Endpoint Protection: Practical E-book (F-Secure)

Embed Size (px)

Citation preview

Page 1: Endpoint protection-practical-e book F-Secure

A hands-on guide to fighting emerging cyber security threats like ransomware

ENDPOINT PROTECTION WORKBOOK

THE REALIST’S GUIDE TO PRACTICAL ENDPOINT PROTECTION

ENDPOINT PROTECTION – WORKBOOK

Endpoint protection is more important than ever


There’s no getting around it: cyber security gets tougher every day


As your company adds new users, devices, apps, and back-end infrastructure, it becomes harder and harder to see all your endpoints and understand your attack surface. There’s a real risk that your attackers will know your infrastructure better than you do.

Many organizations think they’re protected because they comply with cyber security regulations. The truth is, compliance is not enough—the threat landscape changes too fast. For instance, around 10,000 new malware variants are detected for Windows every day.[1] Furthermore, new attack methods are constantly being commoditized, allowing completely unskilled hackers to breach compliance-certified businesses.

We’ve all seen the stories of ransomware, with attackers often demanding “affordable” ransoms to decrypt infected files. Most businesses pay up quickly, making ransomware an attractive prospect for unskilled hackers looking for a quick return. Exfiltrating and selling valuable data takes time and skill—locking down key systems and demanding a few bitcoins is alarmingly simple.

But the ransom is only one of the costs of infection—the true cost lies in the downtime of critical systems.

That’s why getting the attack prevention basics right is more important than it’s ever been.

THE COSTS OF RANSOMWARE

Ransomware demands are mostly just a few hundred dollars, but some small businesses have paid up to $80,000 to regain access to data and systems.[2]

One hospital in Los Angeles resorted to keeping paper admin records (and sharing them by fax) for several days before deciding to hand over $17,000 to restore access to its IT systems.[3]

Whatever the size of your business, paying the ransom will hurt, but losing days of productivity will hurt even more.

New threats like ransomware keep emerging


Traditional perimeter defenses won’t protect your business when users are taking the perimeter with them, beyond the corporate network.

The endpoint is your weakest link—because people make mistakes. A recent report found that 23% of employees are likely to open a phishing email, and 11% would open an attachment from an unknown person.[4]

As well as the risk of human error, your people are constantly expanding your attack surface. Employees will often use public cloud solutions on their work devices, for example, extending the corporate network beyond IT’s control.

With everything becoming more complex—and constantly changing—it’s vital to get the cyber security basics right.

FINDING THE RIGHT BALANCE BETWEEN OLD AND NEW

For too many organizations, those basics mean relying on tired old anti-virus and then investing in advanced detection and response systems to catch what gets through the net. But by the time a ransomware attack’s been detected, it’s already too late.

At the same time, it takes more than so-called “next gen” anti-virus tech to keep your business protected. You need a multi-layered solution that brings together genuinely advanced tech, the latest threat intelligence and the human expertise needed to make sense of it all.

In this workbook, we’ll help you assess your current approach to endpoint protection so you can prioritize what you need to do next to safeguard your business.

Let’s get started.

PART I: YOUR CURRENT CAPABILITIES

How protected is your business?

That means preventative endpoint security is still an essential (and highly effective) foundation for protecting your business. Get endpoint protection right and you’ll set yourself up to prevent the vast majority of attacks from having any impact on your business. Get it wrong, and you’ll become an easy target.

Attackers constantly innovate, creating new malware variants and ransomware tactics. Your business constantly changes as it grows, innovates and forms strategic alliances. And your infrastructure constantly evolves, with more users accessing more apps, and more back-end hardware running more services.

In an environment that’s continuously changing, you can’t rely on static defenses. You have to be able to see around corners, know what’s coming next and move fast to stop it in its tracks.

Are you ready to fight off ransomware attacks? Or is there work to be done to ensure your business gets the best possible protection?

Answer the following questions to assess how susceptible your business is to ransomware and similar cyber threats.

UNDERSTANDING YOUR RISKS: PREVENTION STARTS WITH ASSESSMENT

Impact assessment

Recent research shows the average cost of downtime is nearly $9,000 a minute.[5] But when critical systems go down, it affects different businesses in different ways.

For an online retailer, it can lead to an instant loss of revenue and long-term loss of customer trust. For a police department, it can bring criminal investigations grinding to a halt. And for a hospital, it can directly impact patient care—in some cases literally making the difference between life and death.

Do you know the impact of mission-critical systems being taken offline?

