2005-10-25
Protecting endpoint systems such as desktop computers and servers is an important part of any reasonably well-thought-out security strategy, for both enterprise networks and home computers. The outbreak of devastating worms and email-borne viruses, plus the damage and lost productivity caused by SPAM and spyware, have brought to the public the mantra many security experts have been chanting for more than a decade: "...defense in-depth, defense in-depth, defense in-depth..."
It now seems that the mantra has been heard, and endpoint security is a serious concern for many security-conscious users. Multiple endpoint security solutions have converged on the desktop, both in terms of feature-set integration and in terms of the security products and services offered by a myriad of vendors. Host-based intrusion detection and prevention systems (H-IDS/IPS) seem to be the rising star of this pack, yet very few innovative ideas have seen the light of day in terms of how to deploy and operate them, or how to determine the value they actually deliver. In part one of this article we introduce endpoint security solution technologies and analyze some of the technical challenges they face in providing effective security to Internet users and organizations. A collaborative approach that relies on cooperation not only between software components, but also between the users of endpoint security solutions, is proposed as a plausible way to address these challenges.
Why endpoint security?
It is evident that the traditional perimeter defense approach to information security is helpless against a myriad of attacks in any but the most simplistic network setup. From a purely "theoretical" perspective, the proposal for a strong defense system at the network perimeter - built mainly using firewalls and network devices such as routers and switches with certain security features - lacks, by definition, the visibility and depth to provide effective security in the rapidly changing landscape of today's software and network topologies. Undeniably, firewalls and other perimeter defenses provide good security countermeasures to prevent attacks when it is possible to inspect and sanitize inbound and outbound network traffic. The total network security advocate would argue that perfect (or quasi-perfect) network segmentation and enforcement of security policies at the perimeter could prevent most, if not all, security incidents. However, the founding premise of this security strategy remains the same as in the early days of information security: a hard network shell and a relatively soft network core. The "security in-depth" school of thought would claim that this is "philosophically" insufficient to achieve a good security posture, since several layers of security mechanisms, each with controls of a different strictness, would provide a stronger overall defense against both external and internal attackers. The rationale is that, by combining several layers of varying strength, the overall robustness, redundancy and effectiveness of the security infrastructure is increased, and its deployment becomes pervasive across the entire network it aims to protect (including end systems).
On the other hand, according to host-based security proponents, the number of network security layers required to deploy reasonable security adds up to something impractically complex, unmanageable or expensive (or all of the above).
Even then, proponents of host-based security argue that these multiple layers of network security would still fail when facing attack vectors invisible to outer network security layers. For instance, when the internal network core is directly targeted, real security requires mechanisms deployed at the endpoint systems.
Relatively recent security initiatives such as Cisco's NAC or Microsoft's NAP seek to combine both worlds in a seamlessly integrated and interoperable manner. However, these initiatives have yet to prove effective, suitable and of real value in live, real-world scenarios. Meanwhile, endpoint and network security threats and solutions continue to evolve at a rapid pace and, as common sense would dictate, a mix of host-based and network-based components is generally used in the security infrastructure of typical IT environments.
Threat prevention at the endpoint
Endpoint security software is a major portion of today's security infrastructure. This is demonstrated by the fact that anti-virus software is the most mature security technology, and the most well-established information security vendors dominate this market segment. Undoubtedly, anti-virus software packages are the most widely deployed security solution in IT environments across the board. Still, it has been clearly demonstrated that anti-virus software alone is not enough to cope with the emergence and evolution of new security threats.
Accompanying the explosive growth of computer networks - and perhaps somehow fostered by it - users and organizations have increasingly turned to network-based security solutions in their search for better security controls that could complement or replace AV software. This triggered the rise of the firewall and the network IDS as mandatory components in most security strategies today.
As was the case with the earlier endpoint-centric AV solutions cycle, pure network security plays proved insufficient to cope with security threats after the emergence of automated massive attacks, worms, directed attacks using exploit code that passes unnoticed through network devices, and the various forms of malware targeted at endpoint systems and users. Attention turned back to endpoint security solutions and, consequently, firewalls and Intrusion Detection or Prevention Systems adapted and moved onto the desktop computer. These have taken the form (or sometimes just the name) of Personal Firewalls, H-IDS/IPS or endpoint security policy enforcement solutions. Anti-virus software itself has mutated and evolved to cope with many of those new threats.
Today, malware detection and removal, SPAM and pop-up blocking, protection against exploitation of software flaws (mainly against code-injection exploits) and application sand-boxing have all converged at the endpoint. A multitude of different, and sometimes conflicting, solutions are available from a similarly large number of providers. All of them face non-trivial technical and operational issues that they need to address in order to be successfully deployed and to provide effective defense at the endpoint. In the next section we provide a laundry list of known issues that we consider an endpoint security solution should address.
The visibility issue
Network-based solutions can't detect or prevent what they can't see. For what they can see (such as network traffic data or traffic metadata), they lack the accurate context needed to correlate observations with actual events on endpoint systems: why, when and how the observed traffic was generated, and what generated it. The flip side of this problem is that pure endpoint security solutions are not "network aware" and therefore lack context at the global, or even local, network level. A given endpoint solution can see what is going on at the endpoint system where it is running, but lacks the network visibility to understand the aggregated effect of multiple endpoint systems with similar behavior. This imposes some fundamental limitations on what contextual information the endpoint security solution can act upon, and therefore on the effectiveness of its security posture.
The effectiveness issue
As the last line of defense against attacks, endpoint security solutions should (or, in a perfect world, must) be effective in detecting and preventing all types of attacks: those that are publicly known (associated with a publicly known vulnerability, exploit or "worst practice") and those that are as yet unknown to the general public (attacks that exploit 0-day vulnerabilities or use new attack techniques).
A flaw in the solution's effectiveness can lead to a direct security compromise in the case of false negatives (a harmful event that is considered harmless and not acted upon by the security mechanism), or to a disruptive and possibly harmful reaction in the case of false positives (a harmless event that is considered harmful and acted upon by the security mechanism). An effective solution must constantly execute a delicate balancing act between the overzealous and over-permissive extremes. Tilting towards one extreme renders the solution ineffective and self-defeating for its security purpose; tilting towards the other renders the solution unmanageable, untrustworthy and ultimately equally self-defeating.
All current endpoint security mechanisms make their stand somewhere in-between those two extremes.
The simplest approach is signature-based detection of harmful events. This is the traditional approach of AV software, and its effectiveness depends on both the quality of the signatures and the pace at which new signatures for newly known threats can be distributed. To cope with the unknown, AV software (as well as other endpoint security solutions) has adopted heuristics-driven technology to trigger security defenses. By using heuristics that define and detect known techniques and malicious behavior, endpoint security solutions can act upon known attack patterns even when they target components not known to be vulnerable.
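The trade-off described in the effectiveness section and the two detection approaches above can be made concrete with a small experiment. The following is an added example, not code from the article or from any product it mentions: a toy signature scanner (byte patterns of already-known samples) and a toy behaviour-heuristic scanner (weighted rules describing techniques rather than samples), both scored for false positives and false negatives against a handful of labelled events. The signature database, the heuristic rules and their weights, and the sample events are all constructed for the illustration; a real product works from far richer data, but the shape of the result is the same: signatures miss the repacked variant (a false negative) and never misfire, while the heuristic catches the variant but also flags a legitimate mail client (a false positive) until its threshold is tuned.

```python
# Added example, not from the article: signature matching versus behaviour
# heuristics, scored for false positives / false negatives on constructed data.
from dataclasses import dataclass, field


@dataclass
class Event:
    """One observed object on the endpoint (constructed sample data)."""
    name: str
    payload: bytes                                  # file or process image contents
    behaviours: set = field(default_factory=set)    # actions observed at run time
    malicious: bool = False                         # ground truth, used only for scoring


# Constructed signature database: byte patterns of samples that are already known.
SIGNATURES = {
    "Worm.A": b"EVIL-PAYLOAD-v1",
    "Dropper.B": b"\x90\x90\x90\x90\xcc",
}

# Constructed heuristic rules: a set of behaviours that together describe a known
# malicious technique, plus a weight. An event alerts when the summed weight of
# all fully matched rules reaches the threshold. Rules describe techniques, not
# specific samples, so they can fire on code that has never been seen before.
HEURISTICS = [
    ({"writes_autorun_key", "spawns_self"}, 3),   # persistence plus self-replication
    ({"mass_smtp_connections"}, 2),               # mass-mailing behaviour
    ({"injects_into_process"}, 2),                # code injection into another process
    ({"writes_to_temp"}, 1),                      # weak indicator on its own
]


def signature_scan(event):
    """Return the name of the matching signature, or None.
    Only samples whose pattern is already in the database can ever match."""
    for name, pattern in SIGNATURES.items():
        if pattern in event.payload:
            return name
    return None


def heuristic_score(event):
    """Sum the weights of every rule whose behaviours are all present in the event."""
    return sum(weight for behaviours, weight in HEURISTICS
               if behaviours <= event.behaviours)


def signature_detector(event):
    return signature_scan(event) is not None


def heuristic_detector(event, threshold=3):
    return heuristic_score(event) >= threshold


def evaluate(events, detector):
    """Count true/false positives and negatives for a detector over labelled events."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for ev in events:
        flagged = detector(ev)
        if flagged and ev.malicious:
            counts["tp"] += 1
        elif flagged and not ev.malicious:
            counts["fp"] += 1
        elif not flagged and ev.malicious:
            counts["fn"] += 1
        else:
            counts["tn"] += 1
    return counts


# Constructed sample events. The "repacked variant" is the known worm with
# different bytes but identical behaviour; the mail client legitimately opens
# many SMTP connections because that is its job.
SAMPLE_EVENTS = [
    Event("known worm", b"...EVIL-PAYLOAD-v1...",
          {"writes_autorun_key", "spawns_self", "mass_smtp_connections"}, True),
    Event("repacked variant", b"...EVIL-PAYLOAD-v2...",
          {"writes_autorun_key", "spawns_self", "mass_smtp_connections"}, True),
    Event("mail client", b"MAILER", {"mass_smtp_connections", "writes_to_temp"}, False),
    Event("text editor", b"EDITOR", {"writes_to_temp"}, False),
    Event("installer", b"SETUP", {"writes_autorun_key", "writes_to_temp"}, False),
]


if __name__ == "__main__":
    print("signatures:", evaluate(SAMPLE_EVENTS, signature_detector))
    print("heuristics:", evaluate(SAMPLE_EVENTS, heuristic_detector))
    print("heuristics, threshold 4:",
          evaluate(SAMPLE_EVENTS, lambda e: heuristic_detector(e, threshold=4)))
```

Raising the heuristic threshold to 4 removes the false positive on this sample set without losing either worm, which is the "delicate balancing act" of the effectiveness section in miniature: every threshold or rule weight chosen moves the solution along the line between overzealous and over-permissive, and the right point depends on what legitimate software on that endpoint actually does.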
