With the recent vast increase in the need for remote workplaces and the resulting expansion of the potential attack field, it’s even more important to build your own Fort Knox to provide environment-wide security. Using the right tools in the right way reduces the likelihood of attacks on remote workers and their connections to your environment.
The infosec industry has been buzzing lately about the MITRE ATT&CK chain, its capabilities, and how it can be added to an engineer’s toolkit to further secure environments. The MITRE ATT&CK framework is a leading-edge concept and toolkit that security engineers and threat hunters use to find and prevent techniques that attackers leverage when attempting to compromise environments.
With the MITRE ATT&CK chain in mind, Symantec’s threat hunter team continually develops new techniques and tools for securing environments—from the point of infiltration, to recon and exfiltration operations. One such tool is Symantec Endpoint Security (SES) Complete, the fully cloud-managed version of Symantec Endpoint Protection (SEP) that delivers multilayer protection to stop threats, regardless of how they attack your endpoints.
The Components of Effective Attack Prevention Strategies
Any effective attack prevention solution employs breach prevention strategies such as firewalls and intrusion prevention to harden a network’s entry points, Download Insight to prevent downloads of malicious packages, and device control to protect against malicious USB, disc, and other hardware exploitation techniques. IPS running in user space covers browser exploitation by preventing redirection and hijacking, further hardening potential entry points. SES anti-malware checks the data coming into the system to block the infection of files.
When an attacker or malicious payload infiltrates the environment and lands on a system, anti-malware, blacklisting, Symantec Online Network for Advanced Response (SONAR), behavioral isolation, memory exploit mitigation (MEM), advanced machine learning (AML), and intelligent threat cloud service (ITCS) prevent attack execution. At the forefront, anti-malware and blacklisting stop known suspected threats at the source, customizing and updating hash values for future blacklisting. SONAR’s behavioral analysis and heuristic functions flag and isolate potentially malicious behavior even before it’s identified by signature or hash as a known threat. Behavioral isolation steps in to prevent malicious files and packages from acting beyond intended functions, such as executing embedded scripts in Word documents or PDFs. MEM prevents unknown or unwanted packages from modifying, accessing, or manipulating the memory space, a common attack performed by ransomware and other malware.
For more exotic threats, AML looks at questionable behaviors and, based on the characteristics of the behavior, makes the call as to whether to deny the new threat. ITCS supplements the SES client with cloud lookup, which is more efficient and more up to date and leaves a smaller footprint on the endpoint. This reduces the definition size on clients with limited or no internet access. It also deepens your defense against attack execution if a threat is so new that anti-malware, blacklisting, and AML have not identified it. In that case, the client can reach out to the ITCS platform for lesser-known or rare threat information and block the action once it is identified by ITCS-provided info.
To prevent attackers from remaining on a compromised system, organizations should evaluate solutions that utilize sector-level anti-malware scanning, continuously updated real-time protection, and early launch anti-malware (ELAM). These features make lingering difficult and treacherous, leading to demotivation to re-attack the environment.
When an attacker gains a foothold in the environment, it’s important to combat privilege escalation and lateral movement. Threat detection for Active Directory (TDAD) can prevent recon and movement across credential sets with deception and obfuscation, and it provides reports and alarms when illegitimate credential access attempts occur. In addition to TDAD, anti-malware and SONAR back up the environment with heuristic analysis, execution sandboxing, and execution prevention to contain the attacker.
If, by some stroke of luck, an attacker survives in an environment long enough to retrieve target data, the right tools can keep them from exfiltrating that payload. For example, device control, IPS, and firewalls prevent the removal of data by physical and network means. Anti-malware and blacklisting policies can prevent script executions that could automate exfiltration. These components, along with memory execution protections, guard against data corruption and destruction via common attack techniques like ransomware. Whitelist capabilities can tune out false positives, removing noise from alerts and logs, which makes them more relevant and actionable.
Many organizations supplement attack prevention strategies with reporting and alerting capabilities that react to and remediate attacks and help prevent future ones, including threat hunting with AML, which suggests techniques for finding weaknesses that aren’t otherwise readily visible.
When cybersecurity is further complicated by a workforce distributed by disruption rather than by planned strategic action, routine tasks give way to complex challenges. Even if the acute onset of remote work had not occurred, we can be sure that another event will come along to test our security resources and resilience. A comprehensive solution like Symantec SES features all of the components I’ve discussed here and includes a shared management console and a shared client. Not only that: the Symantec SOC works 24x7 to detect unseen attacks and suspicious behaviors and uses that information to help better protect client environments. Such a solution can leverage insights provided by the MITRE ATT&CK chain to make your environment as secure as Fort Knox—and provide peace of mind.
My recommendation for considering SES in your environment is to start by comparing the data sheets for your existing security platform with those for SES. Available white papers do a great job of explaining what SES Complete can do in an easily comparable fashion. Given the time and budget, a formal assessment and design plan would be extremely beneficial. Also, consider getting an objective perspective from someone with the experience and skills to shed more light on how SES can help improve the performance and strength of your security platform. A pilot or proof of concept (POC), leveraging a consultant with the right expertise, can show both you and your organization’s management the benefits of adopting the right attack prevention strategies and solutions.
About Enterprise Studio
Enterprise Studio by HCL Technologies helps organizations make the connections between IT and business that optimize time and multiply value for realizing the full potential of their digital business plans. Our seasoned technologists, coaches, and educators can help you unlock value from existing IT investments to become a stronger, more adaptive organization – in part by leveraging a BizOps approach so that IT outputs are strongly linked to business outcomes.
Whether you’re an established Global 500 company or a new disruptive force in your industry, we can help you navigate the complexities that come with competing in an interconnected digital era. We are a global solution provider and Tier 1 global value-added reseller of Broadcom CA Technologies and Symantec enterprise software.
Many of our experts at Enterprise Studio are from the former professional services units of CA Technologies and Symantec. For decades, our teams have supported and led organizations to innovation with powerful enterprise software solutions and cutting-edge methodologies – from business and agile management to security, DevOps, AIOps, and automation.