A. We’ve assessed the specific business impact of attackers taking critical systems offline and simulated a range of likely scenarios.
B. We understand the business impact of losing critical systems, but we haven’t analyzed specific attack scenarios.
C. Obviously, downtime is bad, but we can’t put a number on how much an attack might hurt us.
D. Well, they’re “critical” to the “mission”, so I guess it’d be bad, right?

Threat intelligence

Great protection starts with great intel, so it’s essential to keep up with the latest threat intelligence. Without access to the best feeds and ongoing research, you’ll find yourself at the mercy of attacks that are evolving faster than your endpoint protection can.

How aware are you of changes in the threat landscape?

A. We have a trusted cyber security provider who ensures we’re up to date with all the latest developments.
B. We try to keep up to date, but nobody has overall responsibility for threat intelligence.
C. We’re probably six months behind where we need to be.
D. Who can keep up with that stuff? If things change, we just pray our old AV will notice.

Attack surface mapping

To manage your vulnerabilities, you need to know where they are. In an age of BYOD and shadow IT, that’s not easy—just knowing all the mobile devices and cloud apps connected to your network can be tough.

How well do you know your attack surface?

A. We know about every endpoint that’s connected to our network and we know all the first and third-party applications users access.
B. We have a good view of most endpoints and applications, and it’s generally up to date.
C. We have trouble mapping everything—there are just too many changes to keep up with.
D. To be honest, most hackers probably know more about our attack surface than we do.

MINIMIZE YOUR ATTACK SURFACE: SMALLER TARGETS ARE HARDER TO HIT

Unwanted services

Too often, corporate IT services are retired in theory, but not in reality. And there’s nothing hackers love more than an old, unloved app or utility that’s not being patched or monitored. If users still have access to unsupported services, it creates an easy way in for attackers.

What happens to services that are no longer required?

A. All unwanted services are immediately taken offline.
B. Most unwanted systems are removed within a month.
C. We occasionally take unwanted services offline.
D. There are probably loads of systems out there we don’t even know about.

Patch management

Outdated software is the cause of up to 85% of cyber security incidents.[6] Yet as many as 70% of organizations have no solution for patch management.[7]

Patching might not exactly be fun, but it’s a vital first step in continuously improving your endpoint protection. If patches get missed or delayed (which is pretty common with so many services using corporate networks), it just makes hackers’ lives so much easier.

How easily can you find and manage updates for various software installations across the company?

A. We have centralized visibility and control over all available patches and updates.
B. We can centrally manage updates for most software installations.
C. It’s up to the end-users to install updates themselves.
D. Most of the time we don’t even know what software is being used.

How long does it take you to deploy patches to critical apps?

A. Less than a day.
B. 2-7 days.
C. 8-30 days.
D. Patching takes way too much time—so we stopped doing it.

System hardening

When hackers are determined to get into your systems, it pays to make the attack surface as hard to break as possible. Hardening should be the first item on your security to-do list when new systems are added to the network.

Have you hardened all systems on your network?

A. All systems are hardened, and mobile endpoints have mandatory disk encryption and VPN connectivity.
B. Most internet-exposed systems are hardened, but there are some end-user systems we can’t reach.
C. We’ve only hardened business-critical systems.
D. None of the systems on our network are hardened.

PREVENTING INCIDENTS: VIGILANT PEOPLE, SOLID PROCESS, ADVANCED TECH

Your people

Everyone thinks they wouldn’t fall for a phishing scam, so why are they still so effective? Some phishing emails are so obvious they’re funny, but more sophisticated scams will look and feel real—and they’ll often contain a ransomware link, just waiting for the unwary user to click. That’s why keeping staff training up to date and creating a culture of vigilance are so important.

How often do you train staff on cyber security?

A. We keep all our staff constantly informed as new threats, phishing campaigns and scams emerge.
B. We train people periodically—every year or so.
C. We train new staff during the onboarding process.
D. We haven’t got time to train people—we’ve got a cyber security operation to run!

Your processes

Basic processes, such as system hygiene and backups, are a vital first line of defense in the battle against ransomware. But often these processes are inadequate to keep up with the pace of change in the threat landscape and corporate infrastructures.

It’s great to back everything up, for example, but if you don’t test your backups regularly there’s no way to know whether you’ll actually be able to quickly retrieve data in the event of a ransomware infection.

What’s your current approach to system hygiene?

