If you can contain or block threats before they hit the endpoint with network-based security such as detection and sandboxing, that is always a good idea. The problem is that if you don’t secure the endpoints first, you end up with an eggshell security stance, where you are reliant on a single outer shell to protect your data. Without secure endpoints, even one small crack in the network shell will cause all of your data to spill out, creating a real mess..
When you look at some of the big US data breaches, a number had bought into the latest and greatest “next gen” network security technologies which had “detected” the threats and raised warnings. The problem was that there was so much noise generated by the solutions that no one prevented the attacks happening as thousands of other alerts flooded in daily. This is part of the battle when you are looking to detect threats especially at a network level. It can be like looking for a needle in a haystack.
Network defences face an almost impossible trade-off between security and usability. You want threats to be deeply analysed, however you can’t make the user wait. This results in rash decisions being made by the solution, or network security features being disabled. Intel Security found that over 30% of organisations disable network-based security features in order to boost speed. Malware authors know this and therefore will create attacks that simply lay dormant for a period of time to bypass the network sandbox.
Malware has rapidly evolved to evade network sandboxes using a variety of techniques including:
- Delayed onset
- Detecting virtualised environment
- Checking the number of CPU cores (network sandbox usually only presents 1)
- Checking if user is real (monitor mouse movement etc)
- Exploiting the virtual environment to escape
If we don’t believe the hype and accept that no system is ever 100% secure, we realise that some threats will not be detected - so where will these end up? On the endpoint.
If the endpoint is not robustly secured using proactive defence in depth, you are reliant on endpoint detection, such as AV to block the threats, essentially the same kind of detection that failed to identify the threat at the network level. In this case it only takes one threat to breach an organisation; one APT that is not detected and you are breached. In fact, when you look at a lot of network-based solutions they have accepted this fact and are now looking to detect attacks post compromise.
Possibly the most worrying aspect of network-based security is that some major network security vendors have been found to be introducing vulnerabilities and back doors into organisations. Several independent security researchers have detailed flaws that can be exploited by attackers to not only bypass these defences, but also gain access to a privileged position on the network.
Let us not forget that the corporate network is not the only way into a system. Mobile users who connect to external networks, USB devices or rogue users can all cause serious damage. How well does a network solution prevent these common attack vectors?
Critical business data is accessed and stored on the endpoint, and as code either good, bad or unknown executes on the endpoint, the endpoint should be where you start when looking to secure your enterprise against the latest APTs and cyber threats.
Network security products are often viewed as a panacea to the latest threats an organisation is battling with. Buy a box, plug it in and wait for a wonderful report that tells you how many threats are blocked. This might seem like a great solution, but in practice is not the solution and just serves to give the illusion of a problem solved.
So, when it comes to security, always start from the endpoint and build out. A bank doesn’t leave the vault door open just because they have a security guard on the door - they start from the vault and layer security outward. In a business, data and IP is money - so as reassuring as it is to have something watching data coming in and out…if you don’t secure the endpoint you simply risk losing it all.
James Maude,
James Maude is the Lead Cyber Security Researcher at BeyondTrust’s Manchester, U.K., office. James has broad experience in security research, conducting in-depth analysis of malware and cyber threats to identify attack vectors and trends in the evolving security landscape. His background in forensic computing and active involvement in the security research community makes him an expert voice on cybersecurity. He regularly presents at international events and hosts webinars to discuss threats and defense strategies.