Protecting the Network with Endpoint Security
By Jeff Multz
CIOs are forever struggling to ensure that technology helps their businesses run efficiently and effectively and that their networks are protected. That’s a heavy undertaking for any business, but especially for healthcare organizations, as medical professionals rely on a bevy of computer devices (including their own). These devices have become high-value targets for threat actors, who are increasingly attacking endpoints (laptops, workstations, and mobile devices) to break into the networks of healthcare and financial institutions.
The FBI recently issued an alert, following a highly publicized attack on a US hospital group, warning healthcare companies that they are being targeted by hackers.
"We are seeing an increase in attacks within healthcare," said Ann Patterson, senior vice president and program director of the Medical Identity Fraud Alliance. "The healthcare sector’s security and privacy controls differ from more secure industries, such as financial services, and [healthcare organizations] may be easier targets."
Why is healthcare so attractive to threat actors? A few reasons.
- Nation states are after the intellectual property of medical equipment and pharmaceutical companies so they can copy their products and sell them more cheaply.
- Threat actors are also after the personally identifiable information (PII) held by healthcare providers, which attackers use to open new credit card accounts in the names of patients. That PII includes a patient’s name, address, phone number, Social Security number, date of birth, and billing information.
Because it is often difficult to evade network detection devices such as firewalls and intrusion detection/prevention systems (IDS/IPS), attackers are going directly to the end user via phishing or watering hole attacks to break into networks. The trusting souls who click on the links or attachments inside these emails have no idea that doing so silently downloads malware.
While there have been new innovations in protecting the network from outsiders, there’s been a dearth of innovation in endpoint security technology. Since antivirus (AV) software is not very effective, it has become quite easy for attackers to infect endpoints. Defenses for endpoints are still mostly malware-signature based, so threat actors run pre-attack tests to see which signatures are being detected and which ones aren’t.
This ploy has worked so well that attackers sell their testing services to other attackers, running a service similar to that of VirusTotal, which scans malware for detection rates. However, unlike VirusTotal, the threat actors don’t share the results with AV vendors.
With about 200,000 new pieces of malware being created each day, according to Kaspersky Labs, and much of the malware being polymorphic, signature-based threat detection methods can’t keep up with the pace of new malware creation.
It’s hard to keep endpoints, especially personally owned endpoints, up to date with the latest patches. There are more applications than ever that people download onto their devices and all these applications have flaws, making them easy targets for attackers. Additionally, Web-based technologies are being designed so users can do anything over the Web using HTTP or HTTPS, which subverts perimeter-based controls and makes the Web an easy way to deliver malware.
With the Internet of Things (IoT) growing daily, the front line of attack has moved from servers to the endpoint. This year alone, IDC expects shipments of smart-connected devices (PCs, tablets, and smartphones) to surpass 1.7 billion units worldwide. Organizations are being attacked via their endpoints, yet have no idea they’ve been compromised.
The average time it takes for organizations to discover they have been compromised is 229 days and 69 percent of the discoveries are made from outside sources, such as federal authorities, the FBI, or private security companies.
An organization must be able to see all activity taking place on its endpoints so it can remove attackers as soon as they enter the network. The only way an organization can know whether it has been compromised is to continuously monitor the network and the endpoints. It needs to see what’s going on at the endpoint and tie that to what is going on across the network. Anomalous activity must be spotted as soon as it occurs.
An organization should be able to determine what happened on the affected system, whom the system communicated with, what changed on that system, what the lateral movement was, and what tools were used. Endpoint activity should be continuously collected and logged. The information should be fed into a system that takes an end-to-end view of all that has occurred, providing full visibility into the network. Organizations can then take that information and adapt their infrastructure, user training, and applications accordingly to defend the network.
As soon as anomalous activity is spotted, an investigation should be initiated. If the investigation reveals that an endpoint was compromised, the system can provide a blueprint of all activity that has occurred, and all activity as it is occurring, so the threat can be contained as quickly as possible.
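As an added illustration (not code from the article or from any product), the "blueprint" described above can be sketched as a small correlation over endpoint telemetry and network connections: for one host, from the first anomalous event onward, it lists the tools run, the external peers contacted, the files changed, and the internal hosts reached on remote-admin ports. The event format, sample events, host names, addresses, internal ranges and port list are all constructed assumptions.

```python
"""Reconstruct what a compromised endpoint did by correlating endpoint
telemetry (process starts, file writes) with its network connections.
Added illustration; the event format and sample data are constructed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample telemetry: (timestamp, host, event kind, detail).
EVENTS = [
    ("09:00:01", "ws-12", "process", "outlook.exe"),
    ("09:00:07", "ws-12", "process", "invoice.pdf.exe"),
    ("09:00:09", "ws-12", "netconn", "203.0.113.9:443"),
    ("09:00:12", "ws-12", "file", "C:\\Users\\jane\\AppData\\svc.dll"),
    ("09:00:20", "ws-12", "process", "psexec.exe"),
    ("09:00:21", "ws-12", "netconn", "10.0.5.20:445"),
    ("09:00:30", "ws-12", "netconn", "10.0.5.21:445"),
    ("09:01:00", "ws-30", "process", "chrome.exe"),
    ("09:01:02", "ws-30", "netconn", "10.0.5.20:445"),
]

# Assumed internal address space and the ports used for remote admin,
# which is where movement from one workstation to another usually shows up.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
ADMIN_PORTS = {22, 445, 3389, 5985}

def is_internal(addr):
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL)

def blueprint(events, host, first_anomaly):
    """Activity picture for `host` from `first_anomaly` (HH:MM:SS) onward:
    tools run, external peers contacted, files changed, and internal hosts
    reached on admin ports (the lateral-movement view)."""
    report = defaultdict(list)
    for ts, h, kind, detail in sorted(events):
        if h != host or ts < first_anomaly:
            continue
        if kind == "process":
            report["tools"].append(detail)
        elif kind == "file":
            report["changed_files"].append(detail)
        elif kind == "netconn":
            addr, port = detail.rsplit(":", 1)
            if not is_internal(addr):
                report["external_peers"].append(addr)
            elif int(port) in ADMIN_PORTS:
                report["lateral"].append(addr)
    return dict(report)

if __name__ == "__main__":
    # First anomaly on ws-12 is the double-extension file run from mail.
    print(blueprint(EVENTS, "ws-12", "09:00:07"))
```

The hosts listed under "lateral" are the next endpoints an investigation should pull telemetry for, which is how the picture grows from one host to the network-wide view the article calls for.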
The 2014 SANS Health Care Cyberthreat Report found that endpoint devices present challenges not only for securing them and the network they are connected to, but also for recovering from an incident. Continuously scanning endpoint devices that are connected to a network can tell an organization exactly where an infection is hiding on the endpoint and how to remediate it. Infected endpoints can often be remediated without being wiped or re-imaged, avoiding the inadvertent data loss a wipe can cause.
Workstations are critical attack vectors, and organizations with a multitude of high-value endpoint devices must always be on high alert for attacks. For now, there is only one way to do that. Gartner calls the solution Endpoint Threat Detection & Response, also known as Advanced Endpoint Threat Detection. It should be mandatory for any organization that needs to protect its business.
Jeff Multz is director of North America Midmarket for Dell SecureWorks of Atlanta, GA.