Rethinking Endpoint Security in 2022
By Carolyn Crandall, Chief Security Advocate, Attivo Networks
Compromising an endpoint is one of the most common ways for an attacker to get into an organization’s network. As more organizations grapple with hybrid workplaces and unmanaged devices, security teams need to rethink their approach to endpoint security. Endpoint detection and response (EDR) tools have strengthened endpoint protection, and multifactor authentication (MFA) has improved how users connect securely to their networks in a “work from anywhere” environment. Despite these advances, fundamental weaknesses remain in preventing credential theft and misuse, privilege escalation, and lateral movement.
Security teams can start by widening endpoint protection beyond preventing the initial compromise to identity security: protecting credentials, surfacing overprovisioned entitlements, and detecting privilege escalation and lateral movement. Newer technology can detect and disrupt an attacker’s attempts to break out from a compromised endpoint. The four steps below describe how businesses can prepare and equip themselves to stop these threats; together they reduce risk and improve ransomware readiness.
Step 1: Identity Exposure Visibility for Attack Surface Reduction on the Endpoint
The Colonial Pipeline incident showed that a single compromised password, on a legacy VPN account without multifactor authentication, can enable a devastating and disabling ransomware incident. The first step in reducing risk is finding and removing exposed credentials and privileged accounts on the endpoint (for example cached logon hashes, saved passwords, and tokens left behind by privileged sessions) to close attack paths and shrink the attack surface. Automated tools can map the relationships between accounts, endpoints, and privileges and drive remediation of risky credentials.
Step 2: Identity Exposure Visibility for Attack Surface Reduction From the Endpoint
Attackers go straight to Active Directory to gain privileged access. AD accumulates misconfigurations over years of operation and is hard to secure by hand, so attackers succeed more often than not. Assessing it has never been simpler: insights gathered from the endpoint show which exposures, misconfigurations, and vulnerabilities an attacker could exploit from that system. Automation can reduce hundreds of manual checks and weeks of data correlation to minutes. Detailed health checks cover users, devices, and the directory itself, producing indicators of exposure (IoEs), remediation reports, and advice for closing attack paths quickly.
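The kind of per-account check such an assessment performs, as an added example written for this page rather than Attivo’s code or output: it decodes userAccountControl flags, service principal names, and group membership from a constructed AD user export (account names, SPNs, and dates are invented) and labels the indicators of exposure an attacker would hunt for from a foothold on an endpoint.

```python
"""Indicators of exposure (IoE) over an Active Directory user export.

Added example, not vendor code. SAMPLE_USERS is a constructed export; the
userAccountControl bit values are the documented ones for the AD attribute.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

UAC_ACCOUNTDISABLE = 0x0002
UAC_PASSWD_NOTREQD = 0x0020
UAC_TRUSTED_FOR_DELEGATION = 0x80000      # unconstrained delegation
UAC_DONT_EXPIRE_PASSWORD = 0x10000
UAC_DONT_REQUIRE_PREAUTH = 0x400000       # AS-REP roastable

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins"}
STALE_PASSWORD_AGE = timedelta(days=365)
NOW = datetime(2022, 3, 1, tzinfo=timezone.utc)  # fixed clock so the run is deterministic


@dataclass
class ADUser:
    sam: str
    uac: int
    pwd_last_set: datetime
    member_of: set = field(default_factory=set)
    spns: list = field(default_factory=list)
    admin_count: int = 0


def check_user(u: ADUser, now: datetime = NOW) -> list:
    """Return the IoE labels that apply to one account (empty list = no findings)."""
    findings = []
    enabled = not (u.uac & UAC_ACCOUNTDISABLE)
    privileged = bool(u.member_of & PRIVILEGED_GROUPS)
    if u.spns and enabled:
        # Any authenticated user can request a service ticket for this SPN and crack it offline.
        findings.append("KERBEROASTABLE")
        if privileged:
            findings.append("KERBEROASTABLE_PRIVILEGED")
    if u.uac & UAC_DONT_REQUIRE_PREAUTH:
        findings.append("ASREP_ROASTABLE")
    if u.uac & UAC_PASSWD_NOTREQD:
        findings.append("PASSWORD_NOT_REQUIRED")
    if privileged and u.uac & UAC_DONT_EXPIRE_PASSWORD:
        findings.append("PRIVILEGED_PASSWORD_NEVER_EXPIRES")
    if enabled and now - u.pwd_last_set > STALE_PASSWORD_AGE:
        findings.append("STALE_PASSWORD")
    if u.uac & UAC_TRUSTED_FOR_DELEGATION:
        findings.append("UNCONSTRAINED_DELEGATION")
    if u.admin_count == 1 and not privileged:
        # Left a protected group, but the AdminSDHolder-stamped ACL remains: easy to overlook.
        findings.append("ORPHANED_ADMINCOUNT")
    return findings


def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample export (names, SPNs and dates are invented for the example).
SAMPLE_USERS = [
    ADUser("svc_sql", 0x10200, _utc(2018, 6, 1), {"Domain Admins"},
           ["MSSQLSvc/db01.corp.example:1433"], admin_count=1),
    ADUser("legacy_app", 0x400200, _utc(2022, 1, 10), {"Domain Users"}),
    ADUser("old_admin", 0x200, _utc(2021, 1, 15), {"Domain Users"}, admin_count=1),
    ADUser("disabled_svc", 0x202, _utc(2017, 3, 3), {"Domain Users"}, ["HTTP/legacy.corp.example"]),
    ADUser("jdoe", 0x200, _utc(2022, 2, 20), {"Domain Users"}),
]


def assess(users=SAMPLE_USERS) -> dict:
    """Map each account with at least one finding to its list of IoE labels."""
    results = {u.sam: check_user(u) for u in users}
    return {sam: f for sam, f in results.items() if f}


if __name__ == "__main__":
    for sam, findings in assess().items():
        print(f"{sam:14} {', '.join(findings)}")
```

A disabled account with an SPN is deliberately not reported as Kerberoastable, and a stale password is only reported on enabled accounts, so the report stays focused on paths an attacker can actually use today.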
Step 3: Identity Exposure Visibility for Attack Surface Reduction for Cloud Infrastructure Entitlement Management
Analyst estimates put the share of cloud entitlements that are overprovisioned and never used at around 95%. Human and non-human identities inherit their cloud entitlements from group membership, which speeds migration but has also caused an explosion in the attack surface that organizations must manage. Azure and AWS express entitlements differently, adding to the complexity. Cloud infrastructure entitlement management (CIEM) solutions add automation that surfaces exposures and drift from security policy, for example an account that policy requires to use MFA but whose user has turned it off.
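An added example of the two checks just described, written for this page rather than taken from any CIEM product: it expands IAM-style wildcard grants against a small constructed action catalogue, subtracts the actions actually seen in CloudTrail-shaped usage records to find never-used entitlements, and flags console users whose MFA is off. The principals, grants, usage records, user inventory, and the catalogue itself are all invented.

```python
"""Unused-entitlement and MFA-drift checks in the style of a CIEM tool.

Added example with constructed inputs: an IAM-like grant inventory, a handful
of CloudTrail-shaped usage records, and a user inventory. None of it comes
from a real account.
"""
import fnmatch
from collections import defaultdict

# Constructed, deliberately tiny action catalogue (real providers expose thousands of actions).
ACTION_CATALOGUE = {
    "s3": ["GetObject", "PutObject", "DeleteObject", "ListBucket", "DeleteBucket"],
    "ec2": ["DescribeInstances", "RunInstances", "TerminateInstances"],
    "iam": ["PassRole", "CreateUser", "AttachUserPolicy"],
}
# Unused grants of these actions are worth escalating: each enables escalation or destruction.
HIGH_RISK = {"iam:PassRole", "iam:CreateUser", "iam:AttachUserPolicy",
             "s3:DeleteBucket", "ec2:TerminateInstances"}

# Hypothetical grants: principal -> allowed action patterns in IAM wildcard syntax.
GRANTS = {
    "ci-deployer": ["s3:*", "ec2:Describe*", "iam:PassRole"],
    "data-pipeline-role": ["s3:GetObject", "s3:PutObject"],
    "alice": ["*"],
}

# Constructed CloudTrail-shaped records for the review window.
USAGE = [
    {"userIdentity": {"userName": "ci-deployer"}, "eventSource": "s3.amazonaws.com", "eventName": "PutObject"},
    {"userIdentity": {"userName": "ci-deployer"}, "eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"userIdentity": {"userName": "ci-deployer"}, "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"},
    {"userIdentity": {"userName": "data-pipeline-role"}, "eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"userIdentity": {"userName": "alice"}, "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"},
    {"userIdentity": {"userName": "alice"}, "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances"},
]

# Constructed user inventory: console users are expected to have MFA; pure API principals are not.
USERS = [
    {"name": "alice", "console_access": True, "mfa_enabled": False},
    {"name": "bob", "console_access": True, "mfa_enabled": True},
    {"name": "ci-deployer", "console_access": False, "mfa_enabled": False},
]


def expand(pattern: str) -> set:
    """Expand an IAM-style pattern ("s3:*", "ec2:Describe*", "*") against the catalogue."""
    svc_pat, _, act_pat = pattern.partition(":")
    act_pat = act_pat or "*"            # a bare "*" means every service and every action
    matches = set()
    for svc, actions in ACTION_CATALOGUE.items():
        if not fnmatch.fnmatchcase(svc, svc_pat.lower()):
            continue
        for act in actions:
            # IAM action names are matched case-insensitively.
            if fnmatch.fnmatchcase(act.lower(), act_pat.lower()):
                matches.add(f"{svc}:{act}")
    return matches


def observed_usage(records) -> dict:
    """principal -> set of 'service:Action' actually exercised in the window."""
    used = defaultdict(set)
    for r in records:
        svc = r["eventSource"].split(".")[0]
        used[r["userIdentity"]["userName"]].add(f"{svc}:{r['eventName']}")
    return used


def find_unused_entitlements(grants=GRANTS, records=USAGE) -> dict:
    """Per principal: effective vs used actions, the unused remainder, and a least-privilege suggestion."""
    used = observed_usage(records)
    report = {}
    for principal, patterns in grants.items():
        effective = set().union(*(expand(p) for p in patterns))
        unused = effective - used[principal]
        report[principal] = {
            "granted": len(effective),
            "used": len(effective & used[principal]),
            "unused": sorted(unused),
            "high_risk_unused": sorted(unused & HIGH_RISK),
            "suggested_policy": sorted(effective & used[principal]),
        }
    return report


def find_mfa_drift(users=USERS) -> list:
    """Console-capable identities with MFA turned off: drift from an MFA-required policy."""
    return [u["name"] for u in users if u["console_access"] and not u["mfa_enabled"]]


if __name__ == "__main__":
    for principal, r in find_unused_entitlements().items():
        print(f"{principal}: {r['used']}/{r['granted']} used, high-risk unused: {r['high_risk_unused']}")
    print("MFA drift:", find_mfa_drift())
```

The "suggested_policy" field is the used set only; before shipping it as a least-privilege policy a practitioner would widen the observation window to cover infrequent jobs (month-end, disaster-recovery drills) that this short sample cannot see.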
Step 4: Identity Detection and Response (IDR)
Many organizations are adopting IDR alongside EDR to address credential theft, misuse, and privilege escalation. IDR uses several strategies. Concealment technology detects and derails credential theft and misuse; it differs from traditional deception in that it hides real production credentials and AD objects from attacker tools rather than only planting fake ones. Policy-based credential controls can prevent attackers from misusing legitimate credentials, and binding credentials to the applications allowed to use them plays a powerful role in zero-trust architectures and least-privilege administration. Disinformation, lures, and decoys also detect lateral movement and frustrate endpoint fingerprinting.
IDR solutions also surface indicators of compromise (IoCs) that evidence attack activity. Suppose an attacker tries to elevate privileges after enumerating Active Directory: the solution can detect and alert on suspicious password changes, mass account changes, brute-force attacks, reactivation of disabled accounts, and other dubious actions.
As organizations and governments rethink endpoint security, the biggest gaps to close will be identity exposure visibility and identity detection and response. With industry figures putting the average time to run an exploit at under five days, preventing attackers from using identities to break out from an endpoint belongs in every CISO’s budget this year.
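The detections listed above, as an added example that is not vendor code: four rules over a constructed timeline of Windows Security events (the event IDs are the real Windows ones; the accounts, addresses, and helpdesk allowlist are invented) that flag a brute-force burst followed by a successful logon, a disabled account being re-enabled, mass account changes by one subject, and password resets by anyone outside a hypothetical allowlist.

```python
"""Identity detection rules run over Windows Security events.

Added example, not vendor code. EVENTS is a constructed timeline that mirrors a
subset of Security log fields: 4624/4625 logon success/failure, 4722 account
enabled, 4724 password reset by another user, 4725 account disabled, 4726
account deleted, 4738 account changed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BRUTE_FORCE_THRESHOLD = 5                      # 4625s per (target, source) ...
BRUTE_FORCE_WINDOW = timedelta(minutes=5)      # ... within this window
MASS_CHANGE_THRESHOLD = 3                      # distinct accounts touched by one subject ...
MASS_CHANGE_WINDOW = timedelta(minutes=10)     # ... within this window
REACTIVATION_LOOKBACK = timedelta(days=30)
AUTHORIZED_RESETTERS = {"helpdesk-svc", "admin.jsmith"}   # hypothetical allowlist for 4724
ACCOUNT_CHANGE_IDS = {4722, 4724, 4725, 4726, 4738}


def ev(ts, eid, subject, target, ip="-"):
    return {"ts": datetime.fromisoformat(ts), "id": eid, "subject": subject, "target": target, "ip": ip}


# Constructed timeline: a spray against jdoe succeeds, then jdoe re-enables a dormant
# admin and resets three other accounts. The 09:00 helpdesk reset and the two failed
# logons for bob are benign noise the rules must not fire on.
EVENTS = [
    ev("2022-03-01T07:30:00", 4725, "admin.jsmith", "old_admin"),
    *[ev(f"2022-03-01T08:00:{s:02d}", 4625, "-", "jdoe", "10.0.5.23") for s in range(0, 60, 10)],
    ev("2022-03-01T08:01:10", 4624, "-", "jdoe", "10.0.5.23"),
    ev("2022-03-01T08:15:00", 4722, "jdoe", "old_admin"),
    ev("2022-03-01T08:16:00", 4724, "jdoe", "svc_backup"),
    ev("2022-03-01T08:16:30", 4724, "jdoe", "svc_sql"),
    ev("2022-03-01T08:17:00", 4724, "jdoe", "admin.jsmith"),
    ev("2022-03-01T09:00:00", 4724, "helpdesk-svc", "bob"),
    ev("2022-03-01T09:05:00", 4625, "-", "bob", "10.0.7.9"),
    ev("2022-03-01T09:05:30", 4625, "-", "bob", "10.0.7.9"),
]


def detect_brute_force(events):
    """Burst of failed logons per (target, source); escalate if a success follows the burst."""
    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        key = (e["target"], e["ip"])
        if e["id"] == 4625:
            failures[key].append(e["ts"])
        elif e["id"] == 4624:
            successes[key].append(e["ts"])
    alerts = []
    for (target, ip), times in failures.items():
        for i, start in enumerate(times):
            burst = [t for t in times[i:] if t - start <= BRUTE_FORCE_WINDOW]
            if len(burst) >= BRUTE_FORCE_THRESHOLD:
                last = burst[-1]
                hit = any(last < s <= last + BRUTE_FORCE_WINDOW for s in successes[(target, ip)])
                alerts.append({"rule": "BRUTE_FORCE", "target": target, "ip": ip,
                               "failures": len(burst), "followed_by_success": hit})
                break   # one alert per (target, source)
    return alerts


def detect_reactivation(events):
    """4722 (enabled) for an account that was disabled (4725) within the lookback."""
    disabled_at, alerts = {}, []
    for e in events:
        if e["id"] == 4725:
            disabled_at[e["target"]] = e["ts"]
        elif (e["id"] == 4722 and e["target"] in disabled_at
              and e["ts"] - disabled_at[e["target"]] <= REACTIVATION_LOOKBACK):
            alerts.append({"rule": "DISABLED_ACCOUNT_REENABLED",
                           "subject": e["subject"], "target": e["target"]})
    return alerts


def detect_mass_changes(events):
    """One subject modifying many distinct accounts in a short window."""
    by_subject = defaultdict(list)
    for e in events:
        if e["id"] in ACCOUNT_CHANGE_IDS:
            by_subject[e["subject"]].append(e)
    alerts = []
    for subject, changes in by_subject.items():
        for i, first in enumerate(changes):
            window = [c for c in changes[i:] if c["ts"] - first["ts"] <= MASS_CHANGE_WINDOW]
            targets = {c["target"] for c in window}
            if len(targets) >= MASS_CHANGE_THRESHOLD:
                alerts.append({"rule": "MASS_ACCOUNT_CHANGE", "subject": subject, "targets": sorted(targets)})
                break
    return alerts


def detect_unauthorized_resets(events):
    """4724 issued by a subject that is not an approved password-reset identity."""
    return [{"rule": "UNAUTHORIZED_PASSWORD_RESET", "subject": e["subject"], "target": e["target"]}
            for e in events if e["id"] == 4724 and e["subject"] not in AUTHORIZED_RESETTERS]


def run_detections(events=EVENTS):
    events = sorted(events, key=lambda e: e["ts"])
    return (detect_brute_force(events) + detect_reactivation(events)
            + detect_mass_changes(events) + detect_unauthorized_resets(events))


if __name__ == "__main__":
    for a in run_detections():
        print(a)
```

The brute-force rule keys on target and source together so that a password spray from one address across many accounts is not hidden by per-account thresholds being too low; in production the same structure would be fed from a log pipeline rather than the inline list.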
Free Active Directory Assessment
Get Visibility Into Privilege And Service Account Exposure
For a limited time, Attivo Networks is providing free Active Directory security assessments to demonstrate how ADAssessor provides continuous visibility into AD vulnerabilities.
Try Our Endpoint Detection Net (EDN) for Free
FAST AND EASY
Free-use offer of our award-winning security solution that stops lateral movement, credential theft, and privilege escalation, fast and easy.
ADSecure 90-Day Free Trial
GET PROTECTION AGAINST UNAUTHORIZED ACCESS TO ACTIVE DIRECTORY
- Hide and deny access to AD objects
- Get alerted on unauthorized queries
- Attack details easily viewable in dashboard
- Your data remains on-premises