Endpoint Modeling: Automatic, Noise-Free Security

Written by

The arms race in information security picked up speed in 2016. The past year, I saw an escalating series of increasingly diverse cyber-attacks, ranging from breaches of proprietary data to politically motivated theft of emails to an Internet of Things-based DDoS (distributed denial of service) attack.

The ground keeps shifting beneath the feet of IT and security professionals; due to the fact that the boundaries of computing as an activity are also expanding. Fast-moving trends such as the move to public-cloud environments, increasing levels of network- traffic encryption, BYOD, and Internet of Things connections can leave anyone responsible for securing IT resources, feeling that they’re always one step behind their adversaries.

New challenges call for new solutions. One new class of solution has rapidly gained acceptance and use in the past year, because it addresses network vulnerabilities in ways that conventional security tools simply cannot. This advanced-threat detection solution, which complements but significantly extends an organization’s security portfolio, is endpoint modeling.

Endpoint modeling automatically discovers each device that is on your network; creates a software-based model of that device’s usual behavior; continuously monitors the behavior of the device over time, identifies any deviations from the model; and when an exception occurs, generates a near-real-time, actionable alert for your security analyst(s), so that your organization can respond to a potential threat. Endpoint modeling works out-of-the-box, without requiring any input or configuration for users in order to operate.

Most importantly, by maintaining an up-to-date context of each device’s type, and its history of behavior and interactions, endpoint modeling generates genuinely helpful alerts without generating noise.

For example, wouldn’t you like to know when a device - with a history of strictly local use - accesses the internet for the first time? When a domain controller makes use of a Google form? Or when a local (but networked) printer suddenly behaves like a web server, serving remote clients? These and countless other “anomalies” in an organization’s network are systematically tracked, identified, and reported noiselessly by an endpoint-modeling solution.

The advantages that endpoint modeling offers over conventional security tools are worth noting. Most importantly, it provides a higher degree of visibility into what’s happening on a network in real time. It can discover problems or threats that were previously unknown to the network’s guardians because it is not dependent on recognizing threat “signatures.”

Instead, it is able to mitigate the impact of end-to-end encryption, not by packet inspection, but by tracking the behavior of users and devices that employ encryption. It generates no more alerts than are required to accurately report on a network’s activity, and minimizes false alarms. It is also platform-agnostic, working equally well on legacy (on-premise) networks, public-cloud environments such as Amazon Web Services and Microsoft Azure, and hybrid infrastructures that combine legacy and cloud.

In fact, endpoint modeling can be especially useful to organizations making the shift from legacy architectures to public-cloud architectures. In many cases, their environment comprise a combination of special-purpose infrastructure (e.g., manufacturing or sensor systems), legacy datacenters (both physical and virtual), geographically diverse office networks, and the public cloud – and the sheer diversity of the environment makes it hard to protect.

Endpoint modeling can integrate threat detection across all environments and present it as a unified portal, making protection much simpler.

What’s hot on Infosecurity Magazine?