Endpoint Security in Action: How Security Intelligence Provides Protection for Endpoints
January 22, 2020 • The Recorded Future Team
The majority of successful IT infrastructure breaches originate at endpoint devices. An attack may not only compromise an organization’s digital assets, but also the digital assets of any customers and supply chain partners with which the organization shares IT systems and services. That makes the protection of desktops, laptops, and mobile devices a high priority for IT security teams.
In this blog, we examine how the three principles of security intelligence help endpoint security teams take on this challenge. We also present use cases illustrating how security intelligence can be leveraged to protect a company’s brand and digital infrastructure and prevent cyberattacks from impacting the infrastructures of customers and supply chain partners.
As reported by Forbes this past fall, IDC estimates that 70% of all IT infrastructure breaches originate at endpoint devices. And while each individual endpoint itself may contain a limited amount of sensitive information, every desktop, as well as every laptop and mobile device, also presents an entry point — sometimes with admin-level credentials — to the rest of your entire IT infrastructure.
One weak link could put all of your digital assets at risk — including intellectual property, customer data, and financials. It’s also important to factor in that a breach of your IT infrastructure could threaten the infrastructures of any customers and supply chain partners with which you share system integrations or web portals.
A Challenging Scenario for Endpoint Security Teams
Endpoints create a particularly challenging scenario for IT teams that manage the security of their company’s end-user devices. This is mainly because the devices are under the physical control of personnel operating outside of the IT department. And a large percentage of these devices are mobile — with end-users taking them home, on the road, and into public places where Wi-Fi access may be open to anyone and everyone.
Beyond relying on end users to choose strong passwords and avoid clicking malicious links in order to protect the information and the access these devices hold, there is the possibility of an endpoint device being stolen. Or a cybercriminal — maybe even a bad actor operating from within the company — could attempt to copy files onto a thumb drive. The scenarios are endless, but the outcome is usually the same.
All this makes it mandatory for security teams to leverage sophisticated methods to protect their organization’s endpoints. And with cybercriminal techniques constantly morphing, the methods used to strengthen endpoint security postures must continually evolve as well.
The 3 Principles of Security Intelligence
To help endpoint security teams take on this challenge, we developed a new philosophy called security intelligence. The three-pronged approach drives endpoint security policies and controls while amplifying the effectiveness of endpoint security teams and the investments they receive. This is achieved by exposing unknown threats and providing information that enables better decision-making on proactive and reactive security measures that endpoint security teams can take.
By producing a common understanding of external and internal threats, as well as threats related to customer and third-party supply chain ecosystems, security intelligence can enable your endpoint security team to accelerate risk reduction across your entire organization. The security intelligence philosophy encompasses three principles that guide endpoint security teams in building a comprehensive security strategy:
- Threat intelligence provides context around the who, what, and why of potential cyberattacks by utilizing machine learning and automation to consume and analyze massive amounts of threat data and technical research from open, closed, and dark web sources. By correlating relevant, real-time insights from all these sources with internal network data, endpoint security teams can drive faster and more informed security decisions relevant to their specific device models and operating systems deployed throughout the organization.
- Brand protection enables security teams to quickly identify what’s being targeted by threats and respond to reputational attacks against their company brand, as well as the digital risks of the company and its customers. This includes fake accounts, apps, and websites that attract redirected traffic and provision inappropriate content that can harm organizations and their customers.
- Third-party risk management helps analyze risks originating from ecosystems that share sensitive information with customers, suppliers, partners, contractors, agents, temporary workers, and other third parties. Keeping a close eye on third-party ecosystems — including the types of systems and applications they use on their endpoints — is critical. Breaches to one entity can quickly infiltrate an entire ecosystem.
By leveraging these three security intelligence principles, endpoint security teams can improve their incident response, vulnerability management, risk analysis, threat analysis, and fraud prevention capabilities, all led by information pertinent to their specific endpoint operating environment.
Endpoint Security Intelligence in Action
Applying security intelligence delivers value in several endpoint security use cases that not only defend an organization’s brand, but also prevent breaches that could in turn spread into your own infrastructure, that of your third-party supply chain, and even those of your customers. For example, IT teams can aggregate alerts about suspected phishing emails from SIEM and logging services, as well as from individual end users. An orchestration platform built upon the principles of security intelligence can automatically trigger a process to inform affected end users about the possibly malicious emails that are being investigated. This awareness reinforces a culture of security among end users, thereby aiding the IT security team in threat blocking, containment, and recovery.
The platform can also extract compromised indicators and analyze the email subject, address, and attachments to assign an incident severity value. The endpoint security team can then check for reputation red flags by cross-referencing the data against external threat intelligence databases. If any malicious indicators are found publicly, the security team can inform affected users with instructions on what to do. This information can also be used to drive conversations with the management team and executive staff as it provides the business details necessary for them to understand the impact of the threat and attack, if there is one underway.
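The triage step described above, written out as an added example rather than any vendor platform's own code: parse one constructed phishing report, extract the sender domain, linked domains and attachment names, cross-reference them against a constructed placeholder intelligence set (standing in for a query to an external threat intelligence database), and assign a severity with the reasons behind it. All domains, addresses and filenames are made-up assumptions.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed threat-intel set (placeholder domain, not a real indicator); it stands in
# for a lookup against an external threat intelligence database.
KNOWN_BAD_DOMAINS = {"login-reset.example"}
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")

# Constructed phishing email reported by an end user (all names and addresses are made up).
SAMPLE_EMAIL = """\
From: IT Helpdesk <helpdesk@login-reset.example>
Subject: URGENT: verify your password today
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your account will be suspended. Confirm at http://login-reset.example/verify
--b1
Content-Type: application/octet-stream; name="invoice.exe"
Content-Disposition: attachment; filename="invoice.exe"

AAAA
--b1--
"""

def extract_indicators(raw: str) -> dict:
    """Pull sender domain, subject, linked domains and attachment names out of a raw email."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    return {
        "sender_domain": parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower(),
        "subject": str(msg["Subject"]),
        "domains": {d.lower() for d in URL_RE.findall(text)},
        "attachments": [p.get_filename() or "" for p in msg.iter_attachments()],
    }

def assign_severity(ind: dict) -> tuple:
    """Cross-reference the indicators and return (severity 0-3, reasons for the score)."""
    reasons = []
    hits = (ind["domains"] | {ind["sender_domain"]}) & KNOWN_BAD_DOMAINS
    if hits:
        reasons.append("known malicious domain: " + ", ".join(sorted(hits)))
    if any(a.lower().endswith((".exe", ".js", ".scr", ".vbs", ".hta")) for a in ind["attachments"]):
        reasons.append("executable attachment")
    if re.search(r"urgent|verify|suspended|password", ind["subject"], re.I):
        reasons.append("credential/urgency language in subject")
    return min(len(reasons), 3), reasons
```

The reasons list is what would be passed on to affected users and to management alongside the severity value.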
Security intelligence can also be leveraged to deploy security orchestration and automated response mechanisms that ingest threat data from endpoint detection tools and then query those tools for the machine and endpoint names associated with malicious indicators. Endpoint security teams can then cross-reference the retrieved files and hashes with SIEM data to verify whether any of the indicators were already picked up and resolved by SIEM actions.
Failed user logins are another key area in which a security intelligence orchestration and response platform helps. When the number of failed logins on an end-user device exceeds the allowed maximum attempts, the affected user is automatically informed and asked to confirm whether they made the attempts. If the answer is no, the platform extracts the IP address and location from which the failed attempts were made, and then quarantines the affected endpoint.
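The failed-login playbook just described, as an added example and not any platform's own code: count failures per (endpoint, user) inside a sliding window over constructed auth log lines, prompt the user once the allowed maximum is exceeded, and, when the user denies the attempts, record the source IP and its location and emit a quarantine action. The log format, the threshold, the IP-to-location table and the `user_confirms` callback are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILED = 3                  # allowed failed attempts before the playbook fires (assumed)
WINDOW = timedelta(minutes=10)  # failures older than this no longer count
# Constructed endpoint auth log lines (not from any real system); the line format is assumed.
SAMPLE_LOG = """\
2020-01-22T09:00:01 host=LAPTOP-17 user=jdoe src=203.0.113.7 result=fail
2020-01-22T09:00:09 host=LAPTOP-17 user=jdoe src=203.0.113.7 result=fail
2020-01-22T09:00:15 host=DESKTOP-03 user=asmith src=10.0.5.21 result=fail
2020-01-22T09:00:20 host=LAPTOP-17 user=jdoe src=203.0.113.7 result=fail
2020-01-22T09:00:31 host=DESKTOP-03 user=asmith src=10.0.5.21 result=ok
2020-01-22T09:00:44 host=LAPTOP-17 user=jdoe src=203.0.113.7 result=fail
"""
# Constructed IP-to-location table standing in for a geolocation lookup.
GEO = {"203.0.113.7": "external, outside corporate ranges", "10.0.5.21": "HQ office LAN"}
LINE_RE = re.compile(r"(\S+) host=(\S+) user=(\S+) src=(\S+) result=(\S+)")

def failed_login_bursts(log: str) -> list:
    """One incident per (host, user) whose failures inside WINDOW exceed MAX_FAILED."""
    recent = defaultdict(deque)   # (host, user) -> timestamps of recent failures
    incidents, fired = [], set()
    for m in LINE_RE.finditer(log):
        ts, host, user, src, result = m.groups()
        key = (host, user)
        if result != "fail":
            recent[key].clear()   # a successful login resets the counter
            continue
        t = datetime.fromisoformat(ts)
        q = recent[key]
        q.append(t)
        while t - q[0] > WINDOW:  # drop failures that fell out of the sliding window
            q.popleft()
        if len(q) > MAX_FAILED and key not in fired:
            fired.add(key)
            incidents.append({"host": host, "user": user, "src": src})
    return incidents

def run_playbook(log: str, user_confirms) -> list:
    """Notify the user; if they deny the attempts, record source IP and location and quarantine."""
    actions = []
    for inc in failed_login_bursts(log):
        actions.append({"action": "notify", "user": inc["user"], "host": inc["host"]})
        if user_confirms(inc["user"], inc["host"]):   # e.g. a chat or email prompt in a real SOAR
            actions.append({"action": "close", "host": inc["host"], "note": "user confirmed"})
        else:
            actions.append({"action": "quarantine", "host": inc["host"], "src": inc["src"],
                            "location": GEO.get(inc["src"], "unknown")})
    return actions
```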
Digital Asset Protection for You, Your Supply Chain, and Your Customers
The continuous enhancements of digital transformation technologies are sure to bring a host of accompanying security risks. IoT networks, mobile devices, public clouds, partner networks, customer interactions, and even internal personnel all present cyber threats to endpoints. A sophisticated security approach to improve security postures and cyber resilience is more critical than ever before.
Organizations can solve this challenge with proactive security planning that incorporates the three principles of security intelligence. Doing so will minimize the impact of cyber threats, and by addressing cybersecurity across your entire organization, your endpoint security team can enable your company to maintain its competitive advantage, beginning with the most prevalent device in the infrastructure: the endpoint. The end result is better protection for your digital assets, as well as those of your supply chain partners and your customers.
Start making your move toward security intelligence today. Download the second edition of “The Threat Intelligence Handbook: Moving Toward a Security Intelligence Program” and find out how the three core principles of the security intelligence philosophy can provide a comprehensive approach to your endpoint threat mitigation strategy.