The Fundamentals of Endpoint Security
The core function of an enterprise endpoint solution is to provide visibility and control across a vast array of endpoints. These serve as the two fundamental components of endpoint security. Organizations should not only be able to effectively discover networked components, but also identify how they are behaving and then determine if this behavior is as expected. From there, organizations can quickly take control and react to events when necessary.
Having visibility and the ability to quickly assess an environment must be accompanied by the ability to control the nodes in that environment. Let's delve deeper into the fundamentals of endpoint security to ensure you have the proper coverage within your organization.
The endpoint has emerged as a prime target for launching attacks against organizations' key assets. Traditional endpoint security is no longer effective. The advancement of cloud computing, virtualization and connected devices (mobile, IoT, etc.) have reshaped how the endpoint is defined.
Organizations are now expected to discover, manage, inventory and distribute software and patches for hundreds of thousands of endpoints and across a vast array of platform types. While many programs and solutions might address common types such as Microsoft Windows, macOS and Linux OSes, other OS types and networked devices should also be included within the endpoint security strategy.
We always recommend modular solutions to address fragmentation, lack of visibility, integration gaps and other risks, but also solutions that have open and publicly documented application programming interfaces (APIs) and an open ecosystem for working with other vendors' technologies. Today, operations and cybersecurity teams require days or even weeks to deploy critical patches or mitigate critical security issues.
Similarly, security teams are completely defenseless against zero-day vulnerabilities and advanced malware threats, because primitive signature-based prevention approaches lack the sophistication and speed necessary to stop attacks already underway. These antiquated tools have become a liability to security and operational efficiency and are just incapable of solving today's most pervasive problems.
More important to the final technology selection is the value of having a partner that has implemented and integrated the chosen solution(s) at scale. Many clients purchase technologies and never implement more than a fraction of the functionality. Likewise, most partners lack the capability to test proposed solutions before a business decision is made. We have supported large federal entities in the DoD that host several hundred thousand to around one million endpoints.
Visibility is one of the biggest challenges for IT organizations. Often organizations do not know what is on their network, and according to Forrester, only 51 percent of enterprises are confident of their visibility into risks. We have observed that most organizations struggle with visibility because they either do not have the correct tools or the environment is complex, with cloud computing, shadow IT and other challenges in play. We begin our assessment by asking organizations three main questions:
- What is on your network?
- What is it doing?
- Should it be doing it?
We have found that most customers are surprised to learn what is on their networks and the behavior associated with it. We recommend including the ability to rapidly take control of what is discovered or, at minimum, the ability to tag an endpoint that is considered unmanageable, as is the case with IP printers and other networked endpoints.
It is common for up to 15 percent of the assets in an environment to fall into the category of "unmanaged assets." These assets represent the most dangerous security threats to the network. This is in part because these endpoints are often not properly patched, do not have anti-virus protection, do not have adequate data loss prevention (DLP) or management agents in place, or do not have Active Directory Group Policy Object (GPO) policies enforced.
With Tanium, enterprises can detect an unmanaged asset within seconds of it joining the network via the Discover Module. When Tanium identifies unmanaged assets on the network, the Discover Module tags the endpoint and then deploys a lightweight agent to the selected machines. This quickly brings them under appropriate management. Tanium's instant visibility and instant action capabilities provide organizations with constant assurance that sensitive data is properly controlled and safe within their enterprise.
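As an added illustration of the reconciliation behind the three questions above (it is example code written for this article, not Tanium's Discover Module or its output), the block below compares a constructed network-discovery list against a constructed managed inventory, labels each asset as managed, managed with control gaps, unmanaged (tag for agent deployment) or unmanageable (tag only, as with IP printers), and computes the unmanaged share that the 15 percent figure refers to. The MAC addresses, device types and control names are all constructed sample values.

```python
# Constructed sample data (hypothetical, not Tanium output): hosts seen by
# network discovery versus hosts that report in through a management agent.
DISCOVERED = [
    {"ip": "10.0.1.10", "mac": "00:11:22:33:44:01", "device_type": "workstation"},
    {"ip": "10.0.1.11", "mac": "00:11:22:33:44:02", "device_type": "workstation"},
    {"ip": "10.0.1.50", "mac": "00:11:22:33:44:03", "device_type": "printer"},
    {"ip": "10.0.2.20", "mac": "00:11:22:33:44:04", "device_type": "server"},
    {"ip": "10.0.2.21", "mac": "00:11:22:33:44:05", "device_type": "server"},
]
# Managed inventory, keyed by MAC, with the controls the article names.
MANAGED = [
    {"mac": "00:11:22:33:44:01", "patched": True, "av": True, "dlp": True, "gpo": True},
    {"mac": "00:11:22:33:44:04", "patched": False, "av": True, "dlp": True, "gpo": True},
]
# Device types that cannot take an agent and are tagged instead of enrolled.
UNMANAGEABLE_TYPES = {"printer", "iot", "network_device"}
CONTROLS = ("patched", "av", "dlp", "gpo")


def classify(discovered, managed, unmanageable_types=UNMANAGEABLE_TYPES):
    """Map each discovered MAC to (status, detail).

    status is one of: managed, managed-with-gaps, unmanaged, unmanageable.
    detail lists the missing controls, or the tag to apply."""
    by_mac = {m["mac"]: m for m in managed}
    result = {}
    for host in discovered:
        rec = by_mac.get(host["mac"])
        if rec is None:
            if host["device_type"] in unmanageable_types:
                result[host["mac"]] = ("unmanageable", ["tag:no-agent"])
            else:
                result[host["mac"]] = ("unmanaged", ["tag:deploy-agent"])
            continue
        gaps = [c for c in CONTROLS if not rec.get(c)]
        result[host["mac"]] = ("managed-with-gaps" if gaps else "managed", gaps)
    return result


def unmanaged_ratio(classification):
    """Share of discovered assets with no management agent at all."""
    if not classification:
        return 0.0
    missing = sum(1 for status, _ in classification.values()
                  if status in ("unmanaged", "unmanageable"))
    return missing / len(classification)
```

On this constructed data, 3 of 5 discovered assets have no agent, so the ratio is 0.6; the server that has an agent but is unpatched is reported separately as "managed-with-gaps".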
You can further enrich Asset inventory data with information from an external database. Tanium Asset will not only enrich external solutions, it can also receive data from external sources if need be. WWT enables customers by making sure they have the necessary inventory and reporting capabilities and by addressing integration challenges with other solutions (ServiceNow, Splunk, Flexera, etc.).
Integrating the endpoint security solution with other tools establishes a stronger cybersecurity posture and maximizes an organization's capabilities. We have extensive experience working with customers to enable Tanium Connect to send and receive data from a variety of sources and destinations. Tanium Connect acts as a gateway between the already powerful Tanium platform and other solutions such as SIEM, External Databases and CMDB. Customers can quickly configure a Splunk integration and begin pushing data to the solution for continuous monitoring and alerting.
Having a myriad of tools may not only cost an organization, but it can also weaken the security posture via fragmentation. We regularly conduct tool rationalization workshops with customers to determine how these tools map together. The exercise also provides insight into the tools ecosystem and how each tool works in an integrated manner.
All organizations are vulnerable to cybersecurity attacks. The common thread among organizations is the necessity to continuously validate and improve security posture while proving compliance year-round. To achieve this state, organizations are moving away from point-in-time monitoring in favor of a more continuous approach of identifying and fixing critical weaknesses.
Because the need for cybersecurity in every business keeps rising, innovative initiatives and detections are needed more than ever. One of the most troubling patterns we see in the industry today is that most organizations' security operations centers (SOCs) approach security threats reactively instead of proactively. With Tanium Threat Response, organizations can now utilize the detection (customizable detection), containment (automated containment) and hunting mechanisms (Enterprise Hunting) that Tanium has to offer.
Moving away from traditional signature-based detection technology is critical in today's rapidly changing threat landscape. Utilizing endpoint security technologies that protect against the latest tools, techniques and processes is vital to any organization's line of business. Additionally, the fidelity of alerting is critical to ensure security analyst resources are not overwhelmed with false positives and alerts that do not pose a true threat.
Speaking specifically about the detection capability, Tanium allows users to create "Signals" to detect malign or malicious activity on the endpoint. Tanium Signals provide real-time monitoring and alerting on endpoint activity by combining the event-recorder capabilities with threat intelligence sources. The added benefit of all this is the mapping of these Signals to the MITRE ATT&CK Framework.
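To show what "event-recorder data plus intelligence, mapped to ATT&CK, with an eye on alert fidelity" means in practice, here is an added example written for this article; the rule format, the event fields and the events themselves are constructed and are not Tanium's Signal syntax or real telemetry. Each rule carries the MITRE ATT&CK technique ID it maps to, an optional parent-process restriction, and an allowlist of known-good (user, parent) pairs suppresses the scheduled-task noise that would otherwise flood analysts.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signal:
    name: str
    technique: str        # MITRE ATT&CK technique ID the signal maps to
    pattern: re.Pattern   # matched against the process command line
    parents: tuple = ()   # if set, fire only under one of these parent processes


# Hypothetical signal definitions; constructed for this example, not Tanium's syntax.
SIGNALS = [
    Signal("Encoded PowerShell command line", "T1059.001",
           re.compile(r"^powershell(\.exe)?\s.*-(e|enc|encodedcommand)\b", re.I)),
    Signal("Scheduled task created", "T1053.005",
           re.compile(r"^schtasks(\.exe)?\s.*/create\b", re.I)),
    Signal("Office application spawning a shell", "T1204.002",
           re.compile(r"^(cmd|powershell)(\.exe)?\b", re.I),
           parents=("winword.exe", "excel.exe", "outlook.exe")),
]

# Known-good (user, parent) pairs suppressed to keep alert fidelity high.
ALLOWLIST = {("SYSTEM", "backupagent.exe")}

# Constructed process events in an event-recorder style (not real telemetry).
EVENTS = [
    {"host": "ws01", "pid": 4101, "user": "alice", "parent": "explorer.exe",
     "cmdline": "powershell.exe -NoProfile -EncodedCommand QQBCAEMA"},
    {"host": "srv02", "pid": 512, "user": "SYSTEM", "parent": "backupagent.exe",
     "cmdline": "schtasks.exe /create /tn nightly-backup /tr backup.cmd /sc daily"},
    {"host": "ws03", "pid": 7788, "user": "bob", "parent": "WINWORD.EXE",
     "cmdline": "cmd.exe /c echo hi"},
]


def evaluate(events, signals=SIGNALS, allowlist=ALLOWLIST):
    """Return one alert per (event, signal) match, skipping allowlisted pairs."""
    alerts = []
    for ev in events:
        parent = ev["parent"].lower()
        if (ev["user"], parent) in allowlist:
            continue
        for sig in signals:
            if sig.parents and parent not in sig.parents:
                continue
            if sig.pattern.search(ev["cmdline"]):
                alerts.append({"host": ev["host"], "pid": ev["pid"],
                               "signal": sig.name, "technique": sig.technique})
    return alerts
```

With the allowlist in place the constructed events yield two alerts (T1059.001 on ws01 and T1204.002 on ws03); removing it adds the backup agent's scheduled-task creation as a third, which is exactly the low-value alert the fidelity discussion above is about.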
The containment piece for Tanium Threat Response is the Incident Response Module. Incident Response Functionality is achieved through several sensors, packages and scheduled actions which provide the following functionality:
- Scope and hunt for incidents across the enterprise by searching for evidence from live system activity and data at rest with simple natural language queries.
- Examine and parse dozens of forensic artifacts on Windows, Mac, and Linux systems.
- Identify outliers and anomalies by collecting and comparing data across systems in real time.
- Build saved queries and dashboards to continuously monitor endpoints for malicious activity aligned to key phases of the intrusion lifecycle.
- Kill processes.
- Utilize Live Response to collect forensic information from an endpoint.
- Quarantine endpoints.
With WWT's expertise across the IT and security industry, understanding and applying enterprise-wide solution risk management is a key imperative. We bring security program expertise to evaluate capability maturity, enabling the build of a roadmap with cost-effective and impactful improvements. A technology- and solution-impartial approach focuses on the customer security challenges that can be solved to arrive at a secure business outcome.
Our Advanced Technology Center (ATC) environment allows customers to research, test and develop in a sandbox environment. The Tanium Proving Ground (TPG) Lab is an on-demand lab for customers to quickly spin up a virtual network and test drive Tanium and other tools (e.g., Splunk, Nessus, Palo Alto firewalls). Test drive Tanium today!
- Patching – Brought a large healthcare company from 80% patch compliance to 90% patch compliance in ~4 months utilizing Tanium in conjunction with a thorough patch assessment. Assessed people, process, and tooling around patching in this environment, allowing for $18 million in software savings within 18 months.
- Visibility – Provided customer with increased and never before seen visibility into software in environment to better prepare for vendor audits.
- Control – Pushed out registry fixes to over 10,000 customer endpoints during a Tanium POC in order to resolve a major patch and performance issue on endpoints.
- Security – Provided and matured security capabilities for multiple customers around Enterprise Detection & Response (EDR); integrated Tanium into customer's security tools ecosystem to drive automation.
- Migrations – Migrated over 1 million endpoints to Windows 10 using Tanium and WWT's CPMigrator tool allowing for a zero-touch migration to be done at scale.
- Accelerated ROI for new and current customers.
- Accelerated Integrations – WWT speeds up integrations by implementing Tanium out of the box integrations while also building custom integrations for customer solutions.
- ATC – Conduct vendor POCs and test integrations for holistic security architecture.
- Drive innovation through building solutions around patch automation, continuous compliance and business insights and visibility.
- WWT Security Innovation Pods – Team designated to work with customers to build security solutions in endpoint and enterprise segmentation providing solutions to improve visibility, control and security of endpoint ecosystems with speed and scale. Additionally, developing plans for implementation of enterprise segmentation to increase security and reduce risk.
- Deploy at scale – WWT deploys Tanium at scale while managing and operationalizing the largest Tanium deployment up to 1.22 million global endpoints.
- Managed Services – WWT offers a managed service in which the instance is managed from the ground up by WWT resources.
- Service offerings – For organizations where a fully managed solution is not budgeted for, or is not required given their maturity.