One of the plagues of the incident detection space is the bias of functional fixedness. The accepted thought is that your monitoring is only effective for systems that are within the perimeter and communicating directly with the domain controller. And, the logic continues, when they are away from this trusted realm, your assets are protected only by the preventive software running on them. Given the continuous rise of remote workers (telecommuting rose 79 percent from 2005 to 2012), it's now time to demand that detection solutions monitor all of your endpoints. By default.
There's no time your assets are more susceptible than when they're outside the perimeter
Anyone who's experienced driving the remote countryside of the British Isles will share stories of sheep crossing, blocking, and otherwise invading the narrow roads that require delicate navigation. Think about the risk management involved in the sheep farmer's strategy to make a profit from these herds. Only so much can be spent on fencing and training sheepdogs [or the more experimental guardian llama] to protect the flock from predators and cars before the cost becomes too significant relative to the reward side of the equation. So the shepherds augment protections on their meadows with distinct spray paint tags to identify the sheep in the wide world and hold out hope they aren't fatally injured, stolen, or worse: diseased before returning to the safety of the meadow.
Your flock of company laptops is not so different (yes, in this analogy the laptops are the sheep, not the people). To maximize productivity, you hand them out with the knowledge they are likely to increase the risk to your organization. While they are connected to the network, you have various perimeter devices monitoring and blocking traffic headed their way, but there is always a limit to how much you're willing to lock them down when not on the VPN because it prevents work from being accomplished. This means you are accepting that, much more likely than the intriguing USB storage device left outside your company's headquarters, an IT-provisioned laptop will be victimized by a phishing attack or innocently downloaded malware while connected to an outside network. Then, when it inevitably reconnects to the network, attackers have access without ever having been near your perimeter. They are the diseased sheep, and in this case have access to a trusted asset and eventually the rest of your flock (ok, enough sheep).
Even the most sophisticated detection is ineffective when it can't see
And why is it that your various detection technologies are rendered ineffective here? The answer is simple: they cannot see those laptops. Whether you are monitoring network traffic, log data, or endpoints, you typically see nothing happening on your remote laptops or between them and the open internet. If Ethan Hunt in [the first of many] Mission: Impossible merely had to access a CIA operative's laptop and could wait until that operative went back into the ridiculous room with weight sensors, humidistats, and audio sensors to connect the compromised laptop to the lonely desktop containing the NOC list, it would have been a lot less dramatic, but much more realistic. Monitoring for malicious behavior and human perspiration are equally useless if the pre-approved laptop is already compromised when it rejoins the network and comes back into your purview.
Allowing you to build a complex proxy to leverage the monitoring you purchased is not a “solution”
The vast majority of detection solutions available today have workarounds to make it theoretically possible to monitor your remote endpoints, but it typically requires a great deal of effort and ingenuity to reach a functional state. You might need to force all remote browser traffic through a corporate web proxy or implement a proxy for the endpoint agents to communicate back to their central server. Suddenly, the product you've purchased is demanding a lot more from you just to use its core functionality across all the assets you're paying to monitor.
Imagine if an airline promised you inflight WiFi so you can reply to that influx of email or simply keep up with Season 2 of Daredevil. However, it comes with an accessory antenna you'll need to manually hold up whenever the satellite is out of reach.
You are going to keep giving your employees laptops, so monitoring them should be the default
So if we all accept that organizations are going to continue providing laptops, we should also agree that you shouldn't have to completely swallow them as a known risk, nor maintain your own communication system for keeping them in view. The standard package for your detection solutions should include the flexibility to see your assets whether they are on or off the traditional network. Why would you want to invest so much in detection and not include these high value target systems by default?
Every InsightUBA and InsightIDR customer has the option to deploy the Rapid7 continuous agent on its endpoints. Assets which are never taken off-site will always be monitored via scan, but we designed and built this continuous agent so that you could still watch for concerning behavior on your organization's assets when they're being used on a home network, at a coffee shop, or at a tropical resort. If the continuous agent can contact your Insight Collector, it will communicate through it. If it cannot reach any of your organization's Collectors, it will communicate directly to your instance on the Insight platform. No extra work. No additional fees. This is meant to be simple and standard because you should have as few gaps in visibility as possible.