If you wait by the river long enough, you’ll see the bodies of your enemies float by.
The accuracy of the translation may be questionable, but the general idea that you’ll see all sorts of things if you stick around holds true. This is particularly true when it comes to the discussion on which cyber defense methodology should have primacy over the other: network-based defense or endpoint-based defense.
Before approaches that focused on discrete devices were ascendant, network defense was king. Ads for network monitoring solutions were constantly in your face, and if you weren’t doing full packet capture you were a fool. Bad guys have to use bandwidth to carry out their evil schemes, right?
The situation gets more complicated with the proliferation of Internet of Things (IoT) devices. The vast majority of IoT devices lack the processing power, memory, and other features that would enable them to run an endpoint sensor. While a lot of IoT devices use TCP/IP, what they share over the wire can be parsimonious. They may also use protocols that your average network-based solution can’t deal with. The result is that your ability to detect and respond to threats shrinks as the share of IoT devices in your environment grows.
To drive this point home, at the 2018 RSA Conference, the Senrio research team demonstrated how an attacker could go from a connected device like a surveillance camera to a router, and then to a network-attached storage device, exfiltrating data without ever touching a system that might have had an endpoint sensor on it. Network sensors might have caught such activity if they knew what to look for; no endpoint solution would have set off an alarm.
This is why Senrio has always followed a “play well with others” philosophy. We export data into formats that every system administration and security tool or service uses. We have a very robust and well documented API. We make the effort to integrate with a range of products like NetWitness, Splunk (app), Slack, and especially our recent integration with Carbon Black.
Senrio Insight data can be used by information sharing platforms, which helps any one of us improve the security of all of us.
Cybersecurity 101: know what you’re defending. If this is proving to be a challenge, then you owe it to yourself to try Senrio Insight:
- Identify all connected devices in an enterprise - IT or IoT - along with metadata about make, model, manufacturer, OS, firmware, protocols used, connections made, etc.
- Know what your enterprise really consists of so you can ensure that all devices that can have endpoint protection on them do.
- Know what ports and protocols your devices are communicating on so that you can detect anomalies and enforce policy.
- Understand what ‘normal behavior’ is for every device in your enterprise and generate an alert when devices behave abnormally.
- Use Senrio data to create firewall rules or IDS signatures to prevent malicious behavior from impacting devices.
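The last three points above (knowing which ports and protocols each device uses, learning what “normal” looks like per device, and turning findings into blocking rules) can be illustrated with a small baselining script. This is an added example, not Senrio’s code or API: it assumes a device inventory keyed by MAC address and flow records of the form (device_mac, protocol, dst_port), all constructed here for illustration. Flows seen during a learning window form each device’s baseline; later flows from an unknown device, or on a (protocol, port) pair the device has never used, are flagged, and a deny rule in a generic placeholder syntax is suggested for each finding.

```python
"""Per-device behavioral baselining over constructed flow records.

Added example (not Senrio's code or API). Assumes an inventory keyed by
MAC address and flow records shaped as (device_mac, protocol, dst_port).
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, str, int]                 # (device_mac, protocol, dst_port)
Baseline = Dict[str, Set[Tuple[str, int]]]  # device_mac -> {(protocol, dst_port)}

# Constructed inventory: the kind of metadata a discovery tool records per device.
INVENTORY = {
    "aa:bb:cc:00:00:01": {"make": "ExampleCam", "type": "ip-camera"},
    "aa:bb:cc:00:00:02": {"make": "ExampleNAS", "type": "nas"},
}

# Constructed learning-window flows: the camera only speaks RTSP and HTTPS,
# the NAS only serves SMB and HTTPS.
LEARNING_FLOWS: List[Flow] = [
    ("aa:bb:cc:00:00:01", "tcp", 554),
    ("aa:bb:cc:00:00:01", "tcp", 443),
    ("aa:bb:cc:00:00:02", "tcp", 445),
    ("aa:bb:cc:00:00:02", "tcp", 443),
]

# Constructed monitoring-window flows: two are within baseline, one shows the
# camera opening SSH, and one comes from a device that was never inventoried.
MONITOR_FLOWS: List[Flow] = [
    ("aa:bb:cc:00:00:01", "tcp", 554),
    ("aa:bb:cc:00:00:01", "tcp", 22),
    ("aa:bb:cc:00:00:02", "tcp", 445),
    ("aa:bb:cc:00:00:99", "udp", 53),
]


def build_baseline(flows: List[Flow]) -> Baseline:
    """Record the (protocol, dst_port) pairs each device used during learning."""
    baseline: Baseline = defaultdict(set)
    for mac, proto, port in flows:
        baseline[mac].add((proto, port))
    return dict(baseline)


def detect_anomalies(baseline: Baseline, inventory: dict, flows: List[Flow]) -> List[dict]:
    """Flag flows from unknown devices or on (protocol, port) pairs outside the baseline."""
    findings = []
    for mac, proto, port in flows:
        if mac not in inventory:
            findings.append({"device": mac, "proto": proto, "port": port,
                             "reason": "unknown device"})
        elif (proto, port) not in baseline.get(mac, set()):
            findings.append({"device": mac, "proto": proto, "port": port,
                             "reason": "outside baseline"})
    return findings


def suggest_rules(findings: List[dict]) -> List[str]:
    """Render each finding as a deny rule in a generic placeholder syntax
    (not any particular firewall's grammar; adapt to your own product)."""
    return [f"deny {f['proto']} from {f['device']} to any port {f['port']}  # {f['reason']}"
            for f in findings]


if __name__ == "__main__":
    base = build_baseline(LEARNING_FLOWS)
    for rule in suggest_rules(detect_anomalies(base, INVENTORY, MONITOR_FLOWS)):
        print(rule)
```

In a real deployment the baseline would be keyed on richer metadata (make, model, firmware) so that a newly discovered device of a known type inherits an expected profile instead of starting empty, and the learning window would be long enough to cover infrequent but legitimate traffic such as firmware update checks.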
Defending an enterprise is a holistic endeavor. Every device is a potential weak point; every connection a potential avenue of attack. Senrio’s ability to detect devices, their connections, and their behaviors gives administrators and defenders the ability to address both domains - network and endpoint - and provides comprehensive awareness and visibility that no single-purpose solution can.