Intelligent Endpoint Security: Protection, Detection and Prevention

Jyothi Babu Thummala, Lead - Disruptive & Next Gen Security Solutions, Happiest Minds Technologies

In network security and mobility, endpoints are devices outside the corporate firewall. These are usually mobile computing devices such as laptops, tablets and mobile phones that connect to the central network. Given the nature of business today, endpoints are multiplying at a breathtaking speed. The number of mobile endpoints keeps growing because of a globally dispersed workforce that is constantly on the move and because of trends such as Bring Your Own Device (BYOD). This in turn increases the threat vectors, potential vulnerabilities and attack surfaces. The threats are becoming increasingly sophisticated, with most of them being either zero-day threats or advanced malware. Clearly, threats are gaining in intelligence, and we need an exceptionally intelligent threat defense system. This is where intelligent endpoint security steps in.

Intelligent endpoint security rises above the traditional siloed approach and provides protection, rapid detection and prevention across the complete threat defense life cycle. Siloed systems do not allow the insights gained from one system to reinforce the other systems. Many traditional approaches, such as signature-based defenses, no longer work because cyber criminals have grown more sophisticated. This makes it harder for the enterprise to protect every possible endpoint, since the criminals only need to succeed in breaching one.

Approaches based on the threat defense life cycle are the only way to go. Protection should start by curtailing all known threats and arriving at an integrated approach that focuses on endpoints and cloud interfaces. This brings together malware protection, data protection and web security management. All virtual and physical endpoints should be mapped and protected with multi-layered protection techniques such as encryption, advanced threat protection, anti-malware, command and control (C&C) blocking, browser exploit protection, application control, behavior monitoring, web threat protection, vulnerability protection and others. This part of the security should be automated to the core and should not depend on multiple platforms. It needs to be the fastest and most comprehensive barrier against threats, because it defeats the attacker's aim of getting enough time inside the system. The stronger the protection, the less dwell time the threat gets inside the system. This helps while the enterprise is busy with the second and third stages, detection and prevention.

The foremost detection requirement for intelligent endpoint security is the ability to communicate with the other security arrangements and to offer full visibility into most of the traffic. As attacks get more sophisticated, it has become increasingly difficult to detect their signature through a single analysis or intelligence source. Multi-tiered, multi-point analysis is needed to discover attacks, because the threshold at which they operate keeps getting lower. Organizations usually have several security solutions such as antivirus, gateways and intrusion prevention systems (IPS). These are positioned at different endpoint locations and hence encounter threats of different kinds. What is usually lacking, however, is an integrated architecture that allows:

- all these applications to work together as one;

- each of them to talk to the others and to see what the others are doing;

- each of them to know what kind of traffic the others are scrutinizing.

This visibility and sharing of insights exposes current and incipient threats faster and improves the speed of response. The ability to coordinate across different endpoints also allows breached endpoints to be isolated as quickly as possible, and allows other red flags, such as indicators of compromise and potential exploits, to be shared across more endpoints.

Preventing the threat from causing more damage depends directly on how quickly and how clearly it is detected. It is important to know what is going wrong or has gone wrong, what the attack surfaces are and which critical resources are under threat. Prevention hinges almost entirely on how quickly the spread of the threat is blocked by understanding its path and intent, how fast the security policies adapt to the information about the intrusion, how fast the quarantine is put in place and how fast virtual patching and lockdown take effect.

Ideally, all three stages should form a feedback loop that allows the security infrastructure to learn and improve at each of the three stages and then on an overall basis. In a nutshell, the information about every attempt to infiltrate the network (from where, how, through what kind of endpoint, at what level of the organizational hierarchy, at what threshold and with what possible intent) needs to be relayed down the stages so that the threat intelligence is understood and continuously upgraded. All incidents need to be thoroughly analyzed in real time to extract insights that can be acted on in real time or near real time.
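The sharing of indicators across endpoints described in the detection section, and the feedback loop from detection back into protection described above, can be made concrete with a small simulation. This is an added example, not code from the article or from Happiest Minds: one endpoint's behavioural detection publishes an indicator of compromise to a shared registry, the other endpoints consult that registry in their protection stage, and the resulting dwell time is recorded. The log format, host names and the domain `c2.example.invalid` are constructed for this illustration; the `IndicatorRegistry` and `Endpoint` classes are hypothetical stand-ins for a real shared intelligence store and endpoint agent.

```python
"""Shared-IoC feedback loop between endpoints (added example; all names and
telemetry are constructed, not taken from any product or the article)."""
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample telemetry:
# "<iso-time> <endpoint> <destination-domain> <verdict-from-local-sensor>"
SAMPLE_LOG = """\
2024-05-01T10:00:00 host-a c2.example.invalid beacon
2024-05-01T10:00:30 host-a updates.vendor.invalid normal
2024-05-01T10:05:00 host-b c2.example.invalid normal
2024-05-01T10:07:00 host-c c2.example.invalid beacon
2024-05-01T10:09:00 host-c cdn.vendor.invalid normal
"""


@dataclass
class Indicator:
    value: str                # here always a destination domain
    source_endpoint: str      # endpoint whose detection produced the IoC
    first_seen: datetime
    blocked_on: list = field(default_factory=list)  # (endpoint, time) pairs


class IndicatorRegistry:
    """Shared store that lets otherwise siloed endpoint sensors reinforce
    each other: a detection on one endpoint becomes protection on all."""

    def __init__(self):
        self._iocs = {}

    def publish(self, domain, endpoint, seen_at):
        if domain not in self._iocs:
            self._iocs[domain] = Indicator(domain, endpoint, seen_at)
        return self._iocs[domain]

    def lookup(self, domain):
        return self._iocs.get(domain)


class Endpoint:
    def __init__(self, name, registry):
        self.name = name
        self.registry = registry
        self.quarantined = False

    def handle(self, domain, verdict, at):
        # Protection stage: a destination already known to the registry is
        # blocked before any local analysis is needed, so the threat gets no
        # dwell time on this endpoint.
        ioc = self.registry.lookup(domain)
        if ioc is not None:
            ioc.blocked_on.append((self.name, at))
            return "blocked"
        # Detection stage: a local behavioural alert becomes a shared IoC,
        # and the endpoint is quarantined to limit spread.
        if verdict == "beacon":
            self.registry.publish(domain, self.name, at)
            self.quarantined = True
            return "quarantined"
        return "allowed"


def run_feedback_loop(log_text=SAMPLE_LOG):
    """Replay the log in time order; return per-line actions, the registry
    and the endpoint objects so the effect of sharing one detection is
    visible."""
    registry = IndicatorRegistry()
    endpoints = {}
    actions = []
    for line in log_text.splitlines():
        ts, host, domain, verdict = line.split()
        at = datetime.fromisoformat(ts)
        ep = endpoints.setdefault(host, Endpoint(host, registry))
        actions.append((host, domain, ep.handle(domain, verdict, at)))
    return actions, registry, endpoints


def dwell_seconds(ioc):
    """Seconds between the first sighting of an indicator and the most
    recent time another endpoint blocked it using the shared registry."""
    if not ioc.blocked_on:
        return 0.0
    return (ioc.blocked_on[-1][1] - ioc.first_seen).total_seconds()


if __name__ == "__main__":
    actions, registry, endpoints = run_feedback_loop()
    for host, domain, action in actions:
        print(f"{host:7} {domain:24} {action}")
    ioc = registry.lookup("c2.example.invalid")
    print("first seen on", ioc.source_endpoint,
          "blocked on", [h for h, _ in ioc.blocked_on],
          "dwell", dwell_seconds(ioc), "s")
```

In the replay, host-a's beaconing produces the indicator and host-a is quarantined; host-b and host-c then hit the same domain and are blocked by the protection stage even though host-b's local sensor rated the traffic as normal, which is the point of the integrated architecture: visibility from one sensor reinforces the others, and the dwell time on the later endpoints is zero.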