A. User access privileges are constantly updated as people’s roles change or they leave the business.
B. We remove leavers’ access quickly, but some of our veteran staff still have access to all kinds of things they don’t really need.
C. Things change so fast it’s hard to keep everything up to date, but we update access privileges periodically.
D. We just give everyone access to everything—it’s much simpler that way.

How frequently do you back up critical data?

A. We take snapshots of the entire environment every 10 seconds or so and we can recover up-to-date files almost instantly.
B. We back up all our most critical data overnight.
C. We get everyone to copy their files to a removable drive from time to time.
D. We’re not really sure where all our critical data even lives.

Do you test backups to make sure they’re recoverable in the event of an attack?

A. All backups are automatically tested to guarantee recoverability.
B. We occasionally test our backups.
C. We rarely test backups.
D. Don’t worry—we’re sure they’ll be fine.

Your technology

All organizations operate some kind of endpoint security, but not every organization takes full advantage of all the latest advanced capabilities.

To prevent 0-day attacks from penetrating your network, it takes a lot more than old-fashioned AV tech. You need systems using behavior scanning engines to identify and contain unknown threats, along with centralized visibility and control for your cyber security team.

How would you rate your current endpoint protection?

A. We constantly update our endpoint defenses and all alerts are monitored and dealt with.
B. We’ve deployed and configured advanced defenses and we manage them centrally, but we can’t always handle all the alerts.
C. Endpoint protection is in place, but we don’t have centralized visibility of alerts.
D. That reminds us—we should probably renew the anti-virus licenses.

Do your systems use behavior-based scanning?

A. All our endpoints are protected with behavioral scanning and we also use behavior-based breach detection systems in our network.
B. Most of our endpoints are protected with behavioral scanning.
C. Our endpoint protection software doesn’t include behavioral scanning technologies.
D. We have behavior-based scanning tech, but we’ve disabled it all.

PART II: PRACTICAL ADVICE FOR FIGHTING RANSOMWARE

The best cyber security requires a holistic approach covering every aspect of predicting, preventing, detecting and responding to attacks. And as part of that approach, it’s essential to get the prevention basics right. Here’s our checklist of the fundamentals of preventing ransomware and other threats getting into your network.

1: Backup all critical data

First you need to identify all the data that’s critical to your business and then make sure it’s regularly backed up.

A media services company we worked with had been backing up its financial data only. When it got hit by ransomware, it lost pictures, videos and music that were vital for providing services to its customers.

Also make sure crypto-ransomware can’t encrypt your backups—keep them inaccessible from other machines on the network.

Network synchronization backup solutions don’t keep previous versions of files, so they can’t protect you from crypto-ransomware—your backups will also be infected. Consider storage snapshot backups that allow you to restore clean versions of files, applications or entire VMs from a specific point in time.

Don’t forget: make sure backups are regularly tested to ensure they’re recoverable in the event of a breach.


2: Harden and patch

Reducing the number of entry points and patching known vulnerabilities on every system will make it much harder for attackers to find a way in.

Hardening all external-facing systems will shrink your overall attack surface significantly by minimizing individual vulnerabilities.

Relying on users to patch endpoint systems themselves is a sure way to get breached. Instead, centralize patch management so you can ensure all updates are implemented as soon as they’re available. It’s a basic security best practice, but it’s a very effective way to stop the majority of attacks.


3: Manage access rights and isolate critical resources

As your business and your infrastructure grow, it creates a complex web of interconnections that can be difficult to see and control unless proper processes are in place.

Make sure access privileges are kept up to date, with users only ever having access to appropriate files and systems.

Also, configure access control lists on network shares. Crypto-ransomware only has rights to change files if the targeted user does, so the less critical data that’s susceptible, the better.

Another best practice for limiting your vulnerabilities is to use network segmentation to isolate critical resources from visibility to ransomware and similar attacks.

4: Train all staff

Ransomware attackers often use social engineering tactics to gain access to systems, so keeping everyone educated and up to date—from the boardroom to the shop floor—is critical.

Conduct regular training with all staff on identifying suspicious emails or web links and common scams, such as phishing, spearphishing and vishing. If everyone knows what to look out for, most attackers’ scamming attempts will come to nothing.


5: Use modern endpoint protection

Cognitive endpoint protection technology is a fundamental pillar of your cyber defenses, and you can’t rely on yesterday’s technology to keep you protected in a constantly changing threat landscape.

Modern endpoint protection—using the most advanced capabilities, continuously improved with the latest lessons from the field—can help limit the opportunities for attackers to get into your systems.

