Businesses today invest heavily in security technology in an effort to protect the most vulnerable aspects of their IT infrastructure – the endpoints and end-user devices – and to enforce corporate security policies and standards.
According to a survey we carried out recently with IT security professionals, more than half (58%) of enterprise security is currently focused around ways of preventing threats, comprising solutions such as enterprise firewalls, intrusion prevention systems and endpoint anti-malware systems.
However, a recent report from Gartner predicts that advanced targeted attacks are set to render such prevention-centric security strategies obsolete over the next five to six years. The report posits that by 2020 the BYO culture and the rise of the Internet of Things (IoT) means enterprise IT departments will no longer own the devices connected to their infrastructure. Indeed, in the case of cloud services in particular, they may no longer have control over the network itself, or the servers, OS or applications being employed by the end-users.
Vulnerabilities and weak points
As a result, enterprise IT systems will constantly find themselves open to compromise, unable to adequately prevent advanced targeted attacks from finding their way into the infrastructure. The rise in advanced persistent threats (APTs) presents an additional challenge: having made their way into the infrastructure, they remain there undetected while carrying out their nefarious purposes.
Businesses are beginning to realize that they need to better understand the vulnerable points in their IT environment in order to tighten security measures against an increasing number of aggressive targeted attacks. Sophisticated APT and malware attacks highlight the fact that employee-related endpoints are the weakest points in an organization’s IT perimeter; areas of vulnerability that represent the greatest risks to security.
Picture the enterprise as a house, with traditional prevention-centric security strategies blocking access via typical entry points, its doors and windows. The explosion in additional endpoints that BYO and the IoT represent will significantly increase the number of these potential entry points, and thus reduce the effectiveness of any pure prevention-centric strategies.
Visibility across the IT infrastructure
To ensure better protection from those threats that exploit this wealth of entry points, organizations require clear visibility of what’s occurring across the entire IT infrastructure, including each endpoint.
There are many technologies and solutions that can – and should – be integrated to achieve greater levels of IT security for a business including, importantly, the ability to monitor and analyze actions carried out by all endpoints and end-users across the IT infrastructure.
To return to the house analogy, businesses require a security camera in order to monitor any unusual activity taking place right around the house’s perimeter.
One means of visualizing an organization’s IT infrastructure and its endpoints is through the use of IT Operations Analytics, or ITOA, a form of real-time analytics recently identified as an emerging sector by Gartner. ITOA solutions employ advanced analytics to harness and process vast volumes of highly diverse data from the various applications and endpoints across an organization’s IT infrastructure.
As a result, attacks can be detected early enough for IT security teams to be able to react and prevent them from spreading, which, according to our survey, is something that only a fifth (19.8%) of security teams are currently able to do.
Visibility in context
Working on the assumption that, certainly by 2020 as suggested by Gartner, enterprise IT systems will be compromised by advanced targeted threats, there is a clear need for security solutions to move more toward the perimeters, with a greater focus on context.
ITOA can be used to detect the presence of increasingly sophisticated threats such as signatureless APTs by recognizing anomalies in the behavior of users and devices, identifying deviations from normal behavior as being potentially malicious activity.
Once a baseline of user behavior has been established, ongoing access and activity can then be monitored and analyzed in real time. From the analysis, behavioral anomalies in areas such as frequency of access and the amount and type of information downloaded can be identified as being indicative of malicious intent.
Identifying and isolating
Having identified anomalous behavior, it is then possible to isolate the affected endpoint. In the case of a user’s system, ITOA can monitor what it is running, along with any recent interactions the user and their system may have had with content, executables and enterprise systems. Rather than taking a snapshot of a particular point in time, this form of monitoring returns information more akin to a moving film, providing the security team with visibility of what occurred – in a useful context.
As and when a breach occurs, this data can be used to glean a clearer insight into other users who may have also been targeted and which systems were affected and, from there, to take the appropriate remedial actions.
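The two steps described above – establishing a per-user baseline of access frequency and download volume, flagging days that deviate from it, and then pivoting from the flagged endpoint to other users who touched the same resources – can be sketched in a few dozen lines. The following is an added illustration written for this article, not code from any ITOA product; the log format, user names, resources and byte counts are all constructed, and the z-score threshold of 3 is an assumed starting point that a real deployment would tune.

```python
"""Baseline-and-deviation detection over constructed endpoint access logs."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample access log (not from any real system). Each line is
# "<ISO timestamp> <user> <action> <resource> <bytes>".
BASELINE_LINES = []
for day in range(1, 6):                      # five "normal" days per user
    for hour in (9, 11, 14, 16):
        BASELINE_LINES.append(f"2024-03-0{day}T{hour:02d}:00:00 alice GET /docs/handbook.pdf 200000")
        BASELINE_LINES.append(f"2024-03-0{day}T{hour:02d}:30:00 bob GET /docs/handbook.pdf 200000")
    BASELINE_LINES.append(f"2024-03-0{day}T10:00:00 carol GET /finance/ledger.xlsx 50000")

# Day under observation (also constructed): alice pulls far more data, far
# more often, from a finance share she never touched before; bob behaves as
# usual; carol touches that share once, as she does every day.
OBSERVED_LINES = (
    [f"2024-03-06T{2 + i:02d}:00:00 alice GET /finance/ledger.xlsx 5000000" for i in range(20)]
    + [f"2024-03-06T{h:02d}:30:00 bob GET /docs/handbook.pdf 200000" for h in (9, 11, 14, 16)]
    + ["2024-03-06T10:00:00 carol GET /finance/ledger.xlsx 50000"]
)


def parse(line):
    ts, user, action, resource, nbytes = line.split()
    return {"day": ts[:10], "user": user, "action": action,
            "resource": resource, "bytes": int(nbytes)}


def daily_totals(events):
    """user -> day -> [access count, bytes downloaded]."""
    totals = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for e in events:
        t = totals[e["user"]][e["day"]]
        t[0] += 1
        t[1] += e["bytes"]
    return totals


def _stats(values):
    m = mean(values)
    # Floor the spread so a perfectly regular baseline does not divide by zero
    # and a single extra access does not count as a 1000-sigma event.
    return m, max(pstdev(values), 0.1 * m, 1.0)


def build_baseline(events):
    """Per user: (mean, spread) of daily access count and daily bytes."""
    return {user: {"count": _stats([c for c, _ in days.values()]),
                   "bytes": _stats([b for _, b in days.values()])}
            for user, days in daily_totals(events).items()}


def score_day(baseline, events, threshold=3.0):
    """Return {user: {"count": z, "bytes": z}} for users whose day deviates."""
    flagged = {}
    for user, days in daily_totals(events).items():
        if user not in baseline:
            # Never seen before: nothing to compare against, so surface for review.
            flagged[user] = {"count": float("inf"), "bytes": float("inf")}
            continue
        for count, nbytes in days.values():
            z = {k: (v - baseline[user][k][0]) / baseline[user][k][1]
                 for k, v in (("count", count), ("bytes", nbytes))}
            if max(z.values()) >= threshold:
                flagged[user] = z
    return flagged


def pivot(events, user):
    """Other users who touched, on the same day, the resources the flagged user touched."""
    touched = {(e["day"], e["resource"]) for e in events if e["user"] == user}
    others = defaultdict(set)
    for e in events:
        if e["user"] != user and (e["day"], e["resource"]) in touched:
            others[e["resource"]].add(e["user"])
    return {r: sorted(u) for r, u in others.items()}


def run():
    baseline = build_baseline(parse(l) for l in BASELINE_LINES)
    observed = [parse(l) for l in OBSERVED_LINES]
    flagged = score_day(baseline, observed)
    related = {u: pivot(observed, u) for u in flagged}
    return flagged, related


if __name__ == "__main__":
    flagged, related = run()
    for user, z in flagged.items():
        print(f"{user}: count z={z['count']:.1f}, bytes z={z['bytes']:.1f}; also touched by {related[user]}")
```

Only alice is flagged (about 16 standard deviations above her usual access count and far more on volume), and the pivot shows that carol touched the same ledger that day; carol is not anomalous herself, but she is exactly the "other user who may have also been targeted" that the analyst wants to look at next.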
By using ITOA, businesses can be proactive in detecting abnormal activities across their IT infrastructure and all connected endpoints, allowing them to enforce security compliance standards at all times by using the constantly available real-time, accurate information.
Businesses, particularly those that find themselves subject to APTs and are potential targets for motivated hackers, must take the precautions necessary to protect their technical estate. Using real-time ITOA as a security measure will play a crucial part in helping businesses add an additional layer of protection against threats to their infrastructure, endpoints and end-users.