Endpoint detection and response (EDR) has demonstrated clear value in protecting endpoints, and in many ways provides unique visibility into local processes. However, customers and prospects tell us their EDR coverage on endpoints is in the range of 60-70%. In other words, 30-40% of devices are out of their control.
Out-of-control devices fall into a few different categories:
- Traditional. This includes network gear like routers and switches that will never support agents and you know will always be out of control.
- Digital transformation driven. Next are the rapidly expanding number of devices and systems that are now attaching to network infrastructure, including Internet of Things (IoT) and operational technology (OT) devices like video surveillance systems, HVAC systems, and supervisory control and data acquisition (SCADA) systems. Any appliance that can’t support an agent for whatever reason can be hijacked and taken advantage of as an entryway to launch attacks.
- Rogue. Finally, there are devices people bring into your infrastructure without your knowledge. They may have added the device as a function of their job and simply forgot to add an EDR agent to it. Or perhaps they spun up a new service in the cloud but didn’t use the approved automation that adds all your infosec tools to it. However, sometimes a rogue device is plugged into the network for nefarious purposes – to conduct reconnaissance and serve as a jumping off point for a data breach or disruption.
Not only are we blind to many of the devices currently connected to our networks, and to the new devices being added every day, but we are also blind to what those devices are doing. Many organizations have governance practices and policies that specify acceptable behavior. So we often end up with a gap in visibility between what we think is happening and what is actually happening and, on top of that, a gap in capabilities to easily tell whether that behavior is acceptable or something potentially malicious that needs immediate attention.
Cast a light on shadow areas
We live in a world rife with stories of malware living inside an organization's infrastructure for months before it's caught. Meanwhile, data has been exfiltrated, because the malicious activity happens in the shadows of the network where attackers can hide and do their work mostly undetected.
So, the first step to rein in out-of-control devices is to gain visibility into what's happening on the network. However, in today's dispersed, ephemeral, encrypted, and diverse (DEED) environments, shadow areas are everywhere, so it's incredibly difficult to gain network visibility relying on conventional tools. Instead of finding one spot to monitor and capture packets, there are dozens, if not hundreds, of spots. Full packet capture with deep packet inspection (DPI) becomes extremely complex to manage and drives costs through the roof. That's where metadata comes in, allowing you to cast a light on shadow areas you can't afford to ignore. Metadata in the form of flow data (NetFlow, IPFIX, sFlow, and cloud flow logs) provides a passive and agentless approach to network traffic visibility across multi-cloud, on-premises, and hybrid environments, covering every IP address and every device, whether or not it can run an agent.
Context comes next
We also need capabilities to meld visibility with context for governance, because even when you can see what is happening on the network, you still need context to understand what that traffic means. For instance, you might see a host sweeping your network with a port scan. How do you easily tell the difference between your penetration testing platform doing its job and a rogue or compromised host? If network traffic is all you're looking at, both raise the same alarm.
However, when you can enrich flow data with information from other sources, such as your EDR system, configuration management database (CMDB), and cloud security posture management (CSPM), you gain additional meaning that doesn't exist inherently in network traffic data. You can understand the who and the what. If it turns out that it's your pen test platform scanning as it should be, then there's no need to worry. But if it turns out to be a sales rep's macOS laptop that's supposed to have policies in place limiting user access to specific parts of the network and applications, you may have a problem and need to investigate further.
Operational governance: the end game
Ultimately, reining in out-of-control devices is about operational governance. So, the final piece is to build detections around governance policies to identify anomalous behavior and alert on it, bridging the gap between the visibility piece and the investigation piece.
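The three steps above (flow visibility, context enrichment, policy-driven detection) are easier to see end to end in code. The following is an added example, not code from the original post or from any product it describes. It assumes NetFlow/IPFIX-style records reduced to a 5-tuple, a CMDB that maps IP addresses to roles, an EDR console that reports which hosts carry an agent, and a small governance policy stating which roles are allowed to scan. All flows, inventory entries, addresses, and policy values are constructed for illustration.

```python
"""Added example (not from the original post): flow metadata enriched with
CMDB and EDR context, then evaluated against a simple governance policy.
All flows, inventory entries and policy values are constructed assumptions."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One NetFlow/IPFIX-style record: who talked to whom, on which port."""
    src: str
    dst: str
    dport: int
    proto: str
    octets: int


def _build_sample_flows():
    """Constructed sample traffic, not a real capture."""
    flows = []
    # Admin workstation doing ordinary SSH to a file server.
    flows.append(Flow("10.0.5.20", "10.0.1.10", 22, "tcp", 4200))
    # Pen test platform port-scanning the file server (12 distinct ports).
    for port in (21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389, 8080):
        flows.append(Flow("10.0.9.40", "10.0.1.10", port, "tcp", 60))
    # Sales laptop sweeping a whole subnet on SMB (12 distinct hosts).
    for host in range(10, 22):
        flows.append(Flow("10.0.7.15", f"10.0.1.{host}", 445, "tcp", 60))
    # IP camera phoning home over TLS; an unknown box touching SMB once.
    flows.append(Flow("10.0.8.5", "203.0.113.9", 443, "tcp", 90000))
    flows.append(Flow("10.0.8.77", "10.0.1.10", 445, "tcp", 800))
    return flows


FLOWS = _build_sample_flows()

# Constructed context sources: a CMDB with roles, and the set of hosts the
# EDR console reports an agent on. The camera and the unknown box have none.
CMDB = {
    "10.0.9.40": {"role": "pentest-platform", "owner": "secops"},
    "10.0.7.15": {"role": "sales-laptop", "os": "macOS"},
    "10.0.5.20": {"role": "admin-workstation"},
    "10.0.8.5": {"role": "ip-camera"},
}
CMDB.update({f"10.0.1.{h}": {"role": "file-server"} for h in range(10, 22)})
EDR = {"10.0.9.40", "10.0.7.15", "10.0.5.20"} | {f"10.0.1.{h}" for h in range(10, 22)}

# Assumed governance policy: only these roles may scan, and "scanning" means
# at least scan_threshold distinct (dst, dport) pairs from one source.
POLICY = {"scan_allowed_roles": {"pentest-platform", "vuln-scanner"},
          "scan_threshold": 10}
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal range


def detect_scanners(flows, threshold=POLICY["scan_threshold"]):
    """Map src -> number of distinct targets, for sources at or above threshold."""
    targets = defaultdict(set)
    for f in flows:
        targets[f.src].add((f.dst, f.dport))
    return {src: len(t) for src, t in targets.items() if len(t) >= threshold}


def edr_coverage_gap(flows, edr):
    """Internal hosts that appear in flow data but have no EDR agent."""
    seen = {f.src for f in flows} | {f.dst for f in flows}
    internal = [h for h in seen
                if any(ipaddress.ip_address(h) in net for net in INTERNAL)]
    return sorted(h for h in internal if h not in edr)


def evaluate(flows, cmdb, edr, policy):
    """Turn raw flow observations into policy findings using CMDB/EDR context."""
    findings = []
    for src, _count in sorted(detect_scanners(flows, policy["scan_threshold"]).items()):
        role = cmdb.get(src, {}).get("role", "unknown_device")
        verdict = ("authorized_scan" if role in policy["scan_allowed_roles"]
                   else "unauthorized_scan")
        findings.append((src, verdict, role))
    for host in edr_coverage_gap(flows, edr):
        findings.append((host, "no_edr_agent",
                         cmdb.get(host, {}).get("role", "unknown_device")))
    return findings


if __name__ == "__main__":
    for host, verdict, role in evaluate(FLOWS, CMDB, EDR, POLICY):
        print(f"{host:<12} {verdict:<18} role={role}")
```

Without the CMDB lookup, the pen test platform and the sales laptop look identical in the flow data (each touches 12 distinct targets); the role is what separates an authorized scan from one that needs investigation. The coverage-gap check is the same flow data read the other way around: every internal address that shows up on the wire but is absent from the EDR inventory is, by definition, a device the agent-based tooling cannot see.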
Out-of-control devices run the gamut from known to unknown and benign to malicious, and where you draw the line is unique to your organization. What's considered out of control for a large manufacturer with an OT platform that handles all the automation for devices on the plant floor is very different from how a financial services firm defines it, and likely necessitates different controls. Even within a single company, the definition of out-of-control varies depending on whether you're referring to the OT network or the IT network where laptops, servers, and printers reside. And even at the device level, what's out of control in the cloud versus the data center is different. Fortunately, flow metadata enriched with context and overlaid with governance policies provides the flexibility needed to define and detect what is truly out of control and rein it in.