Although the perimeter firewall remains an important part of defense-in-depth security, the bulk of an organization's security efforts must revolve around network endpoint security controls. Numerous exploits exist that allow an attacker to gain access to a PC and use it as a resource for launching an attack against other network resources. As such, security planning efforts must focus heavily on endpoint security controls to prevent endpoints from becoming a point of entry for an attacker.
Standardize and automate endpoint security controls
One of the things that makes endpoint security control difficult is that there are not always obvious signs that a PC or device has been compromised. Unlike a ransomware attack, which alerts the end user to its presence by prompting them to take action, backdoor Trojans are often silently installed and may go undetected for some time.
One way to defend against these types of attacks is to employ the concepts of standardization and automation. Consider for a moment the basic approach that is used by casinos to spot cheaters. Casino dealers are trained to rigidly follow standardized procedures at the gaming tables. The idea is that if games are played in a highly standardized way, then any anomalies will stand out, thereby making it much easier to catch a cheat.
This same basic concept works equally well in the world of IT. Network endpoint security controls should include uniform configuration across the organization so that anomalies are easier to detect. Of course, it is unrealistic to expect to be able to visually spot security anomalies in the way that casino security might spot a card cheat. Instead, IT shops should use an automated security scanning and remediation tool, such as PowerShell Desired State Configuration (DSC) or a third-party tool, to ensure that each endpoint continues to comply with the organization's established security requirements. The organization should also use software to automatically notify an administrator and remediate the configuration -- or reimage the system -- if a PC is found to have deviated from the approved security configuration.
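As an added illustration (not code from the article), the following PowerShell Desired State Configuration script declares a small endpoint baseline, sets the Local Configuration Manager to re-apply it automatically when a setting drifts, and reports non-compliant resources so an administrator can be notified. The two baseline settings, the output path and the 30-minute interval are illustrative assumptions.

```powershell
# Added example (not from the article). Assumes Windows PowerShell 5.1 with the
# built-in PSDesiredStateConfiguration module and local administrator rights.
# The two baseline settings (Windows Firewall service running, Windows Script
# Host disabled through its documented registry value) are illustrative choices.

Configuration EndpointBaseline {
    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Node 'localhost' {
        Service 'WindowsFirewall' {
            Name        = 'MpsSvc'
            StartupType = 'Automatic'
            State       = 'Running'
        }
        Registry 'DisableWindowsScriptHost' {
            Key       = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
            ValueName = 'Enabled'
            ValueType = 'DWord'
            ValueData = '0'
            Ensure    = 'Present'
        }
    }
}

# Have the Local Configuration Manager re-check every 30 minutes and put any
# drifted setting back automatically (the "remediate" step described above).
[DSCLocalConfigurationManager()]
Configuration LcmAutoCorrect {
    Node 'localhost' {
        Settings {
            RefreshMode                    = 'Push'
            ConfigurationMode              = 'ApplyAndAutoCorrect'
            ConfigurationModeFrequencyMins = 30
        }
    }
}

$out = Join-Path $env:TEMP 'dsc-baseline'
EndpointBaseline -OutputPath $out | Out-Null
LcmAutoCorrect -OutputPath "$out\lcm" | Out-Null
Set-DscLocalConfigurationManager -Path "$out\lcm"
Start-DscConfiguration -Path $out -Wait -Force -Verbose

# Compliance check for a scheduled task: list drifted resources so an
# administrator can be alerted (the "notify" step described above).
$check = Test-DscConfiguration -Detailed
if (-not $check.InDesiredState) {
    $check.ResourcesNotInDesiredState | Select-Object ResourceId | Format-Table -AutoSize
    Write-Warning 'Endpoint has drifted from the approved baseline.'
}
```

Running the final check on a schedule and forwarding its warning to a ticketing or SIEM system gives the automatic notification the text calls for, while the LCM handles the remediation between checks.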
Endpoint security control through process whitelisting
Another key requirement for ensuring endpoint security is to use process whitelisting. The problem with traditional endpoint security software is that it has historically been based on signature detection -- such as malware signatures or attack signatures -- and heuristic detection. This approach assumes that all processes are trustworthy unless a signature match or a heuristic pattern suggests otherwise. As such, if a Trojan can avoid detection, then it can run with total impunity.
Process whitelisting works in exactly the opposite way. Rather than searching for malicious code, process whitelisting requires an administrator to positively identify trustworthy code. Only trusted, whitelisted code is allowed to run. If a Trojan makes it onto a system, it is denied the ability to run, and an alert can be generated.
Whitelisting can be implemented via the Windows AppLocker feature or through various third-party products.
Unfortunately, there is no silver bullet security product that will guarantee endpoint security and protect an enterprise against all threats. It is therefore important to practice defense in depth in endpoint security controls, using automated security configuration scanning tools, process whitelisting and other security mechanisms.