Focus on the Host

Thursday, December 06, 2012

Matthew McWhirt

E745f78c8d9499cf7e9aea2084be2e0a

The traditional concept of enterprise security monitoring typically encompasses observing and mitigating threats at the perimeter of the organization.     Common illustrations of this practice include the deployment of firewalls, IDS/IPS devices, proxy devices, L3 screening routers, and SPAM/AV monitoring at critical ingress/egress interfaces of the network infrastructure.  While there is still a necessity for this model of security monitoring, the true notion of enterprise continuous monitoring practices must include a focus on the host.

The classically defined security perimeter of the organization is no longer sufficient for adequate continuous monitoring – as most common infection and attack vectors are able to easily circumvent many of the perimeter security controls – frequently undetected (due to the usage of common HTTP/HTTPs egress traffic flows – which are generally permitted).  As covert channels (ex: SSL/TLS) can be utilized for data exfiltration, malware command and control communications and general payload attack vectors, this essentially blinds most perimeter security devices to any activities occurring above the Layer 3 stack.  In addition, as related to IPS/IDS devices, improper placement of or lack of a signature-based match for a communication flow could allow for an attack to essentially be undetected at the perimeter.   In some instances, even the security boundary is no longer defined – due to the presence of portable/mobile devices, which are permitted access to corporate applications and data.

The focus of true continuous monitoring must expand to include the host assets within the enterprise.  This includes not just assets which house and/or proxy access to critical data (application/web/file/database servers), but the hosts which are granted access to the data.  In fact, most risks and threats that are of a prime concern to an organization (APT, data exfiltration, data leakage) are initially executed from a host endpoint.  
If logging is configured properly on edge and perimeter network devices, security analysts can be provided with an audit trail regarding ingress/egress communication flows.  Generally, these artifacts are utilized within the context of an investigation or post-incident assessment.  In order to adequately maintain a resolute defense regarding real-time threats and analysis, host based security controls and monitoring must be encompassed.

The effective deployment of collective security controls and best practices cannot be ignored from the perspective of endpoint hosts.  Common examples include:

•         Effective and Timely Patch Management
•         Secure Baseline Configuration / OS Hardening
•         Role-Based Access Control
•         Host Based Intrusion Prevention Detection
•         Host Based Firewalls (most notably for portable devices)
•         Access Protection Monitoring / Antivirus
•         File / Directory Integrity Monitoring
•         Data Loss Prevention (DLP)
•         Vulnerability Assessment
•         Host Segmentation and Sandboxing (VLANs, VRF instances, authorized communication flows, ACL enforcement)

As you can see, the true nature of real-time security risks management transitions from the perimeter – to the access layer of the organization.  The host provides not only the catalyst for an attack to originate and propagate, but the host also provides forensic artifacts and evidence – which can be utilized for future prevention and detection methods to be deployed within various security tools and resources (both host and network based).

So how does an organization essentially manage and monitor a vast sea of endpoint hosts, distributed throughout a discontiguous enterprise?  How can an organization effectively find a potentially malicious or infected needle in a haystack of endpoints?  In future articles, I will discuss not only some of the challenges regarding host monitoring and management – but some of the methodologies utilized to effectively incorporate this process as part of an organization’s risk management framework.

Possibly Related Articles:
12810
Firewalls IDS/IDP Enterprise Security
Information Security
Enterprise Security
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.