, load balancers, and more. With this model you have core devices reporting on traffic from all your endpoints. You now have visibility with less responsibility!
Security! Security! Security!
I know what you’re saying: “Jimmy D, you’re trying to pull a fast one aren’t you?” I can understand. From the top view it looks like you are trading a management nightmare for a data nightmare, but that’s not the case. Typically the metadata collector is designed to store and report on this vast amount of data. Scrutinizer, for example, can handle millions of flows per second and still report almost instantly. So the real question is, how does this help with security?
The point of endpoint security it to protect networks that are remotely bridged to client devices. You can gain visibility into this traffic by using flow metadata. Flow metadata, like NetFlow, has evolved considerably in the past years. It provides contextual information that can be used by systems to detect abnormalities in that network’s traffic. In Scrutinizer, we have the Flow Analytics engine that takes this flow data and looks for Indicators of Compromise (IOCs). It also monitors the IOCs for multiple incidents per host. In most cases, the generated alert is escalated for investigation.
Again, even though these endpoints are remote devices, they are still part of your network. With flow technology and the right collector, you can now see those conversations. Most importantly, you can monitor them for suspicious activities.
The right tool for the right job.
For example, maybe a tablet or a phone connected via VPN and was infected by an app. Mobile Malware Infections like these are not all that uncommon. Client-side security on the endpoint may or may not catch the issue at this level. Let’s say the infection becomes active and starts to do network recon. At this point Scrutinizer would be able to see the suspicious traffic patterns like ICMP Scans, SYN scans, RST/ACK attacks, and more. Once that alert is raised you can then use Scrutinizer as your main forensics tool for investigating the incident. You can quickly find out who the infected person was, who they were talking to, and how they were doing it.
Now we’ve found the violating endpoint, but how can this help secure the entire network? Because we collect all the conversations on the network, we can easily search for anyone else on the network who was communicating in a similar manner. This is powerful!
Best of all, you are not limited to what is happening now. Scrutinizer will save all of this data for as long as you need it. So when an issue does comes to light you still have the historical data to easily search through. You of course have more options like building your own monitors, multiple levels of alerting, or integration into your SIEM or security suite, but in the end having a strong foundation of granular data is what turns your security incident from something that is on the six o’clock news to a non-issue.
Is one of your requirements is improving your security posture and gaining deeper visibility but you don’t know where to start? Why not evaluate Scrutinizer?