In the next section we’ll look at the questions you need to ask to ensure you get the most effective endpoint protection.

6: Do not turn off your advanced capabilities. Repeat: do not turn them off.

For your technology to continuously improve, you need to make sure it’s constantly receiving new detections and samples and always has the latest threat intelligence available to it.

It’s why cloud check-ups and behavioral scanning are so important. You might be switching these features off because of performance concerns or very strict policies around cloud technology. Unless you have an alternative way to acquire all that new intelligence, you’re always going to be too many steps behind your attackers.

In the interest of convenience it’s tempting to switch these features off, but they’re the only way to make sure your endpoint protection keeps improving to tackle emerging threats like ransomware.

Protection features are there for a reason. Find out why you shouldn’t turn them off.


PART III: WHAT TO LOOK FOR IN YOUR ENDPOINT PROTECTION

How to make the right choice

When you’re looking for more effective endpoint protection, you need to make your decision based on hard facts, not empty buzzwords. So be sure to ask these questions (and if your vendor can’t answer “Yes” to all of them, look for one that can):

Does your endpoint protection provide multi-layered security (not just a “silver bullet” approach)?
Can it ensure OS and third-party app patches are applied as soon as they’re available?
Can it detect new types of ransomware based on behavior?
Is it rated highly in independent tests for 0-day attack prevention?
Can it block the traffic between ransomware and C&C server based on server reputation?
Can it support all your endpoints—including mobile devices?
Is the threat intelligence gathered from the field credible and up to date?
Does the vendor use a cloud-based approach to continuously improve its tech with the very latest threat intelligence?
Does the vendor have an installation base big enough to gather meaningful threat intelligence?
Has the vendor been around long enough to have the volume/history required?
Does the vendor understand how hackers operate, what motivates them and what they’re after?
Does the vendor have the best cyber security talent on its team?

No single technology can give you a silver bullet in the fight against ransomware and other cyber threats. You need multi-layered protection that combines intelligent scanning with behavioral analysis and cloud integration for up-to-date threat intelligence. And it takes human expertise to understand attackers and defeat increasingly creative and sophisticated attacks.

Start today

Cyber security isn’t simple. And it’s not something you can ever call “done”. So unless you continuously improve your security capabilities, you won’t be able to protect your business against emerging threats like ransomware – and whatever comes next.

Whatever the size of your business, being aware of the risks and prepared to battle new threats is essential. And it all starts with effective, modern endpoint protection.

But remember: modernizing your endpoint protection is just the beginning. You need a holistic approach to cyber security that covers all the aspects of prediction, protection, detection, and response.

We hope the advice and exercises we’ve shared here have helped you scope out the size of your problems as well as shown you how to move forward.

Get started now—this is too important to wait.

LIVE SECURITY: A CONTINUOUSLY IMPROVING APPROACH

To deal with the relentless innovation in the threat landscape and your corporate infrastructure, you need to make sure your security technology is continuously improving.

Live Security is an approach to cyber security that uses the continuous influx of tactical threat intelligence from out in the field to constantly improve technology that can scale to protect all your endpoints.

Read our SlideShare to find out what it’s all about and why you should think seriously about it.


DISCOVER SMARTER ENDPOINT SECURITY

See what intelligent endpoint protection really looks like—and why the combination of man and machine is so vital for staying one step ahead of attackers.


WE’RE F-SECURE

Our elite team of battle-hardened cyber security experts constantly brings back new lessons learned on the frontline. We combine that expertise and insight with the latest threat intelligence to continuously improve our scalable software that predicts, prevents, detects and responds to attacks.

Subscribe to our monthly newsletter to get the latest from the frontlines of the industry.

Or better yet, if you’re looking for cyber security that always keeps you one step ahead, we should talk.

Sources

[1] https://business.f-secure.com/modern-endpoint-protection-is-smarter/
[2] https://techcrunch.com/2016/11/03/the-ransomware-dilemma/
[3] http://www.latimes.com/business/technology/la-me-ln-hollywood-hospital-bitcoin-20160217-story.html
[4] Verizon Data Breach Investigations Report 2016
[5] 2016 Cost of Data Center Outages, Ponemon Institute
[6] SANS Institute: State of Application Security Report 2015
[7] https://www.f-secure.com/en/web/press_global/news-clippings/-/journal_content/56/1075444/1346675?p_p_auth=ViFbkz5z&_ga=1.183236774.1099900845.1448947977