Continuous end-point visibility has a massive role to play in mature security programs, says John Mc Loughlin, MD of J2 Software.
Our customers with mature security programs have invested heavily in perimeter security, logging, and enhanced server / endpoint controls, and still see significant improvement in their security posture from the endpoint visibility and risk scoring delivered by Dtex’s SystemSkan.
I can provide some examples of customer findings in locked-down companies:
Misconfiguration and bypass
An expensive DLP system is installed, but SystemSkan still detects corporate data stored on removable media. This is a very common finding, usually due to the DLP system being improperly configured, a lenient exception process, or a failed deployment due to performance issues.
Some clients have set their Web filtering solution to block all non-work categories, but during our risk assessment we still find employees visiting “blocked” sites. This is usually because of improper configuration, a larger-than-needed population of people with exceptions, or employees who have figured out a way to bypass a Web filter.
Off-Network Visibility
During our risk assessments we often find that when employees take laptops home they visit and use risky Web sites and will often be downloading risky files/applications. This then causes major risk because when these machines are brought back into the corporate network all malware which was downloaded is now inside the firewall.
Determining intent
Employees who maliciously exfiltrate sensitive data will take multiple steps to cover their tracks. Each step, if viewed alone in a siloed security system, appears innocuous. But putting the story together from the endpoint shows clear intent.
Let’s go through a common example: (1) employee searches for “how to encrypt and rename a zip file” online, (2) copies an unusual number of files to their endpoint device, (3) splits them up, zips, and encrypts them, (4) renames them, and (5) e-mails them to a personal address. This sequence is impossible to piece together from disparate security systems. Dtex’s SystemSkan gives you this view instantly.
Cloud services
While corporate Web filters typically block cloud services like file sharing and personal Web mail, employees still use these services when they’re off the corporate network. Dtex provides visibility into what they upload and download.
Also, every company has a list of users who are partially or entirely exempt from the restrictions on using cloud services. Dtex provides visibility into their activity and alerts security if someone is abusing their privileges.
Super users and admin rights
Super users tend to have the fewest security controls in place, even in organisations that have partial or full deployments of privileged account management
Dtex provides visibility into all super user activity, and helps enterprises to understand where controls need to be tightened vs. where they can be relaxed.
Some customers find that the enhanced visibility provided by Dtex allows them provide super user and admin rights to more users, increasing efficiency and trust.
Data-driven prioritisation
Historically, it’s been difficult to measure the effects of security training. Dtex customers use endpoint visibility to objectively measure behavioural changes, and make corrections as needed.
Similarly, customers use Dtex to quantify when new security controls are needed vs. more basic remediation steps. For example, typically only 1.7% of employees use pirated media and applications. With this data-driven visibility, a company can make a risk-based decision about whether to implement application whitelisting or simply keep a closer eye on this small population.
Privacy
HR, Legal, and Privacy departments often raise concerns about monitoring endpoints, especially from an employee privacy perspective. Dtex’s anonymisation process and strong insider-focused heritage maintains employee privacy. Users can be “demasked” only once there is legitimate suspicion of wrong-doing.
In the modern technologically driven world we work in, we no longer can use the excuse that we didn’t know what was happening! New laws and compliance codes makes it an obligation to know what is really happening with your machines, information and systems.
This is why it is vital that you get the unique user visibility offered by Dtex Systems’ SystemSkan. I am often asked ‘where do we start?’ and my answer is really simple: “Just start somewhere. Every step taken to secure your internal environment is a good step.”
Make sure that you get the capability to have total end user visibility – whether that user in on the network or not. You cannot measure what you cannot see – so total end-point visibility is key.
In order to further strengthen your mature security program – you must know what is happening with your internal, trusted users. Understanding how the users are actually using their machines, the data they are actually accessing and how they move it around will give you the information you need to make better decisions, ensure policy compliance, reduce risk and cut costs.