Endpoint Hardening: What and Why

Senteon
4 min read · Jul 1, 2021


Endpoints, specifically workstations, come packaged with a multitude of features intended to let users perform the wide variety of operations they may need for work, research, education, entertainment, and more. The result is that a default endpoint carries many features that most individuals will not use in a typical day, especially at work. Unfortunately, these features often come with innate vulnerabilities and weaknesses that a threat actor can easily exploit, leaving the default system high-risk. Endpoint hardening is the process of disabling or securing these functions so that only the ones necessary for your business’s specific operations remain available. Despite being a fundamental process and a recurring job for Security Operations, endpoint hardening is often overlooked by teams that lack the expertise and know-how to perform it properly.

Endpoint hardening can be separated into three categories: system hardening, configuration drift management, and patch management. Each process is a fundamental pillar of any IT Security program. They work in tandem to ensure that the devices that run day-to-day business operations are fortified and protected from known vulnerabilities and easily avoidable attacks.

System Hardening

System hardening is the act of identifying which endpoint features are not used and which security configurations can be enabled without disrupting the day-to-day operations of the business. The resulting set of configurations is called a “baseline” and is deployed across a set of systems to make management consistent and easy. System sets typically include computers of the same type or use case (e.g. servers vs. user endpoints, or IT systems vs. other business units). The perfect baseline that balances availability with security is colloquially known as a “golden image”. It often takes security professionals dozens, if not hundreds, of hours to develop a golden image for each type of system in their business before those systems can be confidently deployed.

Configuration Drift Management

After a baseline is deployed, security professionals must then constantly monitor systems on their network to ensure that machines do not stray from the baseline over the course of daily operations. Configuration management can be a full-time job for security professionals in an organization and is often unsustainable over a long period of time, even with the assistance of software designed to manage configurations. As a result, managing and updating baselines, and devoting large amounts of time to managing configuration drift, can become a core function of many IT security programs.
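A minimal drift check of the kind described above, added here as an illustration rather than code from the original post or from Senteon: it compares an endpoint's observed settings against a baseline and reports what changed, what is missing, and what the baseline does not cover, then produces a corrected configuration. The setting names and values are constructed for the example and are not taken from any real benchmark.

```python
from dataclasses import dataclass
# Constructed baseline for a hypothetical "user workstation" system set.
# Setting names and values are invented, not taken from a vendor benchmark.
BASELINE = {
    "smbv1.enabled": False,
    "firewall.inbound_default": "block",
    "screen_lock.timeout_seconds": 900,
    "rdp.enabled": False,
    "autorun.enabled": False,
}

@dataclass(frozen=True)
class Drift:
    setting: str
    expected: object  # None when the baseline does not cover the setting
    observed: object  # None when the setting is absent from the snapshot
    kind: str         # "changed", "missing" or "unmanaged"

def detect_drift(baseline, snapshot):
    """List every way an endpoint's observed `snapshot` departs from `baseline`.
    Baseline settings absent from the host are "missing"; host settings the
    baseline does not cover are "unmanaged", flagging the baseline for review."""
    drift = []
    for setting, expected in baseline.items():
        if setting not in snapshot:
            drift.append(Drift(setting, expected, None, "missing"))
        elif snapshot[setting] != expected:
            drift.append(Drift(setting, expected, snapshot[setting], "changed"))
    for setting in sorted(set(snapshot) - set(baseline)):
        drift.append(Drift(setting, None, snapshot[setting], "unmanaged"))
    return drift

def remediate(baseline, snapshot):
    """Correct drift: baseline values win; unmanaged settings are left for review."""
    corrected = dict(snapshot)
    corrected.update(baseline)
    return corrected

# Constructed snapshot: RDP re-enabled, lock timeout lengthened, the autorun
# setting gone entirely, plus a setting the baseline never covered.
SNAPSHOT = {
    "smbv1.enabled": False,
    "firewall.inbound_default": "block",
    "screen_lock.timeout_seconds": 3600,
    "rdp.enabled": True,
    "telemetry.level": "full",
}

if __name__ == "__main__":
    print(*detect_drift(BASELINE, SNAPSHOT), sep="\n")
```

In practice the snapshot would be gathered from the endpoint by whatever configuration tooling is in use; the comparison and correction logic stays the same.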

Patch Management

The final category is patch management. One of the most basic yet important security functions a professional can perform, patch management is the act of ensuring that operating systems and applications are fully up to date with the newest patches released by vendors. Newer management software on the market has also made it possible to manage patches for popular third-party software (e.g. Slack, Google Chrome, Adobe). Although simple, keeping systems fully patched can be considered one of security’s most vital but overlooked activities.

Importance of Endpoint Hardening

Historically, system hardening was a priority for servers because they were the devices with the most exposed attack surface. Standard user workstations were considered low priority due to their lower exposure and the trust assumed from being physically located on a company’s internal network. However, as the Internet grew in popularity, accessibility, and value, threat actors began to employ different methods of attack that target end users and their personal devices. Top threats in recent years include phishing attacks and trojans aimed at user endpoints. While the data on laptops and workstations is usually not nearly as valuable to threat actors as the data on a server, they are much easier targets to gain access to and are ideal staging grounds for pivoting into higher-priority systems within a company’s network. Properly defending endpoints through hardened baselines, configuration management, and patch management is essential to ensuring that attackers do not obtain the footholds they need to pivot across security boundaries and into your network.

How Senteon Makes This Process Easy

Senteon is helping businesses simplify this time-intensive process with its new Automated Endpoint Hardening solution. Through a two-week automatic evaluation process followed by a short setup wizard, Senteon determines the ideal baselines for your endpoints based on your unique business needs and network activity. After deployment, Senteon continuously monitors for configuration drift away from baselines and automatically corrects it without any additional intervention from your IT/security teams, simplifying the workflow and allowing your business to focus on the bigger picture.

Learn more about Senteon at: https://www.senteon.co
