When it comes to designing good protection for your organisation, it’s essential that you place substantial focus on protection of clients, such as smartphones and computers. These devices also need to provide a good end-user experience, however, and these separate requirements can result in a direct conflict.
The user devices need to provide a good end-user experience, but they also need to be adequately protected. These separate requirements can result in a direct conflict, and it’s important to find the right balance.
Jørgen Styrmo Borghagen, Senior Consultant at Aztek, a part of Iver
It’s a good idea, according to Jørgen, to imagine the process of hardening your security as an onion, with multiple layers of protection.
“The key thing is to have multiple security layers that, collectively, provide strong protection. The more layers you have, the less important each individual layer becomes, and it’s easier to accept exceptions or deviations from the hardening process for services, or users of certain security services.”
When designing your security, Jørgen recommends starting from basic security principles, as they give you a good overview of the things you need to bear in mind. There are also a further 7 aspects, listed below, on which you should focus in relation to endpoint security.
Create a clear overview of your organisation’s endpoints
Start by creating an overview of all the endpoints in your environment, then carry out regular reviews, based on multiple sources, to ensure that you have included every single one. Crosscheck the database, and make sure that the endpoints are registered under the right services, because it’s important to pick up on the endpoints that fall outside “the box” or don’t meet the criteria.
Keep up to date on vulnerabilities
Scan the endpoints continuously for third party software, firmware, drivers, and updates.
“People often scan a selection of endpoints to get an idea of the environment, but I recommend scanning all of them. All the time. Always. Because if you don’t, you could have undetected vulnerabilities.”
It’s also important to have tools that can run automatic processes to ensure that updates can be implemented sufficiently quickly. This applies both to updates to firmware and drivers for HW components, for which providers often provide updating tools and services that automatically update third party applications on endpoints.
“If you don’t want automatic updates, you should take the time to roll out new updates gradually, so that you can make sure errors are detected before they’re rolled out to all your users. Treat exceptions as exceptions, and don’t let exceptions become the norm!”
Protect and restrict administrative access
Privileged access to endpoints means you lose control over your environment, so it’s important to ensure you have unique passwords for all endpoints and that you change passwords regularly.
“In the locations where end-users need to have administrative access for one reason or another, you should create a separate user that can be used for the tasks that require this access, rather than giving users permanent privileged access, which increases the security risk substantially,” says Jørgen.
Start from Zero Trust
Starting from Zero Trust is a sensible approach when designing security for your organisation’s endpoints. The concept is based on continuously validating access on the basis of multiple, quantifiable parameters, such as information on location and device (compliance status, operating system, etc.), rather than automatically trusting devices/users. This principle can be used for authentication of both infrastructural services such as VPNs and WiFi, and end-user services, and allows you to prevent unwanted access to infrastructure and services by people who should not have access.
Hardening using best practice
There are a number of sources of recommended endpoint hardening techniques. Microsoft, for example, have been offering recommended settings in the form of a “security baseline” for a long time now, and several other security organisations offer the same thing. Use these sources as a starting point and bear in mind that some services/endpoints require exceptions. A well-thought-out structure makes it easier to grant individual exceptions and thereby avoid having to grant all exceptions for all endpoints.
“Good hardening is the result of the combination of lots of small, individual measures. Simply using traditional antivirus protection based on known signatures is, quite simply, not good enough,” says Jørgen.
You should also audit your hardening continuously by means of automatic services and/or external audits/penetration tests.
Make sure you have detection and incident management in place
Detecting undesirable incidents requires alarm systems that sound the alarm based on a number of indicators (and not simply known signatures). Several XDR-solutions (Extended Detection and Response) use thousands of indicators to detect attacks. It’s also important to have well-integrated security solutions that provide valuable aggregated data from multiple sources.
“This makes it easier to see incidents in a context, and to see connections between different incidents. It also makes limiting the scale of the damage quicker.”
Work with clear segmentation
Restrict the possibility of vertical and horizontal movements in the environment. Vertical blocking prevents outsiders from entering your environment and obtaining even more privileged access, while horizontal blocking prevents unauthorised parties from moving between endpoints.
“I recommend implementing a ”tiering model”, where you put good network segmentation in place with the aid of micro-segmentation and a local firewall that also separates admin accounts and user accounts.”
If your company needs a security review, or advice on how your organisation can increase your endpoint security, Iver has the resources to help you. Contacting us is easy via the form below.