Endpoint Security Fundamentals

Can anyone guess how most security incidents start? Or at least which layer is the easiest one to get through?

raises hand - The end user?

Correct!

According to CrowdStrike, the most common cyber attack is malware, which is really an umbrella term covering several things that we'll get to a bit later in this blog.

Endpoints

Endpoints are any hardware the end user works on (PCs, laptops, mobile devices, etc.). They are absolutely critical to any organization and often hold highly sensitive data. Protecting endpoints has evolved a lot over the last few years, but the piece of software closest to the user, helping them fend off malicious actors, is still antivirus, and, depending on the organization, anti-spyware software too.

So what is antivirus or anti-spyware software trying to catch? Remember the umbrella term malware from earlier? Exactly that. Well, what is malware exactly? Malware is an umbrella term for malicious or unwanted software. Let's break a few of the categories down, shall we?

Depending on who you talk to, adware and spyware are broken out into their own categories. Adware is created to deliver you... you guessed it, unwanted ads! Spyware, on the other hand, gathers information about users and often tracks their habits; the most malicious spyware logs keystrokes and harvests credit card details. Ransomware, such as WannaCry, blocks access to endpoints or to specific files and demands money to unlock them. Viruses are also a very popular attack mechanism: they remain inactive until the infected file is executed, at which point they replicate into other files and onto other machines (local or remote). Viruses can also damage the infected endpoint, deleting files, degrading performance, and so on. Worms are basically self-replicating viruses that need no user action at all; they spread by exploiting vulnerabilities in operating systems and the services they expose. Lastly under the malware umbrella is the Trojan. Trojans are non-replicating software that masquerades as a legitimate program and is commonly used to plant a backdoor.

Whew, that's a mouthful! Swinging back to the antivirus program installed on your org's endpoints: each product handles detection a little differently, but most rely on two things, signatures and heuristics. Signatures are patterns of known threats (file hashes, byte sequences) kept in a centrally maintained database that the antivirus program references. The one downside is that a signature can only match what has already been catalogued: for the antivirus program to detect something this way, it has to be in the signature database, so signatures don't protect against zero-day or otherwise unpublished attacks. Heuristics judge a file by what it looks like and, more importantly, by what it does. The engine can run suspicious code in a sandbox and watch it; if the code starts behaving maliciously (encrypting files en masse, hooking the keyboard, disabling protections), it gets classified as malware even though no signature exists yet. That's what lets heuristics catch some of the zero-day attacks we spoke about earlier, at the cost of the occasional false positive.
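The two detection approaches side by side, as an added example that is not part of the original post or any vendor's engine. It assumes a tiny hand-built signature database (hashes and byte patterns) and a sandbox that hands back a list of behaviour events; the EICAR test string is the real, harmless industry test file, while every other sample, hash and event trace is constructed for the demo, and the rule weights and threshold are arbitrary.

```python
"""Signature vs. heuristic (behavioural) detection, side by side.

Added illustration for this post; not code from the original page or
from any antivirus vendor. The EICAR string is the real, harmless
industry test file; every other sample, hash and behaviour trace below
is constructed for the demo, and the weights/threshold are arbitrary.
"""
import hashlib
from typing import Callable, Dict, List, Optional, Tuple

Event = Dict[str, object]

EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
KNOWN_DROPPER = b"MZ\x90\x00demo-dropper-v1"  # constructed "known bad" file


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# --- Signatures: exact hashes and byte patterns of *already known* malware ---
HASH_SIGNATURES: Dict[str, str] = {
    sha256_hex(EICAR): "EICAR-Test-File",
    sha256_hex(KNOWN_DROPPER): "Demo.Dropper.A",  # constructed
}
PATTERN_SIGNATURES: Dict[str, bytes] = {
    "EICAR-Test-File": b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE",
    "Demo.Ransom.Note": b"YOUR FILES HAVE BEEN ENCRYPTED",  # constructed
}


def signature_scan(sample: bytes) -> Optional[str]:
    """Return the signature name if the file matches a known hash or byte pattern."""
    name = HASH_SIGNATURES.get(sha256_hex(sample))
    if name:
        return name
    for name, pattern in PATTERN_SIGNATURES.items():
        if pattern in sample:
            return name
    return None


# --- Heuristics: score what the sample *does* when run in a sandbox ---
# Each rule is (name, weight, predicate over one behaviour event).
HEURISTIC_RULES: List[Tuple[str, int, Callable[[Event], bool]]] = [
    ("deletes-shadow-copies", 40,
     lambda e: e["type"] == "process" and "vssadmin" in str(e["detail"]).lower()
     and "delete shadows" in str(e["detail"]).lower()),
    ("mass-file-rewrite", 30,
     lambda e: e["type"] == "file_write_burst" and int(e["count"]) >= 100),
    ("disables-realtime-av", 25,
     lambda e: e["type"] == "process"
     and "disablerealtimemonitoring" in str(e["detail"]).lower()),
    ("keyboard-hook", 30,
     lambda e: e["type"] == "api_call" and "WH_KEYBOARD_LL" in str(e["detail"])),
    ("run-key-persistence", 15,
     lambda e: e["type"] == "registry_set"
     and "\\currentversion\\run" in str(e["detail"]).lower()),
]
THRESHOLD = 50  # one weak indicator (e.g. a Run key) is not enough on its own


def heuristic_scan(events: List[Event]) -> Tuple[int, List[str]]:
    """Sum the weights of every rule that fires at least once in the trace."""
    score, hits = 0, []
    for name, weight, matches in HEURISTIC_RULES:
        if any(matches(e) for e in events):
            score += weight
            hits.append(name)
    return score, hits


def classify(sample: bytes, events: List[Event]) -> Dict[str, object]:
    """Combined verdict: any signature hit, or a heuristic score over threshold."""
    sig = signature_scan(sample)
    score, hits = heuristic_scan(events)
    verdict = "malicious" if sig or score >= THRESHOLD else "clean"
    return {"signature": sig, "score": score, "hits": hits, "verdict": verdict}


# Constructed sandbox traces.
RANSOM_TRACE: List[Event] = [
    {"type": "process", "detail": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "file_write_burst", "count": 1200},
    {"type": "registry_set", "detail": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd"},
]
INSTALLER_TRACE: List[Event] = [
    {"type": "file_write_burst", "count": 40},
    {"type": "registry_set", "detail": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"},
]

if __name__ == "__main__":
    # Known file: caught by hash/pattern even with an empty behaviour trace.
    print(classify(EICAR, []))
    # Repacked dropper: one appended byte defeats the hash; only behaviour catches it.
    print(classify(KNOWN_DROPPER + b"\x00", RANSOM_TRACE))
    # Unknown ("zero-day") sample with no signature but ransomware behaviour.
    print(classify(b"MZ\x90\x00never-seen-before", RANSOM_TRACE))
    # Legitimate installer: one weak indicator, stays below the threshold.
    print(classify(b"MZ\x90\x00setup", INSTALLER_TRACE))
```

Run it and watch the second case: appending a single byte to a known dropper changes its hash, so the signature check misses it, yet its behaviour scores exactly the same as the never-seen sample. That is the gap signatures leave and heuristics fill. The installer case shows why the threshold matters: a lone Run-key write is also what legitimate updaters do, and flagging it alone would be the kind of false positive that gets heuristics switched off.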

At the risk of sounding obvious, antivirus software (and its signature database) should be kept up to date. Over the last few years, most modern operating systems have shipped with a personal (host-based) firewall built in. Again, obviously, a personal firewall only protects the machine it's installed on, and that is exactly why it matters most for mobile devices and VPN users: those endpoints regularly sit outside the corporate perimeter firewall, so the host firewall is the only one they have.

Cisco AMP (Advanced Malware Protection) offers protection before, during, and after an attack. Before: file fingerprints (hashes) are sent to the Cisco SIO cloud for reputation analysis. During: unknown, potentially harmful files get real-time analysis. After: there's continuous, retrospective analysis of the traffic that was allowed in and out of the network, so a file that is later found to be malicious can still be flagged. Sound cool? How do we deploy Cisco AMP? It runs on Cisco Firepower firewalls and ISR routers, and ESA or WSA integration is an option as well. PS. If you're not familiar with ESA or WSA, check out this blog. AMP is also available for endpoints (Windows, Mac, Linux, and mobile connectors), and as an endpoint agent it is considered a host-based IPS (HIPS). The other piece of endpoint protection, hardware or software encryption, is up next. P.P.S. If you're not familiar with HIPS, check out this blog here.

To wrap up this blog, let's talk a little encryption from an endpoint perspective. Encryption can protect individual files or entire hard drives/disks (full-disk encryption). It is especially important for mobile users: a lost or stolen laptop with an encrypted disk is a hardware loss, not a data breach. Encryption keys (and recovery keys) should be properly stored and archived, because losing a key equates to losing the data. As far as options go, most OSes have built-in utilities (FileVault on macOS, BitLocker on Windows), and third-party options include file-encryption tools and self-encrypting USB drives.

We have reached the end! In this blog, we talked all about endpoint security. We touched on antivirus/antimalware and how they protect our endpoints and assets, on Cisco AMP, and on the actual encryption of data on endpoints. Did I miss anything? What would you add? Leave me a comment below!
