The Cyberattacker of today is in no rush to launch their threat vectors. Unlike the “smash and grab” style of the past, Cyberattackers now take their time to select, profile, and carefully study their potential victims. They do this to seek out any unknown vulnerabilities and weaknesses, so that they can remain inside the confines of their victim’s systems for much longer periods of time.
One area where a Cyberattacker can remain hidden is at the endpoints of the systems that reside in your company’s IT/Network Infrastructure. This is where the need for an Endpoint Detection and Response (EDR) tool comes into play.
Endpoint Detection & Response Defined
Endpoint Detection and Response can be defined as follows:
“The tools primarily focused on detecting and investigating suspicious activities (and traces of such) other problems on hosts/endpoints.” (Source 1)
In other words, you and your team are trying to identify and determine whether any potential security risks exist between where one point starts and another point ends within your entire IT Infrastructure. Take the example of a Client-Server Network topology. In this situation, there is the central server (also known as the “Primary Domain Controller” or “PDC”) and the various workstations (known as the “Clients”).
In this specific scenario, EDR would be used to search for unknown weaknesses that could exist anywhere from where the network starts at the PDC to where it ends at one of the Client workstations, and vice versa.
The Top 5 Best Practices for Deploying EDR
The top five best practices for deploying EDR are as follows:
- Make use of Automated Patching Software. One of the cardinal rules of Security in general is to have your IT staff stay on top of the latest software upgrades and patches. In fact, some experts will claim that you should even have a dedicated individual to handle this specific task. If your organization is a Small to Medium sized Business (SMB), this may be possible. But even then, it can be quite a laborious and time-consuming process. What if your business is a much larger entity that has multiple IT environments and thousands of workstations and servers? Obviously, the number of endpoints you will have to fortify can multiply very quickly. In that case, it is highly recommended that you have a process in place that can automatically look for the relevant patches and upgrades, and then download and deploy them.
- Perform routine Security Scans on your Endpoints. Just as it is important to maintain a routine schedule for staying up to date with software upgrades and patches, the same holds true for examining the state of the endpoints in your IT Infrastructure. In fact, it should be the responsibility of the Network Administrator to formulate such a schedule, and it should include conducting exhaustive checks for any signs of potential Malware. Sophisticated antivirus software needs to be deployed at the endpoints and maintained on a regular basis. As a rule of thumb, it is recommended that these Endpoint Security Scans be conducted on a weekly basis.
- Disable any ports that are not in use. This sounds like an obvious task, but very often it goes overlooked. Many organizations leave their Network Ports wide open, thus providing an extremely easy point of entry for the Cyberattacker. It is highly advised that your IT Security staff check, on a weekly basis, for any open ports that are not being used. If any are discovered, they should be closed off immediately. Of course, any Network Ports that are open and in use must be secured as well, especially at the endpoints. This is critical for wireless devices, especially where Bluetooth is being used.
- Make use of Multi Factor Authentication. Many Cybersecurity experts advocate the use of Two Factor Authentication (2FA), but even this is not proving to provide adequate levels of Security. Therefore, it is recommended that more than two layers of authentication be implemented, especially at your endpoints. Perhaps consider implementing at least three to four layers of authentication, one of which should make use of Biometric Technology. This can guarantee much higher levels of accuracy when confirming the identity of an individual.
- Make sure that your Endpoints are well protected. This means that you have implemented the right mixture of Security Technologies, primarily Firewalls and Routers. But the cardinal rule here is: do not simply use the default settings that have been set up by the Vendor and assume that they will provide adequate levels of Security. The settings that must be established are dictated by the specific security needs of your organization. Also keep in mind that many Network Infrastructures remain static in nature unless there is a specific reason to change them. Because of this, make sure that your Virtual Private Network (VPN) stays up to date and secure, especially when it comes to your employees accessing the endpoints through it.
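As an added example (not part of the original article), the weekly check for open ports described in the third practice above, written as a Python script that parses the column layout of `ss -tulnp` output and flags any network-reachable listener that is not on an allowlist of expected services. The sample socket lines, process names and allowlist are constructed for the example, not captured from a real host.

```python
"""Audit listening sockets on an endpoint against an allowlist of expected services."""
import re
from dataclasses import dataclass

# Constructed sample in the layout of `ss -tulnp` (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:68         0.0.0.0:*         users:(("dhclient",pid=612,fd=6))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=890,fd=3))
tcp   LISTEN 0      128    127.0.0.1:631      0.0.0.0:*         users:(("cupsd",pid=901,fd=7))
tcp   LISTEN 0      50     0.0.0.0:5900       0.0.0.0:*         users:(("x11vnc",pid=2345,fd=4))
tcp   LISTEN 0      511    [::]:8080          [::]:*            users:(("python3",pid=3001,fd=5))
"""

@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    process: str

# Netid, State, Recv-Q, Send-Q, Local Address:Port, Peer, optional process name.
LINE_RE = re.compile(
    r'^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+(?:\s+users:\(\("([^"]+)")?'
)

def parse_ss(text):
    """Turn ss-style output into Listener records; the header and unknown lines are skipped."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, addr, port, proc = m.groups()
            listeners.append(Listener(proto, addr, int(port), proc or "?"))
    return listeners

def is_loopback(addr):
    """Sockets bound only to loopback are not reachable from the network."""
    return addr.startswith("127.") or addr in ("[::1]", "::1")

def find_unexpected(listeners, allowlist):
    """Return network-reachable listeners whose (proto, port) is not in the baseline allowlist."""
    return [l for l in listeners
            if not is_loopback(l.addr) and (l.proto, l.port) not in allowlist]

# Baseline of services this host is expected to expose (constructed for the example).
ALLOWLIST = {("tcp", 22), ("udp", 68)}

if __name__ == "__main__":
    for l in find_unexpected(parse_ss(SAMPLE_SS_OUTPUT), ALLOWLIST):
        print(f"UNEXPECTED {l.proto}/{l.port} on {l.addr} ({l.process})")
```

On a live host, feed the script the real `ss -tulnp` output and keep the allowlist in version control so that each weekly run diffs against an agreed baseline rather than against memory.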
This article has examined some of the best practices you should implement to keep your endpoints more secure. It is important to keep in mind that this is not an all-inclusive list, and whatever security practices you have implemented must be checked and updated on a regular basis to keep up with the ever-changing Cybersecurity landscape.
Ravi Das is a Cybersecurity Consultant and Business Development Specialist. He also does Cybersecurity Consulting through his private practice, RaviDas Tech, Inc. He is also studying for his Certificate In Cybersecurity through the ISC2.