Security: 5 tips for protecting your workstations
Author: Mark Johnson, Presales Engineer at Stormshield
Securing workstations is a never-ending task. With an increasingly digital economy and ever-more mobile workstations, even the smallest vulnerability can be catastrophic when exploited. However, security methods and solutions are adapting to these new constraints.
Discover the source of the infection as early as possible
An attacker’s main goal is to seize sensitive personal, industrial or commercial data, encrypt it and demand a ransom, publish it or disrupt the company’s production. This is achieved by finding “points of entry”, which are often user machines. Once compromised – even without elevated privileges – the attacker is then able to penetrate deeper into the system.
To achieve this, attackers exploit either human vulnerabilities, with increasingly targeted phishing (“spear phishing”), or vulnerabilities in poorly protected systems: RDP servers exposed on the Internet, unpatched applications, etc. To ensure attackers cannot gain deeper access to the system, it is important to identify these attacks as soon as they occur, stopping the malicious processes and immediately preventing their propagation from the machine or application in question.
Tailor the protection level to the environment
Ensuring workstation safety was already a big enough ask on-site at the company’s own premises. With the proliferation of laptops – and more importantly, with the mobility issues specific to each organisation – the task has become an even more complex one.
Therefore, the protection afforded to workstations can no longer be static, but must instead become dynamic, depending on the context and the various mobility scenarios within the organisation. This means, for example, controlling authorised WiFi networks, disabling them when a LAN connection is available, or – in cases where a VPN is active – preventing any connection other than the VPN (to avoid smurf attacks).
Focus protection on the agent, using a behavioural philosophy
It is always simpler and less risky to identify a malicious element at the point of entry (workstation or server), before it has a chance to spread, and to block its activities immediately. This is the purpose of a workstation protection system. Traditional signature-based antivirus software is not sufficient to counter ransomware, which is becoming increasingly sophisticated: an unknown zero-day attack has no signature yet, so it simply cannot be detected immediately.
To overcome this deficiency, behavioural HIPS bases its analyses on the “normal” behaviour of a host or its applications. If suspicious activity is detected in legitimate applications, the system immediately raises an alert (or immediately blocks the activities in question), to limit the risks of propagation. Although a little more complex to implement, it is easily tailored to any type of organisation, and will be able to counter unknown Zero-Day attacks.
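To make the behavioural approach concrete, here is an added example (not Stormshield's code) of a toy behavioural HIPS: it learns, from constructed "normal" process events, what each application usually does and at what rate, then flags a legitimate application that starts doing something it has never done, or does something far more often than its baseline peak. Event lines, process names and thresholds are all assumed for illustration.

```python
"""Toy behavioural HIPS: learn per-application baselines, flag deviations.
All event data below is constructed for the example."""
from collections import Counter, defaultdict

# Event format (assumed): "<epoch_seconds> <process> <action> <target>"
BASELINE_EVENTS = """\
100 winword.exe file_write C:/Users/a/report.docx
101 winword.exe file_write C:/Users/a/~$report.docx
160 winword.exe file_write C:/Users/a/notes.docx
162 chrome.exe net_connect 203.0.113.10:443
163 chrome.exe file_write C:/Users/a/Downloads/x.pdf
""".splitlines()

# Word suddenly spawns a shell and mass-writes renamed files: ransomware-like.
SUSPECT_EVENTS = """\
500 winword.exe proc_spawn powershell.exe
501 winword.exe file_write C:/Users/a/a.docx.locked
501 winword.exe file_write C:/Users/a/b.docx.locked
502 winword.exe file_write C:/Users/a/c.docx.locked
502 winword.exe file_write C:/Users/a/d.docx.locked
503 winword.exe file_write C:/Users/a/e.docx.locked
530 chrome.exe net_connect 203.0.113.10:443
""".splitlines()

WINDOW = 60  # seconds per rate bucket

def parse(lines):
    return [(int(ts), proc, act, tgt)
            for ts, proc, act, tgt in (l.split(maxsplit=3) for l in lines)]

def rates_per_window(events):
    """{process: {action: max count seen in any WINDOW-second bucket}}."""
    buckets = defaultdict(Counter)  # (proc, bucket) -> Counter(action)
    for ts, proc, act, _ in events:
        buckets[(proc, ts // WINDOW)][act] += 1
    profile = defaultdict(Counter)
    for (proc, _), counts in buckets.items():
        for act, n in counts.items():
            profile[proc][act] = max(profile[proc][act], n)
    return profile

def learn_baseline(lines):
    return rates_per_window(parse(lines))

def detect(baseline, lines, tolerance=2):
    """Alert on actions unknown for that app (or an unknown app), or on a
    rate above tolerance x the baseline peak for that app and action."""
    alerts = []
    for proc, counts in rates_per_window(parse(lines)).items():
        known = baseline.get(proc)
        for act, n in counts.items():
            if known is None or act not in known:
                alerts.append((proc, act, "never seen in baseline"))
            elif n > tolerance * known[act]:
                alerts.append((proc, act, f"{n}/window vs baseline peak {known[act]}"))
    return sorted(alerts)
```

A real agent would act on such alerts by suspending the process rather than only reporting, and would learn its baseline over far more than a handful of events.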
Proactively block attacks and predict future attacks
Knowing how to interrupt an attack – whether known or unknown – is of course essential. But to take things a step further, we also need to learn from these attacks, so that we can more easily prevent them in the future. This is one of the roles that can be attributed to Endpoint Detection & Response (EDR) solutions: in addition to immediate response, inspection of their logs makes it possible – after in-depth analysis – to improve the solutions’ effectiveness in searching for attacks.
Two approaches are possible in this respect. The cloud-focused approach relies on feedback from a thin client deployed on each workstation, delivering all the promise of artificial intelligence, yet still requiring workstations to be connected.
In contrast, a standalone agent-based solution provides proactive real-time protection for each endpoint, while providing information to enable further analysis of the attack. Third-party systems will then be able to take account of these events, correlating them in an artificial intelligence context.
Ensure the security of the protection system itself
A cyberattacker’s main target is corporate data, but organisations’ security systems themselves are also prime targets.
After all, if attackers manage to disable the protections – or worse, use the escalated account privileges of these solutions – the door to the information system is wide open to them. As with the deployment of any hardware or application, the aim is to limit the risk of a bug or the appearance of a vulnerability wherever possible, delivering a hardened and effective configuration by default, because of the attack surface that these solutions represent.
With escalated privileges, the attack surface presented by protection systems remains relatively broad. A “Security by Design” approach to their development should therefore be encouraged.