Saturday, April 18, 2015

Endpoint Monitoring is a Strategic Imperative for Business Operations

Invincea is starting off what promises to be an exciting RSA 2015 with its Advanced Endpoint Protection announcement, and I am looking forward to catching up with the latest RSA ECAT, Bromium vSentry, Cybereason, and more in the endpoint security space. (Also keen on a few others, but that is for next week :). Here is something I wrote a while ago that still reflects my thinking today!:

Continuous endpoint monitoring has become a strategic imperative for many security organizations. Modern attacks designed to extract confidential information modify endpoint software, reconnoiter your network looking for exploitable weaknesses, and connect to externally-sourced servers to deliver your secrets. The inevitable result is a labor intensive investigation to detect infected systems and a costly recovery process that impacts the business. If you are not continuously monitoring your endpoints, servers and connected user devices, then you will not have the intelligence to rapidly detect attacks within your perimeter and expeditiously restore normal business operations.

You have all invested in the latest pattern-matching cyber-security defenses to prevent attacks from penetrating the network. Traditional anti-malware is a required fundamental, but it has proven incapable of preventing threats and of cleaning up after an infection. In fact, it is difficult to determine what constitutes best-of-breed anti-malware, and many of you base purchase decisions on price and business relationships, knowing that you need to check the compliance box and that it leaves large gaps in your cyber-security practice that you must account for.

CISOs are now expected to improve operational performance in detecting security incidents and to reduce the time and energy required to return infected devices to a secure state after the detection of an attack. This strategic imperative to integrate detection of and recovery from security events with business operations drives demands for effective monitoring of servers and user endpoints. You will also find organizational benefits of security utilizing endpoint intelligence to better integrate cyber-security with IT teams.

The main features of a continuous endpoint monitoring program include:

· Automate behavioral approaches to monitor changes in configurations, network usage, and memory utilization. All attacks leave traces that can be detected: insertion of attack logic into executable code in memory or in persistent storage; probing of your network in search of vulnerable endpoints that can join the attack or that host confidential information the intruder can monetize; and communication with external application services and IP addresses to pilfer your electronic business information assets. Deploy endpoint monitoring to detect unauthorized changes to your infrastructure that may indicate the presence of an attack.

· Use endpoint monitoring to help you confirm changes to your security policy, including deployment of software upgrades and patches and retirement of obsolete or insecure software. While endpoint monitoring solutions analyze endpoints for the presence of infections, the process also arms you with independent intelligence on actual software configurations. Knowing where executable programs are installed across your network proves invaluable when it comes time to plan and launch attack investigations and cleanup operations. You get what you inspect, not what you expect.

· Endpoint monitoring, as a single source of information on software and network activity, becomes a focal point for the integration of security with business operations. The business integration value of a continuous endpoint monitoring program goes well beyond enhancing operational security performance for detecting cyber-threats and returning to a compliant business. IT organizations such as end-user service desks, application services, network management, and quality assurance increasingly use security monitoring technologies as a go-to source of real-time information on what is actually happening on endpoints. They do this because endpoint monitoring reduces errors and makes their jobs easier. You will find IT colleagues using your endpoint monitoring solution to quickly gather the information they need to maintain the infrastructure.
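The first two bullets above come down to two mechanical questions: what changed on an endpoint since a known-good baseline, and where across the fleet is a given program installed? The following is an added example, not code from the post or from any of the vendors mentioned, showing the minimal form of both checks with only the Python standard library. The hostnames, paths and file contents are constructed sample data; a real deployment would collect inventories from an agent and scope them to system and program directories.

```python
"""Added example (not from the post): baseline change detection and a
fleet-wide software lookup, the two checks the bullets above describe.
Uses only the Python standard library; all hosts, paths and file
contents below are constructed sample data."""
import hashlib
from pathlib import Path


def build_inventory(root):
    """Map each regular file under `root` (as a relative POSIX path) to its
    SHA-256 digest. Run once to record a baseline, later to capture the
    current state; diff the two with diff_inventory()."""
    root = Path(root)
    inventory = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            inventory[path.relative_to(root).as_posix()] = digest
    return inventory


def diff_inventory(baseline, current):
    """Report files that appeared, disappeared, or changed content since the
    baseline. A modified or unexpected executable is the kind of trace the
    post says every attack leaves; the same diff confirms a patch rollout
    actually landed (you get what you inspect, not what you expect)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def hosts_running(fleet, digest):
    """Across a fleet ({hostname: inventory}), list hosts holding any file
    with this digest. Answers "where is this program installed?" when
    planning an investigation or cleanup."""
    return sorted(host for host, inv in fleet.items() if digest in inv.values())


def _d(text):
    """Digest of a short constructed string, so sample data stays self-contained."""
    return hashlib.sha256(text.encode()).hexdigest()


# Constructed sample data: a baseline recorded after patching, then a later
# snapshot from two workstations.
BASELINE = {
    "bin/svc.exe": _d("svc v1.2"),
    "bin/updater.exe": _d("updater v3"),
    "drivers/net.sys": _d("net driver"),
}
FLEET = {
    "ws-01": dict(BASELINE),  # unchanged since baseline
    "ws-02": {                # svc.exe altered, updater gone, unknown DLL added
        "bin/svc.exe": _d("svc v1.2 + injected stub"),
        "bin/helper.dll": _d("unknown helper"),
        "drivers/net.sys": _d("net driver"),
    },
}

if __name__ == "__main__":
    import tempfile

    # Demonstrate build_inventory() on a throwaway directory, then compare.
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "bin").mkdir()
        (Path(tmp) / "bin" / "svc.exe").write_text("svc v1.2")
        before = build_inventory(tmp)
        (Path(tmp) / "bin" / "svc.exe").write_text("svc v1.2 + injected stub")
        after = build_inventory(tmp)
        print("on-disk change:", diff_inventory(before, after))

    for host, inv in FLEET.items():
        print(host, diff_inventory(BASELINE, inv))
    print("hosts with baseline svc.exe:", hosts_running(FLEET, BASELINE["bin/svc.exe"]))
```

The diff is deliberately content-based (digest, not timestamp or size), since timestamps are trivially reset; scheduling it per host and shipping the result to a central store is what turns this into the continuous monitoring the post argues for.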


You know you need an automated system that can efficiently and cost-effectively allow you to detect infections before your customers report them, and accelerate recovery procedures to restore a compliant business. Your peers in other organizations are utilizing endpoint monitoring tools as a strategic imperative for operating a secure business. If you are not leveraging endpoint monitoring in your security practice, this should rise to the top of your priority list for 2015.

Wednesday, April 1, 2015

RSA is approaching - check out firewall analysis vendors

Anyone managing their corporate firewalls without the use of modern analysis tools is committing security malpractice.

Every good security program starts with firewalls and the ability to control network access to critical resources. However, firewalls are only as effective as the set of rules defining communication access policies. While it is easy to know when firewalls block legitimate access to applications - users call the service desk and complain - the bigger problem is that it is nigh impossible to detect when firewall rules inadvertently create broad access to your network.

The risk of inviting security incidents through gaping holes in your network security is just too great to ignore. Ferreting out holes in your firewall security requires a thoroughness and attention to detail that only an automated product can provide. It is asking too much of your best security expert to find errors of omission and to prove negatives.
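To make the "broad access" and "prove negatives" points concrete, here is an added example (my own illustration, not code from the post or from any of the products named below) of the three checks a rule analyzer performs on a first-match rule base: allow rules wider than policy permits, rules shadowed by an earlier rule so they never fire, and a packet-level "which rule decides this?" query. It uses only the Python standard library; the rule set is constructed sample data and the thresholds are assumed policy values.

```python
"""Added example (not from the post, not any vendor's product): a small
first-match firewall rule analyzer. Standard library only; the rule set
below is constructed sample data."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Rule:
    name: str
    action: str   # "allow" or "deny"
    src: str      # source CIDR
    dst: str      # destination CIDR
    ports: tuple  # inclusive (low, high) destination port range; (0, 65535) = any


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def covers(outer, inner):
    """True if every packet that matches `inner` would also match `outer`."""
    return (_net(inner.src).subnet_of(_net(outer.src))
            and _net(inner.dst).subnet_of(_net(outer.dst))
            and outer.ports[0] <= inner.ports[0]
            and inner.ports[1] <= outer.ports[1])


def find_shadowed(rules):
    """Rules that can never fire because an earlier rule already covers them.
    Returns (shadowed rule name, earlier rule name) pairs. A shadowed deny is
    the classic error of omission: the protection is written down but inert."""
    found = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, rule):
                found.append((rule.name, earlier.name))
                break
    return found


def find_broad_allows(rules, min_prefixlen=8, max_ports=16):
    """Allow rules whose source or destination prefix is shorter than the
    assumed policy minimum, or whose port span exceeds `max_ports`.
    Returns (rule name, list of reasons)."""
    findings = []
    for rule in rules:
        if rule.action != "allow":
            continue
        reasons = []
        for label, cidr in (("source", rule.src), ("destination", rule.dst)):
            plen = _net(cidr).prefixlen
            if plen < min_prefixlen:
                reasons.append(f"{label} {cidr} is wider than /{min_prefixlen}")
        span = rule.ports[1] - rule.ports[0] + 1
        if span > max_ports:
            reasons.append(f"port range {rule.ports} spans {span} ports")
        if reasons:
            findings.append((rule.name, reasons))
    return findings


def first_match(rules, src_ip, dst_ip, port):
    """Simulate first-match evaluation: return the rule that decides this
    packet, or None if nothing matches. This answers a single reachability
    question; the two scans above are what cover the whole rule base."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if (s in _net(rule.src) and d in _net(rule.dst)
                and rule.ports[0] <= port <= rule.ports[1]):
            return rule
    return None


# Constructed sample rule base (top to bottom = evaluation order).
SAMPLE_RULES = [
    Rule("R1-internal-https", "allow", "10.0.0.0/8", "10.1.2.3/32", (443, 443)),
    Rule("R2-partner-https", "allow", "0.0.0.0/0", "10.1.2.3/32", (443, 443)),
    Rule("R3-branch-https", "allow", "10.0.5.0/24", "10.1.2.3/32", (443, 443)),
    Rule("R4-lab-any-port", "allow", "192.168.0.0/24", "10.2.0.0/16", (0, 65535)),
    Rule("R5-default-deny", "deny", "0.0.0.0/0", "0.0.0.0/0", (0, 65535)),
]

if __name__ == "__main__":
    print("shadowed:", find_shadowed(SAMPLE_RULES))
    print("broad allows:", find_broad_allows(SAMPLE_RULES))
    hit = first_match(SAMPLE_RULES, "8.8.8.8", "10.1.2.3", 443)
    print("8.8.8.8 -> 10.1.2.3:443 decided by", hit.name)
```

On the sample set, R2 is flagged because "partner" access was written as any-source, R4 because it opens every port, and R3 is reported as shadowed by R1, which is harmless here but is exactly the pattern that hides a dead deny rule in a real base. Commercial tools add what this omits: parsing vendor syntax, NAT and routing awareness, and multi-device path analysis.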

The good news is that firewall analysis tools are mature and are effective. While they are first and foremost security products, you will find many time saving benefits in helping you manage complex applications, network reconfigurations, and evolution to virtualized data centers. Any of the primary vendors will have references that you should talk with to better understand the benefits.


There are some fine firewall analysis products out there, including (alphabetically) AlgoSec, FireMon, SolarWinds, and Tufin. RedSeal and Skybox provide more network path analysis, but are also worth knowing about. If you have any degree of network complexity, then go get one of these tools now. Consider it an always-on rule.