Best Practices for Maintaining Endpoint Security
The threat landscape is becoming increasingly hostile.
You throw the switch and everyone holds their breath. Weeks or months of work are being put to the test, and the team is on edge as you wait for confirmation that your high-profile security project has been a success.
The rollout of an Endpoint Detection and Response (EDR) system is always a dramatic and anxiety-inducing event. In this article, we'll look at common challenges organizations face when implementing this type of endpoint security solution. We'll also explore how to handle these situations before they become major problems.
Nobody knows your environment's quirks better than you do. And since all IT environments are unique, they all present unique installation challenges.
For any security solution, picture-perfect rollout is always the goal, but it's not always possible. The composition of each network environment can be different. So it's not uncommon to discover a few snags in the plan when you roll out your EDR.
It could be as straightforward as configuration missteps. Sometimes, existing user roles and security permissions impede integration. Or, you may encounter more pernicious issues, like software application incompatibility and bugs. It happens.
Corporate IT infrastructures accumulate many custom software and hardware layers over the years. The intent is always to integrate systems across diverse endpoints, servers, applications, and physical office locations. But it makes adding an EDR into critical IT infrastructure an anxiety-provoking prospect.
If this concern strikes home, consider setting up a lab environment. Use it to build a proof of concept (POC) prior to signing a purchase agreement.
Your environment's unique peculiarities present challenges when integrating an EDR or similar systems.
A good POC will allow your engineers to learn the specific hardware and software requirements and quirks of a given solution. They'll be able to discover and account for issues, and (hopefully!) provide the functionality everyone wants.
2. False Positives
False positives are a big problem in security systems. EDRs are no exception. According to a recent study conducted by the Ponemon Institute, up to 55 percent of alerts generated by endpoint security solutions are invalid. These false positives waste valuable time for both users and IT staff and cause considerable annoyance.
And the problem of false positives is only getting worse. With the growth in threats detected by systems, many see a corresponding increase in spurious notifications.
EDR solutions always encounter new files and unique traffic from the Internet — for every user. Compounding this situation, threats are constantly evolving, and their volume and severity are increasing.
Because the purpose of an EDR is to secure endpoints and the networks they lead to, the tendency is to err on the side of caution. This means there are times when some benign traffic is mistaken for indicators of compromise and attack. And so, the alarm sounds over and over.
In the best case scenario, it means that your security staff will waste valuable time sorting the wheat from the chaff.
In the worst case, it could result in erroneous lockdown events. And nobody wants users’ access to legitimate, business-critical applications blocked.
Focus first on establishing a consistent, steady state in a development environment or a POC, as mentioned above. The engineering team must tune the system prior to rollout.
This can be done by setting the system to log-only mode, and then sending real user traffic to the EDR. It will gather and assess data but take no other actions. During this data acquisition phase, the engineers will monitor the threat detection behavior and adjust how it responds to events. This way, although some number of false positives will persist, the majority of events detected will be handled appropriately before the EDR goes into production.
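One way to turn the log-only phase into concrete tuning decisions, as an added example that is not code from the article or from any EDR product: it assumes the EDR can export detections as JSON Lines with constructed field names (`rule`, `process`, `disposition`) and that analysts labelled each detection `tp` or `fp` during data acquisition.

```python
"""Tune EDR detections from a log-only (audit-mode) export.
Added example, not from the article or any vendor: assumes JSON Lines
records with constructed field names and analyst labels "tp"/"fp".
"""
import json
from collections import defaultdict

# Constructed export: (rule, process, analyst disposition).
_ROWS = [
    ("susp_certutil_download", r"C:\Program Files\AcmeBackup\certutil.exe", "fp"),
    ("susp_certutil_download", r"C:\Program Files\AcmeBackup\certutil.exe", "fp"),
    ("susp_certutil_download", r"C:\Program Files\AcmeBackup\certutil.exe", "fp"),
    ("susp_certutil_download", r"C:\Windows\System32\certutil.exe", "tp"),
    ("susp_powershell_encoded", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "tp"),
    ("susp_powershell_encoded", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "tp"),
    ("susp_powershell_encoded", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "fp"),
    ("office_spawns_shell", r"C:\Program Files\Inventory\inv.exe", "fp"),
    ("office_spawns_shell", r"C:\Program Files\Inventory\inv.exe", "fp"),
]
LOG_ONLY_EXPORT = "\n".join(
    json.dumps({"rule": r, "process": p, "disposition": d}) for r, p, d in _ROWS)

def parse_export(text):
    """One detection per JSON line; blank lines skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def rule_precision(records):
    """Per-rule precision TP / (TP + FP) from analyst dispositions."""
    counts = defaultdict(lambda: {"tp": 0, "fp": 0})
    for rec in records:
        counts[rec["rule"]][rec["disposition"]] += 1
    return {rule: c["tp"] / (c["tp"] + c["fp"]) for rule, c in counts.items()}

def exclusion_candidates(records, min_hits=3):
    """(rule, process) pairs that were only ever false positives, seen at
    least min_hits times: a narrow exclusion that keeps the rule itself live."""
    pairs = defaultdict(lambda: {"tp": 0, "fp": 0})
    for rec in records:
        pairs[(rec["rule"], rec["process"])][rec["disposition"]] += 1
    cands = [(pair, c["fp"]) for pair, c in pairs.items()
             if c["tp"] == 0 and c["fp"] >= min_hits]
    return sorted(cands, key=lambda item: -item[1])

def tuning_report(text, precision_floor=0.5, min_hits=3):
    """Rules under the floor need rework before they may block; exclusions
    are the cheaper first fix when one benign program is the whole noise."""
    records = parse_export(text)
    precision = rule_precision(records)
    return {"noisy_rules": sorted(r for r, p in precision.items() if p < precision_floor),
            "exclusions": exclusion_candidates(records, min_hits)}
```

Run the report after each tuning pass during the acquisition phase; a rule that stays below the floor is a candidate for alert-only rather than block mode when you go to production.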
3. Updating and Patching
Be honest. Do you dread Patch Tuesday?
Updates are a source of anxiety for IT departments and security staff the world over.
It's not unheard of for OS updates to introduce instability or conflicts in production. These issues also apply to your enterprise security software.
Updates can sometimes result in unwelcome surprises. You might find that access to some applications has unexpectedly changed because of a patch. Following an update, your users might complain that their normal work procedures are disrupted.
Of course, you must also maintain control over your network and protect your employee and customer data. Deploying updates is a necessity. How do you resolve this dilemma?
There are many ways to mitigate these problems, although they cannot be entirely prevented. Begin by scheduling installation of updates in advance. Make sure employees are aware of the schedule so they can prepare. That preparation might include basic steps like saving their work and shutting down their applications before the update begins. Your users should also be notified of any changes to the software that could directly affect them. They should also know whom to contact if they do encounter a problem.
For non-critical updates, consider a staggered, gradual rollout. Avoid a single mass-update event when it makes sense. By updating only a small number of systems first, you can get feedback about stability from end users (see challenge #4 below).
And of course, test updates to mission-critical applications in your dev environment before pushing updates into production!
4. User Frustration
People don't like change, and endpoint protection systems sometimes change how users get their work done. So when familiar processes are changed, don't be surprised when employees get frustrated and push back.
Users may find device or application performance is impaired, or some actions now need administrative privileges. If their usual tasks take longer to do, it's easy to understand why they're grumpy!
While you might find it difficult to strike a balance between security and ease of use, whatever you do, don't tune out your users.
In fact, you'll be doing yourself a huge favor if you do exactly the opposite. Gather as much feedback as possible from users to identify potential problems in the integration of the EDR.
If there's a genuine problem with the implementation, listen to your users. They're the ones who use these systems as a regular part of their workday. They'll know when something isn't right. Work with them to come to a resolution.
You may find workarounds that are a good compromise. Sometimes, a procedure might change to include extra steps. Try to come to an understanding that gets everyone back to work.
5. Analyzing Log Events
When it comes to infosec, we all want to know what's lurking below the surface. And a big part of our jobs is being aware when there's a problem.
To make decisions, you need data. Well, you're in luck, because EDRs generate a lot of data. Of course, that's also kind of the point.
The amount of data we have to deal with is increasing too. Organizations are seeing growth in security data collected — more than 75 percent of respondents saw increased volumes.
The world is increasingly interconnected. More and more of the world's population is coming online. Because of this, EDR systems will naturally encounter an increasing number of threats.
All this data can help you make informed decisions. But understanding and interpreting that ocean of data can be a challenge in and of itself.
The data provided by exploit detection and prevention subsystems is one side of the coin. The other side is your interface to that data in the form of reports. You must be able to search for and interpret the data that the system provides.
Your endpoint protection suite will include tools to help you monitor, analyze, and report on this data deluge. Be sure to check them regularly!
These tools will help you to deliver the relevant details of important events to the people who need it — the managers, analysts, and incident responders who use this data to make decisions.
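A small illustration of that last step, added here and not code from the article or from any EDR product: it collapses a constructed EDR event stream into per-host incidents (repeated firings of the same rule are counted, not listed) and orders them by severity so a responder reads the important events first. The field layout and severity scale are assumptions for this example.

```python
"""Turn an EDR event stream into a per-host incident digest for responders.
Added example, not from the article or any EDR product: events, fields
and the severity scale are constructed for this illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed EDR events: ISO timestamp, host, rule, severity.
EVENTS = [
    ("2024-05-01T09:00:05", "ws-01", "susp_powershell_encoded", "medium"),
    ("2024-05-01T09:00:07", "ws-01", "susp_powershell_encoded", "medium"),
    ("2024-05-01T09:00:09", "ws-01", "susp_powershell_encoded", "medium"),
    ("2024-05-01T09:03:40", "ws-01", "credential_dump_lsass", "critical"),
    ("2024-05-01T11:15:00", "ws-01", "susp_certutil_download", "high"),
    ("2024-05-01T09:10:00", "srv-db-02", "office_spawns_shell", "low"),
]

def correlate(events, window=timedelta(minutes=30)):
    """Group events per host into incidents: a new incident starts when the
    gap since the previous event on that host exceeds the window."""
    by_host = defaultdict(list)
    for ts, host, rule, sev in sorted(events):  # ISO timestamps sort as text
        by_host[host].append((datetime.fromisoformat(ts), rule, sev))
    incidents = []
    for host, evs in by_host.items():
        current = None
        for ts, rule, sev in evs:
            if current is None or ts - current["last"] > window:
                current = {"host": host, "first": ts, "last": ts,
                           "rules": {}, "max_sev": 0}
                incidents.append(current)
            current["last"] = ts
            current["rules"][rule] = current["rules"].get(rule, 0) + 1  # fold repeats
            current["max_sev"] = max(current["max_sev"], SEVERITY[sev])
    # Most severe first; ties broken by the earliest incident.
    return sorted(incidents, key=lambda inc: (-inc["max_sev"], inc["first"]))

def digest(events):
    """One line per incident: severity, host, time span, rules with hit counts."""
    lines = []
    for inc in correlate(events):
        rules = ", ".join(f"{r} x{n}" for r, n in inc["rules"].items())
        lines.append(f"[sev {inc['max_sev']}] {inc['host']} "
                     f"{inc['first']:%H:%M}-{inc['last']:%H:%M}: {rules}")
    return lines
```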
The threat landscape is increasingly hostile. The Internet of the 21st century demands a heightened cybersecurity awareness if you intend to survive.
Because of this, developing a multi-layered and interconnected security stance is a necessity.
An EDR alone is not able to single-handedly prevent threats, nor is it intended to. It is just one tool in your security toolbelt.
EDRs are reactive — they detect and respond. Since the source of a threat can be spoofed or obfuscated, an EDR can generate false positives or fail to generate any alarm at all on genuine malware intrusions. An EDR is not capable of handling advanced threats, zero-day exploits, or otherwise obfuscated or unknown attack vectors.
A serious security stance requires automated and semi-automated threat detection and prevention technologies, as well as detectionless solutions to fill in the gaps EDR cannot address. These may include remote browser isolation (RBI), data loss prevention (DLP), security information and event management (SIEM), network forensic tools, advanced threat defense (ATD), and high-level security solutions to orchestrate them all.
Invest the time in building a comprehensive endpoint security strategy and you'll be rewarded.