Today's workforce is more empowered and mobile than ever before. Through versatile deployments of Windows, Mac, and mobile devices, users now have anywhere, anytime access to critical company data. Unfortunately, this comes at a price: if a network is exposed to a threat, IT staff can no longer “pull the plug” on the Internet. As a result, a successful stealth intrusion can mean prolonged, undetected access for months or even years (Sony's servers had been infiltrated months before the attackers started the avalanche of leaks in November 2014).
What can you do for your organization? With 70% of successful breaches stemming from a compromised endpoint, you need to take a closer look at the many types of endpoints with access to your network and how they can be monitored. While Windows is the primary endpoint operating system around the world, Macs are used by a decent proportion of the user population and are particularly popular in the C-Suite – a very juicy target for any attacker. Contrary to popular belief, Mac endpoints may be less secure than Windows, according to security firm GFI. Our powerful monitoring solution, Rapid7 UserInsight, has had the ability to monitor Windows endpoints for a while; we have now extended our coverage to OS X.
What is an endpoint?
Any device that connects to your network is an endpoint; that includes Windows, Macs, and mobile devices. Attackers love to start here, as credentials are easy to acquire and intrusion is hard to detect.
With regard to network security, each company is as strong as its weakest link. A breach can easily stem from clicking a malicious e-mail link. If it's a targeted attack, it will be much more subtle than an “obvious phishing email”. How can we quickly quarantine an unwarranted exposure? Monitoring endpoints is a giant leap in the right direction.
Endpoint Monitoring for What?
Monitoring is only useful if we know what to look for and can accurately identify red flags. Endpoints provide a rich source of behavioral signals: Windows and OS X event logs, running processes, changes to user accounts, and logs that have been deleted or cleared. If a suspicious action is detected, we notify administrators of the affected users within a few minutes.
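To make the kinds of red flags described above concrete, here is a small added example (not UserInsight code, and not Rapid7's detection logic) that scans constructed Windows Security event lines and OS X sudo log lines for account changes and log destruction, then groups the signals per user so an administrator can be notified about the users with the most corroborating evidence. The Windows event IDs are standard Security log IDs (1102 audit log cleared, 4720/4726 account created/deleted, 4728/4732 group membership added); the key=value Windows line format, the OS X command patterns, and the sample hosts and users are assumptions made for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Standard Windows Security log event IDs (well known, not taken from the page).
WATCHED_WINDOWS_EVENTS = {
    1102: "audit log cleared",
    4720: "user account created",
    4726: "user account deleted",
    4728: "member added to a global security group",
    4732: "member added to a local security group",
}

# Substrings in privileged OS X commands that map to the same concerns.
# These patterns are assumptions for illustration, not a product's rule set.
WATCHED_MAC_COMMANDS = {
    "dscl": "directory services account change",
    "rm /var/log": "system log deletion",
}

# Constructed sample data: the key=value layout is an assumed export format.
WINDOWS_SAMPLE = [
    "2014-11-20T10:01:02Z host=WS-042 user=jdoe event_id=4624",
    "2014-11-20T10:05:30Z host=WS-042 user=jdoe event_id=1102",
    "2014-11-20T10:06:00Z host=DC01 user=jdoe event_id=4720 target=svc_backup",
    "2014-11-20T10:07:00Z host=DC01 user=jdoe event_id=4732 group=Administrators target=svc_backup",
    "2014-11-20T10:08:00Z host=DC01 user=carol event_id=4720 target=intern01",
    "2014-11-20T10:09:00Z host=WS-007 user=bob event_id=4624",
]

# Constructed OS X /var/log/system.log style sudo entries.
MAC_SAMPLE = [
    "Nov 20 10:10:11 mac-ceo sudo[512]: alice : TTY=ttys001 ; PWD=/Users/alice ; USER=root ; COMMAND=/usr/bin/dscl . -create /Users/backdoor",
    "Nov 20 10:11:11 mac-ceo sudo[513]: alice : TTY=ttys001 ; PWD=/Users/alice ; USER=root ; COMMAND=/bin/rm /var/log/system.log",
    "Nov 20 10:12:00 mac-ceo sudo[514]: alice : TTY=ttys001 ; PWD=/Users/alice ; USER=root ; COMMAND=/usr/bin/ls",
]


@dataclass(frozen=True)
class Alert:
    host: str
    user: str
    reason: str


def parse_windows_line(line: str) -> dict:
    """Split a key=value Windows Security event line into a dict (timestamp first)."""
    parts = line.split()
    fields = {"timestamp": parts[0]}
    for tok in parts[1:]:
        key, _, value = tok.partition("=")
        fields[key] = value
    return fields


def detect_windows(lines: List[str]) -> List[Alert]:
    """Raise one alert per watched Windows event ID."""
    alerts = []
    for line in lines:
        ev = parse_windows_line(line)
        event_id = int(ev.get("event_id", 0))
        if event_id in WATCHED_WINDOWS_EVENTS:
            alerts.append(Alert(ev["host"], ev["user"], WATCHED_WINDOWS_EVENTS[event_id]))
    return alerts


# "Nov 20 10:10:11 <host> sudo[<pid>]: <user> : ... COMMAND=<command>"
SUDO_RE = re.compile(r"^\w{3} +\d+ [\d:]+ (\S+) sudo\[\d+\]: (\S+) : .*COMMAND=(.+)$")


def detect_mac(lines: List[str]) -> List[Alert]:
    """Raise one alert per privileged OS X command matching a watched pattern."""
    alerts = []
    for line in lines:
        m = SUDO_RE.match(line)
        if not m:
            continue
        host, user, command = m.groups()
        for needle, reason in WATCHED_MAC_COMMANDS.items():
            if needle in command:
                alerts.append(Alert(host, user, reason))
    return alerts


def triage(alerts: List[Alert]) -> Dict[str, List[str]]:
    """Collect the distinct reasons seen for each user, regardless of host."""
    per_user: Dict[str, set] = defaultdict(set)
    for a in alerts:
        per_user[a.user].add(a.reason)
    return {user: sorted(reasons) for user, reasons in per_user.items()}


def users_to_notify(alerts: List[Alert], min_signals: int = 2) -> List[str]:
    """Users with at least min_signals distinct red flags go to the administrator first."""
    return sorted(u for u, reasons in triage(alerts).items() if len(reasons) >= min_signals)


if __name__ == "__main__":
    found = detect_windows(WINDOWS_SAMPLE) + detect_mac(MAC_SAMPLE)
    for user, reasons in triage(found).items():
        print(user, "->", ", ".join(reasons))
    print("notify:", users_to_notify(found))
```

Requiring two distinct signals before paging an administrator is the design choice here: a single account creation is routine help-desk work, but an account creation followed by a cleared audit log on the same identity is the pattern worth a prompt look; the threshold is a parameter so a team can lower it for high-value users such as executives.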
UserInsight provides visibility into endpoints through a credentialed scan without requiring an endpoint agent, a potential IT management headache. UserInsight enables security teams to detect compromised credentials, quickly investigate user activity before and after any incident, and do this across network, cloud, and mobile environments. Our intimate knowledge of the attacker mindset allows us to identify the behavior associated with a compromised account to provide state-of-the-art coverage with minimal false positives.
For example, we were able to immediately identify attempts to exploit the Kerberos Remote Privilege Escalation vulnerability for multiple customers. These attacks are particularly devastating because they essentially require the organization to “burn down” their Active Directory and rebuild it.
Agentless Endpoint Monitoring
Endpoint Monitoring sounds great, but what does this entail for IT? Let's say each of these endpoints was a physical location. Securing these would mean allocating time and resources at each place. Digitizing this analogy means that IT staff would need to install, maintain, and upgrade an endpoint agent on every device in the network, just like a Virtual Private Network (VPN) configuration or Mobile Device Management (MDM).
Rapid7 relieves this burden with agentless scanning technology, which allows the wide range of devices on your network to be centrally monitored without an endpoint client. Combined with the monitoring of important mobile chokepoints, such as IIS and email servers, Rapid7 can offer a complete network security solution that integrates with your existing SIEM and architecture without an added IT headache.
How can you improve your endpoint security today? The most common attack vector for breaches remains compromised credentials. Join us for a guided demo to see how we can provide value to your organization. For more, see our UserInsight page or contact us.